Lafayette
=========

Lafayette is a system to store email abuse reports sent in ARF (the Abuse Reporting Format). It is organized so that fraudulent emails can be easily selected, sorted and reported back to the owners of the resources involved. For instance, it can be used to receive DMARC failure reports.

Documentation and Screenshots at https://github.com/linkedin/lafayette/wiki

How to install
==============

This requires Python 2 (the dependencies include ConfigParser and MySQL-python), Flask and a MySQL server (5.6.3 or later, see Dependencies).

1) create the database from the forensic.sql file
2) copy forensic.cfg-template to forensic.cfg and edit it with your parameters
3) run the web server forensic.py
4) install the script forensic-mysql.py as a cron job
5) send failure reports to the mailbox that forensic-mysql.py reads, i.e. publish that address in the ruf= tag of your DMARC record

Quick Guide
===========

Detecting fraudulent emails combines an automatic process with a manual one. A DMARC failure report indicates an email that failed authentication, but that is not always fraud: sometimes it is a bounce (people forget to sign their bounces), sometimes it is an auto-reply. So the system first tries to classify each email, so that reports of bounces and the like can be ignored. A cursory look at the remaining failure reports then lets patterns be identified, for instance "all emails in the last 2 days whose subject contains 'wire transfer'" or "all emails in the last 2 days that contain a URL ending in mail.htm". Once the emails are identified, they can be selected and reported to the abuse email address of the network owner of the original sending IP.
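
The two steps above, as an added example that is not Lafayette's own code (standard library only): the automatic classification of each report as bounce, auto-reply or suspect, followed by the manual selection "last 2 days, subject contains 'wire transfer'" or "URL ending in mail.htm", run over four constructed ARF reports. The ARF layout follows RFC 5965 (a multipart/report with a message/feedback-report part and the original message as message/rfc822); the classification rules, record layout and function names are assumptions chosen to illustrate the README rather than the schema in forensic.sql, and the addresses and IPs are documentation placeholders.

```python
"""Parse DMARC failure reports (ARF, RFC 5965), classify them, select suspects.
Added example, not Lafayette's own code: the rules below are assumptions that
approximate the README; all sample reports are constructed with RFC 5737 IPs."""
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import parsedate_to_datetime

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def parse_arf(raw):
    """Split an ARF message into its feedback-report fields and the original mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF report")
    fields = original = None
    for part in msg.iter_parts():
        if part.get_content_type() == "message/feedback-report":
            fields = part.get_payload(0)      # parsed like a header block
        elif part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)    # the reported message itself
    if fields is None or original is None:
        raise ValueError("report lacks a feedback-report or original-message part")
    return fields, original

def classify(fields, original):
    """Automatic cut: bounces and auto-replies are noise, everything else is suspect."""
    mail_from = str(fields.get("Original-Mail-From", "")).strip()
    sender = str(original.get("From", "")).lower()
    if mail_from == "<>" or "mailer-daemon" in sender \
            or original.get_param("report-type") == "delivery-status":
        return "bounce"
    auto = str(original.get("Auto-Submitted", "no")).lower()
    subject = str(original.get("Subject", "")).lower()
    if auto != "no" or subject.startswith(("automatic reply", "out of office")):
        return "autoreply"
    return "suspect"

def extract_urls(original):
    """URLs in the reported message body (HTML part preferred, else plain text)."""
    body = original.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body is not None else []

def ingest(raw):
    """One record per report: sending IP, arrival time, subject, URLs, class."""
    fields, original = parse_arf(raw)
    return {"source_ip": str(fields.get("Source-IP", "")),
            "arrival": parsedate_to_datetime(str(fields["Arrival-Date"])),
            "subject": str(original.get("Subject", "")),
            "urls": extract_urls(original),
            "kind": classify(fields, original)}

def select_suspects(records, now, days=2, subject_contains=None, url_suffix=None):
    """Manual step: 'last N days, subject contains X' and/or 'a URL ends in Y'."""
    since = now - timedelta(days=days)
    hits = []
    for r in records:
        if r["kind"] != "suspect" or r["arrival"] < since:
            continue
        if subject_contains and subject_contains.lower() not in r["subject"].lower():
            continue
        if url_suffix and not any(u.endswith(url_suffix) for u in r["urls"]):
            continue
        hits.append(r)
    return hits

def _arf(source_ip, arrival, mail_from, original):
    """Wrap a constructed original message in a constructed ARF report."""
    return ("From: dmarc-feedback@example.net\nTo: dmarc-failures@example.com\n"
            "Subject: DMARC failure report\nMIME-Version: 1.0\nContent-Type: "
            'multipart/report; report-type=feedback-report; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nDMARC authentication failure.\n"
            "--b1\nContent-Type: message/feedback-report\n\nFeedback-Type: auth-failure\n"
            f"Version: 1\nAuth-Failure: dmarc\nOriginal-Mail-From: {mail_from}\n"
            f"Source-IP: {source_ip}\nReported-Domain: example.com\nArrival-Date: {arrival}\n\n"
            "--b1\nContent-Type: message/rfc822\n\n" + original + "\n--b1--\n")

NOW = datetime(2014, 2, 27, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    # spoofed lure whose landing page path ends in mail.htm
    _arf("192.0.2.10", "Wed, 26 Feb 2014 09:15:00 +0000", "<billing@example.com>",
         "From: Accounts <billing@example.com>\nTo: victim@example.org\n"
         "Subject: Urgent wire transfer confirmation\n\n"
         "Confirm at http://198.51.100.7/login/mail.htm before 5pm.\n"),
    # unsigned bounce: null MAIL FROM, mailer-daemon sender
    _arf("203.0.113.5", "Wed, 26 Feb 2014 11:00:00 +0000", "<>",
         "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\nTo: a@example.com\n"
         "Subject: Undelivered Mail Returned to Sender\n\nDelivery failed.\n"),
    # auto-reply, flagged by the Auto-Submitted header
    _arf("203.0.113.9", "Tue, 25 Feb 2014 16:30:00 +0000", "<jane@example.com>",
         "From: jane@example.com\nTo: b@example.org\nSubject: Automatic reply: meeting\n"
         "Auto-Submitted: auto-replied\n\nI am out of the office.\n"),
    # same lure a week earlier, outside the two-day window
    _arf("192.0.2.44", "Thu, 20 Feb 2014 08:00:00 +0000", "<hr@example.com>",
         "From: hr@example.com\nTo: c@example.org\nSubject: wire transfer request\n\n"
         "See http://203.0.113.77/doc/mail.htm\n"),
]

if __name__ == "__main__":
    for hit in select_suspects([ingest(s) for s in SAMPLES], NOW, url_suffix="mail.htm"):
        print("report", hit["source_ip"], "to the abuse contact of its network")
```

The reporting step itself (looking up the abuse contact for the source IP through WHOIS or RDAP and mailing the report) is left out because it needs network access. Everything in an ARF report, the Source-IP and Arrival-Date fields included, is supplied by the reporter, so treat it as untrusted input before it reaches the database or an outgoing abuse email.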

Lafayette collects, identifies and reports fraudulent emails so that the compromised machines (zombies) sending them get cleaned up and drop out of the botnet they belong to, while at the same time the phishing URLs get added to the block lists that browsers use.

For ease of use, a graph of the reports over the last few days shows at a glance when potentially fraudulent activity is going on, and a world heat map of reported emails indicates which networks the fraudulent activity is coming from.

Dependencies
============

* mysql-server >= 5.6.3 (the INET6_ATON/INET6_NTOA functions, needed to store IPv6 addresses, appeared in that release)
* mysql
* MySQL-python
* dnspython
* flask
* dateutil
* requests
* from the Python 2 standard library: multiprocessing, operator, argparse, ConfigParser