
Authentic Email Communication for Mail List Owners

By Miroslav B. Bonchev
Part I
Do mail list owners need to take proactive measures to protect themselves and others, even if they rarely send private and personal information? The answer is YES, though that may be surprising to many! In this two-part article, we discuss why it is important to protect yourself, your audience and others if you are a mail list owner. We also discuss how to do so through the use of software such as Act On File.

When it comes to authentic online communication, we most commonly discuss the authenticity issues from the message recipients' point of view. Thus, we most commonly discuss how the recipient of an email can ensure that the email which they receive is genuine, from the apparent sender, and that the message content has not been changed while travelling. Although it is possible for mail list owners to send encrypted messages to their subscribers, they very rarely, if ever, do. Thus, we will discuss only the authentication side of security hazards which both the subscribers and the mail list owners are subject to.

A recipient of an email message could be the subject of spam, spoofing and phishing attacks. The best way to protect oneself from such attacks is for the sender to always send a digital signature of the message, which the recipient can use to authenticate it. The recipient of an email can rarely prove with absolute certainty that a message is authentic unless it is digitally signed. Thus, the burden for the safety of the recipient is mostly in the hands of the sender. The email sender, in particular mail list owners, can use software such as Act On File to digitally sign their messages. The recipients, including mail list subscribers, can then easily authenticate the message using the message itself, its signature, and the public key of the sender which must be available through an authentic channel, such as being available for download from the sender's website. To make this technique infallible, it is recommended that the actual message is sent as an attached file with a signature appended to it. This is where the discussion is usually ended, but there is more to say.

It must not be assumed that all attacks are necessarily malicious and aim to deprive the recipient of their personal details, although this is probably the most common objective of such an effort. It also must not be assumed that the target of an attack is always the recipient of the message. An attack can be on the owner of the mailing list, or even on third parties entirely unrelated to either the owner of the mailing list or the subscribers. Suppose that a well-known entity has a mailing list. It is possible for an attacker to start emailing the subscribers of that list if they have somehow obtained it, or even email randomly, with messages bearing the name, logo and style of the original person, thus impersonating them. Such an email attack could simply exploit the name of the mail list owner and the fact that they are well-known and trusted. For instance, an attack could be made to endorse a product, express an opinion, or create havoc and division in their circles. For example, suppose James Jones has a very successful television show, and is also running a mailing list. Then an imposter could use the name of James and spam numerous people with emails which look as if they were sent by James, endorsing a product or position, or carrying any other content under the name of James Jones. It will be very difficult for James to prove that he did not send those emails unless he always digitally signs his messages and thus helps his audience to always authenticate them.

In the second part of this article, we will discuss the best practices of how to prepare and send messages and data which can be authenticated by the recipients.

Act On File can be downloaded from: http://www.mbbsoftware.com/Products/Act-On-File/2012/Download.aspx.
Part II
In part one we discussed that, although at first glance it may appear that a mail list owner does not need to do anything about safety with regard to their mail list submissions, they are in fact very much required to take proactive measures and are responsible for doing so. The main reason for this is that third parties could spoof their emails and create attacks exploiting the name of the mail list owner and the fact that they are well-known and trusted.

To protect themselves, their subscribers, and the general public from imposters using their name, a mail list owner must always send messages which are digitally signed. This way, the recipient of the message can always establish if it is genuine or not. The best way to do that is to have the actual message attached to the email as a separate file with a digital signature appended to it. The email body should only contain the highlights of the content of the attached message. If the recipient is not interested in the highlights, then they are not likely to have been interested in the actual content had it been in the body of the email. If they are interested in the highlights, however, then they would open the attached file. Since the signature is appended to the message file, the signature must first be removed from it before the file can be read, which is done in the process of authentication. The process of authentication removes the appended signature, restoring the message file to its original readable form, and yields a confirmation or denial of the authenticity and integrity of the restored message file. If the result is a denial of the message authenticity, then the recipient simply deletes the message. However, if it is a confirmation, then they can safely proceed to open the file and read its content. Additionally, since the message is confirmed to be authentic and is already outside of the mailing software, the user might be strongly inclined to store it for their records and future reference, which is another desirable outcome from the mail list owner's point of view. If a message is not signed, then it is automatically considered as sent by an imposter and discarded.

To sign files and append their signatures to them, one can use the Sign Files functionality of the Authenticator module of the Act On File software. To authenticate and remove the appended signature from a file, one can use the Verify Signatures functionality of the Authenticator module of Act On File. The Sign Files functionality can be used to generate public-private key pairs when needed.
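
The sign-and-append and verify-and-strip flow described above, as an added example that is not Act On File's code or its file format. The trailer layout, the `MAGIC` marker and the function names are assumptions made for illustration, and textbook RSA over SHA-256 with a publicly known demonstration key stands in for a real signature scheme.

```python
import hashlib

# Demonstration RSA key built from two well-known Mersenne primes, so the
# private exponent is public knowledge. Constructed for this example only;
# a real sender would use a vetted signature library and a secret key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                     # public key, pinned by the recipient
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (sender only)
SIG_LEN = (N.bit_length() + 7) // 8     # fixed signature size in bytes
MAGIC = b"SIGNED01"                     # hypothetical trailer marker


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign_and_append(message: bytes) -> bytes:
    """Sender side: return message || signature || MAGIC."""
    sig = pow(_digest_int(message), D, N)
    return message + sig.to_bytes(SIG_LEN, "big") + MAGIC


def verify_and_strip(blob: bytes) -> bytes:
    """Recipient side: return the restored message or raise ValueError."""
    trailer = SIG_LEN + len(MAGIC)
    if len(blob) < trailer or not blob.endswith(MAGIC):
        # Unsigned input is rejected, never passed through.
        raise ValueError("no appended signature")
    message = blob[:-trailer]
    sig = int.from_bytes(blob[-trailer:-len(MAGIC)], "big")
    if sig >= N or pow(sig, E, N) != _digest_int(message):
        raise ValueError("signature does not match content")
    return message


def check(blob: bytes) -> str:
    """Map the verification outcome to the confirm/deny result."""
    try:
        verify_and_strip(blob)
        return "authentic"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    newsletter = b"August newsletter (constructed sample text)\n"
    signed = sign_and_append(newsletter)
    tampered = bytes([signed[0] ^ 1]) + signed[1:]
    for name, blob in [("signed", signed), ("tampered", tampered),
                       ("unsigned", newsletter)]:
        print(name, "->", check(blob))
```

The recipient only ever sees the readable message as the return value of `verify_and_strip`, so a file that is unsigned or altered never reaches the point of being opened.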

It is possible to send the message file and its signature as two separate files attached to the email; however, since in this case the message file can be opened directly, most people would fail to authenticate it. By sending a message file with a signature appended to it, the recipient is forced to first authenticate the message and remove the signature before they can open and read it. It is also possible to authenticate messages using certificates; however, that process is less desirable than using public-private keys, as it introduces an unnecessary and burdensome certificate authority, which decreases the security level and will also incur further expenses for the mail list owner. In conclusion, it is clear that helping the recipients of a message to authenticate the sender is not only important for the safety and best experience of the recipients of the message, but also for the sender, and for the whole of society.

Act On File can be downloaded from: http://www.mbbsoftware.com/Products/Act-On-File/2012/Download.aspx.
Miroslav B. Bonchev
4-th August 2012
London, England