Scamwatcher

AI-assisted scam reporting and triage platform for the public and accredited analysts.


Scamwatcher is an AI-assisted scam reporting and triage platform. Members of the public submit suspicious messages — either through a web form or by forwarding an email to a monitored address — and accredited analysts work the resulting case load through a dedicated dashboard.

A reference deployment runs at scamwatcher.mattpalmer.net. The codebase is self-hostable on any Supabase project plus a static host.

What it does

  • Public submission. Anonymous web form plus inbound-email ingestion. Optional Cloudflare Turnstile for bot mitigation.
  • Pre-assessment threat intel. Before AI triage, VirusTotal and AbuseIPDB are queried for sender domains, link domains, IPs and URLs, and the findings are fed into the prompt.
  • AI triage. Each report is classified with a verdict (likely_scam / likely_legitimate / inconclusive), a UK PHIA probability yardstick confidence band, indicators, suggested tags and plain-English guidance.
  • Automated reply. Reporters with an email address receive a tailored confirmation; a reforward flow lets analysts ask for the original message back when headers are missing.
  • Threat intelligence panel. On-demand enrichment across eight sources — VirusTotal, AbuseIPDB, URLScan, RDAP/WHOIS, PhishTank, Spamhaus DBL/ZEN, Google Safe Browsing and ipinfo.io — with caching and analyst-gated file uploads.
  • False positive management. Exact, wildcard and exception rules suppress spurious intel hits across all reports, with a human review queue.
  • Indicator watchlist. Analysts subscribe to indicators (domain, registered domain, wildcard, ASN) and get email alerts when a new report mentions one.
  • GeoIP enrichment. ipinfo lookups for malicious IPs, submitter IPs, and accredited-user logins in the audit log.
  • Automated research reports. Multi-source intel fan-out plus an AI-synthesised deep assessment, weighting domain age, registrar and registration data as scam signals.
  • Related reports. Event pages surface other reports sharing the same sender domain or scammer contact, helping spot campaigns.
  • Email header forensics. Multi-level forward unwrapping, original-header recovery from inline forwards or .eml attachments, and SPF/DKIM/DMARC parsing.
  • Export. Bulk CSV and single-report PDF, in Full mode (with reporter PII) or Redacted mode (safe for partner handoff).
  • Accredited dashboard. Analysts, auditors and admins browse reports, events, tags, domain drilldowns, DNS audit, email deliverability and the audit log.
  • Audit log. Logins (with geolocation), report views, edits, threat lookups and AI assessments — admin-only, filterable, paginated.
  • DNS and deliverability tooling. Scheduled DNS / SPF / DKIM / DMARC checks plus end-to-end mail deliverability probes.
  • Org-scoped access. Roles (admin, analyst, auditor, organisation_admin) in a dedicated user_roles table; organisation admins are scoped strictly to their own organisation.

Stack

  • Frontend: React 18, Vite, TypeScript, Tailwind CSS, shadcn/ui, TanStack Query, React Router, React Hook Form + Zod.
  • Backend: Supabase — Postgres + RLS, Auth, Storage, Edge Functions (Deno).
  • AI: provider-agnostic gateway across OpenAI, Google Gemini and Anthropic, switchable from the admin UI.
  • Email: Postmark (inbound and outbound) with server-rendered React Email templates.

Security model

  • Roles live in a dedicated table, queried via SECURITY DEFINER helpers to avoid recursive RLS.
  • No anon writes — public submissions flow through a service-role edge function with validated intake, idempotency, and signed-URL attachment uploads.
  • Analyst consent is required before file bytes leave the platform for VirusTotal.
  • Sensitive functions verify the caller's JWT role; errors are sanitised; everything sensitive is audit-logged.

If you work in trading standards, consumer protection, law enforcement or threat intelligence and would like to discuss a deployment or collaboration, please get in touch.