Documentation

Rubiscout Docs

Everything you need to analyze emails, investigate threats, and integrate Rubiscout into your security workflow.

Quick Start

Rubiscout analyzes email headers and full emails for phishing, spoofing, BEC attacks, and authentication failures. No account required.

1

Paste your email

Copy raw headers or the full email and paste into the input on the home page.

2

Click Analyze

Rubiscout runs AI forensics, live DNS lookups, IP reputation checks, and spam scoring in parallel.

3

Read the verdict

A plain-English verdict, risk score, and actionable recommendations appear within seconds.

Note: Full email (headers + body) gives richer analysis — body content adds spam scoring, URL reputation, MIME structure, and CAN-SPAM compliance checks. Headers-only is also fully supported.

Submitting Email

Paste — Headers or Full Email

Open any email in your client, find the "Show Original" or "View Source" option, copy everything, and paste it into the input box.

How to open raw email in common clients

Gmail: ⋮ menu → Show original
Outlook Web: ⋯ → View → View message source
Outlook Desktop: File → Properties → Internet headers
Apple Mail: View → Message → All Headers (⌥⌘H)
Yahoo Mail: ⋯ → View raw message
Thunderbird: Ctrl+U / Cmd+U

Forward to analyze@rubiscout.com

Forward any suspicious email to analyze@rubiscout.com and receive a complete analysis reply within seconds — verdict, risk score, authentication badges, routing hops, recommendations, and a link to the full interactive report.

For the most complete analysis, forward the email as an attachment rather than an inline forward. This preserves the original headers intact through the forwarding chain.
  • Gmail: ⋮ → Forward as attachment
  • Outlook: Ctrl+Alt+F
  • Apple Mail: Option+Cmd+F
Note: Recipient addresses (To:, Delivered-To:, X-Original-To:) are stripped before analysis and never stored. Only sender-side headers are processed.

Drag & Drop .eml Files

Drag an .eml file from your file manager directly onto the input area. Rubiscout reads the full file and populates the input automatically — supports full MIME emails including attachments.

Browser Bookmarklet

Install the Rubiscout bookmarklet once from the Features page. When you open an email's raw source in your browser, click the bookmarklet — Rubiscout opens in a new tab with the headers pre-filled.

This works on Gmail's "Show original" page, Outlook's message source view, and any page that displays raw email text.

Reading Results

Results are organized into tabs. The Summary tab is always shown first — the remaining tabs contain progressively deeper technical detail.

Summary

Plain-English verdict, risk score (Low/Medium/High/Critical), 2–4 specific signals that drove the score, and 3–5 actionable recommendations. This is the tab for non-technical users.

Auth

SPF, DKIM, and DMARC results in a semicircular gauge. Shows alignment mode (relaxed or strict), the published DMARC policy (none/quarantine/reject), and ARC chain validation for forwarded emails — per-hop auth results and chain integrity.

Routing

Step-by-step trace of every mail server the message passed through. Each hop shows the server name, IP, timestamp, and delay. Delays over 5 minutes are amber; over 30 minutes are red. The originating IP is shown with geolocation and flag.

DNS

Live DNS lookups run at analysis time for SPF, DMARC, MTA-STS, TLS-RPT, and BIMI records — showing what the domain actually publishes. Also shows IP reputation results across five DNSBL blacklists, DNSSEC status, and FCrDNS (forward-confirmed reverse DNS).

Content

Available when a full email (including body) is submitted. Shows spam score (0–10) with a breakdown of which rules triggered, CAN-SPAM compliance checks (List-Unsubscribe, physical address, non-deceptive subject, plain-text alternative), MIME structure tree with suspicious attachment flags, and a sanitized body preview in plain text or HTML.

Technical

All extracted header fields: From, Return-Path, Reply-To, Message-ID, X-Mailer, and more. Includes a toggle to view the full raw header with field names highlighted. Also shows hop count, ARC presence, and other structural metadata.

Verdicts

Community-submitted verdicts for this analysis (phishing, BEC, spam, legitimate, unknown) shown as a distribution chart. Any user can submit a verdict on a shared analysis page — no account required.

