Fast Advanced Spam Analysis Tool
Alternatives To Spamscope
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Portainer26,696218 hours ago78April 21, 2021465zlibGo
Making Docker and Kubernetes management easy.
Setup Ipsec Vpn22,764
20 hours ago1otherShell
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Trivy18,781448 hours ago198July 31, 2023197apache-2.0Go
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Authelia17,47028 hours ago64October 28, 201998apache-2.0Go
The Single Sign-On Multi-Factor portal for web apps
Slim17,29432 days ago73April 25, 2021164apache-2.0Go
Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Hydra14,45693 days ago1May 08, 201988apache-2.0Go
OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
4 months ago141apache-2.0PHP
This is a collection of tutorials for learning how to use Docker with various tools. Contributions welcome.
a month ago18November 07, 2022128gpl-3.0Rust
🤖 The Modern Port Scanner 🤖
Docker Bench Security8,549
7 days ago18apache-2.0Shell
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
2 days ago128July 13, 202387mitGo
Fast and secure standalone server for resizing and converting remote images
Alternatives To Spamscope
Select To Compare

Alternative Project Comparisons

PyPI version Build Status Coverage Status BCH compliance



SpamScope is an advanced spam analysis tool that use Apache Storm with streamparse to process a stream of mails. To understand how SpamScope works, I suggest to read these overviews:

In general the first step is run Apache Storm, then you can run the topologies on it. SpamScope has some topologies in topologies folder, but you can make others topologies.

Schema topology

What Does SpamScope do?

SpamScope gets the raw emails (both RFC822 and Outlook formats) in input and returns an JSON object. Then it extracts urls and attachments (if they are zipped extracts the content files). All informations are saved in JSON objects. This is the first analysis. After that SpamScope runs a phishing module, that gives a phishing score to the emails.

Then you can enable/disable post processing modules, that connect SpamScope with third party tools. There are three main categories:

  • raw emails analysis
  • attachments analysis
  • sender emails analysis

It's possible to add new modules in these three categories, if you want connect SpamScope with others tools.

Raw emails analysis

These modules (see here) analyze the raw emails:

  • SMTP dialect
  • SpamAssassin

Attachments analysis

These modules (see here) analyze the attachments of emails:

  • Apache Tika
  • Store sample on disk (as default SpamScope saves samples in JSON objects)
  • Thug
  • VirusTotal
  • Zemana

Sender emails analysis

SpamScope can detects the exact sender IP and then it can analyze it (see here):

  • Shodan
  • VirusTotal

Why should I use SpamScope

  • It's very fast: the job is splitted in functionalities that work in parallel.
  • It's flexible: you can choose what SpamScope has to do.
  • It's distributed: SpamScope uses Apache Storm, free and open source distributed realtime computation system.
  • It makes JSON output that you can save where you want.
  • It's easy to setup: there are docker images and docker-compose ready for use.
  • It's integrated with Apache Tika, VirusTotal, Thug, Shodan and SpamAssassin (for now).
  • It's free and open source (for special functions you can contact me).
  • It can analyze Outlook msg.


SpamScope uses Apache Storm that allows you to start small and scale horizontally as you grow. Simply add more workers.


You can choose your mails input sources (with spouts) and your functionalities (with bolts).

SpamScope comes with the following bolts:

  • tokenizer splits mail in token like headers, body, attachments and it can filter emails, attachments and ip addresses already seen
  • phishing looks for your keywords in email and connects email to targets (bank, your customers, etc.)
  • raw_mail is for all third party tools that analyze raw mails like SpamAssassin
  • attachments analyzes all mail attachments and uses third party tools like VirusTotal
  • network analyzes all sender ip addresses with third party tools like Shodan
  • urls extracts all urls in email and attachments
  • json_maker and outputs make the json report and save it

Store where you want

You can build your custom output bolts and store your data in Elasticsearch, MongoDB, filesystem, etc.

Build your topology

With streamparse tecnology you can build your topology in Python, add and/or remove spouts and bolts.


For now SpamScope doesn't have its own API, because it isn't tied to any tecnology. If you use Redis as spout (input), you'll use Redis API to put mails in topology. If you use Elasticsearch as output, you'll use Elasticsearch API to get results.

