Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Lafayette is a system to store various email abuse reports sent in ARF.
Python JavaScript CSS
branch: master

README

Lafayette
=========

Lafayette is a system to store various email abuse reports sent in ARF. It is organized in such a way that fraudulent emails can be easily selected, sorted and reported back to the resource owners. For instance it can be used to receive DMARC failure reports.

Documentation and Screenshots at https://github.com/linkedin/lafayette/wiki

How to install
==============

This requires python, flask and mysql server.

1) create the database using the forensic.sql file
2) edit forensic.cfg with your parameters
3) run the web server forensic.py
4) install in a cron job the script forensic-mysql.py
5) send failure reports to the appropriate mailbox that forensic-mysql.py will read

Quick Guide
===========

Detecting fraudulent emails is a combination of an automatic process, and a manual one. The DMARC failure reports indicate a non authenticated email, sometimes it is a bounce (people forget to sign their bounces), sometimes it is an auto-reply. So the system tries to classify each email so we can ignore reports of bounces and others. A cursory look of the rest of the failure reports allows to identify patterns. For instance "all emails in the last 2 days with the subject containing 'wire transfer'" or "all emails in the last 2 days which contain an URL that terminates by mail.htm". Once the emails are identified they can be selected to be reported to the abuse email address of the network owner of the original sending IP.

Lafayette collects, identifies and reports fraudulent emails, so the zombies get fixed and removed from the botnet they belong to, at the same time the URLs are added in blocking lists that browsers use.

For ease of use, a graph of the last few days report indicates visually when there is a potential fraudulent activity going on and a world heat map of reported emails give an indication from which networks fraudulent activity is coming from.

Dependencies
============

* requires mysql-server >=5.6.3 for INET6_ functions
* dnspython
* flask
* dateutil
* MySQL-python
* mysql
* requests
* multiprocessing
* operator
* argparse
* ConfigParser
Something went wrong with that request. Please try again.