feat: Extract IOC + CyberSignal cases query

README.md

@@ -34,9 +34,6 @@ User -> "Outlook" : Inspect suspicious email
 
 TODO: Rechercher si un case existe déjà dans TheHive
 TODO: Vérifier la conf nginx pour Cuckoo
-TODO: Faire un mock de l'api Cuckoo
-TODO: Retourner une erreur dans cuckoo.SendGetSummaryReport() quand le rapport n'est pas dispo
-TODO: Demander ou ça en est pour la création du mail (medium)
 TODO: Mettre le vrai mail (medium)
 TODO: Créer un vrai message pour le mail (low)
 TODO: Faire de la documentation (low) -> refaire PlantUML en mettant pour chaque étape quels blocs de code sont sollicités

internal/common/common.go

@@ -137,3 +137,13 @@ func BoolValueFromEnv(ev string, def bool) bool {
 	}
 	return v
 }
+
+// StringInSlice checks if a string element is in a string array
+func StringInSlice(a string, list []string) bool {
+	for _, b := range list {
+		if b == a {
+			return true
+		}
+	}
+	return false
+}

internal/cuckoo/cuckoo.go

@@ -3,6 +3,7 @@ package cuckoo
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -11,6 +12,7 @@ import (
 	"net/http"
 	"os"
 	"regexp"
+	"strings"
 
 	"forge.grandlyon.com/rpailharey/cyber-signal/internal/common"
 )
@@ -26,7 +28,8 @@ type UploadResponse struct {
 }
 
 // Uploads a file to Cuckoo and requests an analysis
-func SendPostRequestMultipart(url string, filename string) int {
+func SendPostRequestMultipart(filename string) int {
+	url := cuckooURL + "/tasks/create/file"
 	client := &http.Client{}
 	req, err := NewfileUploadRequest(url, nil, "file", filename)
 	if err != nil {
@@ -55,7 +58,7 @@ func SendPostRequestMultipart(url string, filename string) int {
 }
 
 // Get the analysis' report
-func SendGetSummaryReport(taskid int) (string, error) {
+func SendGetSummaryReport(taskid int) ([]byte, error) {
 	url := fmt.Sprintf("%s/tasks/summary/%d", cuckooURL, taskid)
 	fmt.Println(url)
 
@@ -70,36 +73,46 @@ func SendGetSummaryReport(taskid int) (string, error) {
 		log.Fatal(err)
 	}
 
-	type StringsResponse struct {
-		Strings []string `json:"strings"`
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New("Report couldn't be fetched")
 	}
 
 	content, err := ioutil.ReadAll(resp.Body)
+	return content, nil
+
+}
+
+func ExtractIOC(report []byte) (senderEmail string, subject string, urls []string, sha1 string, md5 string, err error) {
+
+	type StringsResponse struct {
+		Strings []string `json:"strings"`
+	}
 	var stringsResponse StringsResponse
-	err = json.Unmarshal(content, &stringsResponse)
+	err = json.Unmarshal(report, &stringsResponse)
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	var expediteur string
-	var subject string
-
 	for _, s := range stringsResponse.Strings {
 		rExp := regexp.MustCompile(`From:.*<(.*)>`)
 		rSub := regexp.MustCompile(`Subject: (.*)`)
+		rUrl := regexp.MustCompile(`(?:http(s)?:\/\/)?[\w.-]+(?:\.[\w\.-]+)$`)
 
 		resExp := rExp.FindStringSubmatch(s)
-		if len(resExp) != 0 {
-			expediteur = resExp[1]
+		if len(resExp) >= 2 {
+			senderEmail = resExp[1]
 		}
 
 		resSub := rSub.FindStringSubmatch(s)
-		if len(resSub) != 0 {
-			subject = resSub[1]
+		if len(resSub) >= 2 {
+			subject = strings.ReplaceAll(strings.TrimRight(strings.SplitN(resSub[1], "_", 2)[1], "?="), "_", " ")
+		}
+
+		resUrl := rUrl.FindStringSubmatch(s)
+		if len(resUrl) != 0 && !common.StringInSlice(resUrl[0], urls) {
+			urls = append(urls, resUrl[0])
 		}
 	}
-	fmt.Println(expediteur)
-	fmt.Println(subject)
 
