Top 5 technologies/trends that every IT professional should be thinking about with respect to e-mail

1. Anti-spam filtering can no longer be considered a reliable tool for protecting your e-mail infrastructure and/or your users from the many threats that use e-mail as their primary insertion vector. Smart IT professionals have come to realize it is impossible to determine intent from content. As we move into the 2nd decade of the 21st century, security on the Internet in general, and for e-mail specifically, must become personalized. We can no longer afford to count on the ability, or lack thereof, of a filter to guess what is good/safe and what is not. The next era for e-mail security will be ruled by systems that provide and promote Sender Address Verification and Authentication.
2. Domain forgery must be stopped; and we have the tools at our disposal to make this happen. The time has come, once and for all, for IT professionals to embrace and deploy BOTH Sender Policy Framework (SPF — www.openspf.org) and Domain Keys Identified Mail (DKIM — www.dkim.org).
3. While its true that “cloud computing” is well on its way to becoming the “2009 Buzzword of the Year,” the time has come for IT professionals to seriously consider moving the major security components of their e-mail infrastructure onto their own private islands within the greater computing cloud. Processes like anti-spam, anti-virus, anti-threat, compliance, data leakage prevention, and managed file transfer can be addressed more effectively and more efficiently before any data ever reaches the threshold of your private network.
4. In a difficult economy like we have today, e-mail is a more important tool than ever. E-mail is the ultimate asynchronous communication tool and is critical as a cost effective means for individuals to communicate over long (and short) distances. In both the medium and long terms, IT professionals must continue to strengthen their e-mail infrastructures. Now is not the time for cost cutting with respect to e-mail.
5. Early this month Google announced their newest project: Wave (wave.google.com/help/wave/about.html). While it is too early to tell if this new project/protocol will have any real impact in the near term, looking forward 18 – 36 months, this is something upon which IT professionals should keep close watch. If Google is even remotely successfully, and who would bet against Google, this new and open protocol has the potential to completely change the way people communicate on the Internet through the merging of e-mail, instant messaging (IM), and real-time collaboration.

Social Media Tips For Business Owners And Entrepreneurs

Just got some nice digital ink on SanDiego.com.

Social Media Tips For Business Owners And Entrepreneurs (http://tinyurl.com/nhbwb8)

“Seek to understand before asking to be understood,” Golan said. “This is not going to be an overnight thing.”

Social Networking Lessons Can Catalyze E-mail

I just had the following article published by Computer Technology Review:

Social Networking Lessons Can Catalyze E-mail
(http://tinyurl.com/computer-tech-review-20090512)

The popularity of social networking sites over the past decade has stemmed from the connectivity these sites afford users and the ability to coalesce around the commonality of a hobby, profession or past experience. However, their pervasive appeal in part can be attributed to the inherent security these sites offer (in the form of identity confirmation) that other mediums of communication don’t. Facebook, the originator, intervenes at the onset of every relationship to ask users to agree to communicate through its “friend request.”  Without an agreement, the relationship doesn’t evolve and access is denied. The identity confirmation principle is critical because it affords users the means to control relationships, information and access.

Facebook owes its existence to e-mail, its electronic predecessor. Unlike today’s social networking sites, e-mail evolved when electronic connectivity was in its infancy and potential future ramifications were unknown. Without an understanding of what the future would hold (including potential for misuse), the early e-mail forefathers didn’t necessarily have a need to consider e-mail security within the initial model — a painful absence felt by any everyday user today. Add to this equation the fact that e-mail is now so ubiquitous and entrenched in today’s lifestyles that everyday functions grind to a halt in its absence, and it is clear that it’s time for e-mail to evolve to the level of its social networking counterparts.

E-Threats Worsen and Exact a Higher Price

A recent Google study estimates that 94 percent of all e-mail is spam. But worse than the annoyance of receiving one (or more) of the billions of spam messages sent daily, these e-mails include malicious components such as “worms,” “Trojans,” “bots” and other Internet “crimeware” and “scareware”.  As new and innovative threats emerge, it’s clear that spammers are using increasingly advanced “business” models with the dual purpose of increasing their effectiveness and providing the needed subterfuge.

