November 16th, 2009

IMSpector is an Instant Messenger proxy with monitoring, blocking and content-filtering capabilities. Currently it supports MSN, Jabber/XMPP, AIM, ICQ, Yahoo, IRC and Gadu-Gadu to different degrees. MSN is the principal protocol, as it’s the most popular these days, at least in the UK where I’m based. The supported platforms are at present Linux and BSD when using the pf firewall, but porting to other UNIXes should be trivial. It is able to log to plain files, as well as several types of SQL database including MySQL, SQLite and PostgreSQL.

IMSpector is normally deployed on the network’s router, but other options are available.

This software is licenced under the GPL v2, with an additional exception to allow linking with OpenSSL.  The original author and copyright holder is Lawrence Manning.

The program is currently somewhere between alpha and beta quality, but the following features have been implemented and at least work to some degree:

  • Written in C++, with a minimal set of dependencies. Nice and small code footprint – 7000 lines thus far. Plugin based.
  • Supports the following IM protocols via “protocol plugins”:
    • MSN – Logging of messages and file transfers.
    • Jabber/XMPP – Logging of messages and file transfers. If told to do so, IMSpector will proxy the TLS/SSL handshake, via the so-called man-in-the-middle attack method, and present the client with its own certificate, created on demand, instead of the server’s. Therefore Google’s Gtalk (and other encrypted Jabber sessions) can be monitored.
    • ICQ/AIM – Supports the “new” protocol, i.e. prehistoric ICQ is not supported. AIM over SSL is supported, via the same man-in-the-middle interception method as described above.
    • Yahoo – Logs chats and file transfers. Also supports webcam events. Nice and easy protocol to examine.
    • IRC – Kind of “play thing”. Logs channel and private messages. Currently proxying this protocol through IMSpector will break DCC SENDs.
    • Gadu-Gadu – A protocol popular in Poland, this plugin currently only supports the logging of text messages.
  • Can log to various places via “logging plugins”:
    • Files – The conversations are written to a file within a path resembling {protocol}/{local id}/{remote id}/{year}-{month}-{day}. See the Configuration section for more info. There is also a minimal file logging plugin which logs only the filtered messages.
    • MySQL – Can connect to a DB and dump the chats into a table. Not compiled by default.
    • SQLite – Can log to a local SQLite DB file. Requires sqlite3. Not compiled by default.
    • PostgreSQL – Can connect to a DB and dump chats into a table. Not compiled by default.
    • Debug – A trivial example plugin which logs to the syslog, which when in debug mode, will end up on STDERR.
  • Can filter in various ways via “filtering plugins”:
    • Content manipulation. Replace bad words with a user defined character. All protocols supported by IMSpector can be filtered in this way.
    • Can block messages and other events based on an ACL. A database-backed filter (which uses SQLite) is able to automatically add remote users to the whitelist when local users send them messages.
    • Can also blanket block file transfers (all protocols beside Gadu-Gadu) and webcam events (Yahoo only at present).
    • Off-load the filtering and censoring decision to an external program via a UNIX socket and a simple API.
  • Can inject messages into chats for the purpose of notifying IM users that their chats are being monitored. Every protocol except ICQ/AIM is supported.
  • All the usual daemon things. Drop privs, a simple config file etc.
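
For reviewing what the file logging plugin has written, the path layout given in the list above ({protocol}/{local id}/{remote id}/{year}-{month}-{day}) can be indexed directly. The following is an added example, not part of IMSpector: the function names, the protocol directory names ("msn", "jabber") and the sample ids are assumptions, and the sample tree is constructed.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Layout from the page: {protocol}/{local id}/{remote id}/{year}-{month}-{day}
DAY_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def index_logs(root):
    """Return (entries, rejects): parsed log files and paths that do not fit."""
    root = Path(root)
    entries, rejects = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        parts = path.relative_to(root).parts
        day = None
        if len(parts) == 4 and DAY_RE.fullmatch(parts[3]):
            try:
                day = datetime.strptime(parts[3], "%Y-%m-%d").date()
            except ValueError:
                pass  # shaped like a date but not a real one, e.g. 2009-13-40
        if day is None:
            rejects.append("/".join(parts))  # review these by hand
        else:
            entries.append((parts[0], parts[1], parts[2], day))
    return sorted(entries), sorted(rejects)

def contacts_by_local_user(entries):
    """Map (protocol, local id) -> {remote id: [dates]} for a quick overview."""
    out = {}
    for proto, local, remote, day in entries:
        out.setdefault((proto, local), {}).setdefault(remote, []).append(day)
    return out

def build_sample_tree(root):
    """Constructed sample data; directory names, ids and dates are invented."""
    for rel in ("msn/alice@example.com/bob@example.com/2009-11-16",
                "msn/alice@example.com/bob@example.com/2009-11-17",
                "jabber/alice@example.org/carol@example.net/2009-11-16",
                "jabber/alice@example.org/carol@example.net/2009-13-40",
                "msn/stray-file"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        entries, rejects = index_logs(tmp)
        print(contacts_by_local_user(entries))
        print("does not fit layout:", rejects)
```

Files that land in the rejects list are worth a manual look, since the id components of the path come from the monitored traffic rather than from the administrator.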

Logging my chats? You are evil!

Possibly. You may be wondering why people would want to log IM conversations on the network. Well, yes clearly there is an avenue for abuse with this program. Spouses can use it to spy on each other. Parents can use it to spy on their teenagers. Bosses can spy on their staff. The list is endless. However, there are legitimate reasons why people would want to log IM chats, so this tool has been written. At this point it should be pointed out that as IMSpector is a proxy and not just a traffic-snooper; other things beyond simple logging are possible, such as AV scanning of file transfers. See the Todo list for more information. As of 0.4, IMSpector can both block messages based on the parties making the chats, and it can also block file-transfers, keeping bad files out of your systems.

In addition, some people may be of the opinion that if they cannot monitor use, they must block it. But blocking something can lead to conversations simply being made by other channels. Logging means the user’s freedom to use IM is maintained, while giving the parents, teachers, etc, the knowledge that if they need to look at the chat logs for whatever reason, they can. So in some situations, IMSpector actually stimulates IM use.

Another use of this program is so an IM user can log his chats at a central location. If she uses multiple machines at multiple locations, IMSpector makes it easy to log all chats by proxying through it using a frontside proxy such as squid.

If you are really interested in your privacy then you should be using some kind of end-to-end encryption on your IM sessions. See the links elsewhere on this page for some IM encryption software.

Warnings and Limitations

This software should be considered beta quality at best. It has not been audited by anyone, including myself. That said, I have had it running on my machines for a couple of weeks and it now seems reliable – hence I am releasing it to the wild to see if there is any interest.

Note that some things are missing, notably MSN over HTTP support. This means that if you wish to log people using MSN, you should probably also block HTTP traffic from getting to the MSN servers. How you do this depends on lots of factors, so you will have to work that out yourself. There may well be other ways to get around IMSpector chat logging. In addition, IMSpector may make a mess of logging group chats, which some IM protocols support.

  1. adopilot
    August 30th, 2010 at 14:52 | #1

    Thanks a lot, works like a charm on pfSense.

    Is there a way to log Google Talk?

    Thanks in advance

  2. October 6th, 2010 at 21:39 | #2

    Yes, certainly. It’s just jabber with SSL. See http://www.imspector.org/wordpress/?page_id=89 – you must have certs set up so the client trusts the IM box. I have no idea if pfsense has implemented a config generator for this, but IMSpector itself is more than capable of logging GoogleTalk, as SmoothWall Express (http://smoothwall.org) and Corporate (http://smoothwall.net) show.

  3. maxleonca
    March 26th, 2011 at 00:51 | #3

    This is an amazing tool, I have it working on Slackware 13.1, but I have a small problem.
    I’m wondering if you can point me in the right direction.
    I use pidgin as a client so I can trace different protocols one by one, and so far:
    Gtalk works great
    Yahoo works great
    AIM bypasses the proxy even though the IPTABLES route for 5190 is set, so I just need to track port and connection, might be using port 80.
    Now MSN is iffy, I can see in debug mode that it connects, downloads the certs, there is a whole exchange of info. Pidgin reports it as online but no contacts are pulled so I’m not online.

    Can anyone throw some light on this MSN problem?

    Thank you very much.