 	type TargetResponse struct {
 		Target struct {
@@ -114,19 +127,12 @@ func SendGetSummaryReport(taskid int) (string, error) {
 	}
 
 	var targetResponse TargetResponse
-	err = json.Unmarshal(content, &targetResponse)
+	err = json.Unmarshal(report, &targetResponse)
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	fmt.Println(targetResponse.Target.File.Sha1)
-
-	for _, s := range targetResponse.Target.File.Urls {
-		fmt.Println(s)
-	}
-
-	return string(content), nil
-
+	return senderEmail, subject, targetResponse.Target.File.Urls, targetResponse.Target.File.Sha1, targetResponse.Target.File.Md5, nil
 }
 
 // Creates a new file upload http request with optional extra params

internal/cybersignal/cybersignal.go

@@ -16,8 +16,6 @@ import (
 
 var (
 	cybersignalAuthToken string
-	cuckooURL            string
-	cuckooAuthToken      string
 )
 
 func Init(keyfile string) {
@@ -37,50 +35,60 @@ func Init(keyfile string) {
 	}
 	log.Println("Authorization token set")
 	cybersignalAuthToken = string(tokenConfig.Token)
-
-	cuckooURL = common.StringValueFromEnv("CUCKOO_URL", "")
-	cuckooAuthToken = common.StringValueFromEnv("CUCKOO_AUTH_TOKEN", "")
 }
 
 // HandleUpload is a function allowing to analyze a file with Cuckoo and save the incident in TheHive.
-func HandleUpload(w http.ResponseWriter, r *http.Request) {
-	// TempFile allows you to create a new temp file in the /tmp directory
-	file, errTemp := ioutil.TempFile("", "mail*.msg")
-	if errTemp != nil {
-		panic(errTemp)
-	}
-	// Copy the received file locally
-	io.Copy(file, r.Body)
-	file.Close()
-	taskid := cuckoo.SendPostRequestMultipart(cuckooURL+"/tasks/create/file", file.Name())
-	log.Println(taskid)
+func HandleUpload() http.Handler {
+	handleUpload := func(w http.ResponseWriter, r *http.Request) {
+		// TempFile allows you to create a new temp file in the /tmp directory
+		file, errTemp := ioutil.TempFile("", "mail*.msg")
+		if errTemp != nil {
+			panic(errTemp)
+		}
+		// Copy the received file locally
+		io.Copy(file, r.Body)
+		file.Close()
+		taskid := cuckoo.SendPostRequestMultipart(file.Name())
+		log.Println(taskid)
 
-	// Try to get the report every 30 seconds
-	// TODO:  Return an error when the report is not available yet
-	var report string
-	var err error
-	for {
-		time.Sleep(30 * time.Second)
-		report, err = cuckoo.SendGetSummaryReport(taskid)
-		if err == nil {
-			break
+		// Try to get the report every 30 seconds
+		var report []byte
+		var err error
+		for {
+			time.Sleep(30 * time.Second)
+			report, err = cuckoo.SendGetSummaryReport(taskid)
+			if err == nil {
+				break
+			}
 		}
-	}
-	fmt.Println(report)
+		fmt.Println(report)
 
-	// Create a new case
-	tags := []string{"Cyber-Signal"}
-	caseCreated, err := thehive.SendPostCreateCase("Test", "Test Cyber-Signal", 1, 1, nil, tags, false)
-	if err != nil {
-		log.Fatal(err)
+		senderEmail, subject, urls, sha1, md5, err := cuckoo.ExtractIOC(report)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		log.Println("Expéditeur : " + senderEmail)
+		log.Println("Objet : " + subject)
+		log.Println(urls)
+		log.Println(sha1)
+		log.Println(md5)
+
+		// Create a new case
+		tags := []string{"Cyber-Signal"}
+		caseCreated, err := thehive.SendPostCreateCase("Test", "Test Cyber-Signal", 1, 1, nil, tags, false)
+		if err != nil {
+			log.Fatal(err)
+		}
+		fmt.Println(caseCreated)
+
+		mail.SendMail()
 	}
-	fmt.Println(caseCreated)
 
