Welcome to yaramail’s documentation

yaramail is a Python package and command line utility for scanning emails with YARA rules. It is ideal for automated triage of phishing reports.

Features

  • Scans all parts of an email via API or CLI

    • Headers

      • Removes header indents by default for consistent scanning

    • Plain text and HTML body content

      • Converts body content to Markdown by default for consistent scanning

    • Attachments

      • Raw file content

      • Emails attached to emails

      • PDF document text

      • ZIP file contents, including nested ZIP files

        • Uses message body content as a list of possible ZIP passwords

        • Customizable list of passwords to use when attempting to scan encrypted ZIP files

  • Provides a built-in methodology for categorizing emails

  • Parses Authentication-Results headers
