How can I keep my email safe from sniffing?

Search First! Then browse: Categories | Full Archive | By Date | Newsletter

Summary: We'll look at what sniffing is and ways to avoid it.

I recently heard of a scenario where an individual was able to "sniff" or listen in to the wireless network traffic within range and from that, determine the account name, server and passwords from everyone who happened to check email while he was looking.

Scary huh?

And every time you use public internet facilities and hotspots, you may be at risk.

•

The simplest solution is to use webmail, making sure that it's on an "https", secure, connection. That's encrypted and safe from any sniffers that happen to see it.

But for many of us, that's not as optimal as we'd like. We'd like to keep using our regular email program and POP3/IMAP/SMTP servers.

Enter "SSH Tunneling".

"...every time you use public internet facilities and hotspots, you may be at risk."

Now, one of the requirements for SSH tunneling is that you have SSH (Secure SHell) access to your mail server. If you do not (and if you don't know, you probably don't), you can stop reading now. Check with your ISP if you like, to see if you can get it, but this technique relies on SSH being available on your server.

The good news is that once you have SSH access, there's no further server-side configuration.

In short, the technique works like this:

Using your SSH client or other tools, set up a "tunnel" for ports 25 and 110 on your machine to those same ports on your mail server. This does require that the client or tool be kept running.
configure your mail client to send to and fetch from "localhost" instead of your mail server.

That's really all there is to it.

Let's walk through the details for Windows users.

Start by grabbing the free SSH client and tools called PuTTY. Get the ZIP file that contains all the tools, because we'll be using more than just the PuTTY client.

One of the tools is called "plink". In a command shell, run the following:

plink -v -L 110:mailserver:110 -L 25:mailserver:25 -2 you@mailserver -N -pw yourpassword

Where:

-v: verbose - optional, but it will show you what plink is doing setting up the tunnel, and as long as the tunnel is active.
-L 110:mailserver:110: defines a tunnel of port 110 on your local machine to go to port 110 on the mailserver. Port 110 is the POP3 mail service. You would replace "mailserver" with the name of your pop3 server.
-L 25:mailserver:25: defines a tunnel of port 25 on your local machine to port 25 on the mailserver. Port 25 is the outgoing SMTP mail port. Again, you would replace "mailserver" with the name of your pop3 server.
-2: force ssh v2 protocol only. Optional, but slightly more secure. Use it unless your remote server doesn't support it.
you@mailserver: your ssh login account name @ your mailserver.
-N: no shell. Normally plink will also open up an interactive shell. For our purposes here we don't need one.
-pw yourpassword: your password for your ssh login account name. You can also leave this off to be prompted instead.

Leave plink running once it connects.

Now, in your email client (Outlook, Eudora, whatever), change both the POP3 and SMTP servers to "localhost".

You're done.

Here's what happens now: when you reload your email client, it will attempt to, for example, fetch POP3 mail from "localhost, port 110". Plink is listening to port 110 on your local machine, encrypts the data and sends it to the ssh server running on the mail server. There, the ssh server decrypts the data, and forwards it on to port 110 on the mail server. Data coming back is handled similarly, as is the SMTP port 25 conversation we defined as well.

A couple of additional notes...

You can tunnel other protocols (like mySql, imap, etc...) by adding "-L port:server:port" parameters to the plink line.

You can perform the port forwarding in PuTTY itself, the interactive client if you like - there is a section in the options for that, and it can be saved with the profile for that connection.

Remember that while your email is configured to use "localhost" as the mail server, the tunnel must be running (the plink command must be active). If it is not, email will fail.

There's technically nothing wrong with using this all the time. Still, what I've done in Outlook is to clone a separate profile that I can select at Outlook startup. So when I'm at home using my own secure network, the connections are direct and unencrypted as before. When traveling, I start the tunnel, and select the profile that uses it.

Other SSH clients do support tunneling though not all. PuTTY is free, and works well for me.

