SpamScope is an advanced spam analysis tool that use Apache Storm with streamparse to process a stream of mails.
It's possible to analyze more than 5 milions of mails for day with a 4 cores server and 4 GB of RAM (without third party analysis).
- It's very fast: the job is splitted in functionalities that work in parallel.
- It's flexible: you can choose what SpamScope has to do.
- It's distributed: SpamScope uses Apache Storm, free and open source distributed realtime computation system.
- It makes JSON output that you can save where you want.
- It's easy to setup: there are docker images and docker-compose ready for use.
- It's integrated with Apache Tika, VirusTotal, Thug, Shodan and SpamAssassin (for now).
- It's free and open source (for special functions you can contact me).
- It can analyze Outlook msg.
SpamScope uses Apache Storm that allows you to start small and scale horizontally as you grow. Simply add more workers.
You can choose your mails input sources (with spouts) and your functionalities (with bolts).
SpamScope comes with the following bolts:
- tokenizer splits mail in token like headers, body, attachments and it can filter emails, attachments and ip addresses already seen
- phishing looks for your keywords in email and connects email to targets (bank, your customers, etc.)
- raw_mail is for all third party tools that analyze raw mails like SpamAssassin
- attachments analyzes all mail attachments and uses third party tools like VirusTotal
- network analyzes all sender ip addresses with third party tools like Shodan
- urls extracts all urls in email and attachments
- json_maker and outputs make the json report and save it
You can build your custom output bolts and store your data in Elasticsearch, MongoDB, filesystem, etc.
With streamparse tecnology you can build your topology in Python, add and/or remove spouts and bolts.
For now SpamScope doesn't have its own API, because it isn't tied to any tecnology.
If you use Redis
as spout (input), you'll use Redis API to put mails in topology.
If you use Elasticsearch
as output, you'll use Elasticsearch API to get results.
It's possible to develop a middleware API that it talks with input, output and changes the configuration, but now there isn't.
SpamScope can be downloaded, used, and modified free of charge. It is available under the Apache 2 license.
Fedele Mantuano (LinkedIn: Fedele Mantuano)
For more details please visit the wiki page.
Clone repository
git clone https://github.com/SpamScope/spamscope.git
then enter in SpamScope directory and install it:
python setup.py install
or
pip install SpamScope
Faup stands for Finally An Url Parser and is a library and command line tool to parse URLs and normalize fields. To install it follow the wiki.
SpamScope can use SpamAssassin an open source anti-spam to analyze every mails.
SpamScope can use Tika App to parse every attachments.
The Apache Tika toolkit detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF).
To install it follow the wiki.
To enable Apache Tika analisys, you should set it in attachments
section.
From release v1.3 SpamScope can analyze Javascript and HTML attachments with Thug.
If you want to analyze the attachments with Thug, follow these instructions to install it and enable it in attachments
section.
What is Thug? From README project:
Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.
You can see a complete SpamScope report with Thug analysis here.
It's possible add to results (for mail attachments and sender ip address) the VirusTotal report. You need a private API key.
It's possible add to results the Shodan report for sender ip address. You need a private API key.
It's possible to store the results in Elasticsearch. In this case you should install elasticsearch
package.
It's possible to store the results in Redis. In this case you should install redis
package.
For more details please visit the wiki page or read the comments in the files in conf
folder.
You can decide to filter emails, attachments and ip addresses already analyzed. All filters are in tokenizer
bolt section.
SpamScope comes with three topologies:
- spamscope_debug (save json on file system)
- spamscope_elasticsearch
- spamscope_redis
and a general configuration file spamscope.example.yml
in conf/
folder.
If you want submit SpamScope topology use spamscope-topology submit
tool. For more details spamscope-topology submit -h
:
$ spamscope-topology submit --topology {spamscope_debug,spamscope_elasticsearch,spamscope_redis}
It's very important to set the main configuration file. The default value is /etc/spamscope/spamscope.yml
, but it's possible to set the environment variable SPAMSCOPE_CONF_FILE
:
$ export SPAMSCOPE_CONF_FILE=/etc/spamscope/spamscope.yml
If you use Elasticsearch output, I suggest you to use Elasticsearch template that comes with SpamScope.
It's possible change the default settings for all Apache Storm options. I suggest for SpamScope these options:
- topology.tick.tuple.freq.secs: reload configuration of all bolts
- topology.max.spout.pending: Apache Storm framework will then throttle your spout as needed to meet the
topology.max.spout.pending
requirement - topology.sleep.spout.wait.strategy.time.ms: max sleep for emit new tuple (mail)
For more details you can refer here.
To simplify this operation, SpamScope comes with a custom tool spamscope-topology submit
where you can choose the values of all these parameters.
SpamScope comes with unittests for each modules. In bolts and spouts there are no special features, all intelligence is in external modules.
All unittests are in tests
folder.
To have complete tests you should set the followings enviroment variables:
$ export THUG_ENABLED=True
$ export VIRUSTOTAL_ENABLED=True
$ export VIRUSTOTAL_APIKEY="your key"
$ export ZEMANA_ENABLED=True
$ export ZEMANA_APIKEY="your key"
$ export ZEMANA_PARTNERID="your partner id"
$ export ZEMANA_USERID="your userid"
$ export SHODAN_ENABLED=True
$ export SHODAN_APIKEY="your key"
$ export SPAMASSASSIN_ENABLED=True
It's possible to use complete Docker images with Apache Storm and SpamScope. Take the following images:
For each image there are two tags: develop and latest.