DEV Community: Jhade McConnell The latest articles on DEV Community by Jhade McConnell (@jhademcconnell). https://dev.to/jhademcconnell https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3198240%2Fc266e204-f784-4ab2-9ce3-fc278ecaa9bb.jpg DEV Community: Jhade McConnell https://dev.to/jhademcconnell en Swordphish: Visualizing Email Phishing Attacks with Postmark Jhade McConnell Mon, 09 Jun 2025 04:10:57 +0000 https://dev.to/jhademcconnell/swordphish-visualizing-email-phishing-attacks-with-postmark-2pfj https://dev.to/jhademcconnell/swordphish-visualizing-email-phishing-attacks-with-postmark-2pfj <p>This is a submission for the <a href="https://dev.to/challenges/postmark">Postmark Challenge: Inbox Innovators</a>.</p> <h2> What I Built </h2> <p><strong>Swordphish is an application that analyzes metadata associated with an email to detect and visualize phishing attempts</strong>. Swordphish has simple detection logic to highlight commonly used words and phrases used in phishing attacks.</p> <p>The key Postmark features it uses are: </p> <ol> <li> <a href="https://postmarkapp.com/developer/webhooks/inbound-webhook" rel="noopener noreferrer">Postmark’s inbound processing</a> to process an email.</li> <li> <a href="https://postmarkapp.com/developer/api/messages-api" rel="noopener noreferrer">Postmark Messages API</a> to retrieve the JSON of the email.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvv84g82m5yx1ug2g45o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvv84g82m5yx1ug2g45o.png" alt="Image description" width="800" height="704"></a> </p> <p><em>Swordphish visualizes suspicious content within your email and displays its threat indicators.</em></p> <h2> Demo </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxelwl7mg8857ki2w2522.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxelwl7mg8857ki2w2522.png" alt="Image description" width="800" height="686"></a></p> <p><em>You can test the frontend <a href="https://swordphish.jhademcconnell.com" rel="noopener noreferrer">here</a> or watch a quick walk through on <a href="https://www.loom.com/share/93bcdf34645745dea3e990076571cc97?sid=f67e628a-251a-4b2f-b2b5-641994503101" rel="noopener noreferrer">Loom</a>.</em></p> <h2> Code Repository </h2> <p>Swordphish has two repositories:</p> <ul> <li><a href="https://github.com/jhademcconnell/swordphish" rel="noopener noreferrer">Swordphish Frontend</a></li> <li><a href="https://github.com/jhademcconnell/swordphish-api" rel="noopener noreferrer">Swordphish Backend</a></li> </ul> <h2> How I Built It </h2> <h3> Inspiration </h3> <p>When I build applications on top of another service, the first thing I do is review its API responses and documentation. This is what I look for:</p> <ul> <li>Interesting information returned by the API</li> <li>The complexity of its JSON objects</li> <li>Are the API response attributes documented anywhere </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"OriginalRecipient"</span><span class="p">:</span><span class="w"> </span><span class="s2">"451d9b70cf9364d23ff6f9d51d870251569e+ahoy@inbound.postmarkapp.com"</span><span class="err">,</span><span class="w"> </span><span class="nl">"ReplyTo"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myUsersReplyAddress@theirDomain.com"</span><span class="err">,</span><span class="w"> </span><span class="nl">"Subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"This is an inbound message"</span><span class="err">,</span><span class="w"> </span><span class="nl">"MessageID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"22c74902-a0c1-4511-804f-341342852c90"</span><span class="err">,</span><span class="w"> </span><span class="nl">"Date"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Thu, 5 Apr 2012 16:59:01 +0200"</span><span class="err">,</span><span class="w"> </span><span class="nl">"MailboxHash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ahoy"</span><span class="err">,</span><span class="w"> </span><span class="nl">"TextBody"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[ASCII]"</span><span class="err">,</span><span class="w"> </span><span class="nl">"HtmlBody"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[HTML]"</span><span class="err">,</span><span class="w"> </span><span class="nl">"StrippedTextReply"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Ok, thanks for letting me know!"</span><span class="err">,</span><span class="w"> </span><span class="nl">"Tag"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="err">,</span><span class="w"> </span><span class="nl">"Headers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Spam-Checker-Version"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SpamAssassin 3.3.1 (2010-03-16) onrs-ord-pm-inbound1.wildbit.