Today’s threats are also more resistant to conventional filtering efforts.  One such hazard is location-based spam. As part of the social engineering threat vector, these threats yield greater success because they don’t originate through a readily-impactable ISP and are tag-resistant because of their benign language and content (the McColo crackdown, as large as it was, will soon seem amateur in comparison).

Location-based spam is tailored to the recipient’s geographic location — data that can be easily discovered from the IP addresses used by inbound e-mail servers.  This enables spammers to use classic affinity fraud techniques and develop personally-relevant attacks. Fraudsters send targeted e-mails, with geographically-germane information, which elicits the desired higher click rate and transports recipients to fraudulent websites. There, spammers can put into play a variety of techniques, from infecting visitor’s computers via e-cards, to prompting the viewing of a virus-containing video of a purported local disaster and other ploys to exploit the unsuspecting. The ultimate objective is to collect personal information for later attacks and/or identity fraud. This more personalized spamming (or “spear phishing”) is relatively resistant to status quo filter methodologies because it contains pertinent information, is sent in small batches through “botnet” channels, and seems highly authentic.

On-Line Identity Confirmation Changes the Game

How then can IT administrators and end-users protect themselves from an antagonistic on-line environment?  Identity confirmation, the central tenet of social networking, is the missing link in today’s hostile e-mail environment and the means by which to re-establish e-mail as a trusted communications tool.

The world has changed since the birth of e-mail and it’s no longer reasonable for end users to be electronically open to the universe: identity confirmation is necessary.  In reality, social networking’s friend request has nothing to do with friends—it is an invitation to access, an opening of the security screen. Networking sites are so attuned to “access is key,” that they offer adaptable levels of entree, from varying access to the Wall, to the tweaking of privacy settings.

E-mail security solutions that leverage identity confirmation (using a method similar to the friend request of the social networking site) to secure the end-user’s inbox are able to provide organizations with more advanced levels of protection.  As opposed to filter-based solutions that focus on scanning content, these solutions focus on the validity of contacts themselves to determine the legitimacy of an e-mail message.

The typical filter-based solution is only able to guess (be it an educated one or not) as to whether an e-mail message is spam or not.  In addition, even if a message does not meet the traditional definition of “spam,” it isn’t necessarily a message the recipient would like to receive.  Differentiating between wanted and unwanted messages is a task that filter-based solutions are unable to accomplish, but one that solutions focusing on the relationship between sender and recipient can. Ultimately, solutions that focus on the sender of a message allow users to create their own network of trusted contacts – once and for all putting the e-mail user in control of their inbox as opposed to the solution protecting it.

The Solution

Sendio’s E-mail Security Platform (ESP) is one example of a solution that focuses on the relationship between sender and recipient, as opposed to the content of a message to secure an organization’s e-mail infrastructure and restore trust in e-mail communications. Similar to the friend request utilized by popular social networking sites, the ESP utilizes a technology called Sender Address Verification (SAV), in conjunction with a number of other security technologies, to confirm senders as trusted e-mail sources and automatically build each e-mail user’s trusted network of contacts.

According to Gilbert Mendoza, IT Security Administrator at Pechanga Resort & Casino, California’s largest casino, based in Temecula, Pechanga implemented Sendio’s solution to address the huge amount of time his users were spending sorting through spam and looking for false positives.  The “opt-in” component of the solution was the most compelling for Mendoza: “Sendio’s ESP works because it uses the right approach for attacking the problem of spam –Sender Address Verification (SAV) to prevent spam and the loss of ‘good’ e-mails that previously wound up in limbo.”

By believing that people, not filters, should choose who they interact with, Sendio guarantees delivery of all clean messages and protection from e-mail borne attacks. In today’s on-line risk environment, filter-based e-mail security solutions are no longer able to effectively address the threats e-mail servers and inboxes faces.  Taking a lesson from its social networking counterpart, it is time for the e-mail paradigm to shift and adopt the security measures needed to catalyze e-mail to become the trusted tool users need.

For everyone there is a first time (publishing to YouTube)

Check out my first ever YouTube video posting.

Pandemic or Epidemic

(http://www.youtube.com/watch?v=_pQiayVZWUg)

Going Green: How Environmentally Friendly is your Company’s Anti-Spam Solution?

