# Email Monitoring
Email monitoring is at the heart of Smailander. This guide explains how to analyze, search, and manage emails captured by your honeypots.
## Email Overview

### Email Data Model
Each email captured by Smailander contains comprehensive information:
```json
{
  "id": "email_1234567890",
  "honeypot_id": "honeypot_abc123",
  "received_at": "2026-03-12T14:30:15Z",
  "headers": {
    "from": "attacker@malicious.com",
    "to": "test@company.com",
    "subject": "Urgent: Account compromised",
    "message_id": "<abc123@malicious.com>",
    "date": "Wed, 12 Mar 2026 14:30:15 +0000",
    "received_spf": "fail",
    "dkim": "fail",
    "dmarc": "fail"
  },
  "body": {
    "text": "Plain text content...",
    "html": "<html><body>HTML content...</body></html>"
  },
  "attachments": [
    {
      "filename": "document.pdf",
      "size": 1024576,
      "content_type": "application/pdf",
      "malware_detected": true,
      "threat_name": "Trojan.GenericKD.12345"
    }
  ],
  "smtp": {
    "server": "mail.bad-domain.com",
    "ip_address": "192.168.1.100",
    "port": 25,
    "tls": false,
    "country": "Russia",
    "city": "Moscow",
    "asn": "AS12345"
  },
  "threat_analysis": {
    "overall_score": 85,
    "malware_score": 95,
    "spam_score": 88,
    "phishing_score": 82,
    "reputation_score": 70,
    "classification": "THREAT"
  }
}
```
## Viewing Emails

### Email List View
The email list shows all captured emails with key information:
| Column | Description | Example |
|---|---|---|
| Received | When email was received | 2 min ago |
| From | Sender email address | attacker@evil.com |
| To | Honeypot email address | test@company.com |
| Subject | Email subject | Urgent: Action required |
| Threat Score | Overall threat rating | 85 - THREAT |
| Attachments | Number and status | 1 file (🦠) |
| Actions | Available actions | View, Analyze, Delete |
### Sorting and Pagination

Sort options:

- Received Time: newest or oldest first
- Threat Score: highest or lowest first
- Sender: alphabetical
- Subject: alphabetical

Pagination:

- Page size: 10, 25, 50, or 100 emails per page
- Navigation: Previous, Next, or jump to a specific page
- Total: shows the total number of emails matching the current filters

### Filtering Emails
Apply filters to find specific emails:
```json
{
  "dateRange": {
    "start": "2026-03-01",
    "end": "2026-03-12"
  },
  "honeypot": "test@company.com",
  "threatScore": {
    "min": 70,
    "max": 100
  },
  "threatType": ["malware", "phishing"],
  "sender": "malicious.com",
  "hasAttachments": true,
  "malwareDetected": true,
  "country": "Russia",
  "search": "account compromised"
}
```
Filter categories:

- Date Range: custom or preset (Last 7 days, Last 30 days, etc.)
- Honeypot: filter by a specific honeypot
- Threat Score: min/max range
- Threat Type: Malware, Spam, Phishing
- Sender: filter by sender domain
- Attachments: with or without attachments
- Malware: malware detected or clean
- Country: source country
- Text Search: search in subject and body

## Email Details

### Overview Section

The email detail page provides comprehensive information:
```text
┌─────────────────────────────────────────────────────────┐
│ Email Details │
│ ID: email_1234567890 | Status: Analyzed │
├─────────────────────────────────────────────────────────┤
│ From: attacker@malicious.com │
│ To: test@company.com │
│ Subject: Urgent: Account compromised │
│ Received: 2026-03-12 14:30:15 UTC │
│ Threat Score: 85 - THREAT │
├─────────────────────────────────────────────────────────┤
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Malware: 95 │ │ Spam: 88 │ │ Phishing: 82 │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
├─────────────────────────────────────────────────────────┤
│ SMTP Server: mail.bad-domain.com (192.168.1.100) │
│ Country: Russia, Moscow │
│ TLS: No │
│ SPF: Fail | DKIM: Fail | DMARC: Fail │
└─────────────────────────────────────────────────────────┘
```

### Email Headers
Complete email header analysis:
```json
{
  "basic": {
    "from": "attacker@malicious.com",
    "to": "test@company.com",
    "subject": "Urgent: Account compromised",
    "date": "Wed, 12 Mar 2026 14:30:15 +0000"
  },
  "authentication": {
    "spf": {
      "result": "fail",
      "record": "v=spf1 -all",
      "detail": "Sender not authorized"
    },
    "dkim": {
      "result": "fail",
      "domain": "malicious.com",
      "selector": "default"
    },
    "dmarc": {
      "result": "fail",
      "policy": "reject",
      "from_domain": "malicious.com"
    }
  },
  "tracking": {
    "message_id": "<abc123@malicious.com>",
    "references": [],
    "in_reply_to": null
  }
}
```

Header analysis:

- SPF (Sender Policy Framework): checks whether the sending server is authorized by the sender domain's published SPF record
- DKIM (DomainKeys Identified Mail): verifies the domain's signature over the message, so headers and body were not altered in transit
- DMARC: combines the SPF and DKIM results with the domain's published policy (here `reject`)

### Email Body

View email content in multiple formats:

#### Plain Text
Raw text version of the email:
```text
Dear User,
Your account has been compromised. Immediate action required.
Please click here: http://phishing-site.com/login
Best regards,
Security Team
```

#### HTML

Rendered HTML version with link highlighting:

```html
<p>Dear User,</p>
<p>Your account has been compromised. Immediate action required.</p>
<p>Please click here: <a href="http://phishing-site.com/login">Login</a></p>
<p>Best regards,<br>Security Team</p>
```

Link analysis:

- ⚠️ Suspicious: links to known phishing domains
- 🟡 Unknown: links to unverified domains
- ✅ Safe: links to legitimate domains

#### Source View

Complete raw email source:
```text
Received: from mail.bad-domain.com ([192.168.1.100])
    by mail.company.com (Postfix) with ESMTP id ABC123
    for <test@company.com>; Wed, 12 Mar 2026 14:30:15 +0000
From: attacker@malicious.com
To: test@company.com
Subject: Urgent: Account compromised
Message-Id: <abc123@malicious.com>
Date: Wed, 12 Mar 2026 14:30:15 +0000
...
```

### Attachments

List of email attachments with analysis:

| Filename | Size | Type | Malware | Threat Name | Action |
|---|---|---|---|---|---|
| document.pdf | 1.0 MB | PDF | 🦠 Yes | Trojan.GenericKD | Download |
| image.jpg | 256 KB | Image | ✅ No | N/A | Download |
| invoice.docx | 512 KB | DOCX | 🦠 Yes | Word.Macro.12345 | Download |

Attachment actions:

- Download: download the file (sandboxed)
- Preview: safe preview for images and documents
- Scan: re-scan with ClamAV
- Extract: extract compressed files

> **Danger:** Only download attachments in a secure, isolated environment. Never open attachments from suspicious emails on production systems.

### SMTP Analysis
Detailed analysis of the email's delivery path:
```json
{
  "server": {
    "hostname": "mail.bad-domain.com",
    "ip_address": "192.168.1.100",
    "port": 25,
    "tls": false
  },
  "geolocation": {
    "country": "Russia",
    "region": "Moscow",
    "city": "Moscow",
    "latitude": 55.7558,
    "longitude": 37.6173,
    "asn": "AS12345",
    "organization": "Bad ISP"
  },
  "reputation": {
    "ip_reputation": 25,
    "domain_reputation": 30,
    "server_reputation": 20,
    "overall": 25
  }
}
```

Reputation scores (higher is better):

- 0-20: Very suspicious
- 21-40: Suspicious
- 41-60: Neutral
- 61-80: Reputable
- 81-100: Highly reputable

### Threat Analysis
Comprehensive threat assessment:
```json
{
  "overall_score": 85,
  "classification": "THREAT",
  "components": {
    "malware": {
      "score": 95,
      "details": "Trojan.GenericKD.12345 detected in attachment"
    },
    "spam": {
      "score": 88,
      "details": "High spam probability based on content analysis"
    },
    "phishing": {
      "score": 82,
      "details": "Suspicious URL patterns and urgency keywords"
    },
    "reputation": {
      "score": 70,
      "details": "Sender and domain have low reputation"
    },
    "anomaly": {
      "score": 75,
      "details": "Unusual sending pattern for this time"
    }
  },
  "indicators": [
    "Malware detected in attachment",
    "SPF/DKIM/DMARC authentication failures",
    "Links to known phishing domains",
    "Urgency keywords present",
    "Low sender reputation"
  ]
}
```

## Advanced Analysis

### Correlation View
See how this email relates to others:
```text
┌─────────────────────────────────────────────────────────┐
│ Correlation Analysis │
├─────────────────────────────────────────────────────────┤
│ Same Sender (234 emails): │
│ • 45% contain malware │
│ • 67% have phishing links │
│ • Top threat: Trojan.GenericKD │
├─────────────────────────────────────────────────────────┤
│ Same Domain (156 emails): │
│ • 52% contain malware │
│ • 71% have phishing links │
│ • Associated with 12 IP addresses │
├─────────────────────────────────────────────────────────┤
│ Same SMTP Server (89 emails): │
│ • 34% contain malware │
│ • 61% have phishing links │
│ • Server reputation: 25/100 │
├─────────────────────────────────────────────────────────┤
│ Same Country (Russia, 1,234 emails): │
│ • 38% contain malware │
│ • 54% have phishing links │
│ • 12 senders share this geographic pattern │
└─────────────────────────────────────────────────────────┘
```
### Pattern Recognition

Identify attack patterns:

```mermaid
graph TD
    A[Email 1] -->|Same sender| B[Email 2]
    B -->|Similar subject| C[Email 3]
    C -->|Same attachment type| D[Email 4]
    D -->|Same URL pattern| E[Pattern Detected]
    style E fill:#ff6b6b
```

Pattern types:

- Campaign: coordinated attack from the same source
- Variant: modified version of the same attack
- Sequence: progressive attack stages
- Cluster: related but independent attacks
### Timeline View

Visual timeline of related emails:

```text
Activity Timeline for attacker@malicious.com
Volume
  ↑
10│            ●●●
 8│          ●●●●●
 6│        ●●●●●●●●
 4│     ●●●●●●●●●●●
 2│●●●●●●●●●●●●●●
 0└─────────────────────────→ Time
   00:00  04:00  08:00  12:00  16:00  20:00
                 Current email ⬆
```

Features:

- Zoom in/out for different time scales
- Click to view related emails
- Color-coded by threat score
- Hover for details

## Email Actions

### Export Email
Download email in multiple formats:
| Format | Description | Use Case |
|---|---|---|
| EML | Original email format | Email clients |
| JSON | Structured data | Analysis tools |
| PDF | Formatted report | Documentation |
| CSV | Spreadsheet data | Excel analysis |
### Share Email

Generate a shareable link for collaboration:

```json
{
  "shareable": true,
  "url": "https://smailander.com/share/abc123",
  "expires_at": "2026-03-19T14:30:15Z",
  "password_protected": false,
  "allow_download": true
}
```

Options:

- Expiration: set link expiration (never, 1 day, 7 days, 30 days)
- Password: require a password for access
- Download: allow or prevent downloading

> **Collaboration:** Share sensitive emails with password protection and set an expiration to limit access.

### Flag Email
Mark email for follow-up or categorization:
- ⭐ Star: Important email
- 🚩 Flag: Needs investigation
- 📌 Pin: Reference email
- 🔴 Critical: High-priority threat
### Delete Email

Permanently remove an email:

> **Permanent deletion**
>
> - The email is permanently removed
> - This cannot be undone
> - The deletion is logged for audit
> - It may affect GDPR compliance

## Search and Query

### Advanced Search Syntax

The search box accepts structured queries:
Basic Searches:
- from:attacker@malicious.com
- to:test@company.com
- subject:"account compromised"
- attachment:true
- malware:true
Boolean Operators:
- threat_score:>70 AND threat_score:<90
- from:malicious.com OR from:evil.com
- (subject:"urgent" OR subject:"immediate") AND malware:true
Field Searches:
- threat_type:malware
- country:Russia
- date_range:"last_7_days"
- honeypot:test@company.com
Combination:
- from:malicious.com AND malware:true AND date_range:"last_30_days" AND threat_score:>80
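As an added example, not Smailander's own code, here is a small evaluator for the query syntax above: it tokenises field terms, `AND`/`OR` and parentheses, and runs them against two constructed records flattened from the data model. The grammar, the precedence (AND binds tighter than OR) and the substring matching for text fields are assumptions inferred from the examples on this page.

```python
import operator
import re
# Tokens of the syntax shown above: field:value, field:"quoted value", field:>N, field:<N, AND, OR
# and parentheses. The grammar is inferred from this page's examples; it is not Smailander's parser.
TOKEN_RE = re.compile(r'\(|\)|\bAND\b|\bOR\b|[A-Za-z_]+:(?:"[^"]*"|[<>]?[^\s()]+)')

SAMPLE_EMAILS = [  # constructed records, flattened from the email data model shown earlier
    {"id": "e1", "from": "attacker@malicious.com", "subject": "Urgent: Account compromised",
     "attachment": True, "malware": True, "threat_score": 85, "country": "Russia"},
    {"id": "e2", "from": "news@evil.com", "subject": "Weekly digest",
     "attachment": False, "malware": False, "threat_score": 35, "country": "Germany"},
]

def match_term(term, email):                      # one field:value term against a flat record
    field, _, value = term.partition(":")
    actual = email.get(field)
    if value[0] in "<>":                          # numeric comparison, e.g. threat_score:>70
        cmp = operator.gt if value[0] == ">" else operator.lt
        return actual is not None and cmp(float(actual), float(value[1:]))
    value = value.strip('"').lower()
    if isinstance(actual, bool):                  # attachment:true / malware:true
        return actual is (value == "true")
    return value in str(actual).lower()           # substring: from:malicious.com matches the address

def evaluate(query, email):
    tokens = TOKEN_RE.findall(query)              # consumed left to right by the parsers below
    def parse_or():                               # OR binds loosest
        result = parse_and()
        while tokens and tokens[0] == "OR":
            tokens.pop(0)
            result = parse_and() or result        # right side parsed first so its tokens are consumed
        return result
    def parse_and():                              # AND binds tighter than OR
        result = parse_atom()
        while tokens and tokens[0] == "AND":
            tokens.pop(0)
            result = parse_atom() and result
        return result
    def parse_atom():                             # a single term or a parenthesised group
        tok = tokens.pop(0)
        if tok != "(":
            return match_term(tok, email)
        result = parse_or()
        tokens.pop(0)                             # the closing ")"
        return result
    return parse_or()

def search(query, emails=SAMPLE_EMAILS):          # ids of the records matching the query
    return [e["id"] for e in emails if evaluate(query, e)]
```

The `date_range` presets are not modelled; against these flat records such a term simply fails to match.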
### Saved Searches

Save frequently used searches:

```json
{
  "name": "High Threat Malware",
  "query": "malware:true AND threat_score:>80",
  "description": "Emails with malware and high threat score"
}
```

Manage saved searches:

- Create: save the current search
- Edit: modify search parameters
- Delete: remove a saved search
- Share: share with team members

## Batch Operations

### Select Multiple Emails
Select multiple emails for batch operations:
- Click the checkbox next to each email
- Select an action from the dropdown:
  - Export: export selected emails
  - Delete: delete selected emails
  - Archive: archive selected emails
  - Tag: add or remove tags
  - Flag: mark as important

> **Bulk actions:** Bulk delete is permanent. Review selected emails carefully before confirming.

### Bulk Export

Export multiple emails at once:

```json
{
  "format": "json",
  "include_attachments": false,
  "include_headers": true,
  "include_analysis": true,
  "compression": "zip"
}
```

Export options:

- Format: JSON, CSV, EML, PDF
- Include Attachments: include attachment data
- Include Headers: include email headers
- Include Analysis: include threat analysis
- Compression: None, ZIP, GZIP

## Best Practices

### 1. Regular Review
- Daily: Review high-threat emails (score ≥ 80)
- Weekly: Review medium-threat emails (score 60-79)
- Monthly: Review all emails and trends
### 2. Correlation Analysis
- Track senders: Monitor repeat offenders
- Identify patterns: Spot coordinated attacks
- Share intelligence: Share findings with security team
### 3. Documentation
- Document findings: Keep records of important threats
- Export evidence: Save emails for incident response
- Create reports: Generate periodic security reports
### 4. Response Prioritization
- Critical (80-100): Immediate investigation
- Threat (60-79): Investigate within 24 hours
- Suspicious (40-59): Review weekly
- Low Risk (0-39): Archive and monitor
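An added example, not part of the Smailander documentation: a triage script that applies the tiers above to records shaped like the email data model at the top of this page, pulls out the facts an analyst checks first (authentication failures, flagged attachments, delivery without TLS) and orders a batch into a review queue. The records are constructed, and the choice of indicators is this example's own, not the product's.

```python
# Constructed records in the shape of the email data model at the top of this page,
# with only the fields this triage reads filled in.
SAMPLE_RECORDS = [
    {"id": "email_1234567890",
     "headers": {"from": "attacker@malicious.com", "received_spf": "fail", "dkim": "fail", "dmarc": "fail"},
     "attachments": [{"filename": "document.pdf", "malware_detected": True,
                      "threat_name": "Trojan.GenericKD.12345"}],
     "smtp": {"server": "mail.bad-domain.com", "tls": False},
     "threat_analysis": {"overall_score": 85, "classification": "THREAT"}},
    {"id": "email_2",
     "headers": {"from": "news@example.net", "received_spf": "pass", "dkim": "pass", "dmarc": "pass"},
     "attachments": [],
     "smtp": {"server": "mx.example.net", "tls": True},
     "threat_analysis": {"overall_score": 45, "classification": "SUSPICIOUS"}},
]

# Tiers and response targets from the Response Prioritization list above: (lower bound, tier, action).
TIERS = [(80, "Critical", "Immediate investigation"),
         (60, "Threat", "Investigate within 24 hours"),
         (40, "Suspicious", "Review weekly"),
         (0, "Low Risk", "Archive and monitor")]

def tier_for(score):                              # overall threat score (0-100) -> (tier, action)
    for floor, tier, action in TIERS:
        if score >= floor:
            return tier, action
    raise ValueError(f"score out of range: {score}")

def indicators(email):
    """Pull the facts an analyst checks first out of the record's sub-objects."""
    notes = []
    failed = [k for k in ("received_spf", "dkim", "dmarc") if email["headers"].get(k) == "fail"]
    if failed:
        notes.append("authentication failures: " + ", ".join(failed))
    for att in email.get("attachments", []):
        if att.get("malware_detected"):
            notes.append(f"malware in {att['filename']}: {att.get('threat_name', 'unknown')}")
    if not email["smtp"].get("tls", True):
        notes.append("delivered without TLS")
    return notes

def triage(email):
    score = email["threat_analysis"]["overall_score"]
    tier, action = tier_for(score)
    return {"id": email["id"], "score": score, "tier": tier, "action": action,
            "indicators": indicators(email)}

def work_queue(emails=SAMPLE_RECORDS):            # the daily review queue, highest score first
    return sorted((triage(e) for e in emails), key=lambda t: t["score"], reverse=True)
```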
## Troubleshooting

### Email Not Showing

Symptom: an expected email is not in the list

Solutions:

1. Check filters: they may be excluding the email
2. Verify the date range: the email may be outside the selected range
3. Refresh the page: a manual refresh may be needed
4. Check the honeypot status: it may be suspended

### Attachment Download Fails

Symptom: cannot download an attachment

Solutions:

1. Check the file size: it may be too large
2. Verify the network connection
3. Try a different browser
4. Contact support if the problem persists

### Search Returns No Results

Symptom: the search returns an empty list

Solutions:

1. Verify the search syntax
2. Check for typos
3. Clear filters
4. Use broader search terms

## Next Steps
- Threat Detection - Understanding threat analysis
- Analytics - Advanced analytics and reporting
- API: Emails - Programmatic email access
## Need Help?
- FAQ - Common questions
- Troubleshooting - Solve issues
- API Documentation - API reference
- Contact - Get support