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Spam-Status"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"No"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="err">,</span><span class="w"> </span><span class="nl">"Attachments"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mypaper.doc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Content"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[BASE64-ENCODED CONTENT]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ContentType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/msword"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ContentLength"</span><span class="p">:</span><span class="w"> </span><span class="mi">16384</span><span class="p">,</span><span class="w"> </span><span class="nl">"ContentID"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p><em>I found the “HtmlBody”, “Headers”, and "Attachments" attributes interesting in Postmark's API response.</em></p> <p>This information is available within emails as metadata, but it’s rare for traditional email services to display this technical information to the end user. </p> <h3> Brainstorming Features </h3> <p>A big inspiration of this project is to be able to uncover phishing attempts within emails in real-time. I outlined these features for Swordphish's proof of concept:</p> <ul> <li>Use Postmark’s inbound processing feature to parse an email</li> <li>Provide simple insights that analyzes the email’s headers and content</li> <li>Use Postmark’s Message API to retrieve the raw JSON of inbound emails</li> </ul> <p>I outline the key features before building because it’s easy to get side tracked when you start the development process. Doing this helps me focus on what to build.</p> <h3> Starting from Scratch </h3> <p><a href="https://www.shadcn-svelte.com/docs/installation/sveltekit" rel="noopener noreferrer">SvelteKit</a> is an app framework that hides a lot of the complexity (like server side rendering, integrating TypeScript, and library packaging) when building web applications. </p> <p>I decided to use SvelteKit to build Swordphish’s frontend with. Its backend is a Python server that: </p> <ul> <li>exposes API endpoints using FastAPI</li> <li>integrates with Postmark’s APIs to handle inbound email processing and email retrieval</li> <li>uses a local SQLite database to store information</li> <li>calls Google Gemini 2.5 flash for AI analysis</li> </ul> <p>With a simple client server architecture in place, I started building out Swordphish’s features.</p> <h3> Feature 1: Process Inbound Emails </h3> <p>When architecting web API’s, I try to keep the JSON responses simple. Postmark’s dev team does a great job at this, which makes it straightforward to integrate email features into your application. </p> <p>My webhook can simply wait for Postmark to process an inbound email, and then I can parse the JSON and use it to create my custom object.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/webhook</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">receive_webhook</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">Session</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="n">payload</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Received webhook payload: </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Create metadata dictionary from headers </span> <span class="n">metadata</span> <span class="o">=</span> <span class="p">{</span><span class="n">h</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">]:</span> <span class="n">h</span><span class="p">[</span><span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Headers</span><span class="sh">'</span><span class="p">,</span> <span class="p">[])}</span> <span class="c1"># Check if 'Received-SPF' is in metadata </span> <span class="n">spf_value</span> <span class="o">=</span> <span class="n">metadata</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Received-SPF</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">spf_value</span><span class="p">:</span> <span class="c1"># Extract client-ip using regex </span> <span class="n">match</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">client-ip=([\d\.]+)</span><span class="sh">'</span><span class="p">,</span> <span class="n">spf_value</span><span class="p">)</span> <span class="k">if</span> <span class="n">match</span><span class="p">:</span> <span class="n">client_ip</span> <span class="o">=</span> <span class="n">match</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">logging</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Received-SPF value is missing or None.</span><span class="sh">"</span><span class="p">)</span> <span class="n">client_ip</span> <span class="o">=</span> <span class="bp">None</span> <span class="c1"># Prepare email content for analysis </span> <span class="n">email_content</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> Subject: </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Subject</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s"> From: </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">From</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s"> From Name: </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">FromName</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s"> SPF: </span><span class="si">{</span><span class="n">spf_value</span><span class="si">}</span><span class="s"> HTML Body: </span><span class="si">{</span><span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">HtmlBody</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s"> </span><span