About
IMSpector is an Instant Messenger proxy with monitoring, blocking and content-filtering capabilities. Currently it supports MSN, Jabber/XMPP, AIM, ICQ, Yahoo, IRC and Gadu-Gadu to different degrees. MSN is the principal protocol, as it’s the most popular these days, at least in the UK where I’m based. The supported platforms are at present Linux and BSD when using the pf firewall, but porting to other UNIXes should be trivial. It is able to log to plain files, as well as several types of SQL database including MySQL, SQLite and PostgreSQL.
IMSpector is normally deployed on the network’s router, but other options are available.
This software is licenced under the GPL v2, with an additional exception to allow linking with OpenSSL. The original author and copyright holder is Lawrence Manning.
The program is currently somewhere between alpha and beta quality, but the following features have been implemented and at least work to some degree:
- Written in C++, with a minimal set of dependencies. Nice and small code footprint – 7000 lines thus far. Plugin based.
- Supports the following IM protocols via “protocol plugins”:
  - MSN – Logging of messages and file transfers.
  - Jabber/XMPP – Logging of messages and file transfers. If told to do so, IMSpector will proxy the TLS/SSL handshake, via the so-called man-in-the-middle attack method, and present the client with its own certificate, created on demand, instead of the server’s. Therefore Google’s Gtalk (and other encrypted Jabber sessions) can be monitored.
  - ICQ/AIM – Supports the “new” protocol, i.e. prehistoric ICQ is not supported. AIM over SSL is supported, via the same man-in-the-middle interception method as described above.
  - Yahoo – Logs chats and file transfers. Also supports webcam events. Nice and easy protocol to examine.
  - IRC – Kind of a “plaything”. Logs channel and private messages. Currently proxying this protocol through IMSpector will break DCC SENDs.
  - Gadu-Gadu – A protocol popular in Poland; this plugin currently only supports the logging of text messages.
- Can log to various places via “logging plugins”:
  - Files – The conversations are written to a file within a path resembling {protocol}/{local id}/{remote id}/{year}-{month}-{day}. See the Configuration section for more info. There is also a minimal file logging plugin which logs only the filtered messages.
  - MySQL – Can connect to a DB and dump the chats into a table. Not compiled by default.
  - SQLite – Can log to a local SQLite DB file. Requires sqlite3. Not compiled by default.
  - PostgreSQL – Can connect to a DB and dump chats into a table. Not compiled by default.
  - Debug – A trivial example plugin which logs to the syslog, which, when in debug mode, will end up on STDERR.
- Can filter in various ways via “filtering plugins”:
  - Content manipulation. Replace bad words with a user-defined character. All protocols supported by IMSpector can be filtered in this way.
  - Can block messages and other events based on an ACL. A database-backed filter (which uses SQLite) is able to automatically add remote users to the whitelist when local users send them messages.
  - Can also blanket block file transfers (all protocols besides Gadu-Gadu) and webcam events (Yahoo only at present).
  - Off-load the filtering and censoring decision to an external program via a UNIX socket and a simple API.
- Can inject messages into chats for the purpose of notifying IM users that their chats are being monitored. Every protocol except ICQ/AIM is supported.
- All the usual daemon things. Drop privs, a simple config file etc.
Logging my chats? You are evil!
Possibly. You may be wondering why people would want to log IM conversations on the network. Well, yes, clearly there is an avenue for abuse with this program. Spouses can use it to spy on each other. Parents can use it to spy on their teenagers. Bosses can spy on their staff. The list is endless. However, there are legitimate reasons why people would want to log IM chats, so this tool has been written. At this point it should be pointed out that, as IMSpector is a proxy and not just a traffic-snooper, other things beyond simple logging are possible, such as AV scanning of file transfers. See the Todo list for more information. As of 0.4, IMSpector can both block messages based on the parties making the chats, and it can also block file-transfers, keeping bad files out of your systems.
In addition, some people may be of the opinion that if they cannot monitor use, they must block it. But blocking something can lead to conversations simply being made by other channels. Logging means the user’s freedom to use IM is maintained, while giving the parents, teachers, etc, the knowledge that if they need to look at the chat logs for whatever reason, they can. So in some situations, IMSpector actually stimulates IM use.
Another use of this program is so an IM user can log his chats at a central location. If she uses multiple machines at multiple locations, IMSpector makes it easy to log all chats by proxying through it using a frontside proxy such as squid.
If you are really interested in your privacy then you should be using some kind of end-to-end encryption on your IM sessions. See the links elsewhere on this page for some IM encryption software.
Warnings and Limitations
This software should be considered beta quality at best. It has not been audited by anyone, including myself. That said, I have had it running on my machines for a couple of weeks and it now seems reliable – hence I am releasing it to the wild to see if there is any interest.
Note that some things are missing, notably MSN over HTTP support. This means that if you wish to log people using MSN, you should probably also block HTTP traffic from getting to the MSN servers. How you do this depends on lots of factors, so you will have to work that out yourself. There may well be other ways to get around IMSpector chat logging. In addition, IMSpector may make a mess of logging group chats, which some IM protocols support.
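The gap described above (clients reaching MSN through an HTTP proxy rather than port 1863) is visible in the HTTP proxy's own logs. The following is an added example, not part of IMSpector or of the original page: it scans squid access.log lines in squid's native format and lists the clients whose MSN traffic went through squid. The domain list is an assumption built from hosts named on this page, and the sample lines are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: domains taken from hosts named on this page; extend for your site.
MSN_DOMAINS = ("login.live.com", "msn.com")

def host_of(method, url):
    """Host from a squid URL field: 'host:port' for CONNECT, a full URL otherwise."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_msn(host):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in MSN_DOMAINS)

def find_proxied_msn(lines):
    """Map client IP -> Counter of HTTP methods used against MSN hosts via squid."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed entry
        client, method, url = fields[2], fields[5], fields[6]
        if is_msn(host_of(method, url)):
            hits.setdefault(client, Counter())[method] += 1
    return hits

# Constructed access.log lines (hosts under msn.com and example.org are made up).
SAMPLE = """\
1247565601.120    310 192.168.1.20 TCP_MISS/200 4210 CONNECT login.live.com:443 - DIRECT/192.0.2.10 -
1247565602.480     95 192.168.1.20 TCP_MISS/200 512 GET http://gw.example.msn.com/gateway? - DIRECT/192.0.2.11 text/plain
1247565603.002     88 192.168.1.20 TCP_MISS/200 498 GET http://gw.example.msn.com/gateway? - DIRECT/192.0.2.11 text/plain
1247565610.750    120 192.168.1.31 TCP_MISS/200 9001 GET http://www.example.org/ - DIRECT/192.0.2.80 text/html
""".splitlines()

if __name__ == "__main__":
    for client, methods in find_proxied_msn(SAMPLE).items():
        print(client, dict(methods))
```

A client that appears here is using the HTTP proxy for MSN, so its chats are not passing through IMSpector's native protocol port.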
I would like IMSpector installed on my proxy server which is not the router in my network. Is this possible and how would I configure MSN? At the moment I’m trying this out with Smoothwall and have MSN configured to use HTTP Proxy on port 800, however no messages are being logged.
Kind regards..
The official Microsoft MSN client, when configured to use a HTTP proxy, connects to the MSN servers using HTTP GET requests. These are not understood by IMSpector as it only understands the “real” MSN protocol on port 1863, not the inefficient GET-based protocol.
Other clients, eg. pidgin and Adium more sensibly use the CONNECT method when they connect through a HTTP proxy, and those clients can be used with IMSpector’s built in HTTP proxy port.
There may be other methods. A SOCKS server could be put inline with the IMSpector box (or even on the same machine) and the connection forwarded through IMSpector using iptables rules similar to those described at the bottom of the Install page. In this mode the client will generate real MSN packets, but through the SOCKS server.
HTH…
Hi.
Excuse my bad English.
I am trying to use imspector on smoothwall,
but when MSN makes a request to imspector, I get this error:
imspector Error: Don’t know how to handle connection to login.live.com:443
How can I resolve this?
Thanks!
What version of SmoothWall? Perhaps you should send your query directly to them. It sounds like you’re accessing the IMSpector through a proxy?
@lawrence
My version is SmoothWall Express 3.0-polar-i386.
And that’s exactly it. I have a squid proxy on port 3128,
and redirect to 16667. In debug mode, imspector shows me the activity on the protocol,
then disconnects at:
imspector Error: Don’t know how to handle connection to login.live.com:443
Is this because of the proxy?
If I want to use no proxy, only port 1863, how can I do it?
Simple: don’t configure the MSN client with proxy, but have it connect directly through the SmoothWall. The MSN client will then use port 1863.
@lawrence
OK. I tried to connect directly, by socks, on port 1863, redirected to 16667,
with pidgin and live msn. In debug mode, I get this:
imspector Error: Don’t know how to handle connection to 192.168.1.68
What am I doing wrong?
Many thanks.
@raviela
It sounds like you are connecting directly to IMSpector. You might need a -t nat -A OUTPUT redirect, as explained on the installation page. If your socks proxy and IMSpector are running on the same machine, you will need a -j REDIRECT rule in OUTPUT to direct the outgoing traffic from SOCKS into IMSpector.
@ lawrence
Maybe you could configure squid to proxy HTTPS connections that involve MSN (IPs or the .msn.com domain) to the HTTPS proxy port of imspector. Just wondering.
Hi.
Excuse my bad English.
There is a problem in displaying ICQ logs in imspector.cgi both in UTF-8 and WIN-1251 formats. Is it possible to make imspector recode everything in one format (e.g. UTF-8) at once?
Thanks!
This problem should be fixed in IMSpector 0.8. Are you using the latest version?
I used the imspector version dated 2009.07.14. The site default setting is UTF-8. The browser setting is also UTF-8. Here is what we have:
http://pic.ipicture.ru/uploads/090715/ZoidR6U4iK.jpg
Could you email me the contents of the log file? Or else have a look yourself to see if those lines are UTF-8 encoded. Basically we need to figure out if the problem is with the logviewer CGI or with the log files IMSpector is making.
In the log file the lines are both UTF-8 and WIN-1251 encoded. I think the problem is in IMSpector.
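A log whose lines mix UTF-8 and WIN-1251, as reported in this exchange, can be normalised after the fact so that a viewer only ever sees UTF-8. The following is an added example, not part of the thread or of IMSpector: it decodes each line strictly as UTF-8 and falls back to Windows-1251 only when that fails. The sample lines are constructed and do not follow IMSpector's actual log format, and Windows-1251 being the only legacy encoding present is an assumption.

```python
FALLBACK = "cp1251"  # assumption: Windows-1251 is the only legacy encoding in the log

def decode_line(raw):
    """Decode one raw log line; return (text, label) naming the encoding used."""
    if raw.isascii():
        return raw.decode("ascii"), "ascii"
    try:
        return raw.decode("utf-8"), "utf-8"  # strict: any invalid sequence raises
    except UnicodeDecodeError:
        # Ordinary Cyrillic text in cp1251 is runs of bytes 0xC0-0xFF, which do
        # not form valid UTF-8 sequences, so the strict attempt above fails.
        # errors="replace" keeps the line even if it holds a byte cp1251 lacks.
        return raw.decode(FALLBACK, errors="replace"), FALLBACK

def normalise(data):
    """Return (utf8_bytes, counts) for a whole log file given as bytes."""
    counts = {"ascii": 0, "utf-8": 0, FALLBACK: 0}
    out = []
    # bytes.splitlines only splits on \n, \r and \r\n, none of which occur
    # inside a multi-byte UTF-8 sequence or a cp1251 letter.
    for raw in data.splitlines(keepends=True):
        text, label = decode_line(raw)
        counts[label] += 1
        out.append(text.encode("utf-8"))
    return b"".join(out), counts

# Constructed sample: one ASCII line, one UTF-8 line, one Windows-1251 line.
SAMPLE = b"".join([
    "10:00:01 1234 -> 5678: hello\n".encode("ascii"),
    "10:00:05 5678 -> 1234: привет\n".encode("utf-8"),
    "10:00:09 1234 -> 5678: как дела\n".encode("cp1251"),
])

if __name__ == "__main__":
    fixed, counts = normalise(SAMPLE)
    print(counts)
    print(fixed.decode("utf-8"), end="")
```

Running the function on its own output changes nothing, so it is safe to apply repeatedly to the same file.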
I’ve created a .deb package of imspector which can be found at http://mweldan.net/mambang/debian/imspector/ . Thanks
Hello!
I have a problem with IMSpector 0.9.
When I run the program in debug mode:
imspector -d
imspector: Protocol Plugin name: ICQ-AIM IMSpector protocol plugin
imspector: Logging Plugin name: Debug IMSpector logging plugin
imspector: Non-HTTP port listening on 0.0.0.0:16667
imspector: Logging Plugin name: File IMSpector logging plugin
imspector: Non-HTTP connection from: 192.168.10.63:2084
imspector: Redirect address, PF (/dev/pf) open failed: No such file or directory
imspector: Check permissions on /dev/pf. IMSpector needs read/write privileges.
imspector: Client is connecting to:
imspector: Error: Don’t know how to handle connection to
imspector: Finished with child: 192.168.10.63:2084
I don’t have pf. I use ipfw.
How do I fix this? What rules are needed for ipfw? Does IMSpector work with ipfw?
Another use of this program is so an IM user can log his chats at a central location. If she uses multiple machines at multiple locations, IMSpector makes it easy to log all chats by proxying through it using a frontside proxy such as squid.
Can you tell me how I can use this feature on my server? It is definitely useful for me. But on the internet there are only servers that require payment, and I’m not sure that my privacy will be safe.
You mean that I can connect through my proxy, but my mobile phone IM client can’t do that. Is there a possibility to connect directly to the server through IMSpector?
The way to do central logging is by putting a HTTP or SOCKS proxy in front of IMSpector. So the client connects to (say) a SOCKS proxy and then the SOCKS proxy connects through IMSpector, allowing you to log all messages centrally. The limitation of this is that the client has to be able to act as a SOCKS client, and it seems unlikely that a mobile-phone based client could.
Hi. I have imspector installed on smoothwall 3sp1, proxy non-transp port 3128, and FFC installed…. I log all MSN chats, but have no success logging gtalk (gmail chat). Give me the way to do this (log gtalk)…
[]s
Did you install the certificate? You need to export the SSL certificate and then import it into each client. This is because gtalk uses SSL and you must run the IM proxy in SSL man in the middle mode.
Can I log Skype communication (chat)?
Genius product. Thanks for making it!
Works great, but I’ve noticed that it doesn’t seem to grab AIM messages from the new client (7.0 on Windows, I think it’s 2.0 on Mac). Do you know anything about this?
I’ve looked at the packets with tcpdump, briefly. On Mac there is a lot of noise but the buddy name and text of the message is there when dumping as ASCII. On Windows the buddy name appears but the message appears to be noise (simple encryption?).
Anyway, just wondering if you’ve seen this. I don’t know much, but maybe I can help.
Thanks!
Skype is a proprietary protocol that uses end-to-end encryption. So in short, you cannot log Skype. If IMSpector could log Skype I would be very rich….
Unfortunately AIM 7 is a completely different protocol, and it uses some encryption. IMSpector doesn’t support it yet, and it looks like a lot of effort to decode it. If you want to help then feel free to drop me a mail: lawrence at aslak dot net.
@mini-casper
Hi, I have a patched version of IMSpector which automatically converts Cyrillic encodings to UTF-8.
@mini-casper
> Is it possible to make imspector recode everything in one format (e.g. UTF-8-) at once?
It is possible; I have a version of IMSpector which translates all Cyrillic encodings to UTF-8.
Lawrence, please tell me: is there any frontend to the MySQL database of IMSpector? Thanks
Hello,
I’m trying to use SmoothWall (SmoothWall Express 3.0-polar-i386 /update5-i386).
IMSpector is good. But today IMSpector is not working. Today I checked Smoothwall/System Logs/IM Proxy logs and saw these logs.
12:01:48 imspector Protocol Plugin name: Gadu-Gadu IMSpector protocol plugin
12:01:48 imspector Protocol Plugin name: ICQ-AIM IMSpector protocol plugin
How can I resolve this problem?
12:02:49 imspector Error: Unable to log an event (1) via File IMSpector logging plugin
Sorry
My English is bad but
IMSpector is perfect
Thanx,
The only cause I can think of for this is a full disk. Is your /var/log partition full? Also, check that the dir /var/log/imspector exists. If not, make it:
mkdir /var/log/imspector
chown imspector:imspector /var/log/imspector
Hope that helps….
I think some people have made a frontend for viewing IMSpector MySQL tables, but nothing has been given to me to include in the package. It would be great if someone could write one and send it to me so I can include it… Perl, PHP, python.. all are fine with me so long as it works.
@lawrence
It would be really great…
@jakal
Could I get a link? You can send it to my email, casper.dns@gmail.com
I would be very grateful if you shared your patched version or the patch.
Hello
I have a squid/dansguardian proxy server (on Ubuntu 8.04). It’s not the network gateway, just a proxy. Clients have HTTP proxy settings in IE connection settings and connect to port 8080 of dansguardian, and this cannot be changed in Live Messenger to use a different port (I gave it a good search). Is there any way I can make this work?
Lawrence, hi!
I use imspector on my proxy to collect AIM/ICQ messages, but my users with the official version of the ICQ program are not inserted in the history. Imspector does not see the official ICQ program.
Miranda and QIP are OK.
Hello,
I have pfSense 1.2.2 dev and full updates are configured. I installed and configured only imspector and Squid.
I set the client gateway to pfSense’s LAN IP address and imspector successfully logs MSN, but when I set the proxy address in the clients’ Internet Explorer and remove the gateway (I must use another gateway for routing) and port 3128, imspector stops logging. How can I configure imspector to work with Squid?
My imspector.conf and pictures;
http://www.cehturkiye.com/imspector.conf
http://www.cehturkiye.com/imsstart.jpg
http://www.cehturkiye.com/imslog.jpg
Thanks for your Relation.
Hello,
I want to use IMSpector with a Socks5 server (I want to save jimm messages). But when I try to connect to the socks server, it uses all the RAM. And imspector says: “imspector: Non-HTTP connection from: 94.181.95.192:45412
imspector: ICQ-AIM: uin: Unknown, unknown family: 0017 subtype: 0006
imspector: Client is connecting to: 205.188.251.43:5190
imspector: Finished with child: 94.181.95.192:45411 ” many times. The client tries to connect, but fails. What am I doing wrong?
@SiNNeR
Using IMSpector 0.9 and imspector-20091226
Hello, I have a problem with the gg plugin: it doesn’t work with the new version of the client. Is there any possibility to upgrade this protocol?
Hello,
Users connect to ICQ to port 443 via a proxy server squid (port 5190 is not allowed). Squid listens on port 3128. In iptables added the following line
-A OUTPUT -m tcp -p tcp --dport 443 -m owner --uid-owner 23 -j REDIRECT --to-ports 16667
To work requires launched imspector or error connections in ICQ clients.
When in imspector.conf comment “https_protocol = on” no connect, else all connected work, but logging is not conducted.
I start imspector -d and I get the following message (https_protocol = on)
imspector: Non-HTTP connection from: x.x.x.x:57392
imspector: Client is connecting to: 94.100.179.152:443
imspector: HTTPS: Got: 61
imspector: HTTPS: Got: 341
imspector: Finished with child: x.x.x.x:57392
Excuse my bad English
IMSpector understands the “real” IM protocol, not the IM protocol in HTTP format, which is what the client will be sending if it is going through Squid. Why is port 5190 blocked?
Yes, this is a known problem. I am waiting to get some captures of the packets so I can fix IMSpector. Are you able to help?
@lawrence
Because it was done for safety, since port 443 is a secure connection. And now we have the opposite:). I have unblocked port 5190 and it was working. But nevertheless I would like to work for 443.
But, only pidgin and icq clients. If client QIP
imspector: ICQ-AIM IMSpector protocol plugin: Warning, unknown message string type: 46
imspector: ICQ-AIM: Error: Unable to parse snac packet, icq.14229.85
Why?
@strafer – unfortunately that traffic on port 443 is not the same traffic as on port 5190, it will be IM requests in HTTP GET requests, which IMSpector does not understand because it knows nothing about HTTP….
Security is more than blocking ports.
@Strafer – Not heard of that client. You’ll need to send me some packet captures. If you want to help, send me a email and I’ll tell you how to do some packet captures.
Um, is there any chance of adding facebook chat capturing??
Good day,
Love the program, works superbly. I do have one feature request: can you add Facebook Chat to Imspector?
Cheers,
Pete.
@ Pete
I think we should begin reading a good implementation
http://pidgin-facebookchat.googlecode.com/files/pidgin-facebookchat-source-1.65.tar.bz2
This code is clear enough.
Hi,
I’m looking for free software to block files in the MSN protocol. I want to allow only text chat.
IMSpector is a great project, until now the best free code to manage MSN that I have found, but even when I set the parameter block_files=on in imspector.conf, files can still be transferred.
I did some research on blocking file transfers in the MSN protocol. Here I found some information that describes how MSN works to prevent the file transfer block:
http://blog.imfirewall.us/Block+MSN+File+Transfer+Impossible+Mission.aspx
*************************************************************
1. For two buddies, if one of them is connected to internet directly, direct connection will be established to transfer files. This is the quickest way. There has three type of direct connections with dynamic ports which is negotiated by two sides.
1.1) Direct TCP connection.
1.2) Direct TCP connection use TLS encryption.
1.3) Direct UDP transmission.
2. If direct connection can not be established, msn servers can act as a relay server to transfer files. The file transfer packets will be among with normal msn messages.
As you can see from above, there is no way to block msn file transfer simply by blocking some ports in the firewall. The firewall should be smart enough to recognize msn file transfer direct connections, and it shall be able to pick up file transfer packets from normal msn messages.
***********************************************************
Is there some way to block any files? Maybe I can help with any task in this project if this is possible.
Best Regards,
Cássio Seffrin