People get hacked all the time. If your mailbox is compromised, one of the first things the attacker does is set up a mail filter so the victim has no idea the hack has happened. After that, your account is sending out spam or viruses to all your contacts until one of them calls you.
Emails containing a virus or a phishing attack can also come from trusted contacts. They might make it past spam filters and other virus-monitoring systems. A second line of defense is needed: monitoring what actually arrives in your mailboxes.
An early warning system that monitors your mailboxes for threats is a great idea. But it must alert you via a different channel than email... a text message.
What it does
v-snitch monitors sent email and sends a text message to alert you if you have been sending out spam. This is an early warning system for after you have been compromised.
v-snitch monitors received email and sends a text message to alert you if you have actually received a known threat, from a bad sender or matching a known bad message pattern. This is an early warning system for before you are compromised.
- All alerts are logged.
- No emails are stored, ever.
- No meta info is stored, ever.
- All email integration is securely done by our friends at Context.IO.
It takes 2 minutes to set up... then you're done, and the servers monitor your mailboxes in the background.
How I built it
This was a fun project that started out as a good idea, and evolved into a very compelling application. One that I would use personally and professionally.
The application pattern is: "sign up, and configure" via a web-application interface.
As such, to build it I used my favorite web-app toolkits...
- MeteorJS (node, mongo, handlebars, etc)
- Bootstrap (less)
And of course packages to integrate the public APIs I used:
The publicly available repositories for Context.IO integration were a great start, but they were just Meteor wrappers for the excellent NPM package for Context.IO. I chose to make another, simpler, wrapper for Meteor.
For Twilio the Meteor package I used was accolver:twilio-meteor, and its implementation was super simple.
Wiring APIs together is pretty easy, but deciding on an architecture which allows them to be coordinated and orchestrated was a bit trickier. I eventually landed on a plugin structure, where I can add an extra internal package for each type of message scanner I want to implement; since they all share a consistent interface, stacking and running them is simple.
I have the full repo available on GitHub, and I'm happy to share privately, if you're interested...
Challenges I ran into
I thought it would be easier to get security threat dictionaries to flesh out my threat scanners... but I have not found many. I will be looking into finding more in the future and, more importantly, setting up a partnership with a security company to get ongoing updates.
NodeJS is great at async queries, which do not block the main process thread and do not time out. Meteor mostly runs inside fibers and thus is largely synchronous on the server, within a process call. I have run into complications trying to get Meteor to let loose and be asynchronous, which is important for a long-running API request followed by many iterative actions on each result from the API request.
Accomplishments that I'm proud of
As a result of this project, I created a pull request to the NPM package for Context.IO to fully implement an API which is documented but missing from the package.
The application itself serves as a useful tool in its current state. A great proof-of-concept, and a reliable security monitor, easy to set up.
With a bit more effort (see the roadmap) it may evolve into a game over tool in the sysadmin's toolbelt.
Once we find a security group with the right kind of top grade security scanning to wire in... the application goes from pretty cool, to gotta have it.
What I learned
Learning what Context.IO can accomplish is a pretty big lesson. It's a tool to access emails, a resource which has traditionally been very difficult to coordinate, especially when you think about different providers. Organizing most email providers into a single API and normalizing the data structure takes 90% of the work off my shoulders. I'm excited to see what others have come up with too.
Screencasting from Google Hangouts on-air is not as easy as it should be. (Audio issues, will resolve soon)
What's next for v-snitch
- [done] Authenticate with OAuth: Facebook, Google, Twitter, Github
- [done] Connect with Context.IO API and connect Mailboxes and Folders
- [done] Build a unit-tested, plugin-based system for scanning messages
- [done] Implement a first-draft implementation of scanners for:
  - [done] Bad Senders (list)
  - [done] Bad Body Patterns (regex)
  - [done] Bad Repeat Send (subject-line compare)
- [todo] Partner with a security provider to get updated lists of threats and more scanning options.
- [todo] Improve "Bad Repeat Send" scanner to utilize NLP for more flexible content comparisons. WIP
- [todo] Add other scanners (?)
- [todo] Improve the dashboard.
- [todo] Improve the branding & interface.
- [todo] Send monthly update emails.
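To make the plugin structure described under "How I built it" and the three first-draft scanners in the roadmap concrete, here is an added example in plain Node.js. It is not code from the v-snitch repository: the message shape ({ id, folder, from, subject, body }), the scanner interface ({ name, scan(message) }), the threshold value and the sample messages are all assumptions made for the example. The bad-sender and bad-body-pattern scanners cover the "before compromised" case on received mail; the bad-repeat-send scanner covers the "after compromised" case by counting identical subject lines in the Sent folder. Alert records carry only the scanner name, message id and a reason, never the body, matching the page's "no emails are stored" rule.

```javascript
// Added example: a minimal plugin-style scanner stack in plain Node.js,
// modelled on the three scanners the page lists. Not the v-snitch code;
// the message shape, scanner interface and sample data are assumptions.

// Every scanner implements the same interface: { name, scan(message) }.
// scan() returns a short reason string when the message is a hit, else null.
// Reasons never include the message body, so the alert log stays free of content.

function badSenderScanner(blockedSenders) {
  const blocked = new Set(blockedSenders.map((s) => s.toLowerCase()));
  return {
    name: 'bad-sender',
    scan(msg) {
      const from = (msg.from || '').toLowerCase();
      return blocked.has(from) ? `sender ${from} is on the blocklist` : null;
    },
  };
}

function badBodyPatternScanner(patterns) {
  // patterns: array of RegExp, tested against the body only
  return {
    name: 'bad-body-pattern',
    scan(msg) {
      const hit = patterns.find((re) => re.test(msg.body || ''));
      return hit ? `body matches pattern ${hit.source}` : null;
    },
  };
}

function repeatSendScanner(threshold) {
  // Stateful: counts how often the same normalised subject line has been
  // seen in the Sent folder. A burst of identical subjects is the
  // "compromised mailbox sending spam" signal the page describes.
  const seen = new Map();
  const normalise = (s) => (s || '').trim().toLowerCase().replace(/\s+/g, ' ');
  return {
    name: 'bad-repeat-send',
    scan(msg) {
      if (msg.folder !== 'Sent') return null;
      const key = normalise(msg.subject);
      const count = (seen.get(key) || 0) + 1;
      seen.set(key, count);
      return count >= threshold ? `subject repeated ${count} times in Sent` : null;
    },
  };
}

// Runs every scanner over every message; returns metadata-only alert records.
function runScanners(scanners, messages) {
  const alerts = [];
  for (const msg of messages) {
    for (const scanner of scanners) {
      const reason = scanner.scan(msg);
      if (reason) alerts.push({ scanner: scanner.name, id: msg.id, reason });
    }
  }
  return alerts;
}

// Constructed sample messages (not real mail); the field names are an assumption.
const SAMPLE_MESSAGES = [
  { id: 1, folder: 'Inbox', from: 'friend@example.com', subject: 'lunch?', body: 'tomorrow at noon' },
  { id: 2, folder: 'Inbox', from: 'spammer@bad.example', subject: 'hi', body: 'hello' },
  { id: 3, folder: 'Inbox', from: 'friend@example.com', subject: 'urgent', body: 'Verify your account now: http://login.example/verify' },
  { id: 4, folder: 'Sent', from: 'me@example.com', subject: 'Check this out!!', body: 'see link' },
  { id: 5, folder: 'Sent', from: 'me@example.com', subject: 'check this out!!', body: 'see link' },
  { id: 6, folder: 'Sent', from: 'me@example.com', subject: 'Check this out!! ', body: 'see link' },
];

// Stacking scanners is just building an array; the blocklist and patterns
// here stand in for the threat dictionaries the page wants to source later.
function buildDefaultStack() {
  return [
    badSenderScanner(['spammer@bad.example']),
    badBodyPatternScanner([/verify your account/i, /https?:\/\/login\.[a-z]+\//i]),
    repeatSendScanner(3),
  ];
}

function demo() {
  const alerts = runScanners(buildDefaultStack(), SAMPLE_MESSAGES);
  // In v-snitch the alert channel is a text message; here each alert is just logged.
  for (const a of alerts) console.log(`ALERT [${a.scanner}] message ${a.id}: ${a.reason}`);
  return alerts;
}

demo();
```

Running the block produces three alerts: message 2 from the blocklisted sender, message 3 whose body matches the first pattern, and message 6, the third Sent message with the same normalised subject line. Each scanner instance owns its own state, so a fresh stack from buildDefaultStack() starts counting from zero; in a long-running monitor the repeat-send counter would need a time window or reset per folder sweep.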