E-Mail Security

What issues does e-mail usage have?

The delivery of e-mails is a lot like ordinary postal delivery of postcards. Everyone with some professional knowledge is able to

• peek at the postcard, thus read it,
• write on the postcard, thus manipulate it, and
• send a postcard under a false name, thus forge it.

The reason for being able to read or manipulate e-mails is that plain e-mails are neither encrypted nor signed. This means that everyone, who can access parts of the delivery route, can tamper with them. Almost every e-mail provider uses transport encryption nowadays, which is good, but it only secures the transport from or up to the server of the e-mail provider!

As with ordinary postal delivery the address of the sender is not verified upon delivery, which enables forgery. Usually the address is verified before sending an e-mail. For example the WWU mail server secmail.uni-muenster.de only accepts e-mail addresses which match the user's account. But it is not possible to guarantee (globally) that all e-mails from uni-muenster.de or wwu.de are sent through this mail server to verify them.

How to recognize risky e-mails?

All e-mail users get confronted with spam and phishing messages at some point. The definitions and some more information can be found on the Threats on the Internet page. But how can one recognize spam, phishing or other risky e-mails? This often is no easy task because especially phishing e-mails are designed to look like real e-mails from known companies. The following hints should help with distinguishing between real and fake e-mails:

• Sender: Check if the sender's e-mail address matches the supposed originator of the e-mail, like e.g. "...@uni-muenster.de" for e-mails from the WWU.
• Salutation: Most companies will  use your real name to address you. Fake messages usually use more commonly fitting phrases like "Dear customer" or a simple "Hello".
• Grammar/spelling: In many cases fake e-mails have been translated automatically resulting in more grammatic or spelling issues than usual.
• Urgency/threats: Most phishing messages ask the user to take immediate actions, e.g. immediately log into a webpage or check an invoice, and threat the user with severe consequences, like blocking the user's account or imminent payment of a large sum. Most legitimate companies would rather contact you by letter or phone in urgent cases.
• Offers/winnings: Spam messages for advertisement or scam purposes often promise fabulous products and large profits. Should an e-mail contain such offers or lots of advertisements you should become suspicious and ignore it.
• Links: Risky e-mails usually contain cryptical-looking or easily confusable links, for example uni-meunster.de or uni-muenster.de.com instead of uni-muenster.de. Most of the time such links are hidden behind texts or buttons. Therefore, always check the whole link by hovering over it with your mouse pointer and see if it matches the supposed originator.
• Digital signatures: Most up-to-date e-mail applications show a seal next to a message when its digital signature is correct and matches the sender's address. Since fraudulent e-mails often use fake addresses they probably do not have correct signatures. But since the overall usage of signatures is sparse, most e-mails will not be digitally signed at all yet.

Should an e-mail contain multiple of those indications, it probably is a fraudulent e-mail.

Secure e-mail usage

To keep your e-mails and personal information secure and to protect your devices from malware, you should follow some basic guidelines:

• Only retrieve or send e-mails from trustworthy devices which satisfy the basic security measures (up-to-date operating system with anti-virus software and firewall).
• Make sure to use encrypted connections to the mail server. For webmail (e.g. OWA or Permail) the address should start with https. For local applications the SSL-/TLS-encryption should always be enabled (see Setting up your e-mail program).
• Should you need to send sensitive information, e.g. passwords, you always have to use an end-to-end encryption on such e-mails (see Digital IDs). The transport encryption SSL/TLS only encrypts the data up to the mail server! It is not recommended to (end-to-end) encrypt every e-mail you send out.
• Disable automatic downloading of external media, like embedded pictures, because they can contain malware. Many e-mail applications already do this by default.
• Never open unknown or unexpected file attachments! If the e-mail seems to be from a known person, check back with said person, whether the message was really sent by them. You should use another method of communication for this.
• Always be careful with links in e-mails! Check the link thoroughly even if the e-mail seems to be from a known person. If you do not recognize the origin or the message already looks suspicious, do not click on any embedded links!
• Do not enter personal information, e.g. login credentials, directly in an e-mail, nor on a linked website!
• Never reply to possible spam or phishing e-mails! Preferably just delete them. Should you be unsure whether it could be a legitimate e-mail, check with the sender using another method of communication.
• You can use a spam filter to reduce the amount of spam you directly get. Many e-mail providers and applications already include a spam filter by default. You can enable a spam filter for the WWU e-mail service as well (see IT-Portal).

Digital IDs

Digital IDs (identities), or user certificates, are an additional option to secure e-mail communication. Most importantly, they can be used to sign outgoing e-mails which can be compared to putting a postcard in an envelope and affixing a seal. This enables the recipient to verify that the letter really was sent by a particular person and it guarantees that it was not manipulated along the way. Digital IDs can also be used to encrypt messages end-to-end, thus making them unreadable during the whole delivery process. For end-to-end encryption the recipient must own a digital ID.

We are aiming to digitally sign all official e-mails from the WWU in the near future and will try to extend the usage of digital IDs in regular e-mail communication at the WWU as well. For this purpose the Münster University Certification Authority (WWUCA) offers free digital IDs for all members of the WWU. You can use IT-Portal to request such digital ID for yourself.

All up-to-date e-mail applications are able to automatically sign messages or encrypt them when needed, once a digital ID is available. Signatures of recieved e-mails are usually checked automatically as well and a seal is displayed next to it if the signature is correct. Further information can be found on the website of the WWUCA.

Business e-mails

The use of e-mails for business purposes at the WWU has to comply with some additional regulations:

• Only the mailbox provided by the WWU may be used for business e-mails!
• The automatic forwarding of business e-mails to external mailboxes is prohibited!
• As far as possible all business e-mails, especially newsletters, should be digitally signed.

Instructions

• Correct configuration of e-mail applications
• Requesting a digital ID
• Importing and using a digital ID