Email & messaging security resources

General email security resources

The 25 most common mistakes on email covers several email security issues.

Sample policies covering email and other forms of messaging here, here and here, plus one on email retention.  SecurityDocs also has a collection of email policy examples.

Advice on choosing email clients according to their security features.

With input from PGP, a short article on the technical architecture options for email encryption (e.g. endpoint-to-endpoint vs. endpoint-to-email-gateway) covers principles and concerns that also apply to other email encryption systems.

‘Enforced disclosure’ of emails can be a concern for organizations facing regulatory and legal inquiries into their business practices, such as British supermarket chains Tesco and Asda.  Thousands of internal emails that the senders and recipients probably considered confidential may soon be exposed to the glare of public scrutiny.

A US court ruled that email users have the same reasonable expectation of privacy as they do in respect of their phone calls.  A search warrant is therefore required before the Government can legitimately access and search emails stored by ISPs, and the owner of the emails must be notified and given the right to object.

Why do so few people use email encryption?  Is it just ‘too hard’?  If so, Thomas Green’s book explains the process of installing and using PGP or GPG quite well.

119 University students who failed classes inadvertently found out who shared their misfortune. The email informing them was sent “To:” all 119 students so all recipients could see who else received the email - if it had been “cc’d” instead, the recipients might have remained anonymous.

Wikipedia explains S/MIME and PGP and has links to more technical sources and other standards.

NIST’s SP 800-45 Guidelines on Electronic Mail Security offers 139 pages of free advice on the secure installation, configuration and maintenance of email servers and clients, from operating systems to administration and use. 

A 3-lesson Email Security School [access requires free registration] consists of webcast presentations by an email security guru, technical papers and quizzes to check your comprehension.

Hushmail offers simple-to-use encrypted email for individuals and (small) corporations, including webmail and POP/IMAP access for Outlook etc.

Secure Webmail offers SSL access with anti-spam and antivirus functions included.

CERT’s easy-to-swallow cyber security tips on email security cover email clients, blind carbon copy, attachments, chain letters, hoaxes and urban legends and spam.

GFI MailSecurity is an email content checking, exploit detection, threats analysis and antivirus solution that incorporates multiple detection engines/methods.

Everyone seems to have their own idea of what email disclaimers should say.  Typically they use curious pseudo-legal mumbo jumbo wording that has little if any force in law.  A huge number of largely meaningless statements are in use worldwide (... “If you are not the intended recipient, this message should be destroyed without reading”...).   Read a lawyer’s sentence-by-sentence dismantling of a Time Inc. disclaimer to understand some of the issues and reasons why adding a disclaimer can make things worse not better.

Find out how to back-trace the origins of an email using information in the mail header ... but be aware that pretty much anything in an ordinary (i.e. not cryptographically signed) email may be forged or manipulated en route to your inbox.

Sender Permitted From (SPF) is perhaps the most widely used email authentication standard, vying for the top slot with Microsoft’s Sender ID.  Neither has yet gained sufficient acceptance to become a de facto standard, and since they address slightly different problems, they may coexist for a while yet.

Spam

CERT advises PC users on how to tackle spam.

Spammers can’t escape their legal obligations through disclaimers.

A Kiwi spammer based in Australia and selling drugs from a Mauritius company to people all over the world was convicted under New Zealand anti-spam law and fined NZ$110k.  It seems the authorities are finally getting on top of the jurisdictional complexities arising from virtual life on the Internet.

Slamming Spam: A Guide for System Administrators by Robert Haskins and Dale Nielson (~US$32 from Amazon) provides how-to guidance for IT pros on selecting and configuring anti-spam controls for a good selection of email systems including Domino, Exchange, Outlook and more.

Spam wars - our last, best chance to defeat spammers, scammers and hackers by Danny Goodman (~$12 from Amazon) starts with a gentle introduction to the history of email scams, then moves on to discuss the strengths and weaknesses of a range of anti-spam and similar techniques.  Gets good reviews from trusted reviewers.  Recommended reading.

Why am I getting all this spam? reports on the Center for Democracy and Technology’s fascinating research project into how spammers found valid email addresses in 2003.  Although a little technical at times, the report provides practical advice on how to reduce the problem.  Highly recommended reading.

eWeek’s spam page carries dozens of articles on spam including pieces on CAN-SPAM and product reviews of spam filtering software.  Highly recommended reading.