I originally posted the following at CIO.com (http://tiny.cc/Pvz1g)

Last week McAfee, in conjunction with ICF International, published The Carbon Footprint of E-mail Spam Report, a report that details the “carbon footprint” of sending, receiving, and viewing spam. A novel new concept – the environmental impact of spam?

One of the most significant findings of the report was that nearly 80% of the energy consumed by spam comes “from end-users deleting spam and searching for legitimate e-mail (false positives).” The act of sending a spam message, consumes less than 1% of the GHG emissions associated with any given spam message – and the real “damage” so to speak is done once the spam message hits a user’s inbox (27% of GHG emissions are a result of false positives and 52% of emissions are a result of viewing spam).

I have to beg the question here, if the “damage” being caused is more or less in our hands (i.e. once the spam message reaches our inbox), is there such a thing as a “green” anti-spam solution we can implement to address the problem? Logic would say yes – anti-spam solutions that are able to eliminate false positives, and minimize the amount of spam end-users receive and view, are by course of reason and logic “green” solutions.

Here, lets explore the three criteria organizations can use to determine how “green” their anti-spam solution is: number of false-positives, spam messages viewed, and methodology used to stop spam.

False Positives
Twenty-seven percent of GHG emissions resulting from a typical spam message are the result of false positives. Anti-spam solutions that may block a high percentage of spam (98 or even 99%), but result in a high number of false positives, are usually more trouble than they are worth. While your end-users may not have spam in their inbox, the time spent searching for legitimate messages in a junk folder is costly in terms of lost productivity and environmental impact.

False positives are typically a problem that is inherently associated with filter-based anti-spam solutions – solutions that are built to avoid false-positives, and don’t rely on a “spam-filter” to scan the content of a message are more effective in addressing this “environmental” concern and time eater.

Spam Viewed
A staggering fifty-two percent of GHG emissions resulting from any given spam message are a result of viewing that piece of spam. This piece of criteria couldn’t be any simpler: the higher the spam stop-rate (i.e. 95, 96, 97 %) of your solution, the more environmental friendly it is. If your solution doesn’t allow spam messages to reach end-user’s inboxes, then your users aren’t spending time viewing or deleting these messages, and ultimately the GHG emissions associated with any one of these messages is eliminated.

Or, even better, select a solution that won’t allow spam through, period. Here, I’m sure to hear a resounding… “easier said than done!” However this point comes back to the methodology behind your solution and how it addresses the problem of spam.

Let’s discuss…

Solution Methodology
Sixteen percent of GHG emissions associated with a spam message can be traced back to the spam filter that worked to stop that spam message. Needless to say, without any anti-spam filter in place, emissions would increase dramatically in other areas (such as spam viewing), and any solution is better than none. However, some are better than others, and today organizations have a plethora of choices when it comes to selecting an anti-spam solution – and no longer need to rely on filter-based solutions to solve their spam problem.

Increasingly, organizations are moving away from “filter-based” solutions, to solutions that focus on the trustworthiness of the sender, not the content of the message. Although spam filters have gotten “better,” they still create an arms race – spammers are continually looking for new and innovative techniques to break or circumvent the filters and filtering companies are continually creating updates to combat these new attacks. This ping pong effect results in more spam, more management, and a problem that isn’t solved.

Sendio (for the enterprise), Earthlink, Spam Arrest, and Boxbe (for individuals) are all companies that have rolled out solutions that adopt an “Opt-in Model” to stop spam. Similar to many popular social networking sites, (such as Facebook and LinkedIn) these solutions utilize something similar to the “friend request,” allowing users to build their own network of trusted contacts instead of relying on a filter to determine what is and isn’t spam. By adopting an approach that puts users in control, organizations can truly address their spam problem – and totally eliminate false positives as well as spam viewed. To eliminate the time and carbon emissions associated with these two components eliminates nearly 80% of the carbon emissions associated with spam!

Ultimately, how environmentally friendly your anti-spam solution is, is directly correlated to how effective that solution is – and implementing anti-spam solutions that are highly effective, will be both good for business and for the environment.

