A professional-grade phishing detection system featuring multiple machine learning algorithms accessible via FastMCP servers. Built with clean architecture principles and trained on 160,000+ real spam/phishing emails.
All processing is done locally on your machine. No email content, subjects, or sender information is ever sent to external services, APIs, or cloud providers.
# Install the package
pip install -e ".[dev]"
# Start a server (e.g., Neural Network with 96.6% accuracy)
make serve-nn
# Or use the CLI
inbox-sentinel server start neural-network
# Check available models
inbox-sentinel models listinbox-sentinel/
โโโ inbox_sentinel/ # Main package
โ โโโ core/ # Base classes, types, exceptions
โ โโโ ml/ # Machine learning components
โ โ โโโ models/ # Model implementations
โ โ โโโ preprocessing/ # Feature extraction
โ โ โโโ training/ # Training utilities
โ โโโ servers/ # MCP server implementations
โ โ โโโ base/ # Base server class
โ โ โโโ mcp/ # FastMCP servers
โ โโโ config/ # Configuration management
โ โโโ utils/ # Utilities
โ โโโ scripts/ # CLI scripts
โโโ data/ # Data directory
โ โโโ models/ # Trained models (*.pkl)
โ โโโ datasets/ # Training datasets
โโโ tests/ # Test suite
โโโ docs/ # Documentation
| Model | Algorithm | Accuracy | Precision | Recall | F1-Score | Avg Time |
|---|---|---|---|---|---|---|
| SVM ๐ | Support Vector Machine | 93.7% | 93.6% | 98.9% | 96.2% | 12.9ms |
| Logistic Regression | Logistic Regression | 92.3% | 91.2% | 100.0% | 95.4% | 1.8ms |
| Neural Network | Neural Network (MLP) | 91.9% | 90.8% | 100.0% | 95.2% | 1.7ms |
| Naive Bayes | Multinomial Naive Bayes | 83.3% | 89.3% | 89.9% | 89.6% | 2.1ms |
| Random Forest | Random Forest | 79.3% | 81.3% | 96.3% | 88.2% | 114.0ms |
| Method | Accuracy | Precision | Recall | F1-Score | Avg Time | Key Features |
|---|---|---|---|---|---|---|
| RL Enhanced ๐ | 90.0% | 100.0% | 78.6% | 88.0% | 134.6ms | Q-Learning, 24 state features, adaptive weighting |
| Simple Consensus | 91.4% | 90.4% | 99.9% | 94.9% | 134.6ms | Majority voting across 5 models |
๐ 17.4% Improvement Achieved!
- Baseline Orchestrator: 76.7% accuracy
- RL Enhanced: 90.0% accuracy
- Improvement: +13.3% absolute (+17.4% relative)
- Perfect Precision: 100% precision (zero false positives)
- Training Time: 5.5 minutes on 100 samples
- Pre-trained Models: All models trained on 160,000+ real spam/phishing emails
- Feature Engineering: TF-IDF + 15 manual features (URLs, keywords, patterns)
- Reinforcement Learning: Q-Learning orchestrator with 17.4% performance improvement
- Ensemble Methods: 5 consensus strategies + RL-enhanced decision making
- Real-time Analysis: Fast inference (<100ms per email)
- Explainable AI: Feature importance, confidence scores, and RL state analysis
- LLM Orchestration: Use local LLMs to intelligently coordinate multiple models
- Forwarded Email Support: Automatically parse and analyze Gmail forwarded emails
- Comprehensive Testing: 1,000 sample test suite with detailed performance metrics
- Clean Architecture: Separation of concerns, SOLID principles
- Type Safety: Full type hints with custom types
- Configuration Management: Pydantic settings with env support
- Testing: Comprehensive test suite with pytest
- CLI Tools: Rich CLI interface for all operations
- Documentation: Complete API and usage docs
Models trained on 161,640 emails from 6 datasets:
- SpamAssassin (5,809 emails)
- Enron Spam (29,767 emails)
- Ling Spam (2,859 emails)
- CEAS 2008 (39,154 emails)
- Nazario Phishing (1,565 emails)
- Phishing Email Dataset (82,486 emails)
Distribution: 51% spam/phishing, 49% legitimate
Run all model servers simultaneously:
# Build and start all services
docker-compose up --build
# Start specific services
docker-compose up orchestrator naive-bayes svm
# Run in background
docker-compose up -dThe services will be available at:
- Orchestrator: http://localhost:8000 (coordinates all models)
- Naive Bayes: http://localhost:8001
- SVM: http://localhost:8002
- Random Forest: http://localhost:8003
- Logistic Regression: http://localhost:8004
- Neural Network: http://localhost:8005
# Build the image
docker build -t inbox-sentinel .