-	mail.SendMail()
+	return http.HandlerFunc(handleUpload)
 }
 
 // ValidateAuthMiddleware checks if the request contains the correct token to use Cyber-Signal
-// TODO: Use this middleware in he rootmux
 func ValidateAuthMiddleware(next http.Handler) http.Handler {
 	tokenChecker := func(w http.ResponseWriter, r *http.Request) {
 		authToken := r.Header.Get("Authorization")

internal/cybersignal/cybersignal_test.go

+package cybersignal
+
+import (
+	"net/http"
+	"net/http/cookiejar"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"forge.grandlyon.com/rpailharey/cyber-signal/internal/cuckoo"
+	"forge.grandlyon.com/rpailharey/cyber-signal/internal/mocks"
+	"forge.grandlyon.com/rpailharey/cyber-signal/internal/tester"
+)
+
+var (
+	noH map[string]string
+)
+
+func TestAll(t *testing.T) {
+	tsCuckoo, doCuckoo := createCuckooTester(t)
+	defer tsCuckoo.Close()
+
+	report := doCuckoo("GET", "/tasks/summary/1", noH, "", http.StatusOK, "")
+	senderEmail, subject, urls, sha1, md5, err := cuckoo.ExtractIOC([]byte(report))
+
+	tester.AssertEqual(t, err, nil)
+	tester.AssertEqual(t, senderEmail, "asp18@invitations.mailinblack.com")
+	tester.AssertEqual(t, subject, "RE: Vos codes pour l'acc=C3=A8s au site www.astredhor.fr")
+	tester.AssertStringArrayEqual(t, urls, []string{"www.astredhor.fr"})
+	tester.AssertEqual(t, sha1, "f77b584e202b6d7ec8fff9238783fa6e8df07fe6")
+	tester.AssertEqual(t, md5, "690cedf5b04ce05eb647cd7672c63cd1")
+
+}
+
+func createCuckooTester(t *testing.T) (*httptest.Server, func(method string, route string, headers map[string]string, payload string, expectedStatus int, expectedBody string) string) {
+	// Create the server
+	mux := mocks.CreateMockCuckooAPI()
+	ts := httptest.NewServer(mux)
+	url, _ := url.Parse(ts.URL)
+	port := url.Port()
+	// Create the cookie jar
+	jar, _ := cookiejar.New(nil)
+	// wrap the testing function
+	return ts, tester.CreateServerTester(t, "localhost", port, jar)
+}
+
+func createTheHiveTester(t *testing.T) (*httptest.Server, func(method string, route string, headers map[string]string, payload string, expectedStatus int, expectedBody string) string) {
+	// Create the server
+	mux := mocks.CreateMockTheHiveAPI()
+	ts := httptest.NewServer(mux)
+	url, _ := url.Parse(ts.URL)
+	port := url.Port()
+	// Create the cookie jar
+	jar, _ := cookiejar.New(nil)
+	// wrap the testing function
+	return ts, tester.CreateServerTester(t, "localhost", port, jar)
+}

