• Understanding Your Computer: Email Clients
• Using Caution with Email Attachments
• Reducing Spam
• Benefits and Risks of Free Email Services
• Benefits of Blind Carbon Copy (BCC)
• Understanding Digital Signatures
• Using Instant Messaging and Chat Rooms Safely
• Staying Safe on Social Network Sites

How do email clients work?

Every email address has two basic parts: the user name and the domain name. When you are sending email to someone else, your domain's server has to communicate with your recipient's domain server.

For example, let's assume that your email address is johndoe@example.com, and the person you are contacting is at janesmith@anotherexample.org. In very basic terms, after you hit send, the server hosting your domain (example.com) looks at the email address and then contacts the server hosting the recipient's domain (anotherexample.org) to let it know that it has a message for someone at that domain. Once the connection has been established, the server hosting the recipient's domain (anotherexample.org) then looks at the user name of the email address and routes the message to that account.

How many email clients are there?

There are many different email clients and services, each with its own interface. Some are web-based, some are stand-alone graphics-based, and some are text-based. The following are some well-known email programs:

Web-based

• Hotmail
• Yahoo! Mail

Stand-alone graphics-based

• Eudora
• Mulberry
• Outlook and Outlook Express
• Pegasus
• Thunderbird

Text-based

• Pine

How do you choose an email client?

There is usually an email client included with the installation of your operating system, but many other alternatives are available. Be wary of "home-brewed" software, because it may not be as secure or reliable as software that is tested and actively maintained. Some of the factors to consider when deciding which email client best suits your needs include
security - Do you feel that your email program offers you the level of security you want for sending, receiving, and reading email messages? How does it handle attachments? If you are dealing with sensitive information, do you have the option of sending and receiving signed and/or encrypted messages?

• privacy - If you are using a web-based service, have you read its privacy policy? Do you know what information is being collected and who has access to it? Are there options for filtering spam?
  
• functionality - Does the software send, receive, and interpret email messages appropriately?
  
• reliability - For web-based services, is the server reliable, or is your email frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons?
  
• availability - Do you need to be able to access your account from any computer?
  
• ease of use - Are the menus and options easy to understand and use?
  
• visual appeal - Do you find the interface appealing?

Each email client may have a different way of organizing drafted, sent, saved, and deleted mail. Familiarize yourself with the software so that you can find and store messages easily, and so that you don't unintentionally lose messages. Once you have chosen the software you want to use for your email, protect yourself and your contacts by following good security practices.

Can you have use more than one email client?

You can have more than one email client, although you may have issues with compatibility. Some email accounts, such as those issued through your internet service provider (ISP) or place of employment, are only accessible from a computer that has appropriate privileges and settings for you to access that account. You can use any stand-alone email client to read those messages, but if you have more than one client installed on your machine, you should choose one as your default. When you click an email link in a browser or email message, your computer will open that default email client that you chose.

Most vendors give you the option to download their email software directly from their web sites. Make sure to verify the authenticity of the site before downloading any files, and follow other good security practices, like keeping anti-virus software up to date, to further minimize risk.

You can also maintain free email accounts through browser-based email clients (e.g., Yahoo!, Hotmail) that you can access from any computer. Because these accounts are maintained directly on the vendors' servers, they don't interfere with other email accounts.

Why can email attachments be dangerous?
Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:

• Email is easily circulated - Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don't even require users to forward the email—they scan a users' computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
• Email programs try to address all users' needs - Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
• Email programs offer many "user-friendly" features - Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.

What steps can you take to protect yourself and others in your address book?

• Be wary of unsolicited attachments, even from people you know - Just because an email message looks like it came from your mom, grandma, or boss doesn't mean that it did. Many viruses can "spoof" the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. This includes email messages that appear to be from your ISP or software vendor and claim to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.
  
• Save and scan any attachments before opening them - If you have to open an attachment before you can verify the source, take the following steps:
  • Be sure the signatures in your anti-virus software are up to date
  • Save the file to your computer or a disk
  • Manually scan the file using your anti-virus software
  • Open the file
• Turn off the option to automatically download attachments - To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and make sure to disable it.
• Consider additional security practices - You may be able to filter certain types of attachments through your email software (see Reducing Spam) or a firewall

What is spam?

