web application security lab

99 Email Security Tips

I ran across this article today on 99 ways to secure your email. Largely it’s email etiquette and efficiency fluff and there are really only a small handful of actual ways to secure your email in it (numbers 78-99). There are a few tips that I’d tell people that are definitely not mentioned on their list. Here are a few from my personal list:

1) Turn off preview panes. When you click an email and it shows up in the preview pane, the remote images are rendered and the click-tracking that spammers use to verify their email lists executes. That alerts them to the fact that you a) are a real user and b) are a user who reads spam. Having your email open automatically also increases the likelihood of automatic exploitation of the email client. None of those are good, so turn off the preview pane.

2) Don’t put email addresses or sensitive corporate information into out of office emails. If you are out of office, just tell them the name of who to get in contact with. If they know anything about your company they’ll know how to get in touch with the front desk and use the person’s name to get in touch with them. A number of times people have set out of office messages with stuff like, “If you need information on super secret project x please contact….” Firstly, that’s bad if it’s someone who doesn’t really know you (sales people, etc.); secondly, if it contains email addresses, those too can be scraped by the spammers who watch the return addresses for bounces.

3) Use domain keys, SPF (sender policy framework) records or other tools to reduce spoofing. If you want to allow people to know if you are legitimately sending email from all users on your domain without causing them too much grief, install domain keys or use SPF records to reduce the likelihood of people successfully spoofing your email. PGP signing is great but it only works for the one person using it, unlike domain keys.
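As an added example (not from the original post), this is the check a receiving mail server performs with an SPF record: it evaluates the record published for the envelope-sender domain against the IP that connected to it. The DNS records below are constructed stand-ins for TXT lookups, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network): domain -> SPF record.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Simplified SPF evaluation supporting ip4, ip6, include and all.

    Returns pass/fail/softfail/neutral/none, or permerror on a bad record.
    a/mx/ptr/exists mechanisms and redirect=/exp= modifiers are out of scope.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms; also stops include loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the referenced record evaluates to pass;
            # a softfail or fail inside it just means "no match here".
            if check_spf(value, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, "->", check_spf("example.com", ip))
```

The last address falls through every mechanism and hits `-all`, which is the spoofing case the record exists to reject; a receiver that enforces the result can drop or flag the message.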

4) Unlike what the article says do NOT use Yahoo or Hotmail as methods to send anonymous emails. Both send headers showing the recipient where you are originating from. Use something like hushmail instead.

5) Create custom email accounts for specific applications. I’ve seen a number of people who have begun building out vanity email addresses based on the specific site they are visiting, e.g. ha.ckers.org@mysite.com

6) Validate users who are allowed to send email to you. This is an ugly one, but by only allowing people who you have authorized to email you, you can significantly reduce unsolicited email. You had better not use one of these accounts for anything you want to get electronic receipts for, but for personal accounts it’s a pretty decent solution.

7) Use a fake or modified name on each site you visit. If my name is “John Smith” I could use something like “John Petsmart Smith”, which will let me know that Petsmart has sold my email information when I get spam or phishing emails in the future.

Anyway, there are dozens of ways to secure your email. I’m sure everyone can contribute to this list. It’s a huge topic that they really only scratched the surface of.

5 Responses to “99 Email Security Tips”

  1. ntp Says:

    i wish there was a provider (like GMail or Hushmail) that included identity-based encryption as a feature

    you should know that there are some ways to make any mail look very legitimate that spammers/phishers know about and employ (such as IP/ASN hijacking). the best recommendation is to never send passwords or any sensitive information over unencrypted email. i have seen spoofed emails with the correct IP space, hostnames, and completely legit-looking headers through and through.

    while both S/MIME and PGP/GPG are great for email signature and encryption, many implementations suffer from both easy and advanced vulnerabilities depending… many times can be user error or a security awareness/training issue. many organizations can’t rely on email signature/encryption, or do so with some degree of risk.

    identity-based encryption could solve a lot of these implementation and training/awareness issues with regards to public-key cryptography use for email. here’s a link to how ibe works.

  2. Edward Z. Yang Says:

    Most email providers now block remote images when you view email messages, so that shouldn’t be too much of a problem. Just switch ‘em off.

  3. dusoft Says:

    Thunderbird blocks remote images and scripts, so you can render everything without a security leak.

  4. John Herron Says:

    #5 I probably started doing that about 7 or 8 years ago. I would use a different email address for every site that required one. Or if a brick and mortar store wanted one on a form I made one up for that too (e.g. rei@mydomain.com). Great way to see who sold your info to a spammer. Of course at the time I just had all incoming mail to that domain dumped to one box. That was before spam started coming in for sally@, joe3@, joe4@, etc. I think I was up to 6,000 / day before my spam controls became overwhelmed. So I had to change all those to a couple of addresses and dump undeliverable mail to /dev/null. So be careful and don’t make these boxes too generic and don’t be lazy and use a catch all mailbox.

  5. Dude Says:

    #5, you can also use something like ‘username+site@domain.com’, so for this site, it’d become: bill+ha.ckers.org@microsoft.com

    A little Greasemonkey tool to help you with this: http://userscripts.org/scripts/show/4893