internal/mocks/mocks.go

@@ -68,6 +68,367 @@ func CreateMockTheHiveAPI() *http.ServeMux {
 
 func CreateMockCuckooAPI() *http.ServeMux {
 	mux := http.NewServeMux()
-	// TODO: Cuckoo API mock
+
+	mux.HandleFunc("/tasks/create/file", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(`{
+			"task_id":1
+		}`))
+	})
+
+	mux.HandleFunc("/tasks/summary/1", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(`
+		{
+			"strings":[
+        		"##]h2G",
+    		    "cgadoulet@grandlyon.com",
+				"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
+				"/O=METROPOLE DE LYON/OU=EXCHANGE ADM_",
+				"INISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
+				"/O=METROPOLE DE LYON/OU=EXCHANGE ADM_",
+				"INISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
+				"EX:/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBO_",
+				"HF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
+				"EX:/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
+				"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
+				"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
+				"rcpg125",
+				"Chtml1",
+				"g96 \"<",
+				"0#@cell",
+				"P at: n",
+				"dth:100",
+				"%\">}!s",
+				"+O,Q)7)'5",
+				"\"3)\u001f*/0",
+				"$\u001f%/&?'O",
+				"(cM 67O@9",
+				"1S_To[\u001fWOX_=",
+				"o-5LA/@+h",
+				"QQrcM ",
+				"c949b037",
+				"1eY 9c7b",
+				"f1Qp{H",
+				"YPERLINK",
+				"ue. LD",
+				" _ 2sD",
+				"STREDHORr,",
+				"jNGY2OTk",
+				" Y7dHV",
+				"mNvbTtGU",
+				"xSWhzUE'",
+				"82Td05dG",
+				"d QlJ$@0k9",
+				",E02,0)",
+				"RQ#nA0#!",
+				"?/@?AO",
+				"BAUDUi",
+				",?-O._/o5",
+				"REDHOR",
+				":\u001f;/<?=O",
+				"2Y\"/td",
+				"rDtbody",
+				"x/y?zOdnj",
+				"p-top:2",
+				"<img/e",
+				"\\cf1\\ul",
+				"u@ widthZ",
+				"#?]/^?&?\u001f",
+				";/<?=O>_D/J",
+				"qBOC_(",
+				"66c93- 69f2-)",
+				"cdP-98b\\",
+				"ph0a5b",
+				"GOH_Io",
+				"*O+_,c8",
+				" p tchaC",
+				"ODIwYjE2",
+				"MTMyZDBl",
+				"OTAxNjNm",
+				"5YmY7Y2d",
+				"Hlvbi5jbA,",
+				"1SUtKSHh",
+				"3THBIRWg",
+				"zMks4bk",
+				"YvM2RZP",
+				"rg@b(255,",
+				"$?%O&_'o",
+				"({ASTREDH",
+				"-?.O/_2",
+				"MOB\u001fC/D?EOF_Go",
+				"R\u001fS/T?",
+				"l_moc5",
+				"i/j?kO",
+				"v.a~u\u001fwon",
+				"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USERDC5E740E",
+				"SMTP:ASP18@INVITATIONS.MAILINBLACK.COM",
+				"/o=Metropole de Lyon/ou=Exchange Adm_",
+				"inistrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6fb35904bfba4dcaa5db20d40441783c-IHN742",
+				"/o=Metropole de Lyon/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6fb35904bfba4dcaa5db20d40441783c-IHN742",
+				"EX:/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
+				"/o=Metropole de Lyon/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6fb35904bfba4dcaa5db20d40441783c-IHN742",
+				"Root Entry",
+				"__nameid_version1.0",
+				"__substg1.0_00020102",
+				"__substg1.0_00030102",
+				"ConversationIndexTrackingEx",
+				"DetectedLanguageJ",
+				"x-ms-exchange-organization-authsource",
+				"LatestMessageWordCount",
+				"IsSigned",
