decode-spam-headers
Cloudmark Authority X-CNFS-Analysis / X-CMAE-Envelope header
In the mail not accepted by Gmail mentioned in #4, I also noticed an X-CNFS-Analysis header, which is apparently something spam-filter related from Cloudmark Authority for at least the past 15 years (ref).
The syntax is something like:
X-CNFS-Analysis: v=2.4 cv=<hash> c=1 sm=1 tr=0 ts=622096d8 cx=a_exe
a= <base64>:117 a=<base64>:17
a=<hash>:10 a=<hash>:9 a=<hash>:10 a=<hash>:10
X-CMAE-Envelope: <base64>
CMAE = CloudMark Authority Engine
A parser for this one will land too, as soon as I find a minute. Again, thanks Henk!
So, unfortunately there is hardly any information related to this header's specific fields. The best I could do is:
-----------------------------------------
(1) Test: Cloudmark Analysis
HEADER:
X-CNFS-Analysis
VALUE:
v=2.4 cv=X9mXlEfe c=1 sm=1 tr=0 ts=5fc7c1fb a=W6fcibsR95OiD+X+thQpDQ==:117
a=W6fcibsR95OiD+X+thQpDQ==:17 a=xqWC_Br6kY4A:10 a=HpEJnUlJZJkA:10 a=uU2Hr5VP7ueSOeE0IWgA:9
a=QEXdDO2ut3YA:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=pGLkceISAAAA:8 a=67BIL_jfAAAA:8
a=VviWYApGstzf7Dq6:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10
a=pHzHmUro8NiASowvMSCR:22 a=6VlIyEUom7LUIeUMNQJH:22
ANALYSIS:
- Cloudmark Authority Engine (CMAE) analysis results:
- Version: 2.4
- cv: X9mXlEfe
- c: 1
- sm: 1
- tr: 0
- Timestamp: 2020-12-02 16:34:03
- a (17 entries):
- 117 - W6fcibsR95OiD+X+thQpDQ==
- 17 - W6fcibsR95OiD+X+thQpDQ==
- 10 - xqWC_Br6kY4A
- 10 - HpEJnUlJZJkA
- 9 - uU2Hr5VP7ueSOeE0IWgA
- 10 - QEXdDO2ut3YA
- 8 - yMhMjlubAAAA
- 8 - SSmOFEACAAAA
- 8 - pGLkceISAAAA
- 8 - 67BIL_jfAAAA
- 21 - VviWYApGstzf7Dq6
- 10 - gKO2Hq4RSVkA
- 10 - UiCQ7L4-1S4A
- 10 - hTZeC7Yk6K0A
- 10 - frz4AuCg-hUA
- 22 - pHzHmUro8NiASowvMSCR
- 22 - 6VlIyEUom7LUIeUMNQJH
-----------------------------------------
or, when used with the --debug-all flag:
-----------------------------------------
(1) Test: Cloudmark Analysis
HEADER:
X-CNFS-Analysis
VALUE:
v=2.4 cv=X9mXlEfe c=1 sm=1 tr=0 ts=5fc7c1fb a=W6fcibsR95OiD+X+thQpDQ==:117
a=W6fcibsR95OiD+X+thQpDQ==:17 a=xqWC_Br6kY4A:10 a=HpEJnUlJZJkA:10 a=uU2Hr5VP7ueSOeE0IWgA:9
a=QEXdDO2ut3YA:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=pGLkceISAAAA:8 a=67BIL_jfAAAA:8
a=VviWYApGstzf7Dq6:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10
a=pHzHmUro8NiASowvMSCR:22 a=6VlIyEUom7LUIeUMNQJH:22
ANALYSIS:
- Cloudmark Authority Engine (CMAE) analysis results:
- Version: 2.4
- cv: X9mXlEfe
- c: 1
- sm: 1
- tr: 0
- Timestamp: 2020-12-02 16:34:03
- a (17 entries):
- 117 - W6fcibsR95OiD+X+thQpDQ==
0000 | 5b dc 89 11 0f 14 29 0d | [.....). ...
- 17 - W6fcibsR95OiD+X+thQpDQ==
0000 | 5b dc 89 11 0f 14 29 0d | [.....). ...
- 10 - xqWC_Br6kY4A
0000 | 78 71 57 43 5f 42 72 36 6b 59 34 41 | xqWC_Br6kY4A ...
- 10 - HpEJnUlJZJkA
0000 | 1e 09 49 49 64 00 | ..IId. ...
- 9 - uU2Hr5VP7ueSOeE0IWgA
0000 | 4d 4f 39 34 21 68 00 | MO94!h. ...
- 10 - QEXdDO2ut3YA
0000 | 40 45 0c 76 00 | @E.v. ...
- 8 - yMhMjlubAAAA
0000 | 4c 5b 00 00 00 | L[... ...
- 8 - SSmOFEACAAAA
0000 | 49 29 14 40 02 00 00 00 | I).@.... ...
- 8 - pGLkceISAAAA
0000 | 62 71 12 00 00 00 | bq.... ...
- 8 - 67BIL_jfAAAA
0000 | 36 37 42 49 4c 5f 6a 66 41 41 41 41 | 67BIL_jfAAAA ...
- 21 - VviWYApGstzf7Dq6
0000 | 56 60 0a 46 3a | V`.F: ...
- 10 - gKO2Hq4RSVkA
0000 | 1e 11 49 59 00 | ..IY. ...
- 10 - UiCQ7L4-1S4A
0000 | 55 69 43 51 37 4c 34 2d 31 53 34 41 | UiCQ7L4-1S4A ...
- 10 - hTZeC7Yk6K0A
0000 | 36 5e 0b 24 00 | 6^.$. ...
- 10 - frz4AuCg-hUA
0000 | 66 72 7a 34 41 75 43 67 2d 68 55 41 | frz4AuCg-hUA ...
- 22 - pHzHmUro8NiASowvMSCR
0000 | 7c c7 99 4a d8 80 4a 2f 31 20 | |..J..J/1 ...
- 22 - 6VlIyEUom7LUIeUMNQJH
0000 | 59 48 45 28 21 0c 35 02 47 | YHE(!.5.G ...
-----------------------------------------
Hope that helps!
If you know anything more with regards to that header, let me know!
Regards, Mariusz.
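As an added example (not code from the thread or from decode-spam-headers itself), here is a small stand-alone parser for the X-CNFS-Analysis syntax discussed above. It unfolds the header, splits the key=value tokens, converts ts from hex to a UTC timestamp, and keeps every a= entry as an (opaque token, numeric suffix) pair. Only v and ts have an obvious meaning; cv, c, sm, tr and the a= tokens are kept as-is. The sample header is the one quoted in this thread; the a= tokens mix the standard ('+', '=') and URL-safe ('-', '_') base64 alphabets, so decode_a_token tries both, and the suffix histogram is a comparison aid only, since the meaning of the suffixes is undocumented.

```python
"""Stand-alone parser for Cloudmark X-CNFS-Analysis headers (added example)."""
import base64
import binascii
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the folded header value quoted in this thread.
SAMPLE = """v=2.4 cv=X9mXlEfe c=1 sm=1 tr=0 ts=5fc7c1fb a=W6fcibsR95OiD+X+thQpDQ==:117
 a=W6fcibsR95OiD+X+thQpDQ==:17 a=xqWC_Br6kY4A:10 a=HpEJnUlJZJkA:10 a=uU2Hr5VP7ueSOeE0IWgA:9
 a=QEXdDO2ut3YA:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=pGLkceISAAAA:8 a=67BIL_jfAAAA:8
 a=VviWYApGstzf7Dq6:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10
 a=pHzHmUro8NiASowvMSCR:22 a=6VlIyEUom7LUIeUMNQJH:22"""


def unfold(value: str) -> str:
    """Collapse RFC 5322 header folding (CRLF + whitespace) into single spaces."""
    return " ".join(value.split())


def parse_cnfs_analysis(value: str) -> dict:
    """Split an X-CNFS-Analysis value into its named fields.

    Field meanings are undocumented apart from v (version) and ts (hex Unix
    time); everything else is kept verbatim, and unknown keys are collected
    rather than rejected so a new server version does not break parsing.
    """
    out = {"version": None, "cv": None, "c": None, "sm": None, "tr": None,
           "ts": None, "ts_utc": None, "a": [], "unknown": {}}
    for item in unfold(value).split():
        key, sep, raw = item.partition("=")
        if not sep:
            raise ValueError(f"token without '=': {item!r}")
        if key == "a":
            # a=<opaque token>:<number>; the token itself may contain '='.
            token, colon, num = raw.rpartition(":")
            if not colon or not num.isdigit():
                raise ValueError(f"malformed a= entry: {raw!r}")
            out["a"].append((token, int(num)))
        elif key == "v":
            out["version"] = raw
        elif key == "ts":
            out["ts"] = int(raw, 16)
            out["ts_utc"] = datetime.fromtimestamp(
                out["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        elif key in ("c", "sm", "tr"):
            out[key] = int(raw)
        elif key == "cv":
            out["cv"] = raw
        else:
            out["unknown"][key] = raw
    return out


def decode_a_token(token: str) -> Optional[bytes]:
    """Best-effort base64 decode of an a= token.

    The observed tokens use either the standard or the URL-safe alphabet,
    so try both (with padding restored); return None if neither validates.
    The result is opaque binary, not a readable rule name.
    """
    padded = token + "=" * (-len(token) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except binascii.Error:
            continue
    return None


def a_histogram(parsed: dict) -> dict:
    """Count a= entries per numeric suffix, for comparing headers side by side."""
    return dict(Counter(num for _token, num in parsed["a"]))


if __name__ == "__main__":
    parsed = parse_cnfs_analysis(SAMPLE)
    print(f"version={parsed['version']} ts={parsed['ts_utc']} UTC "
          f"a-entries={len(parsed['a'])}")
    for token, num in parsed["a"]:
        raw = decode_a_token(token)
        print(f"  {num:>4}  {token:<26} {len(raw) if raw else '?':>3} bytes")
    print("suffix histogram:", a_histogram(parsed))
```

Running it against the sample reproduces the tool's timestamp (2020-12-02 16:34:03 UTC) and 17 a= entries; every token base64-decodes to 9 to 16 bytes of binary, which is consistent with the guess later in this thread that they are encrypted or hashed rule identifiers rather than anything readable.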
I have no clue either. We probably need to ask the company.
I saw that X-CMAE-Envelope base64-decoded started with 1.1|..binary data..
I suspect all those a= are encrypted names of the rules that were triggered. With some luck they are global across all Cloudmark Authority installations, or they are encrypted per server.
That's exactly what I'd expect these a= to be. However, similarly to Microsoft's EOP/MDO detection rules, we're limited to blind reverse-engineering efforts. Since I have no Cloudmark-enabled mail server to test, I'm not able to dive deep into those.
Closing this now as I'm unable to resolve it without docs. That's the nature of black-boxed header analysis :)
Feel free to open it up if there's anything that comes to you in regard to these headers.
Regards, Mariusz