Earlier this week, I heard an interesting interview on NPR’s Morning Edition with a recent victim of Business Email Compromise (BEC), a growing threat that uses social engineering to exploit human nature in order to divert massive amounts of money to cybercriminals.
Recent Business Email Compromise Trends show Evolving Tactics
First, let’s start with a little background information. In 2013, when Business Email Compromise scams were gaining popularity, attackers typically compromised a legitimate email account belonging to the company president, CEO or CFO in order to request the transfer of funds to an account controlled by the attacker. As awareness of BEC scams has grown, the tactics used by the scammers to avoid detection have evolved as well. These newer deception methods use compromised lawyer email accounts, requests for W-2 records, and the targeting of real estate transactions. Another recent trend involves spoofing a company executive or other position of authority and requesting the targeted victim purchase gift cards for personal or business reasons.
Over the past couple of years, BEC tactics have further evolved into a new trend known as Vendor Email Compromise in which cybercriminals target vendors or suppliers with phishing emails and then send realistic-looking invoices to their customers in order to steal money.
BEC scams have been wildly successful, with $1.2 billion in losses reported in 2018 by the FBI’s Internet Crime Complaint Center (nearly triple 2016 losses). Unfortunately, these are only REPORTED losses. Many incidents go unreported because companies don’t want to risk bad publicity.
While recent efforts by law enforcement agencies have led to many arrests, Michael J. Driscoll, FBI special agent in charge of the Criminal Division for the bureau’s New York Field Office, has named Business Email Compromise the #1 priority – replacing ransomware as the biggest threat facing businesses.
And that brings me to the interview I heard on NPR.
This week on Morning Edition, Martin Kaste interviewed “Mark” (not his real name), the owner of a Seattle-based real estate company and one of the earliest victims of Business Email Compromise. Mark discussed how the attack began and how it evolved.
It started with a scammer intercepting email traffic between Mark and a business partner. For a period of time, the scammer monitored this email traffic and studied their speech, writing patterns and message timing (see Step 1 here). When Mark and his partner discussed a $50,000 disbursement owed to the partner, the scammers took action and inserted their own wire transfer instructions (see Step 3 here).
Mark was convinced the request was legitimate, and transferred the $50,000 (Step 4) to the scammer’s bank account. His partner never received the money. By the time they alerted the bank, the money had already been transferred to an overseas account.
Mark said, “We’re somewhat experienced businesspeople. The idea that we’ve been duped makes you feel pretty stupid,” and as I mentioned, this “shame” element, along with fear of a damaged business reputation, is why many of these incidents often go unreported.
Kaste points out, “The banks weren’t much help, either. Since he was the one who gave the scammers the account number, they saw this as his responsibility. He has learned one thing – never again trust wiring instructions that are sent by email.”
Don’t Risk Losing your Life Savings to Scammers. Follow these 10 Tips to Identify a Phishing Email.
Whether you run a Fortune-500 organization or a small boutique, by now you should be aware of the threats posed by cyber criminals who try to trick you into clicking a link, downloading an attachment, or parting with your money.
Modern day email scams are getting more sophisticated, leading to staggering losses for businesses of all sizes. According to the 2018 Verizon Data Breach Investigations Report, phishing was used in 93% of all reported breaches, with email being the main attack vector in 96% of reported cases.
While these figures are staggering, they continue to rise as scammers reap huge payouts from BEC (Business Email Compromise), CEO fraud and other phishing scams.
The real estate industry is a prime target for phishing because large sums of money change hands and there are various weak links in the transaction process. If any step within the transaction process becomes compromised with a successful phishing email, the attacker could gain access to a legitimate email address from which to launch other attacks. The fraudster could then lie in wait, scanning email messages for financial or transaction related details, and then send off fraudulent wire transfer instructions to an unsuspecting buyer, seller, or agent. For example, this happened to a 31-year-old first-time home buyer in San Antonio, Texas. You can read details about this case here, but the short version of the story is that she felt that she was in a time crunch to send in her down payment and finalize other closing tasks, and felt that the title company was dragging its feet. This state of high anxiety made her a prime target for a phishing email she received stating that she had previously been given the wrong wire transfer information, and that she needed to wire her down payment to a new account. With 5 hours left to get everything done, she attempted to contact her title company to confirm the change, but no one responded, so in a panic, she hastily ran to the bank and wire transferred her $52,000 down payment. Unfortunately, she sent her life savings to scammers.
The phishing industry is so lucrative for scammers because the barriers to entry are low relative to potential huge payouts. With botnets-for-hire and Malware as a Service (MaaS), spammers have an impressive arsenal of tools at their disposal to propagate their campaigns, so an educated user is the best defense against phishing scams. With this in mind, here are my top 10 tips on how to identify and protect yourself from phishing attacks.
Watch out for messages disguised as something expected, like a shipment or payment notification. These often contain links to malware sites. Hover your mouse over any links to make sure they’re safe. Think before you click! Here’s an example using a phishing email I received claiming to come from HSBC.
Watch for messages asking for personal information such as account numbers, Social Security numbers, and other personal information. Legitimate companies will never ask for this over email.
Beware of urgent or threatening messages claiming that your account has been suspended and prompting you to click on a link to unlock your account.
Check for poor grammar or spelling errors. While legitimate companies are very strict about emails they send out, phishing emails often contain poor spelling or grammar.
Hover before you click! Phishing emails often contain links to malware sites. Don’t trust the URL you see! Always hover your mouse over the link to view its real destination. If the link claims to point to a known, reputable site, it’s always safer to manually type the URL into your browser’s address bar.
Check the Greeting – Is the message addressed to a generic recipient, such as “Valued customer” or “Sir/Madam?” If so, be careful & think twice! Legitimate businesses will often use your real first and last name. In our HSBC example, notice the generic greeting.
Check the Signature – In addition to the greeting, phishing emails often leave out important information in the signature. Legitimate businesses will always have accurate contact details in their signature, so if a message’s signature looks incomplete or inaccurate, chances are it’s spam. In our HSBC example, the sender’s name and contact information are missing from the signature.
Don’t download Attachments – With the proliferation of Ransomware as a Service (RaaS), spammers have an easy mechanism for distributing malware-laden spam messages to thousands of users. And because the payout for ransomware can be quite high, even one successful ransomware infection could net the spammer large amounts of money. If there’s ANY doubt about the identity of the message sender or the contents of an attachment, play it safe and don’t download the attachment.
Don’t trust the From address – Many phishing emails will have a forged sender address. A message carries a sender address in two places. The Envelope From is used by mail servers to generate NDR (non-delivery report) messages, while the Header From is used by the email client to display information in the From field. Both of these can be spoofed. MDaemon Webmail has built-in security features to help users identify spoofed emails. Many mail clients hide the From address, only showing the From name, which can be easily spoofed. In MDaemon Webmail, the From address is always displayed, giving users a clearer view into the source of the email and helping them identify spoofed senders. Using our HSBC example, I’ve highlighted the actual sender.
MDaemon Webmail will also display information in the Security tag to help users identify messages from verified senders, as shown here.
Don’t Enable Macros – And while we’re on the subject of ransomware, another common vector for ransomware infections is through macros in Microsoft Word documents. These documents often arrive in phishing emails claiming to have important content from HR, Finance, or another important department, and to trick the user, they ask the user to enable macros. Never trust an email that asks you to enable macros before downloading a Word document.
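The “Don’t trust the From address” tip above can be checked mechanically. The following Python is an added example, not code from MDaemon or from the original post: it compares the Envelope From, the Header From and the From display name of a message. Both sample messages and all names in them are constructed, and the Envelope From is assumed to be available in the Return-Path header.

```python
"""Added example: compare Envelope From, Header From and the From display name."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages. Return-Path is the header in which the receiving
# server records the Envelope From (SMTP MAIL FROM) at delivery time.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
From: "alerts@hsbc.example" <notice@billing.example.org>
To: user@example.com
Subject: Payment notification

Please review the attached payment advice.
"""

LEGITIMATE = """\
Return-Path: <jane@example.com>
From: Jane Doe <jane@example.com>
To: user@example.com
Subject: Lunch on Friday

See you at noon.
"""

# An e-mail address embedded in a display name; group 1 is its domain.
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_report(raw_message):
    """Return the three sender identities plus a list of spoofing signals."""
    msg = message_from_string(raw_message)
    display_name, header_from = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    header_domain = domain_of(header_from)
    signals = []

    # Signal 1: bounces go to a different domain than the one shown to the
    # user. Mailing lists and bulk senders do this legitimately, so treat it
    # as a reason to look closer, not as proof of forgery.
    if envelope_from and domain_of(envelope_from) != header_domain:
        signals.append("envelope-header-mismatch")

    # Signal 2: the display name itself looks like an address from another
    # domain, which misleads clients that show only the From name.
    match = ADDRESS_IN_NAME.search(display_name)
    if match and match.group(1).lower() != header_domain:
        signals.append("address-in-display-name")

    return {
        "display_name": display_name,
        "header_from": header_from,
        "envelope_from": envelope_from,
        "signals": signals,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, sender_report(raw))
```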
While anti-spam and anti-malware tools are quite effective at filtering out the majority of scams, there’s really no substitute for good old-fashioned user education. Know the potential costs to your business and don’t become the next victim!
If you’re the MDaemon or SecurityGateway administrator and need help with your security settings to help block as much phishing as possible before it reaches your users, give us a call or drop us an email support request.
As I was coaxing myself awake this morning with my usual jolt of strong coffee, I checked my favorite news sites & was informed of yet another ransomware attack. This one, which is believed to have originated from Ukraine, was first thought to be a variation of last year’s Petya ransomware outbreak, but upon further investigation, it appears that today’s malware is a new type – a worm that some computer experts are referring to as “NotPetya”. This attack demands a smaller ransom (in comparison to other attacks) of approximately $300, and then begins to serve its primary purpose – to wipe files on the computer. According to researchers at Symantec, this attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry outbreak, as well as two other methods to spread the attack. According to information provided by this article on CNN, if you’ve installed all of the latest Windows patches, you should be safe from this particular strain of malware. However, this is by no means a reason to be complacent. Administrators and end users must still be mindful of safety precautions.
Due to the proliferation of Malware as a Service (MaaS), just about anyone with the desire and the funds can initiate a malware attack, making new & emerging threats a real concern for the foreseeable future. This presents a good opportunity to review best practices for avoiding ransomware – for end users, and for administrators via the tools available in MDaemon and SecurityGateway.
How can end users protect themselves from ransomware?
End users should be aware of the following 18 email safety tips, which originally appeared in this post.
Change your password often.
Use strong passwords. Never use a password that contains “password” or “letmein”.
Use a different password for each of your accounts. If you use the same password for your bank account as you do for your email account, you become much more vulnerable to data theft.
Don’t open an attachment unless you know who it is from & are expecting it. Many of today’s social engineering tactics rely on the ability to trick users into opening attachments.
Use anti-virus software on your local machine, and make sure it’s kept up-to-date with the latest virus definitions.
If you receive an attachment from someone you don’t know, don’t open it. Delete it immediately.
Learn how to recognize phishing
– Messages that contain threats to shut your account down
– Requests for personal information such as passwords or Social Security numbers
– Words like “Urgent” – false sense of urgency
– Forged email addresses
– Poor writing or bad grammar
Hover your mouse over links before you click on them to see if the URL looks legitimate.
Instead of clicking on links, open a new browser and manually type in the address.
Don’t give your email address to sites you don’t trust.
Don’t post your email address to public websites or forums. Spammers often scan these sites for email addresses.
Don’t click the “Unsubscribe” link in a spam email. It would only let the spammer know your address is legitimate, which could lead to you receiving more spam.
Understand that reputable businesses will never ask for personal information via email.
Don’t send personal information in an email message.
Don’t reply to spam. Be aware that if you reply to a spam email, your reply most likely will not go back to the original spammer because the FROM header in the spam message will most likely be forged.
Don’t share passwords.
Be sure to log out.
How can administrators protect their systems from ransomware?
The battle against ransomware cannot be fought by users alone. Administrators must also take steps to lock down their email infrastructure. These best practices will help protect your network and users.
Best Practices for MDaemon Administrators
Enable account hijack detection. This feature will automatically disable an account if a designated number of messages are sent from it via an authenticated session in a given period of time. When the account is disabled, the administrator receives a notification so that corrective action can be taken. Instructions for configuring account hijack detection can be found in this knowledge base article.
Enable dynamic screening. Dynamic screening is a feature that blocks future connections from a connecting server or client based on its behavior. Instructions for configuring dynamic screening can be found here.
Configure the IP Shield. The IP Shielding feature allows administrators to assign an IP address (or IP address range) to email messages from a given domain. Messages claiming to come from a specific domain must originate from one of the approved IP addresses. Exceptions can be made for users connecting from outside of the network who are using SMTP authentication. Click here for instructions.
Require SMTP Authentication. This helps ensure that the user authenticates with a valid username and password. Instructions can be found here.
Use DKIM & SPF to detect spoofing. DKIM uses a private/public key pair to authenticate a message. When an incoming message is signed with DKIM, a DNS record lookup is performed on the domain taken from the signature, and the signature, which the sender created with its private key, is verified using the public key in the domain’s DNS records. SPF uses a DNS record that lists hosts that are allowed to send mail on behalf of a domain.
Enable DMARC & configure your DMARC record. DMARC (Domain-Based Message Authentication, Reporting & Conformance) allows domain owners to instruct receiving servers on how to handle messages claiming to come from their domain that did not pass DKIM and SPF lookups. Learn more here.
Ensure that all connections (SMTP, POP, IMAP) are using SSL. SSL (Secure Sockets Layer) is a method for encrypting the connection between a client and server, as well as between two servers. Learn more here.
Have a backup strategy. If by chance malware still manages to infect your network, your last resort is to have a reliable backup strategy. Ideally, you should have your systems backed up off-site and, for added safety, secondary backup data should be saved to media that is not connected to the network.
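To show how the DKIM, SPF and DMARC items above fit together on the receiving side, here is an added Python example (not MDaemon or SecurityGateway code) that applies a DMARC record to SPF and DKIM results that have already been computed. The record text, domains and results are constructed, and the organizational-domain rule (last two labels) is a simplifying assumption; real receivers use the Public Suffix List.

```python
"""Added example: apply a DMARC policy to already-computed SPF and DKIM results."""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Assumption for this example: the organizational domain is the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (verdict, requested_action) for one message.

    from_domain : domain of the Header From address
    spf_domain  : Envelope From domain that SPF was checked against
    dkim_domain : d= domain of the DKIM signature
    A message passes DMARC when SPF or DKIM passes AND that domain aligns
    with the Header From domain. Otherwise the domain owner's policy applies.
    """
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


# Constructed record for the constructed domain example.com.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # SPF passes, but only for the sender's own unrelated domain: not aligned.
    print(dmarc_evaluate(RECORD, "example.com", "pass", "attacker.example.net", "none", ""))
    # SPF passes for a subdomain of example.com: aligned in relaxed mode.
    print(dmarc_evaluate(RECORD, "example.com", "pass", "bounce.example.com", "none", ""))
```

The first call shows why SPF alone does not stop Header From spoofing: SPF passes for the sending domain, yet DMARC fails because that domain does not align with the From address the user sees.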
More information on these settings can be found in the following guide on best practices for protecting your users:
SecurityGateway provides an extra layer of anti-spam, anti-spoofing and anti-malware security, in addition to your mail server’s built-in security settings. These best practices will help keep ransomware and other malicious content from reaching your mail server. Each item includes a link with more information.
Don’t whitelist local addresses. If a spam message were spoofed with one of your local addresses, this could allow the spam message to bypass various security features. This is why it is recommended that no local addresses be added to your whitelist.
Of course, no system is 100% fool-proof, which is why user education is so important. Remember – your network and email infrastructure are only as secure as their weakest link. It is the responsibility of all parties involved – administrators and end users, to help ensure a secure messaging and collaboration environment.
The holidays are upon us, and with all of the giving and sharing come scams aimed at exploiting human nature and stealing our personal information, such as names, addresses and credit card numbers. This year, the scammers are at it again, with a phishing scam designed to look like an email from Amazon.com claiming that there is a problem processing your order. The scam asks you to click on a link to verify your personal information. A good example of this scam email is described on the AARP blog.
As a reminder, here are a few tips to avoid falling victim to phishing scams.
Never click on unfamiliar or suspicious links. If a link claims to refer to a familiar website, then manually enter the web address in the address bar.
Hover your mouse over images & links to review the URL they refer to.
Beware of “Unsubscribe” links in phishing emails. When clicked, these links can let the spammer know that your address is valid, which often leads to more spam.
For many of us, email has become our primary method of communication in both our business and personal lives. An email address, however, is often used for many more purposes than simply sending electronic messages. Many of us use our email address to log into social networking sites, utility and credit card sites, banking sites, and much more.
Your email account is often the gateway to your personal life, and thus, is a valuable target for hackers. John McAfee said, “Email accounts are the fundamental identifying elements of the internet. The assumption is that if a person has access to an email account then that is the real person. Yet these accounts are the easiest elements of the digital world to hack into.” According to a recent ZDNet study, with a single phishing email, about 45% of all recipients submitted their full login credentials. Another study by Intel found that 97% of all computer users could not correctly identify all 10 of 10 phishing emails.
Hackers have a variety of tools at their disposal, from sophisticated spear-phishing to malicious documents to social engineering tricks, so are you doing enough to protect your email privacy?
Follow these 8 best practices to help ensure that your email communications are kept private.
Use strong passwords
A strong password that is not easily guessed should contain a combination of upper and lower-case letters, numbers, and symbols. Never use a password that can be easily guessed, and never use any of the passwords listed on the “most popular and therefore worst” passwords list. MDaemon includes tools that allow administrators to enforce strong password policies. See this blog post for more information.
Spammers know that many people use the same password across multiple sites and services. Therefore, you should be using a different password for each site.
Never click on suspicious links
Spammers have gotten very creative at making spam email messages look legitimate, using HTML and images that, when clicked, lead to fake websites designed to collect your personal information or to deliver malware, including ransomware and keyloggers designed to capture everything you type. Therefore, never click on links in an email message unless you’re absolutely sure you have verified and trust the sender.
Many phishing messages contain images such as logos that look legitimate, but, when clicked, lead to malicious sites. If you hover your mouse over a link, you can often see the destination URL, which often does not match the word or image associated with it.
If you see an “unsubscribe” link, don’t click on it! This would only serve to let the spammer know your address is valid and, more importantly, these links are easily forged and could lead to malware infections.
If you are prompted to click on a link that appears to point to a legitimate site that you know and trust, it is better to manually type the URL into your browser than to click on a link that has not been verified.
Never reply to spam or unsolicited email messages
Spam can be a very annoying nuisance, so as humans, we may let our emotions get the best of us and reply to a spam message with “Please take me off your email list” or “Quit spamming me!” There are two problems with replying to spam. First, many spam messages come from forged addresses, so the spammer is unlikely to receive your message. Second, replying can let the spammer know your address is legitimate, which may lead to even more spam.
Don’t post your email address in blog posts, online comments, or social media
Scammers often scour social media sites for email addresses that they can exploit, so if you must post an email address to one of these sites, mask the address by adding spaces or spelling out (at) instead of using the @ symbol.
Email messages, by default, are transmitted in plain-text. This can potentially open them up to interception by a nefarious third-party. While SSL & TLS are used to encrypt the connection between mail clients and mail servers, it is good practice to encrypt the email message itself. Encryption protects sensitive data by converting plain-text to cipher text. This cipher text can only be decrypted using the proper private encryption key.
MDaemon has options for encrypting connections using SSL & TLS, as well as server-side and client-side encryption options using Virtru and OpenPGP. A couple of months ago, I wrote a blog post about these options. Click here to read about MDaemon’s encryption options.
Use Two-Factor Authentication
Passwords alone are often not enough to protect your data against increasingly sophisticated attacks. With two-factor authentication, users must provide a password and a unique verification code that is obtained via a client that supports Google Authenticator (available in the Google Play store). This blog post contains more information on how to use two-factor authentication with MDaemon and WorldClient.
Know the risks of using public Wi-Fi
Public Wi-Fi provides a convenient way to access the internet while on the go, but if you’re not careful, it may come at a great price. Unsecured Wi-Fi hotspots are prime targets for hackers, who are often able to position themselves between you and the internet connection, allowing them to intercept every bit of information you transmit. Hackers can also use unsecured Wi-Fi hotspots to distribute malware. If you have file sharing enabled, you are especially vulnerable. To reduce risk, make sure any Wi-Fi hotspot you connect to is secured and from a reputable source that you trust. If you must connect to a public hotspot, it is good practice to use a VPN to ensure that transmitted data is encrypted.
Lock your computer when away from your desk
This may sound like a given, but an unattended computer that has not been locked allows anyone access to your information. You might not consider this a big issue if you work for a small business, but if you work in an industry with privacy regulations, such as health care or financial institutions, or if you store sensitive company information such as revenue or other confidential information, leaving your computer unlocked could have serious consequences, including loss of job, damaged company reputation, or even legal problems.
Whether your primary interest is protecting company information or your own personal data, email privacy is everyone’s responsibility, and often, the weakest point of entry into a treasure trove of sensitive data is a negligent or uninformed user. Don’t let that user be you. Use these tips to stay ahead of the bad guys!
Unless you live in a cave, chances are you use email as a primary method of business communication. You’re also likely to receive tons of annoying, non-business related email, such as newsletters, press releases, mailing list messages, and follow-up messages that clutter up your Inbox. Without a clear strategy for dealing with all of this distracting junk, valuable time is wasted on unimportant tasks, and productivity suffers. In other words, you may be afflicted with “email overload.”
So how do we deal with the influx of email that grabs at our limited supply of attention? Merlin Mann invented the concept of Inbox Zero. From TechTarget, Inbox Zero is defined as “a rigorous approach to email management aimed at keeping the inbox empty — or almost empty — at all times.” According to Mann, zero does not refer to the number of messages in your Inbox. Instead, it refers to the amount of time one spends thinking about his Inbox. A key point that is made is that when one confuses his Inbox with a to-do list, productivity suffers. Mann states, “It’s about how to reclaim your email, your attention, and your life. That zero? It’s not how many messages are in your inbox–it’s how much of your own brain is in that inbox – especially when you don’t want it to be. That’s it.”
So with the daily influx of email, how can we achieve Inbox Zero? Mann says that for every email message, there are five possible actions to take: delete, delegate, respond, defer, or do.
Let’s take a closer look at these actions.
Delete: When a new message arrives, the first thing you should ask yourself is “Am I REALLY going to read or respond to this email?” If you’re not sure, then chances are you’re not going to make it a priority, and then it will sit there in your Inbox while other messages that should have been deleted come piling in after it. As Merlin Mann says in this article, “every email you read, re-read, and re-re-re-re-re-read as it sits in that big dumb pile is actually incurring mental debt on your behalf.” So if you’re not going to do anything with a message, simply delete it and move on.
Delegate: If there’s a message that can be best answered by someone else, then immediately forward it on. Don’t try to handle it if it will take you twice as long as someone else.
Respond: Immediately respond to any new messages that can be answered in two minutes or less.
Defer: If a message cannot be answered in two minutes or less, or if a message can be answered later, then move it to a separate “requires response” folder and reply later.
Do: Set aside time each day to respond to email in the “requires response” folder or respond to mail in this folder throughout the day when you have time.
Mann also recommends what he calls “Email dashes.” Here are his recommendations.
Check for new email & look for items that can be responded to very quickly: Two minutes every 20 minutes.
Non-critical responses – Every 90 minutes, answer 5 emails or spend 10 minutes responding.
Processing “the pile” – Two minutes every hour, plus 15 minutes at the end of the day.
Metawork – 15 minutes twice a week.
Further culling, responding & cleaning out “the pile” – Throughout the day, when available, in 5-8 minute dashes. These email dashes help you prioritize, avoid constant email notifications, and manage your time and attention.
Other tips for achieving Inbox Zero:
Don’t leave your email client open. An open email client can be a persistent distraction. It could be too tempting to check email when you’re working on another project while your email client is running in the background.
Use templates: You can use templates for often repeated messages that may only require a short or generic response, such as “Thank you” responses or responses to common questions. If you’re using WorldClient, MDaemon’s webmail client, this article has instructions for creating email templates.
Use Filters: Filters are useful for dealing with frequent, non-urgent items that can be dealt with later. Some examples include:
Mailing lists and forum threads
Social media “Friend” requests from sites like Facebook and Google+
Newsletters and product updates
Twitter follower notifications
Be careful when creating filters to ensure that you are only filtering out content that isn’t important. It is possible to filter out too much – for example, important but non-urgent messages that would be better addressed by dealing with them according to a schedule.
Use labels or folders: This tip could perhaps be combined with the above tip on using filters. The idea is to automate the process of acting on messages that meet certain criteria by applying certain labels or moving them to designated folders. For example, I get a lot of blog comments from spambots, so by creating a filter that filters on the subject of a comment notification message, I can send those messages directly to my “Blog Comments” folder. Sometimes, I’ll get up to 200 comments in a day, so this saves me lots of time and headache weeding through all of that stuff in my Inbox.
Unsubscribe from email lists: How many times have you been asked by a retailer for your email address, or left the box checked when making a purchase on a company’s website authorizing them to bombard you with sales pitches on their other products? Taking the time to unsubscribe from these mailing lists now can save you from having to deal with all that Inbox clutter later.
The concept of Inbox Zero is not to have zero messages in your Inbox. It’s to set up processes that allow you to spend as little time as possible THINKING about your Inbox. Merlin Mann created the concept several years ago, when there was far less email and far fewer distractions than there are today, so his ideas are even more relevant today. I hope you find these tips useful & that you can use them to take back any control your Inbox may have over you.
You may have heard the terms SSL and TLS, but do you know what they are and how they’re different?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are methods of securing (encrypting) the connection between a mail client and mail server (Outlook and MDaemon, for example) or between mail servers (MDaemon and another mail server, for example). They are also methods for securing communications between websites and your browser. In this post, we’ll focus on their use for encrypting email connections.
Without SSL or TLS, data sent between mail clients and servers would be sent in plain text. This potentially opens up your business to theft of confidential information, credentials being stolen and accounts being used to send spam. SSL and TLS can be used to help protect that data. SSL and TLS allow users to securely transmit sensitive information such as social security numbers, credit card numbers, or medical information via email.
How do SSL and TLS work?
In order to use SSL or TLS, you’ll need an SSL certificate to establish an SSL/TLS connection. SSL certificates use a key pair (a public and private key) to establish a secure connection. When a mail client or server wants to connect to another server using SSL, an SSL connection is established using what’s known as an “SSL handshake.” During this process, three keys are used to establish an SSL connection – a public key, a private key, and a session key. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice-versa. Encryption via the public & private keys only takes place during the SSL handshake to create a symmetric session key. Once the secure connection is made, all transmitted data is encrypted with the session key.
This diagram provides a simplified overview of how an SSL connection is established.
Both SSL and TLS protect data privacy through data-in-motion encryption, provide server-side and (optionally) client-side encryption of the communication channel, and help ensure message integrity.
POP, IMAP and SMTP traffic are transmitted over designated ports. By default, IMAP uses port 143, POP uses port 110, and SMTP uses port 25. IMAP over SSL/TLS uses port 993. POP over SSL/TLS uses port 995, and SMTP over SSL/TLS uses port 465. For SSL to take place over these connection types, the mail client and mail server must both be configured to use the proper ports, and a valid SSL certificate must be installed on the server.
What are the Differences between SSL and TLS?
So what are the differences between SSL and TLS? TLS is the successor to SSL. It was introduced in 1999 as an upgrade to SSL 3.0, so TLS 1.0 is most similar to SSL 3.0 & is sometimes referred to as SSL 3.1, though TLS is not compatible with SSL 3.0. The version numbers for SSL are 1.0, 2.0 and 3.0, while TLS uses a different numbering pattern – 1.0, 1.1, 1.2.
Because TLS is incompatible with SSL 3.0, the client and server must agree on which protocol to use. This is accomplished via what’s known as a “handshake.” If TLS cannot be used, the connection may fall back to SSL 3.0.
Without getting too technical (there are plenty of online resources that explain the technical differences between SSL and TLS), here are some of the differences between SSL and TLS:
TLS has more alert descriptions – When a problem is encountered with an SSL or TLS connection, the party who encountered the problem would send an alert message.
SSL had the following 12 alert messages:
Bad Record MAC
TLS has the following additional alert messages:
Unknown CA (Certificate Authority)
Bad Certificate Status Response
Bad Certificate Hash Value
No Application Protocol
TLS uses HMAC for message authentication – SSL verifies message integrity (to determine whether a message has been altered) using Message Authentication Codes (MACs) that use either MD5 or SHA. TLS, on the other hand, uses HMAC, allowing it to work with a wider variety of hash functions – not just MD5 and SHA.
TLS uses a different set of cipher suites.
A cipher suite is basically a combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate security settings for a network connection. More information can be found here: https://en.wikipedia.org/wiki/Cipher_suite
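To make the MAC difference above concrete, the following added example (not code from the original post) computes an SSL 3.0 record MAC and a TLS record MAC side by side, following the published SSL 3.0 and HMAC specifications. The secret and record bytes are constructed sample values, and the function names are this example's own.

```python
import hashlib

# SSL 3.0 fixes the pad length per hash, so only MD5 and SHA-1 are defined (RFC 6101).
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_mac(hash_name, secret, seq_num, content_type, fragment):
    """SSL 3.0 record MAC: the secret is concatenated with constant padding."""
    pad_len = SSL3_PAD_LEN[hash_name]  # KeyError for any other hash
    header = (seq_num.to_bytes(8, "big") + bytes([content_type])
              + len(fragment).to_bytes(2, "big"))
    inner = hashlib.new(hash_name, secret + b"\x36" * pad_len + header + fragment)
    return hashlib.new(hash_name, secret + b"\x5c" * pad_len + inner.digest()).digest()


def hmac_rfc2104(hash_name, key, message):
    """HMAC built by hand: the key is XORed into pads sized to the hash block."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:  # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def tls_record_mac(hash_name, secret, seq_num, content_type, version, fragment):
    """TLS record MAC: HMAC over sequence number, type, version, length, data."""
    header = (seq_num.to_bytes(8, "big") + bytes([content_type]) + bytes(version)
              + len(fragment).to_bytes(2, "big"))
    return hmac_rfc2104(hash_name, secret, header + fragment)


if __name__ == "__main__":
    secret = b"constructed-mac-secret"  # constructed sample values
    record = b"A001 LOGIN user example"
    print("SSL 3.0 / sha1:", ssl3_mac("sha1", secret, 0, 23, record).hex())
    for name in ("sha1", "sha256", "sha384"):
        mac = tls_record_mac(name, secret, 0, 23, (3, 3), record)
        print(f"TLS HMAC / {name}:", mac.hex())
```

Because the HMAC pads are derived from the hash's own block size, the same function works unchanged with SHA-256 or SHA-384, while `ssl3_mac` has no defined padding for them.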
Why are SSL and TLS Important?
Businesses have a responsibility to protect financial data such as credit card information, and consumer records such as names, addresses, phone numbers, and medical information. Without some form of encryption, whether via an encrypted connection using SSL & TLS, or by encrypting the message itself using Virtru or OpenPGP, sensitive data may be vulnerable to hackers & other forms of unauthorized access.
Which method is recommended?
SSL 3.0 suffers from a well-known vulnerability called the POODLE vulnerability. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. Click here for a thorough overview of this vulnerability and recommended actions. One workaround recommended in the overview is to completely disable the SSL 3.0 protocol on the mail client and server. This might not be practical, as it may affect legacy systems that are still using SSL 3.0.
We recommend using TLS whenever possible. TLS 1.2 is currently the best version for security, but it is not yet universally supported. TLS 1.1+ support was not added until Windows 7 and Server 2008 R2, in 2009.
The encryption protocol and cipher used by MDaemon and SecurityGateway depend on the operating system and can be configured via the registry. You can use the free IIS Crypto tool to set the appropriate registry keys. More information can be found here: https://www.nartac.com/Products/IISCrypto
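After changing the protocol settings, it helps to confirm what the server actually negotiates. The following added example (not part of the original post or of MDaemon) attempts a TLS 1.2-or-later handshake on the implicit-TLS mail ports listed earlier and reports the negotiated protocol and cipher; `mail.example.com` is a placeholder host name and the function names are this example's own.

```python
import socket
import ssl

# Implicit-TLS mail ports named in the post.
MAIL_TLS_PORTS = {"IMAP": 993, "POP": 995, "SMTP": 465}


def strict_context():
    """Client context that refuses SSL 3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()  # verifies certificate and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port, timeout=5.0):
    """Attempt a TLS 1.2+ handshake and report what the server negotiated."""
    result = {"port": port, "ok": False, "protocol": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, protocol=tls.version(), cipher=tls.cipher()[0])
    except OSError as exc:  # refused, timed out, handshake or certificate failure
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def audit(host, ports=MAIL_TLS_PORTS):
    """Probe each mail service and return one result per service name."""
    return {name: probe(host, port) for name, port in ports.items()}


if __name__ == "__main__":
    # mail.example.com is a placeholder; substitute a server you administer.
    for service, res in audit("mail.example.com").items():
        status = f"{res['protocol']} {res['cipher']}" if res["ok"] else res["error"]
        print(f"{service:5} {res['port']:4} {status}")
```

A handshake error on a port that is otherwise reachable means the server could not meet the TLS 1.2 minimum or presented a certificate the client could not validate.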
I hope this information helps clarify any questions about SSL and TLS, and which encryption method is recommended. As always, if you have questions or comments, let us know!
If you’ve used Microsoft Outlook for an extended period of time, you may have noticed that it doesn’t run quite as smoothly as it used to. Outlook’s performance is affected by many things, including the amount of data it has to keep track of, any add-ons that are installed, how often it checks for new mail (checking more frequently can improve performance), and various other factors. Whether you use POP, IMAP, ActiveSync or Outlook Connector, you can perform various tasks to improve Outlook’s performance. Follow the steps outlined below to keep Outlook running like a well-oiled machine.
Outlook Connector Users
Compact the Outlook Connector Local Cache File
Unlike POP, which stores data in a PST file, Outlook Connector stores a local copy of account data in a local cache file. If you are using Outlook Connector, you can compact the local cache file to improve performance. Follow these steps to compact the local cache file:
Make sure Outlook is shut down, and navigate to the Windows control panel.
Click on the Mail control panel.
Click on Email Accounts.
Double-click on your Outlook Connector account.
Click on the Database Management tab.
Locate the Purge Database section and click on the Purge button.
Locate the Compact Database section, and click on the Compact button. You can also check “Compact database on Outlook shutdown” to compact the database each time Outlook is shut down.
NOTE: Outlook Connector includes the option “Download Headers Only” under the Send/Receive tab of the Outlook Connector Client configuration screen. When this option is enabled, Outlook only downloads the information needed to show messages in the message list, and not the full content of each message. When you click on a message, the rest of the message is downloaded for viewing. Users may experience a slight delay in viewing messages in the preview pane when “Download Headers Only” is enabled because Outlook has to download the rest of the message when it is selected. If messages are slow to appear in the preview pane or when viewing, try disabling “Download Headers Only.”
Performing the following housekeeping tasks regularly will help minimize the amount of data that Outlook must process, and will reduce the amount of memory used by the program.
We recommend performing these housekeeping tasks regularly:
Delete any email messages, calendar items, and contacts that are no longer needed.
Empty the Deleted Items folder by right-clicking it and selecting Empty Folder.
Delete unwanted items from the Sent Items folder.
Move items out of the Inbox to other mail folders.
Archive old messages. Mail server administrators can implement a server-wide archiving solution such as MailStore to help cut down on the amount of data stored in user mailboxes.
Having too many Outlook add-ins can bog down Outlook’s performance. When Outlook is installed for the first time, it comes with its own set of add-ins. Not all of these add-ins will be activated, and there may be add-ins enabled that you don’t need. Here is a list of default Outlook add-ins:
Business Connectivity Services Add-in
Microsoft Exchange Add-in
Microsoft Outlook Social Connector / Outlook Social Connector 2013
Microsoft SharePoint Server Colleague Import Add-In
Microsoft Exchange Unified Messaging
OneNote Notes about Outlook Items
Microsoft Access Outlook Add-In for Data Collection and Publishing
Microsoft VBA for Outlook Add-in
Windows Search Email Indexer
This page contains a List of all default Outlook Add-ins, plus other add-ins you might encounter.
In addition, other third-party applications can add their own Outlook add-ins. Fortunately, it’s easy to disable unwanted add-ins.
In Outlook 2007: Go to Tools | Trust Center | Add-ins. In the Manage drop-down list, select which add-ins you’d like to disable. Press Go, and make your changes.
In Outlook 2010, 2013 and 2016: Go to File | Options | Add-ins. Locate the Manage drop-down menu at the bottom, and select COM Add-ins, then click on Go. To disable specific add-ins, simply un-check the items you don’t need, and click on OK. You can also use the Remove button to remove selected items completely. For some add-ins, you may need to restart Outlook for your changes to take effect.
Disable RSS Feeds
If you have a lot of RSS feeds that are synchronized with Outlook, these syncing tasks could bring Outlook to a crawl. If you aren’t using Outlook as an RSS reader, you can disable this feature from Outlook by following these steps:
In Outlook 2007: Go to Tools | Options. Select the Other tab, and then click on Advanced Options. Then, uncheck both options under RSS Feeds.
In Outlook 2010 / 2013 / 2016: Go to File | Options. Click on the Advanced button in the left-hand navigation menu. Under the RSS Feeds section, uncheck both options.
Adjusting the Send/Receive Frequency
Adjusting Outlook’s Send/Receive schedule can often improve performance. If email messages are slow to show up in your Inbox, you can configure Outlook to send/receive messages more frequently so that it doesn’t have to download as much data each time it checks for new messages. If your send/receive schedule is set to check less frequently, say, every 30 minutes, try changing it to send/receive every 3 minutes.
Outlook 2010, 2013 and 2016 users can find this setting via File | Options | Advanced. Locate the Send/Receive section and click on the Send/Receive button. Then, under Send/Receive Groups | All Accounts, adjust the timing for “Schedule an automatic send/receive every…” as shown here:
POP, IMAP & ActiveSync Users
Compact or Repair PST Files
PST files can be another source of Outlook sluggishness. You can help improve Outlook’s performance by:
Using multiple PST files.
Keeping attachments out of PST files.
Compacting PST files.
To compact a PST file in Outlook 2010, 2013 and 2016:
Delete any items you no longer need, and then empty the Deleted Items folder.
Click on the File tab on the ribbon, and then select the Info tab.
Click on Account Settings, and then click on Account Settings again.
Click on the Data Files tab.
Select your PST file in the list, and then click on Settings.
On the General tab, click on Compact Now.
Click on OK and Close.
To compact a PST file in Outlook 2007:
Delete any items you no longer need, and then empty the Deleted Items folder.
Navigate to Tools | Account Settings.
Select your desired account, and then click on Change.
Click on More Settings.
On the Advanced tab, click on Offline Folder File Settings.
Click on Compact Now.
Sometimes, your PST files can develop errors or data inconsistencies, resulting in unexpected behavior in Outlook. When you suspect that there’s an issue with the integrity of your PST file, you can run Scanpst.exe to repair your PST files.
Scanpst can be tricky to locate. By default, you should be able to find it in the Program Files | Microsoft Office | Office14 folder, but you may need to perform a search if you can’t find it in its default location. This location may vary depending on which version of Outlook you are using. You may also want to create a shortcut to this file on your desktop for easier access.
Before using this tool, we recommend making a backup copy of your PST file in case any errors or file corruptions occur to the original file. This shouldn’t be an issue, however, because if Scanpst finds any errors, it will prompt you to make a backup before attempting to repair the file.
Keep Windows Up-to-Date
Microsoft periodically releases Windows updates and service packs. Having the latest updates and service packs can help improve your computer’s overall performance as well as Outlook’s performance.
Nobody should have to put up with sluggish Outlook performance. Following the above suggestions will help ensure that you spend less time waiting for things to happen, and more time making things happen!
SecurityGateway is a powerful email spam & malware filter & gateway that can be used to protect any type of mail server. It offers a layered approach to security, with protection features including data leak prevention, attachment filtering, heuristic and Bayesian analysis, zero-hour Outbreak Protection, and much more.
In today’s video tutorial, we demonstrate best practices for handling spam in SecurityGateway. Topics covered include:
How to mark a message as spam to teach the Bayesian learning process how to identify junk email messages, which helps to make the spam filter more accurate over time.