
About PhishPond

PhishPond is a free, educational phishing-analysis toolkit. It exists to help people — analysts, IT staff, journalists, ordinary recipients of weird emails — look at a suspicious message and see why it's suspicious, instead of relying on a single black-box "verdict".

Three tools, three attack surfaces

  • Email Inspector parses a raw .eml file (or pasted headers) entirely in your browser. It surfaces sender identity mismatches (From vs Return-Path vs Reply-To), brand impersonation, the SPF / DKIM / DMARC verdicts as reported by the receiving server, the full Received chain, every link in the body, and any attachments — flagging dangerous extensions, macro-enabled Office docs, RTLO filename tricks, and double-extension disguises (invoice.pdf.exe). It also pulls live MX / SPF / DMARC records and the registration age of the sender's domain.
  • Link Scout walks the redirect chain of a shortened or obfuscated URL on a hardened serverless endpoint, decodes any Base64 / hex / URL-encoded payload buried in the link, and flags known malware-staging signatures.
  • Heuristic Scanner grades suspicious text against a small, transparent vocabulary of social-engineering tactics — urgency, authority, coercion, reward, social proof — and explains the behavioural psychology behind each match.

The three tools talk to each other: a link found inside an email can be sent straight to Link Scout for full redirect-chain analysis, and the message body can be handed off to the Heuristic Scanner — all with one click and no copy-paste.
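The sender-identity and attachment-name checks listed for Email Inspector can be sketched in a few lines of Python. This is an added example, not PhishPond's own code (which runs in the browser); the extension lists, the finding codes and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extension lists are assumptions for this example, not PhishPond's own.
DANGEROUS = {"exe", "scr", "js", "vbs", "bat", "cmd", "lnk", "hta"}
MACRO_OFFICE = {"docm", "dotm", "xlsm", "xltm", "pptm"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: reverses how the following characters render

def domain_of(header):
    # Lower-cased domain of the address in a header value ('' if the header is absent).
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def check_filename(name):
    """Finding codes for one attachment filename."""
    codes = ["rtlo"] if RTLO in name else []
    parts = name.replace(RTLO, "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in DANGEROUS:
        codes.append("dangerous-ext")
        if len(parts) > 2 and parts[-2] in DECOY:  # e.g. invoice.pdf.exe
            codes.append("double-ext")
    if ext in MACRO_OFFICE:
        codes.append("macro-office")
    return codes

def inspect_eml(raw):
    """Return (code, detail) findings for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, from_dom = [], domain_of(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and other != from_dom:
            findings.append(("sender-mismatch", f"{name}: {other} != From: {from_dom}"))
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        findings += [(code, repr(fname)) for code in check_filename(fname)]
    return findings

def build_sample():
    """Constructed message; every address and filename here is made up."""
    m = EmailMessage()
    m["From"] = "Example Bank <support@examplebank.example>"
    m["Return-Path"] = "<bounce@mailer.example.net>"
    m["Reply-To"] = "helpdesk@examplebank.example"
    m.set_content("See attached.")
    for fn in ("invoice.pdf.exe", "report\u202efdp.exe", "Q3-figures.xlsm"):
        m.add_attachment(b"x", maintype="application", subtype="octet-stream", filename=fn)
    return m.as_bytes()
```

Calling `inspect_eml(build_sample())` reports the Return-Path mismatch and one or more findings per attachment; `repr()` is used in the detail so the invisible RTLO character shows up as `\u202e`.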

Privacy

PhishPond does not require an account. The Heuristic Scanner runs entirely in your browser. The Email Inspector parses your .eml file in the browser too — the raw message bytes never leave your device; only the sender's domain (e.g. example.com) is sent to the server for the DNS lookup. The Link Scout sends only the URL you submit to a serverless function; that URL is not logged or stored beyond the lifetime of the request. See the privacy page for details.

Limitations

Heuristics catch patterns; they do not catch novel attacks. The absence of a signature hit is not a guarantee of safety. Treat PhishPond's output as evidence, not a verdict — and never act on a suspicious message without verifying it through a second, trusted channel.

PhishPond is provided for educational use only and comes with no warranty. If you believe you've received a real phishing attempt, report it to your organisation's security team, your email provider, or your local CERT.

Who builds this

PhishPond is a project of Spicy Stromboli, who also publishes the security blog Stromboli Security (deeper-dive write-ups on attack techniques, threat hunting, and tooling) and maintains IP Recon, a free bulk IP-reputation tool on the Microsoft Store. PhishPond is the browser-based piece of that toolkit.

Editorial & AI Disclosure

PhishPond's blog posts are researched, structured, and reviewed by the editorial team and written with the assistance of AI language models. Every article is fact-checked against primary sources before publication, and all linked URLs are verified by a human editor. Hero images are AI-generated and credited individually on each post.

AI tools are used to support — not replace — editorial judgment. The analysis, opinions, and recommendations expressed on this site are those of the author.

Contact
