Online email archives are an under-protected yet extremely sensitive information resource. Email archives can store years worth of personal and business email in an easy-to-access form, one that is much easier to compromise than messages being transmitted “on the wire.” Most email archives, however, are protected by reusable passwords that are often weak and can be easily compromised. To protect such archives, we propose a novel user-specific design for an anomaly-based email archive intrusion detection system. As a first step towards building such a system, we have developed a simple probabilistic model of user email behavior that correlates email senders and a user’s disposition of emails. In tests using data gathered from three months of observed user behavior and synthetic models of attacker behavior, this model exhibits a low rate of false positives (generally one false alarm every few weeks) while still detecting most attacks. These results suggest that anomaly detection...