A Defensive Computing Checklist    by Michael Horowitz

HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

EMAIL

Many times, perhaps most of the time, the first step in a company getting hacked is an email message.

• From who? Non-techies never know who sent an email message, so think very carefully before taking action based on a single message. It is fairly easy to forge the FROM address of an email. Be especially careful about doing anything involving money, passwords or personal information based on one lousy email message.
• Links: Links in email and web pages are complicated. Unless you are a techie it can be almost impossible to know where you will end up after clicking on a link. If an email message has a link to login to a service, DO NOT click it. Go to the website of the service on your own and login there. One option for learning where a link really ends up is to use a Link Expander. There is a whole page on Link Expanders on this site.
• SCAM EMAILS
  1. The more urgent the plea for you to take action, the more likely the message is a scam. Bad guys don't want you to have a chance to think about the issue or check with others.
  2. Excellent article: 7 Signs of Phishing to Watch For Don't be fooled by Leo A. Notenboom September 12, 2024.
  3. The use of official logos and images in an email message also does not indicate legitimacy. See How to spot suspicious emails and Dealing with Fake 'Ask Leo' which examines a scam email message for telltale signs.
  4. Victims can be scammed into thinking that an email message is legit, because it knew something about us. However, our personal information has leaked time and time again, so including information about you, specifically, is no indication that the sender is who they claim to be or that the message is legit. For example, Starwood was hacked, so an email about the time you stayed at the Westin hotel in Cleveland in the summer of 2018, may not be from Starwood. Bad guys know you stayed there too.
• EMAIL HEADERS
  All email messages include a header section that is normally hidden. The information in the header can do quite a lot towards validating if the message is legit or a scam. Every email program can display the header, but you have to figure out how on your own. Then there is the issue of reading it and understanding it. This is not a widely taught skill. Some techies can do it, some can not.
  1. When reading the header: SPF is a standard that defines whether a specific email server is authorized to send email on behalf of a certain domain. If I use an outlook.com account to send email modified to look like it came from irs.gov, this should create an SPF error, because the email server that sent my scam message is not authorized by the IRS to send their emails.
  2. DKIM is a standard that confirms whether an email message was sent by the email domain it claims to be from.
  3. If you can figure out how to display the header of an email message, you can copy/paste it into www.iplocation.net/trace-email which will parse the header and tell you the sending/source IP address, country, ISP and organization.
  4. A similar tool is Email Header Analyzer by MxToolbox.
  5. DNS Checker also offers an Email Header Analyzer.
  6. The Message Header Analyzer produces a very detailed report but the person(s) behind this service are unknown
  7. The Google Admin Toolbox analyzer shows the status of SPF, DKIM and DMARC in a very clearly labeled way.
• It is easy to assume that when you reply to an email message, the reply goes to the person that sent the message. Sure, this is the case almost all the time - but not all the time. Internet email has a rarely used ReplyTo feature that lets the sender specify an email address to receive replies. An email message from DonaldDuck@gmail.com might have a ReplyTo address of DonaldDuck@hotmail.com or DonaldDuck@aol.com or DonaldDuck@anyfreeservice.com. The ReplyTo address can be anything, but copying the sender's name while changing the domain makes it more likely the scam will not be noticed. If the ReplyTo is used in conjunction with a spoofed sender email address, then a victim can be fooled into an ongoing conversation with bad guys. Maybe your email software will display the ReplyTo field, maybe it won't. Gmail hides the ReplyTo address until you actually reply.
• Email is worth paying for. Sure, there are many places offering email for free but the price of free is no tech support. If email is important, and to many/most people it is, then having tech support is worth paying for. A free account can also be suspended, deleted or locked at the whim of the company providing the service, without recourse. For regular email, I suggest Fastmail. For secure email, I suggest Proton Mail. As of August 2024, pricing for Fastmail starts at $5/month with 60GB of storage. Pricing for Proton Mail starts at $4/month with 15GB of storage. Each assumes you pay for a year up-front. Fastmail has a 30 day trial, Proton Mail has a free service where you can kick the tires.
• An email password is more important than many people think. In that light, make sure it is at least 12 characters long and that you do not use the password for anything else. If you use password manager software, do not keep the email password in the password manager. Keep it on paper instead.
• When bad guys learn your email password, they are likely to send scam messages to everyone in your address book. So that you see these messages as soon as possible, consider having both your own email address and a secondary one that also belongs to you, in your email address book.
