
Core Concepts

Understanding the fundamental concepts behind Smailander will help you use the platform effectively and maximize its security benefits.

Email Honeypot Fundamentals

What is an Email Honeypot?

An email honeypot is a decoy email address designed to attract and detect malicious emails. Think of it as a trap that catches attackers before they can harm your real systems.

Analogy

Imagine leaving a fake wallet in a public place. If someone tries to steal it, you know they're a thief. Email honeypots work similarly - they're fake email addresses that attract spammers and phishers.

How Honeypots Work

sequenceDiagram
    participant Attacker as Malicious Actor
    participant Honeypot as Honeypot Email
    participant Forward as Email Service
    participant Smailander as Smailander System
    participant User as Security Team

    Attacker->>Honeypot: Sends phishing email
    Honeypot->>Forward: Email forwarded
    Forward->>Smailander: Webhook notification
    Smailander->>Smailander: Analyze email
    Smailander->>Smailander: Detect threat (ClamAV, SpamScanner)
    Smailander->>User: Real-time alert
    Smailander->>Smailander: Log for intelligence

Types of Honeypot Addresses

| Type           | Purpose                              | Example             |
|----------------|--------------------------------------|---------------------|
| Monitoring     | Collect all emails for analysis      | monitor@company.com |
| Leak Detection | Track which service leaked data      | amazon@company.com  |
| Testing        | Test spam filters and detection      | test@company.com    |
| Trap           | Attract and capture malicious actors | admin@company.com   |

Email Forwarding Architecture

Forward Email Integration

Smailander receives emails through the Forward Email API. Here's the flow:

  1. Email arrives at honeypot address (e.g., test@company.com)
  2. Email service forwards to Smailander via webhook
  3. Smailander processes and analyzes the email
  4. Threat detection scans for malware and spam
  5. Results stored in database and user alerted

Email Headers Analysis

Smailander extracts and analyzes critical email headers:

{
  "headers": {
    "from": "attacker@malicious.com",
    "to": "honeypot@company.com",
    "subject": "Urgent: Account compromised",
    "received_spf": "pass",
    "dkim": "fail",
    "dmarc": "fail",
    "smtp_server": "mail.bad-domain.com",
    "ip_address": "192.168.1.100",
    "country": "Russia",
    "timestamp": "2026-03-12T14:30:00Z"
  }
}

Threat Detection System

Multi-Layer Analysis

Smailander uses multiple analysis layers for comprehensive threat detection:

Email → ClamAV Scan → SpamScanner → Pattern Analysis → Threat Score → Alert

1. Malware Detection (ClamAV)

  • Scans all email attachments
  • Detects viruses, trojans, and ransomware
  • Uses signature-based and heuristic detection
  • Updates virus definitions daily

2. Spam Identification (SpamScanner)

  • Analyzes email content and structure
  • Identifies spam patterns and techniques
  • Uses machine learning models
  • Scores emails from 0-100 (spam probability)

3. Phishing Detection

  • Analyzes URLs and links for suspicious patterns
  • Checks sender reputation and domain age
  • Identifies urgency keywords ("Immediate action required")
  • Detects email spoofing attempts

4. SMTP Analysis

graph LR
    A[Email] --> B{SPF Check}
    B -->|Pass| C{DKIM Check}
    B -->|Fail| D[Mark Suspicious]
    C -->|Pass| E{DMARC Check}
    C -->|Fail| D
    E -->|Pass| F[Check Sender Reputation]
    E -->|Fail| D
    F -->|Reputable| G[Process Normally]
    F -->|Suspicious| D
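The header object from the Email Headers Analysis section, run through the SPF → DKIM → DMARC → reputation chain drawn in the flowchart above, as an added example (not Smailander's own code). The reputation list is an assumption standing in for the intelligence database; the example generalises the chart slightly by reporting every failing check instead of stopping at the first one.

```python
# Added example (not Smailander's own code): walk the SPF -> DKIM -> DMARC ->
# reputation chain from the flowchart over the header object shown earlier.
SAMPLE_HEADERS = {  # constructed to match the page's header example
    "from": "attacker@malicious.com",
    "to": "honeypot@company.com",
    "received_spf": "pass",
    "dkim": "fail",
    "dmarc": "fail",
    "smtp_server": "mail.bad-domain.com",
    "ip_address": "192.168.1.100",
}

# Assumed local reputation list; a deployment would query the intelligence database.
KNOWN_BAD_DOMAINS = {"malicious.com", "bad-domain.com"}

AUTH_CHECKS = (("SPF", "received_spf"), ("DKIM", "dkim"), ("DMARC", "dmarc"))


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or the host name itself."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_bad_domain(name: str, bad_domains=KNOWN_BAD_DOMAINS) -> bool:
    """True if name equals or is a subdomain of a listed bad domain."""
    return any(name == bad or name.endswith("." + bad) for bad in bad_domains)


def smtp_analysis(headers: dict, bad_domains=KNOWN_BAD_DOMAINS):
    """Return ("suspicious", reasons) or ("normal", []).

    Every failing authentication result is reported (the flowchart stops at the
    first), a missing header counts as "none" rather than a pass, and reputation
    is consulted only when SPF, DKIM and DMARC all pass, as drawn.
    """
    reasons = []
    for name, key in AUTH_CHECKS:
        result = str(headers.get(key, "none")).lower()
        if result != "pass":
            reasons.append(f"{name} {result}")
    if not reasons:  # all three passed: fall through to reputation
        for label, value in (("sender", headers.get("from", "")),
                             ("smtp_server", headers.get("smtp_server", ""))):
            name = domain_of(value)
            if is_bad_domain(name, bad_domains):
                reasons.append(f"{label} reputation: {name}")
    return ("suspicious" if reasons else "normal", reasons)
```

For the sample headers the result is `('suspicious', ['DKIM fail', 'DMARC fail'])`; an absent authentication header is treated as a failure, not silently as a pass.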

Data and Privacy

GDPR Compliance Framework

Smailander is built with GDPR compliance at its core:

| GDPR Principle                     | Implementation                                     |
|------------------------------------|----------------------------------------------------|
| Lawfulness, Fairness, Transparency | Legal basis: Legitimate Interest (Article 6(1)f)   |
| Purpose Limitation                 | Data collected only for security monitoring        |
| Data Minimization                  | Only necessary data collected and stored           |
| Accuracy                           | Regular data validation and correction mechanisms  |
| Storage Limitation                 | Data automatically deleted after 180 days          |
| Integrity and Confidentiality      | Encryption at rest and in transit                  |
| Accountability                     | Complete audit logging for all operations          |

Data Anonymization

Personally Identifiable Information (PII) is automatically redacted:

  • Email addresses: john.doe@example.com → j***@example.com
  • IP addresses: 192.168.1.100 → 192.168.1.***
  • Phone numbers: +1 555-123-4567 → +1 ***-***-****
  • Credit cards: Full redaction in logs
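The four redaction rules above applied to a log line, as an added example (not Smailander's own code). The regular expressions, the `[REDACTED]` marker for card numbers and the sample log line are assumptions; the phone pattern only covers the `+CC NNN-NNN-NNNN` layout the page shows.

```python
import re

# Added example (not Smailander's own code) implementing the redaction rules
# listed above. Constructed log line, not real data:
SAMPLE_LOG = ("sender=john.doe@example.com ip=192.168.1.100 "
              "phone=+1 555-123-4567 card=4111 1111 1111 1111")

# Keep the first character of the local part and the whole domain.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
# Keep the first three octets, mask the host octet.
IPV4_RE = re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\b")
# Keep the country code, mask the subscriber number (page's layout only).
PHONE_RE = re.compile(r"(\+\d{1,3} )\d{3}-\d{3}-\d{4}\b")
# Card numbers are removed entirely, as the page specifies for logs.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def redact_pii(text: str) -> str:
    """Apply the rules in an order that avoids partial overlaps: cards first
    (all digits), then phones, then IPs, and finally email addresses."""
    text = CARD_RE.sub("[REDACTED]", text)
    text = PHONE_RE.sub(lambda m: f"{m.group(1)}***-***-****", text)
    text = IPV4_RE.sub(lambda m: f"{m.group(1)}.***", text)
    text = EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", text)
    return text
```

Run the redaction at the point where a log record is built, not afterwards on stored logs, so unredacted PII never reaches disk.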

Webhook System

Webhook Events

Smailander sends real-time notifications via webhooks:

| Event            | Description                   | Payload                               |
|------------------|-------------------------------|---------------------------------------|
| email.received   | New email arrived at honeypot | Email object with headers and content |
| threat.detected  | Malware or spam identified    | Threat details and score              |
| pattern.detected | Attack pattern recognized     | Pattern type and confidence           |
| system.alert     | System-level event            | Alert type and metadata               |

Webhook Security

All webhooks include a signature header for verification:

{
  "event": "threat.detected",
  "data": { ... },
  "timestamp": "2026-03-12T14:30:00Z",
  "signature": "sha256=abc123..."
}

Verify signature:

signature=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$secret" -binary | base64)
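A receiver-side check that reproduces the openssl computation above and compares it in constant time, as an added example (not Smailander's own code). It assumes the signature arrives with the `sha256=` prefix shown in the payload example and is transported separately from the signed body; the secret and the delivery body are placeholders.

```python
import base64
import hashlib
import hmac

# Added example (not Smailander's own code): verify a webhook signature the way
# the openssl command above computes it (base64 of HMAC-SHA256).

# Constructed delivery, not real data. The secret is whatever was agreed when
# the webhook was registered; the value here is a placeholder.
SECRET = "replace-with-your-webhook-secret"
SAMPLE_BODY = (b'{"event":"threat.detected","data":{"score":85},'
               b'"timestamp":"2026-03-12T14:30:00Z"}')


def sign_payload(raw_body: bytes, secret: str) -> str:
    """Same as: echo -n "$payload" | openssl dgst -sha256 -hmac "$secret" -binary | base64,
    with the "sha256=" prefix the payload example shows."""
    mac = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(mac).decode("ascii")


def verify_webhook(raw_body: bytes, received_sig: str, secret: str) -> bool:
    """Recompute over the raw bytes exactly as received (never over re-serialised
    JSON, which may reorder keys or change whitespace) and compare in constant
    time so a mismatch does not leak which byte differed."""
    if not received_sig.startswith("sha256="):
        return False
    expected = sign_payload(raw_body, secret).encode("ascii")
    return hmac.compare_digest(expected, received_sig.encode("utf-8"))


def demo() -> bool:
    """True when a genuine delivery verifies and a tampered one does not."""
    sig = sign_payload(SAMPLE_BODY, SECRET)
    return (verify_webhook(SAMPLE_BODY, sig, SECRET)
            and not verify_webhook(SAMPLE_BODY + b"\n", sig, SECRET))
```

Because the payload carries a timestamp, rejecting deliveries whose timestamp is far from the receiver's clock is a cheap additional defence against replayed webhooks.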

Intelligence Database

Correlation Engine

Smailander correlates data across multiple dimensions:

  • Email addresses: Track malicious senders over time
  • Domains: Build reputation scores for domains
  • SMTP servers: Identify spam infrastructure
  • IP addresses: Geolocation and threat mapping
  • Attack patterns: Recognize coordinated campaigns

Threat Scoring

Each email receives a comprehensive threat score:

{
  "overall_score": 85,  // 0-100, higher = more dangerous
  "components": {
    "malware": 95,     // ClamAV result
    "spam": 88,        // SpamScanner result
    "phishing": 82,     // URL and content analysis
    "reputation": 70,   // Sender and domain reputation
    "anomaly": 75       // Behavioral pattern analysis
  },
  "classification": "THREAT"
}

Authentication & Security

Passwordless Authentication

Smailander uses magic link authentication:

sequenceDiagram
    participant User
    participant Dashboard
    participant API
    participant Email

    User->>Dashboard: Enter email
    Dashboard->>API: POST /auth/login
    API->>Email: Send magic link
    Email->>User: Click link
    User->>API: Verify token
    API->>User: Create session
    User->>Dashboard: Logged in

Benefits:

  • No passwords to remember or steal
  • Reduced attack surface
  • Better user experience
  • Automatic session management

API Key Security

API keys provide secure access to the API:

  • Scoped permissions: Keys can be limited to specific endpoints
  • Rate limiting: Each key has individual quota
  • Revocation: Keys can be instantly disabled
  • Audit logging: All key usage is logged

Analytics and Reporting

Real-Time Dashboard

The dashboard provides live insights:

  • Email volume: Incoming email rate and patterns
  • Threat detection: Malware, spam, and phishing statistics
  • Honeypot status: Active honeypots and their activity
  • Geographic distribution: Where attacks are originating from
  • Trend analysis: Threat evolution over time

Report Generation

Scheduled reports can be generated:

| Report Type      | Frequency      | Format               |
|------------------|----------------|----------------------|
| Daily Digest     | Every 24 hours | Email + PDF          |
| Weekly Summary   | Every 7 days   | Email + CSV          |
| Monthly Analysis | Every 30 days  | Email + CSV + Charts |
| On-Demand        | Manual trigger | Any format           |

Integration Patterns

SIEM Integration

Smailander can integrate with SIEM systems:

{
  "siem_config": {
    "type": "splunk",
    "endpoint": "https://splunk.company.com:8088",
    "index": "smailander-threats",
    "format": "hec"
  }
}

SOAR Integration

Automated response through SOAR platforms:

  • Block senders automatically based on reputation
  • Update firewall rules with new threat IPs
  • Create tickets in ITSM systems
  • Notify security teams via multiple channels

Next Steps

Now that you understand the core concepts:

  1. Quick Start - Get Smailander running
  2. User Guide - Learn to use the dashboard
  3. API Documentation - Integrate with your systems
  4. Technical Guide - Deep dive into architecture

Need Help?