Standing on the shoulders of owls.
Mailstrix is mostly glue. The detection comes from threat-intel feeds and YARA rule sets other people maintain, and the extraction owes its shape to a generation of open-source malware-analysis tools. This page credits every one of them — with licenses where they exist — plus the reading material and sibling MyGUARD projects worth your time.
Live reputation lookups and rule supply, queried at runtime or rebuilt daily. Almost all of it is abuse.ch — a non-profit run at the Bern University of Applied Sciences. If you use their data, support them.
| Feed | What Mailstrix uses it for | Terms |
|---|---|---|
| URLhaus | Looks up malware-distribution URLs found inside extracted attachment content. | CC0 — free for any use |
| MalwareBazaar | Checks every attachment's SHA-256 against the known-malware sample corpus. | CC0 — free for any use |
| ThreatFox | IOC enrichment (hashes / URLs / domains) for matched content. | CC0 — free for any use |
| Feodo Tracker | Botnet C2 IP / address intelligence. | CC0 — free for any use |
| YARAify (YARAhub) | One of the eight baked-in YARA rule sources (see below). | CC0 — free for any use |
Mailstrix does not author rules. The image bakes ~10,000 public rules from eight curated sources, precompiled and rebuilt daily — each set keeps its own upstream license. Any source can be pinned or toggled off with a build arg.
| Rule set | Maintainer | License |
|---|---|---|
| YARA-Forge | YARAHQ/yara-forge | aggregator (each rule keeps its upstream license) |
| signature-base | Neo23x0/signature-base | DRL 1.1 |
| Didier Stevens Suite | DidierStevens/DidierStevensSuite | public domain |
| bartblaze/Yara-rules | bartblaze/Yara-rules | MIT |
| InQuest yara-rules-vt | InQuest/yara-rules-vt | MIT |
| ANY.RUN | anyrun/YARA | per-repo |
| CAPEv2 (curated) | kevoreilly/CAPEv2 | per-repo |
| YARAify | abuse.ch YARAhub | CC0 |
Mailstrix re-implements, borrows from, or stands directly beside these. If you do malware analysis, you already know them.
The pattern-matching engine the whole thing rides on. Mailstrix's only job is to feed it the cleartext it would never otherwise see.
BSD-3 · VirusTotal
Philippe Lagadec's OLE / VBA toolkit — the reference for office-macro extraction and the bar Mailstrix's internal/extract measures itself against. A complement, not a competitor.
BSD-2 · decalage2
The Go OLE2 / VBA parser Mailstrix vendors and hardens in third_party/oleparse. Velocidex's port of the olevba logic.
MIT · Velocidex
The CGO bindings that let a Go daemon drive libyara. Hillu's work is what makes strixd possible at all.
BSD-2 · hillu
Florian Roth's scanners pioneered filename/extension YARA externals — Mailstrix maps attachment names the same way so THOR/Loki-style rules fire correctly.
Loki: GPL-3 · Nextron Systems
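As an added illustration of the externals convention described above (not a rule from Loki, THOR or Mailstrix), this rule only fires when the scanner has defined the `filename` and `extension` externals for the attachment being scanned; the rule name, strings and regex are constructed for the example, and it assumes the scanner lowercases the extension before defining it, as Loki does:

```yara
// Added example, not a Loki/THOR/Mailstrix rule. Externals are declared by
// the scanning side before compilation (e.g. `yara -d filename=... -d
// extension=...`); a scanner that does not define them makes the compiler
// reject this rule with an undefined-identifier error, which is exactly the
// mapping the text above describes Mailstrix doing for attachment names.
rule Attachment_DoubleExtension_Executable
{
    meta:
        description = "PE attachment disguised behind a document-looking double extension"
        reference   = "hypothetical example rule"

    strings:
        $mz = { 4D 5A }   // "MZ" DOS header at offset 0

    condition:
        $mz at 0 and
        // assumes the scanner lowercased the extension before defining it
        extension == ".exe" and
        // attachment name such as invoice.pdf.exe or report.docx.exe
        filename matches /\.(pdf|docx?|xlsx?)\.exe$/i
}
```

With the `yara` CLI the same externals are supplied per file with `-d filename=<name> -d extension=<ext>`; a daemon scanning mail attachments has to set them per attachment, not once per rule set.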
The reference open-source mail AV. Mailstrix is not a replacement — it's the YARA-shaped second opinion you run beside it.
GPL-2 · Cisco Talos
The async spam filter Mailstrix slots into. Its out-of-process worker model is exactly why the scanner runs over HTTP instead of in-tree.
Apache-2 · Vsevolod Stakhov
Heinlein's olevba-over-socket bridge for rspamd — the direct predecessor idea Mailstrix generalises into deep extraction + YARA.
GPL-3 · Heinlein Support
Mailstrix is one piece of a larger mail-hardening stack. Our other open-source mail work:
And the long-form reading — cornerstone articles on the MyGUARD blog about building a modern mail stack:
Everything above is free, and Mailstrix is too. If it saves you grief — or if you're making big bucks off it — a coffee keeps the owl awake.
Mailstrix is another MyGUARD project, built and maintained alongside the rest of our mail- and web-hardening work — most of which ships through our hardened Debian/Ubuntu APT repo. There's a donate button on the contact page — and if you ship something on top of this, don't forget us. We need a coffee drip :-)