Email security resources


General email security resources

Search for recently-released and forthcoming email security books at Amazon.

Wikipedia’s pages on S/MIME and PGP have useful explanations of these email security standards plus links to more technical sources and other standards.

In SP 800-45, Guidelines on Electronic Mail Security, NIST offers 139 pages of free advice on the secure installation, configuration and maintenance of email servers and clients, from operating systems to administration and use. The standard was updated in February 2007.

A 3-lesson Email Security School [access requires free registration] consists of webcast presentations by an email security guru, technical papers and quizzes to check your comprehension.

Hushmail offers simple-to-use encrypted email for individuals and (small) corporates, including webmail and POP/IMAP access for Outlook etc. Secure Webmail offers SSL access with anti-spam and antivirus functions included. At about $40 for a year’s subscription, services like these won’t break the bank.

CERT’s easy-to-swallow cyber security tips cover email clients, blind carbon copy, attachments, chain letters, hoaxes and urban legends and spam.

GFI MailSecurity is an email content checking, exploit detection, threats analysis and antivirus solution that incorporates multiple detection engines/methods.

Everyone seems to have their own idea of what email disclaimers should say. Typically they use curious pseudo-legal mumbo jumbo wording that has little if any force in law. A huge number of largely meaningless statements are in use worldwide (... “If you are not the intended recipient, this message should be destroyed without reading”...).

Find out how to back-trace the origins of an email using information in the mail header ... but be aware that pretty much anything in an ordinary (i.e. not cryptographically signed) email may be forged or manipulated en route to your inbox.

Sender Policy Framework (SPF, originally “Sender Permitted From”) is perhaps the most widely used email authentication standard, vying for the top slot with Microsoft’s Sender ID. Neither has gained sufficient acceptance as yet to become a de facto standard and, since they address slightly different problems, they may coexist for a while yet.

Spam

Please note: SPAM is not spam

Slamming Spam: A Guide for System Administrators by Robert Haskins and Dale Nielson (~US$32 from Amazon) provides how-to guidance for IT pros on selecting and configuring anti-spam controls for a good selection of email systems including Domino, Exchange, Outlook and more.


Spam Wars: Our Last, Best Chance to Defeat Spammers, Scammers and Hackers by Danny Goodman (~$12 from Amazon) starts with a gentle introduction to the history of email scams, then moves on to discuss the strengths and weaknesses of a range of anti-spam and similar techniques. Gets good reviews from trusted reviewers.

Why am I getting all this spam? reports on the Center for Democracy and Technology’s fascinating research project into how spammers found valid email addresses in 2003. Although a little technical at times, the report provides practical advice on how to reduce the problem.

eWeek’s spam page carries dozens of articles on spam including pieces on CAN-SPAM and product reviews of spam filtering software.

The Register reports “Each active copy of the [HotLan] Trojan attempts to set up a webmail account, sending off the captcha image in an encrypted form to a spammer-controlled website. Servers behind this site process the image and extract the solution to the captcha challenge, which is then posted in the appropriate field. Once a webmail account is established, encrypted spam emails are sent from a website onto infected machines. The HotLan Trojan then decrypts these junk emails and sends them to (presumably valid) addresses taken from yet another website.” The Register’s spam page has all the spam news you can eat, and then some.

The US CAN-SPAM Act bans false/misleading email headers and deceptive subjects, and requires that email distributions contain an opt-out method. It also requires that commercial emails be identified as advertisements and include the sender's valid physical postal address. Unfortunately, CAN-SPAM has patently failed to stem the spam tsunami.

According to the New York Times, 11% of the 650 million computers online contain botnet code, 250,000 new systems get botted every day and 80% of all spam originates from botnets.

Support Intelligence monitors the Internet for spam, botnets etc. Many big-name companies are named and shamed; in other words, spammers have evidently infiltrated major corporate networks, setting up botnets that spew forth spam through the corporate email systems.

Anti-spam email systems that use “challenge-response” to confirm that human beings, not spam-bots, have sent emails that arrive unexpectedly in your inbox may seem at first glance like a good idea but they are blamed for creating even more spam. One unfortunate victim whose email address was used by a spammer to forge the sender field received over 25,000 ‘backscatter’ messages including a good number of automated challenges.

Abuse is an open source program to respond automatically to spam messages, automatically composing responses to go to the abuse addresses listed for the IPs of the sending machines. As the senders are commonly compromised zombie PCs, informing the owners and getting the machines cleaned up helps fight the avalanche of spam.

