Basic e-mail security tips

There's a lot of information out there about securing your e-mail. Much of it is advanced and doesn't apply to the typical end user. Configuring spam filters such as SpamAssassin, setting up encrypted authentication on mail servers, and e-mail gateway virus scanner management are not basic end-user tasks.

When one can find end-user e-mail security tips, they're usually specific to a single mail client or mail user agent such as Microsoft Outlook, Mozilla Thunderbird, or Mutt. This sort of information is of critical importance to many users of these applications, but there are few sources of more general security information for e-mail users that aren't specific to a given client application.

The following is a short list of some important security tips that apply to all e-mail users -- not just users of a specific application. They are listed in the order one should employ them, from the first priority to the last. This priority is affected not only by how important a given tip is, but also by how easy it is to employ; the easier something is to do, the more likely one is to actually do it and move on to the next tip.

  1. Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought. At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML -- or "Original HTML" as some clients label the option. Even better is to configure it to render only plain text. When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or getting successfully phished by some malicious security cracker or identity thief. My personal preference is, in fact, to use a mail user agent that is normally incapable of rendering HTML e-mail at all, showing everything as plain text instead.
  2. If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail. This means avoiding the use of Web-based e-mail services such as Gmail, Hotmail, and Yahoo! Mail for e-mail you wish to keep private for any reason. Even if your Webmail service provider's policies seem sufficiently privacy-oriented to you, that doesn't mean that employees won't occasionally break the rules. Some providers are accused of selling e-mail addresses to spamming "partners." Even supposedly security-oriented Webmail services such as Hushmail can often be less than diligent in providing security to their users' e-mail.
  3. It's always a good idea to ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker "listening in" on your authentication session with the mail server. If someone does this, that person can then send e-mails as you, receive your e-mail, and generally cause all kinds of problems for you (spammers using your account, for instance). Check your ISP's policies to determine whether authentication is encrypted and even how it is encrypted (so you might be able to judge how trivial the encryption scheme used is to crack).
  4. Digitally sign your e-mails. As long as you observe good security practices with e-mail in general, it is highly unlikely that anyone else will ever have the opportunity to usurp your identity for purposes of e-mail, but it is still a possibility. If you use an encryption tool such as PGP or GnuPG to digitally sign your e-mails, though, recipients who have your public key will be able to determine that nobody could have sent the e-mail in question without having access to your private key -- and you should definitely have a private key that is well protected.
  5. If, for some reason, you absolutely positively must access an e-mail account that does not authenticate over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.
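As an added example that is not part of the original article, the following Python shows one way to act on tip 3 from the client side: inspect what the IMAP server advertises and never send a password until the connection is encrypted and the server certificate has been verified. Host, user and password are whatever the caller supplies; the capability tokens checked (STARTTLS, LOGINDISABLED) are standard IMAP names.

```python
import imaplib
import ssl


def plan_login(capabilities, tls_active=False):
    """Decide the next step from the server's advertised CAPABILITY list.

    capabilities: iterable of capability tokens (e.g. imaplib's .capabilities)
    tls_active:   True once the socket has been wrapped in TLS
    Returns "login", "starttls" or "abort". Credentials are only sent in the
    "login" case, which requires TLS to be active already.
    """
    caps = {c.upper() for c in capabilities}
    if tls_active:
        # Some servers keep LOGIN disabled even after STARTTLS; respect that.
        return "abort" if "LOGINDISABLED" in caps else "login"
    # Plaintext socket: the only acceptable next step is a TLS upgrade.
    return "starttls" if "STARTTLS" in caps else "abort"


def connect_encrypted(host, user, password, port=143):
    """Open a plaintext IMAP socket, upgrade with STARTTLS, then log in.

    Raises instead of ever sending the password unencrypted. The default
    SSL context verifies the certificate chain and hostname, so a spoofed
    server is rejected before any credentials are sent.
    """
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4(host, port)
    if plan_login(conn.capabilities) != "starttls":
        conn.logout()
        raise RuntimeError("server offers no STARTTLS; refusing plaintext login")
    conn.starttls(ssl_context=ctx)  # imaplib re-reads CAPABILITY afterwards
    if plan_login(conn.capabilities, tls_active=True) != "login":
        conn.logout()
        raise RuntimeError("LOGIN disabled even over TLS; aborting")
    conn.login(user, password)
    return conn


def connect_imaps(host, user, password, port=993):
    """Alternative: implicit TLS from the first byte (IMAPS), same verification."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    if plan_login(conn.capabilities, tls_active=True) != "login":
        conn.logout()
        raise RuntimeError("LOGIN disabled; aborting")
    conn.login(user, password)
    return conn
```

The same STARTTLS-before-credentials rule applies to POP3 (poplib.POP3.stls) and SMTP submission; only the capability names differ.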

Be aware of both your virtual and physical surroundings when communicating via e-mail. Be careful. Trust no one that you do not absolutely have to trust, and recognize the dangers and potential consequences of that trust.

Your e-mail security does not just affect you; it affects others, as well, if your e-mail account is compromised. Even if the e-mail account itself is not compromised, your computer may be if you do not take reasonable care with how you deal with e-mails -- and that, in turn, can lead to affecting both you and others adversely as well.

Don't be a victim.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

9 comments
mlafflin

How does using a mail client keep employees from the company from viewing your mail through the web interface? I guess that's if downloaded mail doesn't leave a copy on server option is enabled.

richard.munden

A very informative post. More on the topic can be found at www.novo-ordo.com. There you will also find links to a variety of information sources and service providers. Ordo also offers what they call "Sub Rosa" secure email service. It supports POP and IMAP over encrypted links as well as the less desirable webmail using SSL encryption.

Jaqui

"Trust no one that you do not absolutely have to trust, and recognize the dangers and potential consequences of that trust." Yet every system is shipped with a default configuration of "TRUST EVERYONE", especially with web browsers and email clients. This is why I always delete the list of CAs that are included on the "trusted" list in every browser, on every OS. Trust no one. Or, better yet: trust them to screw you over if they get the chance. On every secured login online, I get a warning box, since my browser does NOT trust the Certificate Authority [CA]; this means I know whether a login is secured or not before touching anything on the page.

boxfiddler

And thanks once again. Another great commentary that my students can relate to. Better still, it's not 'come carping' from the teacher yet again! Another link to post. Hmmm... does this mean I need to start paying you? ;)

seanferd

Good advice for those with no inclination toward the technical side of computing and communicating. Actually, it's good advice to those with a technical inclination as well. Thanks, Chad. Now I have another article I can point out when the subject arises.

JCitizen

Next article: hopefully "the not so basic" list of things to do for email security. I had never thought of that one, though. Thanks! Seems like it could be near the top of the list too!

apotheon

"Hmmm... does this mean I need to start paying you?" Maybe we should talk.