Increased e-mail security may cause headaches for non-Gmail users

Protecting our computer networks and systems from malicious attacks is a never-ending arms race. Recently, Library & Technology Services made some changes to increase the security of our legacy e-mail systems. These changes exposed some underlying problems that have caused some people to have difficulty sending or receiving e-mail.

Who is affected?

Potentially, anyone with a Lehigh e-mail account that is not using Lehigh Gmail. The problem only occurs when you mistype your password repeatedly, or—more likely—when a device or program uses the wrong password repeatedly on your behalf. This affects e-mail client programs (like Thunderbird, Apple Mail, or Outlook) that connect to the legacy (non-Lehigh Gmail) mail server, and also Lehigh Webmail.

What has changed?

Our legacy e-mail system can be impacted when it is the target of an attack: someone is trying various passwords, looking for one that works. This is the issue that the change was intended to address. The problem can also be triggered when a device or program is misconfigured, such as when you have changed the password but not updated the program that is remembering it for you, or when you have a mail program set up to access accounts that are either no longer active or that have moved to Gmail.

Before the change, such mistakes would simply be ignored; the e-mail service would refuse the bad request, but take no further action. In the case of an actual attack, this gives the attacker unlimited time to keep trying to break in. (Most of our services already don't allow this kind of situation—repeated bad passwords trigger a security lockout. The new system now extends that protection to e-mail.) Once the trigger threshold has been exceeded, the new system blocks the internet address that the bad requests are coming from for a set period of time. Currently, the threshold is 7 bad requests in 10 minutes resulting in a lockout period of 30 minutes for incoming mail, and 3 hours for all other mail services. Internet addresses that are on-campus are not blocked.

There is one important aspect about this protection feature that is different from the usual security lockout: the block affects your internet address, not your account. In other words, it's based on where you are, not who you are. This means that if a device is configured to access multiple legacy e-mail accounts, a misconfiguration of just one of them effectively blocks them all. Before the change, when the one bad account failed to connect, you might not have noticed, perhaps because you weren't using it anyway. Now, unfortunately, old accounts you aren't really using can have an impact. It also means that in any situation where multiple devices share one address (like your home network), a problem with one device can affect every other device with the same address.
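The address-based lockout described above can be modeled in a few lines. This is an added example, not LTS's own code. It assumes the block starts on the 7th bad request inside the window, that one block covers every service with a service-specific duration, that "outgoing" is a hypothetical name for a non-incoming service, and that 192.0.2.0/24 stands in for the on-campus range, which the article does not give.

```python
import ipaddress
from collections import defaultdict, deque

THRESHOLD = 7                      # bad requests (from the article)
WINDOW = 10 * 60                   # seconds (from the article)
LOCKOUT = {"incoming": 30 * 60}    # seconds; every other service gets 3 hours
DEFAULT_LOCKOUT = 3 * 60 * 60
# Assumption: stand-in for the on-campus range, which the article does not give.
ON_CAMPUS = ipaddress.ip_network("192.0.2.0/24")


class AddressLockout:
    """Sliding-window lockout keyed on source address, not on account."""

    def __init__(self):
        self.failures = defaultdict(deque)   # address -> failure timestamps
        self.blocked_at = {}                 # address -> time the block began

    def is_blocked(self, addr, service, now):
        start = self.blocked_at.get(addr)
        return start is not None and now < start + LOCKOUT.get(service, DEFAULT_LOCKOUT)

    def login(self, addr, account, service, password_ok, now):
        """Return 'blocked', 'ok' or 'denied' for one login attempt."""
        exempt = ipaddress.ip_address(addr) in ON_CAMPUS
        if not exempt and self.is_blocked(addr, service, now):
            return "blocked"       # rejected whatever the account or password
        if password_ok:
            return "ok"
        window = self.failures[addr]
        window.append(now)
        while window and window[0] <= now - WINDOW:
            window.popleft()       # forget failures older than 10 minutes
        # Assumption: the block starts on the 7th failure inside the window.
        if not exempt and len(window) >= THRESHOLD:
            self.blocked_at[addr] = now
            window.clear()
        return "denied"


def simulate_home_network():
    """Constructed scenario: a phone retries a stale password every 60 s."""
    guard, home = AddressLockout(), "198.51.100.7"   # constructed address
    for i in range(7):
        guard.login(home, "old-account", "incoming", False, now=i * 60)
    # A laptop behind the same address, different account, correct password:
    return [guard.login(home, "active-account", svc, True, now=t)
            for svc, t in (("incoming", 400), ("incoming", 360 + 1800),
                           ("outgoing", 360 + 1800), ("outgoing", 360 + 10800))]
```

In the simulated home network the laptop's correct password is refused while the block is active, and the non-incoming service stays blocked after incoming mail has recovered.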

What do I do to fix this?

There are several things you can do. To get immediate access to your mail, you could try using Lehigh Webmail (webmail.lehigh.edu), assuming that isn't what you were already using. However, this doesn't solve the underlying problem. Another option is to connect to the Internet using the Lehigh VPN before starting the program you use to check your mail. This makes it appear to the computer network that you are on-campus, and thus makes you unblockable. This also doesn't address the real issue.

The permanent solution to the problem is to do one of two things: either find and fix every misconfigured account in every program on every device (this can be time-consuming), or stop using legacy e-mail altogether and move all of your active accounts to Lehigh Gmail. The second option offers a host of other benefits and is the one we recommend most strongly.

For more information or assistance, contact the LTS Help Desk at 610-758-4357.
