Five tips for avoiding self-inflicted email security breaches

Email security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of email security is ensuring you don't shoot yourself in the foot.

In my article Basic e-mail security tips, I discussed five steps everyone should employ to secure their email, regardless of the client they use. Here are five more recommendations. These tips focus on the ways users break their own security rather than on protecting against the predations of malicious security crackers. Security can be violated through careless acts more easily than by outside forces.

Note: These tips are based on an entry in our IT Security blog.

1: Turn off automated addressing features

As communication software accumulates more and more automated convenience features, we'll see more and more cases of accidentally selecting the wrong recipients. A prime example is Microsoft Outlook's "dreaded auto-fill feature," where it is all too easy to accidentally select a recipient adjacent to your intended recipient in the drop-down list. This can be particularly problematic when discussing private matters, such as business secrets.

2: Use BCC when sending to multiple recipients

It's a bad idea, from a security perspective, to share email addresses with people who have no need for them. It is also rude to share someone's email address with strangers without permission. Every time you send out an email to multiple recipients with all the recipients' names in the To: or CC: fields, you're sharing all those email addresses with all the recipients. Email addresses that are not explicitly meant to be shared with the entire world should, in emails addressed to multiple recipients, be specified in the BCC: field. Each person will then be able to see that he or she is a recipient but will not be able to see the email addresses of anyone else in the BCC: field.
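The reason BCC hides addresses is that the blind-copied recipients are given to the mail server only in the SMTP envelope (the RCPT TO commands), while the Bcc header is removed from the message before it is sent. The following is an added example, not code from the article, using Python's standard library with constructed addresses; it builds a message both ways and shows which version leaks the blind-copied addresses to every recipient.

```python
from email.message import EmailMessage
from email.utils import getaddresses

def envelope_recipients(msg):
    """All addresses the SMTP server should be told to deliver to (RCPT TO):
    everything in To, Cc and Bcc, regardless of what the headers will show."""
    fields = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(fields)]

def build_message(sender, to, bcc, subject, body, strip_bcc=True):
    """Return (serialized message, envelope recipients).

    With strip_bcc=True (the correct behaviour) the Bcc header is deleted before
    serialization, so the bytes every recipient receives show only the To/Cc
    addresses. strip_bcc=False reproduces the mistake of leaving the header in,
    which turns a "blind" copy into an ordinary CC.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    rcpts = envelope_recipients(msg)   # compute while Bcc is still present
    if strip_bcc:
        del msg["Bcc"]                 # never let this header leave the machine
    return msg.as_bytes(), rcpts

def leaked_bcc(message_bytes, bcc):
    """Bcc addresses that are visible anywhere in the serialized message."""
    text = message_bytes.decode("utf-8", "replace")
    return sorted(a for a in bcc if a in text)

# Constructed sample data (hypothetical addresses, not real recipients).
SENDER = "sender@example.com"
TO = ["announce@example.com"]
BCC = ["pat@example.org", "quinn@example.net"]

if __name__ == "__main__":
    raw, rcpts = build_message(SENDER, TO, BCC, "Schedule", "See attached.")
    print("envelope recipients:", rcpts)
    print("Bcc addresses visible to recipients:", leaked_bcc(raw, BCC))
    # Delivery would be: smtplib.SMTP("mail.example.com").sendmail(SENDER, rcpts, raw)
```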

3: Save emails only in a safe place

No amount of encryption for sent emails will protect your privacy effectively if, after receiving and decrypting an email, you then store it in plain text on a machine to which other people have access. Sarah Palin found out the hard way that Webmail providers don't do as good a job of ensuring stored email privacy as we might like. Many users' personal computers are not exactly set up with security in mind, as in the case of someone whose Windows home directory is set up as a CIFS share with a weak password.

4: Use private accounts for private emails

Any email you share with the world is likely to get targeted by spammers -- both for purposes of sending mail to it and spoofing that email address in the From: field of the email headers. The more spammers and phishers spoof your email address that way, the more likely your email address is to end up on spam blocker blacklists used by ISPs and lazy mail server sysadmins -- and the more likely you are to have problems with your emails not getting to their intended recipients.

5: Double-check the recipient, every time -- especially on mailing lists

Accidentally replying directly to someone who sent an email to a mailing list, when you meant to reply to the list, isn't a huge security issue. It can be kind of inconvenient, though, especially when you might never notice your email didn't actually get to the mailing list. The converse, however, can be a real problem: If you accidentally send something to the list that was intended strictly for a specific individual, you may end up publicly saying something embarrassing or worse, accidentally divulging secrets to hundreds of people you don't even know.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

3 comments
Deborahg

Good tips. Though I would caution the use of the BCC field when sending to multiple recipients (although it is better than using the CC field). If the BCC field is used for a mass mailing, the message is likely to be blocked as spam and you could end up being blacklisted. Also, it is very confusing not to see yourself as an addressed recipient. I would recommend using mailing list software and blocking these types of mailings on corporate mail servers.

Jaqui

Most of the easily accessed mailing lists, like those used for support with many open source projects, have PUBLICLY accessible archives of the list. A screwup where confidential information went to such a list potentially has the information exposed to the entire world, not just those on the list.

yakupm

creates disposable email addresses linked to your email address. Someone starts spamming you? Get rid of that disposable email and no more spam.