+				"IsRe__substg1.0_00040102",
+				"__substg1.0_100D0102",
+				"__substg1.0_100E0102",
+				"__substg1.0_10120102",
+				"adReceipt",
+				"__substg1.0_10140102",
+				"__substg1.0_10150102",
+				"__substg1.0_10170102",
+				"__substg1.0_10190102",
+				"__substg1.0_101C0102",
+				"__substg1.0_001A001F",
+				"__substg1.0_002C0102",
+				"__substg1.0_0037001F",
+				"IPM.Note",
+				"Re: RE: Vos codes pour l'acc",
+				"s au site www.astredhor.fr",
+				"__substg1.0_003B0102",
+				"__substg1.0_003D001F",
+				"__substg1.0_003F0102",
+				"__substg1.0_0040001F",
+				"Claudine GADOULET",
+				"Quentin BAUDUIN",
+				"asp18@invitations.mailinblack.com",
+				"Quentin BAUDUIN",
+				"__substg1.0_00410102",
+				"__substg1.0_0042001F",
+				"__substg1.0_00430102",
+				"__substg1.0_0044001F",
+				"Claudine GADOULET",
+				"cgadoulet@grandlyon.com",
+				"asp18@invitations.mailinblack.com",
+				"cgadoulet@grandlyon.com",
+				"__substg1.0_004C0102",
+				"__substg1.0_004D001F",
+				"__substg1.0_00510102",
+				"__substg1.0_00520102",
+				"asp18@invitations.mailinblack.co__substg1.0_00560102",
+				"__substg1.0_0064001F",
+				"__substg1.0_0065001F",
+				"__substg1.0_0070001F",
+				"RE: Vos codes pour l'acc",
+				"s au site www.astredhor.fr",
+				"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB3590__substg1.0_00710102",
+				"__substg1.0_0075001F",
+				"__substg1.0_0076001F",
+				"__substg1.0_0077001F",
+				"4BFBA4DCAA5DB20D40441783C-IHN742EX",
+				"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=6FB35904BFBA4DCAA5DB20D40441783C-IHN742SMTP",
+				"asp18@invitations.mailinblack.co__substg1.0_0078001F",
+				"__substg1.0_0079001F",
+				"__substg1.0_007A001F",
+				"__substg1.0_007D001F",
+				"Quentin BAUDUIN",
+				"asp18@invitations.mailinblack.com",
+				"Quentin BAUDUIN",
+				"asp18@invitations.mailinblack.coReceived: from NTHCM783.oscar.gly (10.130.12.52) by NTHCM782.oscar.gly",
+				" (10.130.12.51) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Mailbox",
+				" Transport; Mon, 12 Oct 2020 12:54:17 +0200",
+				"Received: from NTCTI783.oscar.gly (10.130.12.48) by NTHCM783.oscar.gly",
+				" (10.130.12.52) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 12 Oct",
+				" 2020 12:54:17 +0200",
+				"Received: from fx409.security-mail.net (192.168.246.54) by NTCTI783.oscar.gly",
+				" (10.130.12.48) with Microsoft SMTP Server id 15.0.1497.2 via Frontend",
+				" Transport; Mon, 12 Oct 2020 12:54:17 +0200",
+				"X-HUMAIL-SINGLE-LINK: true",
+				"X-Quarantine-ID: <MDuqC4Zuw13I>",
+				"X-Virus-Scanned: E-securemail",
+				"X-Spam-Status: No, score=1.812 tagged_above=-1000 required=5",
+				"tests=[AB_FROM_WITH_NUMERIC_END_2=0.5, AB_LONG_SUBJ_30=0.001,",
+				"BO_HUMAIL_SINGLE_LINK=0.0001, DKIM_SIGNED=0.1, DKIM_VALID=-1,",
+				"FAKE_REPLY_SURE_A=1, FAKE_REPLY_SURE_B=1, FSL_HTML_BLOCK_LOTS_1=0.01,",
+				"FSL_HTML_BLOCK_LOTS_2=0.01, FSL_HTML_BLOCK_LOTS_3=0.01,",
+				"FSL_HTML_ENT_LOTS_1=0.01, FSL_HTML_ENT_LOTS_2=0.01,",
+				"FSL_HTML_ENT_LOTS_3=0.01, FSL_RCVD_EX_3=0.01, FSL_RCVD_UT_3=0.01,",
+				"HTML_MESSAGE=0.001, MISSING_MID=0.14, T_RP_MATCHES_RCVD=-0.01]",
