Software

10 essential e-mail security measures

E-mail security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of e-mail security is ensuring you don't shoot yourself in the foot. These best practices will help you avoid any mistakes.

E-mail security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of e-mail security is ensuring you don't shoot yourself in the foot. These best practices will help you avoid any mistakes.


There's a lot of information out there about securing your e-mail. Much of it is advanced and doesn't apply to the typical end user. Configuring spam filters such as SpamAssassin, setting up encrypted authentication on mail servers, and e-mail gateway virus scanner management are not basic end-user tasks.

When one can find end-user e-mail security tips, they're usually specific to a single mail client or mail user agent, such as Microsoft Outlook, Mozilla Thunderbird, or Mutt. This sort of information is of critical importance to many users of these applications, but there are few sources of more general security information for e-mail users that aren't specific to a given client application.

The following is a list of some important security tips that apply to all e-mail users - not just users of a specific application. The first five are listed in the order one should employ them, from the first priority to the last. This priority is affected not only by how important a given tip is, but also by how easy it is to employ. The easier something is to do, the more likely one is to actually do it and move on to the next tip. The last five pointers are best practices that will help prevent users from making careless mistakes.

Note: This article is based on the IT Security blog posts Basic e-mail security tips and More e-mail security tips by Chad Perrin. It's also available as a PDF download.

#1: Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought.

At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML - or "Original HTML," as some clients label the option. Even better is to configure it to render only plain text. When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or getting successfully phished by some malicious security cracker or identity thief. My personal preference is, in fact, to use a mail user agent that is normally incapable of rendering HTML e-mail at all, showing everything as plain text instead.

#2: If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail.

This means avoiding the use of Web-based e-mail services, such as Gmail, Hotmail, and Yahoo! Mail for e-mail you want to keep private for any reason. Even if your Webmail service provider's policies seem sufficiently privacy-oriented to you, that doesn't mean that employees won't occasionally break the rules. Some providers are accused of selling e-mail addresses to spamming "partners." Even supposedly security-oriented Webmail services, such as Hushmail, can often be less than diligent in providing security to their users' e-mail.

#3: Ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not.

The reason for this is simple: You do not want some malicious security cracker listening in on your authentication session with the mail server. Someone who does this can then send e-mails as you, receive your e-mail, and generally cause all kinds of problems for you (including spammers). Check with your ISP's policies to determine whether authentication is encrypted and even how it is encrypted (so you might be able to determine how trivial it is to crack the encryption scheme used).

#4: Digitally sign your e-mails.

As long as you observe good security practices with e-mail in general, it is highly unlikely that anyone else will ever have the opportunity to usurp your identity for purposes of e-mail-but it is still a possibility. But if you use an encryption tool, such as PGP or GnuPG, to digitally sign your e-mails, recipients who have your public key will be able to determine that nobody could have sent the e-mail in question without having access to your private key-and you should definitely have a private key that is well protected.

#5: Avoid unsecured networks.

If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.

Be aware of both your virtual and physical surroundings when communicating via e-mail. Be careful. Trust no one that you do not absolutely have to trust, and recognize the dangers and potential consequences of that trust.

Your e-mail security does not just affect you; it affects others, as well, if your e-mail account is compromised. Even if the e-mail account itself is not compromised, your computer may be if you do not take reasonable care with how you deal with e-mails - and that, in turn, can lead to affecting both you and others adversely as well.

#6: Turn off automated addressing features.

As communication software accumulates more and more automated convenience features, we'll see more and more cases of accidentally selecting the wrong recipients. A prime example is Microsoft Outlook's "dreaded auto-fill feature," where it is all too easy to accidentally select a recipient adjacent to your intended recipient in the drop-down list. This can be particularly problematic when discussing private matters such as business secrets.

#7: Use BCC when sending to multiple recipients.

It's a bad idea, from a security perspective, to share e-mail addresses with people who have no need for them. It is also rude to share someone's e-mail address with strangers without permission. Every time you send out an e-mail to multiple recipients with all the recipients' names in the To: or CC: fields, you're sharing all those e-mail addresses with all the recipients. E-mail addresses that are not explicitly meant to be shared with the entire world should, in e-mails addressed to multiple recipients, be specified in the BCC: field - because each person will then be able to see that he or she is a recipient, but will not be able to see the e-mail addresses of anyone else in the BCC: field.

#8: Save e-mails only in a safe place.

No amount of encryption for sent e-mails will protect your privacy effectively if, after receiving and decrypting an e-mail, you store it in plain text on a machine to which other people have access. Sarah Palin found out the hard way that Webmail providers don't do as good a job of ensuring stored e-mail privacy as we might like. Many users' personal computers are not exactly set up with security in mind, either, as in the case of someone whose Windows home directory is set up as a CIFS share with a weak password.

#9: Only use private accounts for private e-mails.

Any e-mail you share with the world is likely to get targeted by spammers - both for purposes of sending mail to it and spoofing that e-mail address in the From: field of the e-mail headers. The more spammers and phishers who spoof your e-mail address that way, the more likely your e-mail address is to end up on spam blocker blacklists used by ISPs and lazy mail server sysadmins -- and the more likely you are to have problems with your e-mails not getting to their intended recipients.

#10: Double-check the recipient, every time - especially on mailing lists.

Accidentally replying directly to someone who sent an e-mail to a mailing list, when you meant to reply to the list, isn't a huge security issue. It can be kind of inconvenient, though, especially when you might never notice your e-mail didn't actually get to the mailing list. The converse, however, can be a real problem: if you accidentally send something to the list that was intended strictly for a specific individual, you may end up publicly saying something embarrassing or, worse, accidentally divulging secrets to hundreds of people you don't even know.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

6 comments
ben20092
ben20092

Use services like www.mytrashmail.com to protect your private email address. This comes handy when you sign up for newsletters, etc. on the web.

ron.jo880
ron.jo880

this good but does not tell us how to implement the recommendations

vickaprili
vickaprili

Great Article, I also personally disable the Save Password feature in my E-mail client to prevent email harvesting. A tech savy Rat could get an E-Mail/Contact List this way via malicious code on a webpage. Cheers Vic buytodayathome.com

pdr5407
pdr5407

I think that #10 is the most important, especially if you e-mail classified company information. I frequently send emails to either one person, using Reply in Outlook or to a group, by using the Reply-All button. Do you think that selecting Reply-All for e-mail may be a security problem?

ian3880
ian3880

Maybe I've missed something here. In the Opera browser it is possible to "Turn all headers on" and in the info that is dispayed are all the BCC recipients. Maybe lesser browsers can't do this. :-) Usually I email the sender and call them a "Spammer" as a warning, then refuse to accept their emails if they continue bulk forwarding (usually crappy) jokes etc. Personally, I use a simple but very effective program called "Mailwasher" (from Firetrust) which allows me to view, select and delete emails on my ISP's mail server. Emails from people/companies I don't know get the flick BEFORE even opening them in my browser. Nothing but the first 100 lines of text (selectable) are downloaded to my computer. Those people who insist on forwarding multiple recipients go onto my blacklist and Mailwasher automatically sets them for deletion. Otherwise most of the info in the article is valid. Nothing really beats vigilance and good housekeeping techniques.