Spam is the electronic version of "junk mail." The term spam refers to unsolicited, often unwanted, email messages. Spam does not necessarily contain viruses—valid messages from legitimate sources could fall into this category.

How can you reduce the amount of spam?

There are some steps you can take to significantly reduce the amount of spam you receive:

• Don't give your email address out arbitrarily - Email addresses have become so common that a space for them is often included on any form that asks for your address—even comment cards at restaurants. It seems harmless, so many people write them in the space provided without realizing what could happen to that information. For example, companies often enter the addresses into a database so that they can keep track of their customers and the customers' preferences. Sometimes these lists are sold to or shared with other companies, and suddenly you are receiving email that you didn't request.
• Check privacy policies - Before submitting your email address online, look for a privacy policy. Most reputable sites will have a link to their privacy policy from any form where you're asked to submit personal data. You should read this policy before submitting your email address or any other personal information so that you know what the owners of the site plan to do with the information.
• Be aware of options selected by default - When you sign up for some online accounts or services, there may be a section that provides you with the option to receive email about other products and services. Sometimes there are options selected by default, so if you do not deselect them, you could begin to receive email from lists those lists as well.
• Use filters - Many email programs offer filtering capabilities that allow you to block certain addresses or to only allow email from addresses on your contact list. Some ISPs offer spam "tagging" or filtering services, but legitimate messages misclassified as spam might be dropped before reaching your inbox. However, many ISPs that offer filtering services also provide options for tagging suspected spam messages so the end user can more easily identify them. This can be useful in conjunction with filtering capabilities provided by many email programs.
• Don't follow links in spam messages - Some spam relies on generators that try variations of email addresses at certain domains. If you click a link within an email message or reply to a certain address, you are just confirming that your email address is valid. Unwanted messages that offer an "unsubscribe" option are particularly tempting, but this is often just a method for collecting valid addresses that are then sent other spam.
• Disable the automatic downloading of graphics in HTML mail - Many spammers send HTML mail with a linked graphic file that is then used to track who opens the mail message—when your mail client downloads the graphic from their web server, they know you've opened the message. Disabling HTML mail entirely and viewing messages in plain text also prevents this problem.
• Consider opening an additional email account - Many domains offer free email accounts. If you frequently submit your email address (for online shopping, signing up for services, or including it on something like a comment card), you may want to have a secondary email account to protect your primary email account from any spam that could be generated. You should also use a secondary account when posting to online bulletin boards, chat rooms, public mailing lists, or USENET so that you can get rid of when it starts filling up with spam.
• Don't spam other people - Be a responsible and considerate user. Some people consider email forwards a type of spam, so be selective with the messages you redistribute. Don't forward every message to everyone in your address book, and if someone asks that you not forward messages to them, respect their request.

What is the appeal of free email services?

Many service providers offer free email accounts (e.g., Yahoo!, Hotmail, Gmail). These email services typically provide you with a browser interface to access your mail. In addition to the monetary savings, these services often offer other benefits:

• accessibility - Because you can access your account(s) from any computer, these services are useful if you cannot be near your computer or are in the process of relocating and do not have an ISP. Even if you are able to access your ISP-based email account remotely, being able to rely on a free email account is ideal if you are using a public computer or shared wireless hot spot and are concerned about exposing the details of your primary account.
• competitive features - With so many of these service providers competing for users, they now offer additional features such as large amounts of storage, spam filtering, virus protection, and enhanced fonts and graphics.
• additional capabilities - It is becoming more common for service providers to package additional software or services (e.g., instant messaging) with their free email accounts to attract customers.

Free email accounts are also effective tools for reducing the amount of spam you receive at your primary email address. Instead of submitting your primary address when shopping online, requesting services, or participating in online forums, you can set up a free secondary address to use (

What risks are associated with free email services?

