E-Mail Firewalls

Sometime after 4:00 AM EST on August 25th, my Yahoo email account was compromised. Because of how that account was configured, the villain(s) were able to spam all of my friends and family – and basically anyone whose e-mail address I had. This despite an intention on my part to ‘firewall’ the account.

I pay for the Yahoo Plus mail account. Yeah, I know that given what many other mail providers are giving away that’s a waste of money, but I have had the account forever and I hate to give it up. I use the account to register with all of the web based services that require an e-mail account to authenticate that I’m a real live person. The account has no entries in its contact folder and has no mail in it. The account was set up to forward e-mail to another account.

So if the Yahoo account had no contacts in it, how did they spam everyone I know? Well, being the idiot that I am, the account set up to receive all forwarded e-mail had the same password as the first account. I’m not going to dwell on that idiocy…

Regardless, I have learned a few things while attempting to remedy my mistake. I am presenting them as best practices in identity management, but most of them center on e-mail accounts.

  1. First, do not share your e-mail account password with any service. Google, Yahoo, Microsoft and AOL are the major providers, and they all provide alternative authentication protocols to web services. It should never be necessary to share your password.
  2. Change your e-mail account password on a regular schedule. Write up a process for yourself so that each time you need to change your password, you can simply pull out the instructions. I, for example, have a mobile device and need to change the password stored on it whenever I change the referenced e-mail account password.
  3. Do not use the same password in different places.
  4. At least one of the social networks (I won’t name names here) provides a ‘feature’ where it will determine if you are logged in to the e-mail service for your e-mail account and automatically authenticate you on their service. That’s a bad idea. My very first concern after I discovered my e-mail account was compromised was whether they would try to access my account on that network. All they would have had to do was log on to the mail account and then go to the social network. This was an option I had selected. I have since disabled the feature.
  5. Do not share your private e-mail addresses publicly. Many of the web based social networking sites can and will share your e-mail address. If you want to be a target – present one. If you do not want to be a target, conceal it.
  6. Since many people want to participate in social networks, you have to make an e-mail address available. Either use an aliased e-mail address – or use a throwaway account. Yahoo is nice because with the paid plan you can set up an alias to your own e-mail account. If GMail is your preferred e-mail service provider, then you can simply set up a separate e-mail account and forward all mail to your private account.