Follow me on twitter: http://twitter.com/sendio & http://twitter.com/talgolan

Phishing, with a side of Swine Flu

I just read the following on the MSNBC web site:
(http://tinyurl.com/msnbc-phishing-swine-flu)

Phishing with Swine Flu as bait

Phishers and spammers have caught Swine Flu fever and are exploiting fears around the outbreak to try to sell pharmaceutical products or steal information, security experts said Tuesday.

The e-mail scams have a subject line related to the Swine Flu and typically contain either a link to a phishing Web site or an attachment that contains malicious code, the US-CERT said in an advisory. (Read More…)

Stuff like this reminds me how evil some people can be, and how ubiquitous email has become. Let’s be clear, these types of attacks always happen through email. Not through websites. Not through your fax machine. Not via instant messaging (IM), or SMS. These attacks don’t reach you via your cell phone, and these attacks don’t arrive via FedEx or UPS. Its ALWAYS via email.

For the last decade companies like Microsoft, Cisco, Symantec, Google, McAfee, Trend Micro, Sonic Wall, Barracuda Networks, etc. have made (and spent) billions of dollars trying to convince us they know what they are doing when it comes to the security of our email. How much longer, and how many more exploits like this one, is it going to take before people realize that email, the original social networking application, deserves to be secured the same way Facebook, Twitter, LinkedIn, AIM, and Plaxo are secured?

Isn’t it time, once and for all, for authenticated email to take the main stage? What is everyone so afraid of? Threat free email is available, today, and is currently in use by millions of people and thousands of companies around the world.

It is time to stop the insanity. Continuing to do what you’ve always done (filtering your email) will always yield the mediocre results you are seeing today.

Why the cloud is a great place for enterprise email

Why the cloud is a great place for enterprise email.

• E-mail is required to be on-line 24 x 7 x 365 with “5 9s” reliability. Using cloud computing resources can give even small businesses the opportunity to provide email reliability that used to only be available to the largest enterprises. Medium to large enterprises can benefit by “off-loading” the responsibility of up-time to the cloud provider.
• Security. E-mail is perhaps the single most targeted vector for enterprise security attacks. Through judicious use of cloud computing, e-mail can be kept completely private while being kept at a distance.
• Bandwidth/resource conservation. Cloud computing allows enterprises of all sizes to keep e-mail threats away from their primary bandwidth sources. In addition, the computing resources required to protect the e-mail stream can be re-purposed for other activities.

Preserving E-mail Infrastructure: Making do with what you have, and other lessons of the 1930’s

(originally posted 21 April 2009 on CIO.com)
http://tinyurl.com/talgolan-cio-blog-20090421

Over the past six months, we’ve found ourselves in an extraordinary set of economic conditions, that, as we are constantly reminded, we haven’t seen in years, decades, or as the cincher the media loves to use to really drive home the point – the Great Depression. Companies are doing more with less, cutting resources back in all departments and being forced to make difficult decisions about what their organization fiscally values.

IT departments are no exception; however, these teams are in the unique position where operations must go on under two sets of unprecedented conditions: an economic climate that stresses fiscal responsibility above all else, in conjunction with an unparalleled set of e-mail security threats that worsen by the day.

What is an IT department to do? Compromise security to preserve financial goals? Sit and wait? Or, hidden option C, take a few tough lessons from our depression-era counterparts and optimize services while avoiding expensive investments? If you’re thinking about going with the latter, here I discuss the first step: protect the server as the costliest and most important network component.

Go Back to the Basics

E-mail is the lifeblood of contemporary business communications. Any breakdown in this mission-critical tool and most companies come to a virtual halt – the crowds become just a little bit larger at the water cooler, and you’ll find the IT team in a strategy huddle in the server room.

In this type of environment, an IT department’s primary task is to keep the network infrastructure focused on and undistracted from its role of managing inbound and outbound e-mail—quickly and securely. However, despite a natural expectation that something so mission-critical will have iron-clad protection, from an insider’s perspective it is one of the most vulnerable corporate components – threats go far beyond the annoyance of spam to include malicious components such as phishing attacks, worms, Trojans, bots, and other Internet crimeware.

Under this set of circumstances, more than ever, it’s important to do the simple things exceedingly well, and keep the focus on the core of the organization’s infrastructure: the server. Doing what’s best for the server is usually in the best interest of the entire organization, including that of your team. Employing simple strategies that are in line with this focus will pay off by giving you the edge it takes to weather these conditions.