Although free email services have many benefits, you should not use them to send sensitive information. Because you are not paying for the account, the organization may not have a strong commitment to protecting you from various threats or offering you the best service. Some of the elements you risk are

• security - If your login, password, or messages are sent in plain text, they may easily be intercepted. If a service provider offers SSL encryption, you should use it. You can find out whether this is available by looking for a "secure mode" or by replacing the "http:" in the URL with "https:" (see Protecting Your Privacy for more information).
• privacy - You aren't paying for your email account, but the service provider has to find some way to recover the costs of providing the service. One way of generating revenue is to sell advertising space, but another is to sell or trade information. Make sure to read the service provider's privacy policy or terms of use to see if your name, your email address, the email addresses in your address book, or any of the information in your profile has the potential of being given to other organizations (see Protecting Your Privacy for more information). If you are considering forwarding your work email to a free email account, check with your employer first. You do not want to violate any established security policies.
• reliability - Although you may be able to access your account from any computer, you need to make sure that the account is going to be available when you want to access it. Familiarize yourself with the service provider's terms of service so that you know exactly what they have committed to providing you. For example, if the service ends or your account disappears, can you retrieve your messages? Does the service provider give you the ability to download messages that you want to archive onto your machine? Also, if you happen to be in a different time zone than the provider, you may find that their server maintenance interferes with your normal email routine.

What is BCC?

BCC, which stands for blind carbon copy, allows you to hide recipients in email messages. Unlike addresses in the To: field or the CC: (carbon copy) field, addresses in the BCC: field cannot be seen by other users.
Why would you want to use BCC?

There are a few main reasons for using BCC:

• Privacy - Sometimes it's beneficial, even necessary, for you to let recipients know who else is receiving your email message. However, there may be instances when you want to send the same message to multiple recipients without letting them know who else is receiving the message. If you are sending email on behalf of a business or organization, it may be especially important to keep lists of clients, members, or associates confidential. You may also want to avoid listing an internal email address on a message being sent to external recipients.
  
• Another point to remember is that if you use the To: or CC: fields to list all of your recipients, these same recipients will also receive any replies to your message unless the sender removes them. If there is potential for a response that is not appropriate for all recipients, consider using BCC.
  
• Tracking - Maybe you want to access or archive the email message you are sending at another email account. Or maybe you want to make someone, such as a supervisor or team member, aware of the email without actually involving them in the exchange. BCC allows you to accomplish these goals without advertising that you are doing it.
  Respect for your recipients - Forwarded email messages frequently contain long lists of email addresses that were CC'd by previous senders. These addresses are highly likely to be active and valid, so they are very valuable to spammers. Furthermore, many email-borne viruses harvest email addresses contained in messages you've already received (not just the To: and From: fields, but from the body, too), so those long lists in forwarded messages pose a risk to all the accounts they point to if you get infected.
  
  Many people frequently forward messages to their entire address books using CC. Encourage people who forward messages to you to use BCC so that your email address is less likely to appear in other people's inboxes and be susceptible to being harvested. To avoid becoming part of the problem, in addition to using BCC if you forward messages, take time to remove all existing email addresses within the message. The additional benefit is that the people you're sending the message to will appreciate not having to scroll through large sections of irrelevant information to get to the actual message.

How do you BCC an email message?

Most email clients have the option to BCC listed a few lines below the To: field. However, sometimes it is a separate option that is not listed by default. If you cannot locate it, check the help menu or the software's documentation.

If you want to BCC all recipients and your email client will not send a message without something in the To: field, consider using your own email address in that field. In addition to hiding the identity of other recipients, this option will enable you to confirm that the message was sent successfully.

What is a digital signature?

You may have received emails that have a block of letters and numbers at the bottom of the message. Although it may look like useless text or some kind of error, this information is actually a digital signature. To generate a signature, a mathematical algorithm is used to combine the information in a key with the information in the message. The result is a random-looking string of letters and numbers.

Why would you use one?

Because it is so easy for attackers and viruses to "spoof" email addresses, it is sometimes difficult to identify legitimate messages. Authenticity may be especially important for business correspondence—if you are relying on someone to provide or verify information, you want to be sure that the information is coming from the correct source. A signed message also indicates that changes have not been made to the content since it was sent; any changes would cause the signature to break.