AI Investigative Bench

The Investigative Bench is a persistent AI chat panel alongside the analysis results. It loads every detail of the analysis automatically — you never need to re-paste anything. Powered by Claude Opus 4.8.

Getting Started

After running an analysis, the bench panel appears on the right side of the results. Four questions tailored to the specific risk signals found are pre-generated — click any to start immediately, or type your own question.

What to Ask

The bench has full context of the analysis. Useful question types:

Explain a signal

"Why does a DMARC p=none policy matter? What can an attacker do with it?"

Verify intent

"Could this Reply-To mismatch be legitimate, or is it always suspicious?"

Understand routing

"What does it mean that this email originated in Russia but claims to be from PayPal.com?"

Draft a response

"Write an IT security alert I can send to all staff warning them about this phishing campaign."

Escalation

"Write a report I can send to our bank's fraud team about this wire transfer request."

Technical deep dive

"What is the significance of the ARC chain being broken at hop 2?"

Drafting Security Content

The bench can produce complete, copy-paste-ready documents based on the analysis context:

  • — IT security alerts and all-staff warnings
  • — HR notices for BEC / CEO fraud attempts
  • — Phishing incident reports (internal ticketing)
  • — Fraud reports for financial institutions
  • — CISO briefings with technical and business impact
  • — End-user security awareness training snippets

Bench via API

The bench experience is powered by the POST /api/v1/investigate endpoint. For SOC integration and automation, use the API directly — see the Streaming Investigation Agent section below.

API — POST /analyze

Fast synchronous endpoint. Submit raw email headers or a full email, receive a complete forensic verdict as JSON in 3–8 seconds.

Authentication

Include your API key in the Authorization header.

Authorization: Bearer rbs_live_...
Note: API keys are available on the API Reference page after signing in. Rate limits: 60 req/hour, 200 req/day per key.

Request

POST https://rubiscout.com/api/v1/analyze
Content-Type: application/json
Authorization: Bearer rbs_live_...

{
  "header": "Delivered-To: ...\nReceived: from ...\n..."
}

The header field accepts the full raw email text including body, or headers only. Max 500 KB.

Response

{
  "id": "a1b2c3d4-...",          // UUID — use with GET /analyses/:id
  "verdict": "High",
  "summary": "This email...",
  "riskScore": "High",
  "riskReasoning": [
    "SPF hard fail — originating IP not authorized",
    "Reply-To domain differs from From domain",
    "DMARC p=none — no enforcement"
  ],
  "fields": {
    "from": "support@paypal.com",
    "returnPath": "bounce@malicious.xyz",
    "replyTo": "collect@attacker.net",
    "messageId": "<abc@malicious.xyz>",
    "subject": "Your account has been suspended"
  },
  "routingPath": ["mail.malicious.xyz", "mx.example.com"],
  "hops": [...],
  "recommendations": [
    "Do not click any links in this email",
    "Report to your IT security team immediately"
  ],
  "spf_result": "fail",
  "dkim_result": "none",
  "dmarc_result": "fail",
  "dnsCheck": { "spf": true, "dmarc": true, "mtaSts": false, ... },
  "ipBlacklist": { "listed": true, "lists": ["Spamhaus ZEN"] },
  "ipCountry": { "code": "RU", "name": "Russia" },
  "bodyAnalysis": {             // null if no body submitted
    "hasBody": true,
    "spamScore": { "total": 6.8, "level": "High", "rules": [...] },
    "mimeStructure": { ... },
    "compliance": [...],
    "preview": { "text": "...", "html": "..." }
  }
}

curl Example

curl -X POST https://rubiscout.com/api/v1/analyze \
  -H "Authorization: Bearer rbs_live_..." \
  -H "Content-Type: application/json" \
  -d '{"header": "'"$(cat suspicious.eml)"'"}'

API — POST /investigate (Streaming Agent)

The investigation endpoint runs a multi-step AI agent over a full RFC 2822 email. It streams results in real time via Server-Sent Events (SSE). Designed for SOC teams, SOAR integration, and security automation pipelines.

