# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Build Commands

```bash
# Build the project
dotnet build EmailSearch/EmailSearch.csproj

# Build release version
dotnet build EmailSearch/EmailSearch.csproj -c Release

# Run the MCP server (connects via stdio)
dotnet run --project EmailSearch/EmailSearch.csproj
```

## Architecture

This is an MCP (Model Context Protocol) server that provides Outlook email search capabilities to LLM clients. It runs as a stdio-based server using the Microsoft.Extensions.Hosting pattern.

**Key Components:**

- `Program.cs` - Entry point that configures the MCP server with stdio transport and registers `EmailSearchTools`
- `EmailSearchTools.cs` - MCP tool implementations decorated with `[McpServerTool]`:
  - `SearchEmails` - Search emails with filters (keywords, sender, subject, date range, folder, attachments, importance, category, flag status)
  - `ReadEmail` - Retrieve full email body by subject and date
  - `MoveToJunk` - Move an email to the Junk folder
  - `AnalyzeSpam` - Analyze a specific email for spam indicators with detailed report
  - `ScanForSpam` - Scan recent emails and return spam scores for potential spam
- `SearchFilters.cs` - Filter parameter container for email searches
- `EmailResult.cs` - DTO for search results with factory method `FromMailItem()`

**Spam Detection (`SpamDetection/` folder):**

- `SpamDetector.cs` - Core rule-based spam detection engine with 50+ heuristic patterns
- `SpamFeatures.cs` - Feature extraction model for spam analysis
- `SpamAnalysisResult.cs` - Result container with score, likelihood, and red flags
- `SpamDetectorConfig.cs` - Configuration model with customizable weights and keyword lists
- `UrlAnalyzer.cs` - URL analysis (IP-based links, URL shorteners)
- `AttachmentAnalyzer.cs` - Attachment risk scoring by file type
- `FeatureExtractors.cs` - Helper methods for URL and header extraction

**Dependencies:**

- `ModelContextProtocol` - MCP SDK for .NET
- `NetOfficeFw.Outlook` - COM interop wrapper for Outlook automation

**Platform:** Windows-only (.NET 9.0-windows) due to Outlook COM dependency

## Spam Detection Features

The spam detection system uses a weighted scoring approach (0.0-1.0) with the following detection patterns:

**Authentication Checks:**

- SPF, DKIM, DMARC authentication failures
- Reply-To domain mismatch

**Identity Spoofing:**

- Display name impersonation (vendor name + different domain)
- Subject domain impersonation
- Unicode/homoglyph attacks in domains
- Generic sender names (noreply, notification, etc.)
- Company subdomain spoofing (e.g., company.fakevoicemail.net)

**Link/URL Analysis:**

- IP address-based URLs
- URL shorteners (bit.ly, tinyurl, etc.)
- Suspicious TLDs (.xyz, .top, .click, etc.)

**Content Red Flags:**

- Keyword bait (invoice, urgent, verify, etc.)
- Placeholder text (failed mail merge)
- Single link with minimal text
- Tracking pixels (1x1 images)
- Zero-width Unicode characters (filter evasion)
- Random reference IDs in subject
- Timestamps in subject (automation indicator)

**Attachment Risk:**

- Weighted scoring by file type (0.0-1.0)
  - Critical: .exe, .scr (1.0)
  - High: .bat, .cmd, .vbs, .js (0.9-0.95)
  - Medium: .docm, .xlsm, .html, .iso (0.6-0.8)
  - Low: .zip, .rar (0.3-0.35)

**Advanced Phishing Patterns:**

- Fake quarantine/spam reports
- Fake voicemail notifications
- Fake system notifications (verify email, account suspended)
- Cold email solicitation (SEO, web design spam)

**Configuration:** Optional `SpamDetectorConfig.json` and `BlockList.txt` files can be placed in the application directory to customize detection patterns, keywords, trusted domains, and score weights.
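
A minimal sketch of the Link/URL Analysis checks feeding the weighted 0.0-1.0 score described above. It is an added example, not code from this repository: the class name `UrlScoreSketch`, the three weights, and the rule that each pattern counts once per message are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added illustration; not the repository's UrlAnalyzer.cs.
public static class UrlScoreSketch
{
    // Hosts and TLDs are the examples named in this file.
    static readonly HashSet<string> Shorteners = new(StringComparer.OrdinalIgnoreCase) { "bit.ly", "tinyurl.com" };
    static readonly string[] SuspiciousTlds = { ".xyz", ".top", ".click" };
    // Assumed weights; the project's own weights are configurable (SpamDetectorConfig).
    const double IpWeight = 0.40, ShortenerWeight = 0.25, TldWeight = 0.20;
    static readonly Regex UrlPattern = new(@"https?://[^\s""'<>]+", RegexOptions.IgnoreCase);

    public static (double Score, List<string> RedFlags) Analyze(string body)
    {
        var flags = new List<string>();
        var counted = new HashSet<string>();
        double score = 0;
        // Assumption: each pattern adds its weight once per message; every hit is still reported.
        void Flag(string kind, double weight, string host)
        {
            if (counted.Add(kind)) score += weight;
            flags.Add($"{kind}: {host}");
        }
        foreach (Match m in UrlPattern.Matches(body))
        {
            if (!Uri.TryCreate(m.Value, UriKind.Absolute, out var uri)) continue;
            string host = uri.Host.TrimEnd('.');   // tolerate a trailing root dot
            if (uri.HostNameType is UriHostNameType.IPv4 or UriHostNameType.IPv6)
                Flag("IP-based URL", IpWeight, host);
            else if (Shorteners.Contains(host))
                Flag("URL shortener", ShortenerWeight, host);
            else if (SuspiciousTlds.Any(t => host.EndsWith(t, StringComparison.OrdinalIgnoreCase)))
                Flag("Suspicious TLD", TldWeight, host);
        }
        return (Math.Min(1.0, score), flags);   // clamp to the 0.0-1.0 range
    }

    public static void Main()
    {
        // Constructed sample body, not a real message.
        string body = "Verify now: http://192.0.2.10/verify or https://bit.ly/abc123 " +
                      "then sign in at https://mail.sample-portal.xyz/login";
        var (score, flags) = Analyze(body);
        Console.WriteLine($"URL score: {score:F2}");
        flags.ForEach(Console.WriteLine);
    }
}
```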