Don’t Get Hit by the Whaler’s Harpoon

What is Whaling?

Chances are you’re familiar with the term Phishing, where scammers use social engineering tactics to get users to give up personal information such as financial data, Social Security numbers, or other highly confidential and valuable information. That email you received from the “IRS” asking for your Social Security number? Don’t fall for it!

You may have also heard of spear-phishing, a more targeted form of phishing where specific individuals on any staff level may be targeted. But are you aware of the dangers of whaling? No, I’m not talking about the kind that keeps marine conservationists up at night. I’m talking about phishing attacks that are highly personalized to target high level executives.

While phishing emails are sent out to multiple recipients in the hopes that one or more will fall for the scam, whaling emails are usually only sent to select individuals who have a great deal of influence in a company. They are designed to masquerade as critical business communications sent to someone of importance, such as a CEO or other business authority, in an attempt to get the recipient to give up personal or financial information. Often, these messages contain spoofed addresses claiming to come from someone within the company. It is also common for a whaling email to claim to be from the Better Business Bureau or FBI.

Many whaling emails will contain a link that installs malware or leads the user to a familiar looking website that will likely ask for your login information. What happens next is when the problems begin. You submit your username and password, and are told that your credentials are incorrect and that you should try again. Sounds pretty harmless so far, right? Behind the scenes, however, your information has already been captured, and you are then redirected to the legitimate website, where you are able to successfully login on your next attempt – completely unaware that you just submitted valuable information to a scammer. This is why we always stress that you never click on links in an email message unless you’re 100% certain that the message is legitimate and from the purported sender.

How do “Whalers” get past Spam Filters?

Cybercriminals often use similar domain names or free email addresses, pretending to be business executives. They are able to bypass many security measures because their messages often don’t include malware links or attachments. And because they typically contain no links, and are often better written than the standard phishing attack, they slip past spam filters more easily.

Do Executives Really Fall for These Scams? The Scary Statistics on Whaling

Whaling works because people often fall for these scams. The following high-level cases illustrate how lucrative the whaling business is for scammers:

In the 2008 US District Court subpoena whaling scheme, 20,000 CEOs were targeted. Approximately 2,000 of them fell victim to the scheme and clicked on the malicious link in the email, which installed a keylogger that secretly recorded the CEOs’ passwords. This led to further attacks on the affected companies, resulting in significant financial loss or damage to company reputation.

Here is an example of the fake subpoena email. It looks official to the untrained eye, but notice the From address, which uses the domain of uscourts.com. The official domain of the US Court system is uscourts.gov, not uscourts.com. Also, it’s worth noting that official court business is never sent via email.

[Image: the fake US District Court subpoena email]

In 2015, Mattel lost $3 million in a whaling scheme in which a finance executive responded to a bogus funds transfer request claiming to come from the company’s new CEO.

In the first quarter of 2016, 41 companies were hit with phishing attacks targeting employee tax records.

More recently, the CEO of an Austrian aircraft parts manufacturer was let go after the company lost €40.9 million ($48 million USD) to a whaling attack.

And earlier this year, a 48-year-old Lithuanian man was charged with attacks on Facebook and Google. In his high-profile phishing attacks, he used forged invoices, contracts, and letters that looked like they had been signed by a company whose name he had mimicked by registering a company in Latvia with a name similar to that of a legitimate Asian-based vendor.

How do I recognize a whaling email?

So how do you know when you’re being targeted in a whaling attack? Here are some common whaling identifiers to look for in inbound email messages:

  • Is the name of the sender the same as one of my user names?
  • Is the sending domain similar to one of my domains?
  • Is the domain well-established, or is it a newly-created domain used specifically for attack purposes?
  • Does the email contain common whaling keywords, such as wire transfer, payment, etc.?

An email containing just one of these characteristics may not necessarily be a threat. For example, if the CEO’s name is John Smith, an email from another John Smith might not raise any red flags, especially considering how common this name is. But if you receive an email from John Smith that has one or more of the other characteristics listed above, such as one containing a request for payment, then you should treat it with extra scrutiny.

Avoiding whaling attacks is the responsibility of management and employees alike. Follow these tips to help protect your business from falling victim.

Educate Senior Management Staff

One of the reasons spear phishing and whaling are so effective is that they target named individuals in executive or financial positions within an organization, and they often appear to come from someone known and trusted by the recipient, such as a colleague. Clever social engineering techniques are used to reel in these “big fish.” Senior management, financial staff and employees in other key roles should be educated on the effects of whaling attacks and how to spot them. They should learn to recognize common characteristics of phishing attacks like spoofed sender addresses, requests for funds transfer, unrecognized attachments, and spoofed hyperlinks. Let’s look at a few examples.

Example: Sender registered a domain similar to the company’s domain.

As you can see in this example, the sending domain looks similar to a legitimate domain, but if you look further, the domain is one digit off from the real domain.

[Image: a sending domain that is one character off from the legitimate domain]

Example: Display Name spoofing.

Does the display name in the From field match the email address? In this example, I know my bank does not own the “fakedomain.com” domain. This is an example of display name spoofing, which is very common.

[Image: display name spoofing example]

Example: FROM address spoofing.

Another common spoofing technique is From address spoofing. Any spammer can spoof any email address, making it look like the message came from a legitimate source. This works because email messages contain two sets of addresses – the envelope address and the message header address. I’ll explain further using U.S. postal mail as an example.

When sending a letter via US Mail, the sender needs an envelope, the address of the intended recipient, and the contents of the message (the letter itself). The sender writes the recipient’s address on the envelope, but the recipient’s address usually appears inside the envelope as well, at the top of the letter. The letter is delivered to the address on the envelope, not to the address on the letter itself, so the two addresses can be completely different.

Email works in a similar way. Like U.S. Mail, email messages also have two sets of addresses – the envelope addresses, where the message is actually from and who it is addressed to, and the address in the message header, which is what the user sees in the To: and From: fields in the message. These addresses do not have to match for the message to be delivered. Most spam messages contain spoofed From (header) addresses.

In the following example, the message appears to come from john.smith@example.com, but closer examination reveals that it actually came from frank.thomas@example.com. Most mail servers and email security products should have mechanisms in place to detect this kind of spoofing, such as reverse lookups, SPF, DKIM and DMARC, but users should be aware of this common technique used by spammers.

[Image: From address spoofing example; header From shows john.smith@example.com while the envelope sender is frank.thomas@example.com]
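The checks in the identifier list above and the envelope-versus-header distinction just described can be automated. The following is an added example, not code from the original post or from MDaemon: it parses a raw message with Python’s standard library, compares the Return-Path (written by the receiving server from the SMTP envelope sender) with the header From, looks for an executive’s name on an outside address, measures how far the sending domain is from our own, and scans for the keywords the post lists. The domain example.com, the executive roster and the three sample messages are all constructed for this example.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # assumption: our own domain
EXECUTIVES = {"john smith", "jane doe"}         # constructed executive roster
KEYWORDS = ("wire transfer", "payment", "invoice", "urgent")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is usually 1-2 edits from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list:
    """Return the list of whaling indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(str(msg.get("From", "")))
    # Return-Path is added by the receiving MTA from the SMTP envelope MAIL FROM,
    # so it is the "envelope address" the post contrasts with the header From.
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Sender name matches one of our executives, but the address is not ours
    if name.strip().lower() in EXECUTIVES and domain != OUR_DOMAIN:
        findings.append("executive name used with external address %s" % addr)
    # 2. Sending domain is a near miss of our own domain
    if domain != OUR_DOMAIN and 0 < edit_distance(domain, OUR_DOMAIN) <= 2:
        findings.append("lookalike domain %s" % domain)
    # 3. Envelope sender and header From disagree (From address spoofing)
    if envelope and envelope.lower() != addr.lower():
        findings.append("envelope sender %s differs from header From %s" % (envelope, addr))
    # 4. Common whaling keywords in the subject or the plain-text body
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in KEYWORDS if k in text]
    if hits:
        findings.append("keywords: " + ", ".join(hits))
    return findings


def is_suspicious(raw: str) -> bool:
    """One indicator alone may be benign (another John Smith exists); two or
    more together warrant the extra scrutiny the post recommends."""
    return len(analyze(raw)) >= 2


# Constructed sample messages (not real mail).
SAMPLE_ENVELOPE_SPOOF = """Return-Path: <frank.thomas@example.com>
From: John Smith <john.smith@example.com>
To: finance@example.com
Subject: Wire transfer needed today
Content-Type: text/plain; charset=utf-8

Please process the attached invoice payment before noon.
"""

SAMPLE_LOOKALIKE = """From: John Smith <john.smith@examp1e.com>
To: finance@example.com
Subject: Quick question
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need a favor.
"""

SAMPLE_BANK_ALERT = """Return-Path: <alerts@fakedomain.com>
From: First National Bank <alerts@fakedomain.com>
To: john.smith@example.com
Subject: Urgent: verify your account
Content-Type: text/plain; charset=utf-8

Your account is locked. Log in to restore access.
"""

if __name__ == "__main__":
    for label, sample in (("envelope spoof", SAMPLE_ENVELOPE_SPOOF),
                          ("lookalike domain", SAMPLE_LOOKALIKE),
                          ("bank alert", SAMPLE_BANK_ALERT)):
        print(label, "->", "SUSPICIOUS" if is_suspicious(sample) else "low", analyze(sample))
```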

Keep Personal Information Private

Scammers who want to steal your personal and financial information will look for publicly available information on social media and various other sites. Management staff should have as little personal information visible to the public as possible, including birthdays, interests, and friends and family. Social media users should review their privacy settings to ensure that this data remains hidden from the public.

Establish a Verification Process

If an employee receives an email requesting financial information, funds transfers, or other business-critical information that is not typically handled by email, the request should be verified with the sender via another channel, such as a phone call. Companies should have documented processes for how these requests are to be handled.

Protect against Data Leaks

Implement a software-based data loss prevention solution such as SecurityGateway that intercepts sensitive data and quarantines it before it has a chance to leave your network. Data Leak Prevention techniques scan email messages and attachments for highly sensitive information such as Social Security or Tax-ID numbers, bank account numbers, and passport numbers.

Questions or Comments?

Phishing and whaling scams have been going on for years, and they will continue as long as human nature dictates that people will fall for these scams. Don’t be the next victim. Arm yourself with the facts and your email infrastructure with the tools to avoid the whaler’s harpoons! If you have questions about our email safety recommendations, leave us a comment below!

10 Ways to Reduce Spam in Your Inbox

Before the invention of email, mail that arrived in your physical mailbox often contained pamphlets, sales brochures, credit card offers, and product catalogs. Much of this waste was thrown away and ended up in a landfill somewhere. Today, the equivalent and often more annoying nuisance is spam. Spam comes in many forms. Some examples include dubious product claims, miracle supplements, conspiracy theories, and offers of easy money.

Spam statistics are staggering. More than 100 billion spam messages are sent every day, representing around 85 percent of global email traffic.

So what can be done about this spam epidemic? There are numerous spam fighting tools in MDaemon and other mail servers, but server-side tools are only half of the spam-fighting equation. The other half is user education. With this in mind, here are 10 things users can do to reduce the amount of spam they receive.

  1. Unsubscribe – How often have you been asked by a store clerk for your email address or placed an order online? In either of these situations, chances are you may have ended up on a company’s mailing list. When you receive email from these companies, take the time to open the message and click on the Unsubscribe link. But first, make sure the email is in fact coming from a reputable company. If you’re not completely sure where the email came from, then report the message as spam instead of unsubscribing.
  2. Create a secondary email account – While we’re on the topic of retailers having your email address, you might also consider having a second email address that’s used solely for the purpose of store records or placing orders. This allows you to keep solicitations from these vendors out of your primary inbox.
  3. Keep your email address private – If your email address is visible on social networking sites like Facebook or Twitter, then it’s also visible to spammers. Spammers have tools that can easily detect visible email addresses and add them to their mailing lists. This is why it’s often recommended that, if you MUST use your email address on one of these sites, you mask it by changing its format. For example, type out “at” instead of using the “@” symbol.
  4. Before you join a list, make sure the list owner cannot sell your email address – If the list you’re joining has a privacy policy, read it thoroughly and make sure your information cannot be sold to a third party.
  5. Don’t reply to ANY spam or unsolicited marketing messages – Most spam messages use forged sender (return-path) addresses, so replying to a spam message will almost never result in the spammer getting your message. Replying to legitimate marketing messages tells the sender that your email address is valid, and thus, they may continue to send you spam.
  6. Never click on links – Often, when you click on a link in a spam email, it specifically identifies you to the spammer as having received the message. Not only can clicking links in spam messages identify you to the spammer; you can also end up getting infected with malware.
  7. Block Images – Even if you don’t click any links, an image opening in your email can alert spammers to a valid address. Spammers often try to be stealthy by inserting images that are only one pixel wide. If your mail client is configured to automatically open images, spammers can be alerted that your email address is valid. We recommend configuring your email client to automatically block images to reduce spam. You can always choose to view images in specific emails if you are sure the sender and content are legitimate.
  8. Make your email address unique – Spammers often use common names to try to guess email addresses. If your email address is unique, it makes it harder for spammers to guess your email address.
  9. Don’t fall for scams – If you receive an anonymous email from someone who appears to be in dire need, who promises you large sums of money for your small up-front investment, you may be witnessing the familiar Nigerian email scam, or one of many other variants. What are the odds that someone you’ve never met, who’s in a desperate situation, would contact you for help? Don’t fall for this scam.
  10. Never forward email from someone you don’t know – I often see email messages with some type of public service announcement, petition, or other bit of advice, and often, there’s a request to forward the message to your friends. Don’t fall for this, as it’s a prime opportunity for spammers to harvest email addresses.

Blocking junk email is not just the job of the mail server administrator. A well-informed email user can mean the difference between spam that is manageable and spam that is out of control. These ten tips will help you reduce spam, and help prevent you from becoming a victim to phishing or malware.

Encryption Options for Keeping Your Private Email Messages Safe

Is your company prepared for the next big data breach? According to a study by Ponemon Institute, which surveyed 567 executives in the United States on how prepared they think their companies are to respond to a data breach, the following findings were made:

  1. Most respondents believe their companies are not prepared to deal with the consequences of a data breach.
  2. Most companies have data breach response plans, but they are ineffective.
  3. Data breach response plans are often not effective because they are not reviewed in a timely manner.
  4. Data breach detection technologies are rarely deployed.

Also, consider these startling enterprise email security statistics from Virtru’s blog:

  1. 87% of senior managers upload business files to a personal email or cloud account.
  2. Email malware creation is up 26% year over year, with 317 million new pieces of malware created in 2014.
  3. Hackers targeted 5 out of 6 large companies using email attacks last year — an annual increase of 40%.
  4. Cybercrime has a 1,425% ROI.

With the proliferation of data theft and compromised systems, more companies are addressing data privacy concerns via a renewed focus on security and encryption technology.

To address these data privacy and security concerns, MDaemon administrators and users have three options for keeping confidential email messages and attachments secure – SSL/TLS, Virtru, and OpenPGP. When an email message is sent, SSL or TLS is used to encrypt the connection from the mail client to the server or from the sending mail server to receiving mail server. Virtru provides end-to-end message and attachment encryption, and OpenPGP provides server-side encryption and key management as well as client-side encryption (when used with an OpenPGP plug-in on the mail client).

Encrypting the Connection with SSL or TLS

When you use POP or IMAP to retrieve your email messages, your username and password are transmitted in clear-text across the internet. This means that anyone using the same network or wireless connection as you, or anyone who has access to internet traffic at your ISP, can potentially intercept your data and read your login credentials. A hacker with malicious intent can then read your email, steal confidential information, or send out thousands of spam messages from your account. Your email credentials are valuable to spammers because the success rate of their solicitations is much greater than if they had simply forged the return-path of the message (which is characteristic of most spam messages).

One method for preventing hackers from being able to “sniff out” private data that’s in transit over the network is to use SSL or TLS. SSL and TLS are methods for encrypting the connection between two mail servers (SMTP) or between the mail server & mail client (POP & IMAP). In other words, the communication channel is encrypted – not the email message itself. A good explanation of SSL can be found here: https://www.digicert.com/ssl.htm

Normally, SMTP traffic is sent client-to-server or server-to-server over port 25. If you’d like the SMTP connection to be encrypted using SSL, you can configure your mail client to send outbound SMTP traffic over port 465 (the default SSL port) and configure MDaemon or SecurityGateway to listen on port 465 as well. Likewise, the default POP3 SSL port is 995, and the default IMAP SSL port is 993.

This knowledge base article contains instructions for configuring SSL features for SMTP, POP, and IMAP for MDaemon.
http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=841

This knowledge base article explains how to configure SSL features for SMTP & HTTP in SecurityGateway:
http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=481

When SSL or TLS is used, only the connection is encrypted, not the message itself. If you’d like the message content to be encrypted, continue reading for how to encrypt email messages and attachments using Virtru and OpenPGP.

Client-Side Message & Attachment Encryption with Virtru

While SSL & TLS encrypt the connection, Virtru (included with MDaemon) encrypts the actual email message. Virtru provides end-to-end encryption – meaning the message is encrypted on the sending client and decrypted on the receiving client. Messages encrypted via Virtru are stored in their encrypted state on the server and cannot be decrypted without the proper keys.

Server-Side Message & Attachment Encryption with OpenPGP

With OpenPGP, messages are encrypted on the server, but they can also be encrypted on the mail client if an OpenPGP plug-in has been installed. The MDaemon administrator enables the OpenPGP features, creates public & private keys for users, and selects users who are allowed to use OpenPGP. Use the MDPGP configuration screen (located under the Security menu) to configure automatic encryption & key exchange, encryption key size and expiration, and to import keys. You can also create content filter rules to encrypt messages that meet specific criteria using OpenPGP.

This knowledge base article contains step-by-step instructions for enabling MDaemon’s OpenPGP features, configuring who can use it, and creating public & private keys for users.

Are These Features Easy to Use?

SSL and TLS are enabled by simply enabling the SSL ports on the mail server and configuring your mail client to use the SSL ports.

With Virtru, you’re up and running by simply enabling the feature in WorldClient. When you enable Virtru in WorldClient, your request is first sent to Virtru for processing. Within seconds, you’ll receive a pop-up message indicating that Virtru is now ready to start encrypting and decrypting your messages and message attachments. It’s that simple!

And for OpenPGP, options are available to help automate the encryption, decryption, and key import/exchange processes.

Conclusion

To recap, SSL & TLS can be used to help prevent eavesdropping on your email communication channel by encrypting the connection, while Virtru & OpenPGP can be used to help keep your email messages safe from unauthorized access by encrypting the actual email messages and attachments. Together, these security measures help to ensure that your confidential business data remains safe from unauthorized access.

Are you ready to ensure your important business communications are safe from prying eyes? Then download MDaemon and get started with SSL, Virtru, and OpenPGP!

18 Email Safety Tips Every User Should Know

As mail server administrators, we may have extensive knowledge on how to use email safely and securely, but what about end users? You do everything you can to block spam & malware, but if you don’t educate your users and one of them clicks on a link in a spam message, your network can be made vulnerable. Consider these recent cases that could have been avoided if users were armed with the right information to identify phishing scams and other threats.

  • CEO fraud (a scam in which the attacker spoofs the boss or CEO in order to trick someone into wiring funds to the scammer) and W-2 Phishing (in which scammers impersonate the boss in order to get access to employee tax forms) are being combined in new & more widespread attacks.
  • A malware development team known as The Dukes may have been responsible for targeting think tanks and NGOs in multiple spear phishing attacks. These attacks purported to be from individuals at Transparency International, the Center for a New American Security (CNAS), the International Institute for Strategic Studies (IISS), Eurasia Group, and the Council on Foreign Relations (CFR). In addition to these spear phishing attacks, other attacks included less-targeted spam email blasts that contained Word or Excel documents. The recipient is instructed to enable macros which, when enabled, allow hackers to automatically download and run malicious code.
  • Toy maker Mattel was hit with a phishing email requesting a new vendor payment to China. Their finance executive received the phishing email claiming to come from their new CEO. Standard protocol required two high-ranking officials to approve these types of transactions. Because the finance executive and the CEO both qualified as high-ranking officials, she approved the transaction and wired over $3 million to the Bank of Wenzhou, in China.

These are just a few high-profile incidents among many others that could have been prevented if the user had been better informed on email safety and security.

Email security isn’t just the email provider’s or administrator’s responsibility. It’s everybody’s responsibility. Here is a list of safety tips all mail server administrators should share with their users to help keep spam & malware to an absolute minimum.

  • Change your password often.
  • Use strong passwords. Never use a password that contains “password” or “letmein”.
  • Use a different password for each of your accounts. If you use the same password for your bank account as you do for your email account, you become much more vulnerable to data theft.
  • Don’t open an attachment unless you know who it is from & are expecting it.
  • Be cautious about email messages that instruct you to enable macros before downloading Word or Excel attachments.
  • Use anti-virus software on your local machine, and make sure it’s kept up-to-date with the latest virus definitions.
  • If you receive an attachment from someone you don’t know, don’t open it. Delete it immediately.
  • Learn how to recognize phishing:
    – Messages that contain threats to shut your account down
    – Requests for personal information such as passwords or Social Security numbers
    – Words like “Urgent” – false sense of urgency
    – Forged email addresses
    – Poor writing or bad grammar
  • Hover your mouse over links before you click on them to see if the URL looks legitimate.
  • Instead of clicking on links, open a new browser and manually type in the address.
  • Don’t give your email address to sites you don’t trust.
  • Don’t post your email address to public websites or forums. Spammers often scan these sites for email addresses.
  • Don’t click the “Unsubscribe” link in a spam email. It would only let the spammer know your address is legitimate, which could lead to you receiving more spam.
  • Understand that reputable businesses will never ask for personal information via email.
  • Don’t send personal information in an email message.
  • Don’t reply to spam. Be aware that if you reply to a spam email, your reply most likely will not go back to the original spammer, because the FROM header in the spam message will most likely be forged.
  • Don’t share passwords.
  • Be sure to log out.

In many ways, your network is only as strong as its weakest link. Don’t be that weak link. In addition to the tools administrators use to keep unwanted threats out, user education is key to keeping your network secure.

Follow These 13 Tips to Avoid Being Blacklisted

With the prevalence of spam circulating the globe in massive amounts, it becomes increasingly important for administrators to understand the potential causes of their IP address ending up on a blacklist. Spammers employ all kinds of tricks to try to send out as many spam messages as possible without revealing their identities. They do this through various techniques such as social engineering, employing malware, botnets, forging of message headers, and exploiting weaknesses in email systems or network infrastructures. For the spammer, it’s basically a numbers game. It costs next to nothing to send out thousands of spam messages, and if even a small handful of people click on a link or purchase a product advertised in a spam message, the spammer can profit. If your email infrastructure is not properly secured, then you risk being infected with malware and becoming part of a spam botnet. Even if your server is not infected with malware, if your firewall and mail server security settings are not configured properly, your IP address could wind up on a blacklist. To protect yourself from being blacklisted, consider the following recommendations:

  • Require strong passwords – It is common for spammers to perform dictionary attacks on mail servers. A dictionary attack uses a large list of words that are commonly used as passwords to try to guess a password and take over an account. To combat this, your users should always use strong passwords. Passwords such as “password1” should be avoided. Users should use passwords that contain both uppercase and lowercase letters, numbers, and symbols. In MDaemon, you can require strong passwords via the Accounts | Account Settings | Passwords menu.
  • Require SMTP Authentication – We recommend requiring all users to use SMTP authentication. In MDaemon, go to Security | Security Settings | Sender Authentication | SMTP Authentication. Then, check the box “Authentication is always required when mail is from local accounts.” Make sure “…unless message is to a local account” is unchecked. In SecurityGateway, these settings can be found under Security | Anti-Abuse | SMTP Authentication.
  • Do not allow relaying – Relaying occurs when mail that is neither to nor from a local account is sent through your mail server. It is very common for spammers to exploit open relays; therefore, you should ensure that your server does not relay mail. In MDaemon, go to Security | Security Settings | Relay Control, and check the following three boxes:
    – Do not allow message relaying
    – SMTP MAIL address must exist if it uses a local domain
    – SMTP RCPT address must exist if it uses a local domain

We do not recommend checking the exclusion boxes on this screen.

In SecurityGateway, these settings can be found at Security | Anti-Abuse | Relay Control.

  • Make sure you have a valid PTR record that maps your outbound public IP to your mail server’s fully qualified domain name (FQDN), e.g. mail.example.com. Your ISP can create this record for you. A PTR record allows receiving servers to perform a reverse DNS lookup on the connecting IP address to verify that the server name is actually associated with the IP address from which the connection was initiated.
  • Set up an SPF record – SPF (Sender Policy Framework) is an anti-spoofing technique that determines if an incoming email from a domain was sent from a host that is authorized to send mail for that domain. This is basically the opposite of an MX record, which specifies hosts that are authorized to receive mail for a domain.
  • Configure the IP Shield – IP Shielding is a security feature that allows you to specify IP addresses or IP address ranges that are allowed to send mail for a particular domain. You should configure your IP shield to only accept mail from your local domain if it came from an authorized IP address (such as one on your local network). This feature can be found under Security | Security Settings | IP Shield. For your users who may be sending email from outside of your network, you can configure exceptions by checking the box “Don’t apply IP Shield to authenticated sessions.” In SecurityGateway, the IP shield can be found under Security | Anti-Abuse | IP Shielding.
  • Enable SSL – SSL (Secure Sockets Layer) is a method for encrypting the connection between a mail client and the server. In MDaemon, go to Security | Security Settings | SSL & TLS. Click on MDaemon, and check the box “Enable SSL, STARTTLS, and STLS.” Also, make sure you have a valid certificate in the blank below. More information on configuring SSL can be found in this knowledge base article:
    http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02305

Make sure all mail clients are communicating with the mail server over the SSL ports (587 for MSA, 465 for SMTP, 995 for POP, or 993 for IMAP).

In SecurityGateway, these settings can be found under Setup/Users | System | Encryption.
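As an added example (not from the original post or the product), here is a minimal SPF evaluator showing what a receiving server does with the SPF record described above: it walks the record’s mechanisms in order and returns the qualifier of the first one that matches the connecting IP. The DNS records, host names and addresses are constructed stand-ins for live lookups.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (an assumption of this
# example; none of these records, hosts or addresses are real).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
DNS_MX = {"example.com": ["mail.example.com"]}
DNS_A = {"mail.example.com": ["203.0.113.25", "192.0.2.7"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate the connecting client_ip against domain's SPF record.

    Returns one of pass / fail / softfail / neutral / none. This is a small
    subset of RFC 7208: the ip4, ip6, a, mx, include and all mechanisms, with
    no macro support and no permerror/temperror handling.
    """
    record = DNS_TXT.get(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1" or depth > 10:
        return "none"  # no usable record (or include chain too deep)
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain  # a/mx default to the record's own domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ipaddress never places a v4 address inside a v6 network or vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in DNS_A.get(target, [])
        elif mech == "mx":
            # the MX hosts' A records are the authorized senders
            matched = any(str(addr) in DNS_A.get(h, []) for h in DNS_MX.get(target, []))
        elif mech == "include":
            # include: matches only when the referenced record yields "pass"
            matched = evaluate_spf(arg, client_ip, depth + 1) == "pass"
        else:
            continue  # unknown mechanism: skipped here (a real evaluator returns permerror)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    for ip in ("203.0.113.77", "192.0.2.7", "198.51.100.10", "198.51.100.11", "2001:db8::1"):
        print(ip, "->", evaluate_spf("example.com", ip))
```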

  • Enable Account Hijack Detection – The account hijack detection feature can be used to limit the number of messages an account can send in a given period of time. This feature applies to authenticated sessions only, and is used to prevent a compromised account from being used to send out massive amounts of spam and risk getting your server blacklisted. In MDaemon, this setting can be found under Security | Security Settings | Screening | Hijack Detection. In SecurityGateway, it can be found under Security | Anti-Abuse | Account Hijack Detection.
  • Enable Dynamic Screening – Similar to account hijack detection, dynamic screening can be used to block connections from IP addresses based on the behavior of activity coming from those IPs. For example, dynamic screening can be used to block connections from IPs that fail a specified number of authentication attempts, or IPs that try to connect a specified number of times in a given period of time. In MDaemon, this feature can be found under Security | Security Settings | Screening. In SecurityGateway, it can be found under Security | Anti-Abuse | Dynamic Screening.
  • Sign Messages with DKIM – DomainKeys Identified Mail (DKIM) helps protect email users against email address identity theft and email message content tampering. It does this by providing positive identification of the signer’s identity along with an encrypted “hash” of the message content. With DKIM, a private and public key pair is created. The public key is published to the signing domain’s DNS records, and outbound messages are signed with the private key. The receiving server can then read this key from the DKIM-Signature header of the message, and then compare it with the public key in the sending domain’s DNS records. For more information on DKIM signing in MDaemon, please see the following knowledge base article: http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02577. In SecurityGateway, these settings are located at Security | Anti-Spoofing | DKIM Signing.
  • Trusted Hosts & Trusted IPs – Make sure only hosts or IPs that you trust are listed on the Trusted Hosts and Trusted IPs screens. Trusted Hosts and trusted IPs are exempt from various security settings, so if any IPs or hosts that you do not completely trust are listed, your server may become vulnerable to relaying and sending out spam. In MDaemon, this feature is located under Security | Security Settings.
  • Block port 25 outbound on your network – Configure your firewall to only allow outbound connections on port 25 from your mail server or spam filter appliance. No other computers on your network should be allowed to send outbound data on port 25. If you suspect that you have a device on your network that is sending out spam over port 25, then see my post “Tracking Down a Spambot” for more information.
  • Configure your firewall to log all outbound activity on port 25 from all machines on your network – to help track down any machines that may be relaying mail.
  • Use a static IP – Various problems can arise from using a dynamic IP on your mail server. If the server loses its internet connection, then comes back online with a different IP address, your DNS records will still point to the old IP address. If another computer gets your old IP address, then other problems can arise. For example, if the computer has a properly configured MTA on port 25, then your mail would be bounced. If the computer has an open relay MTA on port 25, then your mail will be relayed by this machine. If the machine is on a blacklist, your mail will be lost. For these reasons, we recommend using a static IP on the mail server.
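The two dynamic screening criteria above (too many failed logins, or too many connections, from one IP inside a time window) can be expressed as a sliding-window check. This is an added example, not MDaemon's or SecurityGateway's code; it runs over constructed log lines in a made-up format, not MDaemon's real log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log format (NOT MDaemon's real log format):
#   "<ISO timestamp> <EVENT> <client IP>"   with EVENT one of CONNECT, AUTH_OK, AUTH_FAIL
def make_sample_log():
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 203.0.113.7: six failed logins in two minutes (a password-guessing pattern)
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} AUTH_FAIL 203.0.113.7")
    # 198.51.100.4: three failures spread over half an hour (a user mistyping a password)
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} AUTH_FAIL 198.51.100.4")
    # 192.0.2.9: twenty-five connections in under a minute (a connection flood)
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} CONNECT 192.0.2.9")
    # 192.0.2.50: a normal client that connects and authenticates once
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} CONNECT 192.0.2.50")
    lines.append(f"{(base + timedelta(minutes=1, seconds=1)).isoformat()} AUTH_OK 192.0.2.50")
    return lines

def screen(lines, fail_limit=5, conn_limit=20, window=timedelta(minutes=5)):
    """Sliding-window dynamic screening: return {ip: reason} for every IP that reaches
    fail_limit failed logins or conn_limit connections inside any `window`."""
    fails = defaultdict(deque)   # ip -> timestamps of recent AUTH_FAIL events
    conns = defaultdict(deque)   # ip -> timestamps of recent CONNECT events
    blocked = {}
    for line in sorted(lines):   # fixed-width ISO timestamps sort correctly as strings
        ts_text, event, ip = line.split()[:3]
        if ip in blocked:
            continue             # already screened; a real server would refuse the connection
        if event == "AUTH_FAIL":
            history, limit, what = fails[ip], fail_limit, "failed logins"
        elif event == "CONNECT":
            history, limit, what = conns[ip], conn_limit, "connections"
        else:
            continue             # successful logins do not count against anyone
        ts = datetime.fromisoformat(ts_text)
        history.append(ts)
        while ts - history[0] > window:   # drop events that have left the window
            history.popleft()
        if len(history) >= limit:
            blocked[ip] = f"{len(history)} {what} within {window}"
    return blocked

if __name__ == "__main__":
    for ip, reason in screen(make_sample_log()).items():
        print(f"block {ip}: {reason}")
```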

If you follow these recommendations, your chances of being blacklisted are greatly reduced. These practices will help ensure that you are not relaying mail, that your communications are encrypted, that users are authenticated, and that spambots have not been able to send out mail from your network.

Are You Suffering from Inbox Overload?

Are you suffering from Inbox Overload? Do you spend too much time trying to keep your inbox under control without losing productivity? Do you find yourself checking your work email well into the evening, or checking personal email during business hours? In today’s always-on, always-connected society, many people struggle with work-life balance. With email being such a ubiquitous communication tool, it is more important than ever to keep the clutter out of your inbox, and to reduce your time spent dealing with email. These tips can help you keep your inbox organized & free up time that you would have spent managing your email for other, more productive or rewarding tasks.

Keep spam under control

Know how to identify phishing and scams and don’t respond to them
Phishing scams often have the following characteristics:

  • Links in the email asking you to enter your personal information on an online form
  • Threats such as “If you do not fill out the attached form, your account will be deleted.”
  • Spelling and grammar errors
  • Links to malicious sites. It is good practice to hover your mouse over a link in an email before you decide to click on it. Often, phishing emails will show a link to a well-known URL, such as www.amazon.com, but when you hover your mouse over it, the real address that the link points to is a site containing malware, so know how to spot these links & if you are unsure about a link’s legitimacy, do not click on it.
  • Official-looking company logos and graphics. It’s very easy to create a malicious website that looks identical to a legitimate website. When in doubt, never click on an image or link in an email message. Open your browser and manually type in the company’s URL.

Use the Bayesian Learning Feature (Don’t just Delete It)
Spam messages that find their way into your inbox can be fed into MDaemon’s Bayesian Learning system so that MDaemon’s spam filter can become more accurate over time. The Bayesian classification system is enabled via Security | Spam Filter | Bayesian Classification in MDaemon. Make sure the first box “Enable Bayesian Classification” is checked. At the bottom of that screen, you will see the paths to the Bayesian spam and non-spam folders. In WorldClient, a user will see two buttons (a thumbs-up & a thumbs-down button). When that user has been given proper rights to view the Bayesian Learning folders, he or she will be able to mark messages as spam or non-spam using these buttons in WorldClient. More information can be found in the following knowledge base article:

Training the Bayesian Learning Process in MDaemon Pro
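How feeding messages back in makes a Bayesian classifier more accurate, as an added example that is not MDaemon's own classifier: a simplified naive Bayes filter trained on a constructed corpus, then corrected by "thumbs-down" feedback on a message it initially let through.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9']+")

def tokenize(text):
    """Distinct lower-cased word tokens; a word counts once per message."""
    return set(TOKEN.findall(text.lower()))

class BayesianFilter:
    """Simplified naive Bayes spam classifier with add-one smoothing.
    Illustrative only: MDaemon's real Bayesian classifier is not this code."""

    def __init__(self):
        self.docs = {True: 0, False: 0}                    # messages seen per class
        self.words = {True: Counter(), False: Counter()}   # messages containing each word

    def train(self, text, is_spam):
        """Learn from one message, as a thumbs-up/thumbs-down click would feed it in."""
        self.docs[is_spam] += 1
        self.words[is_spam].update(tokenize(text))

    def _log_score(self, tokens, cls):
        total = self.docs[True] + self.docs[False]
        score = math.log((self.docs[cls] + 1) / (total + 2))   # smoothed class prior
        for w in tokens:
            # P(word appears | class); +1/+2 smoothing so an unseen pair never hits zero
            score += math.log((self.words[cls][w] + 1) / (self.docs[cls] + 2))
        return score

    def spam_probability(self, text):
        known = set(self.words[True]) | set(self.words[False])
        tokens = [w for w in tokenize(text) if w in known]   # never-seen words carry no evidence
        diff = self._log_score(tokens, False) - self._log_score(tokens, True)
        diff = max(-700.0, min(700.0, diff))                  # keep exp() in range for long mail
        return 1.0 / (1.0 + math.exp(diff))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold

# Constructed training corpus (not real mail).
SPAM = [
    "Claim your free prize now! Click here to win cash",
    "Cheap meds online, order now and save",
    "You have won a free vacation, click here",
]
HAM = [
    "Meeting moved to 3pm, see updated agenda attached",
    "Can you review the quarterly report before Friday",
    "Lunch tomorrow? Let me know what works",
]

def build_filter():
    f = BayesianFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f

if __name__ == "__main__":
    f = build_filter()
    missed = "Your account will be deleted unless you fill out the attached form"
    sibling = "Your account will be closed unless you complete the attached form"
    print("obvious spam:", round(f.spam_probability("Congratulations, you have won a free iphone, click here"), 3))
    print("before feedback:", round(f.spam_probability(sibling), 3))
    f.train(missed, True)          # the user clicks thumbs-down on the missed message
    print("after feedback:", round(f.spam_probability(sibling), 3))
```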

Use Extra Email Addresses for Specific Purposes
Do you give the same email address to your friends, family, sales associates, or to just about anyone else who asks for it? If so, then you’re probably getting more spam than you would like. A good practice is to have an email address that you give to friends & family, one for business, and one that you would use for shopping, or for signing up for mailing lists or newsletters.

Take Action Immediately

When you receive a new email message, it’s good practice to take action on it immediately. A popular method for this is to use the four D’s: delete it immediately, do it (if it can be done in less than two minutes), delegate it (forward it) or defer it (if it will take longer than two minutes). You may also want to archive it or set a reminder to look at it later. You can also file it into another folder (see Create & Use Folders later in this article).

Unsubscribe from Newsletters You No Longer Need

Are you still receiving newsletters from something you signed up for three years ago? If they are no longer relevant or you are no longer interested, you should be able to unsubscribe from them. Newsletters from reputable sources will often include instructions on how to unsubscribe.

Don’t Abuse the “Reply all” Feature

If you received an email addressed to multiple recipients, and you need to reply to the sender, be careful with the “Reply all” feature. If you only need to reply to the message sender, then reply directly & help keep unwanted mail out of others’ inboxes.

Stop Forwarding from Old Accounts

When someone changes his or her email address, it is common practice to forward all mail from the old address to the new one – at least until all parties involved have been made aware of the new email address. Often, forwarding will be left active on the old account indefinitely. Over time, once all parties involved have been made aware of the new address, the only mail still being forwarded from the old address tends to be spam or perhaps old newsletters.  At this point, it is safe to turn off forwarding from this account (or delete the account entirely).

Mask Your Email Address on Public Sites

Spam robots are constantly crawling thousands of sites, looking for email addresses they can harvest for their next spam campaign. Some of the most common places these spam crawlers look for email addresses are blogs, message boards, forums, and guest books. If you must post your email address on these sites, consider replacing the @ symbol with <at> and the .com with (dot)com. For example: <frank.thomas>(at)<example> (dot) <com>.

Create & Use Folders

In time, your inbox can become cluttered with all types of email messages. One way to stay organized is to create multiple email folders and label them so that you can categorize your messages for easy retrieval. In WorldClient, you can easily create mail folders (or folders of any other type) via the Options menu.

Use Rules or Filters

You can also create rules to automatically filter messages that meet certain criteria into your other mail folders. In WorldClient, these filters can be created via the Options | Filters menu. For example, I have a special folder created for a particular newsletter that I’m subscribed to. I use the filter to automatically place those messages into the designated folder. Not only does this keep me more organized, but it also keeps me from getting a “New Email” notification for these messages since they aren’t going directly into my Inbox. Fewer notifications = fewer interruptions = greater productivity.

Keep Inbox Message Count to a Minimum

When you check your email, decide what you want to do with any new messages that arrive (see Take Action Immediately above). By acting immediately, you will keep your inbox at a reasonable size. Inbox Zero is a technique many people use to keep their inboxes down to a manageable size. You can learn more about Inbox Zero in this blog post.

Send & Receive Less Frequently

In today’s fast-paced business environment, it’s quite easy to be distracted by phone calls, emails, meetings, and other interruptions. If your mail client is notifying you every three minutes that you have an email message waiting, you may be tempted to click on it every time. Ask yourself: Does this have to be tended to at this very moment? You might try configuring your mail client to check for new mail every 15 minutes instead of every three minutes. If a matter must be addressed in less than 15 minutes, then it may be better to meet in person or over the phone.

These are just a few tips to help keep your Inbox under control. With these practices, your inbox will be better organized, you’ll receive less junk email, and you’ll be spending less time dealing with email & more time doing what you’d rather be doing – being productive.

Do you have other Inbox Management tips? Share them with us via the Comments section below!

Outlook Connector Performance Tips

With the recent release of Outlook Connector 4.0, I wanted to review with you some guidelines for improving the performance of Outlook Connector. Outlook’s performance is affected by many things, including the amount of data it has to keep track of, any add-ons that are installed, how often it checks for new mail, and various other factors. The following guidelines will help ensure you get the best performance out of Outlook when using Outlook Connector.

  1. With each new version of Outlook Connector, various performance enhancements are made, thus, we recommend using the latest version of Outlook Connector on the MDaemon server and the latest Outlook Connector plug-in on each client. On the MDaemon server, you can check the version of Outlook Connector that’s installed by navigating to Help – View the release notes for your version of Outlook Connector. Users can verify their version of the Outlook Connector plug-in by clicking on the “About” tab on the Outlook Connector toolbar in Outlook. Click here to download the latest version of Outlook Connector. On this page, click on the “Download Now” button to download Outlook Connector on the server. There are also links to download the 32-bit and 64-bit versions of the Outlook Connector client.
  2. We recommend using Outlook Connector with MDaemon 14 and above. Newer versions of MDaemon also have various performance enhancements. You can get the latest version of MDaemon here.
  3. We recommend disabling all Outlook Add-ins except the Outlook Connector plug-in. In Outlook 2016, 2013 & 2010, add-ins are located under File – Add-ins. In Outlook 2007, they’re located under Tools – Trust Center – Add-ins.
  4. Regular defragmentation of the MDaemon server’s hard disk is recommended. Server performance can be further improved by reducing the amount of logging MDaemon is doing (Setup – Server Settings – Logging – Settings) along with moving the Logs folder and User, Public and Queues folders to a physically separate disk. When moving logs, queues, or public folders to a separate drive, simply map a drive letter to the drive, then update the Directories section of the MDaemon.ini file (located in the MDaemon/App directory) with the new path to these directories.

    (Screenshot: MDaemon directories, where MDaemon stores mail, queues, logs, etc.)
  5. We recommend periodically purging and compacting the Outlook Connector database file (local cache). Follow these steps to compact the local cache file:
    1. Make sure Outlook is shut down, and navigate to the Windows control panel.
    2. Click on the Mail control panel.
    3. Click on Email Accounts.
    4. Double-click on your Outlook Connector account.
    5. Click on the Database Management tab.
    6. Locate the Purge Database section and click on the Purge button.
    7. Locate the Compact Database section, and click on the Compact button. You can also check “Compact database on Outlook shutdown” to compact the database each time Outlook is shut down.

      (Screenshot: Outlook Connector Database Management)
  6. The local Outlook Connector cache file should be excluded from real-time scanning by third party desktop antivirus applications. By default, the local Outlook Connector cache is located at C:\Documents and Settings\-username-\Application Data\Alt-N\Outlook Connector 4.x\ProfileName\account-name\User’sEmail@YourCompany.com.
  7. Outlook should only be configured to use HTML or Plain Text format for sending emails. Depending on the version of Outlook you are using, these settings can usually be found via Tools – Options – Mail Format tab. Outlook should not be configured to use Word as its email editor or to use Rich Text Format (RTF). Both of these methods result in emails which do not adhere to Internet standards.
  8. We recommend configuring Outlook Connector’s Send/Receive tab (located under the Account button in the Outlook Connector toolbar) to only check the Inbox folder for new items at each Outlook send/receive interval.
  9. Outlook Connector includes the option “Download Headers Only” under the Send/Receive tab of the Outlook Connector Client configuration screen. When this option is enabled, Outlook only downloads the information needed to show messages in the message list, and not the full content of each message. When you click on a message, the rest of the message is downloaded for viewing. Users may experience a slight delay in viewing messages in the preview pane when “Download Headers Only” is enabled because Outlook has to download the rest of the message when it is selected.
  10. We recommend configuring the Send/Receive schedule to check for new mail every 3 minutes.
  11. We recommend performing these housekeeping tasks regularly:
    1. Delete any email messages, calendar items, and contacts that are no longer needed.
    2. Empty the Deleted Items folder by right-clicking it and selecting Empty Folder.
    3. Delete unwanted items from the Sent Items folder.
    4. Move items out of the Inbox to other mail folders.
    5. Archive old messages. Mail server administrators can implement a server-wide archiving solution such as MailStore to help cut down on the amount of data stored in user mailboxes.

Following these guidelines will help ensure that Outlook Connector continues to run smoothly. For more information, please see our Outlook Connector how-to guides. As always, I’m available if you have questions!

Are you doing enough to protect your email privacy?

For many of us, email has become our primary method of communication in both our business and personal lives. An email address, however, is often used for many more purposes than simply sending electronic messages. Many of us use our email address to log into social networking sites, utility and credit card sites, banking sites, and much more.

Your email account is often the gateway to your personal life, and thus, is a valuable target for hackers. John McAfee said, “Email accounts are the fundamental identifying elements of the internet. The assumption is that if a person has access to an email account then that is the real person. Yet these accounts are the easiest elements of the digital world to hack into.” According to a recent ZDNet study, with a single phishing email, about 45% of all recipients submitted their full login credentials. Another study by Intel found that 97% of all computer users could not identify all 10 out of 10 phishing emails.

Hackers have a variety of tools at their disposal, from sophisticated spear-phishing to malicious documents to social engineering tricks, so are you doing enough to protect your email privacy?

Follow these 8 best practices to help ensure that your email communications are kept private.

Use strong passwords

A strong password that is not easily guessed should contain a combination of upper and lower-case letters, numbers, and symbols. Never use a password that can be easily guessed, and never use any of the passwords listed on the “most popular and therefore worst” passwords list. MDaemon includes tools that allow administrators to enforce strong password policies. See this blog post for more information.

Spammers know that many people use the same password across multiple sites and services. Therefore, you should be using a different password for each site.

Never click on suspicious links

Spammers have gotten very creative at making spam email messages look legitimate, using HTML and images that, when clicked, lead to fake websites designed to collect your personal information or to deliver malware, including keyloggers designed to capture everything you type, and ransomware. Therefore, never click on links in an email message unless you’re absolutely sure you have verified and trust the sender.

Many phishing messages contain images such as logos that look legitimate, but, when clicked, lead to malicious sites. If you hover your mouse over a link, you can often see the destination URL, which often does not match the word or image associated with it.

If you see an “unsubscribe” link, don’t click on it! This would only serve to let the spammer know your address is valid and, more importantly, these links are easily forged and could lead to malware infections.

If you are prompted to click on a link that appears to point to a legitimate site that you know and trust, it is better to manually type the URL into your browser than to click on a link that has not been verified.
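The hover check described here and under “Know how to identify phishing and scams” earlier on this page can be automated for an HTML message body. This is an added example (not MDaemon's or WorldClient's code) using only the Python standard library; the sample message is constructed, and the domain comparison uses a crude last-two-labels rule rather than a public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or a domain name
URL_LIKE = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag == "img" and self._href is not None:
            self._text.append("[image]")        # a logo or button is the clickable thing

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(" ".join(self._text).split())))
            self._href = None

def host_of(url):
    """Host part of a URL; bare domains in link text are treated as http:// URLs."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    """Crude 'owner' domain: the last two labels (no public suffix list in this example)."""
    return ".".join(host.strip(".").split(".")[-2:])

def audit_links(html):
    """One (kind, visible text, real destination) finding per link that deserves a look
    before clicking; links whose text names the same site they point to are not reported."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = text.strip().lower()
        if URL_LIKE.match(shown):
            if registrable(host_of(shown)) != registrable(host_of(href)):
                findings.append(("mismatch", text, href))    # displayed site != real destination
        elif "[image]" in shown:
            findings.append(("image-link", text, href))      # logo/button hides its destination
        else:
            findings.append(("opaque", text, href))          # "Click here" style wording
    return findings

# Constructed sample message body (not a real phishing mail).
SAMPLE_HTML = """<html><body>
<p>Your order could not be processed. Please sign in at
<a href="http://amazon-verify.example.net/login">www.amazon.com</a> to confirm.</p>
<p>Help: <a href="https://www.example.com/help">https://www.example.com/help</a></p>
<p><a href="http://update-now.example.org/form">Click here</a> to update your details.</p>
<p><a href="http://update-now.example.org/go"><img src="cid:logo" alt="Bank logo"></a></p>
</body></html>"""

if __name__ == "__main__":
    for kind, text, href in audit_links(SAMPLE_HTML):
        print(f"{kind:10} shown={text!r:28} really goes to {href}")
```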

Never reply to spam or unsolicited email messages

Spam can be a very annoying nuisance, so as humans, we may let our emotions get the best of us and reply to a spam message with “Please take me off your email list” or “Quit spamming me!” There are two problems with replying to spam. First, many spam messages come from forged addresses, so the spammer is unlikely to receive your message. Second, replying can let the spammer know your address is legitimate, which may lead to even more spam.

Don’t post your email address in blog posts, online comments, or social media

Scammers often scrape social media sites for email addresses that they can exploit, so if you must post an email address to one of these sites, mask the address by adding spaces or spelling out (at) instead of using the @ symbol.

Use Encryption

Email messages, by default, are transmitted in plain-text. This can potentially open them up to interception by a nefarious third-party. While SSL & TLS are used to encrypt the connection between mail clients and mail servers, it is good practice to encrypt the email message itself. Encryption protects sensitive data by converting plain-text to cipher text. This cipher text can only be decrypted using the proper private encryption key.

MDaemon has options for encrypting connections using SSL & TLS, as well as server-side and client-side encryption options using Virtru and OpenPGP. A couple of months ago, I wrote a blog post about these options. Click here to read about MDaemon’s encryption options.

Use Two-Factor Authentication

Passwords alone are often not enough to protect your data against increasingly sophisticated attacks. With two-factor authentication, users must provide a password and a unique verification code that is obtained via a client that supports Google Authenticator (available in the Google Play store). This blog post contains more information on how to use two-factor authentication with MDaemon and WorldClient.

Know the risks of using public Wi-Fi

Public Wi-Fi provides a convenient way to access the internet while on the go, but if you’re not careful, it may come at a great price. Unsecured Wi-Fi hotspots are prime targets for hackers, who are often able to position themselves between you and the internet connection, allowing them to intercept every bit of information you transmit. Hackers can also use unsecured Wi-Fi hotspots to distribute malware. If you have file sharing enabled, you are especially vulnerable. To reduce risk, make sure any Wi-Fi hotspot you connect to is secured and from a reputable source that you trust. If you must connect to a public hotspot, it is good practice to use a VPN to ensure that transmitted data is encrypted.

Lock your computer when away from your desk

This may sound like a given, but an unattended computer that has not been locked allows anyone access to your information. You might not consider this a big issue if you work for a small business, but if you work in an industry with privacy regulations, such as health care or financial institutions, or if you store sensitive company information such as revenue or other confidential information, leaving your computer unlocked could have serious consequences, including loss of job, damaged company reputation, or even legal problems.

Conclusion

Whether your primary interest is protecting company information or your own personal data, email privacy is everyone’s responsibility, and often, the weakest point of entry into a treasure trove of sensitive data is a negligent or uninformed user. Don’t let that user be you. Use these tips to stay ahead of the bad guys!

5 Steps to Achieving Inbox Zero

Unless you live in a cave, chances are you use email as a primary method of business communication. You’re also likely to receive tons of annoying, non-business related email, such as newsletters, press releases, mailing list messages, and follow-up messages that clutter up your Inbox. Without a clear strategy for dealing with all of this distracting junk, valuable time is wasted on unimportant tasks, and productivity suffers. In other words, you may be afflicted with “email overload.”

So how do we deal with the influx of email that grabs at our limited supply of attention? Merlin Mann invented the concept of Inbox Zero. From TechTarget, Inbox Zero is defined as “a rigorous approach to email management aimed at keeping the inbox empty — or almost empty — at all times.” According to Mann, zero does not refer to the number of messages in your Inbox. Instead, it refers to the amount of time one spends thinking about his Inbox. A key point that is made is that when one confuses his Inbox with a to-do list, productivity suffers. Mann states, “It’s about how to reclaim your email, your attention, and your life. That zero? It’s not how many messages are in your inbox–it’s how much of your own brain is in that inbox – especially when you don’t want it to be. That’s it.”

So with the daily influx of email, how can we achieve Inbox Zero? Mann says that for every email message, there are five possible actions to take:

  • Delete
  • Delegate
  • Respond
  • Defer
  • Do

Let’s take a closer look at these actions.

Delete:  When a new message arrives, the first thing you should ask yourself is “Am I REALLY going to read or respond to this email?” If you’re not sure, then chances are you’re not going to make it a priority, and then it will sit there in your Inbox while other messages that should have been deleted come piling in after it. As Merlin Mann says in this article, “every email you read, re-read, and re-re-re-re-re-read as it sits in that big dumb pile is actually incurring mental debt on your behalf.” So if you’re not going to do anything with a message, simply delete it and move on.

Delegate: If there’s a message that can be best answered by someone else, then immediately forward it on. Don’t try to handle it if it will take you twice as long as someone else.

Respond: Immediately respond to any new messages that can be answered in two minutes or less.

Defer: If a message cannot be answered in two minutes or less, or if a message can be answered later, then move it to a separate “requires response” folder and reply later.

Do: Set aside time each day to respond to email in the “requires response” folder or respond to mail in this folder throughout the day when you have time.

Mann also recommends what he calls “Email dashes.” Here are his recommendations.

  • Check for new email & look for items that can be responded to very quickly: Two minutes every 20 minutes.
  • Non-critical responses – Every 90 minutes, answer 5 emails or spend 10 minutes responding.
  • Processing “the pile” – Two minutes every hour, plus 15 minutes at the end of the day.
  • Metawork – 15 minutes twice a week.
  • Further culling, responding & cleaning out “the pile” – Throughout the day, when available, in 5-8 minute dashes. These email dashes help you prioritize, avoid constant email notifications, and manage your time and attention.

Other tips for achieving Inbox Zero:

Don’t leave your email client open. An open email client can be a persistent distraction. It could be too tempting to check email when you’re working on another project while your email client is running in the background.

Use templates: You can use templates for often repeated messages that may only require a short or generic response, such as “Thank you” responses or responses to common questions. If you’re using WorldClient, MDaemon’s webmail client, this article has instructions for creating email templates.

Use Filters: Filters are useful for dealing with frequent, non-urgent items that can be dealt with later. Some examples include:

  • Mailing lists and forum threads
  • Social media “Friend” requests from sites like Facebook and Google+
  • Newsletters and product updates
  • Blog comments
  • Twitter follower notifications

Be careful when creating filters to ensure that you are only filtering out content that isn’t important. It is possible to filter out too much – for example, important but non-urgent messages that would be better addressed by dealing with them according to a schedule.

Use labels or folders: This tip could perhaps be combined with the above tip on using filters. The idea is to automate the process of acting on messages that meet certain criteria by applying certain labels or moving them to designated folders. For example, I get a lot of blog comments from spambots, so by creating a filter that filters on the subject of a comment notification message, I can send those messages directly to my “Blog Comments” folder. Sometimes, I’ll get up to 200 comments in a day, so this saves me lots of time and headache weeding through all of that stuff in my Inbox.

Unsubscribe from email lists: How many times have you been asked by a retailer for your email address, or left the box checked when making a purchase on a company’s website authorizing them to bombard you with sales pitches on their other products?  Taking the time to unsubscribe from these mailing lists now can save you from having to deal with all that Inbox clutter later.

The concept of Inbox Zero is not to have zero messages in your Inbox. It’s to set up processes that allow you to spend as little time as possible THINKING about your Inbox. Merlin Mann created the concept several years ago, when there was far less email and far fewer distractions than there are today, so his ideas are even more relevant today. I hope you find these tips useful & that you can use them to take back any control your Inbox may have over you.

SSL & TLS Best Practices

You may have heard the terms SSL and TLS, but do you know what they are and how they’re different?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are methods of securing (encrypting) the connection between a mail client and mail server (Outlook and MDaemon, for example) or between mail servers (MDaemon and another mail server, for example). They are also methods for securing communications between websites and your browser. In this post, we’ll focus on its uses for encrypting email connections.

Without SSL or TLS, data sent between mail clients and servers would be sent in plain text. This potentially opens up your business to theft of confidential information, credentials being stolen and accounts being used to send spam. SSL and TLS can be used to help protect that data. SSL and TLS allow users to securely transmit sensitive information such as social security numbers, credit card numbers, or medical information via email.

How do SSL and TLS work?

In order to use SSL or TLS, you’ll need an SSL certificate to establish an SSL/TLS connection. SSL certificates use a key pair (a public and private key) to establish a secure connection. When a mail client or server wants to connect to another server using SSL, an SSL connection is established using what’s known as an “SSL handshake.” During this process, three keys are used to establish an SSL connection – a public key, a private key, and a session key. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice-versa. Encryption via the public & private keys only takes place during the SSL handshake to create a symmetric session key. Once the secure connection is made, all transmitted data is encrypted with the session key.

This diagram provides a simplified overview of how an SSL connection is established.

(Diagram: How SSL & TLS work)

Both SSL and TLS protect data privacy through data-in-motion encryption, provide server-side and (optionally) client-side encryption of the communication channel, and help ensure message integrity.

POP, IMAP and SMTP traffic are transmitted over designated ports. By default, IMAP uses port 143, POP uses port 110, and SMTP uses port 25. IMAP over SSL/TLS uses port 993. POP over SSL/TLS uses port 995, and SMTP over SSL/TLS uses port 465. For SSL to take place over these connection types, the mail client and mail server must both be configured to use the proper ports, and a valid SSL certificate must be installed on the server.

What are the Differences between SSL and TLS?

So what are the differences between SSL and TLS? TLS is the successor to SSL. It was introduced in 1999 as an upgrade to SSL 3.0, so TLS 1.0 is most similar to SSL 3.0 & is sometimes referred to as SSL 3.1, though TLS is not compatible with SSL 3.0. The version numbers for SSL are 1.0, 2.0 and 3.0, while TLS uses a different numbering pattern – 1.0, 1.1, 1.2.

Because TLS is incompatible with SSL 3.0, the client and server must agree on which protocol to use. This is accomplished via what’s known as a “handshake.” If TLS cannot be used, the connection may fall back to SSL 3.0.
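As an added example (not MDaemon's code), the version agreement just described and the port usage from the previous section, using Python's standard library: a client context that will not negotiate SSLv3 or TLS 1.0/1.1, a small model of the handshake's version choice that refuses to fall back, and a probe that connects on each mail port the right way (implicit TLS versus STARTTLS). The probe needs a reachable mail server, and the hostname in the comment is an assumption.

```python
import imaplib
import poplib
import smtplib
import ssl

# Port table from the post: implicit TLS on 465/993/995, STARTTLS upgrade on 587/143/110.
MAIL_PORTS = {
    465: ("smtp", True), 587: ("smtp", False),
    993: ("imap", True), 143: ("imap", False),
    995: ("pop3", True), 110: ("pop3", False),
}

VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def negotiate(client_offers, server_supports, floor="TLSv1.2"):
    """Model of the handshake's version agreement: take the newest protocol both sides
    support, but return None (no connection) rather than fall back below `floor`."""
    common = set(client_offers) & set(server_supports)
    acceptable = [v for v in VERSION_ORDER
                  if v in common and VERSION_ORDER.index(v) >= VERSION_ORDER.index(floor)]
    return acceptable[-1] if acceptable else None

def hardened_context():
    """Client-side context: certificate chain and hostname are verified, and the
    minimum version is TLS 1.2, so SSLv3 and TLS 1.0/1.1 are never negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_policy(ctx):
    """Summary of what a context will accept, for checking and logging."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }

def probe(host, port, ctx=None):
    """Connect to a mail service the way a correctly configured client does and
    report what was negotiated. Needs a reachable server (the hostname is an assumption)."""
    ctx = ctx or hardened_context()
    proto, implicit = MAIL_PORTS[port]
    if proto == "smtp":
        conn = smtplib.SMTP_SSL(host, port, context=ctx) if implicit else smtplib.SMTP(host, port)
        if not implicit:
            conn.starttls(context=ctx)       # upgrade the plain session on 587
    elif proto == "imap":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx) if implicit else imaplib.IMAP4(host, port)
        if not implicit:
            conn.starttls(ssl_context=ctx)   # upgrade on 143
    else:
        conn = poplib.POP3_SSL(host, port, context=ctx) if implicit else poplib.POP3(host, port)
        if not implicit:
            conn.stls(context=ctx)           # upgrade on 110
    try:
        sock = conn.sock                     # the (now TLS-wrapped) socket
        return {"service": proto, "version": sock.version(), "cipher": sock.cipher()[0]}
    finally:
        (conn.logout if proto == "imap" else conn.quit)()

if __name__ == "__main__":
    print(context_policy(hardened_context()))
    print(negotiate(["TLSv1.2", "TLSv1.3"], ["TLSv1.0", "TLSv1.2"]))          # TLSv1.2
    print(negotiate(["SSLv3", "TLSv1.0"], ["SSLv3", "TLSv1.0", "TLSv1.2"]))   # None: no downgrade
    # print(probe("mail.example.com", 993))   # assumed hostname; uncomment against a real server
```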

Without getting too technical (there are plenty of online resources that explain the technical differences between SSL and TLS), here are some of the differences between SSL and TLS:

TLS has more alert descriptions – When a problem is encountered with an SSL or TLS connection, the party that encountered the problem sends an alert message describing it.

SSL had the following 12 alert messages:

  • Close Notify
  • Unexpected Message
  • Bad Record MAC
  • Decompression Failure
  • Handshake Failure
  • No Certificate
  • Bad Certificate
  • Unsupported Certificate
  • Certificate Revoked
  • Certificate Expired
  • Certificate Unknown
  • Illegal Parameter

TLS has the following additional alert messages:

  • Decryption Failed
  • Record Overflow
  • Unknown CA (Certificate Authority)
  • Access Denied
  • Decode Error
  • Decrypt Error
  • Export Restriction
  • Protocol Version
  • Insufficient Security
  • Internal Error
  • User Canceled
  • No Renegotiation
  • Unsupported Extension
  • Certificate Unobtainable
  • Unrecognized Name
  • Bad Certificate Status Response
  • Bad Certificate Hash Value
  • Unknown PSK
  • No Application Protocol
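
As an added example (Python, not code from the original post or from MDaemon), here is a decoder for a plaintext TLS alert record that maps the description byte to the names in the two lists above using the standard IANA alert code points, and flags which ones only a TLS peer can send. The record bytes below are constructed samples, not captured traffic.

```python
import struct

ALERT_RECORD_TYPE = 21          # TLS ContentType "alert"
LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription code points from the IANA TLS Alert registry. The first group already
# existed in SSL 3.0 (RFC 6101); the second was added by TLS 1.0 (RFC 2246) and later RFCs.
SSL3_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}
TLS_ADDED_ALERTS = {
    21: "decryption_failed", 22: "record_overflow", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension", 111: "certificate_unobtainable",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    114: "bad_certificate_hash_value", 115: "unknown_psk_identity", 120: "no_application_protocol",
}


def parse_alert_record(record: bytes) -> dict:
    """Decode one unencrypted TLS record carrying an Alert (e.g. from a failed handshake).

    Record layout: type(1) major(1) minor(1) length(2) body; an alert body is
    level(1) description(1). Alerts sent after keys are established are encrypted
    on the wire, so those must be decrypted by the endpoint before this applies.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_RECORD_TYPE:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body                      # iterating bytes yields ints
    name = SSL3_ALERTS.get(desc) or TLS_ADDED_ALERTS.get(desc)
    return {
        "version": f"{major}.{minor}",      # 3.0 = SSL 3.0, 3.1 = TLS 1.0, 3.3 = TLS 1.2
        "level": LEVELS.get(level, f"unknown({level})"),
        "description": name or f"unknown({desc})",
        "tls_only": desc in TLS_ADDED_ALERTS,   # an SSL 3.0 peer could never send this one
    }


# Constructed samples: a fatal handshake_failure (40 = 0x28) on TLS 1.2, and a fatal
# protocol_version alert (70 = 0x46) on TLS 1.0, which only a TLS peer can send.
SAMPLE_HANDSHAKE_FAILURE = bytes.fromhex("15 03 03 00 02 02 28")
SAMPLE_PROTOCOL_VERSION = bytes.fromhex("15 03 01 00 02 02 46")
```

When reviewing a mail server's TLS error logs or a packet capture, the `tls_only` flag tells you the remote side was speaking TLS rather than legacy SSL 3.0.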

TLS uses HMAC for message authentication – SSL verifies message integrity (that is, whether a message has been altered in transit) using Message Authentication Codes (MACs) built directly on either MD5 or SHA. TLS, on the other hand, uses HMAC, a standardized keyed-hash construction that can work with a wider variety of hash functions, not just MD5 and SHA.
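The two constructions side by side, as an added Python example (not code from the original post or from MDaemon): the SSL 3.0 nested-hash record MAC as specified in RFC 6101, and the TLS 1.0-1.2 record MAC, which is plain HMAC as specified in RFC 2246, both computed over a constructed SMTP record. The secret and message are made-up sample values.

```python
import hashlib
import hmac
import struct

# Pad lengths from the SSL 3.0 spec: 48 bytes for MD5, 40 for SHA-1.
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_mac(secret: bytes, seq: int, rec_type: int, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSL 3.0 record MAC: two nested plain hashes with fixed 0x36/0x5c pads,
    an ad hoc construction that predates the HMAC standard."""
    h = getattr(hashlib, hash_name)
    pad1 = b"\x36" * SSL3_PAD_LEN[hash_name]
    pad2 = b"\x5c" * SSL3_PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq, rec_type, len(fragment))   # seq_num, type, length
    inner = h(secret + pad1 + header + fragment).digest()
    return h(secret + pad2 + inner).digest()


def tls_mac(secret: bytes, seq: int, rec_type: int, version: tuple, fragment: bytes,
            hash_name: str = "sha1") -> bytes:
    """TLS 1.0-1.2 record MAC: standard HMAC over seq_num, type, version, length, fragment.
    The hash is a parameter, which is what lets TLS cipher suites swap in e.g. SHA-256."""
    header = struct.pack("!QBBBH", seq, rec_type, version[0], version[1], len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()


def tls_record_intact(secret: bytes, seq: int, rec_type: int, version: tuple,
                      fragment: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver-side check; the constant-time compare avoids leaking how many tag bytes matched."""
    expected = tls_mac(secret, seq, rec_type, version, fragment, hash_name)
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not a real key or captured traffic).
SECRET = bytes(range(20))                   # MAC_write_secret for a SHA-1 suite
APP_DATA = 23                               # ContentType application_data
TLS10 = (3, 1)                              # record-layer version bytes for TLS 1.0
MSG = b"RCPT TO:<alice@example.com>\r\n"    # an SMTP command as the record fragment
```

Because the sequence number is part of the MAC input in both designs, a record replayed out of order or a fragment altered by one byte fails the check.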

TLS uses a different set of cipher suites.

A cipher suite is a named combination of key exchange, authentication, encryption, and message authentication code (MAC) algorithms that the client and server negotiate to set the security parameters of a connection. More information can be found here: https://en.wikipedia.org/wiki/Cipher_suite

Why are SSL and TLS Important?

Businesses have a responsibility to protect financial data such as credit card information, and consumer records such as names, addresses, phone numbers, and medical information. Without some form of encryption, whether via an encrypted connection using SSL or TLS, or by encrypting the message itself using Virtru or OpenPGP, sensitive data may be vulnerable to hackers and other forms of unauthorized access.

Which method is recommended?

SSL 3.0 suffers from a well-known vulnerability called the POODLE vulnerability. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. Click here for a thorough overview of this vulnerability and recommended actions. One workaround recommended in the overview is to completely disable the SSL 3.0 protocol on the mail client and server. This might not be practical, as it may affect legacy systems that are still using SSL 3.0.

We recommend using TLS whenever possible. TLS 1.2 is currently the best version for security, but it is not yet universally supported. TLS 1.1+ support was not added until Windows 7 and Server 2008 R2, in 2009.

The encryption protocol and cipher used by MDaemon and SecurityGateway depend on the operating system and can be configured via the registry. You can use the free IIS Crypto tool to set the appropriate registry keys. More information can be found here:
https://www.nartac.com/Products/IISCrypto

I hope this information helps clarify any questions about SSL and TLS, and which encryption method is recommended. As always, if you have questions or comments, let us know!