class="sh">"""</span> <span class="c1"># CODE CONDENSED </span> <span class="n">metadata</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="sh">"</span><span class="s">Return-Path</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">From</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">Date</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Date</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">From</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">From</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">fromName</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">FromName</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">htmlBody</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HtmlBody</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">aiAnalysis</span><span class="sh">"</span><span class="p">:</span> <span class="n">analysis_response</span><span class="p">,</span> <span class="sh">"</span><span class="s">aiSenderAnalysis</span><span class="sh">"</span><span class="p">:</span> <span class="n">sender_response</span><span class="p">,</span> <span class="sh">"</span><span class="s">aiSecurityAnalysis</span><span class="sh">"</span><span class="p">:</span> <span class="n">security_response</span><span class="p">,</span> <span class="sh">"</span><span class="s">ipContext</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">:</span> <span class="n">client_ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">location</span><span class="sh">"</span><span class="p">:</span> <span class="sh">''</span><span class="p">,</span> <span class="sh">"</span><span class="s">asn</span><span class="sh">"</span><span class="p">:</span> <span class="sh">''</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <p>Postmark’s API response looks complex at first glance, but their JSON objects are simple and predictable. It’s actually very easy for builders to parse.</p> <p>Now that I can process inbound emails with Postmark, I can begin to build my core features around its API response.</p> <h3> Feature 2: Analyze the Email’s Headers and Content </h3> <p>A rule of thumb when creating your own JSON objects is to keep it simple. Stay away from nested JSON objects and try to keep the JSON as flat as possible. </p> <p>This is the JSON object that Swordphish's frontend will use to display information back to the user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"messageId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2e80bc5b-f613-432d-87e1-3d9b0c588b60"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Important: Verify Your Bank Information"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sender"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alerts@secure-bankupdate.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"date"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-05-25 00:00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"metadatas"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"X-Spam-Checker-Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SpamAssassin 3.4.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"X-Spam-Status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Yes"</span><span class="p">,</span><span class="w"> </span><span class="nl">"X-Spam-Score"</span><span class="p">:</span><span class="w"> </span><span class="s2">"8.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"X-Spam-Tests"</span><span class="p">:</span><span class="w"> </span><span class="s2">"URGENT_REQUEST,SPOOFED_DOMAIN,BANK_PHISH"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Received-SPF"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fail"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Return-Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alerts@secure-bankupdate.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Date"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sun, 25 May 2025 10:22:45 +0000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"From"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alerts@secure-bankupdate.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fromName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SecureBank Alerts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"htmlBody"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;p&gt;Your account has been flagged. &lt;a href='http://secure-bankupdate.com/verify'&gt;Click here to verify your banking info&lt;/a&gt; to avoid suspension.&lt;/p&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aiAnalysis"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Urgent financial request with spoofed sender domain. Highly likely phishing."</span><span class="p">,</span><span class="w"> </span><span class="nl">"ipContext"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"103.21.244.15"</span><span class="p">,</span><span class="w"> </span><span class="nl">"location"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mumbai, India"</span><span class="p">,</span><span class="w"> </span><span class="nl">"asn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AS55836 Reliance Jio Infocomm Limited"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Inside of my /webhook logic, I save the email’s metadata and content inside of my JSON object, and then perform operations to enrich that information.