14 Dec Safer Email Practices
♥ Thanks to Frank Abrams for his many contributions to this article.
There are security issues involved in sending an email message to a large number of people with everyone's address revealed in the "To:" and/or "CC:" lines, and in using REPLY ALL on emails received that way. Both problems stem from the insecurity of email. This article explains why these practices are dangerous and how to make them safer.
Q. Why are these practices potentially dangerous?
A. Email is insecure on our computers. Some otherwise legitimate websites (LinkedIn is a well-known example) offer to import every address in your contacts list when you open an account with them, and will do so unless you take steps to decline. Less scrupulous websites try to read your contacts list without offering any "opt out" at all. If an original email is sent to 25 recipients with everyone in the "To:" field, each of the 25 mailboxes now contains all 25 addresses. Every address therefore exists in 25 places instead of one and, depending on how those mailboxes are configured, in up to 25 contact lists/address books. A compromise of any one of those 25 computers or accounts exposes all 25 addresses, so each address is roughly 25 times more exposed to being harvested than it was before.
Q. Is there another danger to this practice?
A. Email is exposed in transit as well. When an email is sent between two people in Fearrington, it does not stay in Fearrington. It goes out on the internet and passes through a chain of mail servers that may be anywhere in the country, or indeed the world, and each of those servers holds a readable copy at least briefly; unless every hop along the way is encrypted, which the sender has no way to verify, the message can be read in transit. Bad actors who harvest email addresses to sell are especially interested in messages that expose many addresses at once (around 10 visible addresses is a reasonable working definition of "many"). Spammers, scammers and phishers are the main buyers of such lists, and mass emails with tens of addresses showing are one of the main ways these actors obtain our addresses in order to prey on us. The mail that results is generally unwanted and annoying, and it is often dangerous: it can infect our computers with malware, turn them into "zombies" that send or relay other malicious email under a botnet's control, or encrypt all our files and demand a "ransom" to get them back.
Q. How does REPLY ALL relate to this?
A. Each of the 25 recipients above holds a message carrying all 25 addresses, so if everyone uses REPLY ALL there are now 25 replies, each carrying 25 addresses: 625 copies of addresses in circulation, available to anyone who compromises any one of those mailboxes. Each recipient's inbox is also clogged with roughly 25 additional messages.
Q. Anything else?
A. Yes. Many email services run spam filters, created to protect their customers, that treat a message with a large number of "To:" or "CC:" recipients as likely spam and block it, so some of the people you are trying to reach may never see your email at all.
Q. What’s the solution to this potentially dangerous practice?
A. A far safer way to send the original message is to put your own address in the "To:" line and all the recipients in the blind copy (BCC:) line. BCC addresses are stripped from the message before it is delivered, so no recipient can see who else received it, and replies, even from those whose email applications are set, knowingly or not, to REPLY ALL, go only to the sender who, after all, is the person who assembled the list of recipients in the first place! One caveat: anyone you leave in "To:" or "CC:" is still visible to everyone and still receives every REPLY ALL, so keep those lines to yourself.
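The BCC construction described above, written out as an added example in Python (this is illustrative code, not anything from the original article). It shows what a recipient can see, what the mail server is actually asked to deliver to, and what the message looks like once the Bcc header has been stripped, plus the crude "too many visible recipients" check from the previous answer. The sender, recipient addresses and function names are assumptions made up for the example.

```python
# Added example: build a mass mailing with the recipients hidden in BCC,
# and see what is (and is not) exposed.  Standard library only; all
# addresses are constructed sample data.
import copy
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "organizer@example.com"                                  # assumed sender
RECIPIENTS = [f"neighbor{i}@example.com" for i in range(1, 26)]   # 25 constructed addresses
VISIBLE_LIMIT = 10   # the article's rule of thumb for "a large number" of visible addresses


def build_mass_mail(sender, recipients, subject, body, hide=True):
    """Compose the message.  With hide=True the only visible recipient is the sender
    and everyone else goes in Bcc.  With hide=False every address is in To: (the unsafe way)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if hide:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see: whatever is in To: and Cc:."""
    return [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]


def envelope_recipients(msg):
    """Addresses the mail server is asked to deliver to (To, Cc and Bcc).  This is
    what smtplib.send_message() uses when no explicit recipient list is given."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(hdrs)]


def wire_bytes(msg):
    """The bytes that actually leave the sender.  Like smtplib.send_message(), strip
    the Bcc header first: the Bcc addresses travel only in the SMTP envelope, never
    in the message that lands in each mailbox."""
    on_wire = copy.copy(msg)
    del on_wire["Bcc"]            # rebuilds the header list, so the original is untouched
    return on_wire.as_bytes()


def looks_like_mass_mail(msg, limit=VISIBLE_LIMIT):
    """The kind of crude check a spam filter might apply: too many visible recipients."""
    return len(visible_recipients(msg)) >= limit


if __name__ == "__main__":
    safe = build_mass_mail(SENDER, RECIPIENTS, "Meeting notes", "See attached agenda.")
    unsafe = build_mass_mail(SENDER, RECIPIENTS, "Meeting notes", "See attached agenda.", hide=False)
    print("visible (BCC version):", visible_recipients(safe))
    print("delivered to:", len(envelope_recipients(safe)), "addresses")
    print("Bcc present in wire copy?", b"Bcc:" in wire_bytes(safe))
    print("unsafe version visible:", len(visible_recipients(unsafe)),
          "-> flagged as mass mail:", looks_like_mass_mail(unsafe))
```

The point to notice is the split between `visible_recipients` (what every recipient and every REPLY ALL sees) and `envelope_recipients` (who actually gets the message): with BCC, the two differ by 25 addresses, and the stripped wire copy contains none of them.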
Q. What if I want to promote an e-mail discussion with the recipients by sharing all their responses?
A. The ONLY safe way to do it is to use some form of "list server" (also called a mailing list manager). A list server keeps a protected list of subscriber addresses and delivers each message to all of them without revealing any subscriber's address. A subscriber replies to the list's address, which instructs the list server to send the reply to everyone on the list, so each message shows only two addresses: the sender's and the list server's. A properly configured list server refuses to distribute a message from anyone who is not on the list, so outsiders cannot use it to reach the members. There are many free ways to use the list server approach, among them Google Groups (http://groups.google.com) and FreeLists (https://www.freelists.org/).
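To make the list server idea concrete, here is an added toy list expander in Python. It is an illustration written for this article, not the code of Google Groups, FreeLists or any real list manager; the list address, the subscriber set and the function names are assumptions. It shows the two properties the answer above relies on: an outgoing message exposes only the poster's address and the list's, and a post from a non-subscriber is refused.

```python
# Added example: a toy list server (mailing-list expander) showing how a list
# hides subscribers from each other and refuses posts from outsiders.
# Illustration only; addresses are constructed sample data.
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

LIST_ADDRESS = "neighbors@lists.example.com"                        # assumed list address
SUBSCRIBERS = {f"neighbor{i}@example.com" for i in range(1, 26)}    # 25 constructed members


class NotASubscriber(Exception):
    """Raised when someone who is not on the list tries to post to it."""


def expand(incoming, subscribers=SUBSCRIBERS, list_address=LIST_ADDRESS):
    """Turn one incoming post into the message the list sends out.
    Returns (outgoing message, envelope recipients)."""
    poster = parseaddr(incoming.get("From", ""))[1].lower()
    if poster not in subscribers:
        raise NotASubscriber(poster)       # only listed members may command the list

    out = EmailMessage()
    out["From"] = incoming["From"]         # the poster is visible ...
    out["To"] = list_address               # ... and so is the list; nobody else is
    out["Reply-To"] = list_address         # Reply and Reply All both go back through the list
    out["Subject"] = incoming.get("Subject", "")
    out.set_content(incoming.get_content())
    # Subscriber addresses go only in the SMTP envelope, never in a header.
    return out, sorted(subscribers)


def visible_addresses(msg):
    """Every address a recipient (or a REPLY ALL) can see: From, Reply-To, To and Cc."""
    hdrs = []
    for name in ("From", "Reply-To", "To", "Cc"):
        hdrs += msg.get_all(name, [])
    return {addr.lower() for _, addr in getaddresses(hdrs)}


def make_post(sender, subject, body):
    """Constructed sample post addressed to the list."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = LIST_ADDRESS
    m["Subject"] = subject
    m.set_content(body)
    return m


if __name__ == "__main__":
    out, rcpts = expand(make_post("neighbor7@example.com", "Pool hours", "Is the pool open weekends?"))
    print("visible addresses:", visible_addresses(out))
    print("delivered to", len(rcpts), "subscribers")
    try:
        expand(make_post("spammer@example.net", "Cheap pills", "..."))
    except NotASubscriber as e:
        print("rejected post from", e)
```

A real list manager does far more (subscription handling, moderation, bounce processing, the List-* headers), but the addressing rule is the same: subscribers live in the envelope, and the message itself never carries more than the poster and the list.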