Experts warn millions of email servers could be vulnerable to attack

News
By
published

Over 3 million IMAP and POP3 mail servers are without TLS encryption

Security
(Image credit: Future)
  • New research reveals millions of host sites are without TLS encryption
  • TLS encryption allows end-to-end encryption for safer communications and browsing
  • ShadowServer has recommended these hosts be retired

New research from ShadowServer has revealed 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) mail servers are currently exposed to network sniffing attacks, due to being without TLS encryption.

TLS, or Transport Layer Security, is a security protocol which provides end-to-end security between applications over the Internet. It is used for secure web browsing, and encrypts communications through email, file transfer, and messaging.

ShadowServer scanned the internet for hosts running a POP3 service on port 110/TCP or 995/TCP without TLS support - finding 3.3 million hosts without the security layer.

Time to retire

Without TLS, passwords for mail access could be intercepted, and that exposed services could allow password guessing attacks on the server. Without the encryption, credentials and message content is sent in clear text, which exposes hosts to eavesdropping network sniffing attacks.

Almost 900,000 of these sites were in the US, with over 500,000 and 380,000 in Germany and Poland, but the researchers note, ‘regardless whether TLS is enabled or not service exposure may enable password guessing attacks against the server’.

“We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted,” the ShadowServer Foundation said in a tweet.

“We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap). It's time to retire those!”

In August 2018, TLS 1.2 was updated with TLS 1.3 brought in, with 1.3 offering significant improvements in both performance and security. Whilst TLS is very common, ImmuniWeb reports that from Q1 2024 to date, there were 1,421,781 SSL/TLS events - so even with the encryption, there are dangers for users.

Via SecurityAffairs

You might also like

Ellen Jennings-Trace
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

Read more
A VPN runs on a mobile phone placed on a laptop keyboard
Major new online tunneling vulnerability could put millions of devices at risk
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
An illustration of a hand holding a set of keys in front of a laptop, accompanied by a padlock symbol, fingerprint, and key.
Thousands of SonicWall VPN devices are facing worrying security threats
Hands typing on a keyboard surrounded by security icons
Your passwords aren't the key to protecting your online identity, your email address is
Representational image depecting cybersecurity protection
OpenSSH vulnerabilities could pose huge threat to businesses everywhere
Best secure email provider's logos by TechRadar
Best secure email provider of 2025
Latest in Security
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Microsoft reveals over a million PCs hit by malvertising campaign
China
Chinese hackers who targeted key US infrastructure charged by Justice Department
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
Latest in News
Android 16 logo on a phone
Android 16 beta users are reporting major battery drain issues – but I’m not too worried about it
Woman holding phone in field with Spotify app onscreen
The Spotify bug that shows ads to Premium subscribers has finally been fixed - for now at least
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
Man adjusting settings on Garmin Fenix 6 watch
Garmin Fenix 6, Enduro, Marq and Tactix watches are getting fixes to solve some frustrating problems – here's what's new
The Samsung Galaxy S24 Ultra with S Pen drawn, demonstrating Circle to Search
Samsung says ‘millions’ are using Galaxy AI regularly, despite surprising survey results
The Oppo Find N5 open to Google Maps
Android 16 brings a much-needed upgrade to Google Maps that iOS users already have
More about security
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.

Microsoft reveals over a million PCs hit by malvertising campaign
Woman using iMessage on iPhone

UK government guidelines remove encryption advice following Apple backdoor spat
Mac Studio from above.

New benchmark suggests Apple's M3 Ultra may not be much faster than the M4 Max - only a minor uplift in multi-core performance
See more latest
Most Popular
Mac Studio from above.
New benchmark suggests Apple's M3 Ultra may not be much faster than the M4 Max - only a minor uplift in multi-core performance
Woman holding phone in field with Spotify app onscreen
The Spotify bug that shows ads to Premium subscribers has finally been fixed - for now at least
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Microsoft reveals over a million PCs hit by malvertising campaign
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
Android 16 logo on a phone
Android 16 beta users are reporting major battery drain issues – but I’m not too worried about it
The Oppo Find N5 open to Google Maps
Android 16 brings a much-needed upgrade to Google Maps that iOS users already have
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
The Samsung Galaxy S24 Ultra with S Pen drawn, demonstrating Circle to Search
Samsung says ‘millions’ are using Galaxy AI regularly, despite surprising survey results
King Charles III sat at his desk in promo for his radio broadcast for Apple Music 1
Apple Music gets the royal treatment with special King Charles show – and the playlist has some real jewels
StarlinkUnited
United Airlines successfully installed Starlink on its first aircraft, and the promised speeds are up to 50 times faster