Haaga‐Helia University of Applied Sciences
E‐mail Security
When can I consider my e‐mail to be secure?
Ralph van der Pauw – a1000513
27/4/2010
Table of Contents

What is e-mail? ............................................................ 2
    Simple Mail Transfer Protocol ......................................... 2
    Post Office Protocol & Internet Message Access Protocol ............... 2
Why should e-mail be secure? ............................................... 4
    How the internet works ................................................ 4
    Common sense .......................................................... 5
Which threats exist in e-mail? ............................................ 6
    Trojans ............................................................... 6
    Viruses ............................................................... 6
    Worms ................................................................. 7
How can these threats be eliminated? ...................................... 9
    Antivirus software .................................................... 9
    Think before you act .................................................. 9
Which vulnerabilities exist in e-mail? ................................... 11
    Privacy .............................................................. 11
    Spam & Phishing ...................................................... 12
How can these vulnerabilities be reduced? ................................ 13
    Encryption (SSL, TLS & PGP) .......................................... 13
    Spam filters ......................................................... 13
    Awareness ............................................................ 14
Sources .................................................................. 16
Approach attachments with caution. If you are not expecting an attachment, or you do not know who it is from, do not open it. Opening an attachment can trigger malicious code that was not picked up by your anti-virus software.

Do not forward chain e-mail messages. Your e-mail address is stored in the mail and you are not able to keep track of who gets to see it.

Always report suspicious e-mail received from a trusted address. If you receive suspicious e-mail from an address you know, contact the sender about it, both to avoid the possible spreading of malicious code and to warn them about what has been sent from their address.

As stated before, it is not possible to eliminate 100% of the threats, but by letting your (up-to-date) anti-virus application scan your e-mail and by taking the precautions mentioned above, you lower your risk to a minimum.
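The "approach attachments with caution" rule can be applied mechanically before a user ever sees the mail. The following is an added example, not code from the paper or any cited source: it builds a constructed sample message with Python's standard email package and flags attachments by executable extension, by double extension such as "invoice.pdf.exe", and by a declared MIME type that does not fit the file name. The extension lists are assumptions chosen for the example, not a complete policy.

```python
"""Added example (not from the original paper): flag e-mail attachments that
deserve the 'approach with caution' treatment before anyone opens them."""
from email.message import EmailMessage

# Extensions that run code when opened on a typical desktop
# (assumed, non-exhaustive list chosen for this example).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf",
    "ps1", "hta", "msi", "jar", "lnk",
}
# Office formats whose macros can run code: worth a warning, not a block.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
# Harmless-looking document extensions used as the visible half of
# 'name.pdf.exe' style double extensions.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def build_sample_message() -> EmailMessage:
    """Construct a sample message with three attachments (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached files.")
    # 1. A plain PDF: nothing to complain about by name or type.
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # 2. Double extension: the visible part says PDF, the real one says EXE.
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    # 3. Declared as an image but named as a script: type/name mismatch.
    msg.add_attachment(b"WScript.Echo 1", maintype="image", subtype="png",
                       filename="photo.vbs")
    return msg


def assess_attachment(filename: str, content_type: str) -> list:
    """Return the reasons an attachment is suspicious (empty list = none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    elif ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled document .{ext}")
    # 'invoice.pdf.exe': a document extension hidden in front of the real one.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # A script named as an image or text file: the MIME type is lying.
    if ext in EXECUTABLE_EXTENSIONS and content_type.split("/")[0] in ("image", "text"):
        reasons.append(f"declared {content_type} but named as a script")
    return reasons


def scan_message(msg: EmailMessage) -> dict:
    """Map every attachment file name to its list of reasons."""
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report[name] = assess_attachment(name, part.get_content_type())
    return report


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(name, "->", reasons or "ok")
```

Run on the constructed message, only invoice.pdf passes; the other two attachments are reported with one reason per rule that fired. A mail gateway would typically quarantine on any executable extension and merely annotate macro-enabled documents.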
Awareness

Awareness in using your e-mail account may be just as important as installing technical precautions. In corporations it is very important for the administrators to create this awareness among the employees. Important precautions for e-mail users are listed below.

Keep the number of e-mail accounts to a minimum. It is wise to split personal and corporate e-mail over different accounts, but keep the total number of accounts as low as possible. Besides a personal and a corporate account, it is recommended to create a separate account for less secure traffic, a so-called spam account. This account can be used for internet forms and unsecured communication (IT Security, 2008).

A more secure way of communicating is the telephone. If your message can be delivered by a telephone call, it is wise to choose this more secure and private option.

Spam traffic is usually cumulative: once you start to receive a lot of spam, the amount will steadily increase. It is therefore wise to discard accounts that receive an immense amount of spam (IT Security, 2007).

When accessing your e-mail on a public computer, never use an e-mail client; always use the web interface of your e-mail provider. When you are done with the session, log out, close the browser and delete the cache, cookies, history and saved passwords so that no traces of your session are left.

Avoid using the reply-all or BCC option when sending e-mails. This way you show your own and others' e-mail addresses to a lot of users. Try using the CC option, where other e-mail addresses are hidden, to protect privacy (IT Security, 2008).
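The privacy point above is about which recipient addresses every receiver of a message gets to see. The following is an added example, not code from the paper: it takes a constructed message with To, Cc and Bcc recipients and separates the addresses the server delivers to (the envelope recipients) from the addresses left in the headers that each recipient can read. It mirrors what Python's smtplib.send_message does before handing a message to the server, which is to remove the Bcc header and keep To and Cc; the check shows that it is the Bcc field, not Cc, whose addresses stay hidden from the other recipients.

```python
"""Added example (not part of the original paper): which recipient addresses
are exposed to everyone, depending on whether they sit in To, Cc or Bcc."""
import copy
from email.message import EmailMessage


def constructed_message() -> EmailMessage:
    """A sample message with recipients in all three fields (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Cc"] = "carol@example.com, dave@example.com"
    msg["Bcc"] = "erin@example.com"
    msg["Subject"] = "Team update"
    msg.set_content("Hello all")
    return msg


def _addresses(msg: EmailMessage, *fields: str) -> list:
    """Sorted, de-duplicated addr-specs found in the given header fields."""
    found = set()
    for field in fields:
        for header in msg.get_all(field, []):
            # EmailMessage parses address headers into Address objects.
            for addr in header.addresses:
                found.add(addr.addr_spec)
    return sorted(found)


def envelope_recipients(msg: EmailMessage) -> list:
    """Everyone the SMTP server will deliver to: To + Cc + Bcc."""
    return _addresses(msg, "to", "cc", "bcc")


def as_transmitted(msg: EmailMessage) -> EmailMessage:
    """Copy of the message as it leaves the sender.

    Same steps smtplib.send_message takes: copy, then drop Bcc so it never
    reaches any recipient. The original message object is left untouched."""
    wire = copy.copy(msg)
    del wire["Bcc"]
    del wire["Resent-Bcc"]
    return wire


def exposure_report(msg: EmailMessage) -> dict:
    """Who gets the mail, who is visible to all of them, and who stays hidden."""
    delivered = envelope_recipients(msg)
    visible = _addresses(as_transmitted(msg), "to", "cc")
    hidden = sorted(set(delivered) - set(visible))
    return {"delivered_to": delivered, "visible_to_everyone": visible, "hidden": hidden}


if __name__ == "__main__":
    for key, value in exposure_report(constructed_message()).items():
        print(f"{key:>20}: {', '.join(value)}")
```

The report lists erin@example.com under "hidden" and the To and Cc addresses under "visible_to_everyone". Reply-all builds its recipient list from exactly those visible fields, which is why a wide To/Cc list keeps growing the audience with every reply.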
Never send sensitive company information from your (unsecured) personal account; always use your corporate account, where your privacy can be protected by the company's IT department. If the information happens to be intercepted, you are less exposed in possible legal disputes (IT Security, 2007).

Create regular backups of your e-mail account. Important e-mail may be stored in your mail directories, so always make sure these e-mails are backed up on your computer. Also, when accessing your e-mail on a mobile device using the POP protocol, make sure a copy of the e-mail is left on the server. A cellphone is easily lost, and with it you would lose all your e-mails too.

An often used technique to harvest your e-mail address is to send you newsletters with an unsubscribe option. When you click this option you are taken to a webpage and your e-mail address is stored. Do not unsubscribe from these e-mails unless you remember subscribing to them (IT Security, 2007).

Phishing mails may slip through your spam filter, depending on the level of thoroughness you set it to. Identify a phishing mail by looking for anything that implies the mail is not from who it pretends to be. In the mail you will probably be asked to fill in personal information. Most banks, web payment services and auction sites use web forms for these matters, so if you are asked to mail your account details you can assume it is fake. If they give you a link to follow, always hold your mouse cursor over the link to see where the address actually leads. Check carefully for spelling errors in the link; this is a common trick to masquerade as a trustworthy identity (Microsoft, 2010).
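The "hover over the link and check its spelling" advice can be run over an HTML mail body before a user clicks anything. The following is an added example, not code from the paper or from Microsoft: it extracts every link with Python's html.parser, compares the host the link really points to with the host shown in the link text (when that text looks like a URL) and with a list of hosts the reader trusts, and flags near-misses such as a single swapped character. It goes slightly beyond the text by also flagging a trusted name used as the front part of some other site's host name. The sample body and the TRUSTED_HOSTS list are constructed for the example.

```python
"""Added example (not from the original paper): check the links in an HTML
mail body the way a careful reader would by hovering over them."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of hosts the reader expects legitimate mail to link to.
TRUSTED_HOSTS = {"www.example-bank.com", "pay.example.com"}

# Constructed sample body: one lookalike link, one honest link, one link that
# only starts with the trusted name.
SAMPLE_BODY = """<p>Dear customer, please confirm your account:</p>
<a href="http://www.examp1e-bank.com/login">https://www.example-bank.com/login</a>
<p>Or visit <a href="https://pay.example.com/help">our help pages</a>.</p>
<p><a href="https://www.example-bank.com.verify-now.example.net/">Verify now</a></p>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text: str) -> str:
    """Lower-cased host name of a URL (or of bare text that looks like one)."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def assess_link(href: str, text: str, trusted=TRUSTED_HOSTS) -> list:
    """Return the reasons a link is suspicious (empty list = nothing found)."""
    reasons = []
    target = host_of(href)
    if target in trusted:
        return reasons
    # The visible text is itself a URL, but the href goes somewhere else.
    if text.startswith(("http://", "https://")) and host_of(text) != target:
        reasons.append(f"text shows {host_of(text)} but link goes to {target}")
    for good in trusted:
        # A couple of character edits away from a trusted host: 'examp1e'.
        if 0 < edit_distance(target, good) <= 2:
            reasons.append(f"{target} looks like {good}")
        # Trusted name placed in front of an unrelated registered domain.
        if target.startswith(good + "."):
            reasons.append(f"{target} uses {good} as a subdomain of another site")
    return reasons


def check_body(html: str) -> dict:
    """Map every href in the body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: assess_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in check_body(SAMPLE_BODY).items():
        print(href, "->", reasons or "ok")
```

On the sample body the honest help link passes, the lookalike login link is reported twice (text and href disagree, and the host is one edit away from the bank's), and the third link is reported because the trusted name is only a prefix of a different site's host. A real deployment would replace TRUSTED_HOSTS with the organisation's own list and lower-case and strip the text before comparing.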