
Securing your eMail

eMail Security

How do I secure my eMail ?

Hopefully you already know to NEVER, EVER, click on any 'link' in any eMail (no matter who you think it's from), and (of course) you will have set up your eMail provider to 'filter' known SPAM.

There was a time when simply OPENING an email could result in a virus infection taking over your email client software. Indeed, if you make the mistake of using Microsoft Outlook Express there is every possibility that this will happen again. So if it looks like SPAM, it probably is - there's no need to 'open it to make sure' (unless you want to emulate the moron who stuck his hand in a lion's cage and asked "does it bite ?")

By far the most likely 'close encounter' you will have with a 'virus' or 'phishing' attack is when some-one you know gets virus infected and the virus sends you an eMail. So just because the eMail claims it is 'From:' some-one you know, DON'T assume 'it must be safe' ! Mail systems display the 'subject' - READ IT before opening (a lot of SPAM will have a 'business' style Subject - like "Re: your email" - for sure you should be able to 'recognise' when the Subject is not in the 'style' of your friend).

Sometimes friends will complain you are sending them 'spam' when your computer has not actually been 'infected' at all - rather it's the email service provider that's been 'hacked' and lost your Address Book (and those of thousands of other customers). When these address books are used by spammers, they insert your address in the 'From:' field in the hope that the recipient will 'trust' the mail when they see it's from you. Once your Address Book has been stolen in this way it can be used for years afterwards, being sold on from one spammer to the next.

1) So, 'precaution number one' == NEVER hold your address book 'on-line' (who do you think will take better care of your Address Book ? yourself or some 'free' email service provider ??) = see later

2) So you can 'detect' when the 'style' of 'Subject:' reveals it's SPAM, you need to maintain more than one eMail account (plus a few 'dummy' accounts - see later). One 'real' account is for real friends ONLY (i.e. actual people you have met i.e. those you went to school with or lived next door etc, not 'anonymous' people you have 'friended' on some social networking site like Face-Book etc. = for each of which you use a separate account - see later). Always maintain a totally separate account for 'business' (Banks, eBay, PayPal etc).

The 'real' accounts should be setup with whitelist 'filters' set to 'accept' your friends addresses / business addresses and divert everything else to the 'spam' folder

As for the 'dummy' accounts - well these are for 'throw away' use when you are 'required' to register in order to achieve some benefit but have no reason to 'interact' with them ever again eg. to register for some 'software' that you wish to 'Trial' (before discovering it's rubbish and going back to the Open Source alternative ...).

You only need to read the 'dummy' email after Registering etc. to get your 'licence code'. After that you can just ignore it ..

What eMail address should I use for Social networking ?

If you use 'social networking' sites, ALWAYS use a separate email address for each. That way, when your account is 'hacked' you can delete both the account & its attached email address and start again

Needless to say, you must NEVER 'give away' on any social networking system anything that might help a criminal = those who 'post' pictures of their house (easily 'matched' to the Google Street Map view) and set their status to 'Gone on Holiday' (or Twitter about living alone) are just begging to be robbed (or worse).

If you imagine that Social Networking sites ever think about abuse when setting up their systems, just Google 'Please rob me'. This recounts the story of one of the most 'criminal friendly' social networking systems ever invented (every time you 'sent a text' it noted your location, which it then revealed 'to the world' - so even the dumbest criminal could work out 'where you lived' (location you were at most of the night) and then arrange to visit your home when you were on holiday (ie. when 'your location' was 'out of the country')).

How does an eMail virus infect my computer ?

Windows just loves to 'run' a Virus. When you 'double click' on anything (such as an eMail attachment), if it is of a 'type' of executable 'known' to Windows (there are dozens and dozens, not just .exe, .com, .bat, .cmd, .vbs etc.), Windows will just 'run' it - and allow it to take over your PC. So you must NEVER, EVER, double click an eMail 'attachment' !

If it's something you are expecting from some-one you know, right click on it and use 'save as' to save the attachment to a folder on your PC (or use the 'save attachment' option from the email client's 'File' or 'Edit' menu etc). Your anti-virus software will then have a chance to check it out, and (hopefully) you will spot the trick of naming the file "I am not a virus.txt                         .exe" (or AnnaKournikova.jpg.vbs, or goto-virus.cmd, etc etc)
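The naming tricks quoted above can be checked mechanically once an attachment name is in hand. The following is an added example (not code from this site); the extension lists beyond the five named on this page are an assumed sample, and the message is constructed for the demonstration.

```python
import os
import re
from email.message import EmailMessage

# Extensions Windows runs on double-click. The first five are the ones the
# page names; the rest are a small assumed sample, not a complete list.
RUNNABLE = {".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".pif", ".js", ".lnk"}
# Harmless-looking extensions used as the visible decoy (assumed sample).
DECOY = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}


def inspect_attachment(filename):
    """Return the reasons a file name looks disguised (empty list: none found)."""
    reasons = []
    stem, ext = os.path.splitext(filename.strip())
    ext = ext.lower()
    if ext not in RUNNABLE:
        return reasons
    reasons.append(f"real extension {ext} runs on double-click")
    if re.search(r"\s{3,}", stem):
        reasons.append("run of spaces pushes the real extension out of view")
    inner = os.path.splitext(stem.rstrip())[1].lower()
    if inner in DECOY:
        reasons.append(f"decoy extension {inner} shown before {ext}")
    return reasons


def scan_message(msg):
    """Map each flagged attachment name in an EmailMessage to its reasons."""
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = inspect_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample():
    """Constructed message: the page's three file names plus one ordinary photo."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["Subject"] = "Re: your email"
    msg.set_content("Constructed sample body.")
    for name in ("I am not a virus.txt" + " " * 25 + ".exe",
                 "AnnaKournikova.jpg.vbs", "goto-virus.cmd", "holiday.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(repr(name), "->", "; ".join(reasons))
```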

How much should you trust your eMail provider ?

Not at all. There have been numerous cases of web based eMail systems being compromised - see, for example, AOL. If you leave your eMail on a web server, it can be accessed from ANYWHERE IN THE WORLD. Ask yourself, is this accessibility (so heavily promoted as a 'benefit' by the provider) of more use to you, or the criminal ?

Note that it's not just eMail providers who lose your details. If you ever wondered how the 'cold caller' scum got hold of your phone number, well if you were on T-mobile wonder no more. Unfortunately, it turns out that even Banks lose customers details.

Anyway, chances are, you have 'saved' all sorts of 'important' emails 'to the archive folder' which will reveal all sorts of interesting details to the ID thief and 'phishing' criminal - such as who you Bank with, the names of your eBay and PayPal accounts and maybe even some 'forum' log-in details etc.

If you have on-line anything and your eMail account is compromised, a criminal anywhere in the world can simply visit eBay, PayPal or your Bank's web site, enter your details and click on 'I forgot my password'.

All they then have to do is sit back and wait for the web site to send a message to your web eMail telling them how to access the account and reset your password

What about my Address Book ?

You should never, EVER, create an Address Book 'on-line'. The contents of any on-line Address Book will, eventually, be lost, hacked & copied or stolen or even sold (yes - there have been cases of 'disaffected' employees selling customer details) to spammers.

I have friends who have been contacted by some-one at an address that was deleted from their Address Book years ago complaining of being sent a virus. Since both used the same on-line email service, plainly this can only have come from copies of their Address Books backed-up years ago by the eMail service provider

Whilst it's possible that the back-ups were lost or stolen, it seems much more likely that they were 'recovered' from an old Server or disk sold on eBay (or found on a rubbish tip).

The plain fact is, ANYTHING you put 'on-line' can turn up years later anywhere in the world - this is well known in the 'physical' world (which is one reason why the forgotten Credit Card that was thrown out in the trash always 'expires' after a few years).

What about my passwords ?

A1. The only reason why people use the same password for 'all' their accounts is because it's hard to remember lots of different ones. So I suggest you write them down but follow some variant of the scheme outlined below ...

I never write down the 'accounts', only the passwords - and then 'disguise' them in a 'simple' way. Here, for example, is the password 'list' you might find on a 'Post-It Note' stuck to the front of my computer (and on the back of a business card in my wallet) :-

Previous Address
Red Lion
Mister Jones
Sister Mary
Home Work
Xmas Prezzie

To use this list, you have to know the 'rule' .. for example, to get the 'real' password the rule could be "swap the 'space' for an 'underscore'" .. or perhaps something a bit more complex (eg. add a '+' at the start, remove the spaces and swap letters into numbers (so 1 for i, 0 for o, 3 for e, 5 for s, 6 for b etc.) .. but only the first occurrence in first word & last occurrence in last word ... (thus Sister = 5ister, not 515t3r :-) ) .... Whatever you come up with, USE IT FOR THEM ALL so you won't forget
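Both rules just described, written out as an added example (not code from this site) and applied to the note as listed above. The swap table holds only the five letters named here, and the handling of a one-word entry is an assumption.

```python
# Letter-to-digit swaps listed on the page ("etc." there is left unextended).
SWAP = {"i": "1", "o": "0", "e": "3", "s": "5", "b": "6"}


def swap_one(word, last=False):
    """Swap only the first (or, with last=True, the last) swappable letter."""
    hits = [i for i, ch in enumerate(word) if ch.lower() in SWAP]
    if not hits:
        return word                      # e.g. "Mary" has nothing to swap
    i = hits[-1] if last else hits[0]
    return word[:i] + SWAP[word[i].lower()] + word[i + 1:]


def simple_rule(hint):
    """The page's simple rule: swap the space for an underscore."""
    return hint.replace(" ", "_")


def complex_rule(hint):
    """The page's fuller rule: leading '+', spaces removed, one swap in the
    first word (first occurrence) and one in the last word (last occurrence)."""
    words = hint.split()
    if not words:
        raise ValueError("empty hint")
    words[0] = swap_one(words[0])
    if len(words) > 1:                   # assumption: a one-word hint gets one swap
        words[-1] = swap_one(words[-1], last=True)
    return "+" + "".join(words)


# The note exactly as it appears on the page.
POST_IT = ["Previous Address", "Red Lion", "Mister Jones",
           "Sister Mary", "Home Work", "Xmas Prezzie"]

if __name__ == "__main__":
    for hint in POST_IT:
        print(f"{hint:18} {simple_rule(hint):18} {complex_rule(hint)}")
```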

But whilst you now have 'all' my passwords you still can't use them unless you also know that :-

1) I first used eBay when moving house to sell a load of old stuff found in the loft/garage = so '+Pr3viousAddres5' could be my eBay password
2) The Red Lion pub is where I met with friends who told me all about PayPal = so '+R3dLi0n' could be my eBay password
3) My next door neighbour (Mr Jones) uses the same on-line Banking service as I = '+M1sterJone5' might get you into my on-line banking account
4) Then there's my sister Mary, who also uses Tesco Home Delivery = so '+5isterMary' could be for my next on-line grocery order

Or perhaps not - maybe Previous Address is my house insurance, Red Lion is the password of my ING Bank account etc ... I'm betting no-one could possibly have a clue = so here's a couple more .. when I was a kid, Miss Barclay used to mark my home-work (so maybe I Bank at Barclays with a password based on 'Home Work') .. and I always buy Christmas presents from Amazon (or perhaps on eBay ... or at John Lewis) ... or maybe the Teachers name was Mr Westminster and I buy Christmas presents with my Barclay Card ... :-)

The 'key' is to use as a password 'something' that has sufficient meaning to 'prompt' you into remembering which 'account' it relates to, but can't be discovered by simply reading your 'postings' on social networking sites etc.

There's no point in being too clever = no-one ever 'cracks' on-line passwords by 'guessing' (or entering all possible combinations of letters and numbers) any more - or at least not since even the dumbest of on-line systems now implement an 'auto lock-out' on (typically) 3 wrong attempts ...

However, even if you drop the 'letter / number' substitution, you should always add some 'special' character at the start (or end = pick one & stick with it 'for ever') - so anyone who gets a look at your list (and works out which 'password' is for which account) still won't have your actual full password. If you can't be bothered to do anything else, just add a 'space' at the start (or end, or both)

A2. Another 'trick' would be to use things you already have in your wallet or things you already have to remember .. for example, you could use the 'CVV' digits off the back of your Credit Card or your Debit Card 'PIN' number or your phone number as part of your on-line Banking, PayPal or eBay password .. you could even use a 16 digit Card number (transposing letters for numbers so '1' becomes 'L', '3' becomes 'E', '6' = 'b' or whatever)

Whatever method you use, it's vital to avoid writing down accounts and passwords in the same place .. and PLEASE don't use your REAL 'date of birth', 'mothers maiden name' or 'first school' as part of the 'I forgot my password' backdoor implemented by many dumb Banks :-)

NB. If you haven't changed your passwords for over a year, now might be a good time to do so - but do make sure you write down the new ones :-)

What's the 'best' eMail client to use ?

Use the Open Source Thunderbird for ALL your eMail.

Start by using Thunderbird to 'connect' to each of your different web mail accounts and then move all your saved emails from the web-mail providers site to the Thunderbird 'Inbox' on your own computer. You can then setup category 'folders' (eg 'friends', 'family', 'eBay', 'spam' etc) and create 'filters' that will 'scan' the Inbox and move the emails into the various folders.

Next, setup Thunderbird to check each web account every few minutes and automatically fetch (i.e. move) any new emails. Ideally it should launch automatically at power-on and start fetching eMails immediately.

Your address book should exist only within Thunderbird and never 'on-line' - so 'export' any on-line Address Book and then delete the contents

Since the on-line eMail provider will have made 'backups', your Address Book will still be 'vulnerable' for some years

Are there any drawbacks to using Thunderbird ?

Yes, unfortunately ...

a1. Your saved email will now exist only on your desktop computer. Unless you include your eMail 'archives' in your regular 'backups', you risk losing the lot come the next hard drive crash

a2. To be fully automatic you have to allow Thunderbird to 'remember' your on-line eMail account names (and passwords). In general, it's never a good idea to have your computer 'remember' any account names & passwords, since your details can be 'extracted' should your PC ever fall into the hands of criminals

As a compromise, I let it remember my account names but not my passwords. I put a 'link to' Thunderbird in my 'Startup' folder (so it launches on boot), which means I have to enter my passwords after rebooting. I never turn off my computer (I've set it up to 'hibernate' instead) but MS Windows Update reboots often enough to prevent me forgetting my passwords :-)

a3. If Thunderbird (or any other software) is setup to keep accessing the Internet from your computer every few minutes, this may stop your computer from ever 'going to sleep' or hibernating. This may mean you have to manually 'close' Thunderbird each evening (or set up a CMD script to do that for you automatically)

However, in my view, the massive advantage of ensuring that your eMails are no longer held on a system that is 'accessible' to everyone else on the planet far outweighs any other risk

How do I avoid 'Advanced Fee Fraud' (aka '419 Scam') eMails ?

Unlike virus & phishing email (which rely on the victim 'double clicking the link' in the body (or 'launching' the attachment) - and thus have fake 'From:' addresses), the '419 Scam' fraudster's email must have a 'real' From: address (so you can 'Reply' to the criminals).

The vast majority of fraudsters use accounts created with one of the free email service providers .. and, for some years now, the most common of these are (in order) @gmail.com & @yahoo.com, closely followed by @msn.com & then @hotmail.com (see list of scammers addresses).

Indeed, the use of gmail.com & yahoo.com and @msn.com by fraudsters is so common that I have setup a special 'filter' (on Thunderbird) that automatically diverts all incoming with a 'From:' address 'containing' = "@gmail.com" or "@yahoo.com" or "@msn.com" straight into my 'spam' folder. I suggest you do the same
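The two filters described on this page (the whitelist for the 'real' accounts and the free-provider rule above) can be modelled outside Thunderbird to see how they interact. This is an added example, not the filter configuration itself: it matches the parsed sender domain exactly rather than by 'containing', the rule order is an assumption, and the messages and addresses are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Free-provider domains the page's own Thunderbird filter diverts.
DIVERTED_DOMAINS = {"gmail.com", "yahoo.com", "msn.com"}


def sender(raw_message):
    """Return the lower-cased address from the From: header ('' if absent)."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def route(raw_message, whitelist, whitelist_only):
    """Pick a folder. Rule order is an assumption: the whitelist is checked first."""
    addr = sender(raw_message)
    if addr in whitelist:
        return "Inbox"
    if whitelist_only:                     # 'real' account: everything else is spam
        return "spam"
    if addr.rpartition("@")[2] in DIVERTED_DOMAINS:
        return "spam"
    return "Inbox"


# Constructed sample data (addresses and messages are made up).
FRIENDS = {"mary@gmail.com"}
SAMPLES = {
    "friend": "From: Sister Mary <mary@gmail.com>\nSubject: Sunday lunch\n\nHi",
    "scam": "From: \"Barrister J. Smith\" <claims.dept@yahoo.com>\n"
            "Subject: URGENT BUSINESS PROPOSAL\n\nDear friend",
    "shop": "From: orders@shop.example\nSubject: Your licence code\n\nCode inside",
}


def route_all(whitelist_only):
    """Route every constructed sample; returns {sample name: folder}."""
    return {name: route(raw, FRIENDS, whitelist_only)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    print("'real' account :", route_all(whitelist_only=True))
    print("other account  :", route_all(whitelist_only=False))
```

With the whitelist checked first, a friend who happens to use one of the diverted providers still reaches the Inbox.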

You might think that the 'free' email providers would make an effort to find and close the fraudsters and spammers accounts (and stop them setting up new ones).

Yeah, right - the fact is, if they removed all the fraudsters and spammers accounts, their 'user numbers' would drop dramatically - and this would affect their advertising revenue (which depends on user numbers). However 'stopping the fraudster' is actually the last thing we want the free providers to do - so long as most fraudsters continue to use a free .com address we can block them all by filtering out everything that arrives "From:" a *.com address

If you think I'm just a little bit too cynical about major corporations attitude to scammers, follow the 'think again' link near the end of the next paragraph

What's being done to protect you from Internet fraudsters ?

Essentially, nothing. The sad fact is that neither the ISP's nor the Government are willing (or able) to 'protect' you, the customer / tax payer, from being 'ripped off' by Internet fraudsters.

Take, for example, SPAM and 'phishing' emails with their bogus 'Reply To:' addresses and attached virus payloads. Despite numerous proposed technical solutions suggested to verify Reply addresses over the last 10 years, virtually nothing has been implemented. SPAM continues to rise, up from 70% of all traffic in Q2 2013 rising to 80% by Nov 2014

At the same time, ISP's are happily allowing criminals to set up their 'phishing' servers and register their fake Domains .. and despite the fact that some ISP's are plainly 'in league' with criminals, these are never 'shut down' or 'shut out' (it's a simple matter for ICANN to revoke an ISP's entire IP address range)

Even today, most Banks really couldn't care less, giving almost anyone - who is willing to pay them - access to Direct Debit and VISA services - and some financial 'service' organisations (specifically, Western Union) actually seem to run systems specifically designed to allow criminals untraceable international access to the proceeds of their crimes

No-one is safe - and the less 'aware' you are, the more 'attractive' you are as a 'target' - and just because a 'scam' has been known about for years, don't think anything has been done to prevent it happening to you

You might think that no 'reputable' company would 'turn a blind eye' to scammers and criminals ripping off their (disabled) customers for over 8 years, whilst the Government & its Law enforcement arm did almost nothing to stop it ? Well think again !!

The plain fact is, if you get 'scammed' by some Internet based criminal, you are on your own. First the 'forces of law enforcement' will be hard to convince that any 'crime' has actually been committed (like all good 'confidence tricks', phishing relies on your willing participation in the scam and you voluntarily handing over access to your accounts or handing over your money). Next, when it comes to 'tracking down' the criminal, most officers of law enforcement are essentially clueless. Finally, even if you manage to track down the criminals yourself, 99% of the time they will be based 'abroad' and thus essentially 'untouchable'