Make Do With What You Have

Give the Server a Focused and Undistracted Role

Because servers are robust tools demanding significant processing power, using an e-mail security solution for the heavy e-mail security lifting keeps the server focused on its core competencies. Resources that are able to take the e-mail burden off of the server should be utilized to the fullest extent possible, allowing server resources to be diverted to core assignments. Organizations may be surprised at how much bandwidth their organization’s e-mail traffic requires, and similarly what the true value of that additional bandwidth is.

Sidestep Server Upgrades and Replacements

Organizations that are preserving Microsoft Exchange 2000, 5.5 or earlier versions don’t benefit from any form of sender DNS checking or recipient checking on inbound e-mail communications. In-house resources that are able to perform these checks before e-mail enters the network boosts a department’s e-mail infrastructure security, but do not require additional server resources. These potentially performance-amplifying tools dramatically reduce the volume of e-mail burdening the infrastructure and mitigate the need for pricey server upgrades or replacements.

Protect the Server from Outside Exposure

Deploying an e-mail security appliance first in the line of defense (behind the corporate firewall) buffers the server from unnecessary outside communication, and takes

full responsibility for anti-spam/anti-virus processing and bandwidth. Solutions configured to sit in front of the server mitigate exposure and are able to handle inbound/outbound e-mail communication as well as the accompanying assaults.

Employ Smart Host Services

An e-mail security appliance with smart host services can protect the server from communicating directly over SMTP with outside servers—always risky—and provides a “perfect” delivery path within the internal network. One with mailbagging support does away with the need for “non-deliverable” status messages to be generated or e-mails to be resent, both of which distract and contribute to annoying e-mail volley.

Invest Wisely

When there is an opportunity to invest in your department’s e-mail infrastructure: invest wisely. Choose solutions and technologies that will support, boost and protect the existing infrastructure as opposed to those options that will further tax already limited resources. To those who don’t believe: there is always a better way and there are always new and innovative options to those age old problems you thought had been solved five years ago. Taking the time to research the problem up front and finding a solution that will actually solve the problem will pay off multiple times over in the form of you and your team’s time and sanity.

Out with the Old, In with the New

A little technology based spring cleaning – my thoughts on malware and e-mail security technologies that are being phased out and the newer, better technologies that are taking their place:

The first technology being replaced is the traditional spam filter. As we all know, the % of spam and unwanted e-mail has been steadily increasing for the last decade. Clearly, the concept of filtering e-mail based on content has failed to even make a dent in the problem. Even the best spam filters, all based on a blend of heuristics and/or Bayesian probability, have proven to be reactive and ineffective. The replacement for these failed systems is e-mail address verification. Only through the establishment of human-to-human e-mail address verification can people begin to regain their confidence in e-mail as a trusted form of communication for business.

The next technology being replaced is signature based anti-virus tools. Gone are the days when enterprises can rely on a single vendor, or even a group of vendors, to provide virus definitions and scanning tools. Intelligent pattern recognition engines, like those provided by Commtouch RPD, are proving to be more effective and more efficient than traditional signature based tools.

Next, all technologies that call themselves “IP Reputations” technologies are on their way out. Products and services like Spamhaus, Spamcop, and other blacklisting databases are the cancer of the Internet and cause more harm than good. As the world moves from IPv4 to IPv6, these IP Reputation tools/systems/databases will become irrelevant.

Finally, from a security perspective, IPv4 is on its way out, to be replaced with IPv6. This transition is well underway within the confines of wireless networks and large private networks, and will soon be making its way into the public domain.

SC Magazine: Protect your email domain

Check out my opinion piece, published 10 April 2009, in SC Magazine’s print edition and on-line…

SC Magazine (http://www.scmagazineus.com/Protect-your-email-domain/article/130481/)

Of all the struggles associated with securing email, one of the most basic is the identification and prevention of domain name forgery. Email has become an essential tool for business, however, there is absolutely no security layer required when an email message is sent and/or received.

Two promising technologies have been developed to protect against domain name forgery. Unfortunately, both have been lumped into the “anti-spam” category. While preventing some email spam is a minor side effect of these technologies, this mis‑characterization appears to have limited the widespread adoption of these technologies.

