Over 3M POP3/IMAP email servers lack TLS, risking interception

Over three million email servers running POP3 and IMAP protocols lack essential TLS encryption, leaving them vulnerable to network sniffing attacks. Both protocols are widely used methods for accessing emails on servers. IMAP is preferred as it synchronises messages across multiple devices, while POP3 downloads emails directly to a single device.

TLS secures data exchange between email clients and servers, ensuring that sensitive information, such as usernames and passwords, is encrypted. Without TLS, these details are transmitted in plain text, making them easily interceptable by malicious actors using network sniffing tools.

Scans by Shadowserver revealed that approximately 3.3 million servers offering POP3 and IMAP services are operating without TLS enabled. These servers expose user credentials and create opportunities for password-guessing attacks and unauthorised server access.

To mitigate this significant security risk, experts from Shadowserver have begun notifying mail server operators about their systems’ vulnerabilities. The organisation strongly recommends enabling TLS encryption for both IMAP and POP3 services.

Experts have also advised operators to assess whether these services are necessary or if they should be restricted behind a VPN for additional security.

“This means that passwords used for mail access may be intercepted. Additionally, service exposure may enable password guessing attacks against the server,” researchers note. “If you receive this report from us, please enable TLS support for POP3 and consider whether the service needs to be enabled at all or moved behind a VPN.”
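For operators checking their own servers, the following added example (not part of the original article or Shadowserver's tooling) grades what a server advertises on the cleartext IMAP and POP3 ports in reply to an explicit `CAPABILITY` or `CAPA` command. It goes one step beyond the scan described above by also flagging servers that offer TLS but still accept plaintext logins before it; the grade names and sample replies are constructed for illustration.

```python
# Added example: grade the capabilities a mail server advertises before TLS.
# All sample replies are constructed; they are not captured from real hosts.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}

def imap_caps(reply: str) -> set[str]:
    """Tokens from '* CAPABILITY ...' or a '[CAPABILITY ...]' greeting code."""
    caps: set[str] = set()
    for line in reply.upper().splitlines():
        if line.startswith("*") and "CAPABILITY " in line:
            listed = line.split("CAPABILITY ", 1)[1].split("]", 1)[0]
            caps.update(listed.split())
    return caps

def pop3_caps(reply: str) -> dict[str, list[str]]:
    """Map each line of a POP3 CAPA reply (RFC 2449) to its arguments."""
    caps: dict[str, list[str]] = {}
    for line in reply.upper().splitlines()[1:]:  # skip the '+OK' status line
        parts = line.split()
        if parts == ["."]:                       # end of the multi-line reply
            break
        if parts:
            caps[parts[0]] = parts[1:]
    return caps

def grade_imap(reply: str) -> str:
    caps = imap_caps(reply)
    if "STARTTLS" not in caps:
        return "no-tls"                          # credentials can only go in cleartext
    plaintext_auth = any(c in caps for c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if "LOGINDISABLED" not in caps or plaintext_auth:
        return "tls-optional"                    # TLS offered, cleartext login still allowed
    return "tls-required"

def grade_pop3(reply: str) -> str:
    caps = pop3_caps(reply)
    if "STLS" not in caps:
        return "no-tls"
    if "USER" in caps or PLAINTEXT_SASL & set(caps.get("SASL", [])):
        return "tls-optional"
    return "tls-required"

IMAP_NO_TLS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready\r\n"
IMAP_OPTIONAL = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\na1 OK done\r\n"
IMAP_REQUIRED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK done\r\n"
POP3_NO_TLS = "+OK\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"
POP3_OPTIONAL = "+OK\r\nUSER\r\nSTLS\r\n.\r\n"
POP3_REQUIRED = "+OK\r\nSTLS\r\nTOP\r\nUIDL\r\n.\r\n"

if __name__ == "__main__":
    print(grade_imap(IMAP_NO_TLS), grade_pop3(POP3_NO_TLS))
```

The grades are a heuristic based on advertised capabilities only; a reply that lists no capabilities at all is graded `no-tls`.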

In January 2021, the U.S. National Security Agency (NSA) emphasised the need to replace outdated TLS protocol configurations. The agency warned that obsolete configurations expose sensitive data to adversaries through passive decryption and man-in-the-middle attacks.

The latest iteration of TLS was launched in 2018 after years of development and rigorous testing. Major tech companies, including Microsoft, Google, Apple, and Mozilla, retired TLS 1.0 and TLS 1.1 in early 2020, urging users to adopt more secure alternatives, reports BleepingComputer.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me