Email security question

[Martyuk39]

My boss uses Outlook 2002 and SMTP for sending mail. He uses whatever internet connection he can get his hands on. Currently he's in a factory the Far East. He's convinced someone is monitoring his sent emails. All I know about the exact setup is that they have him set up so that the outgoing server (theirs) requires authentication, and that he logs on using a username and password given to him by them, separate from any he has for his machine, ISP, incoming mail server etc.

How easy would it be for them somehow to get a copy of what he's sending? Is it likely? We're certainly not talking military grade secrets here. He's just a salesman. As far as I know, haha.

Thanks

 

[AT]

If he is sending emails unencrypted using the setup you described then logging their contents is as easy as 1+1.

At the very least he should have an encrypted connection to a trusted mail server. Currently he basically storing all his sent mail on their servers. If he is seriously worried then encryption (PGP) is the way to go.

 

[Martyuk39]

My hands are a little bit tied in that I don't know much about their system. I didn't even know he was logging into it until this morning. I've told him to set up an email account that requires authentification for sending and to use the same settings as the incoming server. If that works then it would that be all right? His email account over there can be whatever it wants - he's a custom recipient in my Exchange server and I forward everything to him.

Would the above scenario be relatively more secure? If he's not logging into their server?

I'm assuming there's a strong possibility that their server could block it and give him error 550 or whatever. How do I get round that?

 

[AT]

Authenticating on the server does not help if the server is still theirs. The emails will still be handled and sent in plain text (unless of course they are encrypted) on that server and therefore available for monitoring.

How about you providing him SSL encrypted webmail on your mail server? You have Exchange so Outlook Web Access is available? That should make it at least a bit more difficult for that company to monitor your bosses emails as all his sent mail is not routed through their servers.

Since he is working in their network he should also be reading his mails using an encrypted protocol (SSL protected POP/IMAP).

 

[Martyuk39]

I haven't got OWA available due to a lack of resources in my office (he's in China where he's now producing all the goods he used to produce here in the UK!). I've tried it and it's a bit of a crawl - the router is also my network switch, the Exchanger server is the everything else server too.

I've had a look at trying to secure emails using something like Verisign but run into a problem - "Outlook had problems encrypting this message because the following recipients had missing or invalid certificates...." it seems to want the recipient to have a digital signature too, and I keep having to send unencrypted (this is from my pop3/smtp non-exchange client). Is this something I should be able to figure out so it is possible to encrypt messages?

How do I get him reading his mails using an encrypted protocol? Is that available to him in Outlook or is it server or ISP-based?

 

[AT]

Originally posted by: Martyuk39
I've had a look at trying to secure emails using something like Verisign but run into a problem - "Outlook had problems encrypting this message because the following recipients had missing or invalid certificates...." it seems to want the recipient to have a digital signature too, and I keep having to send unencrypted (this is from my pop3/smtp non-exchange client). Is this something I should be able to figure out so it is possible to encrypt messages?

That's the whole point of encryption and practical problem in many cases with email encryption. You need to have other people using same encryption and you need their public keys to encrypt mails sent to them.

How do I get him reading his mails using an encrypted protocol? Is that available to him in Outlook or is it server or ISP-based?

You have to enable the mail server to use SSL POP/IMAP. Also Outlook has to be configured to use it. If I remember correctly it's only a matter of a few clicks but I don't have Outlook available right now so can't check.

How about a real quick and dirty solution. Don't tell anyone I actually suggested this: forward his emails to Gmail account. At least that is SSL secured and I would trust Google an inch more than some company that may actually be interested in your bosses emails.

If your boss reads his emails using standard POP then there is not much point in securing his email sending as all his received mails are in plain text available in the network where your boss is right now.

 

[Martyuk39]

OK one thing I didn't mention. When he's not at the factory he stays in an apartment and has a broadband router with an ISP which I'm assuming is independent of the factory server. So he's going to be OK there, or elsewhere, isn't he? Once he stops logging into their mail server for outgoing mail.

Gmail doesn't seem to be available to the general public at the moment...

 

[AT]

Who knows what's going on in the great firewall of China. If you are using unencrypted email it can monitored. But unless the company gets information about emails from the local ISP or local government your boss is at leastslightly better off sending his emails using that ISP. At least then the company has to actually do something to get them instead of your boss directly storing his emails on their servers.

Gmail accounts are invitation only but invitations are everywhere. Post your email address here and I'm sure you will get some invitations if needed.

 

[MrChad]

Text

You're on the right track with digital IDs and encryption. Any forwarding and/or transmission of emails leaves you open for monitoring, especially if your ISP connections are not over SSL. I would recommend an encrypted message solution.

You can also try a PGP solution. There are plugins freely available for Outlook.

 

[Martyuk39]

Thanks for the assistance. He seems to have wandered off probably for the weekend, so I'll see what I can come up with next week