sikkerapi.com
  • Home
  • Single ReportBulk Report
  • Pricing
  • Blog
  • API OverviewIP CheckBlacklistReportBulk ReportTAXII FeedConfidence LevelData RetentionCLI ToolSikkerGuard
    IntegrationsFail2BanCSF FirewallNginxiptables / ipset
  • Email LookupUsername LookupDetection Catalog
  • Top CountriesTop ASNsTop ProtocolsTop IPs
    SMTP Wall of FameBehind The ScenesRange Alerts Guide
Log inSign up
Loading article
© 2026 SikkerAPI
ProductPricingDocsReportThreat MapStatus
ResourcesBlogFAQAboutContactComparisons
LegalTermsPrivacyRemove Me
Blog/Email Threat Check — Find Out If Your Email Is on Attacker Target Lists

Email Threat Check — Find Out If Your Email Is on Attacker Target Lists

February 27, 2026
securityupdatesthreat intelligencesmtpphishingspamemail
Email Threat Check — Find Out If Your Email Is on Attacker Target Lists

We just launched a new feature: a free tool that lets you check whether your email address has been observed as a target in real phishing and spam campaigns. Over 110,000 unique email addresses tracked, 140,000+ SMTP messages captured, all from live attacks hitting our global honeypot sensor network.

Search any email at /emails.

What This Is (And What It Isn't)

This is not a data breach checker. We're not telling you your password was leaked or your account was compromised. What we're telling you is whether attackers have your email address on their target lists.

Our sensors run fake mail servers worldwide. When attackers connect and send phishing emails, spam, or scam messages, we capture the full SMTP envelope — including every recipient address in the RCPT TO field. Those recipient addresses are the target list. If your email shows up, it means an attacker included it in at least one campaign we intercepted.

The distinction matters. Being targeted doesn't mean you were breached. It means your email address exists on a list that's actively being used by people sending malicious messages — and you should be aware of that.

What You'll See

Search for any email address and you'll get:

  • Total messages — how many SMTP attack messages targeted this address
  • First seen — when we first captured a message targeting this email
  • Last seen — when the most recent targeting occurred
  • Context — what this means and how to protect yourself

For example, addresses that appear in hundreds of messages over several months are on well-circulated spam lists that multiple attackers reuse. An address that appeared once in a single campaign is less concerning but still worth knowing about.

Where The Data Comes From

This feature is powered by the same SMTP honeypot infrastructure that captured the 378,000-email phishing campaign from our Qatar sensor in February. Every data point comes from a real attacker sending real messages to our fake mail servers.

Here's the pipeline:

  1. Attackers connect to our SMTP honeypots and send messages — phishing emails, lottery scams, advance-fee fraud, malware delivery
  2. Our sensors capture the full message envelope: sender, recipients, subject, headers, body
  3. Recipient email addresses are extracted, normalized, and indexed in our threat database
  4. The public email lookup queries this index in real time

We don't buy email lists. We don't scrape. Every address in our database was put there by an attacker who tried to use our honeypot as a mail relay. The source is 100% adversarial SMTP traffic.

The Numbers

As of today:

MetricCount
Unique email addresses tracked110,000+
SMTP messages captured140,000+
Honeypot sensors with SMTP44 sensors across 23 countries
Protocols monitored16 (SMTP is one of them)

These numbers grow daily as new campaigns hit our sensors. The SMTP threat data page shows live attack volume and trends.

What To Do If Your Email Appears

Finding your email in our database means it's on at least one attacker-circulated list. Here's what that means practically:

Expect more phishing. If your address appears in our data, it's likely on other lists too. Attackers buy, sell, and share target lists. One appearance usually means ongoing targeting.

Enable two-factor authentication everywhere. Phishing campaigns exist to steal credentials or extract financial means from their target. Even if you never click a malicious link, 2FA ensures a stolen password alone isn't enough. Our sikker CLI can help you check whether IPs hitting your infrastructure are known threats.

Scrutinize unexpected emails. Knowing your address is actively targeted changes how you evaluate incoming messages. That "lottery win notification" or "account verification" email isn't random, it's a campaign.

Check the source IPs. If you receive a suspicious email, look up the sending IP in our IP reputation API. Chances are we've already flagged the infrastructure behind it.

Complements Our Username Database

This release pairs with our existing username attack database: 77,000+ credentials from brute-force attacks across 13 protocols. Together they answer two different questions:

  • Usernames: What credentials are attackers trying against your servers?
  • Emails: Is your email address being targeted in phishing campaigns?

Both draw from the same honeypot network but surface different slices of attacker behavior. The detection catalog ties it all together with behavioral pattern matching across protocols.

Free To Use

The email lookup is free, no account required. Just go to /emails and search. Rate limited to 10 lookups per day for unauthenticated users.

For programmatic access, the REST API exposes the same data:

GET /v1/emails/lookup/{email}
GET /v1/emails/stats

Returns the email address, total message count, and first/last seen timestamps. Integrate it into your security workflows, SOAR playbooks, or threat enrichment pipelines.

Need higher limits? Check pricing — plans start at $7/month with expanded API quotas across all endpoints.

Share:TwitterLinkedIn

Comments

No comments yet. Be the first to share your thoughts!