August 28th, 2017

Does secure email make you more vulnerable to spam and viruses?

It can, but I really wouldn’t worry about it too much, and here’s why. There are really two kinds of secure email. There’s TLS, where the messages are encrypted as they sail between your servers and decrypted when they arrive, and because of that, your spam filter and your virus filter can do all the normal things. They fully protect you.

Every other kind of secure email system encrypts the bodies of the messages and all the attachments, so they’re encrypted while traveling and encrypted at rest. When these arrive at your server, the filters can’t do anything with that information, and that has implications. For spam, the filters can’t tell if the message looks spam-like, but they can look at metadata in the message: the subject, who it’s from, what servers it went through, et cetera. This can allow the spam filters to use some rules and filter out some of those bad messages, but some spam can still get through.
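The difference described above, from the point of view of a server-side filter, as an added example that is not part of the original post. The two sample messages, their addresses and the function names are constructed for illustration; the first stands for a message that is plaintext on arrival (as with TLS delivery), the second for a PGP/MIME encrypted body.

```python
from email import message_from_string

# Constructed samples: same headers, one plaintext body, one PGP/MIME body.
HDRS = ("Received: from mx1.example.net by mx.example.org\n"
        "From: billing@example.net\nSubject: Invoice\nMIME-Version: 1.0\n")
PLAIN = HDRS + ('Content-Type: multipart/mixed; boundary="b"\n\n'
                "--b\nContent-Type: text/plain\n\nSee attached.\n"
                "--b\nContent-Type: application/pdf\n\nJVBERi0=\n--b--\n")
ENCRYPTED = HDRS + ('Content-Type: multipart/encrypted; '
                    'protocol="application/pgp-encrypted"; boundary="b"\n\n'
                    "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
                    "--b\nContent-Type: application/octet-stream\n\n"
                    "(constructed ciphertext placeholder)\n--b--\n")

SMIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def is_opaque(part):
    """True if this MIME part is an end-to-end encrypted container."""
    ctype = part.get_content_type()
    if ctype in SMIME:  # signed-only S/MIME is not encrypted
        kind = str(part.get_param("smime-type", "enveloped-data"))
        return kind.lower() != "signed-data"
    return ctype == "multipart/encrypted"  # PGP/MIME (RFC 3156)

def leaves(part, hidden=False):
    """Yield (content_type, hidden) for every leaf part of the message."""
    hidden = hidden or is_opaque(part)
    if part.is_multipart():
        for sub in part.get_payload():
            yield from leaves(sub, hidden)
    else:
        yield part.get_content_type(), hidden

def filter_view(raw):
    """What a server-side filter can and cannot inspect in one message."""
    msg = message_from_string(raw)
    parts = list(leaves(msg))
    return {
        "metadata": {"from": msg["From"], "subject": msg["Subject"],
                     "hops": len(msg.get_all("Received", []))},
        "scannable": [ct for ct, hidden in parts if not hidden],
        "opaque": [ct for ct, hidden in parts if hidden],
    }

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(name, filter_view(raw))
```

Both messages expose the same metadata to the filter, but only the first exposes a text body and an attachment that a content scanner can read.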

For viruses, the situation is much worse. As you can imagine, all the malware is hiding in the message content and in the attachments. The filters on the server side really can’t touch that at all. They can’t tell what’s there, so if you get a virus in an encrypted email, you won’t know it until you actually decrypt the message and open it up in your program. At that point, you’d better hope that your client-side virus scanner pops up and says, “Whoa, better stop there and quarantine this.” But the situation’s not so dire.

Why is that? It’s because most systems don’t send messages securely. For example, PayPal sends you messages, and all the spammers who send you messages have to send messages that look like PayPal’s normal email, not secure. If you suddenly get an encrypted message from PayPal that makes you go to some portal and make an account and log in, you’re going to be instantly wary about that and you’re not going to want to do it, and for good reason. This kind of thing makes people unlikely to open secure messages that they’re not waiting for. If it’s from their actual doctor or actual lawyer, they may want to open it because they might expect a secure message.

If it’s from PayPal or some Nigerian prince, there’s not a chance they’re going to open it. That’s why this method of email delivery, while it sounds like it might be a good way to get messages to you that you don’t want, is really not a good choice for spammers and virus disseminators. However, it could be a good choice for someone who’s doing a targeted attack on you. If they know you get secure email from a specific source and they can get access to that source and make a message that looks and works like that, then you may trust that even more than a regular message.

As with everything in email, it’s all about education and being vigilant and knowing what to expect and what to do, and never opening attachments or clicking on links from messages that you are not expecting, that you didn’t solicit, or that you didn’t talk to people about ahead of time.

I’m Erik Kangas, the CEO of LuxSci, and this was the latest answer to an Ask Erik question.
