
Email Security

There are many risks associated with the use of e-mail. The risks include information leakage, data integrity violations, repudiation, malicious code, SPAM, and others. Following is a brief overview of the major issues.

Information Leakage

  • Many employers and online services retain the right to archive and inspect messages transmitted through their systems.
  • Either party might accidentally send an e-mail message to the wrong person.
  • E-mail might be left visible on an unattended terminal.
  • E-mail can be printed, circulated, forwarded, and stored in numerous paper and electronic files.
  • E-mail is discoverable for legal purposes.
  • A person authorized to access the information might use it for an unauthorized purpose or disclose it to an unauthorized party.
  • Confidential information might be obtained by an unauthorized entity from discarded media.
  • E-mail may be vulnerable to computer hackers who could then transmit the information for illegitimate purposes.
  • Phony e-mail could dupe legitimate users into voluntarily giving up sensitive information.

Data Integrity

  • E-mail is easily intercepted and altered without detection.
  • E-mail can be used to introduce viruses into computer systems.
  • An impostor can forge e-mail addresses.

Message Repudiation

A party to the communication could falsely deny that the exchange of information ever took place.

Malicious Code

Over 11,000 different computer viruses exist to date and some 300 new ones are created each month. Their effects range from negligible, to bothersome, to destructive. The danger of viruses transmitted through macros, another common form of virus transmission, is that they allow the user to continue working and sharing documents. This way, the virus spreads faster, infecting more and more users. One such macro virus, known as Melissa, reared its ugly head on March 26, 1999. Melissa forced organizations the world over - among them Microsoft and Intel - to suspend all e-mail transactions. The spread of this virus resulted in productivity loss. Similar destructive viruses include the Chernobyl and the Explore Worm, both of which wipe out files, resulting in data loss.

Most viruses and other malicious code programs are delivered through e-mail messages as attachments.

Handling Harassing or Threatening E-mail

If you receive a harassing or threatening e-mail message from a specific individual, we recommend you take the following steps:

Step 1

The sender should be told that you do not want to receive any further communications.

  • Reply to the sender with a message similar to the following: "I do not wish to receive any further communications from you of any sort." You do not need to explain why, just that you want the communications to stop.
  • Keep a copy of the original e-mail you received as well as the response you send. This is required if any further action is taken to track down the sender.
  • If the content or any circumstances surrounding the message cause you to have concerns for your safety, the University of Toronto Police Service should be contacted immediately.
  • Forward a copy of the e-mail message to Computer Security Administration at security.admin@utoronto.ca. They are responsible for keeping track of such incidents as well as for initiating investigation of such incidents.
  • Optionally, if you feel it would be helpful, you may choose to cc or bcc a copy of the message to the University of Toronto Police Service.
  • To reinforce the request for non-communication, you may choose to inform the sender you are contacting these university authorities as follows: "A copy of this e-mail is being forwarded to the University of Toronto Police Service and Computer Security Administration. Further communication of any sort will result in immediate notification to University authorities and the Police."

Note: Computer Security Administration can provide assistance in taking the necessary steps to resolve such incidents. It is a good idea to keep copies of all messages sent and received. And remember, you don't want to get into a shouting match or a protracted exchange of messages with the individual who sent you the message.

Step 2

If the sender persists in communicating with you, please notify Computer Security Administration and the University of Toronto Police Service right away and ask for further assistance.

Computer Security Administration
Computing & Networking Services

Fax:      416.978.1354
Phone:  416.978.1267/5551
E-mail:  security.admin@utoronto.ca
Web:     http://www.utoronto.ca/security

University of Toronto Police Service
Facilities & Services

Phone: 416-978-2323
Web:   http://www.utoronto.ca/police/

Internet Mail Headers

In order for Security Administration to investigate Spam and other e-mail related incidents, the message forwarded as part of the report must include the full and complete Internet mail headers. Without the headers, we are not able to identify the source of the message or whether the source address/IP number are forged.

Following are instructions on how to obtain the mail headers for messages handled through MS Outlook, Outlook Express and Netscape mail.

MS Outlook

To display the Internet headers:

  • Open the message
  • Click on "View" from the menu bar
  • Choose "Options"
  • Copy the headers and paste into the message being sent to security.admin@utoronto.ca

Outlook Express

To display the Internet headers:

  • Open the message
  • Click on "File" from the Menu
  • Choose "Properties"
  • Click the "Details" tab
  • Copy the headers and paste into the message being sent to security.admin@utoronto.ca

Netscape Messenger

To display the Internet headers:

  • Click on "View" from the Menu bar
  • Choose "Headers"
  • Click "All"
  • Copy the headers and paste into the message being sent to security.admin@utoronto.ca
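
Why the full headers are needed, as an added example that is not part of the original page: each mail server prepends a Received line, so the chain can be read oldest-first, and the last hop recorded by the receiving site's own server marks the point before which entries may be forged. The message, addresses and the `university.example` domain below are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not a real incident: RFC 5737 documentation IPs and
# reserved .example domains. "university.example" stands in for our own site.
RAW = """\
Return-Path: <bounce@bulk.example.net>
Received: from mx.university.example (mx.university.example [192.0.2.10])
\tby mailbox.university.example with ESMTP id A1; Mon, 3 Mar 2008 10:15:07 -0500
Received: from relay.example.net (unknown [198.51.100.23])
\tby mx.university.example with SMTP id B2; Mon, 3 Mar 2008 10:15:05 -0500
Received: from trusted-bank.example (localhost [127.0.0.1])
\tby relay.example.net with SMTP id C3; Mon, 3 Mar 2008 10:14:59 -0500
From: "Accounts" <service@trusted-bank.example>
To: user@university.example
Subject: Please verify your account

Body text.
"""

def received_hops(raw):
    """Parse Received headers into hops, oldest first (bottom header first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        frm = re.search(r"\bfrom (\S+)", text)
        by = re.search(r"\bby (\S+)", text)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        hops.append({"from": frm and frm.group(1), "by": by and by.group(1),
                     "ip": ip and ip.group(1)})
    return hops

def in_domain(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))

def boundary_hop(hops, our_domain):
    """Latest hop recorded by our own server for a peer outside our domain.
    Its IP was observed by our server; older hops were written by machines
    we do not control and may be forged."""
    for hop in reversed(hops):
        if in_domain(hop["by"], our_domain) and not in_domain(hop["from"], our_domain):
            return hop
    return None

def sender_domains(raw):
    """Domains of the visible From address and the envelope Return-Path."""
    msg = email.message_from_string(raw)
    return tuple(parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
                 for h in ("From", "Return-Path"))
```

A From/Return-Path mismatch is a hint rather than proof, since mailing lists and bulk senders legitimately use different addresses.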

Other Risks

  • The sender may assume, but doesn't necessarily know, that his/her message was delivered.
  • The recipient might not check his messages within the time frame the sender expects.
  • The attachments embedded in the e-mail might be in a format the recipient's software can't read.
  • E-mail can be misinterpreted. Without verbal and nonverbal feedback, the sender can't confirm that his/her messages are understood.

Best Practices

  • Understand the risks associated with using electronic mail to discuss personal, confidential or sensitive information.
  • Double-check the recipient's address before sending a message.
  • Communicate via e-mail only those things you're comfortable having forwarded.
  • Avoid using e-mail for particularly sensitive matters.
  • Avoid using e-mail for time sensitive messages.
  • Take time to make sure the message is clear and concise, and cannot be misconstrued.
  • Be careful about leaving programs operational and/or documents visible when your computer is unattended.
  • Make use of screen savers with private passwords or automatic sign-off.
  • If you receive any harassing or threatening e-mail, report it to Computer Security Administration at security.admin@utoronto.ca.
  • Make sure that you include the e-mail headers from such messages, as this is the only way that the origin of the message can be traced.
  • Ensure that your e-mail client is set to check for new mail no more frequently than once every 10 minutes (600 seconds), or longer if that's acceptable.
  • Empty your inbox regularly to avoid exceeding your quota. Transfer messages you want to keep from your inbox to other folders, or to your computer's hard drive.
  • Unsubscribe from any mailing lists that no longer interest you. Lists generate a huge amount of mail traffic.
  • Don't attach very large files to e-mail messages. Generally, attachments should be less than one megabyte. Explore FTP alternatives to send files larger than this.
  • Use BCC (blind copy) instead of CC to copy a message to a large number of people. This cuts down on the size of the mail header; it also makes messages easier for your correspondents to read.
  • Update your address book regularly and remove addresses you don't need.
  • Do not participate in chain letters. It's not only illegal but it's also not a good idea as it ties up network resources for all concerned.
  • Learn to recognize virus hoaxes that circulate via e-mail, and don't pass them on.
  • Make sure your computer is protected from e-mail viruses.
  • Never click on an attachment unless the message has been scanned by your anti-virus program.
  • If you were not expecting the attachment, it's best to just delete the message and the attachment.
  • Some virus programs change the extension of the attachment so as to disguise its real purpose, so you also need to be careful about attachments such as GIFs and JPEGs.
  • If you receive advertising and other SPAM messages asking you to reply to the message to unsubscribe, be careful before replying to the messages. If the message is from a company that you are aware of, for example a software vendor or a department store, unsubscribing will usually work. Otherwise, simply delete or filter the Spam.
  • Set up your e-mail program to filter SPAM directly to your trash can.
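
The point above about disguised attachment extensions, as an added example that is not part of the original page: a check that compares the image type an attachment's name claims against the leading bytes of its content. The sample message, file names and addresses are constructed, and the `MZ` payload is a header stub only.

```python
from email.message import EmailMessage

# Leading "magic" bytes that real files of each type start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MZ = b"MZ"  # first two bytes of DOS/Windows executables

def suspicious_attachments(msg):
    """Return (filename, reason) for attachments whose bytes contradict
    the image type their file name claims."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        dot = name.rfind(".")
        ext = name[dot:].lower() if dot != -1 else ""
        if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
            kind = "executable header" if data.startswith(MZ) else "unknown content"
            findings.append((name, f"named {ext} but has {kind}"))
    return findings

def build_sample():
    """Constructed message: one genuine GIF header, one mislabelled file.
    The 'MZ' payload is only a header stub, not a working program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@university.example"
    msg["Subject"] = "Photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;",
                       maintype="image", subtype="gif", filename="logo.gif")
    msg.add_attachment(MZ + b"\x00" * 62,
                       maintype="image", subtype="jpeg", filename="holiday.jpg")
    return msg
```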
©2011 - University of Toronto Information + Technology Services. All Rights Reserved.