This is the track for webmail -- not ordinary (POP) email. You read webmail in a browser. Safeguards for ordinary email are covered in a separate track.
From a browser's point of view, webmail is just a series of webpages. When you "open" a message, your browser simply "loads" a webpage from your webmail provider's website. That webpage is much like any other webpage.
The message could contain malicious content. If you open the message, it's much the same as visiting a malicious web site. Any attacks embedded in the message will succeed if your browser is vulnerable.
Many webmail providers have POP and SMTP interfaces. That lets me add security to my webmail accounts by using Thunderbird to access them instead of reading them online in my browser.
Cyber-bandits target email because it's an easy way to get into computers. Browsers are vulnerable to evil email unless they're set up properly, and patched (updated) promptly when new vulnerabilities are found.
The first step towards safe webmail is to learn about evil email tricks. Then be *very* careful how you handle webmail messages.
If that fits your needs, just follow basic browser security settings. Remember to also follow these precautions for Web pages when you're working with webmail.
You need safeguards that go beyond the ordinary if you want the best webmail security. Running with reduced rights is the most important one. It takes more work to set up and your browser will be less convenient to use. But you will be very secure, both for webmail and on the Web in general.
The whole point of screening messages is to delete the evil ones before you open one that does you or your computer in. Don't leave them around to tempt you. ;-)
Look for messages that don't look quite right: you don't know the sender, the subject or attachment seems strange, it's urgent or alarming, it's too good to be true, or the subject doesn't jibe with the sender. If you find one, just delete the message.
Examine messages and attachments as a whole when deciding if one or both are malicious. The nature of the attachment -- its size, name or extension -- combined with details of the message will give most bogus email away.
If you are suspicious about a message but decide not to delete it immediately, you can check it further. Preview it using some passive method before you open it. You may be able to read enough to dispense with it then and there.
You can safely preview messages by saving them as a text file and opening them with Notepad. Or you can do it directly in Outlook Express: right-click the suspicious message > select "Properties" from the context menu > select the "Details" tab in the properties window > click the "Message Source" button > maximize the "Message Source" window so you can examine the message fully.
Learn more about evil email messages.
It's very easy to "spoof" links in email messages so that they look legitimate but actually take you to a counterfeit or hostile Web site. This applies particularly to messages that purport to come from a financially related sender. They could have a fish hook in them.
Never, ever open an email attachment that you have any doubts about -- even if it's addressed directly to you and comes from someone you know. Always check with the sender directly -- most worms appear to come from someone you know these days -- make sure they intended to send the attachment. (Just send them an email and ask. Even then be cautious with attachments.) If you're satisfied with how they got the file, it's probably OK, but you still need to handle it appropriately.