# Threat Detection

Smailander's threat detection system provides comprehensive analysis of emails to identify and classify threats. This guide explains how threat detection works and how to interpret threat scores.
## Threat Detection Overview

### Multi-Layer Analysis

Smailander uses multiple analysis layers for comprehensive threat detection:

```mermaid
graph LR
A[Email] --> B[ClamAV]
B --> C[SpamScanner]
C --> D[Phishing Analysis]
D --> E[SMTP Analysis]
E --> F[Threat Score]
F --> G[Classification]
style B fill:#ff6b6b
style C fill:#feca57
style D fill:#ff9ff3
style E fill:#54a0ff
style F fill:#5f27cd
style G fill:#1dd1a1
```
### Threat Scoring System

Each email receives a comprehensive threat score from 0-100:
| Score Range | Classification | Color | Action Required |
|---|---|---|---|
| 80-100 | CRITICAL | 🔴 Red | Immediate investigation |
| 60-79 | THREAT | 🟠 Orange | Analyze within 24 hours |
| 40-59 | SUSPICIOUS | 🟡 Yellow | Monitor and review |
| 20-39 | LOW RISK | 🟢 Light Green | Log and archive |
| 0-19 | CLEAN | ✅ Green | No action needed |
## Malware Detection (ClamAV)

### How ClamAV Works

ClamAV is an open-source antivirus engine that scans email attachments:

```mermaid
sequenceDiagram
participant Email as Email with Attachment
participant ClamAV as ClamAV Scanner
participant DB as Signature Database
participant Smailander as Smailander
Email->>ClamAV: Submit attachment
ClamAV->>DB: Check signatures
DB-->>ClamAV: Signature match/no match
ClamAV->>ClamAV: Heuristic analysis
ClamAV-->>Smailander: Scan result
alt Malware Detected
Smailander->>Smailander: Threat score += 95
Smailander->>Smailander: Flag as CRITICAL
else Clean
Smailander->>Smailander: Threat score += 0
Smailander->>Smailander: Mark as CLEAN
end
```
### Malware Types Detected
| Type | Description | Severity |
|---|---|---|
| Viruses | Self-replicating malicious code | 🔴 Critical |
| Trojans | Disguised malicious programs | 🔴 Critical |
| Ransomware | Encrypts files for ransom | 🔴 Critical |
| Worms | Spreads across networks | 🔴 Critical |
| Spyware | Steals sensitive data | 🟠 High |
| Adware | Displays unwanted ads | 🟡 Medium |
| Rootkits | Hides malicious processes | 🔴 Critical |
### ClamAV Scan Results

```json
{
  "scanned_at": "2026-03-12T14:30:15Z",
  "scanner": "ClamAV 0.103.8",
  "database_version": "20260312",
  "result": "FOUND",
  "threat_name": "Trojan.GenericKD.12345",
  "threat_type": "trojan",
  "file_size": 1024576,
  "scan_time": 0.523,
  "signatures_matched": 2
}
```

Result Interpretation:

- FOUND: Malware detected
- OK: No malware found
- ERROR: Scan failed (retry required)
### File Type Support

ClamAV supports scanning of many file types:
| Category | Supported Types |
|---|---|
| Documents | PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX |
| Archives | ZIP, RAR, 7Z, TAR, GZ |
| Images | JPG, PNG, GIF, BMP (steganography detection) |
| Scripts | JS, VBS, PS1, SH, PY |
| Executables | EXE, DLL, SO, ELF |
| Others | SWF, JAR, PKG, DMG |
**Archive Scanning:** ClamAV can scan files inside archives up to 10 levels deep. Nested archives are automatically extracted and scanned.
## Spam Detection (SpamScanner)

### How SpamScanner Works

SpamScanner uses machine learning and rule-based analysis to identify spam:

```mermaid
graph TD
A[Email] --> B{Content Analysis}
B --> C{Pattern Matching}
B --> D{ML Model}
C --> E{Reputation Check}
D --> E
E --> F[Spam Score 0-100]
style B fill:#feca57
style C fill:#ff9ff3
style D fill:#54a0ff
style E fill:#5f27cd
style F fill:#1dd1a1
```
### Spam Analysis Components

#### 1. Content Analysis
- Keyword detection: Common spam words and phrases
- Urgency indicators: "Immediate action required", "Act now"
- Obfuscation detection: Hidden text, random characters
- URL analysis: Suspicious link patterns
- Email formatting: Unusual formatting, excessive capitalization
#### 2. Pattern Matching
- Blacklisted phrases: Known spam patterns
- Blacklisted URLs: Links to spam sites
- Blacklisted senders: Known spam sources
- Recurring patterns: Similar spam campaigns
#### 3. Machine Learning
- Bayesian filtering: Probability-based classification
- Neural networks: Deep learning for pattern recognition
- Anomaly detection: Unusual email characteristics
- Adaptive learning: Improves over time
#### 4. Reputation Analysis
- Sender reputation: Historical sender behavior
- Domain reputation: Domain trustworthiness
- IP reputation: IP address history
- Server reputation: SMTP server track record
### SpamScanner Results

```json
{
  "score": 88,
  "classification": "SPAM",
  "confidence": 0.92,
  "analysis": {
    "content_score": 85,
    "pattern_score": 90,
    "ml_score": 89,
    "reputation_score": 88
  },
  "indicators": [
    "Contains urgency keywords",
    "Links to suspicious domains",
    "Excessive capitalization",
    "Blacklisted phrases present"
  ],
  "matched_rules": [
    "URGENCY_KEYWORDS_1",
    "SUSPICIOUS_URLS_2",
    "EXCESSIVE_CAPS_3"
  ]
}
```
### Spam Score Interpretation
| Score | Classification | Action |
|---|---|---|
| 0-30 | NOT SPAM | No action |
| 31-50 | LIKELY NOT SPAM | Monitor |
| 51-70 | LIKELY SPAM | Flag for review |
| 71-90 | SPAM | Mark as spam |
| 91-100 | DEFINITE SPAM | Automatically block |
## Phishing Detection

### Phishing Analysis

Phishing detection identifies attempts to steal sensitive information:

```mermaid
graph TD
A[Email] --> B{URL Analysis}
A --> C{Content Analysis}
A --> D{Sender Analysis}
B --> E{Domain Reputation}
B --> F{URL Patterns}
C --> G{Urgency Keywords}
C --> H{Brand Impersonation}
D --> I{SPF/DKIM/DMARC}
D --> J{Sender Reputation}
E --> K[Phishing Score]
F --> K
G --> K
H --> K
I --> K
J --> K
style K fill:#ff6b6b
```
### Phishing Indicators

#### 1. URL Analysis

Suspicious URL Patterns:

- IP addresses instead of domains: `http://192.168.1.100/login`
- Subdomain spoofing: `login-paypal.com`
- URL shorteners: `bit.ly/3x7k9l2`
- Typosquatting: `goggle.com`, `facebooke.com`

URL Analysis Example:

```json
{
  "url": "http://paypa1-secure.com/login",
  "analysis": {
    "domain": "paypa1-secure.com",
    "is_suspicious": true,
    "typosquatting": true,
    "similar_to": "paypal.com",
    "reputation_score": 15,
    "threat_type": "brand_impersonation"
  }
}
```
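The URL checks listed above, as an added example that is not Smailander's own code: it flags IP-address hosts, known URL shorteners, and brand look-alike domains (digit-for-letter substitutions such as `paypa1`, one- or two-character typos such as `goggle`, and a brand name embedded in a label such as `login-paypal`). The brand list and shortener list are constructed for the example; a real deployment would load both from reputation data.

```javascript
// Added example, not Smailander's code. Brand and shortener lists are constructed here.
const KNOWN_BRANDS = ["paypal.com", "google.com", "microsoft.com", "amazon.com", "facebook.com"];
const URL_SHORTENERS = new Set(["bit.ly", "tinyurl.com", "t.co"]);

// Undo common look-alike substitutions (paypa1 -> paypal, g00gle -> google) before comparing.
function normalizeLabel(label) {
  return label.toLowerCase()
    .replace(/1/g, "l").replace(/0/g, "o").replace(/3/g, "e").replace(/rn/g, "m");
}

// Levenshtein edit distance; one or two edits from a brand name is the typosquatting signal.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns { host, indicators, similarTo, isSuspicious } for one URL.
function analyzeUrl(rawUrl) {
  const { hostname } = new URL(rawUrl);
  const indicators = [];
  let similarTo = null;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) indicators.push("ip_address_host");
  if (URL_SHORTENERS.has(hostname)) indicators.push("url_shortener");
  const labels = hostname.split(".");
  const registered = labels.slice(-2).join(".");            // e.g. paypa1-secure.com
  const sld = labels.length > 1 ? labels[labels.length - 2] : hostname;
  for (const brand of KNOWN_BRANDS) {
    if (registered === brand) break;                          // the genuine brand domain is not flagged
    const brandName = brand.split(".")[0];
    const dist = editDistance(normalizeLabel(sld), brandName);
    const embedded = normalizeLabel(hostname).includes(brandName); // login-paypal.com, paypal-secure.com
    if (dist <= 2 || embedded) {
      indicators.push("brand_lookalike");
      similarTo = brand;
      break;
    }
  }
  return { host: hostname, indicators, similarTo, isSuspicious: indicators.length > 0 };
}
```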
#### 2. Content Analysis

Phishing Keywords:

- "Verify your account"
- "Confirm your identity"
- "Your account will be closed"
- "Immediate action required"
- "Security alert"

Urgency Tactics:

- Time pressure: "You have 24 hours"
- Fear: "Your account has been compromised"
- Authority: "From the security team"
- Scarcity: "Limited time offer"
#### 3. Brand Impersonation

Smailander detects brand impersonation attempts:

| Target Brand | Common Impersonations |
|---|---|
| PayPal | paypa1.com, paypal-secure.com |
| Microsoft | microsoft-support.com, office365-login.com |
| Google | goggle.com, google-verify.com |
| Amazon | amazonn.com, amazon-verify.com |
| Banking | Various bank impersonations |
### Phishing Detection Results

```json
{
  "score": 82,
  "classification": "PHISHING",
  "confidence": 0.87,
  "indicators": [
    "Brand impersonation detected",
    "Suspicious URL patterns",
    "Urgency keywords present",
    "Sender authentication failures"
  ],
  "impersonated_brand": "PayPal",
  "suspicious_urls": [
    "http://paypa1-secure.com/login"
  ],
  "urgency_score": 90,
  "auth_failures": {
    "spf": "fail",
    "dkim": "fail",
    "dmarc": "fail"
  }
}
```
## SMTP Analysis

### SMTP Authentication Analysis

Email authentication protocols verify sender legitimacy:

#### SPF (Sender Policy Framework)

Verifies that the sender is authorized to send from the domain:
| Result | Meaning | Threat Level |
|---|---|---|
| pass | Sender authorized | ✅ Low |
| neutral | SPF record not configured | ⚠️ Medium |
| softfail | Sender likely not authorized | ⚠️ Medium |
| fail | Sender not authorized | 🔴 High |
| temperror | Temporary DNS error | ⚠️ Medium |
| permerror | Permanent DNS error | ⚠️ Medium |
#### DKIM (DomainKeys Identified Mail)

Verifies email authenticity and integrity:
| Result | Meaning | Threat Level |
|---|---|---|
| pass | Email authenticated | ✅ Low |
| neutral | No DKIM signature | ⚠️ Medium |
| softfail | DKIM verification failed | ⚠️ Medium |
| fail | DKIM verification failed | 🔴 High |
| temperror | Temporary error | ⚠️ Medium |
| permerror | Permanent error | ⚠️ Medium |
#### DMARC

Combines SPF and DKIM with policy enforcement:
| Result | Meaning | Threat Level |
|---|---|---|
| pass | Both SPF and DKIM pass | ✅ Low |
| none | No DMARC policy | ⚠️ Medium |
| quarantine | SPF/DKIM failed, quarantine | 🟠 Medium-High |
| reject | SPF/DKIM failed, reject | 🔴 High |
### SMTP Server Analysis

Analysis of the sending SMTP server:

```json
{
  "server": {
    "hostname": "mail.bad-domain.com",
    "ip_address": "192.168.1.100",
    "tls": false,
    "port": 25
  },
  "geolocation": {
    "country": "Russia",
    "city": "Moscow",
    "asn": "AS12345",
    "organization": "Bad ISP"
  },
  "reputation": {
    "ip_reputation": 25,
    "domain_reputation": 30,
    "server_reputation": 20,
    "overall": 25
  },
  "blacklist_check": {
    "is_blacklisted": true,
    "blacklists": [
      "Spamhaus ZEN",
      "SpamCop",
      "Barracuda"
    ]
  }
}
```

Blacklist Check:

- Email is checked against major blacklists
- Multiple blacklists indicate high threat
- Clean servers have no blacklist entries
### Geographic Analysis

Geographic patterns can indicate threats:

```mermaid
graph TD
A[SMTP Server IP] --> B{Geolocation}
B --> C{Country Analysis}
B --> D{ASN Analysis}
C --> E{Threat Level by Country}
D --> F{Threat Level by ASN}
E --> G{Country Reputation}
F --> H{ASN Reputation}
G --> I[Geographic Threat Score]
H --> I
style I fill:#ff6b6b
```

High-Risk Countries:

- Countries with high cybercrime rates
- Countries with poor IP reputation
- Countries on sanctions lists

Anomaly Detection:

- Unexpected geographic sources
- Geographic inconsistencies (sender location vs server location)
- Multiple countries from same sender
## Overall Threat Score

### Score Calculation

The overall threat score is calculated from component scores:

```json
{
  "overall_score": 85,
  "classification": "THREAT",
  "components": {
    "malware": {
      "score": 95,
      "weight": 0.35
    },
    "spam": {
      "score": 88,
      "weight": 0.25
    },
    "phishing": {
      "score": 82,
      "weight": 0.20
    },
    "reputation": {
      "score": 70,
      "weight": 0.10
    },
    "anomaly": {
      "score": 75,
      "weight": 0.10
    }
  },
  "calculation": "(95 * 0.35) + (88 * 0.25) + (82 * 0.20) + (70 * 0.10) + (75 * 0.10) = 85"
}
```
### Score Components
| Component | Weight | Description |
|---|---|---|
| Malware | 35% | ClamAV scan result |
| Spam | 25% | SpamScanner result |
| Phishing | 20% | Phishing analysis result |
| Reputation | 10% | Sender, domain, and server reputation |
| Anomaly | 10% | Behavioral anomaly detection |
### Classification Logic

```javascript
// Threshold bands from the Threat Scoring System table
if (overall_score >= 80) {
  classification = "CRITICAL";
  priority = "immediate";
} else if (overall_score >= 60) {
  classification = "THREAT";
  priority = "high";
} else if (overall_score >= 40) {
  classification = "SUSPICIOUS";
  priority = "medium";
} else if (overall_score >= 20) {
  classification = "LOW RISK";
  priority = "low";
} else {
  classification = "CLEAN";
  priority = "none";
}
```
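The weighted sum from the Score Components table and the threshold logic above, combined in one table-driven routine. This is an added example, not Smailander's own code; the function names and the strictness about unknown components are assumptions. Applied to the component scores in the sample document above, the table's weights give 86.15, not the 85 shown, which the thresholds place in CRITICAL.

```javascript
// Added example, not Smailander's code: weights from the Score Components table,
// thresholds from the Classification Logic above, both kept as data so they can be tuned.
const COMPONENT_WEIGHTS = { malware: 0.35, spam: 0.25, phishing: 0.20, reputation: 0.10, anomaly: 0.10 };

// Highest threshold first; the first one the score reaches wins.
const CLASSIFICATIONS = [
  [80, "CRITICAL", "immediate"],
  [60, "THREAT", "high"],
  [40, "SUSPICIOUS", "medium"],
  [20, "LOW RISK", "low"],
  [0, "CLEAN", "none"],
];

// Weighted sum of component scores (each 0-100), rounded to two decimals.
// A missing component counts as 0; an unknown name or out-of-range score is rejected
// so a malformed result document fails loudly instead of silently lowering the score.
function overallScore(components) {
  let total = 0;
  for (const [name, score] of Object.entries(components)) {
    if (!(name in COMPONENT_WEIGHTS)) throw new Error(`unknown component: ${name}`);
    if (typeof score !== "number" || score < 0 || score > 100) throw new Error(`bad score: ${name}`);
    total += score * COMPONENT_WEIGHTS[name];
  }
  return Math.round(total * 100) / 100;
}

function classify(score) {
  for (const [threshold, classification, priority] of CLASSIFICATIONS) {
    if (score >= threshold) return { classification, priority };
  }
  return { classification: "CLEAN", priority: "none" };
}

// Produces a result in the shape of the overall-score document above.
function scoreEmail(components) {
  const overall_score = overallScore(components);
  return { overall_score, ...classify(overall_score), components };
}
```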
## Threat Intelligence

### Correlation Engine

Smailander correlates threats across multiple dimensions:

```mermaid
graph TD
A[Email] --> B{Same Sender}
A --> C{Same Domain}
A --> D{Same IP}
A --> E{Same Pattern}
B --> F[Sender Reputation]
C --> G[Domain Reputation]
D --> H[IP Reputation]
E --> I[Pattern Recognition]
F --> J[Threat Intelligence]
G --> J
H --> J
I --> J
style J fill:#5f27cd
```
### Intelligence Database

Build comprehensive threat intelligence:
| Dimension | Data Points | Use Case |
|---|---|---|
| Senders | Email addresses, patterns | Blocklist creation |
| Domains | Domain reputation, history | DNS filtering |
| IPs | Geographic, reputation | Firewall rules |
| URLs | Phishing sites, patterns | Web filtering |
| Attachments | Malware types, hashes | Endpoint protection |
| SMTP Servers | Infrastructure analysis | Mail server filtering |
### Threat Sharing

Smailander can share threat intelligence:
- External feeds: Integrate with threat intelligence platforms
- Community sharing: Share anonymized threat data
- Custom feeds: Create custom threat feeds for your organization
- API access: Programmatic threat intelligence access
## False Positives and False Negatives

### Managing False Positives

A false positive occurs when a legitimate email is marked as a threat.

Common Causes:

- Overly aggressive spam filters
- Legitimate marketing emails
- Newsletters and notifications
- Automated system emails

Resolution:

1. Mark email as "Not a Threat"
2. Add sender to allowlist
3. Adjust detection thresholds
4. Report false positive to improve detection

### Managing False Negatives

A false negative occurs when a malicious email is not detected.

Common Causes:

- New malware variants
- Evolving phishing techniques
- Zero-day exploits
- Sophisticated evasion techniques

Resolution:

1. Manually mark email as "Threat"
2. Submit to malware analysis
3. Add to custom detection rules
4. Update signature databases
## Custom Detection Rules

### Creating Custom Rules

Create rules tailored to your organization:

```json
{
  "rule_id": "custom_rule_001",
  "name": "Vendor-specific phishing",
  "description": "Detect phishing emails impersonating our vendors",
  "conditions": [
    {
      "field": "subject",
      "operator": "contains",
      "value": "invoice"
    },
    {
      "field": "from",
      "operator": "not_in",
      "value": ["@trusted-vendor.com", "@approved-domain.com"]
    },
    {
      "field": "attachments",
      "operator": "has",
      "value": "invoice.pdf"
    }
  ],
  "action": "flag",
  "priority": "high"
}
```
### Rule Examples

**Example 1: Internal Email Spoofing**

```json
{
  "name": "Internal spoofing detection",
  "conditions": [
    {"field": "from", "operator": "ends_with", "value": "@company.com"},
    {"field": "spf", "operator": "equals", "value": "fail"}
  ],
  "action": "flag_as_critical"
}
```

**Example 2: High-Value Target Phishing**

```json
{
  "name": "Executive phishing",
  "conditions": [
    {"field": "to", "operator": "in", "value": ["ceo@company.com", "cfo@company.com"]},
    {"field": "subject", "operator": "contains", "value": "urgent"}
  ],
  "action": "flag_as_critical"
}
```
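A small evaluator that runs rule documents like the three above against a parsed email, as an added example that is not Smailander's own engine. The shape of the email object and the exact semantics of each operator (`contains`, `equals`, `ends_with`, `in`, `not_in`, `has`) are assumptions for this example; all conditions of a rule must match for its action to fire, and a field the email lacks never matches.

```javascript
// Added example, not Smailander's code. Operator semantics and email shape are assumptions.
const OPERATORS = {
  contains:  (f, v) => String(f).toLowerCase().includes(String(v).toLowerCase()),
  equals:    (f, v) => f === v,
  ends_with: (f, v) => String(f).toLowerCase().endsWith(String(v).toLowerCase()),
  // in: the field (or any element of an array field such as "to") is in the value list
  in:        (f, v) => [].concat(f).some((x) => v.includes(x)),
  // not_in: the sender address does not end with any listed domain suffix
  not_in:    (f, v) => !v.some((suffix) => String(f).toLowerCase().endsWith(suffix.toLowerCase())),
  // has: an attachment with exactly this file name is present
  has:       (f, v) => Array.isArray(f) && f.some((a) => a.name === v),
};

// True only if every condition matches; a field absent from the email never matches,
// and an operator the engine does not know is an error rather than a silent miss.
function evaluateRule(rule, email) {
  return rule.conditions.every((cond) => {
    const op = OPERATORS[cond.operator];
    if (!op) throw new Error(`unknown operator: ${cond.operator}`);
    return cond.field in email && op(email[cond.field], cond.value);
  });
}

// Returns the name and action of every rule that matched.
function matchRules(rules, email) {
  return rules.filter((r) => evaluateRule(r, email)).map((r) => ({ name: r.name, action: r.action }));
}

// Constructed sample: an internal-looking sender failing SPF, urgent invoice to the CFO.
const SAMPLE_EMAIL = {
  from: "accounts@company.com",
  to: ["cfo@company.com"],
  subject: "Urgent: invoice overdue",
  spf: "fail",
  attachments: [{ name: "invoice.pdf" }],
};

// The two rules from Rule Examples plus the vendor rule from Creating Custom Rules.
const SAMPLE_RULES = [
  { name: "Internal spoofing detection", action: "flag_as_critical", conditions: [
    { field: "from", operator: "ends_with", value: "@company.com" },
    { field: "spf", operator: "equals", value: "fail" } ] },
  { name: "Executive phishing", action: "flag_as_critical", conditions: [
    { field: "to", operator: "in", value: ["ceo@company.com", "cfo@company.com"] },
    { field: "subject", operator: "contains", value: "urgent" } ] },
  { name: "Vendor-specific phishing", action: "flag", conditions: [
    { field: "subject", operator: "contains", value: "invoice" },
    { field: "from", operator: "not_in", value: ["@trusted-vendor.com", "@approved-domain.com"] },
    { field: "attachments", operator: "has", value: "invoice.pdf" } ] },
];
```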
## Best Practices

### 1. Regular Monitoring
- Daily: Review critical threats (score ≥ 80)
- Weekly: Review all threats (score ≥ 60)
- Monthly: Review threat trends and patterns
### 2. Threshold Tuning
- Start conservative: Begin with higher thresholds
- Monitor false positives: Track accuracy
- Adjust gradually: Make small adjustments over time
- Document changes: Keep record of threshold changes
### 3. Rule Management
- Regular review: Update custom rules quarterly
- Test rules: Test in staging before production
- Monitor effectiveness: Track rule hit rates
- Remove obsolete rules: Delete unused rules
### 4. Threat Intelligence
- Correlate data: Look for patterns across threats
- Share intelligence: Share findings with security team
- Update feeds: Keep threat intelligence current
- Automate responses: Automate responses to known threats
## Troubleshooting

### High False Positive Rate

Symptom: Many legitimate emails flagged as threats

Solutions:

1. Adjust detection thresholds
2. Add trusted senders to allowlist
3. Update custom detection rules
4. Review and adjust SpamScanner settings

### High False Negative Rate

Symptom: Malicious emails not detected

Solutions:

1. Update ClamAV virus definitions
2. Train SpamScanner with your data
3. Add custom detection rules
4. Review and adjust thresholds

### Slow Threat Detection

Symptom: Emails taking too long to analyze

Solutions:

1. Check ClamAV resource usage
2. Optimize SpamScanner settings
3. Review database performance
4. Consider scaling infrastructure
## Next Steps
- Analytics - Advanced threat analytics
- Reports - Generate threat reports
- API: Webhooks - Configure real-time alerts
## Need Help?
- FAQ - Common questions
- Troubleshooting - Solve issues
- API Documentation - API reference
- Contact - Get support