Skip to content

Security: overwrite00/EMLyzer

SECURITY.md

πŸ”’ Security Policy

Security Model

EMLyzer is designed with security-first principles:

  • Offline-first analysis β€” All email parsing and analysis runs locally; no data is sent externally by default
  • No cloud dependencies β€” Core functionality requires no internet connection or API keys
  • Optional reputation services β€” External API integrations (AbuseIPDB, VirusTotal, etc.) are entirely optional and user-configured
  • Local-first database β€” SQLite database stores results locally on disk
  • Transparent threat analysis β€” All detection logic is open-source and auditable

πŸ›‘οΈ Privacy Principles

What We Don't Do

  • ❌ No user accounts or authentication required
  • ❌ No telemetry or usage tracking
  • ❌ No data collection or analytics
  • ❌ No cloud processing or storage
  • ❌ No third-party tracking scripts

Data Control

  • βœ… All email data stays on your machine
  • βœ… You control which reputation services are used (or use none)
  • βœ… You own your analysis database
  • βœ… You can delete analyses at any time
  • βœ… Full source code transparency

πŸ” Technical Security

Email Parsing

  • Uses trusted, audited parsing libraries: mail-parser (EML) and extract-msg (MSG)
  • Input validation on all parsed email fields
  • HTML/JavaScript sanitization using bleach to prevent XSS in body analysis
  • Safe handling of MIME encodings and nested structures

URL Analysis

  • Domain and IP address extraction and validation
  • Punycode detection (homoglyph spoofing prevention)
  • WHOIS and DNS queries use read-only lookups (no modification)
  • Shortener detection and redirect chain analysis
  • No automatic navigation to URLs (reporting only)

Attachment Analysis

  • By design: Attachments are NOT executed
  • Hash computation (MD5, SHA1, SHA256) for integrity verification
  • MIME type validation against file extension
  • Detection of embedded macros and JavaScript in documents
  • Stream analysis for suspicious PDF patterns

Reputation Services

  • Optional and configurable per service
  • API keys stored locally in .env (not synced to git)
  • All reputation lookups are read-only queries
  • Rate limiting respected (no brute-force scanning)
  • Requests authenticated with user-provided credentials only

Temporary File Cleanup

  • Uploaded emails: stored in backend/uploads/ β€” deleted after analysis
  • Generated reports: stored in backend/reports/ β€” deleted when removed via UI
  • SQLite database: persists in backend/data/emlyzer.db β€” user controls deletion

πŸ“’ Responsible Disclosure

If you discover a security vulnerability in EMLyzer:

Reporting Process

  1. Do not open a public GitHub issue β€” This exposes the vulnerability
  2. Use GitHub Security Advisory:

Timeline

  • 48 hours: We will acknowledge receipt of your report
  • 2 weeks (critical): Target fix timeline for critical vulnerabilities
  • 30 days (high): Target fix timeline for high-severity vulnerabilities
  • Coordinated disclosure: We will work with you on a disclosure timeline

Recognition

We appreciate responsible disclosure and will credit you in our security advisory (unless you prefer anonymity).


⚠️ Known Limitations

What EMLyzer Does NOT Do

  • Prevents spear-phishing if you visually trust the sender β€” EMLyzer detects technical indicators but cannot override human judgment
  • Executes attachments β€” By design, EMLyzer analyzes attachments without running them (safe-by-default approach)
  • Performs OCR on images β€” Scanned PDFs or image-based phishing are not analyzed (future enhancement)
  • Detects zero-day exploits β€” Reputation services have detection delays; new threats may not be flagged
  • Guarantees 100% accuracy β€” Like all security tools, false positives and false negatives can occur

Defense-in-Depth Recommended

EMLyzer is one layer of email security. For comprehensive protection, also use:

  • Email gateway filters (at your email provider)
  • DMARC/SPF/DKIM enforcement
  • Endpoint protection software
  • User security training
  • Email authentication (2FA/MFA)

πŸš€ Future Security Work

Planned improvements (see CHANGELOG.md for full roadmap):

  • YARA rule engine for custom threat detection
  • PostgreSQL support for enterprise deployments
  • Plugin system for custom analyzers
  • Machine learning model improvements
  • Automated malware signature updates

πŸ”„ Security Updates

  • Subscribe to releases: Watch the Releases page
  • Check security advisories: GitHub Security Advisory
  • Update regularly: Use the latest version for security patches

πŸ“š Additional Resources


Last updated: 2026-06-07 ← Contributing | Back to README β†’

There aren't any published security advisories