Created the webmail identification script.

policy/smtp/base.bro

@@ -41,9 +41,6 @@ export {
 		last_reply:        string          &log &optional;
 		files:             set[string]     &log &optional;
 		path:              vector of addr  &log &optional;
-		## Boolean indicator of if the message was sent through a webmail 
-		## interface.  This is not being set yet.
-		is_webmail:        bool            &log &default=F;
 		user_agent:        string          &log &optional;
 		
 		## Indicate if this session is currently transmitting SMTP message 

policy/smtp/webmail-ident.bro

@@ -0,0 +1,35 @@
+##! Identify webmail interfaces.  This identification will be solely done 
+##! with the USER-AGENT (or other) header unless not possible and will resort
+##! to heuristics if necessary.
+##!
+##! TODO::
+##!     * Find some heuristic to determine if email was sent through 
+##!       a MS Exhange webmail interface as opposed to a desktop client.
+##! 
+
+module SMTP;
+
+redef record Info += {
+	## Boolean indicator of if the message was sent through a webmail 
+	## interface.
+	is_webmail: bool &log &default=F;
+};
+
+export {
+	## A regular expression to match USER-AGENT-like headers to find if a 
+	## message was sent with a webmail interface.
+	const webmail_user_agents = 
+	                     /^iPlanet Messenger/ 
+	                   | /^Sun Java\(tm\) System Messenger Express/
+	                   | /\(IMP\)/  # Horde Internet Messaging Program
+	                   | /^SquirrelMail/
+	                   | /^NeoMail/ &redef;
+}
+
+
+event smtp_data(c: connection, is_orig: bool, data: string) &priority=4
+	{
+	if ( c$smtp$current_header == "USER-AGENT" &&
+	     webmail_user_agents in c$smtp$user_agent )
+		c$smtp$is_webmail = T;
+	}

policy/smtp/webmail.bro

@@ -1 +0,0 @@
-##! Identify webmail interfaces.