</p> <p>In this code example I use Gemini to analyze the email content, and then save Gemini's response under the "aiAnalysis" attribute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># Create tasks for concurrent execution </span> <span class="n">analysis_task</span> <span class="o">=</span> <span class="nf">generate_ai_content</span><span class="p">(</span><span class="n">analysis_prompt</span><span class="p">)</span> <span class="n">sender_task</span> <span class="o">=</span> <span class="nf">generate_ai_content</span><span class="p">(</span><span class="n">sender_prompt</span><span class="p">)</span> <span class="n">security_task</span> <span class="o">=</span> <span class="nf">generate_ai_content</span><span class="p">(</span><span class="n">security_prompt</span><span class="p">)</span> <span class="c1"># Gather all responses concurrently </span> <span class="n">analysis_response</span><span class="p">,</span> <span class="n">sender_response</span><span class="p">,</span> <span class="n">security_response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">gather</span><span class="p">(</span> <span class="n">analysis_task</span><span class="p">,</span> <span class="n">sender_task</span><span class="p">,</span> <span class="n">security_task</span> <span class="p">)</span> <span class="n">metadata</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="sh">"</span><span class="s">Return-Path</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">From</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">Date</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Date</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">From</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">From</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">fromName</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">FromName</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">htmlBody</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">HtmlBody</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">aiAnalysis</span><span class="sh">"</span><span class="p">:</span> <span class="n">analysis_response</span><span class="p">,</span> <span class="sh">"</span><span class="s">aiSenderAnalysis</span><span class="sh">"</span><span class="p">:</span> <span class="n">sender_response</span><span class="p">,</span> <span class="sh">"</span><span class="s">aiSecurityAnalysis</span><span class="sh">"</span><span class="p">:</span> <span class="n">security_response</span><span class="p">,</span> <span class="sh">"</span><span class="s">ipContext</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">:</span> <span class="n">client_ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">location</span><span class="sh">"</span><span class="p">:</span> <span class="sh">''</span><span class="p">,</span> <span class="sh">"</span><span class="s">asn</span><span class="sh">"</span><span class="p">:</span> <span class="sh">''</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <p><strong>Enriching IP Address Through a Reverse Lookup</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2bc317yiuyew8upxclm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2bc317yiuyew8upxclm.png" alt="Image description" width="800" height="504"></a><br> <em>The "Sender Reputation" tab shows the ASN information for the IP address extracted from "Received-SPF"</em></p> <p>Postmark’s API response returns the “Received-SPF” object. The “Received-SPF” contains the “client-ip” value, which is the IP address of the SMTP client the email was sent from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Received-SPF"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.160.180; helo=mail-gy0-f180.google.com; envelope-from=myUser@theirDomain.com; receiver=451d9b70cf9364d23ff6f9d51d870251569e+ahoy@inbound.postmarkapp.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You can do a reverse lookup of this IP address to find its ASN. If the IP address and the ASN has a bad reputation, you can be on guard as the sender may not be reputable.</p> <p><strong>SpamAssassin Deep Dive</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc8z0bzg4tg30z6nefsi7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc8z0bzg4tg30z6nefsi7.png" alt="Image description" width="800" height="759"></a><br> <em><a href="https://spamassassin.apache.org/" rel="noopener noreferrer">Apache SpamAssassin</a> returns a spam score and performs tests to check if the email is likely spam.</em></p> <p>Apache SpamAssassin is a widely used open source project to detect email spam. Postmark includes the tests ran through SpamAssassin in the email’s headers. </p> <p>Here are some examples:</p> <ul> <li> <strong>DKIM_VALID</strong> - Message has at least one valid DKIM or DK signature.</li> <li> <strong>SPF_PASS</strong> - Sender matches SPF record.</li> </ul> <p>SpamAssassin provides a risk score that tells you how likely the email can be considered spam. The “Spam Risk” tab of Swordphish visualizes this risk score, along with the SpamAssassin tests ran by Postmark.