yaraMail

A set of Bro/Zeek scripts that detect ATT&CK-based adversarial activity and raise notices

Yara Scanner for IMAP Feeds and Saved Streams

The Yara Scanner for IMAP Feeds and Saved Streams reads an SMTP-formatted email file, or connects to an IMAP/POP server to fetch emails, and extracts the attachments. It scans the attachments with a specified Yara rule file and writes the results to a report file. When it has finished, it deletes the temporary directory it created.

**Usage:**

**IMAP Feed:**

```bash
python yaraMail.py -e -o sampleReport.txt -i -u me@you.com -p password -f inbox sample.yar imap.gmail.com
```

**POP Feed:**

```bash
python yaraMail.py -e -o sampleReport.txt -w -u you@me.com -p password sample.yar pop3.live.com
```

**From File:**

```bash
python yaraMail.py -e -o sampleReport.txt sample.yar SampleMail.txt
```

**Reports:**

Here is an example of how the report will be printed out:

```
From: Kevin Breen email@email.com
Subject: Subject Line
Att Name: Name of attach.ext
Matched Rules:
Rule_Name1
Rule_Name2
```

**Misc:**

The Attachment Extract Functionality Overview

The attachment extract also retrieves the body of the email, in either text/plain or text/HTML format.

- The text body of the email is usually named part-001.ksh (this is the extension Python's MIME library typically assigns to text/plain).
- The HTML body of the email is generally named part-002.html.

ToDo:

- Add verbose output.
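As an added illustration, not the project's own code, here is a minimal version of the "From File" path using only Python's standard library: parse an SMTP-formatted message, pull out the attachments (body parts are skipped rather than saved as part-001/part-002), run each through a matcher and print a report in the layout shown above. The sample message and the `PE_Header` rule name are constructed; `yara_matcher` assumes the yara-python package is installed.

```python
import email
from email import policy
# Constructed sample message (not from the project): one text body plus one attachment.
SAMPLE_EML = b"""From: Kevin Breen <email@email.com>
Subject: Subject Line
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

def demo_matcher(data):
    # Stand-in for a Yara rule set: flags the 'MZ' PE header (hypothetical rule name).
    return ["PE_Header"] if data.startswith(b"MZ") else []

def yara_matcher(rule_path):
    """Matcher backed by yara-python (assumed installed), compiled from a rule file."""
    import yara  # imported here so the rest of the script runs without it
    rules = yara.compile(filepath=rule_path)
    return lambda data: [m.rule for m in rules.match(data=data)]

def scan_message(raw, match_fn):
    """Extract every attachment from an SMTP-formatted message and scan its decoded bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():  # text/plain and text/html bodies are not yielded
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded before scanning
        results.append({"from": str(msg["From"]), "subject": str(msg["Subject"]),
                        "attachment": part.get_filename() or "unnamed",
                        "rules": match_fn(payload)})
    return results

def format_report(results):
    """Render results in the layout the README shows for the report file."""
    lines = []
    for r in results:
        lines += [f"From: {r['from']}", f"Subject: {r['subject']}",
                  f"Att Name: {r['attachment']}", "Matched Rules:"]
        lines += list(r["rules"]) + [""]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(scan_message(SAMPLE_EML, demo_matcher)))
```

To scan with real rules, replace `demo_matcher` with `yara_matcher("sample.yar")`.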