Various aspects involve determining legitimacy of an email address for risk assessment or other purposes. For instance, a risk assessment computing system receives a risk assessment query that identifies an email address. The risk assessment computing system determines a set of features for the email address. For each feature, the risk assessment computing system calculates an illegitimacy score by calculating a deviation of the feature from an expected safe value for the feature that is determined from historical email addresses. The risk assessment computing system aggregates the illegitimacy scores of the plurality of features into an aggregated illegitimacy score and further transmits a legitimacy risk value to a remote computing system. The legitimacy risk value indicates the aggregated illegitimacy score and can be used in controlling access of a computing device associated with the email address to one or more interactive computing environments.