[IntelMQ-users] mail collector extra fields

Mika Silander mika.silander at csc.fi
Mon Jul 8 12:06:00 CEST 2024


Hi Thomas,

Afaik, the extra.* fields are added by the Mail collector bot into the outgoing messages on-the-fly, i.e. the messages you are supposed to feed to the parser bot that follows in the chain.
If you look at the end of https://github.com/certtools/intelmq/blob/develop/intelmq/bots/collectors/mail/collector_mail_attach.py you should see the enrichment. Message subjects, IDs, etc. should of course be present in the email report that is processed by the Mail collector bot for the enrichment to work.

Disclaimer: the above is based on my assumptions, not knowing what your database and its entries truly look like.

Br, Mika

----- Original Message -----
From: "Thomas Hungenberg via IntelMQ-users" <intelmq-users at lists.cert.at>
To: "intelmq-users" <intelmq-users at lists.cert.at>
Sent: Monday, 8 July, 2024 12:16:29
Subject: [IntelMQ-users] mail collector extra fields

Hello,

according to <https://github.com/certtools/intelmq/blob/develop/docs/user/bots.md>
events collected using a "Generic Mail URL Fetcher" should include this information:

     feed.url
     extra.email_date
     extra.email_subject
     extra.email_from
     extra.email_message_id
     extra.file_name

In our database, the events DO include feed.url but DO NOT include any of the extra fields.
Events collected using a "Generic Mail Attachment Fetcher" are missing the extra fields as well.

I wonder if this is a bug or caused by some configuration issue with our setup.


     - Thomas

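The enrichment discussed in this thread, sketched as an added illustration with Python's standard library only; it is not the IntelMQ collector's code. The sample mail, the `reports_from_mail` helper and the header-to-field mapping are assumptions built from the field names listed in the question.

```python
from email import message_from_string, policy

# Constructed sample report mail (not real data): a text body plus one CSV attachment.
SAMPLE_MAIL = """\
From: reports@feed.example
To: abuse@cert.example
Subject: Daily report 2024-07-08
Date: Mon, 08 Jul 2024 10:00:00 +0200
Message-ID: <20240708.1@feed.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attachment.
--b1
Content-Type: text/csv
Content-Disposition: attachment; filename="events.csv"

ip,timestamp
192.0.2.1,2024-07-08T07:59:00Z
--b1--
"""

# Mail header -> report field (assumed mapping, field names taken from the question).
HEADER_TO_FIELD = {
    "Date": "extra.email_date",
    "Subject": "extra.email_subject",
    "From": "extra.email_from",
    "Message-ID": "extra.email_message_id",
}


def reports_from_mail(raw_mail):
    """Return one report dict per attachment, enriched with extra.* fields."""
    msg = message_from_string(raw_mail, policy=policy.default)
    # A header that is absent from the mail produces no field at all.
    common = {field: str(msg[header])
              for header, field in HEADER_TO_FIELD.items()
              if msg[header] is not None}
    reports = []
    for part in msg.iter_attachments():  # skips the plain-text body part
        report = dict(common)
        report["extra.file_name"] = part.get_filename()
        report["raw"] = part.get_content()
        reports.append(report)
    return reports
```

Comparing the keys of such a report with the keys stored for the resulting event shows whether the fields were never set or were dropped later in the pipeline.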