It's possible to develop a middleware API that it talks with input, output and changes the configuration, but now there isn't.

Apache 2 Open Source License

SpamScope can be downloaded, used, and modified free of charge. It is available under the Apache 2 license.


SpamScope on Web


Main Author

Fedele Mantuano (LinkedIn: Fedele Mantuano)


For operating system requirements you can read Ansible playbooks, that go into details.

For Python requirements you can read:

Thug is another optional requirement, that it's not in requirements. See Thug section for more details.

Apache Storm

Apache Storm is a free and open source distributed realtime computation system.


streamparse lets you run Python code against real-time streams of data via Apache Storm.


mail-parser is the parsing for raw email of SpamScope.


Faup stands for Finally An Url Parser and is a library and command line tool to parse URLs and normalize fields.

rarlinux (optional)

rarlinux unarchives rar file.

SpamAssassin (optional)

SpamScope can use SpamAssassin an open source anti-spam to analyze every mails.

Apache Tika (optional)

SpamScope can use Apache Tika to parse every attachments. The Apache Tika toolkit detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF). To use Apache Tika in SpamScope you must install tika-app-python with pip and Apache Tika.

Thug (optional)

From release v1.3 SpamScope can analyze Javascript and HTML attachments with Thug. If you want to analyze the attachments with Thug, follow these instructions to install it. Enable it in attachments section of main configuration file.

What is Thug? From README project:

Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.

You can see a complete SpamScope report with Thug analysis here.

Thug analysis can be very slow and you can have heartbeat timeout errors in Apache Storm. To avoid any issue set supervisor.worker.timeout.secs:

nr. user agents * timeout_thug < supervisor.worker.timeout.secs

The best value for threshold is 1.

VirusTotal (optional)

It's possible add to results (for mail attachments and sender ip address) the VirusTotal report. You need a private API key.

Shodan (optional)

It's possible add to results the Shodan report for sender ip address. You need a private API key.

Elasticsearch (optional)

It's possible to store the results in Elasticsearch. In this case you should install elasticsearch package.

Redis (optional)

It's possible to store the results in Redis. In this case you should install redis package.


Read the example of main configuration file. The default value where SpamScope will search the configuration file is /etc/spamscope/spamscope.yml, but it's possible to set the environment variable SPAMSCOPE_CONF_FILE:

$ export SPAMSCOPE_CONF_FILE=/etc/spamscope/spamscope.yml

When you change the configuration file, SpamScope automatically reloads the new changes.


You can use:


SpamScope comes with six topologies:

If you want submit SpamScope topology use spamscope-topology submit tool. For more details see SpamScope cli tools:

$ spamscope-topology submit --topology {spamscope_debug,spamscope_elasticsearch,spamscope_redis}

It's possible to change the default settings for all Apache Storm options. I suggest to change these options:

  • topology.tick.tuple.freq.secs: reload configuration of all bolts
  • topology.max.spout.pending: Apache Storm framework will then throttle your spout as needed to meet the topology.max.spout.pending requirement
  • max sleep for emit new tuple (mail)

You can use spamscope-topology submit to do these changes.


If you are using Elasticsearch output, I suggest you to use Elasticsearch templates that comes with SpamScope.


SpamScope comes with unittests for each modules. In bolts and spouts there are no special features, all intelligence is in external modules. All unittests are in tests folder.

To have complete tests you should set the followings enviroment variables:

$ export THUG_ENABLED=True
$ export VIRUSTOTAL_APIKEY="your key"
$ export ZEMANA_ENABLED=True
$ export ZEMANA_APIKEY="your key"
$ export ZEMANA_PARTNERID="your partner id"
$ export ZEMANA_USERID="your userid"
$ export SHODAN_ENABLED=True
$ export SHODAN_APIKEY="your key"

Output example

This is a raw email that I analyzed with SpamScope:

This is another example with Thug analysis.


Apache Storm


SpamScope Topology

SpamScope Map

Popular Docker Projects
Popular Security Projects
Popular Virtualization Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Docker Image
Ansible Playbook
Application Security
Apache Storm