When we talk about 'secure e-mail,' we're really talking about two different things: the security (or lack of it) provided by your e-mail software (the e-mail client), and the security of the message you write (the message content). Our five steps to secure e-mail will deal with both aspects; firstly with how to get a secure client, or make your existing client more secure; and finally how to get encryption to secure the content of your messages.
One: Use a secure e-mail client
Your e-mail client is the piece of software you use to compose, send and receive your messages. This obviously includes products like Outlook Express, The Bat and Thunderbird. Strictly speaking, if you use Webmail such as Hotmail, Gmail or Yahoo Mail, then your browser (Internet Explorer, Firefox, Netscape, etcetera) becomes your e-mail client - but for our purposes here we will treat Webmail as something separate. If you use an e-mail client, the first rule for secure e-mail is to use a secure e-mail client.
Two: Always use text
"Read e-mail in plain text (as God intended)". Anything capable of doing something without your say-so is potentially harmful, and HTML contains things that can do just that, such as connecting to a website you don't know about to fetch what you think is just a picture to display in the e-mail. Most e-mail clients can protect against most of these problems, but the simplest answer is just don't do it; plain text is much safer. Of course, the corollary is that you should only send messages as text as well.
There is usually an option in the software to switch to text. In Outlook Express it's Tools>Options>Read, and check the box 'Read all messages in plain text'. Then go to the 'Send' tab and check the 'Plain text' radio button under Mail Sending Format. You can also make sure that 'Reply to messages using the format in which they were sent' is unchecked.
This, of course, is only half the problem. What about attachments? Certain file types can carry macros and the macros can carry exploits. So be very careful.
Here are a few basic rules:
And of course you should return the compliment. Send attachments wherever possible as .txt files or PDFs.
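As an added check for this step (example code written here, not part of the original article), the following Python script inspects a raw message for the two risks described above: HTML content that would fetch remote resources when rendered, and attachments of types that can carry macros. The sample message, the extension list and the tag pattern are constructed assumptions, not values from the article.

```python
import re
from email import message_from_string, policy

# Constructed sample: a multipart message with an HTML part that loads a
# remote tracking image and a macro-capable Word attachment (the base64
# body is a placeholder, not a real document).
SAMPLE = """\
From: newsletter@example.com
To: you@example.org
Subject: Monthly update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body>Hello<img src="http://tracker.example.com/open.gif?id=42" width="1" height="1"></body></html>
--outer
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

AAAA
--outer--
"""

# Extensions that can carry macros: an illustrative list (assumption),
# extend it to match your own attachment policy.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".xlsm", ".pptm"}
# Tags whose src/href a mail client fetches automatically when rendering HTML.
REMOTE_REF = re.compile(r'<(?:img|script|iframe|link)\b[^>]*?(?:src|href)=["\']?(https?://[^"\'\s>]+)', re.I)


def inspect_message(raw: str) -> dict:
    # Parse with the modern policy so parts expose get_content()/get_filename().
    msg = message_from_string(raw, policy=policy.default)
    report = {"html_parts": 0, "remote_refs": [], "risky_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.get_content_type() == "text/html":
            report["html_parts"] += 1
            report["remote_refs"] += REMOTE_REF.findall(part.get_content())
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_CAPABLE:
            report["risky_attachments"].append(name)
    # "Safe" here means nothing would be fetched or run without your say-so.
    report["safe_to_render"] = not (report["html_parts"] or report["risky_attachments"])
    return report
```

Run `inspect_message(SAMPLE)` to see the tracking URL and the .doc attachment flagged; a plain-text message with no attachments reports `safe_to_render: True`.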
Three: Use free Webmail accounts for subscriptions and postings
We all love subscribing to relevant free newsletters that will be delivered by e-mail to our desktop. In fact free newsletters are probably second only in volume to spam. And phishing. And scams.
So where do those bothersome people get our e-mail addresses? Well, there are many methods - some of which we can do something about. One of their methods is to let robots loose on websites. These robots trawl through all the pages copying down any e-mail address they come across (this is called harvesting). So the first thing is never to put your e-mail address on your own website in anything like a machine-readable format (and frankly JOHN AT SMITH DOT COM is probably machine-readable).
You may, however, find that your e-mail address has been harvested from a different website - perhaps a none-too-savvy website that takes postings and includes the poster's e-mail address. Or perhaps a hacker has got into a newsletter publisher's database and stolen all the subscriber addresses. This (semi-)solution works in both cases - never use your own main e-mail address. Guard it as if it were your most embarrassing moment ever, and only tell people you really trust. For everyone and everything else - use a webmail account. Firstly, companies like Hotmail and Google and Yahoo are really good at screening out spam; and secondly, if and when spam does start getting through, just dump that address and get another one. You will need to re-subscribe to the newsletters, but it will be a good opportunity to abandon all of those you don't want or don't trust. But out of common courtesy, if there is a mechanism for formally closing the old webmail account, please do so.
Four: Use additional multi-layered defenses
It isn't enough to stop bad things getting on to your system via your e-mail - you have to prevent any unknown hidden infection you may already have getting out through your e-mail and infecting someone else. It's not just good manners - it could save your job or your bank balance or both. Many lawyers expect that sooner or later the victim of loss by infection will seek redress from the source of that infection; even if the source was totally unaware of what happened. Better make sure you're not that source; so you have to avoid sending out infections just as much as you must avoid receiving them.
E-mail isn't the only way you can catch a Trojan horse - it could be just by visiting the wrong website, using P2P injudiciously, a colleague or relative downloading or installing something not quite kosher... In fact, it's probably best to assume that sooner or later you will get infected by spyware or similar. So you don't just need an anti-virus system capable of inspecting your incoming e-mail, you need one that will inspect your outgoing mail as well. But just to be especially safe, you need anti-spyware/adware software to scan your system for Trojans that have got through; and you need a firewall that will stop unauthorized applications trying to connect to the internet.
Five: Encrypt sensitive emails
You can make Outlook Express (and any other e-mail client that supports S/MIME) provide encryption if you obtain or have a digital ID (digital certificate). To be frank, for most users of personal e-mail, the process of getting a digital certificate is either too expensive or too onerous to bother with. So it comes down to the usual cost/benefit trade-off: if the value of the information you wish to secure is high, then you need to obtain a digital certificate; if it is not that high, then seek an alternative method of encryption.
By Hiren Kotak