If I had an inch for every penis enlargement spam ... :-)

The Register reports “Each active copy of the [HotLan] Trojan attempts to set up a webmail account, sending off the captcha image in an encrypted form to a spammer-controlled website. Servers behind this site process the image and extract the solution to the captcha challenge, which is then posted in the appropriate field.  Once a webmail account is established, encrypted spam emails are sent from a website onto infected machines. The HotLan Trojan then decrypts these junk emails and sends them to (presumably valid) addresses taken from yet another website.”  The Register’s spam page has all the spam news you can eat, and then some.

The US CAN-SPAM Act bans false/misleading email headers and deceptive subjects, and requires that email distributions contain an opt-out method.  It also requires that commercial emails be identified as advertisements and include the sender's valid physical postal address.  Unfortunately, CAN-SPAM has patently failed to stem the spam tsunami.

According to the New York Times, 11% of the 650 million computers on-line contain botnet code, 250,00 new systems get botted every day and 80% of all spam originates from botnets.

Support Intelligence monitors the Internet for spam, botnets etc.  Many big-name companies are named and shamed; in other words, spammers have evidently infiltrated major corporate networks, setting up botnets that spew forth spam through the corporate email systems.

Anti-spam email systems that use “challenge-response” to confirm that human beings, not spam-bots, have sent emails that arrive unexpectedly in your inbox may seem at first glance like a good idea but they are blamed for creating even more spam.  One unfortunate victim whose email address was used by a spammer to forge the sender field received over 25,000 ‘backscatter’ messages including a good number of automated challenges.

Abuse is an open source program to respond automatically to spam messages, automatically composing responses to go to the abuse addresses listed for the IPs of the sending machines.  As the senders are commonly compromised zombie PCs, informing the owners and getting the machines cleaned up helps fight the avalanche of spam.

If you use Spamassassin, visit uribl.com for a blacklist built around the ‘click here to buy’ links in spam messages.  These links are, allegedly, a more reliable guide to spammers than the ‘to’ and ‘from’ address fields which (as we know to our cost) are all too easily spoofed: we are emphatically NOT responsible for spams that appear to have been sent from IsecT.com email addresses.  We don’t spam.  We really hate spam. 

If you experience problems with abusers of Google’s Gmail service, report them through the Gmail security center.  Report abuse of Hotmail, Yahoo and a zillion other email services to their respective abuse@domain addresses with the full email headers but be quick: it’s hardly worth reporting 419s, phish or spams more than a few minutes after they arrive since a zillion other well-meaning complainants will have already notified them, and most have their own early-warning abuse detection processes.  Report spam to SpamCop, Spamhaus, SURBL and/or Abuse.net (the latter has a lot of helpful information about spam).

The Coalition Against Unsolicited Commercial Email (CAUCE) is a worthy body of volunteers trying to curb the spam problem by applying pressure to governments.

The OECD reports that parts of the developing world (such as Nigeria) are being overwhelmed with spam.  [Given the volume of 419 advance fee frauds still originating from those same parts of the world, some might call this poetic justice ... but spam is an indiscriminate problem that does not just affect fraudsters].

Fed up with websites that ask you to register before they will impart useful information?  Worried about being spammed as a result?  Check out Mailinator for one solution: instant email addresses you just make up on-the-fly, then visit once to collect your information and never again.

Jeremy Jaynes was the first person in the US to get a prison term (9 years) for spamming.

Information Security News (ISN), an excellent source of topical news articles and new resources for this links collection, has a number of mirror/archive sites.  These are regularly updated by automated data feeds.  The Security Focus ISN archive, however, evidently has a problem with spam, republishing messages that some might find offensive. Site owners Symantec have been informed several times since 2004 but (as of August 2007 at least) seem to be unable to resolve the problem.  [This seems particularly ironic, given that Symantec supplies Norton Antispam and similar tools ...]

Sophos releases quarterly lists of the top 12 countries relaying spam.  USA, the global pinnacle of the marketing art, typically wins the [fools-]gold medal.