Related:

Ask Leo! - Can hackers see data going to and from my computer?
Ask Dave Taylor - SSH Tunnels? How do I use an ssh tunnel to secure my email? - Dave shows how to set up an SSH tunnel with Microsoft Entourage on the Mac.

Article C2341 - April 25, 2005

Recent Comments

28 Comments

hey i dont wanna my brother ro look at my emails kk that

Posted by: Lois at February 7, 2007 8:17 PM

can my ex find out that i was snooping? I logged on to hotmail as him - but the guilt hit straight away and so i logged out almost immediately. Can he tell that i logged on to his email from somewhere else? (we live at opposite ends of the world). I didn't open any of his emails or anything.

Posted by: Rachel at August 19, 2007 10:06 AM

i do not want any one 2read my email accoun. so how can i stop that help me please.

thank u

Posted by: Ami at May 11, 2008 1:16 PM

Hello Leo; I was wondering if it is possible to use SSH access (Putty or other SSH client) with free email servers such as Gmail or yahoo? I mean, Does any free email service providers allows users to connect to their email servers via SSH? ... I have been doing some research and it looks that none of the free email providers worldwide supports and allows users to connect to their email servers using SSH. Does anyone knows about a free email service provider which allows users to connect via SSH? I mean, for Free.

Posted by: Brutus at June 16, 2008 7:36 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not aware of any free services that allow for SSH
access.

With *some* you can do secure SMTP and POP3 instead - that's
typically easier to set up anyway. Check with the provider.

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIWEUlCMEe9B/8oqERAuovAJ9wFUviTxgv0R+J5nxn0nNYBJVK+gCgheDE
ydrNofsv8o+T1TvhjZgxhzs=
=wmnX
-----END PGP SIGNATURE-----

Posted by: Leo at June 17, 2008 4:13 PM

I believe someone hacked into my yahoo e-mail account and took some e-mails and forwarded them to someone else. Just not sure how this can happen?

Posted by: Quiver at July 29, 2008 2:36 PM

I have Yahoo as E mail. I can tell someone is spying on my E mails and some get deleted before I can see them I have windows visa and want to use my windows mail but don't know how to set it up. I also have Verizon as broadband built into my computer which I purchased from Dell. I don't feel secure at all, when I go into my acct, my computer makes me shut down without signing off. I really need security. PLEASE HELP. I have macAfee but it seems like I am getting phising pages instead of the real thin.

Posted by: Betty Ledesma at September 20, 2008 11:08 AM

Want is the best secure e-mail to use. I use yahoo because it is free. What do you suggest?

Posted by: Betty at September 20, 2008 11:10 AM

Leo,
Or anyone else that knows the answer. Would a proprietary email program such as the original Juno 5 be safer than Windows mail? I am not sure if its POP or not, but I do not think it is.

Thanks.

Posted by: Rob at December 16, 2008 7:49 PM

If I scan all my important docs - birth certificates, credit cards info, etc and email it to myself to keep in a file that can be accessed by myself anywhere I am - Is it safe, can anyone else access the info in my hotmail account?

NO!!!

Given the frequency with which I hear about account theft and hacks, there's no way anyone should be keeping that kind of information in a free email account like Hotmail.

Even mailing it to yourself is dangerous, because the mail travels unencrypted, and could be sniffed somewhere along the way.

Don't do it.

- Leo
19-Mar-2009

Posted by: Cheryl at March 18, 2009 10:01 AM

See all 28 comments...

Post a comment on "How can I keep my email safe from sniffing?":

Name: (Required) Email Address: (Required) (Email Address will not be published.) Remember Me? YesNo	By popular demand... my tip jar Buy Leo a Latte!
Comments: (you may use HTML tags for style)	Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored.
Comment only on this article. Use the Google search box at the top of the page if you have a question about something else.
Don't include personal information in the comment. No email addresses. No phone numbers. No physical addresses.
Don't ask me to recover lost passwords or hacked accounts. I can't, and those comments will be deleted.

I can't respond to every comment. And I can't vouch for the accuracy of others who do.
Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...