
More email security tips

Email security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of email security is ensuring you don't shoot yourself in the foot.

In February this year, I listed five basic email security tips that everyone should employ. The following is a list of five more good pieces of email security advice:

  1. Turn off automated addressing features. As communication software accumulates more and more automated convenience features, we'll see more and more cases of accidentally selecting the wrong recipients. A prime example is Microsoft Outlook's "dreaded auto-fill feature", where it is all too easy to accidentally select a recipient adjacent to your intended recipient in the drop-down list. This can be particularly problematic when discussing private matters such as business secrets.
  2. Use BCC when sending to multiple recipients. It's a bad idea, from a security perspective, to share email addresses with people who have no need for them. It is also rude to share someone's email address with strangers without permission. Every time you send out an email to multiple recipients with all the recipients' addresses in the To: or CC: fields, you're sharing all those email addresses with all the recipients. Email addresses that are not explicitly meant to be shared with the entire world should, in emails addressed to multiple recipients, be specified in the BCC: field. Each person will then be able to see that he or she is a recipient, but will not be able to see the email addresses of anyone else in the BCC: field, because the mail client hands the BCC: addresses to the mail server only as envelope recipients and leaves the BCC: header out of the copy of the message it transmits.
  3. Save emails only in a safe place. No amount of encryption for sent emails will protect your privacy effectively if, after receiving and decrypting an email, you then store it in plain text on a machine to which other people have access. Sarah Palin found out the hard way that Webmail providers don't do as good a job of ensuring stored email privacy as we might like, and many users' personal computers are not exactly set up with security in mind, as in the case of someone whose MS Windows home directory is set up as a CIFS share with a weak password.
  4. Only use private accounts for private emails. Any email address you share with the world is likely to be targeted by spammers, both as a destination for spam and as a forged address in the From: field of the spam they send to others. The more spammers and phishers spoof your email address that way, the more likely your email address is to end up on the spam blacklists used by ISPs and lazy mail server sysadmins, and the more likely you are to have problems with your emails not reaching their intended recipients.
  5. Double-check the recipient, every time -- especially on mailing lists. Accidentally replying directly to someone who sent an email to a mailing list, when you meant to reply to the list, isn't a huge security issue. It can be kind of inconvenient, though, especially when you might never notice your email didn't actually get to the mailing list. The converse, however, can be a real problem: if you accidentally send something to the list that was intended strictly for a specific individual, you may end up publicly saying something embarrassing or, worse, accidentally divulging secrets to hundreds of people you don't even know.
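Tips 2 and 5 can be enforced by a small check that runs before a message leaves your machine. The following is an added example written for this page, not code from the original article: it flags a message that exposes more than one private address in To:/CC:, warns when a mailing-list address is among the recipients, and shows the step that makes BCC: work, namely putting every recipient in the SMTP envelope while dropping the Bcc: header from the transmitted bytes. All addresses, the public-address allowlist and the list of mailing-list addresses are constructed for the example.

```python
import email
from email.message import EmailMessage
from email.policy import SMTP

# Constructed for this example: addresses that are deliberately public
# (role accounts, list addresses). A real deployment would load these from config.
PUBLIC_ADDRESSES = {"info@agency.example", "discuss@lug.example"}
MAILING_LISTS = {"discuss@lug.example"}


def header_addresses(msg, name):
    """Bare, lower-cased addresses found in every instance of header `name`."""
    return [a.addr_spec.lower()
            for h in msg.get_all(name, [])
            for a in h.addresses]


def build_message(sender, subject, body, to=(), cc=(), bcc=()):
    """Build a message; Bcc recipients are held in a Bcc header for now."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["Subject"] = subject
    for name, addrs in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        if addrs:
            msg[name] = ", ".join(addrs)
    msg.set_content(body)
    return msg


def check_recipients(msg):
    """Return the problems the sender should confirm; an empty list means none."""
    problems = []
    visible = header_addresses(msg, "To") + header_addresses(msg, "Cc")
    # Tip 2: two or more private addresses in To/Cc are disclosed to each other.
    private = [a for a in visible if a not in PUBLIC_ADDRESSES]
    if len(private) > 1:
        problems.append("private addresses exposed in To/Cc: " + ", ".join(private))
    # Tip 5: a list address anywhere among the recipients means the whole list reads it.
    everyone = visible + header_addresses(msg, "Bcc")
    lists = [a for a in everyone if a in MAILING_LISTS]
    if lists:
        problems.append("message will go to mailing list(s): " + ", ".join(lists))
    return problems


def prepare_for_smtp(msg):
    """Return (envelope recipients, wire bytes) with the Bcc header removed.

    Every recipient, Bcc included, belongs in the SMTP envelope (RCPT TO);
    the bytes sent after DATA must not carry the Bcc header, or every
    recipient sees the whole Bcc list. smtplib.send_message strips Bcc for
    you; this does the step by hand so the separation is visible.
    """
    envelope = (header_addresses(msg, "To") + header_addresses(msg, "Cc")
                + header_addresses(msg, "Bcc"))
    # Round-trip through bytes so the original message object is left untouched.
    outgoing = email.message_from_bytes(msg.as_bytes(), policy=SMTP)
    del outgoing["Bcc"]          # no-op if the header is absent
    return envelope, outgoing.as_bytes()


if __name__ == "__main__":
    # Constructed sample: one visible recipient, two hidden ones.
    m = build_message("alice@private.example", "Weekend plans", "See you Saturday.",
                      to=["bob@private.example"],
                      bcc=["carol@private.example", "dave@private.example"])
    print("problems:", check_recipients(m))
    rcpts, wire = prepare_for_smtp(m)
    print("RCPT TO:", rcpts)
    print(wire.decode())
```

The envelope list is what you would pass to `SMTP.sendmail`; the wire bytes are what the recipients receive, and they contain no trace of the Bcc addresses. A mail client that sends the full header block unmodified defeats the purpose of BCC, which is why the check is done on the transmitted bytes rather than on the message object.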

These tips are more related to the ways that users break their own security, rather than protecting oneself against the predations of malicious security crackers. Security can be violated through careless acts more easily than by outside forces. Don't be your own biggest security concern.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

7 comments
clevercat17

Postini or JumbleMe allow you to encrypt emails without installing software and using your current email address and client. JumbleMe even lets you restrict the number of times an email is read and how many times it is forwarded. There are other products/techs out there that do similar stuff. Have a look.

Jaqui

Most mailing lists I have been on have the list configured to be the reply-to address, so when you click reply it goes to the list. Only one list actually has reply-to set to the original sender. [And the VanLUG list members have developed the habit of reply-all to compensate for public comments on the list.]

apotheon

I cannot possibly stress enough the importance of spreading the advice to start using the BCC: field when sending emails. Even supposedly technically proficient people send out emails to lists of people who don't know each other, addressed to their private email accounts, with all the addresses crammed into the To: or CC: field. DON'T DO THIS. You will violate the trust others place in your discretion and piss them off. You'll also look stupid. Learn to use the BCC: field, for the security of your friends, and for your own peace of mind and reputation.

pgit

All good advice. I had been diligently using BCC for a mailing list I maintained, and ONCE sent the whole list in the clear... about 30 people jumped on me by the end of the day... Unfortunately, once is enough. A couple of those folks changed their email accounts; I felt about 1/2 inch tall.

Jaqui

Using the CC field is a valid option when sending to public email addresses for agencies, or when stomping on someone's head and sending to his/her boss because they are NOT resolving an issue. Otherwise, use mailing lists, like Mailman, for sending to many recipients, with the reply-to being the list address. If that option isn't available, then the BCC field is the best option.

Sterling Chip Camden

I had sent a message to friends and family months before, and used the main address line instead of BCC. Then one of my friends contracted Melissa. Everyone on that distribution list was given the opportunity to contract it as well.