+				"autolearn=disabled",
+				"Authentication-Results: fx409.security-mail.net (amavisd-new);",
+				"dkim=pass (1024-bit key) header.d=mailinblack.com",
+				"Secumail-id: <4596.5f8435b8.7d886.0>",
+				"Received: from da4-mrs.mailinblack.com (da4-mrs.mailinblack.com [185.209.208.14])",
+				"by fx409.security-mail.net (Postfix) with ESMTPS id 637148A2B2D",
+				"for <cgadoulet@grandlyon.com>; Mon, 12 Oct 2020 12:53:44 +0200 (CEST)",
+				"Received: from asp18.mailinblack.com (ip-160.49.mrs.mailinblack.com [192.168.160.49])",
+				"by da4-mrs.mailinblack.com (Postfix) with ESMTP id 425411402EB",
+				"for <cgadoulet@grandlyon.com>; Mon, 12 Oct 2020 12:53:44 +0200 (CEST)",
+				"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailinblack.com;",
+				"s=invitations; t=1602500024;",
+				"bh=3a0CQzWWuacTNtecfxJr8ctFcesyNRiaviQ1hd82ahA=;",
+				"h=From:To:Subject:Date:From;",
+				"b=oFNf2Lyb9CbZ1fdTGQHqpgA0nFr51pN//KQWLxNVmZ8uxxHxbg60cU+JjxNxJt0vX",
+				" 1stkueMTEAlOaFfY6/oDVWAMTFvNKiy7y6+fhnQzZSqBBNJ2nhtrYmzrd8swWCW1xl",
+				" 4Wb1KiScNgl+CdD8QTmdX5JWNhOKl3zwb9PmTMXM=",
+				"Received: from 127.0.0.1 (localhost [127.0.0.1])",
+				"by asp18.mailinblack.com (Postfix) with ESMTP id 3D93510B809",
+				"for <cgadoulet@grandlyon.com>; Mon, 12 Oct 2020 12:53:44 +0200 (CEST)",
+				"From: Quentin BAUDUIN <asp18@invitations.mailinblack.com>",
+				"To: cgadoulet@grandlyon.com",
+				"Message-ID: <451182687.14562.1602500023399.JavaMail.root@asp18.mailinblack.com>",
+				"Subject: =?UTF-8?Q?Re:_RE:_Vos_codes_pour_l'acc=C3=A8s_au_site_www.astredhor.fr?=",
+				"MIME-Version: 1.0",
+				"Content-Type: multipart/mixed;",
+				"boundary=\"----=_Part_14560_248524585.1602500023399\"",
+				"X-MIB: 0jze9djKvVI0JfgM5GillodAvPM=",
+				"Date: Mon, 12 Oct 2020 10:53:38 +0000",
+				"X-Virus-Scanned: by Secumail",
+				"Return-Path: asp18@invitations.mailinblack.com",
+				"X-MS-Exchange-Organization-Network-Message-Id: f5094e1e-7a53-49f2-ce86-08d86e9d2aa3",
+				"X-MS-Exchange-Organization-AuthSource: NTCTI783.oscar.gly",
+				"X-MS-Exchange-Organization-AuthAs: Anonymous",
+				"__substg1.0_0C190102",
+				"__substg1.0_0C1A001F",
+				"__substg1.0_0C1D0102",
+				"__substg1.0_0C1E001F",
+				"__substg1.0_0C1F001F",
+				"__substg1.0_0E02001F",
+				"__substg1.0_0E03001F",
+				"__substg1.0_0E04001F",
+				"Claudine GADOULET",
+				"RE: Vos codes pour l'acc",
+				"s au site www.astredhor.fr",
+				"__substg1.0_0E4B0102",
+				"__substg1.0_0E580102",
+				"__substg1.0_0F030102",
+				"__substg1.0_1000001F",
+				"__substg1.0_10090102",
+				"__substg1.0_1015001F",
+				"__substg1.0_1035001F",
+				"linblack.com/upload/imageRoot/1c949b0371e649c7b527e666b31edd55/Nouveau%20logo%20Astredhor(3).jpg>",
+				"        Bonjour,",
+				"Vous venez de m'envoyer un message mais votre adresse email m'est pour le moment inconnue. L'antispam Mailinblack utilis",
+				" par ASTREDHOR, l'Institut technique de l'horticulture, a ainsi temporairement bloqu",
+				" votre email. Il ne m'est donc pas encore parvenu.",
+				"Afin de d",
+				"livrer votre message, je vous invite ",
