Feature #8693
open
Task #6473: tracking: detect: smtp keyword coverage
detect: smtp/email body and header inspection keywords
Description
Create new sticky buffers separating the email headers from the body. Ideally, a raw and normalized buffer for each.
Normalization would include handling base64 and quoted-printable encoding.
email.headers / email.raw.headers
// Raw
Received: by mail-qv1-xf64.google.com with SMTP id 12345.1 for <user@victim.io>; Mon, 29 Jun 2026 08:49:07 -0700 (PDT)
Date: Mon, 29 Jun 2026 15:20:55 +0000
To: =?UTF-8?B?VmljdGlt?= <user@victim.io>
From: =?UTF-8?B?QXR0YWNrZXI=?= <super@baddie.xyz>
Subject: =?UTF-8?B?UmVtaW5kZXI6IFBsZWFzZSB2ZXJpZnkgeW91ciBhY2NvdW50IGJlZm9yZSA2LiBKdWx5IDIwMjYgKCM2TjZBWVVPOSk=?=
Message-ID: <12345667@victim.io>
MIME-Version: 1.0
Content-Type: text/html
email.body / email.raw.body
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
</body>
</html>
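The following is an added illustration, not Suricata code and not part of the feature request: it models in Python what each of the four proposed buffers (email.raw.headers, email.headers, email.raw.body, email.body) would expose for one message, and why the normalized pair matters for matching. The header block is the one quoted above; the folding of the Received header, the Content-Transfer-Encoding header and the quoted-printable HTML body are constructed for the example. Header normalization decodes RFC 2047 encoded-words (here base64 "B" words) and unfolds continuation lines; body normalization reverses the Content-Transfer-Encoding (here quoted-printable). The buffer names are the ones proposed in the request; no such keywords exist yet.

```python
import email
from email import policy
from typing import Dict

# Constructed sample message. The header block is the one quoted in the
# feature request (Received header folded onto a continuation line for the
# example); the Content-Transfer-Encoding header and the quoted-printable
# HTML body are made up for this example.
RAW_MESSAGE = (
    b"Received: by mail-qv1-xf64.google.com with SMTP id 12345.1\r\n"
    b"        for <user@victim.io>; Mon, 29 Jun 2026 08:49:07 -0700 (PDT)\r\n"
    b"Date: Mon, 29 Jun 2026 15:20:55 +0000\r\n"
    b"To: =?UTF-8?B?VmljdGlt?= <user@victim.io>\r\n"
    b"From: =?UTF-8?B?QXR0YWNrZXI=?= <super@baddie.xyz>\r\n"
    b"Subject: =?UTF-8?B?UmVtaW5kZXI6IFBsZWFzZSB2ZXJpZnkgeW91ciBhY2NvdW50"
    b"IGJlZm9yZSA2LiBKdWx5IDIwMjYgKCM2TjZBWVVPOSk=?=\r\n"
    b"Message-ID: <12345667@victim.io>\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    # "=3D" encodes "=", and "=\r\n" is a soft line break splitting "account".
    b"<html><body><a href=3D\"http://baddie.xyz/login\">Verify your ac=\r\n"
    b"count</a></body></html>\r\n"
)


def raw_headers(raw: bytes) -> bytes:
    """email.raw.headers: the header block exactly as seen on the wire."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return head


def raw_body(raw: bytes) -> bytes:
    """email.raw.body: everything after the blank line, still CTE-encoded."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return body


def normalized_headers(raw: bytes) -> Dict[str, str]:
    """email.headers: encoded-words decoded, folded lines joined.

    policy.default performs the RFC 2047 decoding and unfolding for us.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {name: str(value) for name, value in msg.items()}


def normalized_body(raw: bytes) -> bytes:
    """email.body: the body with quoted-printable/base64 transfer encoding undone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_payload(decode=True)


def keyword_hits(raw: bytes, needle: str) -> Dict[str, bool]:
    """Report which of the four proposed buffers a plain content match would hit."""
    needle_b = needle.encode()
    return {
        "email.raw.headers": needle_b in raw_headers(raw),
        "email.headers": any(needle in v for v in normalized_headers(raw).values()),
        "email.raw.body": needle_b in raw_body(raw),
        "email.body": needle_b in normalized_body(raw),
    }


if __name__ == "__main__":
    # "your account" is invisible in both raw buffers: base64 hides it in the
    # Subject and a soft line break splits it in the body.
    for buf, hit in keyword_hits(RAW_MESSAGE, "your account").items():
        print(f"{buf:<20} {'match' if hit else 'no match'}")
    print(normalized_headers(RAW_MESSAGE)["Subject"])
```

Running it shows "your account" matching only in email.headers and email.body; the raw buffers miss it because the Subject is base64-encoded and the body word is split across a quoted-printable soft break, which is the case the normalized buffers are meant to cover.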