E-mail security

Common e-mail security risks

These are some risks associated with using e-mail:

• Flooding (a type of denial of service attack) occurs when a system becomes overloaded with multiple e-mail messages. It is relatively easy for an attacker to create a simple program that sends millions of e-mail messages (including empty messages) to a single e-mail server to attempt to flood the server. Without the correct security, the target server can experience a denial of service because the server's storage disk fills with useless messages. The system can also stop responding because all system resources become involved in processing the mail from the attack.
• Spamming (junk e-mail) is another type of attack common to e-mail. With increasing numbers of businesses providing e-commerce over the Internet, there has been an explosion of unwanted or unrequested for business related e-mail. This is the junk mail, that is being sent to a wide distribution list of e-mail users, filling the e-mail box of each user.
• Confidentiality is a risk associated with sending e-mail to another person through the Internet. This e-mail passes through many systems before it reaches your intended recipient. If you have not encrypted your message, a hacker can intercept and read your e-mail at any point along the delivery route.

E-mail security options

To guard against flooding and spamming risks, you must configure your e-mail server appropriately. Most server applications provide methods for dealing with these types of attacks. Also, you can work with your Internet Service Provider (ISP) to ensure that the ISP provides some additional protection from these attacks.

What additional security measures you need depend on the level of confidentiality that you need, as well as what security features your e-mail applications provide. For example, is keeping the contents of the e-mail message confidential sufficient? Or do you want to keep all information associated with the e-mail, such as the originating and target IP addresses, confidential?

Some applications have integrated security features that might provide the protection you need. Lotus Notes® Domino®, for instance, provides several integrated security features including encryption capability for an entire document or for individual fields in a document.

In order to encrypt mail, Lotus Notes Domino creates a unique public and private key for each user. You use your private key to encrypt the message so that the message is readable to only those users that have your public key. You must send your public key to the intended receivers of your note so that they can use it to decipher your encrypted note. If someone sends you encrypted mail, Lotus Notes Domino uses the public key of the sender to decipher the note for you.

You can find information about using these Notes® encryption features in the online help files for the program.

When you want to provide more confidentiality for e-mail or other information that flows between branch offices, remote clients, or business partners, you have a couple of options.

If your e-mail server application supports it, you can use Secure Sockets Layer (SSL) to create a secure communications session between the server and e-mail clients. SSL also provides support for optional client-side authentication, when the client application is written to use it. Because the entire session is encrypted, SSL also ensures data integrity while the data is in transit.

Another option available to you is to configure a virtual private network (VPN) connection. You can use your system to configure various VPN connections, including connections between remote clients and your system. When you use a VPN, all traffic that flows between the communicating endpoints is encrypted, ensuring both data confidentiality and data integrity.