Millions of Email Servers Exposed Due to Missing TLS Encryption


SUMMARY

Critical Oversight in Email Servers: Over 3.3 million email servers worldwide lack TLS encryption, leaving usernames, passwords, and email content vulnerable to interception during transmission.
Top Affected Regions: The U.S. has nearly 900,000 exposed servers, followed by Germany (500,000+) and Poland (380,000+), highlighting the global scope of the issue.
Vulnerability Details: POP3 and IMAP protocols, commonly used for email access, are at risk when not secured with TLS, enabling eavesdropping and dictionary attacks.
Mitigation Steps: Shadowserver urges organizations to enable TLS, review the necessity of these protocols, or move services behind a VPN to secure email communications.
Broader Security Recommendations: Experts stress the importance of advanced measures like strong password policies, regular audits, and proactive monitoring of external attack surfaces for robust email system protection.

A recent investigation by Shadowserver has uncovered a critical security flaw affecting millions of email servers worldwide. The study revealed a staggering 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) servers operating without Transport Layer Security (TLS) encryption.

This lack of encryption renders these servers susceptible to attacks like data interception and dictionary attacks, where attackers attempt to guess common usernames and passwords. The United States leads in the number of vulnerable hosts, with nearly 900,000 exposed. Germany and Poland follow closely with over 500,000 and 380,000 vulnerable servers, respectively. 

Why did the issue occur? 

Two primary protocols facilitate email access: POP3 (Post Office Protocol 3), which downloads emails to the user’s device, and IMAP (Internet Message Access Protocol), which allows access from multiple devices. The vulnerability arises when these protocols operate without TLS, leaving the communication channel open for eavesdropping.

For your information, TLS is a fundamental security protocol that encrypts communication channels, ensuring the confidentiality and integrity of data exchanged over the Internet. Its absence in these email servers exposes them to significant risks.

Without TLS, user credentials and email content are transmitted in plain text, making them easily accessible to anyone monitoring the network traffic. This not only compromises user privacy but also opens the door to password-guessing attacks, where attackers can systematically try common passwords to gain unauthorized access to email accounts.

The Shadowserver Foundation urges affected organizations to immediately enable TLS support for their IMAP/POP3 services. They also recommend evaluating the necessity of these services and considering alternative solutions like moving them behind a Virtual Private Network (VPN).

However, while enabling TLS encryption is crucial, it’s essential to recognize that it alone cannot prevent all attacks. You must adopt advanced and reliable security measures, including stronger password policies and regular security audits, to safeguard email systems from evolving threats.

We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).

It's time to retire those!

— The Shadowserver Foundation (@Shadowserver) December 31, 2024

Martin Jartelius, CISO at Outpost24, commented on the issue stating, “As always, a reminder for all that keeping an eye on your external attack surface and ensuring that things are, and remain, configured appropriately is a simple and cost-effective security control.

Most modern email clients will use opportunistic TLS, meaning they start by attempting encrypted connections, so the de facto impact of this is in parts mitigated provided a system also supports encrypted options. But one should not rely on the connecting clients for the security of the exchange as the primary control,” Martin added.
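The mitigation the article describes (enable TLS, and do not rely on clients choosing opportunistic TLS) can be checked from the defender's side by looking at what a mail service advertises on its cleartext port before any TLS handshake. The following Python script is an added example, not code from the article, Shadowserver or Outpost24: it classifies an IMAP server from its CAPABILITY response and a POP3 server from its CAPA response into "no-tls" (no STARTTLS/STLS offered), "tls-optional" (STARTTLS offered but plaintext login still accepted, the case Martin's opportunistic-TLS remark covers) and "tls-required" (plaintext login refused until the channel is encrypted). It also includes live probes using the standard-library imaplib and poplib modules for hosts you administer. The host names and capability responses in SAMPLE_BANNERS are constructed for illustration, and the three posture labels are this example's own naming.

```python
"""
Audit the TLS posture of IMAP/POP3 services from their pre-TLS capability
advertisements. Added example (not from the article or Shadowserver); the
posture labels and the sample responses below are constructed here.

Outcomes for a cleartext port (143 for IMAP, 110 for POP3):
  "no-tls"        STARTTLS/STLS not offered: credentials can only go in clear
  "tls-optional"  STARTTLS/STLS offered, but plaintext login still accepted,
                  so a client that skips opportunistic TLS leaks credentials
  "tls-required"  STARTTLS/STLS offered and plaintext login refused until the
                  channel is encrypted
"""
import imaplib
import poplib

# SASL mechanisms that carry the password itself (rather than a challenge
# response); offering them before TLS means the password crosses the wire.
PASSWORD_BEARING_SASL = {"PLAIN", "LOGIN"}


def classify_imap(capability_line: str) -> str:
    """Classify an IMAP server from its untagged '* CAPABILITY ...' response."""
    tokens = capability_line.upper().split()
    caps = {t for t in tokens if t not in ("*", "CAPABILITY")}
    has_starttls = "STARTTLS" in caps
    # RFC 3501: LOGINDISABLED means the LOGIN command is refused on this
    # (unencrypted) connection. Without it, plaintext LOGIN is permitted.
    login_allowed = "LOGINDISABLED" not in caps
    sasl_plain = any(
        c.startswith("AUTH=") and c[len("AUTH="):] in PASSWORD_BEARING_SASL
        for c in caps
    )
    if not has_starttls:
        return "no-tls"
    if login_allowed or sasl_plain:
        return "tls-optional"
    return "tls-required"


def classify_pop3(capa_lines) -> str:
    """Classify a POP3 server from the lines of its CAPA response.

    Accepts the raw reply with or without the '+OK ...' and '.' framing.
    """
    caps = {}
    for raw in capa_lines:
        line = raw.strip().upper()
        if not line or line == "." or line == "+OK" or line.startswith("+OK "):
            continue
        name, _, args = line.partition(" ")
        caps[name] = args.split()
    # RFC 2595: STLS is POP3's STARTTLS. USER means the USER/PASS pair is
    # accepted; SASL lists the mechanisms offered on this connection.
    has_stls = "STLS" in caps
    user_pass_allowed = "USER" in caps
    sasl_plain = bool(PASSWORD_BEARING_SASL & set(caps.get("SASL", [])))
    if not has_stls:
        return "no-tls"
    if user_pass_allowed or sasl_plain:
        return "tls-optional"
    return "tls-required"


def live_check_imap(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Classify the cleartext IMAP port of a server you operate."""
    try:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    except (OSError, imaplib.IMAP4.error):
        return "unreachable"
    try:
        # imaplib stores the server's CAPABILITY tokens as a tuple of strings
        return classify_imap(" ".join(conn.capabilities))
    finally:
        try:
            conn.logout()
        except (OSError, imaplib.IMAP4.error):
            pass


def live_check_pop3(host: str, port: int = 110, timeout: float = 5.0) -> str:
    """Classify the cleartext POP3 port of a server you operate."""
    try:
        conn = poplib.POP3(host, port, timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        # poplib.capa() returns {capability: [args, ...]} parsed from CAPA
        lines = [" ".join([name] + args) for name, args in conn.capa().items()]
        return classify_pop3(lines)
    except poplib.error_proto:
        return "no-tls"  # no CAPA support, so STLS cannot be advertised
    finally:
        try:
            conn.quit()
        except (OSError, poplib.error_proto):
            pass


# Constructed sample advertisements for hypothetical hosts (not real data).
SAMPLE_BANNERS = {
    "imap.example-a.test": ("imap", "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"),
    "imap.example-b.test": ("imap", "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"),
    "imap.example-c.test": ("imap", "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"),
    "pop.example-a.test": ("pop3", ["+OK Capability list follows", "USER", "UIDL", "SASL PLAIN", "."]),
    "pop.example-b.test": ("pop3", ["STLS", "USER", "SASL PLAIN"]),
    "pop.example-c.test": ("pop3", ["STLS", "UIDL", "SASL CRAM-MD5"]),
}


def audit(banners=SAMPLE_BANNERS) -> dict:
    """Classify each host's advertisement and return {host: posture}."""
    return {
        host: classify_imap(adv) if proto == "imap" else classify_pop3(adv)
        for host, (proto, adv) in banners.items()
    }


if __name__ == "__main__":
    for host, posture in audit().items():
        print(f"{host:24} {posture}")
```

Only "tls-required" matches the posture Shadowserver is asking for; "tls-optional" still leaks credentials to any client that does not insist on encryption. The script reads only the capability list, so a full review should also cover the implicit-TLS ports (993 and 995) and certificate validity, which it does not check. On Dovecot, which the article does not mention, setting disable_plaintext_auth = yes makes the server advertise LOGINDISABLED and withhold plaintext SASL mechanisms on unencrypted connections, which is what produces the "tls-required" result here.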
