by Bob Weiss
Email is one of the very first Internet protocols, going all the way back to 1971 and the early ARPANET. Ray Tomlinson is credited as the inventor of networked email; he developed the first system able to send mail between users on different hosts across the ARPANET, using the @ sign to link the user name with a destination server.
Your email address may be something you take for granted. An email address is typically a combination of a user name and a domain name or mail server name joined with the @ sign, in the format user@domain.com, or as an example, bob@wyzguys.com.
Messaging
The principal purpose of email is sending messages between two or more individuals. But email has evolved from its original purpose, the exchange of messages between two users on different computer systems over a network, such as a LAN or the Internet.
Identification
Because an email address needs to be globally unique or one-of-a-kind on the Internet, it has also become the major form of user identification. A user ID has to be unique to the particular system or service, and the email address is an easy and preexisting way to do this. When you log in to most web sites, web applications, or web services, you use your email address as your user ID, and then authenticate or prove your identity with a password, PIN, or other authentication factor.
Security Concerns
Many of the earliest Internet protocols were developed without much thought of security. Email is no exception. Email has become the principal attack vector through phishing emails, which, according to the FBI, is the number one cyber crime by victim count. Phishing emails also represent at least 90% of the opening moves of a wide variety of cyber-crimes. Email account hijacking, or what the FBI calls Business Email Compromise (BEC), is the number one cybercrime in terms of dollars lost, a whopping $1.8 trillion.
Types of Email Accounts
Let’s take a look at the different types of email accounts that you might be using. Personally, I use all of these types. I use a lot of different email accounts for different purposes. We will discuss those uses in the next sections.
Primary Email Address
Everybody has at least one email address. This is known as your primary email address. It is the one you use most often. Once upon a time, it may have been good enough to have a single email account, but these days there are good reasons to have at the very least a primary and secondary email account. Many people have both a business email and a personal email which may both be considered primary, one at the office, one at home.
Secondary Email Address
A secondary email address is a good idea, and not just for separating business and personal emails. It is good to add a secondary email address to important accounts such as your Microsoft account, Google account, Apple account, Amazon account, and so many others. This way, if you are unable to access your primary email account due to having your account hijacked and the password changed by an attacker, you have a second channel to use to communicate with the service provider. It is of the utmost importance that you set up a secondary email account in advance of a security breach. Afterwards it will not be possible, and you may lose access to that account permanently.
Often we end up with a secondary account when we buy an Android or Apple smart phone, for example. These phones are tied to either a Google account or an Apple account, and typically the phones are provisioned with an email account ending with @gmail.com for an Android phone and @icloud or @me for an iPhone. You may not use these accounts for much of anything, but they can be used as a secondary email account for the security purposes discussed above.
Special Purpose Email Address
You can create email accounts for special purposes. If you are hosting a web site somewhere, you may have an email address that is tied to the website’s domain name. If you are running a business, you may want to have some generic email accounts such as sales@, support@, accountspayable@, and so forth. Many marketing organizations will create a special email address to track responses to a marketing campaign.
I have several domains and web sites, and email accounts associated with most of them. I have an email address that my wife and I share, and the emails come to both of us. I have some domains I use for simulated phishing training and can provision special purpose email addresses as I need them. I have a Proton Mail address when I need encryption and privacy. I have some email identities I use for investigative purposes on the Dark Web. There are lots of reasons you might want to create a special purpose email address.
Disposable Email Address
A disposable email address is designed for uses where you may want to close an online account permanently. I use temporary or disposable email addresses when I am investigating phishing emails for the Friday Phish Fry. This can come in handy any time you are worried about being aggressively marketed, spammed, or attacked in some other way over email. Or if the survey you just completed has sold your personal information to dozens of spammers or email marketing firms. This way your primary address and secondary address stay clean. You can always close the disposable account when you no longer need it.
Here are a few email providers from ProPrivacy that are set up especially for this purpose:
- 10 minute Mail – A quick, simple, and effective service ideal for use with sites that require verification.
- Temp-Mail – Offers a premium option for folks wanting to banish ads and increase their storage time.
- ProtonMail – Offers far more than disposable emails, especially if you upgrade to a premium account.
- GuerrillaMail – Zaps pesky spam messages before they can bother you, and offers an impressive amount of customizability.
- Emailondeck – Impresses us with serious security standards – including routine wipes of mail logs.
Custom or Domain-based Email Address
My first email address was @aol.com. That’s gone now. When the cable company came to my town in the 1990’s, I was assigned a Road Runner account on @rr.com. They were acquired by Comcast, and I was switched to @comcast.net. And then there were the many business email addresses that were assigned to me by my employers, and these email addresses disappeared when I left their employ. For me, the lack of control over my email was just too damn annoying and inconvenient.
In 1990, I was laid off from an Internet startup when the Great Internet Bubble burst. I had seen this coming, and had prepared by creating a website for a computer support business I was planning to launch. I registered the domain name wyzguys.com and set up the email address bob@wyzguys.com. I am still using that email address 22 years later. I am a big believer that you have to own your own email identity.
The way to do that is to register a domain name and learn how to set up the email addresses you need. I strongly recommend that if you own a business and are using an email on @gmail.com, @yahoo.com, @me.com, or @outlook.com, you need to set up a business email domain now. Any of those service providers could change or go out of business, and leave you with no access to that email account you are using for business. For example, Microsoft has had a bunch of different email domains starting with @hotmail.com, then msn.com, then live.com, and now outlook.com. Fortunately for users, Microsoft has continued to support all these email domains, but some day they just might turn the older ones off.
Changing email addresses
Changing your email address is a hassle, but there is a right way to do it. There are also many wrong ways to do it. Sometimes the change is forced on you, when an email service provider goes out of business or changes the terms of service. For instance, Yahoo required one of my clients to pay an annual fee for him to read Yahoo mail in Microsoft Outlook. His other alternative was to use the Yahoo web mail portal for free, but he was a long time Outlook user, and didn’t want to stop using it. We ended up switching him to Outlook.com. Of the free public email alternatives, only Outlook.com works reliably in Outlook the application. Not surprising. Here is the process.
- Pick a new email address. The best of the free public services are Gmail, Outlook.com, and Apple.com. I would recommend avoiding Yahoo at this point. If you are a business owner, or have registered a domain name for a website, consider taking control of your email and creating the email addresses you need on your registered domain.
- Download your email archive, contacts, and calendar. Using your current email provider’s Help articles, find out how to export, backup, or save your emails, contacts and appointments. Usually this information is saved in comma-delimited format.
- Import your email, contacts, and calendar trove to the new service. Using the NEW email provider’s Help files, learn how to import the records you saved in the last step.
- Forward new emails from the old email address to the new email address. You can use the old service provider’s Help files to learn how to do this. You will want to leave the forwarding in place for six months to a year. You should also set up an auto-responder email that informs the person who sent the email of your new email address. You may have to skip the autoresponder if you are escaping from too much junk mail or spam. The last thing you want is for your spammers to get the new email address.
- Start using the new email. Have fun trying out the new email. Make sure you have all the available security options enabled.
- Notify your contacts. Send an email to everyone on your contact list, or at least those people who need to know that you have changed your email address, and that they should update their contact record.
- Clean out the old account. Go back to the old email account and delete all saved messages and folders, contacts, and calendar entries.
- Shut down the old account. After six months or a year, close the old account down. Leaving the old account in place might just be handy for an attacker who might use your old account for phishing or some other email attack.
Email Security
There are two different areas to consider when it comes to email security – securing the account itself, and securing the message contents.
To secure the message contents requires encryption, and this can be accomplished through the use of PGP, S/MIME, or using an encrypted service like Proton Mail. You can also use the secure email ports for POP (995), IMAP (993), and SMTP (465 or 587) with STARTTLS. This does not encrypt the message contents exactly, but it does encrypt the transmission session.
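As an added example (not from the original article), the Python sketch below reads a message's Received headers to show which delivery hops ran over TLS, and separately checks whether the body itself is PGP/MIME or S/MIME encrypted. The sample message, its host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords (IANA Mail Transmission Types, RFC 3848) that mean the hop used TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Constructed sample: three hops (newest Received header first), plain-text body.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby store.recipient.example with LMTP id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.5])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.recipient.example (Postfix) with ESMTPS id 4Txyz; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example ([192.0.2.44])
\tby out.sender.example with ESMTPSA id q1w2e3; Mon, 1 Jan 2024 10:00:01 +0000
Subject: Quarterly numbers
Content-Type: text/plain

Plain text body.
"""

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments, which may contain 'with'."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def transport_hops(msg):
    """Return [(receiving_host, protocol, used_tls)] in delivery order."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):  # oldest hop first
        value = strip_comments(" ".join(raw.split()))  # unfold, then de-comment
        by = re.search(r"\bby\s+([^\s;]+)", value, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", value, re.I)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "unknown", name, name in TLS_KEYWORDS))
    return hops

def content_encrypted(msg):
    """True only if the body itself is PGP/MIME or S/MIME enveloped data."""
    if msg.get_content_type() == "multipart/encrypted":  # PGP/MIME, RFC 3156
        return True
    smime = str(msg.get_param("smime-type", "")).lower()
    return msg.get_content_type() == "application/pkcs7-mime" and smime == "enveloped-data"

msg = message_from_string(SAMPLE)
for host, proto, tls in transport_hops(msg):
    print(f"{host:28} {proto:8} {'TLS' if tls else 'no TLS'}")
print("content encrypted end to end:", content_encrypted(msg))
```

On the sample, both Internet-facing hops report TLS while the body is still plain text, so every server that handled the message could read it. Received headers added before the message reached your own provider can be forged by the sender, so trust only the hops your provider recorded.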
Securing your email account will require the use of knowledge-based questions and answers (what was your elementary school name?), the establishment of a secondary email address, setting up text message alerts, telephone alerts, location alerts, and a good second authentication factor using something like Google’s Authenticator app or a YubiKey. Time spent setting up your security is time well spent.
I have covered many issues surrounding your email account fairly thoroughly. Hopefully you found this information useful. Your email account may be the most important of all your online assets and identities, so make sure you have taken care to follow my suggestions. If you need help, just send me an email!
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com