SpamScope is an advanced spam analysis tool that use Apache Storm with streamparse to process a stream of mails.
It's possible to analyze about 5 milions of mails (without Apache Tika analisys) for day with a 4 cores server and 4 GB of RAM. If you enable Apache Tika, you can analyze about 1 milion of mails.
SpamScope use Apache Storm that allows you to start small and scale horizontally as you grow. Simply add more worker.
You can chose your mails input sources (with spouts) and your functionalities (with bolts). SpamScope come with a tokenizer (split mail in token: headers, body, attachments), attachments and phishing analyzer (Which is the target of mails? Is there a malware in attachment?) and JSON output.
You can build your custom output bolts and store your data in Elasticsearch, Mongo, filesystem, etc.
With streamparse tecnology you can build your topology in Python, add and/or remove spouts and bolts.
SpamScope can be downloaded, used, and modified free of charge. It is available under the Apache 2 license.
Fedele Mantuano (Twitter: @fedelemantuano)
For more details please visit the wiki page.
Clone repository
git clone https://github.com/SpamScope/spamscope.git
Install requirements in file requirements.txt with python-pip:
pip install -r requirements.txt
Faup stands for Finally An Url Parser and is a library and command line tool to parse URLs and normalize fields. To install it follow the wiki.
SpamScope can use Tika App to parse every attachment mail.
The Apache Tika toolkit detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF).
To install it follow the wiki.
To enable Apache Tika analisys, you should set it in attachments section.
From release v1.3 SpamScope can analyze Javascript and HTML attachments with Thug.
If you want to analyze the attachments with Thug, follow these instructions to install it and enable it in attachments section.
What is Thug? From README project:
Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.
You can see a complete SpamScope report with Thug analysis here.
It's possible add to results (for mail attachments) VirusTotal report. You need a private API key.
It's possible to store the results in Redis. In this case you should install redis package.
For more details please visit the wiki page or read the comments in the files in conf folder.
From SpamScope v1.1 you can decide to filter mails and attachments already analyzed. If you enable filter in tokenizer section you will enable the RAM database and
SpamScope will check on it to decide if mail/attachment is already analyzed or not. If the mail is in RAM database, SpamScope will not analyze it and will store only the hashes.
SpamScope comes with two topologies:
- spamscope_debug
- spamscope_elasticsearch
- spamscope_redis
and a general configuration file spamscope.example.yml in conf/ folder.
To run topology for debug:
sparse run --name topology
If you want submit topology to Apache Storm:
sparse submit -f --name topology
It's very important to set the main configuration file. The default value is /etc/spamscope/spamscope.yml, but it's possible to set the environment variable SPAMSCOPE_CONF_FILE:
$ export SPAMSCOPE_CONF_FILE=/etc/spamscope/spamscope.yml
If you use Elasticsearch output, I suggest you to use Elasticsearch template that comes with SpamScope.
It's possible change the default settings for all Apache Storm options. I suggest for SpamScope these options:
- topology.tick.tuple.freq.secs: reload configuration of all bolts
- topology.max.spout.pending: Apache Storm framework will then throttle your spout as needed to meet the
topology.max.spout.pendingrequirement - topology.sleep.spout.wait.strategy.time.ms: max sleep for emit new tuple (mail)
If you don't enable Apache Tika, Thug and VirusTotal, could use:
topology.tick.tuple.freq.secs: 60
topology.max.spout.pending: 200
topology.sleep.spout.wait.strategy.time.ms: 10
If Apache Tika is enabled:
topology.max.spout.pending: 100
To submit above options use:
sparse submit -f --name topology -o "topology.tick.tuple.freq.secs=60" -o "topology.max.spout.pending=100" -o "topology.sleep.spout.wait.strategy.time.ms=10"
Thug analysis can be very slow, it depends from attachment. To avoid Apache Storm timeout, you should use these two switches when submit the topology:
supervisor.worker.timeout.secs=600
topology.message.timeout.secs=600
As you can see, the timeouts are both to 600 seconds. 600 seconds is the default timeout of Thug.
The complete command is:
sparse submit -f --name topology -o "topology.tick.tuple.freq.secs=60" -o "topology.max.spout.pending=50" -o "topology.sleep.spout.wait.strategy.time.ms=10" -o "supervisor.worker.timeout.secs=600" -o "topology.message.timeout.secs=600"
For more details you can refer here.
It's possible to use complete Docker images with Apache Storm and SpamScope. Take the following images:
