In [2]:
%matplotlib inline
import seaborn
seaborn.set()
import numpy as np
import pandas as pd

In [3]:
import re
import nltk
from nltk.tokenize import wordpunct_tokenize
from nltk.corpus import stopwords
from collections import defaultdict

In [4]:
#nltk.download()

##Task Description
The task is to identify links in email data which are important or relevant to emails, and links which are not important and irrelavant to email. For example, if there is a link in a body of the message regarding work, it should be important. And link which is just a part of the footer, ex, personal blog of the sender, is not so important.

Lets use some public dataset for the same. We will be using a spam classification dataset available here http://spamassassin.apache.org/publiccorpus/ .

In [5]:
ls -lh ../myemails/ | head

total 110M
-rw-rw-r-- 1 zopnow zopnow  233 Aug  8 17:41 1000
-rw-rw-r-- 1 zopnow zopnow 1.1K Aug  8 17:41 1001
-rw-rw-r-- 1 zopnow zopnow  993 Aug  8 17:41 1002
-rw-rw-r-- 1 zopnow zopnow 2.1K Aug  8 17:41 1003
-rw-rw-r-- 1 zopnow zopnow 2.7K Aug  8 17:41 1004
-rw-rw-r-- 1 zopnow zopnow 4.3K Aug  8 17:41 1005
-rw-rw-r-- 1 zopnow zopnow 1.8K Aug  8 17:41 1006
-rw-rw-r-- 1 zopnow zopnow 1.7K Aug  8 17:41 1007
-rw-rw-r-- 1 zopnow zopnow 3.5K Aug  8 17:41 1008
ls: write error


Each email has some headers and message body. Headers may be important in some cases such as spam classification, but for the task we are solving, we can get rid of all the headers. 
Run following python script which parses all messages and extracts only email body. Each email is a long string. And the output is list of emails.

In [6]:
import os
import sys

def loadAndExtractMessage(filename):
    email = open(filename, "r")
    message = email.readlines()
    #This is only applicable if you have headers in email, comment out if you dont have headers.
    first_blank_index = message.index('\n') if '\n' in message else 0
    first_signature_index = min(message.index('-- \n', first_blank_index) if '-- \n' in message else len(message),
                                message.index('___\n', first_blank_index) if '___\n' in message else len(message),
                                message.index('--\n', first_blank_index) if '--\n' in message else len(message), 
                                message.index('-----Original Message-----\n', first_blank_index) if '-----Original Message-----\n' in message else len(message), 
                                message.index('________________________________', first_blank_index) if '________________________________' in message else len(message),
                                message.index('From: ', first_blank_index) if 'From: ' in message else len(message), 
                                message.index('Sent from my ', first_blank_index) if 'Sent from my ' in message else len(message))
    message = message[(first_blank_index+1):(first_signature_index)]
    #cases to handle, remove quoted text
    return ''.join(message)

def getEmailsFromDir(path):
    filelist = os.listdir(path)
    filelist = filter(lambda x: x != 'cmds', filelist)
    all_messages = [loadAndExtractMessage(os.path.join(path, f)) for f in filelist]
    return all_messages

In [7]:
all_messages = getEmailsFromDir('../easy_ham/')

In [8]:
print all_messages[1]

Hi Kragen,

   This is an interesting analysis.  I think that there are a couple
of nits I might pick (for example, I don't expect that the market will
be well developed with highest bidders for while), I think that the
most important issue, which is that end users won't be able to fix
their systems, is almost passed over.  I know that you know this, and
you allude to it, but your essay is getting passed around, so you
might want to add to it bits about the sysadmin and others.

   There's one other point which you don't make, which I think is very
important, which is that research into defining and addressing classes
of vulnerabilities can't happen without libraries of available
vulnerability code.  I can think of three researchers into automated
methods for addressing vulnerabilities who griped, uninvited, about
the quality of the existing vulnerability sites.  Doing research into
a set requires that you have enough examples, in the open, that you
can define a set, and that the set i

The importance of link depends upon where it is placed in text. That means, sequence of words before and after the link matters and they largely decide whether link is important. For example, 
1. Please see the below link "http://www.google.com"
2. Regards, Chaitanya Bendre "http://chaitanya.com"

In the above text, first link is important and second link not since it only describes personal link of the sender.

So, lets process each input message. We will do following things in sequence on this messages.
1. Remove '3D' character and HTML tags
2. Remove newline characters
3. Replace Multiple underscores with a single one
4. Remove '=\n' symbols from text, since they sometimes appear to indicate line wrapping.
5. Remove stopwords such as 'a','and','the'
6. Remove puncuation tokens, numbers and single letters 

In [9]:
def get_msg_words(message, strip_html = False):
    #remove 3D character
    message = re.sub('3D','', message)
    
    # Strip out html tags and attributes and html character codes,
    # like &nbsp; and &lt;.
    if strip_html:
        message = re.sub('<(.|\n)*?>', ' ', message)
        message = re.sub('&\w+;', ' ', message)
    
    #replace multiple underscores with single 
    message = re.sub('_+', '_', message)
    
    # remove '=' symbols before tokenizing, since these are
    # sometimes occur within words to indicate, e.g., line-wrapping.
    message = message.replace('=\n', '')
    
    # Get rid of stopwords
    #remove stopwords
    stop_words = set(stopwords.words('english'))
    msg_words = [word for word in message.lower().split() if word not in stop_words]
    
    #remove puncuation, numbers 
    msg_words = [w for w in msg_words if re.search('[a-zA-Z]', w) ]
    
    return msg_words

In [10]:
words = get_msg_words(all_messages[2], strip_html=True)
print words

['fri,', 'feb', '12:42:02pm', 'brian', 'french', 'wrote:', 'hey', 'problem:', 'rpms', 'installed', 'want', 'uninstall,', 'like', 'so:', 'rpm', '-e', '[rpm', 'package]', 'gives', 'error:', 'package', 'installed,', 'install', 'like', 'so:', 'little', 'confusing', 'install', 'rpms', 'like', 'rpm', '-ivh', 'packagename-0.1.1.rpm', 'uninstalls', 'must', 'done', 'without', 'version', 'info', 'like', 'rpm', '-e', 'packagename', 'ie:', 'rpm', '-e', 'sendmail', 'rpm', '-e', 'sendmail-devel.', 'give', 'go', 'work', 'np.', 'phil,', 'rpm', '-i', '[rpm', 'package]', 'gives', 'error:', 'package', 'already', 'installed,', 'force', 'install', 'like', 'so:', 'rpm', '-i', '--force', '[rpm', 'package]', 'installs', 'try', 'uninstall', 'still', 'gives', 'error:', 'package', 'installed.', 'get', 'recognize', 'package', 'indeed', 'installed', 'it,', 'and/or', 'get', 'unstall', 'it?', 'thanx', 'advance,', 'brian', 'french', '-french', 'rpm-list', 'mailing', 'list', 'http://lists.freshrpms.net/mailman/listinf

Now that we have tested our function, next step is analysing this links to find important ones.
Lets run one basic analysis, which is getting TF-IDF matrix of all words, and getting the words which starts with http://. We will sort them by tfidf score and print top ones. Of course, this approach regards all links in the email as same, wherever they are placed. 

In [11]:
def getAllMessagesAfterCleaning(all_messages):
    data = []
    for msg in all_messages:
        words = get_msg_words(msg, strip_html=True)
        data.append(words)
    return data

In [12]:
dataset = getAllMessagesAfterCleaning(all_messages)
dataset[0]

['hi',
 'all,',
 "i'm",
 'trying',
 'set',
 'following:',
 'linux',
 'server',
 'running',
 'modem',
 'internet',
 'connectivity',
 'ethernet',
 'card',
 'lan',
 'connectivity',
 'lan',
 'pcs',
 'ethernet',
 'cards,',
 'using',
 'linux',
 'server',
 'dns/dhcp',
 'etc.',
 'basically,',
 'want',
 'route',
 'non',
 'lan',
 'traffic',
 'ppp0.',
 "i've",
 'got',
 'way,',
 'like',
 'similar',
 'post',
 'earlier',
 'modem',
 'problems,',
 'connected',
 'internet',
 'eht0',
 'up,',
 'routing',
 'incorrect',
 'noting',
 'goes',
 'ppp0',
 '(eh0',
 'must',
 'default',
 'route',
 'something).',
 'standard',
 '"out',
 'box"',
 'linux',
 'tools',
 'carry',
 'portmapping',
 'behalf',
 'lan',
 'pcs',
 "(i'm",
 'planning',
 'non',
 'routable',
 'addresses',
 '192.168.x.x',
 'lan,',
 'routed',
 'outwards',
 'via',
 'ppp0',
 'interface).',
 'someone',
 'point',
 'right',
 'howtos',
 'routing',
 'documentation',
 'need',
 'follow',
 'thanks,',
 'dermot.']

Not Lets extract links from each item in datasets making two lists. Data list will contain that preceed the link. And label list will have name of the link.

In [13]:
def extractlinksfromdataset(dataset, numwords = 10):
    newdataset = []
    datalabels = []
    for data in dataset:
        starts = [n for n,l in enumerate(data) if l.startswith('http://')]
        for index in starts:
            newdataset.append(' '.join(data[(index-numwords):index] + data[(index+1):(index+numwords+1)]))
            datalabels.append(data[index])
    return newdataset, datalabels

In [14]:
newdataset, linklabels = extractlinksfromdataset(dataset)

In [15]:
newdataset[:3]

['08:42:12am eugen leitl wrote: eugen* leitl leitl icbmto: n48 e11 83e5ca02: ede4 a96b 07a7 1a88 aa58 0e89 83e5 ca02 forwarded',
 'contribute? vcp active. welcome begin contributing today. learn more, go questions would like sign contributor vcp, please contact us contributor@idefense.com.',
 'exploits malicious code discovers new software/hardware weaknesses controlled lab environment."']

In [16]:
linklabels[:3]

['http://eugen.leitl.org',
 'http://www.idefense.com/contributor.html.',
 'http://xent.com/mailman/listinfo/fork']

Now we will make a Term Frequency corpus of these docs. Our intuition is that links which are not important will appear more than once in the same context. For example, whenever comment appears on facebook or google group. Or if the link is part of some standard promotional mails. Having similar words before and after link, these links will be similar and form cluster. Therefore, links which do not fall into any cluster are outliers. And we will treat them as important links.

How do we detect outliers from clusters ? There are several approaches, but we will try two of them. 
1. Robust Estimator of co-variance
2. One-class SVM.
http://scikit-learn.org/stable/auto_examples/covariance/plot_outlier_detection.html

In [46]:
from sklearn.feature_extraction.text import CountVectorizer
vectorizer = CountVectorizer(stop_words='english', decode_error='ignore')

In [47]:
vectordata = vectorizer.fit_transform(newdataset)

In [48]:
len(linklabels)

2968

In [49]:
vectordata.shape

(2968, 8001)

In [None]:
from sklearn import svm
outliers_fraction = 0.95
clf = svm.OneClassSVM(nu = 0.95 * outliers_fraction + 0.05, kernel='rbf', gamma=0.1)
clf.fit(vectordata)
y_pred = clf.decision_function(vectordata).ravel()

In [40]:
y_pred

array([ -1.62039069e+294,  -1.60145404e+294,  -1.58811892e+294, ...,
        -1.53777594e+294,  -1.62039052e+294,  -1.62038711e+294])

In [41]:
from scipy import stats
threshold = stats.scoreatpercentile(y_pred, 100 * outliers_fraction)

In [42]:
y_pred = y_pred > threshold

In [43]:
from itertools import compress
imp_links = list(compress(linklabels, y_pred))

In [44]:
len(imp_links)

149

In [45]:
imp_links[:]

['http://www.post-gazette.com/columnists/20020905brian5.asp',
 'http://www.newsisfree.com/click/-2,8424915,1717/',
 'http://www.newsisfree.com/click/-4,8293089,1717/',
 'http://www.osnews.com/story.php?news_id=1890',
 'http://www.aaronsw.com/weblog/000647',
 'http://infomesh.net/2002/swhaiku/',
 'http://weblog.burningbird.net/archives/000581.php',
 'http://www.dooce.com/mtarchives/10_08_2002.html',
 'http://www.elegantwomen.net/mirasorvino/009.html',
 'http://www.safesearching.com/portiaderossi/gallery/',
 'http://images.amazon.com/images/p/0792846486.01.lzzzzzzz.jpg',
 'http://www.elegantwomen.net/jeriryan/003.html',
 'http://www.stylenetwork.com/shows/nigella/gallery/index.html',
 'http://www.elegantwomen.net/angelinajolie/009.html',
 'http://bitworking.org/oct2002.html#x631695997519494480',
 'http://www.winterspeak.com/columns/082001.html',
 'http://www.annoyances.org/exec/show/article02-013',
 'http://www.mozilla.org/',
 'http://www.gnu.org/software/emacs/windows/ntemacs.html',
 'h

Ok, we got some results. The model has captured some important links as checked manually. But it also seems like it has captured some spam links, irrelavant links as well. There can be number of explanations for this, 
1. We have not tuned parameters of OneSVM properly. We can optimize them.
2. We havent cleaned our data properly. Some signatures are still present. And quoted text is present too.
3. We are just considering term frequencies as a measure for calculating distances between two samples. May we can normalize them before running algorithm
4. We can use some other Vectorizer such TF-IDF vectorizer to calculate similarity.
5. Or Maybe, our assumption that two links are similar if the count of words just before and after the link is same, is wrong. 
6. We can also use some features other than just word tokens.

In [None]:
#Lets try with TF-IDF vectorizer
from sklearn.feature_extraction.text import TfidfVectorizer
vectorizer = TfidfVectorizer(stop_words='english', decode_error='ignore')
vectordata = vectorizer.fit_transform(newdataset)

In [None]:
#Lets try Robust Covariance Detector
from sklearn.covariance import EllipticEnvelope
clf = EllipticEnvelope(contamination=0.1)
vectordata = vectordata.toarray()
clf.fit(vectordata)
y_pred = clf.decision_function(vectordata).ravel()
threshold = stats.scoreatpercentile(y_pred, 100 * outliers_fraction)
y_pred = y_pred > threshold
imp_links = list(compress(linklabels, y_pred))
imp_links[:]