Powered by Claude Opus 4.8. The agent runs up to 12 tool-use turns, extracting IOCs, mapping TTPs to MITRE ATT&CK, and producing prioritized SOC recommendations.

What the Agent Does

The agent has access to five live tools it calls autonomously:

dns_lookupResolves SPF, DMARC, MX, A, and TXT records for sender and reply-to domains in real time.
ip_intelChecks the originating IP against DNSBL blacklists and returns geolocation and ASN information.
domain_intelEvaluates domain age, registration patterns, and suspicious TLD signals for sender domains.
extract_urlsParses the email body and headers to extract all URLs, including obfuscated and encoded links.
url_reputationChecks extracted URLs for phishing keywords, suspicious TLDs, IP-based hostnames, and excessive subdomain depth.

Request

POST https://rubiscout.com/api/v1/investigate
Content-Type: application/json
Authorization: Bearer rbs_live_...
Accept: text/event-stream

{
  "email": "From: support@paypal.com\r\nReceived: from...\r\n\r\nDear customer..."
}

The email field must be the full RFC 2822 email string. Both \\r\\n and \\n line endings are accepted. Max 2 MB.

SSE Stream Format

The response is a stream of text/event-stream events. Each event has a type field in the JSON data.

event: tool_call
data: {"type":"tool_call","tool":"dns_lookup","input":{"domain":"paypal.com","record_type":"TXT"}}

event: tool_result
data: {"type":"tool_result","tool":"dns_lookup","result":{"records":["v=spf1 ip4:..."],"error":null}}

event: tool_call
data: {"type":"tool_call","tool":"ip_intel","input":{"ip":"185.234.219.47"}}

event: tool_result
data: {"type":"tool_result","tool":"ip_intel","result":{"listed":true,"lists":["Spamhaus ZEN"],"country":"RU","asn":"AS12345 MALICIOUS-HOSTING"}}

event: reasoning
data: {"type":"reasoning","text":"The originating IP 185.234.219.47 is listed on Spamhaus ZEN and geolocates to Russia. The From domain paypal.com has a valid SPF record, but the sending IP fails SPF — meaning this server is not authorized to send on behalf of paypal.com. Combined with the Reply-To pointing to a .xyz domain registered 3 days ago..."}

event: complete
data: {"type":"complete","report":{...}}

Event Types

tool_callAgent is about to invoke a tool. Contains tool name and input parameters.
tool_resultTool execution result. Contains the raw data returned from the tool.
reasoningA text chunk of the agent's intermediate reasoning. Stream these to show live thinking.
completeFinal event. Contains the complete structured report (see below). Always the last event.
errorEmitted if the agent encounters a fatal error. Contains an error message string.

Complete Report Structure

The complete event payload contains:

{
  "type": "complete",
  "report": {
    "id": "a1b2c3d4-...",           // Stored analysis UUID
    "verdict": "Critical",
    "risk_score": 9,                 // 0–10
    "risk_reasoning": "...",         // Paragraph summary of key signals
    "summary": "...",                // Plain-English one-sentence summary

    "email": {
      "from": "support@paypal.com",
      "subject": "Your account has been suspended",
      "originating_ip": "185.234.219.47",
      "spf": "fail",
      "dkim": "none",
      "dmarc": "fail"
    },

    "iocs": {
      "ips":     ["185.234.219.47"],
      "domains": ["malicious-collect.xyz", "paypa1.com"],
      "urls":    ["https://malicious-collect.xyz/verify"],
      "emails":  ["collect@malicious-collect.xyz"]
    },

    "ttps": [
      {
        "id": "T1566.001",
        "name": "Phishing: Spearphishing Attachment",
        "tactic": "Initial Access"
      },
      {
        "id": "T1598.003",
        "name": "Phishing for Information: Spearphishing Link",
        "tactic": "Reconnaissance"
      }
    ],

    "recommendations": [
      "Block sending IP 185.234.219.47 at your email gateway",
      "Add malicious-collect.xyz to DNS blocklist",
      "Submit to APWG eCrime exchange: https://apwg.org/ecx/"
    ],

