EMLyzer is designed with security-first principles:
- Offline-first analysis β All email parsing and analysis runs locally; no data is sent externally by default
- No cloud dependencies β Core functionality requires no internet connection or API keys
- Optional reputation services β External API integrations (AbuseIPDB, VirusTotal, etc.) are entirely optional and user-configured
- Local-first database β SQLite database stores results locally on disk
- Transparent threat analysis β All detection logic is open-source and auditable
- β No user accounts or authentication required
- β No telemetry or usage tracking
- β No data collection or analytics
- β No cloud processing or storage
- β No third-party tracking scripts
- β All email data stays on your machine
- β You control which reputation services are used (or use none)
- β You own your analysis database
- β You can delete analyses at any time
- β Full source code transparency
- Uses trusted, audited parsing libraries:
mail-parser(EML) andextract-msg(MSG) - Input validation on all parsed email fields
- HTML/JavaScript sanitization using
bleachto prevent XSS in body analysis - Safe handling of MIME encodings and nested structures
- Domain and IP address extraction and validation
- Punycode detection (homoglyph spoofing prevention)
- WHOIS and DNS queries use read-only lookups (no modification)
- Shortener detection and redirect chain analysis
- No automatic navigation to URLs (reporting only)
- By design: Attachments are NOT executed
- Hash computation (MD5, SHA1, SHA256) for integrity verification
- MIME type validation against file extension
- Detection of embedded macros and JavaScript in documents
- Stream analysis for suspicious PDF patterns
- Optional and configurable per service
- API keys stored locally in
.env(not synced to git) - All reputation lookups are read-only queries
- Rate limiting respected (no brute-force scanning)
- Requests authenticated with user-provided credentials only
- Uploaded emails: stored in
backend/uploads/β deleted after analysis - Generated reports: stored in
backend/reports/β deleted when removed via UI - SQLite database: persists in
backend/data/emlyzer.dbβ user controls deletion
If you discover a security vulnerability in EMLyzer:
- Do not open a public GitHub issue β This exposes the vulnerability
- Use GitHub Security Advisory:
- Navigate to: https://github.com/overwrite00/EMLyzer/security/advisories
- Click "Report a vulnerability"
- Describe the vulnerability in detail
- 48 hours: We will acknowledge receipt of your report
- 2 weeks (critical): Target fix timeline for critical vulnerabilities
- 30 days (high): Target fix timeline for high-severity vulnerabilities
- Coordinated disclosure: We will work with you on a disclosure timeline
We appreciate responsible disclosure and will credit you in our security advisory (unless you prefer anonymity).
- Prevents spear-phishing if you visually trust the sender β EMLyzer detects technical indicators but cannot override human judgment
- Executes attachments β By design, EMLyzer analyzes attachments without running them (safe-by-default approach)
- Performs OCR on images β Scanned PDFs or image-based phishing are not analyzed (future enhancement)
- Detects zero-day exploits β Reputation services have detection delays; new threats may not be flagged
- Guarantees 100% accuracy β Like all security tools, false positives and false negatives can occur
EMLyzer is one layer of email security. For comprehensive protection, also use:
- Email gateway filters (at your email provider)
- DMARC/SPF/DKIM enforcement
- Endpoint protection software
- User security training
- Email authentication (2FA/MFA)
Planned improvements (see CHANGELOG.md for full roadmap):
- YARA rule engine for custom threat detection
- PostgreSQL support for enterprise deployments
- Plugin system for custom analyzers
- Machine learning model improvements
- Automated malware signature updates
- Subscribe to releases: Watch the Releases page
- Check security advisories: GitHub Security Advisory
- Update regularly: Use the latest version for security patches
- Code of Conduct β Community guidelines
- Contributing Guide β How to contribute securely
- REQUIREMENTS.md β Dependency information
- CHANGELOG.md β Version history and security fixes
Last updated: 2026-06-07 β Contributing | Back to README β