Mailuminati Guardian

Mailuminati Guardian is a local email threat detection engine designed to operate close to mail delivery pipelines. It provides fast, deterministic decisions while benefiting from shared intelligence through the Mailuminati Oracle.

Guardian follows a local-first design: most decisions are taken locally, with minimal latency, and only a small subset of messages requires remote confirmation.

Technology Agnostic by Design

Guardian does not depend on a specific mail stack.

It can be integrated with any antispam or analysis engine capable of calling an HTTP API, including but not limited to:

Likewise, Guardian does not require a specific MDA or IMAP server. Any system supporting IMAP Sieve or post-delivery hooks can be used, whether it is Dovecot or another compatible implementation.

Position in the Mail Flow

SMTP
 |
 v
Antispam / Analysis Engine
(Rspamd, SpamAssassin, ...)
 |
 |  Structural analysis
 |  TLSH fingerprint
 |  Guardian API call
 v
Mail Delivery (LMTP / MDA)
 |
 v
IMAP Server
(Message stored)

Guardian complements existing filters by providing structural proximity detection and collaborative intelligence. It does not replace scoring engines or policy logic.

Structural Fingerprinting

Guardian computes TLSH structural fingerprints from normalized message content instead of relying on static signatures.

This approach is resilient to minor content variations and template changes, making it effective against campaign-based threats.

Local Proximity Detection (LSH)

Fingerprints are split into overlapping bands using Locality Sensitive Hashing (LSH).

This enables fast proximity detection with constant-time lookups and minimal CPU overhead.

Immediate Local Learning

When a message is reported or confirmed locally, Guardian immediately integrates the fingerprint into its local dataset.

Subsequent messages showing similar structure are detected instantly, without waiting for external confirmation.
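
The banding and immediate-learning steps described above, as an added Python sketch that is not Guardian's own code. The band width, step, threshold, class and method names are assumptions, and the fingerprints are constructed strings shaped like TLSH digests rather than output of a TLSH library.

```python
from collections import defaultdict

# Assumed parameters; the page does not state Guardian's real values.
BAND_WIDTH = 8    # characters per band
BAND_STEP = 4     # step smaller than width, so neighbouring bands overlap
MIN_SHARED = 10   # shared bands needed before a message counts as "near"

def bands(fingerprint):
    """Return (offset, slice) keys, one per overlapping band."""
    fp = fingerprint.upper()
    return [(off, fp[off:off + BAND_WIDTH])
            for off in range(0, len(fp) - BAND_WIDTH + 1, BAND_STEP)]

class BandIndex:
    """Local dataset: band key -> labels of fingerprints containing it."""

    def __init__(self):
        self.buckets = defaultdict(set)

    def learn(self, label, fingerprint):
        # Immediate local learning: the next lookup already sees this entry.
        for key in bands(fingerprint):
            self.buckets[key].add(label)

    def candidates(self, fingerprint):
        # One dictionary lookup per band, independent of dataset size.
        hits = defaultdict(int)
        for key in bands(fingerprint):
            for label in self.buckets.get(key, ()):
                hits[label] += 1
        return dict(hits)

    def near(self, fingerprint, min_shared=MIN_SHARED):
        return sorted(label for label, n in self.candidates(fingerprint).items()
                      if n >= min_shared)

# Constructed sample data (72 characters, the length of a "T1"-prefixed TLSH digest).
KNOWN = "T1" + "3F9A0C" + "0123456789ABCDEF" * 4
VARIANT = KNOWN[:10] + "F" + KNOWN[11:50] + "0" + KNOWN[51:]   # two characters changed
UNRELATED = "T1" + "C07D51" + "FEDCBA9876543210" * 4

if __name__ == "__main__":
    index = BandIndex()
    index.learn("reported-1", KNOWN)
    for name, fp in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(name, index.candidates(fp), index.near(fp))
```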

Oracle Confirmation

When local proximity thresholds are reached, Guardian may query the Mailuminati Oracle.

The Oracle correlates signals coming from multiple Guardian instances, providing a community-driven confirmation layer without sharing raw content.

Decision and Enforcement

All decisions are enforced locally by Guardian and integrated into existing filtering logic.

Guardian provides signals, not policies. Operators remain in control.

Privacy and Autonomy

Guardian never shares raw email content. Collaboration relies exclusively on structural fingerprints, distance metrics, and aggregated reports.

Guardian remains fully operational even if disconnected from the Oracle.

Position in the Ecosystem

Together, they form a collaborative and scalable defense model for email infrastructure.