+				" cliquer sur ce lien<http://asp18.mailinblack.com> et ",
+				" saisir les quelques lettres et chiffres demand",
+				"s. Ceci validera votre adresse et le message me parviendra. Notez qu' ",
+				" votre prochain envoi d'email, vous serez alors directement reconnu et vous n'aurez plus ",
+				" recommencer cette ",
+				"Vous en remerciant par avance.",
+				"Bien cordialement,",
+				"Quentin BAUDUIN",
+				"ASTREDHOR",
+				" <http://asp18.mailinblack.com/images/line.jpg>",
+				"        Every new contact matters to",
+				"Quentin BAUDUIN and ASTREDHOR !",
+				" <http://asp18.mailinblack.com/upload/1f466c93-69f2-48cd-98bd-7dd4f77caa5b>",
+				"        Hello,",
+				"I woud like to invite you to join my network of trusted contacts.",
+				"Click on this link<http://asp18.mailinblack.com/captchaCom/captcha.jsp?id=NDAyODIwYjE2MTMyZDBlOTAxNjNmNDYxNzE4MzE5YmY7Y2dhZG91bGV0QGdyYW5kbHlvbi5jb207RU47MTN1SUtKSHh3THBIRWgzMks4bk5jTHYvM2RZPQ==&loc=en> to ensure the delivery of your message and to benefit from all the advantages of being part of my network.",
+				"Kind regards.",
+				"Quentin BAUDUIN",
+				"ASTREDHOR",
+				"89EAE165E252DE449C21229F317C714F@grandlyon.com",
+				"<451182687.14562.1602500023399.JavaMail.root@asp18.mailinblack.com>",
+				"__substg1.0_300B0102",
+				"__substg1.0_30140102",
+				"__substg1.0_3FF8001F",
+				"__substg1.0_3FF90102",
+				"Contact Informatique de la M",
+				"tropole",
+				"cgadoulet@grandlyon.com",
+				"__substg1.0_3FFA001F",
+				"__substg1.0_4022001F",
+				"__substg1.0_4023001F",
+				"__substg1.0_4024001F",
+				"/O=METROPOLE DE LYON/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USERDC5E740E",
+				"asp18@invitations.mailinblack.com",
+				"__substg1.0_4025001F",
+				"__substg1.0_4030001F",
+				"__substg1.0_4031001F",
+				"__substg1.0_4034001F",
+				"Quentin BAUDUIN",
+				"Quentin BAUDUIN",
+				"6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
+				"6FB35904BFBA4DCAA5DB20D40441783C-IHN742",
+				"Contact Informatique de la M",
+				"tropole",
+				"__substg1.0_4035001F",
+				"__substg1.0_4038001F",
+				"__substg1.0_4039001F",
+				"__substg1.0_405E001F",
+				"Quentin BAUDUIN",
+				"Quentin BAUDUIN",
+				"Quentin BAUDUIN",
+				"asp18@invitations.mailinblack.com",
+				"asp18@invitations.mailinblack.com",
+				"__substg1.0_4060001F",
+				"__substg1.0_40610102",
+				"__substg1.0_5D01001F",
+				"__substg1.0_5D02001F",
+				"__substg1.0_5D06001F",
+				"__substg1.0_5D07001F",
+				"__substg1.0_5D08001F",
+				"__substg1.0_8001001F",
+				"asp18@invitations.mailinblack.com",
+				"cgadoulet@grandlyon.com",
+				"cgadoulet@grandlyon.com",
+				"BT=0;II=<invalid>;SBT=230;THA=3701817737;FIXUP=233,5707;Version=Version 15.0 (Build 1497.0), Stage=H8",
+				"__substg1.0_8002001F",
+				"__substg1.0_8003001F",
+				"__substg1.0_8007001F",
+				"__substg1.0_8008001F",
+				"NTCTI783.oscar.gly",
+				"ext.dcs.nschwartzmann@grandlyon.com",
+				"00000002",
+				"fc86073d-9b2d-43b8-af8a-d9e9d69f36aa@grandlyon.com/o=Metropole de Lyon/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=6819bd85d5454336abcda3403f398314-PJX333",