Personal E-mail Security: The Definitive Guide

Many of my friends have been on the Internet for years and years. They have the knowing of the Way of the Machine. And they know what to do when it comes to keeping their mail accounts free of spam, worms, viruses, trojans and other bad mojo. But some of my friends do not. Now I have written about this on many, many, many occasions. But I think I finally want one definitive page that I can always point the greenhorns to.

Thus this page:

Get your own mail server

In the best of all worlds you’ll want to get your own mail server or get an account on someone else’s mail server where that friend is willing to make special adjustments just for you. I am talking about being able to fine tune things in a way that most ISPs just don’t have the time to let you do.

Account names

On your new domain, choose a string for a username that won’t fall within any obvious lists of common first and last names. Ideally you want a string that is as close to random as possible, but that probably won’t be memorable for you. To do nearly as well, just reverse your initials, add a few numbers, add a few safe symbols, or leave out a few letters, anything to generate a non-obvious, but still memorable string.

The reason for this is that spammers now do shotgun attacks on known domains. They just fire off e-mail to names on a list (Jill, Zelda, Bill, John, Tina, Arthur, Smith, Jones, Olsen, Clinton, etc.) and hope that some actually exist as accounts at that domain. If your username is a rare string, then it’s less likely to get hit with a dictionary attack.

Dummy accounts

Get yourself one or two dummy accounts with Yahoo, Hotmail, AOL, whatever. Use this account in any web forms that ask for an e-mail address. This protects your personal account from spam the company might send you. On the other hand, some of the material that company may send you, you may want. If so, just forward the mail from your dummy account to your real account.

Of course, you’ll have to check, maintain and regularly read and empty your dummy accounts. But better the spam happens there than in your real account.

Don’t post your address in public places

This one is so old, even many greenhorns know it. Don’t make posts to Usenet from your real account. Don’t post your real account on someone’s Web site. Don’t post your real account on bulletin boards, web logs, mailing lists, chat sessions, file-sharing tools, etc. You might get away with it if the chat is encrypted or the Web site sits behind a secure socket, but just assume everything on the Internet is public and behave appropriately.

Get a Web site with a mail form

Heck, just get a Web site. Web sites are pretty damn nifty and this is one of the reasons why. A form on your Web site will let your visitors and friends mail you, without them knowing your address. Whenever people ask you for your mail address, just point them to the location of your Web form and let them do the rest. Whenever you are posting a rant on someone’s bulletin board, you can just use that Web form location as your contact information instead of your address.

Of course spambots are getting more and more sophisticated now and some can automatically send mail through your form, but there are ways to thwart this and so far this is still rare.

Learn to munge

Munging is the deliberate obfuscation of a string of text to thwart automatic pattern recognition. If you’ve been around the Web for a while, you might have seen e-mail addresses posted in public places with strings like “DIE!SPAMMER!DIE!” interposed in the string of text that composes the address. For example, “abuse@mic_to_the_ninth_circle_roso_of_hell_with_you_spambot_ft.com” would be one good way to do this. There are many others. The goal is to create an obfuscated string that will slip by most pattern recognition recipes yet still be easy for humans to decode.

Combined with other techniques, munging can be quite effective. The interested can look at the source markup of my contact page for a good example.

Think before putting your address in group mails

And tell your friends to do likewise with your address in any group mails they create or pass on.

This is one that I’ve ranted on about on numerous occasions with my friends. The reason for caution is this: group mails have a tendency to be sent or forwarded on repeatedly, passing from inbox to inbox, accumulating addresses, until they wind up in the hands of a spammer. The spammer then culls the mail thread for usable addresses and the spamming commences.

Unfortunately this cautionary technique is not very useful, relies on personal judgement and strikes at the very reason for e-mail to exist. Group mails are often what e-mail is all about. Sometimes it’s necessary to mail a large number of people, of varying degrees of network experience. Sometimes it can’t be avoided.

But there are things you can do. If you need to simply broadcast a message, without meaning to start a group conversation, put everyone on the blind carbon line, if your mail program supports it. This prevents group replies and mass forwarding. Anyone else who receives the mail will be forced to reply only to you or can only forward your address alone to someone else. Remember, the blind carbon copy is your friend. Use it to protect the privacy of your friends and ask them to do likewise with your address.

Learn how to build whitelists and blacklists

A whitelist performs an action if an object doesn’t fit certain criteria. A blacklist performs an action if an object does fit certain criteria.

In the case of e-mail, a whitelist filter might send all mail from strangers to a certain folder for you to review later, if that mail comes from an address that isn’t on your list of known contacts and friends. A blacklist filter might send all mail from a certain address to a certain folder for you to review later, if that address is on a list of known spammers. See the difference? See how setting up filtering rules like this in your mail program can save you time? All the mail from strangers who are not on your contact list is likely to be spam or worse. After you review these mails carefully, you can add new addresses to your whitelist to keep them from being filtered against.
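The filtering rules described above, sketched in Python as an added example (not code from the original post). The addresses, folder names and sample messages are constructed for illustration, and the From header is whatever the sender chose to put there.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample lists; every address here is made up for the example.
WHITELIST = {"alice@example.org", "bob@example.net"}   # known contacts
BLACKLIST = {"promo@bulk-mailer.example"}              # known spammers

def sender_of(raw_message):
    """Return the lower-cased address from the From header ('' if none)."""
    msg = message_from_string(raw_message)
    # parseaddr separates the display name from the address, so a stranger
    # cannot pass by putting a friend's address in the display name.
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.strip().lower()

def route(raw_message, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Pick a folder: blacklist first, then whitelist, else hold for review."""
    addr = sender_of(raw_message)
    if addr in blacklist:
        return "Spam"
    if addr in whitelist:
        return "Inbox"
    return "Review"

def approve(raw_message, whitelist):
    """After a manual review, add the sender so future mail is not filtered."""
    addr = sender_of(raw_message)
    if addr:
        whitelist.add(addr)
    return addr

# Constructed sample messages.
SAMPLES = {
    "friend": "From: Alice <Alice@Example.ORG>\nSubject: lunch\n\nhi",
    "spammer": "From: promo@bulk-mailer.example\nSubject: WIN\n\n...",
    "stranger": 'From: "alice@example.org" <stranger@elsewhere.example>\n'
                "Subject: hello\n\n...",
    "nofrom": "Subject: no sender\n\n...",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", route(raw))
```
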

Set your e-mail program to the highest possible security

This means turning off all preview and abstracting features. No mail should be opened automatically. If your mail program has features that do this, turn them off!

If your friends can’t write precise, descriptive subject headers, tough, they’ll have to wait for your careful perusal later.

Set your mail program not to load remote images or web beacons. Set it not to execute any embedded scripts in mail. Set it not to follow redirects or load frames or iframes. Set it to scan attachments for viruses, worms and trojans.

Some things I just mentioned may not make any sense to greenhorns, but many of the new mail programs have settings for security. Consult the program’s help files about the security features and turn on every single one. Hopefully in the process, you’ll disable many of these useless and dangerous features I just mentioned.

Be suspicious of HTML-based e-mail from strangers

There are lots of good reasons why you should be suspicious of and avoid using HTML-based mail, but two reasons are worms and web beacons.

Web beacons are little transparent images (though many can also be plainly visible) that point to other servers on the Internet to let those servers know that a mail has been opened or a page has been loaded. Web beacons can be used to track you and determine if your mail account is a live one. Once the bad guys get that signal, the flood of spam commences.

HTML also supports embedded scripts that can load popups or take control of your mail program to reproduce and send copies to other victims. This is another main reason why HTML-based mail is very sketchy and should be viewed with suspicion.
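To see what a mail program has to block, here is an added example (not from the original post) that audits the HTML body of a message for the things named above: remote images and likely beacons, scripts, frames, redirects and inline event handlers. The sample markup and the tracker.example and cdn.example hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"script", "iframe", "frame"}

def is_remote(url):
    """True if loading this URL would contact a server on the Internet."""
    return urlparse(url).scheme in ("http", "https") or url.startswith("//")

class MailHTMLAudit(HTMLParser):
    """Collects (kind, tag, detail) findings while parsing a mail's HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", tag, a.get("src", "")))
        if tag == "img" and is_remote(a.get("src", "")):
            # Any remote image reports the open; a 0x0 or 1x1 one is a
            # classic invisible beacon.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            kind = "likely-beacon" if tiny else "remote-image"
            self.findings.append((kind, tag, a["src"]))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("redirect", tag, a.get("content", "")))
        for name in a:
            if name.startswith("on"):  # onload, onclick, onerror, ...
                self.findings.append(("inline-handler", tag, name))

def audit(html_body):
    parser = MailHTMLAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample body. The cid: image is embedded in the mail itself,
# so it is not flagged.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://tracker.example/r"></head>
<body onload="x()"><p>Hello</p>
<img src="http://tracker.example/open.gif?id=123" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="80">
<img src="cid:logo123">
<script>x()</script>
<iframe src="http://tracker.example/frame"></iframe></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding)
```
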

Be suspicious of any e-mail attachment

This one is also almost common knowledge, but it bears repeating. Never open any attachment without saving it and scanning it first. Always save it to disk and scan it for viruses, worms and trojans first. Even if you think it’s safe, don’t do it. Save it and scan it first.

Other survival skills? Conclusions

Well, that should be enough to enlighten the populace. Now I can point people to it when their wanton ways set me ranting. I will add other bits as I learn them myself. I tried to keep this essay non-platform-specific because ignorance can be found in all operating systems.

If you have any suggestions, mail me or add a comment here.