</p> <p><strong>Using an LLM to Analyze Email Content</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7vh8n8r4mz1whid6e8ja.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7vh8n8r4mz1whid6e8ja.png" alt="Image description" width="800" height="740"></a><br> <em>Google Gemini provides AI security analysis at the top of each page.</em></p> <p>The model Swordphish uses is Google’s Gemini 2.0 Flash-Lite. We configure Gemini to provide a high level security summary by prompting it to look for common phishing language. </p> <p>You’ll see insights from “Swordphish AI” on the top of each page. We pass data from our custom JSON object into the prompt, and display what Gemini returns back from its analysis.</p> <p>For these insights to be effective in a real-world scenario, extensive prompting with MCP servers to feed in additional context would be needed to accurately detect complex phishing attempts.</p> <p>I recommend using a platform like <a href="https://steponeis.com" rel="noopener noreferrer">Step One</a> where you can monetize an LLM that you’ve worked hard to configure. That way, you can reward yourself by selling access to your chatbot.</p> <h3> Feature 3: Retrieving Inbound Email Logs </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe4cp1twu9yskknlr85y8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe4cp1twu9yskknlr85y8.png" alt="Image description" width="800" height="754"></a><br> <em>The raw JSON for an email parsed by Postmark.</em></p> <p>We want to give security researchers the ability to inspect the email's raw JSON response. We can use <a href="https://postmarkapp.com/developer/api/messages-api#inbound-message-details" rel="noopener noreferrer">Postmark’s Inbound Message Details API</a> to retrieve the JSON response that was sent into our webhook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"https://api.postmarkapp.com/messages/inbound/{messageid}/details"</span> <span class="se">\</span> <span class="nt">-X</span> GET <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Accept: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Postmark-Server-Token: server token"</span> </code></pre> </div> <p>If we pass in the “MessageID” associated with each email in the {messageid}, we’ll be returned the raw JSON response associated with that "MessageId".</p> <p>Traditional email inboxes don't show this information because they know their average user isn’t technical. Displaying the raw email log for security researchers would allow them to use Swordphish for email forensics.</p> <h3> Challenges </h3> <p>Postmark's APIs are easy to use. Their documentation is straightforward, and the setup process for your account is a breeze with their support team.</p> <p>I did notice that after I've activated my account, my Postmark server wasn’t fully processing inbound emails:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvvvz9tzj1yunlc94bazg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvvvz9tzj1yunlc94bazg.png" alt="Image description" width="800" height="455"></a></p> <p>It was surprising to see this because the test webhook from the inbound processing settings showed that my application was ready to receive Postmark's webhooks:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu9duq9h9hsohsbup75rn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu9duq9h9hsohsbup75rn.png" alt="Image description" width="800" height="170"></a></p> <p>On the "Email Analysis" tab my application successfully parsed the test email sent from Postmark:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7rj9brt50hq7buk51j8s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7rj9brt50hq7buk51j8s.png" alt="Image description" width="800" height="739"></a></p> <p>I suspect this may be due to a network issue between Postmark and my application. I like how Postmark has sections outlined in their documentation that covers how to test and troubleshoot their APIs. After <a href="https://postmarkapp.com/developer/webhooks/inbound-webhook#testing-with-curl" rel="noopener noreferrer">testing the inbound webhook with curl</a>, my backend returned a successful response in my production environment.</p> <p>I will have to reach out to Postmark support to check this issue, but I’m confident their support team will get me up and running.</p> <h2> Summary </h2> <p>Swordphish can be used as a tool to help visualize what phishing attacks look like through email. </p> <p>Another challenge I faced was being able to consistently detect links within the “htmlBody” attribute. Since the “htmlBody” contents can contain unpredictable HTML, it’s best if an LLM was used to detect the links rather than a regex.</p> <p>I would also update the fear, promotional, and urgent words list to be returned from an API response. This would allow the words list detection to be more dynamic as I can update words list in the backend alongside using an LLM. </p> <p>I continue to use Postmark because of how straightforward their APIs are, and how friendly their support staff is. If you have any questions about the app, feel free to comment them!</p> devchallenge postmarkchallenge webdev api