• Terminology: "Phishing" means scam. A phishing email is lying to you about something. "Spear Phishing" is a scam specifically targeted at you. In a spear phish, the bad guys will have researched you and they use the information about you as the part of the lure in their scam. For example, they might learn who does the money transfers in a company, then pretend to be the boss and order a fake money transfer.
• Email attachments: Word documents, spreadsheets and PDF files are often malicious. The safest way to open any file attached to an email message is on a Chromebook running in Guest mode. The next safest option is to open it on an iOS device. The third safest environment is from Google Drive (hopefully from a Chromebook or an iOS device). Upload the attachment to Google Drive and open it from Google Drive. The least safe environment to deal with email attachments is Windows. If you must use Windows or macOS, download the attached file and go to VirusTotal.com to scan it with many different anti-virus programs before opening it. Any type of attached file can be dangerous.
• Secure Email: The only two companies offering this, that I know of, are ProtonMail and Tutanota. Neither company can read your email while it is stored on their servers. Messages sent between their customers are also safe from prying eyes. Email from either company to any other email provider can either be secure or not, but it is a very different type of security. In October 2021, I wrote about this: Using ProtonMail encrypted messages with a normal email account. Both companies offer free limited accounts. Both can be used with software on your computer but webmail lets the browser prove that encryption is being used in transit. Webmail can also be used on a Chromebook running in Guest mode to insure that no trace of your actions is left behind. Episode 149 of the Privacy, Security, & OSINT podcast was on Secure Email with a comparison of ProtonMail and Tutanota. Interesting point in the podcast: you may want to configure each service not to automatically save every email address you correspond with in the your Contacts list.
• If you use webmail, you should have a local (on your computer) backup of your contacts/address book. For Gmail, go to contacts.google.com and look for "Export" in the left side vertical column. Google offers three possible formats for the backup file, it can not hurt to make three backups, one in each format. Make a note to do this backup every few months.
• An email with a password protected attachment, that has the password in the body of the email message, is surely malicious. This is a trick bad guys use to prevent anti-virus programs from detecting malicious software. If you try to open an attached file on Windows and it fails to open, you can still get infected with a virus.
• An email that asks you to logon to read an encrypted message is a scam.
• REPORTING: Emails that pretend to be from a trusted organization for the purpose of stealing passwords or other personal information can be reported to Cisco PhishTank, SpamCop and the Anti-Phishing Working Group. Registration is required. You can also report any and all SPAM to SpamCop. Links from Daniel Aleksandersen. Sophos is also willing to accept SPAM and malicious emails on their Submit a Sample page. If the scam came from Hotmail or Outlook, report it to abuse@outlook.com. If the scam came from Gmail, then report it to abuse@gmail.com.
• Use multiple email addresses
• If you have an email account with a recovery email address (Gmail does this) you should check every now and then (yearly?) that the recovery email address is still valid. It is used for things like resetting the password.
• A special warning to Uber customers about malicious email that really looks like it came from Uber. More in this January 2, 2022 article: Uber ignores vulnerability that lets you send any email from Uber.com by Ax Sharma.
• Taking a step back, it seems to me like we are living in a time much like the one before seat belts were required in cars. The current norm, reading email on a computer with sensitive or important files (or LAN based access to such files), is much too risky. If you are not reading email on a Chromebook or an iOS device, you are doing it wrong. Using any other OS, in a corporate environment, is job security for the IT department and the assorted security companies they employ. I say this as someone who does not work in corporate IT.

EMAIL FOR YOUR DOMAIN

From: Jerry Lerman on Mastodon December 15, 2024.

If you own a domain name that you do not use for email, you can/should protect it from bad guys from flagging all email from the domain as junk. You do this by adding two TXT records to the DNS for your domain:
TXT v=spf1 -all
TXT v=DMARC1; p=reject;
"The first says there is not a single SMTP server on earth authorized to send email on behalf of your domain. The second says that any email that says otherwise should be trashed."

If you do use your own domain for sending email, Lerman suggests adding this:
SPF record to indicate which SMTP server(s) are allowed to send your email.
DKIM records to add a digital signature to emails, allowing the receiving server to verify the sender and ensure message integrity.
DMARC record that tells the receiving email server how to handle email that fails either check.

---

NOTE: This topic was moved to its own page Jan. 3, 2024.

Copyright 2019 - 2025