S 5.94 Security issues relating to the use of e-mail clients by Internet PCs
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
E-mail is one of the most important intranet and Internet services. In modern office communications, e-mail supplements and sometimes replaces classic means of communication, such as telephone, fax, letters and telex. The usefulness of e-mail has been vastly increased by the ability to send files with them as attachments. This has also increased its use for groupware solutions, e.g. when several parties are working sequentially on the same document and communicating with each other.
From a technical point of view, there are several ways of using e-mail. One option is to use webmail services, as offered by several Internet service providers, e.g. Web.de or gmx. These services provide users with all the functions needed to receive, read, write, send and manage e-mails via a web-based interface. As for all web-based content, a browser is needed to use these services. The advantages of webmail services are as follows:
- No software components need to be installed on the client in addition to the browser
- Users are not tied to a particular computer or location to access their e-mail.
The drawback of webmail, however, is that e-mail security is largely in the hands of the webmail provider. For recommendations on the secure use of webmail, see safeguard S 5.96 The secure use of webmail.
The classic method for managing e-mail is to use corresponding client software, such as Microsoft Outlook, Outlook Express, Thunderbird or KMail. Incoming e-mail is usually retrieved from the provider using POP3 (Post Office Protocol Version 3) or IMAP (Internet Message Access Protocol), while outgoing e-mail is sent by SMTP (Simple Mail Transfer Protocol). To allow e-mails to be sent and received, the server addresses for incoming and outgoing e-mails need to be entered in the client program configuration. The required IP addresses can be obtained from the e-mail service provider and should be entered permanently in the e-mail client.
Before the client can pick up incoming e-mail from the provider, the client usually needs to be authenticated by the e-mail server. This is usually done with passwords, which - unless additional security safeguards are implemented - the client sends to the server in plain text. This poses the risk that the password could be intercepted by a third party during transmission over the Internet and then misused. In order to prevent this, all communications with the e-mail server should be encrypted with TLS or SSL. This also protects e-mails from being compromised or manipulated during their transmission. Many providers now support encryption of POP3 or IMAP communications with TLS or SSL (see also RFC 2595).
The access password to the provider's e-mail server should be long enough and difficult to guess in order to prevent unauthorised access to e-mail. It should also be changed regularly. No general recommendation can be given as to whether the e-mail password should be saved on the Internet PC or whether it should have to be entered manually each time a user wants to access the mailbox. This depends on the total number of authentication processes the user has to go through (logging on to the client, dialling into the ISP, etc.) and on the estimated magnitude of the risk of password misuse. For further recommendations about passwords, see safeguard S 2.11 Provisions governing the use of passwords.
Some e-mail clients allow users to create e-mails in HTML or in Rich Text Format (RTF). The problem with HTML is that it can also contain active content, e.g. JavaScript, and links to other objects on the Internet. This has caused many security problems in the past. Therefore, HTML format should be avoided when sending e-mails. If certain formatting elements are absolutely necessary, e.g. font types and colours, then RTF should be used instead. The client programs should therefore be configured so that they create and send e-mails in plain text or Rich Text Format.
The client should be configured so that it does not run any active content when displaying incoming HTML-formatted e-mails. Some e-mail clients do not even show HTML-formatted messages, but open an external viewer or browser. In that case, it is advisable to use a viewer or browser which does not run active content. It is also advisable to make sure that other objects on the Internet cannot be accessed while e-mail is being read, e.g. by disconnecting from the Internet beforehand. Alternatively, HTML-formatted e-mails can also be opened with a text editor. However, this can often make the e-mail difficult to read because of the HTML tags.
Some e-mail clients have a message preview function which allows the content of a selected e-mail to be displayed without it being explicitly opened by the user. This could allow harmful content in the e-mail to be run unintentionally. It is therefore advisable to disable the preview function.
Attachments, i.e. files appended to e-mail messages, are a common route by which computer viruses, worms and other malware are distributed. The file extensions shown in the e-mail program (.jpg, .exe, etc.) do not always match the actual file type. There are methods whereby the actual file extension can be hidden in certain e-mail clients. Attachments in incoming e-mails should therefore always be treated with suspicion, especially if they are unexpected or the sender is unknown. Before opening or running an attachment, it is advisable to save the file and run a virus check.
Executable files and files which can make changes to the system configuration, such as .exe, .vbs and .reg under Windows or shell scripts under Linux, should not be run without the administrator's permission. Caution should also be exercised in respect of attachments which are clearly not related to the usual business relationship with the sender, e.g. pornography services being offered by your accountant, or e-mails written in another language. In the event of any such discrepancies, users should not open any attachments and should notify the administrator or the IT security officer. For clarification, it is also possible to ask the sender what the attachment is about.
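The two checks recommended above, comparing an attachment's name with its actual content and recognising executable or system-changing file types, can be automated before a file is opened. The following is an added example and not part of the safeguard text; it uses Python's standard email library on a constructed sample message, and its magic-byte table is a deliberately short illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Magic-byte prefixes of a few common attachment types and the extensions that
# legitimately carry them (constructed, deliberately short table).
MAGIC = [
    (b"MZ", "Windows executable", {".exe", ".dll"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"%PDF", "PDF document", {".pdf"}),
]
# File types that run code or change the system configuration (from the safeguard text)
RISKY_EXT = {".exe", ".vbs", ".reg", ".sh", ".bat", ".cmd"}

def sniff(data):
    """Identify the content by its first bytes, not by the name the sender chose."""
    for prefix, label, exts in MAGIC:
        if data.startswith(prefix):
            return label, exts
    return "unknown", set()

def check_attachments(raw):
    """Return one finding per suspicious property of each attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name.lower())[1]
        label, exts = sniff(part.get_payload(decode=True) or b"")
        if exts and ext not in exts:  # displayed extension hides the real type
            findings.append(f"{name}: extension {ext or '(none)'} does not match content ({label})")
        if ext in RISKY_EXT or label == "Windows executable":
            why = label if label == "Windows executable" else f"{ext} file"
            findings.append(f"{name}: runs code or changes the system configuration ({why})")
    return findings

def build_sample():
    """Constructed message: a genuine picture, a mislabelled executable and a .reg file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\0" * 16, maintype="image",
                       subtype="jpeg", filename="beach.jpg")
    msg.add_attachment(b"MZ\x90\0" + b"\0" * 16, maintype="image",
                       subtype="jpeg", filename="sunset.jpg")
    msg.add_attachment(b"Windows Registry Editor Version 5.00\r\n", maintype="application",
                       subtype="octet-stream", filename="fix.reg")
    return msg.as_bytes()
```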
Ideally, the only programs which should be configured as default applications under Windows are those which cannot run macros or embedded scripts. Viewers are available for the most widely used file types, such as Word and Excel documents. The installation of complete applications and suites, such as Microsoft Office, should be avoided as far as possible. The default action "Merge" for .reg files should be replaced by configuring a text editor as the default application. Otherwise, the registry entries contained in such a file are written to the registry of the Internet PC as soon as the file is opened, e.g. by double-clicking. One possible effect is that security settings are unintentionally disabled. The default application for file types can be changed in Explorer by selecting View | Options | File Types.
E-mail is often used to send information which requires protection en route from sender to recipient in terms of its confidentiality and integrity. This protection can be achieved with encryption and digital signatures. One problem associated with this is that there are several established encryption methods, such as S/MIME, GnuPG, PGP and MailTrusT, which are either totally incompatible or are only partially compatible with each other. Before e-mails can be encrypted or digitally signed, the communication partners need to agree on which method or methods will be used (see also S 5.63 Use of GnuPG or PGP). The software components required for this are often available as plug-ins for popular mail clients. If several different plug-ins are to be used for e-mail encryption, it should be ensured that installing these plug-ins in the same e-mail program will not cause any technical problems.
Popular e-mail programs offer the option of requesting confirmation that incoming e-mails have been received and read. The recipient's server must support the DSN standard (Delivery Service Notification) for confirmation of receipt, while the e-mail client needs to support the MDN standard (Message Disposition Notification) for read confirmation. Depending on the e-mail client, it may be possible to configure it in such a way that it always or never responds to a confirmation request or that it responds to requests from specific senders or sender groups only.
These confirmation messages do not usually present a problem in terms of IT security. However, in connection with unsolicited e-mail advertisements which are sent at random to a large number of e-mail addresses, this function can have disadvantages, because it indicates to the sender that the address actually exists and may even acknowledge that the advertisement has been read.
Some e-mail clients can automatically forward incoming or outgoing e-mails on request to a specified recipient or to a mailing list, e.g. as a BCC (Blind Carbon Copy). In Thunderbird, for example, corresponding e-mail addresses can be entered under Preferences | Accounts | Copies and Folders | BCC to these e-mail addresses. This function should only be used after making sure that all of the users who can access the e-mail address entered there are entitled to read any incoming or outgoing e-mails. Otherwise, there is a risk that confidential information will be sent unintentionally to third parties.
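Several of the client settings discussed above (TLS for POP3 and IMAP, plain-text composition, not fetching remote content while reading HTML mail, automatic BCC forwarding) are stored in a Thunderbird profile's prefs.js and can be audited from there. The following is an added example, not part of the safeguard; the prefs.js key names and the meaning of the socketType values are assumptions about Thunderbird's configuration format, and the sample file is constructed.

```python
import re
# Constructed sample of a Thunderbird prefs.js (not taken from any real profile);
# Thunderbird stores each account setting as a user_pref("key", value); line.
SAMPLE_PREFS = '''
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.type", "pop3");
user_pref("mail.server.server2.hostname", "pop.example.invalid");
user_pref("mail.server.server2.socketType", 0);
user_pref("mail.identity.id1.compose_html", true);
user_pref("mail.identity.id1.doBcc", true);
user_pref("mail.identity.id1.doBccList", "archive@example.invalid");
user_pref("mailnews.message_display.disable_remote_image", false);
'''
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
# Assumed socketType values (Thunderbird's nsMsgSocketType): 0 = plain,
# 1 = STARTTLS only if offered (may fall back to plain), 2 = STARTTLS, 3 = SSL/TLS.
TLS_SOCKET_TYPES = {2, 3}

def parse_prefs(text):
    """Turn prefs.js lines into a dict, converting JS literals to Python values."""
    prefs = {}
    for key, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            prefs[key] = raw[1:-1]
        else:
            prefs[key] = int(raw)
    return prefs

def audit(prefs):
    """One finding per deviation from the safeguard's recommendations."""
    findings = []
    for s in sorted({k.split(".")[2] for k in prefs if k.startswith("mail.server.")}):
        kind = prefs.get(f"mail.server.{s}.type")
        if kind not in ("pop3", "imap"):   # e.g. type "none" = Local Folders
            continue
        if prefs.get(f"mail.server.{s}.socketType", 0) not in TLS_SOCKET_TYPES:
            host = prefs.get(f"mail.server.{s}.hostname", s)
            findings.append(f"{host}: {kind} connection is not TLS-protected")
    for i in sorted({k.split(".")[2] for k in prefs if k.startswith("mail.identity.")}):
        if prefs.get(f"mail.identity.{i}.compose_html", False):
            findings.append(f"{i}: composes e-mail in HTML instead of plain text")
        if prefs.get(f"mail.identity.{i}.doBcc", False):
            bcc = prefs.get(f"mail.identity.{i}.doBccList", "")
            findings.append(f"{i}: every outgoing e-mail is BCCed to {bcc}")
    if not prefs.get("mailnews.message_display.disable_remote_image", False):
        findings.append("remote content in HTML e-mail is fetched while reading")
    return findings
```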
The Outlook Express e-mail client is supplied as standard with some versions of the Windows operating system. Outlook Express should be removed if it is not required, e.g. because a different e-mail client or a webmail service is being used.
It should be ensured that all available security patches and updates are installed as soon as they become available for all the software components installed on the Internet PC.
Review questions:
- When using external webmail services, are all communications encrypted?
- Is the password for access to the e-mail server of the provider complex enough and also changed regularly?
- Has the format in which e-mails should be created and sent been defined?
- Are the e-mail clients configured so that they do not run any active content from e-mails?
- Has it been ensured that e-mail attachments are checked with an anti-virus program before being opened?
- Are there rules for e-mail attachments with executable and/or security-critical files?
- Are there rules specifying whether and how automatic e-mail forwarding is to take place?