Essential Email Security Advice

The internet is a public network. The world wide web lets you read your Email from anywhere, but it also means that anyone, anywhere, can attempt to log in to your Email accounts. For this reason it is vital that you take the necessary precautions to keep your Email accounts secure. The following guidelines represent best practice and should help you make the right decisions when it comes to maintaining your Email security.

Public Email Address Exposure.

One of the first mistakes made by web designers and site owners is to list contact Email addresses on the internet. Of course you want people to send you Emails, but there are ways to allow this without exposing your Email accounts to the world. In the early days it was common to use mailto links on websites. These are the links you click on a web page that open your Email software and pre-fill the recipient address. Putting your Email address on your website, either as plain text or in a mailto link, is a very bad idea. Spammers use web bots to harvest addresses from the web, and a bot reads the address inside a mailto link just as easily as it reads visible text. They use these lists of addresses as recipients of spam and as the forged sender addresses of the spam they send out. The lists are also sold on to marketing firms, other spammers and hackers. In addition, once they know your Email address they can start trying to log in to it with different passwords, in order to compromise your account and send more spam from it.

So, the first rule is not to expose your Email address to the public via your website. Use a contact form instead or, if you must show the address, an image containing it. An image is not text, so a simple harvester cannot read it (it is less accessible to your visitors and can be read with OCR, so a contact form is the better option). Writing the address as "david at example dot com" or encoding the characters as HTML entities gives less protection than it appears to, because harvesters decode those forms before matching.
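To show what a harvesting bot actually collects, here is an added example (not part of the original article) of the kind of matcher such bots run. The three sample pages and the example.com addresses are constructed for the demonstration. It decodes HTML entities first and scans attribute values as well as visible text, so both plain-text and mailto: addresses are captured, while a page that uses a contact form and an image yields nothing.

```python
import html
import re

# Constructed sample pages (not taken from any real site): the same contact
# details published three different ways.
PAGE_PLAINTEXT = """
<p>Sales enquiries: sales@example.com</p>
<p>Or write to <a href="mailto:david@example.com">David</a>.</p>
"""

PAGE_ENTITY_OBFUSCATED = """
<p>Contact: david&#64;example&#46;com</p>
<p>Or <a href="mailto:sales&#64;example.com?subject=Quote">email sales</a></p>
"""

PAGE_CONTACT_FORM = """
<form method="post" action="/contact">
  <input name="from" type="email"><textarea name="body"></textarea>
  <button>Send</button>
</form>
<p>Or see the address in <img src="/img/contact-address.png" alt="our email address"></p>
"""

# A deliberately loose address pattern: harvesters prefer false positives to misses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(page_html):
    """Return the set of addresses a harvesting bot would pull from a page.

    Two things site owners tend to forget: the bot decodes HTML entities
    before matching, and it reads attribute values (mailto: hrefs) as well
    as the visible text.
    """
    decoded = html.unescape(page_html)
    return set(EMAIL_RE.findall(decoded))


if __name__ == "__main__":
    for name, page in [("plain text / mailto", PAGE_PLAINTEXT),
                       ("entity-obfuscated", PAGE_ENTITY_OBFUSCATED),
                       ("contact form + image", PAGE_CONTACT_FORM)]:
        print(f"{name:22s} -> {sorted(harvest(page)) or 'nothing harvested'}")
```

Run it and the first two pages give up both addresses; only the form-and-image page leaves the bot empty-handed.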

Choice of Email Address.

Another mistake is to use common names in Email addresses such as sales@, support@, info@, david@ and so on. Common addresses come under attack from spammers and hackers constantly: if your Email address can be easily guessed, it is more likely to be a target. If you use automated enquiry forms on your website that don't expose your Email address, you don't need a common address at all. The same goes for addresses belonging to individuals: instead of david@, try david.g@ for example. A spammer trying to compromise accounts on your domain will work through all the common names first, then all known first names alphabetically. One thing a spammer has in their favour is time: they could try to log in to your account 500 times a day for three years until they finally match both the Email address and the password. Bear in mind that an unusual address only raises the bar slightly, since it is revealed to everyone you ever write to; it is the password that does the real work.

Choice of Password.

Using a weak password is the single most common cause of Email accounts being compromised. Place names, people's names and single dictionary words will almost certainly allow your Email account to be cracked. A very common mistake is to use a person's name followed by a year of birth, for example david1982. Since almost nobody is over 100 years old, that is only about 100 year values for a cracking tool to try after each name. Another trick people use is to put digits and capitals inside the name, for example dAv1d1982. This is no more secure, because spammers know all these tricks and build them into their cracking tools as substitution rules.

The only safe password is one that does not contain any actual words or recognizable number combinations. Your password should be at least 10 characters (longer is better) and contain a mix of letters, numbers, upper and lower case and symbols, like this one: 7h@L6k5D=bBs&2. The usual reluctance to use good passwords is that they are considered more difficult to memorise. This isn't really true: we manage to memorise phone numbers, home addresses and so on. In addition, you can reset your Email password whenever you want if you forget it, and if you only ever use your Email software to access your messages you don't need to remember the password at all. You can choose an extremely complicated one, since you only have to enter it once. If you use webmail a lot and choose to enter your password manually, you can still remember a more complicated combination; it just takes practice. Write it down on a piece of paper, carry it with you for a few days, and destroy the note once you know the password.

If you really do need to remember your Email password, a good password creation technique is to combine the first letters of people's names, things around the house, the last two digits of dates of birth and some symbols. Here is an example of this.

1. Pick out some items, people or numbers, like this: David has a Sony phone, Janet has a Panasonic television, the last three letters of David's car registration are SSU and his parents live at number 33.

2. Put them together in a combination like this: Da=So+Ja=PaTV@SSU33

If you use only small snippets of information that are meaningful to you, you are much more likely to remember the password, but no-one else will be able to guess it or crack it with software. Avoid snippets you have published, for example on social media, since someone targeting you specifically could collect those.

Another good way to choose a memorable password is to create a memorable sentence and then apply a rule, like this.

1. Create a sentence that you can remember: "my wife janet really likes lasagne!"
2. Create a rule such as "take the first two letters of each word and capitalise the second".

Capitalising the second letter of each word gives mYwIfejAnetrEallylIkeslAsagne!, and keeping only the first two letters of each word (plus the exclamation mark) gives the password mYwIjArElIlA!

The idea is to try and remember the password, but if you forget it, you know the sentence and the rule used, so you can always re-create it.
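The following is an added example, not code from the original article, that ties the "Choice of Password" paragraphs together. It implements a small version of the substitution rules a cracking tool applies to a dictionary word (case changes, digit-for-letter swaps, appended years and two-digit numbers), the sentence rule described just above, and a rough search-space figure. The two-word dictionary is a constructed stand-in for the multi-million-entry lists real tools ship with; assume a real list contains every common first name. The point it makes is that david1982 and dAv1d1982 both fall out of the rules applied to the single word "david", even though the second one looks more complex, while the sentence-rule password and the random one do not.

```python
import itertools
import string

# Constructed stand-in for a real cracking wordlist (assumption: a real list
# contains every common first name, so "david" and "janet" are in it).
BASE_WORDS = ["david", "janet"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
YEARS = [str(y) for y in range(1920, 2025)]   # roughly everyone alive today


def case_variants(word):
    """Every upper/lower pattern: david, David, dAvid, DAVID, ..."""
    return {"".join(c) for c in itertools.product(*[(ch.lower(), ch.upper()) for ch in word])}


def leet_variants(word):
    """Every subset of digit-for-letter swaps: david, d4vid, dav1d, d4v1d."""
    swappable = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for n in range(len(swappable) + 1):
        for subset in itertools.combinations(swappable, n):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i].lower()]
            out.add("".join(chars))
    return out


def mangle(word):
    """Expand one dictionary word the way a rule file does: case x leet x suffix."""
    suffixes = list(YEARS) + [str(n) for n in range(100)] + [f"{n:02d}" for n in range(100)]
    out = set()
    for cased in case_variants(word):
        for stem in leet_variants(cased):
            out.add(stem)
            for suffix in suffixes:
                out.add(stem + suffix)
    return out


def guessed_from(password, words=BASE_WORDS):
    """Return the dictionary word whose mangled forms include `password`, or None."""
    for word in words:
        if password in mangle(word):
            return word
    return None


def sentence_rule(sentence):
    """The article's rule: first two letters of each word, second one upper-cased,
    with any trailing punctuation kept."""
    pieces = []
    for word in sentence.split():
        letters = "".join(ch for ch in word if ch.isalpha())
        punct = "".join(ch for ch in word if not ch.isalpha())
        head = letters[:2]
        if head:
            pieces.append(head[0].lower() + head[1:].upper())
        pieces.append(punct)
    return "".join(pieces)


def search_space(password):
    """Combinations a blind brute force would face: alphabet size ** length."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size ** len(password)


if __name__ == "__main__":
    for pw in ["david1982", "dAv1d1982", sentence_rule("my wife janet really likes lasagne!"), "7h@L6k5D=bBs&2"]:
        print(f"{pw:16s} nominal space 10^{len(str(search_space(pw))) - 1:<3d} "
              f"generated by rules from: {guessed_from(pw)}")
```

The nominal search space of dAv1d1982 is larger than that of david1982, yet the rules recover both from the same word; that is why the article says mixing digits and capitals into a name adds nothing.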

SSL

SSL stands for "Secure Sockets Layer", which won't mean much to most people. Essentially, when you enable SSL in your Email account, the data sent between your computer and the server is encrypted. The protocol current software actually uses is TLS, the successor to SSL, but mail clients still label the setting "SSL" or "SSL/TLS".
When you connect to send and receive Email, your username and password are by default sent in plain text (the base64 encoding used by SMTP and IMAP logins is not encryption). If you don't use SSL to encrypt the connection, someone on the same network could intercept them. While this type of compromise is rare, it is becoming more common due to the widespread use of unsecured WiFi networks and the increase in mobile devices. We advise that you use SSL whenever possible: IMAP on port 993, POP3 on port 995 and SMTP on port 465, or STARTTLS on the standard ports 143, 110 and 587. Make sure your client is set to verify the server's certificate rather than accept any certificate, otherwise an attacker in the middle can present their own certificate and still read the password. Please see Email Account Settings for All Email Clients and Devices for more information.
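As an added example (not part of the original article), the block below shows what "the password is sent in plain text" looks like on the wire and what the recommended settings look like in code. The three session transcripts are constructed for the demonstration; the mail.example.com host and the david@example.com credentials are assumptions. The first function recovers the username and password from a cleartext capture of SMTP AUTH PLAIN, SMTP AUTH LOGIN and IMAP LOGIN; the two connection helpers show the client side of the advice (implicit TLS on 993, STARTTLS on 587, certificate verification on) using Python's standard library.

```python
import base64
import imaplib
import re
import smtplib
import ssl

# Constructed transcripts (nothing here came from a real server). Without TLS
# every one of these lines crosses the network exactly as printed.
_PLAIN_BLOB = base64.b64encode(b"\0david@example.com\0david1982").decode()  # RFC 4616 layout
_USER_B64 = base64.b64encode(b"david@example.com").decode()
_PASS_B64 = base64.b64encode(b"david1982").decode()

SMTP_AUTH_PLAIN_SESSION = f"""\
S: 220 mail.example.com ESMTP ready
C: EHLO laptop.local
S: 250-mail.example.com
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN {_PLAIN_BLOB}
S: 235 2.7.0 Authentication successful
C: QUIT
"""

SMTP_AUTH_LOGIN_SESSION = f"""\
S: 220 mail.example.com ESMTP ready
C: EHLO laptop.local
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: {_USER_B64}
S: 334 UGFzc3dvcmQ6
C: {_PASS_B64}
S: 235 2.7.0 Authentication successful
"""

IMAP_LOGIN_SESSION = """\
S: * OK IMAP4rev1 ready
C: a1 LOGIN "david@example.com" "david1982"
S: a1 OK Logged in
"""

IMAP_LOGIN_RE = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.I)


def _client_lines_after(lines, i, n):
    """The next n lines the client sent after line index i."""
    return [l[3:].strip() for l in lines[i + 1:] if l.startswith("C: ")][:n]


def recover_credentials(transcript):
    """Pull (mechanism, username, password) out of a cleartext session capture."""
    lines = transcript.strip().splitlines()
    found = []
    for i, line in enumerate(lines):
        if not line.startswith("C: "):
            continue
        cmd = line[3:].strip()
        upper = cmd.upper()
        if upper.startswith("AUTH PLAIN"):
            parts = cmd.split(None, 2)
            # the blob is either an initial response on the same line or the next client line
            blob = parts[2] if len(parts) == 3 else _client_lines_after(lines, i, 1)[0]
            _authzid, user, pw = base64.b64decode(blob).split(b"\0")
            found.append(("SMTP AUTH PLAIN", user.decode(), pw.decode()))
        elif upper == "AUTH LOGIN":
            user_b64, pw_b64 = _client_lines_after(lines, i, 2)
            found.append(("SMTP AUTH LOGIN",
                          base64.b64decode(user_b64).decode(),
                          base64.b64decode(pw_b64).decode()))
        else:
            m = IMAP_LOGIN_RE.match(cmd)
            if m:
                found.append(("IMAP LOGIN", m.group(1), m.group(2)))
    return found


def secure_imap_login(host, user, password):
    """What 'enable SSL' means in practice: implicit TLS on port 993 with the
    server certificate and hostname verified against the system trust store."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)
    conn.login(user, password)
    return conn


def secure_smtp_login(host, user, password):
    """Submission on port 587 with STARTTLS; the password is only sent after
    the connection has been upgraded to TLS."""
    ctx = ssl.create_default_context()
    conn = smtplib.SMTP(host, 587)
    conn.starttls(context=ctx)
    conn.login(user, password)
    return conn


if __name__ == "__main__":
    for session in (SMTP_AUTH_PLAIN_SESSION, SMTP_AUTH_LOGIN_SESSION, IMAP_LOGIN_SESSION):
        for mech, user, pw in recover_credentials(session):
            print(f"{mech:16s} user={user} password={pw}")
```

The two `secure_*` helpers are not exercised offline; they show the settings the article recommends (port, TLS, certificate checking) in the form a script would use them.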

Brute Force Attacks.

Brute force password attacks are on the increase. Spammers and hackers use increasingly sophisticated techniques to try to log in to Email accounts over the public network. They use botnets comprising thousands of IP addresses, many of them compromised home computers running trojans without their owners' knowledge. These botnets connect to mail servers over the internet and try to log in. As mentioned above, they start with known Email accounts, then try accounts starting with A, then B, then C and so on, each time trying a different password. This can go on for many months until a match is found.
We use software to detect these attacks. If our system finds a particular IP address that has attempted to log in to a certain account many times without success, it blocks that IP address. Our software also blocks IPs from different locations that repeatedly try to access the same account without success. This helps to stop brute force attacks, but where a botnet contains several thousand IPs and spreads its attempts over a long period, so that each IP stays under the threshold, it is almost impossible to stop accounts with weak passwords from being compromised. As mentioned earlier, it just takes time.
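The detector below is an added example of the two rules just described, not the provider's own software. It runs over constructed log lines (loosely shaped like the lines an IMAP login daemon writes; the format, the thresholds and the example.com accounts are all assumptions) and returns the IPs to block and the accounts that are being hit from many addresses at once. The second rule is the interesting one: none of the six botnet IPs crosses the per-IP threshold on its own, which is exactly how a distributed attack slips past a simple per-IP block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp>Z imap-login: auth ok|failed user=<addr> rip=<ip>"
LINE_RE = re.compile(r"^(\S+) \S+: auth (ok|failed) user=<([^>]+)> rip=(\S+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m.group(2) == "ok", "user": m.group(3), "ip": m.group(4)}


def analyse(lines, per_ip_limit=10, distinct_ip_limit=5, window=timedelta(minutes=10)):
    """Apply both rules over a chronologically ordered log.

    Rule 1: one IP failing per_ip_limit times against one account inside
            `window` is blocked.
    Rule 2: one account failed against from distinct_ip_limit different IPs
            inside `window` is flagged as under a distributed attack, even
            though no single IP crossed rule 1.
    Thresholds are illustrative assumptions, not the provider's real settings.
    """
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    sources = defaultdict(dict)     # user -> {ip: timestamp of its latest failure}
    block_ips, targeted = set(), set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["ok"]:
            continue                # successes are not counted against anyone
        ts, user, ip = ev["ts"], ev["user"], ev["ip"]
        q = failures[(ip, user)]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= per_ip_limit:
            block_ips.add(ip)
        recent = sources[user]
        recent[ip] = ts
        for stale in [k for k, seen in recent.items() if ts - seen > window]:
            del recent[stale]
        if len(recent) >= distinct_ip_limit:
            targeted.add(user)
    return {"block_ips": block_ips, "targeted_accounts": targeted}


def _entry(hhmmss, user, ip, ok):
    status = "ok" if ok else "failed"
    return f"2024-05-01T{hhmmss}Z imap-login: auth {status} user=<{user}> rip={ip}"


# Constructed sample log, in time order (TEST-NET addresses, not real hosts).
SAMPLE_LOG = (
    # one IP hammering sales@: 12 failures in two minutes (rule 1)
    [_entry(f"09:{i // 6:02d}:{(i % 6) * 10:02d}", "sales@example.com", "203.0.113.5", False)
     for i in range(12)]
    # a botnet spreading one guess per IP across six IPs against david@ (rule 2)
    + [_entry(f"09:05:{n:02d}", "david@example.com", f"198.51.100.{n}", False) for n in range(1, 7)]
    # a real user mistyping twice and then getting in: neither rule fires
    + [_entry("09:07:00", "janet@example.com", "203.0.113.77", False),
       _entry("09:07:10", "janet@example.com", "203.0.113.77", False),
       _entry("09:07:20", "janet@example.com", "203.0.113.77", True)]
)

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("block:", sorted(result["block_ips"]))
    print("under distributed attack:", sorted(result["targeted_accounts"]))
```

In a real deployment the returned IPs would be fed to a firewall or ipset and the targeted accounts would get a temporary lockout or an alert; the logic above is what decides who gets that treatment.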

The most important point is that a conventional online brute force attack like this can only get into your account if your password is weak. A random 14-character password drawn from letters, digits and symbols has on the order of 10^27 possible combinations; even a botnet making thousands of guesses a day will not find it.

Trojans and Viruses.

As you'd expect, a virus on your computer can do a lot of damage. It can also sit there without your knowledge, record your keystrokes to capture your passwords, or read your Email directly. A good anti-virus and anti-malware checker is essential, not only for PCs but for Macs too. Many Mac owners think they are somehow immune to viruses, but Macs are targeted as well and are not immune.

Keep your passwords Unique.

In 2012, around 6.5 million password hashes from the social networking site LinkedIn were leaked. They were unsalted SHA-1 hashes, so most of them were cracked within days, giving the attackers email address and password pairs. LinkedIn reset the affected passwords, but that didn't stop thousands of those people having their Email accounts hacked. This happened because people tend to use the same password for lots of things: where the email address and password combination used on a website is also the password for that Email account, anyone with those details can get into the Email account. The lesson here is to make sure that the password you use for your Email is not used for anything else.

Summary.

To conclude this article, the following points should be considered.

1. We recommend that you don't publicly list your Email addresses on the web.
2. It is more secure to choose an Email address that is not easy to guess.
3. Make sure your password is very strong.
4. Use SSL whenever possible.
5. Use a good anti-virus / anti-malware application.
6. Never reuse your Email password anywhere else.

If you'd like any further help or advice regarding Email security, please contact us via our support helpdesk and a member of staff will be more than happy to advise you.