If you use Spamassassin, visit uribl.com for a blacklist built around the ‘click here to buy’ links in spam messages. These links are, allegedly, a more reliable guide to spammers than the ‘to’ and ‘from’ address fields which (as we know to our cost) are all too easily spoofed: we are emphatically NOT responsible for spams that appear to have been sent from IsecT.com email addresses. We don’t spam. We really hate spam. 

If you experience problems with abusers of Google’s Gmail service, report them through the Gmail security center. Report abuse of Hotmail, Yahoo and a zillion other email services to their respective abuse@domain addresses with the full email headers but be quick: it’s hardly worth reporting 419s, phish or spams more than a few minutes after they arrive since a zillion other well-meaning complainants will have already notified them, and most have their own early-warning abuse detection processes. Report spam to SpamCop, Spamhaus, SURBL and/or Abuse.net (the latter has a lot of helpful information about spam).

The Coalition Against Unsolicited Commercial Email (CAUCE) is a worthy body of volunteers trying to curb the spam problem by applying pressure to governments.

The OECD reports that parts of the developing world (such as Nigeria) are being overwhelmed with spam. [Given the volume of 419 advance fee frauds still originating from those same parts of the world, some might call this poetic justice ... but spam is an indiscriminate problem that does not just affect fraudsters].

Fed up with websites that ask you to register before they will impart useful information? Worried about being spammed as a result? Check out Mailinator for one solution: instant email addresses you just make up on-the-fly, then visit once to collect your information and never again.

Jeremy Jaynes was the first person in the US to get a prison term (9 years) for spamming.

Information Security News (ISN), an excellent source of topical news articles and new resources for this links collection, has a number of mirror/archive sites. These are regularly updated by automated data feeds. The Security Focus ISN archive, however, evidently has a problem with spam, republishing messages that some might find offensive. Site owners Symantec have been informed several times since 2004 but (as of August 2007 at least) seem to be unable to resolve the problem. [This seems particularly ironic, given that Symantec supplies Norton Antispam and similar tools ...]

Sophos releases quarterly lists of the top 12 countries relaying spam. USA, the global pinnacle of the marketing art, typically wins the [fools-]gold medal.

Spam and other obnoxious marketing techniques, such as adware and spyware, are addressed by cexx.org.

Hackers broke into an Employment Development Department server containing personal information of 90,000 nannies, butlers, gardeners and their employers. The hackers gained access to names, Social Security numbers and wage records. Investigators think the hackers broke in to the server to use it to send spam, not to collect information for identity theft ... although how they reached this conclusion is not mentioned by USA Today.

Other email security stuff

If you find yourself lost for words when writing an email to management, try this.

Telecom New Zealand’s disastrous launch of a new email service cost the company at least NZ$7m, according to press releases and media reports.

Be careful how you configure your email software. A cautionary tale concerns the misconfiguration of Microsoft Small Business Server systems which led to emails being rebroadcast to numerous recipients, eventually causing a rather embarrassing service outage. Way back in 1996, the RISKS newsgroup reported a story about a deputy prosecutor who set his email to auto-reply before leaving the office for a few days. Unfortunately, he set it to auto-reply to all 2,000 subscribers on the email system and request confirmation of all messages ... within hours, the system was awash with 150,000 emails including the auto-replies, forwards and confirmations. Modern email systems prevent this kind of thing (or at least some do), but human error has an amazing knack of bypassing technical controls.

Acceptable Use Policies (AUPs) typically explain to employees what the organization considers to be acceptable vs. unacceptable use of the corporate IT systems. Auckland University’s AUP for email is a good example. 

The US Department of Justice fact sheet on Operation Global Con noted the arrest of hundreds of fraudsters involved in running 419, lottery and investment scams through Internet email. Some 565 people were arrested in five countries, indicating the cooperation of international law enforcement bodies to tackle these so-called borderless crimes.

“Sending a confidential office document unencrypted and without proper permissions to your workgroup is like attaching a $100 bill with a paper clip to a postcard and passing it around your office. Will it come back to you with the money still attached?” Read the rest in Triangle Tech Journal.

If you slander someone by email, it is treated in law as libel since email is a written form of communication. Libel is legally defined by several criteria. Read this FAQ for more information and ** CONSULT A QUALIFIED LEGAL EXPERT ** for the definitive, if somewhat more expensive, answer. This is not legal advice. I am not a lawyer. I don’t even own a three piece suit.


Related NoticeBored links collections

Laws and regulations, incident management, social engineering, privacy & data protection, IT fraud, network security, mobile computing & teleworking and, last but not least, malware


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd. and licensors