Class ForensicBot

java.lang.Object
com.mimecast.robin.bots.ForensicBot
All Implemented Interfaces:
BotProcessor

public class ForensicBot extends Object implements BotProcessor
AFRF (Authentication Failure Reporting Format) forensic report processing bot.

Parses forensic reports (RFC 6591) from multipart/report emails and sends them to the robin-admin API for storage and visualization.

These are individual email failure reports for DMARC, DKIM, or SPF authentication failures, as opposed to aggregate reports.

Expected MIME structure:

  • Part 1: text/plain - Human-readable summary
  • Part 2: message/feedback-report - Machine-readable report fields
  • Part 3: message/rfc822 or text/rfc822-headers - Original email or headers
  • Field Details

    • log

      private static final org.apache.logging.log4j.Logger log
    • gson

      private static final com.google.gson.Gson gson
  • Constructor Details

    • ForensicBot

      public ForensicBot()
  • Method Details

    • getName

      public String getName()
      Description copied from interface: BotProcessor
      Gets the name of this bot for factory registration.
      Specified by:
      getName in interface BotProcessor
      Returns:
      Bot name.
    • process

      public void process(Connection connection, EmailParser emailParser, String botAddress, BotConfig.BotDefinition botDefinition)
      Description copied from interface: BotProcessor
      Processes an email for bot analysis and generates a response.

      This method is called from a dedicated bot thread pool.

      Each bot receives its own EmailParser instance created from the message source, allowing safe concurrent access to the email content.

      Specified by:
      process in interface BotProcessor
      Parameters:
      connection - SMTP connection instance containing cloned session data.
      emailParser - Parsed email instance (headers only). May be null if the message source is unavailable or parsing failed.
      botAddress - The bot address that matched (e.g., "robot+token@example.com").
      botDefinition - Bot definition containing configuration like endpoint URL.
    • extractForensicReport

      private Map<String,Object> extractForensicReport(EmailParser emailParser)
      Extracts forensic report from email parts.
      Parameters:
      emailParser - Parsed email.
      Returns:
      Report data map, or null if not found.
    • parseFeedbackReport

      private void parseFeedbackReport(MimePart part, Map<String,Object> report) throws IOException
      Parses the message/feedback-report part into a map.
      Parameters:
      part - The MIME part containing the feedback report.
      report - Map to populate with parsed fields.
      Throws:
      IOException
    • cleanEmailAddress

      private String cleanEmailAddress(String email)
      Cleans an email address by removing angle brackets.
    • extractHeaderValue

      private String extractHeaderValue(String headers, String headerName)
      Extracts a header value from raw headers text.
    • getContentType

      private String getContentType(MimePart part)
      Gets content type from MIME part headers.
    • getPartContent

      private byte[] getPartContent(MimePart part) throws IOException
      Gets content bytes from a MIME part.
      Throws:
      IOException
    • sendToAdminApi

      private void sendToAdminApi(Map<String,Object> report, Connection connection, BotConfig.BotDefinition botDefinition)
      Sends forensic report to the robin-admin API.
      Parameters:
      report - Parsed forensic report.
      connection - SMTP connection.
      botDefinition - Bot config definition.
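
The message/feedback-report part listed under the expected MIME structure is a block of header-style fields sent by an arbitrary remote reporter, so it should be parsed as untrusted input. The following is an added example, not Robin's own parseFeedbackReport implementation: the class name, the 64 KiB cap and the set of single-occurrence fields enforced here are assumptions, while the field names come from RFC 5965 and RFC 6591.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
public class FeedbackReportExample {
    static final int MAX_BYTES = 64 * 1024; // assumed cap; reports arrive from untrusted senders
    static final Set<String> SINGLE = Set.of("feedback-type", "user-agent", "version", "auth-failure", "source-ip");

    /** Parses message/feedback-report bytes into lower-cased field names mapped to values. */
    static Map<String, List<String>> parse(byte[] raw) {
        if (raw.length > MAX_BYTES) throw new IllegalArgumentException("report too large");
        // Unfold continuation lines (line break followed by space or tab) before splitting.
        String text = new String(raw, StandardCharsets.US_ASCII).replaceAll("\r?\n[ \t]+", " ");
        Map<String, List<String>> fields = new LinkedHashMap<>();
        for (String line : text.split("\r?\n")) {
            if (line.isBlank()) continue;
            int colon = line.indexOf(':');
            if (colon <= 0) throw new IllegalArgumentException("malformed field line");
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            List<String> values = fields.computeIfAbsent(name, k -> new ArrayList<>());
            if (!values.isEmpty() && SINGLE.contains(name))
                throw new IllegalArgumentException("duplicate field: " + name);
            values.add(value);
        }
        // A forensic report must declare itself as auth-failure and say which check failed.
        if (!"auth-failure".equalsIgnoreCase(first(fields, "feedback-type")) || first(fields, "auth-failure") == null)
            throw new IllegalArgumentException("not an auth-failure report");
        return fields;
    }

    static String first(Map<String, List<String>> f, String name) {
        List<String> v = f.get(name);
        return v == null ? null : v.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample report; addresses and domains use documentation ranges.
        String sample = "Feedback-Type: auth-failure\r\n"
                + "User-Agent: ExampleReporter/1.0\r\n"
                + "Version: 1\r\n"
                + "Original-Mail-From: <bounce@example.com>\r\n"
                + "Source-IP: 192.0.2.10\r\n"
                + "Reported-Domain: example.com\r\n"
                + "Auth-Failure: dmarc\r\n"
                + "Authentication-Results: mx.example.net;\r\n"
                + "\tdkim=fail header.d=example.com\r\n";
        Map<String, List<String>> r = parse(sample.getBytes(StandardCharsets.US_ASCII));
        System.out.println(first(r, "auth-failure") + " | " + first(r, "authentication-results"));
    }
}
```

Rejecting duplicate single-occurrence fields keeps a crafted report from presenting one Source-IP or Auth-Failure value to the parser and a different one to whatever later reads the stored report.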