date 18.Mar.2012

■ How secure is your email account?


Electronic mail (e-mail) is so pervasive that we seldom stop and think about its security, or rather the lack of it. It is one of the earliest internet communication protocols and, like FTP, security wasn't high on the agenda back then. E-mail can be secured all right, but the default settings are often insecure. So if you are using MS Outlook and leave the server port numbers at the defaults, 110 for incoming (POP3) and 25 for outgoing (SMTP), with the encryption option switched off, then your client logs in in plain text: anyone on the same network can eavesdrop and read your password, e.g. when you check your email from a public wifi hotspot.

The solution is easy: instead of the default ports, use the secure ones. For incoming mail that is 995 for POP3 (993 if using IMAP), where the connection is encrypted with SSL/TLS from the first byte. For outgoing mail use 587, the SMTP submission port; there the connection starts in plain text and the client upgrades it with the STARTTLS command, so you also have to tell the client to require encryption (the "this server requires an encrypted connection" option in Outlook), otherwise a careless client can still log in unencrypted. Some hosts offer port 465 instead, which is SMTP over an immediate SSL/TLS connection, like 995/993. With that set, your email client (e.g. Outlook) and the email server talk over an encrypted channel, and any peeping toms on the network cannot simply read your password. This explains one of my earlier mysteries and proves that no matter how long you are in the computer business there's always more to learn.
[Image: default email port settings]

If you are using Gmail you will be forced to use the secure ports anyway, but many webhosts, like mine, aren't fussy and leave people exposed. I am not 100% sure if you need to tick the "this server requires an encrypted connection" option when switching to secure ports (it could be automatic for the port), but tick it anyway for extra peace of mind.

That's all you need to know about securing your email client. If you are interested in low level technicalities, then continue reading.

Email exposed in plain text

I had a crash course in email settings and safety when I was trying to add SMTP delivery to crack tracker. Sending emails from a program isn't as easy as you might guess. A program like your email client has to start a 'conversation' with the remote email server: the client sends short text commands (EHLO, AUTH, MAIL FROM, ...) and the server replies with three-digit numeric codes. This conversation is in plain text, including any username and password! For example here is a small email sent using port 25 (lines starting with S: are sent by us and R: are the responses of the server):

R=RESPONSE(server), S=SEND(client)
R: 220 auth.smtp.oneandone.co.uk (mreu3) Welcome to Nemesis ESMTP server
S: EHLO hppro
R: 250-auth.smtp.oneandone.co.uk
R: 250-STARTTLS
R: 250-AUTH LOGIN PLAIN
R: 250-AUTH=LOGIN PLAIN
R: 250-SIZE 120000000
R: 250 HELP
S: AUTH LOGIN
R: 334 VXNlcm5hbWU6
S: dGVzdEBjcmFja3RyYWNrZXIubmV0 (base64 encoded username)
R: 334 UGFzc3dvcmQ6
S: bGFtZXBhc3M= (base64 encoded password)
R: 235 Authentication successful
S: MAIL FROM:
R: 250 OK
S: RCPT TO:
R: 250 OK
S: DATA
R: 354 Enter mail, end with "." on a line by itself
S:
Date: 7 Mar 2012 16:16:53
From: User 
Reply-To: user@domain.com
To: 
Subject: The message
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hello, world
regards
User

.
R: 250 Message 0LmAhq-1Se4SY0jNy-00Ztjo accepted by mreu3.kundenserver.de
S: QUIT
R: 221 OK

The server and client introduce themselves, they agree on how to authenticate the user and then the email text is sent. This exchange is suitable even for manual operation from a console; see how the server is explaining to us how to type the email with a '.' to finish it off! Very quaint.

The username and password are also in the conversation, base64 encoded. However this encoding isn't encryption: anyone who captured the exchange can see the real text using a simple base64 conversion tool, and the two strings above decode straight to the account name and the password. Notice also that the server advertised 250-STARTTLS, so it was willing to encrypt; the client simply never asked and sent AUTH LOGIN in the clear. So you don't want your Outlook chatting like this over port 25. That's why you must switch to the secure ports and require encryption in the client, so that the exchange isn't in plain text but encrypted using SSL or TLS (immediately on 465/995/993, after STARTTLS on 587).
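As an added example (not code from the original post, nor from crack tracker), here is a short Python script illustrating both halves of this article: it recovers the credentials from a captured plain-text exchange like the one above, which is exactly what an eavesdropper on port 25 gets to do, and it submits mail the safe way, over port 465 or 587 with certificate verification, refusing to send a password unless TLS is up. The transcript embedded in it is constructed from the one above; the host, port, account and password are placeholders, and nothing is sent unless you call submit_securely() yourself.

```python
"""Added example, not part of the original post.

1. recover_credentials(): what an eavesdropper can pull out of a clear-text
   SMTP capture (AUTH LOGIN as in the transcript above, and AUTH PLAIN).
2. submit_securely(): authenticate only over a verified TLS channel,
   implicit TLS on 465 or STARTTLS on 587, never in the clear.
"""
import base64
import smtplib
import ssl
from email.message import EmailMessage

# Constructed from the transcript in the post: only the lines that matter
# for credential recovery. Account and password are the post's placeholders.
CAPTURED_EXCHANGE = """\
R: 220 auth.smtp.oneandone.co.uk (mreu3) Welcome to Nemesis ESMTP server
S: EHLO hppro
R: 250-auth.smtp.oneandone.co.uk
R: 250-STARTTLS
R: 250-AUTH LOGIN PLAIN
R: 250 HELP
S: AUTH LOGIN
R: 334 VXNlcm5hbWU6
S: dGVzdEBjcmFja3RyYWNrZXIubmV0
R: 334 UGFzc3dvcmQ6
S: bGFtZXBhc3M=
R: 235 Authentication successful
"""


def _b64(text: str) -> str:
    """base64 is encoding, not encryption: decoding needs no key."""
    return base64.b64decode(text.strip()).decode("utf-8", "replace")


def plain_blob(user: str, password: str, authzid: str = "") -> str:
    """What a client sends for AUTH PLAIN: base64('authzid\\0user\\0password')."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode("ascii")


def recover_credentials(exchange: str):
    """Return (username, password) found in a clear-text SMTP capture,
    or None if the client never authenticated in the clear."""
    lines = [ln.rstrip("\r\n") for ln in exchange.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if not line.startswith("S: "):
            continue                      # only client commands carry secrets
        parts = line[3:].split()
        if not parts or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper() if len(parts) > 1 else ""
        if mech == "LOGIN":
            # Username may be inline; otherwise the client answers the two
            # '334' prompts (Username:/Password:) with base64 on its next lines.
            answers = parts[2:3] + [l[3:] for l in lines[i + 1:i + 5] if l.startswith("S: ")]
            if len(answers) >= 2:
                return _b64(answers[0]), _b64(answers[1])
        elif mech == "PLAIN":
            # One blob, inline with the command or on the next client line.
            blob = parts[2] if len(parts) > 2 else next(
                (l[3:] for l in lines[i + 1:i + 3] if l.startswith("S: ")), None)
            if blob:
                fields = _b64(blob).split("\0")
                if len(fields) >= 3:
                    return fields[1], fields[2]
    return None


def submit_securely(host: str, port: int, user: str, password: str,
                    msg: EmailMessage, timeout: float = 30) -> None:
    """Send msg, but only log in over a certificate-verified TLS session.

    465: implicit TLS, the socket is encrypted from the first byte.
    587: submission; STARTTLS must be offered and is required before AUTH.
    Anything else (25 included) is refused for authenticated submission.
    """
    ctx = ssl.create_default_context()   # verifies the server certificate and hostname
    if port == 465:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    elif port == 587:
        client = smtplib.SMTP(host, port, timeout=timeout)
    else:
        raise ValueError(f"port {port} is not a TLS submission port")
    with client:                          # quit() on exit, even on error
        if port == 587:
            client.ehlo()
            if not client.has_extn("starttls"):
                raise RuntimeError("no STARTTLS offered; refusing clear-text AUTH")
            client.starttls(context=ctx)
            client.ehlo()                 # capabilities can differ inside TLS
        client.login(user, password)      # now travels encrypted
        client.send_message(msg)


if __name__ == "__main__":
    print("eavesdropper sees:", recover_credentials(CAPTURED_EXCHANGE))
    msg = EmailMessage()
    msg["From"] = "user@domain.com"       # placeholder addresses from the post
    msg["To"] = "user@domain.com"
    msg["Subject"] = "The message"
    msg.set_content("Hello, world")
    # submit_securely("smtp.example.com", 587, "user@domain.com", "lamepass", msg)
```

The check in submit_securely is the point the port switch alone does not give you: a client that connects to 587 but is not told to require encryption can still fall back to AUTH LOGIN in plain text, and the capture function shows what that costs.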


©2002-2012 ZABKAT, all rights reserved | Privacy policy | Sitemap