" smtp Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci
LuxSci

Posts Tagged ‘smtp’

SMTP TLS: All About Secure Email Delivery over TLS

Monday, October 2nd, 2017

TLS stands for “Transport Layer Security” and is the successor of “SSL” (Secure Socket Layer). TLS is one of the standard ways that computers on the Internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says “Lets talk securely over TLS” (no security)
  4. Computer A and B agree on how to do this (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The meat of the conversation is encrypted
  • Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
  • The conversation cannot be eavesdropped upon (without Computer A knowing)
  • The conversation cannot be modified by a third party
  • Other information cannot be injected into the conversation by third parties.

Basic email security starts with SMTP TLS

TLS (and SSL) is used for many different reasons on the Internet and helps make the Internet a more secure place, when used. One of the popular uses of TLS is with SMTP for transmitting email messages between servers in a secure manner.  See also:

Read the rest of this post »

Save Yourself From “Yourself”: Stop Spam From Your Own Address

Friday, September 22nd, 2017

I just got junk email … from me!

It is surprisingly common for users to receive Spam email messages that appear to come from their own address (i.e. “joe@domain.com” gets a Spam email addressed so it appears to be from “joe@domain.com”).  We discussed this issue tangentially in a previous posting: Bounce Back & BackScatter Spam – “Who Stole My Email Address”?  However, many users wonder how this is even possible, while others are concerned if their Spam filters are not catching these messages.

Spam from your own email address

How can Spammers use your email address to send Spam?

The way that email works at a fundamental level, there is very little validation performed on the apparent identity of the “Sender” of an email.  Just as you could mail a letter at the post office and write any return address on it, a Spammer can compose and send an email address with any “From” email address and name.  This is in fact extremely easy to do, and Spammers use this facility with almost every message that they send.

Read the rest of this post »

Do you expect email carriers to require TLS v1.2 or better in the future?

Friday, July 28th, 2017

Our latest “Ask Erik” question involves the future of TLS delivery:.

Hello Erik,

I am aware of an e-mail server of a Carrier refuses any TLS connections that are not using TLS v1.2. Is it reasonable to expect more Carriers to follow this tact in the future?

Thank you.

This question involves the use of “TLS” to transparently encrypt email communications between email servers over the SMTP protocol.  For a little background, see: “All about secure email delivery over TLS“.

Read the rest of this post »

Email Encryption Showdown: SMTP TLS vs PGP vs S/MIME vs Portal Pickup

Monday, May 29th, 2017

While messaging apps may have become more popular over the last ten or so years, email remains an important method of communication, particularly for business. Despite its common use, there are many security problems associated with regular email:

Message Tampering

False messages are a significant threat, particularly when it comes to business and legal issues. Imagine someone else sends an email from your account – how can you prove it wasn’t you? There are many viruses that spread in this way, and with regular email, there is no concrete way to tell whether a message is false or not.

Email Encryption

Normal emails can also be modified by anyone with system-administrator access to the SMTP servers that your emails pass through. They can alter or completely delete the message, and your recipient has no way of knowing if the message has been tampered with or not.

In the same way, messages can be saved by the SMTP system administrator, then altered and sent again at a later time. This means that subsequent messages may appear valid, even if they are actually just copies that have been faked.

Read the rest of this post »

How do I fix the reputation of my IP address?

Tuesday, April 19th, 2016


It happens — you’re sending email messages without issue, and then suddenly they’re not being delivered, or they’re being tagged as spam.  A little digging reveals that the problem is that your “IP reputation” is now poor, and you need to fix it somehow.

This is our latest “Ask Erik” question, from Angelo Correa or Living Legacy, Inc.

How do I fix the reputation of my IP address?

What is IP Reputation?

Email service providers (e.g. AOL, Gmail, LuxSci) and email filtering systems (e.g. Barracuda, McAfee, Proofpoint, SenderScore) collaborate on and track the sending of unwanted email in order to reduce the blight of email spam that continues to plague the Internet.  Some of the significant factors that they track include:

  1. Quantity of email sent from your IP address
  2. The spam-like characteristics of these messages (based on spam filter analysis)
  3. The number of spam complaints by recipients of these messages
  4. The number of messages sent to invalid recipients or honey pots. Honey pots are email addresses that do not belong to real people and only exist as traps for senders who have acquired these email addresses via web site scraping or some other illegitimate manner.

Put together, these factors end up determining the reputation of that IP address with respect to the sending of email messages.  If the reputation becomes poor, then spam filters will start to quarantine or reject your messages, resulting in poor deliverability.

Read the rest of this post »

Does TLS Corruption Spell the end of SMTP TLS?

Tuesday, November 3rd, 2015

We have seen discussions recently about how attackers can interfere with SMTP TLS, influencing connections, and causing them to be downgraded to insecure — SMTP without TLS.  E.g. Ars Technica’s – “Don’t Count on STARTTLS to Automatically Encrypt your Sensitive Emails“.

What is being discussed here is a very real attack on Opportunistic TLS. I.e. the kind of automated establishment of encryption that can happen when two email servers being their dialog and discover that “hey, great, we both support TLS so lets use it!”  In such cases, servers take the “opportunity” to use TLS to encrypt the delivery of an email message from one server to another.  Opportunistic TLS is great as it is enabling automatic encryption of more and more email over time (see: Who supports TLS?).

