
Email security
Sender Policy Framework (SPF) is perhaps the most widely used email sender authentication standard. It lets a receiving mail server check, via a DNS TXT record published by the sending domain, whether the connecting IP address is authorised to send mail for the domain in the envelope sender (the SMTP MAIL FROM, which ends up as the Return-Path) or the HELO name. Note that SPF on its own does not check the From: header that users actually see; tying the two together is what DMARC's alignment check adds. Two other approaches to securing email are TLS (Transport Layer Security), which encrypts the connection between mail servers, or between client and server, one hop at a time, and DKIM (DomainKeys Identified Mail), which adds a domain-level digital signature over selected headers and the message body. A BITS paper ably describes all three.
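As an added example that is not part of the original page or of the BITS paper, the following Python evaluates a sending IP address against a domain's SPF record. It runs offline against a small constructed DNS table (every domain and address in it is hypothetical), implements only the ip4, ip6, include and all mechanisms, and demonstrates the caveat above: the record is evaluated for the envelope sender domain, so an SPF pass says nothing about whether the From: header the reader sees belongs to the same domain.

```python
import ipaddress

# Constructed stand-in for live DNS TXT lookups; every domain and address here is hypothetical.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record from the constructed table, or None if it has none."""
    record = DNS_TXT.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_host(ip, domain, depth=0):
    """Simplified SPF check_host(): returns pass, fail, softfail, neutral, none or permerror.

    Only the ip4, ip6, include and all mechanisms are implemented; a, mx, ptr,
    exists and redirect (all part of the real specification) yield permerror here.
    """
    if depth > 10:                     # crude guard against include loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:    # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = addr.version == network.version and addr in network
        elif mechanism == "include":
            # include matches only if the referenced record yields "pass" for this IP
            matched = check_host(ip, argument, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # record exhausted without a match


def authenticate(envelope_from, header_from, client_ip):
    """Evaluate SPF for the MAIL FROM domain and report whether the visible From:
    header uses the same domain (exact-match alignment, a simplification of the
    check DMARC performs). Returns (spf_result, aligned)."""
    mail_from_domain = envelope_from.rpartition("@")[2].lower()
    header_domain = header_from.rpartition("@")[2].lower()
    return check_host(client_ip, mail_from_domain), mail_from_domain == header_domain


if __name__ == "__main__":
    # SPF passes for the envelope domain, yet the From: the reader sees is another domain entirely.
    print(authenticate("bounce@example.com", "security@bank.example", "192.0.2.55"))
```

The last call is the case worth remembering: a spammer who controls a domain with a valid SPF record can put it in MAIL FROM, pass SPF, and still show the victim any From: address they like. Without an alignment check, an SPF pass is evidence about the bounce address, not about the sender the user sees.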
VaporStream emails are encrypted and self-destruct after reading, making eDiscovery less likely.
Sample policies covering email and other forms of messaging are here and here, plus one on email retention.
SecurityDocs also has a collection of email policy examples.
Advice on choosing email clients according to their security features.
Wikipedia explains S/MIME and PGP and has links to more technical sources and other standards. Here’s a
short article on the technical architecture options for email encryption. Why do so few people use email
encryption? Is it just ‘too hard’? If so, Thomas Green’s SOHO security book [reviewed on this site] should help.
NIST’s SP 800-45 Guidelines on Electronic Mail Security offers 139 pages of free advice on the secure
installation, configuration and maintenance of email servers and clients, from operating systems to administration and use.
CERT’s easy-reading cyber security tips on email security cover email clients, blind carbon copy, attachments, chain letters, hoaxes and urban legends, free email services, digital signatures and phishing.
There are many stupid email disclaimers in circulation. Read a lawyer’s sentence-by-sentence dismantling of
a disclaimer to appreciate the complexities involved.
Find out how to back-trace the origins of an email using the Received: lines in the mail header. Each server prepends its own line, so read them from the bottom up, and bear in mind that only the lines added by servers you trust are reliable: anything below the first hop you do not control could have been written by the sender.
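The following Python is added here as an illustration and is not taken from the linked article. It walks the Received: lines of a constructed phishing message (every host name, address and timestamp in it is hypothetical) from the top down. Given the names of your own mail servers, it returns the one hop you can actually verify, namely the host that handed the message to your last trusted server, and lists the lower hops as unverified because that remote host, or the sender behind it, could have inserted them.

```python
import re
from email import message_from_string

# Constructed sample message; hosts, addresses and dates are hypothetical.
# The bottom Received: line claims the mail came from the bank, but it sits below
# the first hop outside our control and so could have been forged by the sender.
RAW_MESSAGE = """Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.example.com with ESMTPS id 4Xyz; Mon, 3 Mar 2008 10:02:11 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
\tby mx.example.com with ESMTP; Mon, 3 Mar 2008 10:02:09 +0000
Received: from [203.0.113.77] (helo=bank.example)
\tby relay.isp.example with SMTP; Mon, 3 Mar 2008 10:01:55 +0000
Received: from trusted.bank.example (trusted.bank.example [192.0.2.200])
\tby bank.example with ESMTP; Mon, 3 Mar 2008 09:00:00 +0000
From: "Your Bank" <security@bank.example>
To: victim@example.com
Subject: Please verify your account

Body omitted.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Pull the claimed sending host, its bracketed IP, the receiving host and the
    timestamp out of one Received: header value (folding whitespace collapsed)."""
    value = re.sub(r"\s+", " ", value).strip()
    match = RECEIVED_RE.search(value)
    if not match:
        return {"helo": None, "ip": None, "by": None, "date": None}
    helo, paren, by = match.group("helo"), match.group("paren") or "", match.group("by")
    ip_match = IP_RE.search(helo + " " + paren)
    return {
        "helo": helo.strip("[]") if helo.startswith("[") else helo,
        "ip": ip_match.group(1) if ip_match else None,
        "by": by,
        "date": value.rpartition(";")[2].strip(),
    }


def trace_origin(raw, trusted_hosts):
    """Walk Received: lines top-down (newest first). Return (handoff, unverified):
    handoff is the hop written by our last trusted server, i.e. the host that
    connected to us, and unverified is every lower hop, which we cannot vouch for.
    Returns None if not even the top line was written by a trusted server."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    last_trusted = -1
    for index, hop in enumerate(hops):
        if hop["by"] and hop["by"].lower() in trusted_hosts:
            last_trusted = index
        else:
            break
    if last_trusted < 0:
        return None
    return hops[last_trusted], hops[last_trusted + 1:]


if __name__ == "__main__":
    handoff, unverified = trace_origin(RAW_MESSAGE, {"mail.example.com", "mx.example.com"})
    print("verifiable origin:", handoff["ip"], handoff["helo"])
    for hop in unverified:
        print("unverified claim :", hop["ip"], hop["helo"], "->", hop["by"])
```

Run it and the verifiable origin is the ISP relay at 198.51.100.20, not the bank: the line naming trusted.bank.example is below the first untrusted hop and is exactly what a forger would add to make a naive bottom-up reading point at the bank. Complaints should go to the relay's abuse contact with the full headers, since only that operator can check its own logs for the 203.0.113.77 connection.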
Spam
Fed up with websites that ask you to register before they will impart useful information? Worried about
being spammed as a result? Check out free email services such as Mailinator, SpamMotel, SneakEmail and SpamGourmet: instant email addresses you just make up on-the-fly, visit once to collect your information
then abandon to the spammers.
Why am I getting all this spam? reports on the Center for Democracy and Technology’s fascinating
research project into how spammers found valid email addresses in 2003. Although a little technical at times, the report provides practical advice on how to reduce the problem.
eWeek’s spam page carries dozens of articles on spam including pieces on CAN-SPAM and product reviews of spam filtering software.
Spam wars - our last, best chance to defeat spammers, scammers and hackers by Danny Goodman (~$18 from
Amazon) starts with a gentle introduction to the history of email scams, then moves on to discuss the strengths and weaknesses of a range of anti-spam and similar techniques.
Slamming Spam: A Guide for System Administrators by Robert Haskins and Dale Nielson (~US$50 from Amazon) provides how-to guidance for IT pros on selecting and
configuring anti-spam controls for a good selection of email systems including Domino, Exchange, Outlook and more.
Jonathan A. Zdziarski’s Ending Spam: Bayesian Content Filtering and the Art of Statistical Language Classification
(~US$29 from Amazon) helps sysadmins fight the scourge of spam.
A spammer based in Australia and selling drugs from a Mauritius company to people all over the world was convicted under New Zealand anti-spam law and fined NZ$110k. It seems the authorities are getting on top of the jurisdictional complexities arising from virtual life on the Internet.
Spamhaus maintains a database of public information on known spammers, many of whom are evidently US-based.
US CERT advises PC users on how to tackle spam.
Spammers can’t escape their legal obligations through disclaimers.
If I had an inch for every penis enlargement spam ... :-)
The Register’s spam page has all the spam news you can eat, and then some.
Report abuse of Hotmail, Yahoo and a zillion other email services to their respective abuse@domain addresses with the full email headers. Report spam to SpamCop, Spamhaus, SURBL and/or Abuse.net (the
latter has a lot of helpful information about spam).
The Coalition Against Unsolicited Commercial Email (CAUCE) is a worthy body of volunteers trying to curb the spam problem by applying pressure to governments.
Spam and other obnoxious marketing techniques, such as adware and spyware, are addressed by cexx.org.
419s (advance fee frauds) and similar scams
Scammers hoping to entice victims often use social engineering techniques. By exposing 9 dirty tricks, CSO
Magazine hopes to inform and hence forewarn.
A global self-help initiative to counteract the 419 scammers is run by the South African police. It’s a name-and-shame deal, with police and community backing lending some weight to their efforts to get scammer sites and services closed down. Awareness/education is a primary and very worthy aim.
A list of around 130 websites fighting 419 scams is maintained by the 419 Coalition.
A gallery contains hundreds of examples of 419 emails. If you are fed up dealing with wave after wave of 419 scammers, EbolaMonkeyMan may be just the antidote you need [site contains adult material and juvenile humor]. And wait there’s more: here’s a succinct scam test.
Yale University’s page on 419 scams is a good example of the proactive use of awareness to reduce information security risks.
Security for IM, ICQ, Skype Text, VoIP etc.
Find out how IM works.
Top three VoIP security risks.
Three tools can help manage IM security.
NIST’s Special Publication 800-58 Security Considerations for Voice over IP Systems (a free 100-page book!) is a useful security guide and VoIP primer.
Like Wi-Fi, VoIP is a commercially attractive technology with significant security concerns. The VoIP Security Alliance, an ‘industry body’ (funded by VoIP vendors - spot the potential conflict of interest), is defining
security standards for VoIP implementations.
Were you aware that, in addition to Voice over IP, Skype permits file transfers between users? ... Simson Garfinkel’s high-level assessment of the information security risks of Skype makes for interesting reading. See the Skype security centre for more, particularly the admin guide.
Other messaging security stuff
Messages concerning cool utilities (such as a spam blocker) are a common way to fool naïve social media
users into infecting their systems with malware.
Are you comfortable allowing third parties to maintain security of your Blackberry?
Read here and here about a classic email security incident: the compromise of Sarah Palin’s Yahoo! email by a social engineer.
‘Typosquatters’ benefit from emails accidentally sent to mis-typed addresses.
“Sending a confidential office document unencrypted and without proper permissions to your workgroup is like attaching a $100 bill with a paper clip to a postcard and passing it around your office. Will it come back
to you with the money still attached?” Read the rest in Triangle Tech Journal.
If you slander someone by email, it is treated in law as libel since email is a written form of communication. Libel is legally defined by several criteria. Read this FAQ for more information and CONSULT A QUALIFIED LEGAL EXPERT
for the definitive, if a tad more expensive, answer.
Related NoticeBored links collections
See also the office security links page
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. None of this is legal advice.