    "investigated_at": "2026-07-02T10:23:44.000Z"
  }
}

MITRE ATT&CK TTP Mapping

The agent maps observed behaviors to MITRE ATT&CK for Enterprise technique IDs. Tactics covered include Initial Access (T1566.x), Reconnaissance (T1598.x), Collection (T1114.x), and Command & Control (T1071.x). Each TTP includes the technique ID, full name, and parent tactic.

curl Example

# Stream the investigation to stdout
curl -N -X POST https://rubiscout.com/api/v1/investigate \
  -H "Authorization: Bearer rbs_live_..." \
  -H "Content-Type: application/json" \
  -H "Accept: text/event-stream" \
  -d '{"email": "'"$(cat suspicious.eml)"'"}'

Python Example (streaming)

import httpx, json

with httpx.stream(
    "POST", "https://rubiscout.com/api/v1/investigate",
    headers={
        "Authorization": "Bearer rbs_live_...",
        "Content-Type": "application/json",
    },
    json={"email": open("suspicious.eml").read()},
    timeout=120,
) as r:
    for line in r.iter_lines():
        if line.startswith("data: "):
            event = json.loads(line[6:])
            if event["type"] == "reasoning":
                print(event["text"], end="", flush=True)
            elif event["type"] == "tool_call":
                print(f"\n[tool] {event['tool']}({event['input']})")
            elif event["type"] == "complete":
                report = event["report"]
                print(f"\n\nVerdict: {report['verdict']}")
                print(f"IOCs: {report['iocs']}")
                print(f"TTPs: {[t['id'] for t in report['ttps']]}")

SOAR / Webhook Integration

For SOAR pipelines, listen for the complete event only — discard the intermediate events or log them separately. The report's iocs object maps directly to STIX indicator objects. The ttps array maps to STIX attack-pattern objects with ATT&CK IDs.

Note: Each investigation is stored and accessible via GET /api/v1/analyses/:id using the id field in the report.

CLI

The Rubiscout CLI is a standalone npm package for analyzing emails from the terminal.

Installation

npm install -g rubiscout

Configuration

rubiscout config set-key rbs_live_...

Stores your API key at ~/.config/rubiscout/config.json. Can also be set via the RUBISCOUT_API_KEY environment variable.

Commands

# Analyze from a file
rubiscout analyze suspicious.eml

# Analyze from stdin
cat suspicious.eml | rubiscout analyze -

# JSON output (for piping)
rubiscout analyze suspicious.eml --json

# List recent analyses
rubiscout list

# Get a specific analysis
rubiscout get a1b2c3d4-...

MCP Server

The Rubiscout MCP server exposes analysis tools via the Model Context Protocol — making them available to Claude Code, Cursor, GitHub Copilot, and any other MCP-compatible AI agent. It runs locally on your machine and calls the Rubiscout API on your behalf, so get a free API key at /dashboard before you configure it below.

Installation

No clone or build step required — npx fetches and runs it on demand:

npx rubiscout-mcp

Or install it globally:

npm install -g rubiscout-mcp

Configuration — Claude Desktop / Claude Code

// ~/.claude/settings.json or Claude Desktop config
{
  "mcpServers": {
    "rubiscout": {
      "command": "npx",
      "args": ["-y", "rubiscout-mcp"],
      "env": {
        "RUBISCOUT_API_KEY": "rbs_live_..."
      }
    }
  }
}

Get your key from /dashboard first. Alternatively, set RUBISCOUT_API_KEY as a system environment variable and omit the env block.

Available Tools

analyze_emailSubmit a raw email string for full forensic analysis. Returns verdict, risk score, authentication results, IOCs, and recommendations.
get_analysisRetrieve a stored analysis by UUID. Returns the full analysis object including all fields.
list_analysesList recent analyses with optional filters: page, per_page (max 50), risk_score (Low/Medium/High/Critical).

Example Usage in Claude

Once configured, you can ask Claude Code or Claude Desktop directly:

"Analyze this email for me and tell me if it's a phishing attempt" [paste email]

"Get my last 5 analyses and summarize the threat patterns"

"Analyze all .eml files in this directory and flag any Critical or High risk ones"