How does it work?

Before you can understand how a digital signature works, there are some terms you should know:

• Keys - Keys are used to create digital signatures. For every signature, there is a public key and a private key.
  • Private key - The private key is the portion of the key you use to actually sign an email message. The private key is protected by a password, and you should never give your private key to anyone.
  • Public key - The public key is the portion of the key that is available to other people. Whether you upload it to a public key ring or send it to someone, this is the key other people can use to check your signature. A list of other people who have signed your key is also included with your public key. You will only be able to see their identify if you already have their public keys on your key ring.
• Key ring - A key ring contains public keys. You have a key ring that contains the keys of people who have sent you their keys or whose keys you have gotten from a public key server. A public key server contains keys of people who have chosen to upload their keys.
• Fingerprint - When confirming a key, you will actually be confirming the unique series of letters and numbers that comprise the fingerprint of the key. The fingerprint is a different series of letters and numbers than the chunk of information that appears at the bottom of a signed email message.
• Key certificates - When you select a key on a key ring, you will usually see the key certificate, which contains information about the key, such as the key owner, the date the key was created, and the date the key will expire.
• "Web of trust" - When someone signs your key, they are confirming that the key actually belongs to you. The more signatures you collect, the stronger your key becomes. If someone sees that your key has been signed by other people that he or she trusts, he or she is more inclined to trust your key. Note: Just because someone else has trusted a key or you find it on a public key ring does not mean you should automatically trust it. You should always verify the fingerprint yourself.

The process for creating, obtaining, and using keys is fairly straightforward:

1. Generate a key using software such as PGP, which stands for Pretty Good Privacy, or GnuPG, which stands for GNU Privacy Guard.
2. Increase the authenticity of your key by having your key signed by co-workers or other associates who also have keys. In the process of signing your key, they will confirm that the fingerprint on the key you sent them belongs to you. By doing this, they verify your identity and indicate trust in your key.
3. Upload your signed key to a public key ring so that if someone gets a message with your signature, they can verify the digital signature.
4. Digitally sign your outgoing email messages. Most email clients have a feature to easily add your digital signature to your message.

What are the differences between some of the tools used for real-time communication?

• Instant messaging (IM) - Commonly used for recreation, instant messaging is also becoming more widely used within corporations for communication between employees. IM, regardless of the specific software you choose, provides an interface for individuals to communicate one-on-one.
• Chat rooms - Whether public or private, chat rooms are forums for particular groups of people to interact. Many chat rooms are based upon a shared characteristic; for example, there are chat rooms for people of particular age groups or interests. Although most IM clients support "chats" among multiple users, IM is traditionally one-to-one while chats are traditionally many-to-many.
• Bots - A "chat robot," or "bot," is software that can interact with users through chat mechanisms, whether in IM or chat rooms. In some cases, users may be able to obtain current weather reports, stock status, or movie listings. In these instances, users are often aware that they are not interacting with an actual human. However, some users may be fooled by more sophisticated bots into thinking the responses they are receiving are from another person.

There are many software packages that incorporate one or more of these capabilities. A number of different technologies might be supported, including IM, Internet Relay Chat (IRC), or Jabber.

What are the dangers?

• Identities can be elusive or ambiguous - Not only is it sometimes difficult to identify whether the "person" you are talking to is human, but human nature and behavior isn't predictable. People may lie about their identity, accounts may be compromised, users may forget to log out, or an account may be shared by multiple people. All of these things make it difficult to know who you're really talking to during a conversation.
• Users are especially susceptible to certain types of attack - Trying to convince someone to run a program or click on a link is a common attack method, but it can be especially effective through IM and chat rooms. In a setting where a user feels comfortable with the "person" he or she is talking to, a malicious piece of software or an attacker has a better chance of convincing someone to fall into the trap (see Avoiding Social Engineering and Phishing Attacks for more information).
• You don't know who else might be seeing the conversation - Online interactions are easily saved, and if you're using a free commercial service the exchanges may be archived on a server. You have no control over what happens to those logs. You also don't know if there's someone looking over the shoulder of the person you're talking to, or if an attacker might be "sniffing" your conversation.
• The software you're using may contain vulnerabilities - Like any other software, chat software may have vulnerabilities that attackers can exploit.
• Default security settings may be inappropriate - The default security settings in chat software tend to be relatively permissive to make it more open and "usable," and this can make you more susceptible to attacks.

