Get Email MTA Path

LAST UPDATED: AUG 07, 2024

This command processes raw email data to extract the Mail Transfer Agent (MTA) path.

Implementation	System
Command Category	Cyber Utility
Tags	EMAIL ARTIFACT

READER NOTE

The MTA path reveals the route an email has taken through different servers from the sender to the recipient. This information is crucial for tracking email delivery, diagnosing issues, and identifying potential security threats such as email spoofing or phishing.

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Raw Email Data

Required

Raw data of an email

CODE

MIME-Version: 1.0

Received: from user01@example.com 2603:10b6:a03:1a0::47 by 2002:a19:4845:0:0:0:0:0 with HTTP; Thu, 28 May 2020 12:19:28 -0700 (PDT)

From: user01 <user01@example.com>

Date: Thu, 28 May 2020 12:19:28 -0700

Message-ID: <CAGwkv9ENZvxxcXkFJurBC7rjSRzhuziWPNi45kowY89ZMwDpqg@mail.gmail.com>

Subject: Test Send Email

To: user09 <user09@example.com>

Content-Type: multipart/alternative; boundary="0000000000001d2c8705a6ba354a"

Hello everyone,

This is a test email

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

Succeed

Context Data

The response data from the utility command.

SAMPLE DATA

JSON

{
    "MTAs": [
        "user01@example.com 2603:10b6:a03:1a0::47"
    ]
}

Key Fields

Important key-value pairs extracted from Raw Data.

SAMPLE DATA

JSON

{
    "MTAs": [
        "user01@example.com 2603:10b6:a03:1a0::47"
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/GetMTAPath

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Raw Email Data": <Raw Email Data here>
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Raw Email Data	`string`	Required	Raw data of an email

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Raw Email Data": "MIME-Version: 1.0\r\nReceived: from user01@example.com 2603:10b6:a03:1a0::47 by 2002:a19:4845:0:0:0:0:0 with HTTP; Thu, 28 May 2020 12:19:28 -0700 (PDT)\r\nFrom: user01 \r\nDate: Thu, 28 May 2020 12:19:28 -0700\r\nMessage-ID: \r\nSubject: Test Send Email\r\nTo: user09 \r\nContent-Type: multipart/alternative; boundary=\"0000000000001d2c8705a6ba354a\"\r\n\r\nHello everyone,\r\nThis is a test email"
  }
}

Response

Response Fields

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
keyFields	`JSON Object`	The key fields from the API request.
returnData	`string`	The return data from the API request.
contextData	`JSON Object`	The context data from the API request.

Sample Response

JSON

{
    "error": "",
    "keyFields": {
        "MTAs": ["user01@example.com 2603:10b6:a03:1a0::47"]
    },
    "returnData": "Succeed",
    "contextData": {
        "MTAs": [
            "user01@example.com 2603:10b6:a03:1a0::47"
        ]
    }
}