Sender Policy Framework (SPF) is designed to empower domain owners to limit the ability of their domains to be forged within email addresses. SPF records are published via DNS and provides owners a means to specify which mail sources are legitimate for their domain.

Domain Keys Identified Mail (DKIM) is a cryptographic domain authentication protocol developed to protect against domain forgery within email addresses. DKIM is the merger of two similar concepts from Yahoo! and Cisco.

Here’s the catch… Both SPF and DKIM require domain owners to take responsibility for themselves. In this day and age, any business or organization that relies on email as a trusted channel of communication owes it to themselves and their customers/partners to implement SPF and DKIM for each of their domains as soon as possible. While some consider this to be a “chicken and the egg” proposition, it’s clear that now is the time for responsible internet citizens to step up and embrace these important technologies.

McAfee report says: Spam e-mails killing the environment

While I can’t comment on the science behind McAfee’s study, if it’s to be believed, that would make Sendio the single most eco-friendly anti-spam product on the planet!

Hot off the digital presses… Spam e-mails killing the environment, McAfee report says

McAfee’s Avert Labs recently reported the significant impact that spam is having, not just on our inboxes, but on the environment. The novelty of this angle aside, shouldn’t people be asking themselves how is it possible this problem has been allowed to get so bad? Let’s assume we like the idea of elevating spam to a place where it is considered to be an environmental hazard (I think its even worse — more like an environmental disaster — but the promotion is long overdue), clearly the time has come to ask “who has been asleep at the switch?”

Back in the 1970’s it became obvious that air pollution was caused, to a large extent, by exhaust from automobiles and trucks. Once this fact had been established, the question became… “What are we going to do about it?” If air pollution had been addressed like email pollution, we would have simply trusted the auto manufacturers to make things better. In light of today’s study from McAfee, I think it is safe to say that anti-spam filters = auto manufacturers. While the automobile industry has certainly made great strides in the areas of fuel efficiency and emissions, they have never come close to getting ahead of the curve or actually fixing the problem.

Just like the US auto industry has failed to keep pace, from an innovation perspective, with their competitors around the globe, the developers of anti-spam filtering technologies have, obviously, failed to keep pace with spammers. As Albert Einstein said, “The definition of insanity is doing the same things, over and over again, expecting different results.” Like the US auto industry, the US anti-spam filtering industry is bloated, stuck in the past, is stagnant, and is losing the arms race to the bad guys.

Fortunately for us, the challenge to improve air quality was not simply “trusted,” or handed-over, to the auto industry alone. We realized that individuals needed to get involved. We, the people, needed to make changes to the way we did/do things. We came to understand that to help ourselves we needed to actively engage; not simply sit back and hope some passive system would make everything better.

The time has come, once and for all, for “we the people” to take a stand against spam! Clearly, the mammoth companies, like McAfee, Cisco, Symantec, Google, Barracuda Networks, etc., that make anti-spam filtering tools have failed to save our environment from this polluting scourge. If we, as individuals and collectively as businesses, don’t start looking beyond the status quo with respect to failed anti-spam filtering, we are not only going to loose e-mail as a tool, we are going to hasten the deterioration of our physical environment.

Sendio in the Boston Globe

Its not much, but we did get a mention in the Boston Globe…

http://www.boston.com/business/technology/articles/2009/04/11/filters_getting_better_at_blocking_spam/?page=2

Other companies, like Sendio Inc. in Irvine, Calif., and Spam Arrest LLC of Seattle, use a “challenge-response” technique. Send an e-mail to a challenge-response user and you’ll get an automated reply, asking you to type in some words or numbers. This will prove your e-mail came from a human being and not a spam-spewing computer. If you send the correct reply, all your future messages are delivered immediately, but spam messages can’t get through.

For the record… Sendio’s sender address verification technology (SAV), also know generically as challenge response, DOES NOT require anyone to “…type in some words or numbers.” Our technology requires a simple “REPLY & SEND.” and ONLY in the case where the sender is completely unknown to the intended recipient. For example, anyone I send an e-mail to is automatically added to my personal accept-list, thus, is NEVER subjected to the address verification process.