How can you use these tools safely?

• Evaluate your security settings - Check the default settings in your software and adjust them if they are too permissive. Make sure to disable automatic downloads. Some chat software offers the ability to limit interactions to only certain users, and you may want to take advantage of these restrictions.
• Be conscious of what information you reveal - Be wary of revealing personal information unless you know who you are really talking to. You should also be careful about discussing anything you or your employer might consider sensitive business information over public IM or chat services (even if you are talking to someone you know in a one-to-one conversation).
• Try to verify the identity of the person you are talking to, if it matters - In some forums and situations, the identity of the "person" you are talking to may not matter. However, if you need to have a degree of trust in that person, either because you are sharing certain types of information or being asked to take some action like following a link or running a program, make sure the "person" you are talking to is actually that person.
• Don't believe everything you read - The information or advice you receive in a chat room or by IM may be false or, worse, malicious. Try to verify the information or instructions from outside sources before taking any action.
• Keep software up to date - This includes the chat software, your browser, your operating system, your mail client, and, especially, your anti-virus software

What are social networking sites?

Social networking sites, sometimes referred to as "friend-of-a-friend" sites, build upon the concept of traditional social networks where you are connected to new people through people you already know. The purpose of some networking sites may be purely social, allowing users to establish friendships or romantic relationships, while others may focus on establishing business connections.

Although the features of social networking sites differ, they all allow you to provide information about yourself and offer some type of communication mechanism (forums, chat rooms, email, instant messenger) that enables you to connect with other users. On some sites, you can browse for people based on certain criteria, while other sites require that you be "introduced" to new people through a connection you share. Many of the sites have communities or subgroups that may be based on a particular interest.

What security implications do these sites present?

Social networking sites rely on connections and communication, so they encourage you to provide a certain amount of personal information. When deciding how much information to reveal, people may not exercise the same amount of caution as they would when meeting someone in person because

• the internet provides a sense of anonymity
• the lack of physical interaction provides a false sense of security
• they tailor the information for their friends to read, forgetting that others may see it
• they want to offer insights to impress potential friends or associates

While the majority of people using these sites do not pose a threat, malicious people may be drawn to them because of the accessibility and amount of personal information available on them. The more information malicious people have about you, the easier it is for them to take advantage of you. Predators may form relationships online and then convince unsuspecting individuals to meet them in person. That could lead to a dangerous situation. The personal information can also be used to conduct a social engineering attack. Using information that you provide about your location, hobbies, interests, and friends, a malicious person could impersonate a trusted friend or convince you that they have the authority to access other personal or financial data.

How can you protect yourself?

• Limit the amount of personal information you post - Do not post information that would make you vulnerable (e.g., your address, information about your schedule or routine). If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing.
• Remember that the internet is a public resource - Only post information you are comfortable with anyone seeing. This includes information in your profile and in blogs and other forums. Also, once you post information online, you can't retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people's machines (see Guidelines for Publishing Information Online for more information).
• Be wary of strangers - The internet makes it easy for people to misrepresent their identities and motives. Consider limiting the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal or agreeing to meet them in person.
• Be skeptical - Don't believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, a product of exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taken any action.
• Check privacy policies - Some sites may share information such as email addresses or user preferences with other companies. This may lead to an increase in spam (see Reducing Spam for more information). Also, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.

Children are especially susceptible to the threats that social networking sites present. Although many of these sites have age restrictions, children may misrepresent their ages so that they can join. By teaching children about internet safety, being aware of their online habits, and guiding them to appropriate sites, parents can make sure that the children become safe and responsible users