#!/usr/bin/perl # Header Analyzer for Thunderbird # Time-stamp: "2009-03-09 15:14:49 nor" use Mail::MboxParser; use Time::Local; use Encode; #set mbox path my $mboxpath="C:/Documents and Settings/nor/Application Data/Thunderbird/Profiles/80difho0.default/Mail/Local Folders/tower_spam"; my $jst = 9; my $year_defalut = 2009; my $delm = "\t"; my $mb = new Mail::MboxParser ($mboxpath); for my $msg ($mb->get_messages) { my ($host_ip1, $host_ip2, $host_ip3, $host_ip4); my $host_say = ""; my $host_dns = ""; my $host_ip = ""; my $date = strdate($msg->header->{date}), $delm; my ($address, $name_str) = decode_from($msg->header->{from}); my $return_path = $msg->get_field('return-path'); $return_path =~ s/^Return\-Path://; $return_path =~ s/ * *//; for my $field ( split /\n/, $msg->get_field('received') ) { if ( $field =~ /mail\.rally\.or\.jp/ ) { $field =~ s/^Received: from //; $field =~ s/ by mail\.rally\.or\.jp.*$//; $host_say = $field; $host_dns = $field; $host_ip = $field; $host_say =~ s/ \(.*$//; $host_dns =~ s/^[^\(]+\(//; $host_dns =~ s/ .+$//; $host_ip =~ s/^[^\[]+\[//; $host_ip =~ s/\].*$//; ($host_ip1, $host_ip2, $host_ip3, $host_ip4) = split /\./, $host_ip; } } $subject = unknown2sjis($msg->header->{subject}); my $messageid = $msg->get_field('message-id'); $messageid =~ s/^Message\-I[Dd]: *$//; print "$host_ip" . $delm; print "$host_ip1" . $delm; print "$host_ip2" . $delm; print "$host_ip3" . $delm; print "$host_ip4" . $delm; print "$host_say" . $delm; print "$host_dns" . $delm; print $date, $delm; print $address, $delm; print $return_path , $delm; print $name_str, $delm; print $subject, $delm; print $messageid, $delm; print "\n"; } sub strdate { my ($date) = @_; $date =~ s/^.*,[\t ]*//; $date =~ s/ \(.+\)$//; my $tz = $date; $tz =~ s/^.* ([\+\-]\d\d)00$/$1/; unless ($tz =~ /^[\+\-]\d\d$/) { if ($tz eq "GMT") { $tz = 0; } else { $tz = $jst; } } $date =~ s/ ([\+\-]\d\d)00$//; $date =~ s/ GMT$//; my $time = $date; $time =~ s/^.* (\d\d:\d\d:\d\d)$/$1/; $date =~ s/ \d\d:\d\d:\d\d$//; my($hour, $min, $sec) = split /:/, $time; my($year, $month, $day); if ($date =~ /^20\d\d-\d\d-\d\d/) { ($year, $month, $day) = split /\-/, $date; $month = $month - 1; } elsif ($date =~ /^\d+ [a-zA-Z]{3,3} 20\d+/) { ($day, $month, $year) = split / /, $date; if ($month eq "jan") { $month = 0; } elsif ($month eq "Feb") { $month = 1; } elsif ($month eq "Mar") { $month = 2; } elsif ($month eq "Apr") { $month = 3; } elsif ($month eq "May") { $month = 4; } elsif ($month eq "Jun") { $month = 5; } elsif ($month eq "Jul") { $month = 6; } elsif ($month eq "Aug") { $month = 7; } elsif ($month eq "Sep") { $month = 8; } elsif ($month eq "Oct") { $month = 9; } elsif ($month eq "Nov") { $month = 10; } elsif ($month eq "Dec") { $month = 11; } }else{ ($sec, $min, $hour, $day, $month, $year) = (0, 0, 0, 2, 0, 1970); } if (($year < 1970) or ($year > 2020)) { $year = $year_defalut; } ($sec, $min, $hour, $day, $month, $year) = localtime(timegm($sec, $min, $hour, $day, $month, $year) - $tz*60*60); $year = $year + 1900; $month++; sprintf("%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d", $year, $month, $day, $hour, $min, $sec); } sub decode_from() { my($str)=@_; my $address; my $name_str; $address = $str; $address =~ s/^.*.*$//; $name_str = $str; $name_str =~ s/<.*>//; $name_str =~ s/^ +//; $name_str =~ s/ +$//; $name_str = unknown2sjis($name_str); $name_str =~ s/^\"//; $name_str =~ s/\"$//; ($address, $name_str); } sub unknown2sjis() { my($str)=@_; my $nomime = decode('MIME-Header', $str); my $sjis_mime = encode('cp932', $nomime); my $sjis_jis = encode('cp932',decode('8bit-jis', $str)); my $sjis_sjis = encode('cp932',decode('cp932', $str)); if ($sjis_mime eq $sjis_sjis) { return $sjis_jis; } elsif ($sjis_jis eq $sjis_sjis) { return $sjis_mime; } elsif ($sjis_mime eq $sjis_jis) { return $sjis_sjis; } }