
What is the best method to determine whether email messages are transmitted as clear text?

In this application security Ask the Expert Q&A, Michael Cobb discusses how to use a network analyzer tool to determine whether email exchanges are transmitted as clear text.

What is the best method for determining if e-mail messages are transmitted as clear text? I need to determine whether our company e-mail messages are encrypted when they are transmitted within and out of the corporate network.
You need a network analyzer (a.k.a. packet sniffer, packet analyzer or protocol analyzer). This is a hardware device or software program that captures packets transmitted over a network and decodes them into a readable format for routine inspection and problem detection. With a network analyzer, you can check how e-mails are transmitted across your network and use the information it collects for debugging other network-related problems.

Once the network analyzer is set up, it can capture everything that travels through your network. To capture e-mail packets, ensure that the analyzer is logging traffic to and from your mail server. When you review the packets, check the e-mail headers to see if the content-type is application/x-pkcs7-mime. If it is, the e-mail is encrypted, which means you will not be able to read the message. If the content-type is text/plain or multipart/alternative, the message is not encrypted, which means you will be able to read the message.
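The header check described above, as an added example that is not part of the original answer: a small Python classifier that takes messages a packet analyzer has reassembled from SMTP sessions and flags the ones whose body travels in the clear. It goes one step beyond the answer by also recognising the registered application/pkcs7-mime type and by separating signed-only S/MIME (smime-type=signed-data), whose content is still readable, from enveloped (encrypted) S/MIME. The sample messages are constructed, not captured traffic.

```python
from email import policy
from email.parser import BytesParser

# MIME types that carry an S/MIME CMS object. The answer names the legacy
# x- form; application/pkcs7-mime is the registered equivalent (RFC 8551).
SMIME_TYPES = {"application/x-pkcs7-mime", "application/pkcs7-mime"}

def classify(raw: bytes) -> str:
    """Return 'encrypted', 'signed-only' or 'cleartext' for one reassembled message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()  # defaults to text/plain when the header is absent
    if ctype in SMIME_TYPES:
        # smime-type=signed-data is an opaque signature: the body sits inside the
        # CMS blob unencrypted, so a sniffer can still recover it.
        if (msg.get_param("smime-type") or "").lower() == "signed-data":
            return "signed-only"
        return "encrypted"
    # text/plain, multipart/alternative, multipart/signed, etc. are readable.
    return "cleartext"

def audit(messages: dict[str, bytes]) -> dict[str, str]:
    """Classify every captured message; 'cleartext' results are the policy findings."""
    return {name: classify(raw) for name, raw in messages.items()}

# Constructed sample messages standing in for what an analyzer reassembles
# from SMTP sessions to the mail server (not real captured traffic).
HDR = b"From: alice@example.com\r\nTo: bob@example.com\r\nMIME-Version: 1.0\r\n"
SAMPLES = {
    "enveloped": HDR + b"Subject: Q2 figures\r\n"
        b'Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHA6CAMIACAQAx\r\n",
    "signed": HDR + b"Subject: Signed memo\r\n"
        b'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHAqCAMIACAQEx\r\n",
    "plain": HDR + b"Subject: VPN password\r\n"
        b"Content-Type: text/plain; charset=us-ascii\r\n\r\nThe new password is hunter2\r\n",
    "html": HDR + b"Subject: Newsletter\r\n"
        b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n--b1\r\n'
        b"Content-Type: text/plain\r\n\r\nHello\r\n--b1\r\nContent-Type: text/html\r\n\r\n"
        b"<p>Hello</p>\r\n--b1--\r\n",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:10s} -> {verdict}")
```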

Many analyzers have built-in filters that alert you when specific conditions are met, which is useful when analyzing random events that have no obvious explanation. Also, if your network analyzer supports logical node name mapping, it will be easier to determine which machines are doing what on your network. Your network switches may also support port spanning (port mirroring), which copies the traffic seen on a monitored port to a second port where the network analyzer is connected.

You should be concerned if your sensitive messages aren't encrypted, because e-mail headers and content are transmitted in clear text when encryption is not used. As a result, the message can be read or altered in transit, and the header can be modified to hide or change the sender, or to redirect the message. Remember that confidential information exists in two states on your network: at rest, on physical storage media such as a hard drive or in memory (data-at-rest), and in motion, in packets on the wire (data-in-motion). In both cases, sensitive data should be encrypted. When it comes to data-in-motion, here are some types of information that should always be encrypted:

  • Passwords
  • Sensitive HTTP traffic
  • SQL queries
  • Enterprise resource planning (ERP) queries
  • FTP
  • Telnet

You can use your network analyzer to investigate whether this traffic is being encrypted according to your security policy.

This was last published in April 2006