The problem is that the initial negotiation of the SMTP email connection, before TLS is established, occurs over an insecure channel.  A man-in-the-middle attacker can interfere with this connection so that it appears that TLS (i.e. the STARTTLS command) is not supported by the server (when it really is).  As a result, the sending server will never try to use TLS and the connection will remain insecure — transmitting the email message “in the clear” and ripe for eavesdropping.

Read the rest of this post »

Toggling Between TLS-Only and More Secure Encryption Methods

Thursday, September 10th, 2015

There are many ways to send an email securely.  These range from the super-easy-to-use but less secure “TLS” method (see About SMTP TLS) to the universal “pick it up on a secure portal method” (that we call Escrow), to the very secure but harder to deal with PGP and S/MIME methods.

Many people like to use just TLS for email transmission security whenever possible, simply because it is so easy for everyone to use — you can encrypt everything, using TLS when possible and Escrow when TLS is not supported by your recipients.

However, if you have compliance needs or deal with sensitive information, there are many situations where you may like to “jack up” the level of encryption from just enforced TLS to TLS if possible plus one of the other methods … one that is more secure and which provides for encryption at rest.  (See: Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?)

Disabling “Just TLS” on a per-message basis is quite easy with LuxSci.

Read the rest of this post »

Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?

Monday, August 24th, 2015

There are many ways to encrypt email, TLS being the simplest and most seamless.  With SMTP TLS (the use of TLS encryption to secure the “SMTP Protocol” used for the transmission of email between computers), messages are transported between the sender, recipient, and all servers securely.  TLS is a layer that fits seamlessly over “regular email” to ensure transport email encryption when supported by both the message sender and the recipient.  With SMTP TLS, sending a secure message works and feels the same as sending any other email message.

“It just works.” That is the ideal combination of security and usability.

SMTP TLS for Email Encryption

However, SMTP TLS only solves the problem of email encryption during transmission from sender to recipient.  It does not in any way secure an email message while it is at rest, whether while in the sender’s “sent email” folder, queued or backed up on the email servers of the sender or recipient, or saved and stored in the email recipient’s folders.  While SMTP TLS is really easy to use, it is important to consider if use of SMTP TLS alone is “good enough” for companies to comply with the many U.S. government laws which apply to email.

When it  is “good enough,” organizations may opt for the seamless simplicity of TLS over the added complexity of other modes of secure email communication.

In this article, we shall examine the security afforded by SMTP TLS and compare that to other modes of email encryption such as PGP, S/MIME, and Escrow (i.e. picking up your message from a secure web portal).  We shall then look at many of the most important laws (HIPAA, GLBA, Sarbanes-Oxley, SB1386, NASD 3010, FRCP, SEX 17a-4, FINRA, and PCI DSS)  to see what is said or implied about using “Just TLS” vs. other, stronger forms of encryption.  We won’t spend a lot of time explaining each law; if you are interested there are innumerable articles on the web for that.  We  focus only on what they say or imply about encryption for email transmission and storage.

The short answer is that many of these laws outline various requirements for email storage, archival, and retrieval for legal proceedings without specifically delineating requirements for the encryption of those messages.  So, use of TLS is just fine with respect to those.

For PCI compliance, avoid email if at all possible; however, if you must use email for sending credit card data, “Just TLS” is not sufficient.

For the rest, the burden ends up being on each individual organization to decide for itself the level of encryption appropriate to protect sensitive data.  Use of encryption methods that provide protection for data at rest can mitigate liability in the case of a breach, but they are not mandated.  There are also ways of protecting data at rest that do not involve more onerous methods of email encryption.

Indeed, your internal risk analysis may find that “Just TLS” is best in some cases and methods that provide explicit data-at-rest email encryption are warranted in others.

Read the rest of this post »

The Case For Email Security

Tuesday, March 31st, 2015

Section 1: Introduction to Email Security

You may already know that email is insecure; however, it may surprise you to learn just how insecure it really is. For example, did you know that messages which you thought were deleted years ago may be sitting on servers half-way around the world? Or that your messages can be read and modified in transit, even before they reach their destination? Or even that the username and password that you use to login to your email servers can be stolen and used by hackers?

This article is designed to teach you about how email really works, what the real security issues are, what solutions exist, and how you can avoid security risks.

Information security and integrity are centrally important  as we use email for personal and business communication: sending confidential and sensitive information over this medium every day. While you are reading this article, imagine how these security problems could affect your business or personal life and your identity…. if they have not already.

Read the rest of this post »

Tracing the Origin of an Email Message — and Hiding it

Tuesday, March 17th, 2015

We are often asked by our users to help  them determine from where an email message has originated. “Where did this spam come from?”

In general, it is fairly easy to do this if you have access to the “headers” of the message.  In this post, we will show you how to determine a message’s original location yourself and also how you can protect yourself from others determining your location when you send email messages to them.

Why would you need to protect yourself — If you are traveling and do not want people to know where you are; if your messages are not going through because your ISP is blacklisted or has a poor reputation.

 

Read the rest of this post »