More than 3 Million Email Hosts Run POP3 and IMAP Protocols without Encryption, Foundation Warns

More than 3 million hosts running email services via the POP3 and IMAP protocols don’t have TLS enabled and are vulnerable to all sorts of attacks.

Users can access email services via dedicated apps, but the way that connection is made varies. One way is via the POP3 (Post Office Protocol 3) protocol, which downloads the entire email onto the user’s device and deletes it from the server. Another is the IMAP (Internet Message Access Protocol), which lets the user interact with the same email message from multiple devices. 

The problem emerges when email hosts don’t provide encrypted communications (TLS), which can let attackers intercept data. 

“We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap),” said the Shadowserver Foundation in a report. 

The report underlines that the greatest number of those exposed is in United States, with more than 1.8 million, followed closely by Germany with 1.1 million and Poland with 769,000.

Besides letting attackers intercept important information such as usernames and passwords, this type of security misconfiguration can also expose those services to dictionary attacks.  

“If you receive this report from us, please enable TLS support for IMAP/POP3 as well as consider whether the service needs to be enabled at all or moved behind a VPN,” the foundation also said.

It’s also worth noting that dictionary attacks against servers won’t be stopped just by enabling TLS encryption.