Spam and other obnoxious marketing techniques, such as adware and spyware, are addressed by cexx.org

419s (advance fee frauds) and similar scams

Scammers hoping to entice victims often use social engineering techniques.  By exposing 9 dirty tricks, CSO Magazine hopes to inform and hence forewarn.

A global self-help initiative to counteract the 419 scammers is run by the South African police.  It’s a name-and-shame deal, with police and community backing lending some weight to their efforts to get scammer sites and services closed down.  Awareness/education is a primary and very worthy aim.  Recommended resource.

A BBC World broadcast gave an account of 419 and “black money” scams committed by Nigerian (and other) fraudsters, and the UK police investigating corruption and money laundering.

A list of around 130 websites fighting 419 scams is maintained by the 419 Coalition.

A gallery contains hundreds of examples of 419 emails.  If you are fed up dealing with wave after wave of 419 scammers, EbolaMonkeyMan may be just the antidote you need [site contains adult material and juvenile humor].  And there’s more: sweet chilli sauce includes a succinct scam test.

Yale University’s page on 419 scams is a good example of the proactive use of information security awareness to help reduce risks.

Security for messaging via IM, VoIP, Skype etc.

Three tools can help manage IM security.

Microsoft is suing alleged IM spammers and phishers.

A lady who complained on Twitter about mold in her apartment is being sued for the alleged defamatory comments by the apartment owner.  Remember this story when sending email, IM, Tweets or whatever.

Links to an extensive collection of guidelines for those who use social networking, blogging and so forth is a great way to make staff aware of the dangers and, better still, give them the skills to avoid them.

The transition from POTS (Plain Old Telephone System) to VoIP (Voice over IP) or IPtel (IP telephony) is likened by CSO Magazine to the day Swedes changed the side of the road on which they drive. This dramatic analogy challenges the hackneyed claim that VoIP simply replicates POTS security issues.

NIST’s Special Publication 800-58 Security Considerations for Voice over IP Systems (a free 100-page book!) is a useful security guide and VoIP primer.

Like Wi-Fi, VoIP is a commercially attractive technology with significant security concerns.  The VoIP Security Alliance, an ‘industry body’ (funded by VoIP vendors - spot the potential conflict of interest), is defining security standards for VoIP implementations.

Were you aware that, in addition to Voice over IP, Skype permits file transfers between users? ...  Simson Garfinkel’s high-level assessment of the information security risks of Skype makes for interesting reading.  See the Skype security centre for more.

Other stuff

Do you have a Blackberry?  Are you comfortable to trust third parties to maintain security of your device?  Perhaps it’s time to reconsider what you use the Blackberry for.

Read about Sarah Palin’s Yahoo! email account being hacked by a social engineer here, here, here, here, here and here.  A similar attack recently compromised the organization behind Twitter.

‘Typosquatters’ are not just a threat for website visitors who accidentally mis-type your organization’s URL: they also tap into emails accidentally sent to mis-typed addresses.

If you find yourself lost for words when writing an email to management, try this.

Be careful how you configure your email software.  A cautionary tale concerns the misconfiguration of Microsoft Small Business Server systems which led to emails being rebroadcast to numerous recipients, eventually causing a rather embarrassing service outage.  Way back in 1996, the RISKS newsgroup reported a story about a deputy prosecutor who set his email to auto-reply before leaving the office for a few days.  Unfortunately, he set it to auto-reply to all 2,000 subscribers on the email system and to request confirmation of all messages ... within hours, the system was awash with 150,000 emails including the auto-replies, forwards and confirmations.  Modern email systems prevent this kind of thing, or at least some do, but human error has an amazing knack of bypassing technical controls.

“Sending a confidential office document unencrypted and without proper permissions to your workgroup is like attaching a $100 bill with a paper clip to a postcard and passing it around your office. Will it come back to you with the money still attached?”  Read the rest in Triangle Tech Journal.

If you slander someone by email, it is treated in law as libel since email is a written form of communication.  Libel is legally defined by several criteria.  Read this FAQ for more information and CONSULT A QUALIFIED LEGAL EXPERT for the definitive, if somewhat more expensive, answer. 


Related NoticeBored links collections

See also the office security links page


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk.  This is not legal advice.


Copyright © 2010  IsecT Ltd.