The Business Email Security Blog

Port 110 (POP3) may be your problem!

Wondering why your email accounts are getting compromised?

What is Port 110 (and what is it used for)?

Port 110 is the default “port” designated for POP3 communication. When email clients like Outlook, Thunderbird, or Apple Mail want to retrieve emails from an email server using POP3, they will establish a connection with the server over Port 110.

At the dawning of the email era thirty-some odd years ago, people first received email with POP. You would initiate a telnet (teletype network) session to a specific port, send specific instructions, and get specific responses back – including email content. Information moved in cleartext, or “in the clear,” meaning it was unencrypted. This, of course, would apply to POP3.

“Did you know turning off Port 110 can result in 90% reduction in email compromise rates?”

POP3, or “Post Office Protocol Version 3,” is one of the oldest email protocols in use today. It facilitates communication between an email client and a mail server, but does so in an unsafe way. When POP3 is involved, passwords and account data are at risk due to the lack of encryption.

It’s surprising how many email operators still allow POP3 over Port 110, including sensitive operations like governments and enterprises. Every ISP operating on the modern internet should be turning off Port 110 immediately.

Why is the use of POP3 so problematic?

Unlike modern email protocols that support encryption by default, traditional POP doesn’t provide encryption for securing data transmission between the client and server. Without encryption, communication channels are vulnerable to eavesdropping and data interception.

POP originally transmitted passwords “in the clear” over Port 110. This means that whenever people transmit data over Port 110, it’s unencrypted, which is never safe on today’s internet. Traditional POP relies entirely on username and password authentication for email account access; without encryption, this method is particularly susceptible to different kinds of attacks, such as brute-force attacks and password sniffing.

“When usernames and passwords are communicated in cleartext over a network, anyone with access to that network traffic may be able to intercept and see them. Passwords being transmitted without encryption are easily stolen this way via Man-in-the-Middle (MITM) attacks or packet sniffing.”
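To make the cleartext exposure concrete, the following added example (not part of the original article) walks a constructed Port 110 transcript and reports every authentication command sent before the session is encrypted, which is the check a network sensor would run. The transcript, the function name, and the STLS upgrade handling (the POP3 STARTTLS command, which the article does not cover) are assumptions of this example.

```python
# Constructed transcript of a session on Port 110 (illustrative, not real traffic).
# "C:" is what the client sent, "S:" is the server's reply, as in RFC 1939.
SAMPLE_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK Capability list follows
S: USER
S: STLS
S: .
C: USER alice@example.com
S: +OK
C: PASS correct-horse-battery
S: +OK Logged in.
C: STAT
S: +OK 2 320
C: QUIT
S: +OK Bye
"""

# Commands that carry a password or a password-derived value. APOP sends a
# digest and AUTH usually sends base64; neither encrypts the session.
AUTH_CMDS = {"USER", "PASS", "APOP", "AUTH"}


def cleartext_auth_findings(transcript):
    """Return (command, safe_argument) for each auth command sent before TLS."""
    findings = []
    stls_pending = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "S":
            # "+OK" in reply to STLS: the rest of the stream is encrypted.
            if stls_pending and text.startswith("+OK"):
                break
            stls_pending = False
        elif side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "STLS":
                stls_pending = True
            elif verb in AUTH_CMDS:
                # Keep the account name for triage, never the secret itself.
                safe = arg if verb == "USER" else "<redacted, %d bytes>" % len(arg)
                findings.append((verb, safe))
    return findings
```

In the sample, the server offers STLS but the client never uses it, so both the account name and the password cross the network readable by any device on the path.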

The emergence of IMAP

IMAP (Internet Message Access Protocol) is now the preferred email protocol. It can do everything POP can do, and there is little reason to continue advocating for any sort of implementation of POP3. Everything considered, whether you’re using POP or IMAP for your customers, you should only allow encrypted protocol access methods.

And it isn’t enough that you only allow it from your own networks. Any traffic or credentials sent in the clear can and will be sniffed. Many hardware manufacturers have had a horrible history of security measure implementation. Many ISP routers, firewalls, WiFi Devices, IoT devices, and even your Smart TVs or personal computers could be compromised by threat actors. Virtually every coffee shop has a potentially compromised router, and there are active botnet campaigns to hack these devices with the sole purpose of “listening” to the traffic, or “sniffing.”

“If POP3 Port 110 or IMAP 143 are in use, it isn’t a question of if your email will be compromised, but when.”

Anything that isn’t encrypted gets searched for POP logins, and then sent to the threat actors’ central command center, where they will later log in and search all email, or use that email account to send more malware to your friends, family, and business acquaintances. If they are really lucky, they can ask for password reset confirmations from your bank, or even your domain provider, or they can read sensitive incoming emails, without a trace.

Transitioning to encrypted connections

Industry experts, researchers, and advocates for online security and privacy collectively realized the security vulnerabilities associated with protocols like POP. With extensive collaboration came the formation of recommendations and standards promoting the universal adoption of encryption to safeguard email communications.

The Internet Engineering Task Force (IETF) played a critical role in driving these initiatives. IETF working groups focused on email security protocols to address shortcomings and define specifications for secure communication.

All of this resulted in the creation of SSL/TLS encryption standards, which have become integral to securing email communication channels.

What is SSL/TLS (and why is it important)?

SSL/TLS encryption is today’s industry standard for securing communication over the internet. These protocols establish encrypted connections between email clients and servers. With encryption, private information like login credentials and email messages remains protected from eavesdropping and interception by unauthorized parties.

With the IETF’s endorsement of SSL/TLS encryption, email service providers and software developers started supporting these protocols in products and services. This widespread adoption facilitated the seamless transition to encrypted communication channels for POP3, SMTP, and IMAP, enhancing the overall security posture of email systems.

Port 995

As part of the transition to encrypted connections, a dedicated port for secure POP communication was introduced to provide users with a standardized, secure access point for retrieving emails. The internet community agreed upon Port 995 as the standard port for SSL-encrypted POP3 communication.

Port 995 represents a dedicated gateway for secure POP3 connections, allowing users to safely access their email accounts without compromising confidentiality or privacy. The same cannot be said of Port 110.

The introduction of Port 995 highlights the internet community’s commitment to promoting secure communication practices and mitigating the risks associated with older unencrypted protocols.

Why do people still use POP today?

Despite the existence of safer, more secure email protocols, some organizations continue to use POP for accessing email. POP is one of the most time-worn email protocols, dating back to the early days of the internet. Many admins and organizations build their workflows and infrastructure around POP. This legacy contributes to its continued usage; it is often hard to switch away from something you know so well.

Unlike email protocols like IMAP, which involve server-side synchronization and email folder management, POP offers a simpler approach to email retrieval. For users who prioritize simplicity, POP can often seem like a viable option.

POP supports offline access to emails, allowing users to download messages from the server to their local email clients. For individuals traveling a lot or with limited internet access, this provides greater control over email data on the go.

From a server-side perspective, POP requires minimal resources compared to more sophisticated protocols like IMAP. Simultaneously, though, it presents multitudinous security risks and we should relegate it to the past immediately.

The importance of disabling Port 110

Disabling Port 110, the default port for unencrypted POP3 communication, is a critical first step in facilitating stronger email security. By preventing the transmission of sensitive data in the clear, ISPs can mitigate a lot of the risk associated with unauthorized access and data breaches.
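Before closing Port 110, an operator needs to know which accounts still log in without encryption so those users can be moved first. The following added example (not from the original article) builds that inventory from mail server logs; it assumes Dovecot-style login lines, where an encrypted session carries a `TLS` field and a localhost session carries `secured`, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed log lines in the style of Dovecot login records (assumed format;
# adapt the pattern to your own server's logging).
SAMPLE_LOG = """\
Mar  3 09:14:02 mx1 dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=4101, session=<a1>
Mar  3 09:15:40 mx1 dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2, mpid=4102, TLS, session=<b2>
Mar  3 09:20:11 mx1 dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=198.51.100.50, lip=198.51.100.2, mpid=4103, session=<c3>
Mar  3 09:31:57 mx1 dovecot: pop3-login: Login: user=<Alice@example.com>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.2, mpid=4104, session=<d4>
Mar  3 09:40:03 mx1 dovecot: pop3-login: Login: user=<dave@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4105, secured, session=<e5>
"""

LOGIN_RE = re.compile(r"(pop3|imap)-login: Login: user=<([^>]*)>,\s*(.*)")


def cleartext_logins(log_text):
    """Map (protocol, account) to the client IPs that logged in without TLS."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match:
            continue
        proto, user, rest = match.groups()
        fields = [f.strip() for f in rest.split(",")]
        # Encrypted (TLS) and localhost (secured) sessions are not at risk.
        if "TLS" in fields or "secured" in fields:
            continue
        rip = next((f[4:] for f in fields if f.startswith("rip=")), "unknown")
        # Lower-case the account so one mailbox is not counted twice.
        seen[(proto, user.lower())].add(rip)
    return {key: sorted(ips) for key, ips in seen.items()}
```

If TLS is terminated on a proxy in front of the mail server, the backend may log encrypted sessions without the `TLS` field, so confirm where encryption ends before acting on the list.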

Transitioning to secure protocols like POP SSL/993, or even better IMAP SSL/994, over encrypted connections offers advanced encryption, improved authentication, and regulatory compliance, strengthening the overall security posture of email systems and safeguarding sensitive information.