# Run single model server
docker run -p 8000:8000 -v $(pwd)/data:/app/data inbox-sentinel \
inbox-sentinel server start neural-network
# Run with custom command
docker run -it inbox-sentinel inbox-sentinel --helpThe container includes:
- Python 3.11 slim base
- All required dependencies
- Pre-trained models in
/app/data/models/ - Non-root user for security
- Volume mounts for data persistence
The orchestration feature runs multiple ML models in parallel and combines their results for more accurate detection:
# Simple consensus-based orchestration (no dependencies)
inbox-sentinel orchestrate -F email.txt --forwarded
# LLM-powered orchestration with Ollama (requires setup)
inbox-sentinel orchestrate -F email.txt --forwarded --llm-provider ollama --model-name llama2Two Orchestration Modes:
-
Simple Consensus (Default)
- Runs all 5 ML models in parallel
- Uses majority voting (e.g., 4/5 models = spam)
- Calculates average confidence scores
- No additional dependencies required
- Fast and reliable
-
LLM-Powered (Advanced)
- Uses local LLM to coordinate analysis
- LLM selects which models to query
- Provides natural language explanations
- Can adapt strategy based on results
- Requires Ollama + LangChain setup
How It Works:
- Each MCP server (Naive Bayes, SVM, Random Forest, Logistic Regression, Neural Network) is wrapped as a tool
- In simple mode: All tools are called and results are combined
- In LLM mode: The AI agent decides which tools to use and interprets results
# View available models and their status
inbox-sentinel models list
# Train all models
inbox-sentinel models train
# Verify trained models
inbox-sentinel models verify
# Analyze an email
inbox-sentinel analyze -c "Email content" -s "Subject" -f "[email protected]"
# Analyze a forwarded Gmail email
inbox-sentinel analyze -F forwarded_email.txt --forwarded
# Orchestrate multiple models with consensus
inbox-sentinel orchestrate -F email.txt --forwarded
# Start a specific MCP server
inbox-sentinel server start neural-networkEach server provides these tools:
analyze_email- Analyze an email for spam/phishingtrain_model- Train with new datainitialize_model- Initialize/load pre-trained modelget_model_info- Get model information
For advanced analysis using a local LLM to orchestrate multiple detection models:
Windows:
# 1. Download and install from https://ollama.ai/download/windows
# 2. Start Ollama server (in a separate terminal)
ollama serve
# 3. Pull a model (in your main terminal)
ollama pull llama2 # 7B parameters, balanced
# Or use smaller/faster models:
ollama pull phi # 2.7B parameters, very fast
ollama pull mistral # 7B parameters, fastmacOS/Linux:
# 1. Install Ollama
curl -fsSL https://ollama.ai/install.sh | sh
# 2. Start Ollama server
ollama serve
# 3. Pull a model
ollama pull llama2# Option 1: Install LangChain dependencies as an extra
pip install -e ".[langchain]"
# Option 2: Install LangChain dependencies separately
pip install langchain langchain-community langchain-openai
# Option 3: Use the requirements file
pip install -r requirements-langchain.txt# Analyze forwarded email with LLM orchestration
inbox-sentinel orchestrate -F email.txt --forwarded --llm-provider ollama --model-name llama2
# Or use simple consensus-based orchestration (no LLM required)
inbox-sentinel orchestrate -F email.txt --forwarded --llm-provider simpleRecommended Models for Tool Use:
# Mistral - Better at following tool-use instructions
ollama pull mistral
inbox-sentinel orchestrate -F email.txt --forwarded --llm-provider ollama --model-name mistral
