malicious mail attached to 'carrier' mail is not correctly analyzed. #37

begunrom opened this issue Nov 11, 2019 · 3 comments
@begunrom

Hi, I am testing mail2misp.
I am sending a mail with another mail as attachment.
The mail is successfully received in misp but the attached mail is seen as a file object.
I would like the attachment to be analyzed and sent to misp (and the carrier mail to be ignored).

Is this possible?

I originally tried with an msg attachment (Outlook), then I tried with an eml attachment that I converted from the msg.
I used both mail_to_misp.py and mail_to_mips_forward.py. The result was the same.

Am I doing something wrong?

@rommelfs

Could you please try to forward the mail inline in the other mail and not as an attachment?

Currently,

forward_identifiers = {'-------- Forwarded Message --------', 'Begin forwarded message:'}
defines the known separators for forwarded mails.

Please try this and see if the forwarding separator matches the ones defined. Just add a new one if your mail client does it differently.

@begunrom

I defined 'Carrier mail' as separator, but that does not make any difference.
Please find attached a sample of a "carrier mail" with 2 eml attachments that I seek to process.

Full email (1).zip

@begunrom

Created pull request #38
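
Added example, not part of the thread and not mail_to_misp code or the change in #38: one way to pull the attached mails out of a carrier mail with Python's standard `email` package, so that the attachments rather than the carrier are what gets analyzed. The function names, addresses and sample mail below are constructed for illustration; it assumes attached mails arrive either as `message/rfc822` parts or as files named `*.eml`.

```python
import email
from email import policy
from email.message import EmailMessage


def attached_mails(msg):
    """Return every e-mail carried as an attachment of msg, depth-first."""
    if msg.get_content_type() == "message/rfc822" and msg.is_multipart():
        inner = msg.get_payload(0)  # the parser already built the inner message
        return [inner] + attached_mails(inner)
    if msg.is_multipart():
        return [m for part in msg.get_payload() for m in attached_mails(part)]
    if (msg.get_filename() or "").lower().endswith(".eml"):
        # .eml sent as a generic file: undo the transfer encoding, then parse
        inner = email.message_from_bytes(msg.get_payload(decode=True),
                                         policy=policy.default)
        return [inner] + attached_mails(inner)
    return []


def extract_attached(raw):
    """Parse raw carrier bytes; return the attached mails, carrier excluded."""
    return attached_mails(email.message_from_bytes(raw, policy=policy.default))


def build_sample():
    """Constructed carrier mail with two attached mails (not the issue's zip)."""
    def mail(subject, body):
        m = EmailMessage()
        m["From"] = "sender@example.com"
        m["Subject"] = subject
        m.set_content(body)
        return m
    carrier = mail("Carrier mail", "Two samples attached.")
    # First attachment as message/rfc822, second as an opaque .eml file
    carrier.add_attachment(mail("Invoice", "hxxp://bad.example/a"))
    carrier.add_attachment(mail("Parcel", "hxxp://bad.example/b").as_bytes(),
                           maintype="application", subtype="octet-stream",
                           filename="parcel.eml")
    return carrier.as_bytes()


if __name__ == "__main__":
    for inner in extract_attached(build_sample()):
        print(inner["Subject"], "->", inner.get_content().strip())
```

Outlook `.msg` attachments are a different container format and are not handled by the standard `email` parser.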
