Skip to content

feat(heuristics): add Fake Email analyzer to validate maintainer email domain #1106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(heuristics): add Fake Email analyzer to validate maintainer email domain #1106

wants to merge 4 commits into from
+259 −8

Conversation

AmineRaouane
Copy link
Member

@AmineRaouane AmineRaouane commented Jun 16, 2025
edited
Loading

Summary

This PR adds a new heuristic analyzer called FakeEmailAnalyzer. It verifies the validity of maintainer email addresses listed in a PyPI package by checking both the format and the existence of MX records for their domains. This helps detect packages with fake or throwaway emails, which are often indicative of malicious intent.

Description of changes

  • Implemented FakeEmailAnalyzer that:
    • Validates email format using a regex.
    • Verifies the existence of MX records for the email domain via DNS resolution.
  • Updated detect_malicious_metadata_check.py to include and invoke this new analyzer.
  • The analyzer handles DNS errors and skips analysis if no email is present.
  • The logical reason for combining quickUndetailed with a failed(Heuristics.FAKE_EMAIL.value) is that a package that is rushed onto a platform by someone using a fake email address points to an actor who may be trying to quickly distribute a package while obscuring their identity and avoiding being investigated.

Related issues

None

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jun 16, 2025
@AmineRaouane AmineRaouane force-pushed the fake-emails-heuristic branch from c6f35f7 to 8d29103 Compare June 16, 2025 21:26
@AmineRaouane AmineRaouane force-pushed the fake-emails-heuristic branch 5 times, most recently from f945882 to a7103e4 Compare July 5, 2025 18:59
benmss
benmss reviewed Jul 9, 2025
View reviewed changes
benmss
benmss reviewed Jul 9, 2025
View reviewed changes
benmss
benmss reviewed Jul 9, 2025
View reviewed changes
@AmineRaouane
feat(heuristics): add Fake Email analyzer to validate maintainer emai…
34a69a0 
…l domains

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@AmineRaouane
refactor: remove redundant package download
18715d1 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@AmineRaouane
docs: update documentation
59f4c61 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@AmineRaouane AmineRaouane force-pushed the fake-emails-heuristic branch from 759ab97 to d99495c Compare July 12, 2025 15:55
benmss
benmss reviewed Jul 14, 2025
View reviewed changes
benmss
benmss reviewed Jul 14, 2025
View reviewed changes
@AmineRaouane
refactor(fake-email): replace dns_resolver with email-validator for e…
a8d373b 
…mail domain validation

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@AmineRaouane AmineRaouane force-pushed the fake-emails-heuristic branch from d99495c to a8d373b Compare July 15, 2025 09:40
behnazh-w
behnazh-w requested changes Jul 18, 2025
View reviewed changes
src/macaron/malware_analyzer/pypi_heuristics/metadata/fake_email.py
"""
emailinfo = None
try:
emailinfo = validate_email(email, check_deliverability=True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please make check_deliverability configurable via defaults.ini so that you can turn it off in unit tests? We try to avoid network calls in our unit tests.

tests/malware_analyzer/pypi/test_fake_email.py
analyzer: FakeEmailAnalyzer, pypi_package_json_asset_mock: MagicMock, mock_validate_email: MagicMock
) -> None:
"""Test analyzer passes when only maintainer_email is present and valid."""
email = "maintainer@example.net"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is example.net supposed to be a valid domain?

Copy link
Member Author

@AmineRaouane AmineRaouane Jul 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes and no. The domain is technically valid, but it’s reserved by IANA and not intended for real-world use. So to ensure the email is actually usable by a real user, Should I add a list of reserved domains and TLDs and check against them before proceeding with validation or acceptance, or should I keep it as it is?

tests/malware_analyzer/pypi/test_fake_email.py
validated_emails = info.get("validated_emails")
assert isinstance(validated_emails, list)
assert len(validated_emails) == 2
assert {"normalized": "author@example.com", "local_part": "author", "domain": "example.com"} in validated_emails
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question, if example.com is supposed to be a valid domain.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behnazh-w behnazh-w behnazh-w requested changes

@benmss benmss benmss approved these changes

@tromai tromai Awaiting requested review from tromai tromai is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AmineRaouane @benmss @behnazh-w