Combining Behavior Models to Secure Email Systems


We introduce the Email Mining Toolkit (EMT), a system that implements behavior-based methods to improve the security of email systems. Behavior models of email flows and email account usage may be used for a variety of detection tasks. Behavior-based models are quite different from the "content-based" models in common use today, such as virus scanners. We evaluate the soundness of these techniques for the detection of the onset of viral propagations. The results achieved for that task suggest that email delivery should be egress rate limited (messages stored for a while and then forwarded), or that a record of recently delivered emails should be kept, in order to develop sufficient statistics to verify that a propagation is ongoing. EMT can form part of a larger security platform that deals with email security issues in general. We present the variety of EMT models implemented to date and suggest other security tasks that may benefit from its detection capabilities.
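The store-and-forward recommendation above is easiest to see with a concrete detector. The following is an added illustration written for this page, not EMT's own code or models: it keeps a per-sender record of recent deliveries in a sliding window, flags a sender whose window contains one attachment fanning out to many distinct recipients (a crude "onset of propagation" statistic), and applies an egress hold so that messages already accepted but not yet forwarded can be quarantined once their sender is flagged. The five-minute window, the fan-out thresholds, the two-minute hold, and the sample delivery log are all constructed assumptions, not values from the paper.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional


@dataclass
class Delivery:
    """One outbound message as the mail server sees it (constructed schema)."""
    ts: datetime
    sender: str
    recipient: str
    attachment: Optional[str]  # content hash of the attachment, or None


# Assumed parameters; a real deployment would fit these to observed baselines.
WINDOW_SECONDS = 300        # how far back the per-sender record reaches
MAX_SAME_ATTACHMENT = 5     # distinct recipients of one attachment inside the window
MAX_RECIPIENTS = 20         # distinct recipients of any kind inside the window
HOLD_SECONDS = 120          # egress hold before a message is forwarded


class OnsetDetector:
    """Sliding-window record of recent deliveries, one deque per sender."""

    def __init__(self, window_seconds: int = WINDOW_SECONDS) -> None:
        self.window = timedelta(seconds=window_seconds)
        self.recent: Dict[str, Deque[Delivery]] = defaultdict(deque)

    def observe(self, d: Delivery) -> Optional[str]:
        """Record a delivery; return a reason string if the sender now looks like a propagation."""
        q = self.recent[d.sender]
        q.append(d)
        while q and d.ts - q[0].ts > self.window:   # expire old records
            q.popleft()
        if d.attachment is not None:
            same = {x.recipient for x in q if x.attachment == d.attachment}
            if len(same) >= MAX_SAME_ATTACHMENT:
                return "attachment-fanout"
        if len({x.recipient for x in q}) >= MAX_RECIPIENTS:
            return "recipient-fanout"
        return None


def process(log: List[Delivery], hold_seconds: int = HOLD_SECONDS) -> Dict[str, list]:
    """Run the detector over a log and decide, per message, forward vs. quarantine.

    A message is released hold_seconds after acceptance; if its sender was
    flagged at or before that release time, it is quarantined instead.
    """
    hold = timedelta(seconds=hold_seconds)
    det = OnsetDetector()
    flagged_at: Dict[str, datetime] = {}
    alerts = []
    ordered = sorted(log, key=lambda x: x.ts)
    for d in ordered:
        reason = det.observe(d)
        if reason and d.sender not in flagged_at:
            flagged_at[d.sender] = d.ts
            alerts.append((d.sender, d.ts, reason))
    forwarded, quarantined = [], []
    for d in ordered:
        release = d.ts + hold
        if d.sender in flagged_at and flagged_at[d.sender] <= release:
            quarantined.append(d)
        else:
            forwarded.append(d)
    return {"alerts": alerts, "forwarded": forwarded, "quarantined": quarantined}


# Constructed sample log: alice sends normal traffic over an hour; at 10:00
# bob's account starts pushing one attachment to a new recipient every 15 s.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_LOG = [
    Delivery(T0 + timedelta(minutes=0), "alice@example.org", "carol@example.org", None),
    Delivery(T0 + timedelta(minutes=7), "alice@example.org", "dave@example.org", "sha256:f1"),
    Delivery(T0 + timedelta(minutes=20), "alice@example.org", "carol@example.org", "sha256:f2"),
    Delivery(T0 + timedelta(minutes=45), "alice@example.org", "erin@example.org", None),
] + [
    Delivery(T0 + timedelta(minutes=60, seconds=15 * i), "bob@example.org",
             f"user{i}@example.org", "sha256:worm")
    for i in range(8)
]


if __name__ == "__main__":
    for hold in (HOLD_SECONDS, 0):
        r = process(SAMPLE_LOG, hold_seconds=hold)
        print(f"hold={hold}s alerts={r['alerts']} "
              f"forwarded={len(r['forwarded'])} quarantined={len(r['quarantined'])}")
```

With the two-minute hold, the detector trips on bob's fifth recipient and every one of his eight messages is still in the egress queue, so all of them are quarantined; with no hold, the four messages sent before the statistic crossed the threshold have already left, which is exactly the gap the abstract's store-and-forward recommendation closes.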

