Lots more intelligence checking in SMTP traffic.

scripts/policy/frameworks/intel/smtp.bro

@@ -15,11 +15,56 @@ event mime_end_entity(c: connection)
 				             $where=SMTP::IN_RECEIVED_HEADER]);
 				}
 			}
-		
+
 		if ( c$smtp?$user_agent )
 			Intel::seen([$str=c$smtp$user_agent,
 			             $str_type=Intel::USER_AGENT,
 			             $conn=c,
 			             $where=SMTP::IN_HEADER]);
+
+		if ( c$smtp?$x_originating_ip )
+			Intel::seen([$host=c$smtp$x_originating_ip,
+			             $conn=c,
+			             $where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
+
+		if ( c$smtp?$mailfrom )
+			Intel::seen([$str=c$smtp$mailfrom,
+			             $str_type=Intel::EMAIL,
+			             $conn=c,
+			             $where=SMTP::IN_MAIL_FROM]);
+
+		if ( c$smtp?$rcptto )
+			{
+			for ( rcptto in c$smtp$rcptto )
+				{
+				Intel::seen([$str=rcptto,
+				             $str_type=Intel::EMAIL,
+				             $conn=c,
+				             $where=SMTP::IN_RCPT_TO]);
+				}
+			}
+
+		if ( c$smtp?$from )
+			Intel::seen([$str=c$smtp$from,
+			             $str_type=Intel::EMAIL,
+			             $conn=c,
+			             $where=SMTP::IN_FROM]);
+
+		if ( c$smtp?$to )
+			{
+			for ( email_to in c$smtp$to )
+				{
+				Intel::seen([$str=email_to,
+				             $str_type=Intel::EMAIL,
+				             $conn=c,
+				             $where=SMTP::IN_TO]);
+				}
+			}
+
+		if ( c$smtp?$reply_to )
+			Intel::seen([$str=c$smtp$reply_to,
+			             $str_type=Intel::EMAIL,
+			             $conn=c,
+			             $where=SMTP::IN_REPLY_TO]);
 		}
 	}

scripts/policy/frameworks/intel/where-locations.bro

@@ -13,8 +13,9 @@ export {
 		SMTP::IN_RCPT_TO,
 		SMTP::IN_FROM,
 		SMTP::IN_TO,
-		SMTP::IN_CC,
 		SMTP::IN_RECEIVED_HEADER,
+		SMTP::IN_REPLY_TO,
+		SMTP::IN_X_ORIGINATING_IP_HEADER,
 		SSL::IN_SERVER_CERT,
 		SSL::IN_CLIENT_CERT,
 		SSL::IN_SERVER_NAME,