# Mixtral - Excellent at structured outputs
ollama pull mixtral
inbox-sentinel orchestrate -F email.txt --forwarded --llm-provider ollama --model-name mixtralTroubleshooting LLM Orchestration:
If the LLM gets stuck or doesn't use tools correctly:
- Try a different model - Mistral and Mixtral are better at tool use than Llama2
- Check Ollama is running -
curl http://localhost:11434/api/tags - Use simple orchestration - Works reliably without LLM:
--llm-provider simple - Install dependencies -
pip install langchain langchain-community nest-asyncio
The LLM orchestration provides:
- Intelligent tool selection based on email characteristics
- Natural language explanations of decisions
- Adaptive analysis strategies
- Context-aware reasoning about phishing patterns
Note: Some models (like Llama2) may struggle with the structured format required for tool use. If you experience issues, the simple consensus-based orchestration provides excellent results without requiring an LLM.
Orchestrated Email Analysis
Subject: Claim Your Merlin Chain Early Users Reward Now
Sender: [email protected]
Using consensus-based orchestration
โ
Initialized all 5 models
โญโโโโโโโโโ Orchestrated Analysis Result โโโโโโโโโโฎ
โ SPAM/PHISHING โ
โ โ
โ Consensus: 4/5 models detected spam โ
โ Average Confidence: 58.8% โ
โ โ
โ Individual Results: โ
โ โข naive_bayes: LEGITIMATE (16.7%) โ
โ โข svm: SPAM (53.5%) โ
โ โข random_forest: SPAM (28.4%) โ
โ โข logistic_regression: SPAM (99.9%) โ
โ โข neural_network: SPAM (95.5%) โ
โ โ
โ Recommendation: DO NOT trust this email. โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
from inbox_sentinel.ml.models import NeuralNetworkDetector
from inbox_sentinel.core.types import Email
# Initialize detector
detector = NeuralNetworkDetector()
await detector.initialize(use_pretrained=True)
# Analyze email
email = Email(
content="Your account will be suspended...",
subject="Urgent Security Alert",
sender="[email protected]"
)
result = await detector.analyze(email)
print(f"Is Spam: {result.is_spam}")
print(f"Confidence: {result.confidence:.1%}")# Clone the repository
git clone https://github.com/your-org/inbox-sentinel.git
cd inbox-sentinel
# Create virtual environment
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install in development mode
make install-dev
# Run tests
make test
# Format code
make formatmake help # Show all available commands
make serve-nn # Start Neural Network server
make serve-svm # Start SVM server
make train # Train all models
make test # Run test suite
make lint # Run code quality checks
make format # Format code with black/isort
make clean # Clean build artifacts# Run all tests
pytest
# Run with coverage
pytest --cov=inbox_sentinel
# Run specific test file
pytest tests/unit/test_detectors.pyEmail: Email data structurePredictionResult: Single model predictionEnsembleResult: Combined prediction from multiple modelsConsensusStrategy: Enum for ensemble strategies
BaseDetector: Abstract base for all detectorsBaseMCPServer: Base class for MCP servers
- Environment variables via
.envfile - Pydantic settings for type-safe configuration
- Model-specific configurations in
config/model_config.py
We welcome contributions! Please see our Contributing Guide for details.
- Additional ML algorithms (XGBoost, LightGBM)
- Deep learning models (BERT, Transformers)
- Real-time learning capabilities
- Email header analysis
- Attachment scanning
- Multi-language support
MIT License - See LICENSE file for details.
This project is for educational and defensive security purposes only.