Going Green: How Environmentally Friendly is your Company’s Anti-Spam Solution?

I originally posted the following at CIO.com (http://tiny.cc/Pvz1g)

Last week McAfee, in conjunction with ICF International, published The Carbon Footprint of E-mail Spam Report, a report that details the “carbon footprint” of sending, receiving, and viewing spam. A novel new concept – the environmental impact of spam?

One of the most significant findings of the report was that nearly 80% of the energy consumed by spam comes “from end-users deleting spam and searching for legitimate e-mail (false positives).” The act of sending a spam message consumes less than 1% of the GHG emissions associated with any given spam message, and the real “damage,” so to speak, is done once the spam message hits a user’s inbox (27% of GHG emissions are a result of false positives and 52% of emissions are a result of viewing spam).

I have to beg the question here, if the “damage” being caused is more or less in our hands (i.e. once the spam message reaches our inbox), is there such a thing as a “green” anti-spam solution we can implement to address the problem? Logic would say yes – anti-spam solutions that are able to eliminate false positives, and minimize the amount of spam end-users receive and view, are by course of reason and logic “green” solutions.

Here, let’s explore the three criteria organizations can use to determine how “green” their anti-spam solution is: number of false positives, spam messages viewed, and methodology used to stop spam.

False Positives
Twenty-seven percent of GHG emissions resulting from a typical spam message are the result of false positives. Anti-spam solutions that may block a high percentage of spam (98 or even 99%), but result in a high number of false positives, are usually more trouble than they are worth. While your end-users may not have spam in their inbox, the time spent searching for legitimate messages in a junk folder is costly in terms of lost productivity and environmental impact.

False positives are typically a problem that is inherently associated with filter-based anti-spam solutions – solutions that are built to avoid false-positives, and don’t rely on a “spam-filter” to scan the content of a message are more effective in addressing this “environmental” concern and time eater.

Spam Viewed
A staggering fifty-two percent of GHG emissions resulting from any given spam message are a result of viewing that piece of spam. This criterion couldn’t be any simpler: the higher the spam stop-rate (i.e. 95, 96, 97%) of your solution, the more environmentally friendly it is. If your solution doesn’t allow spam messages to reach end users’ inboxes, then your users aren’t spending time viewing or deleting these messages, and ultimately the GHG emissions associated with any one of these messages are eliminated.

Or, even better, select a solution that won’t allow spam through, period. Here, I’m sure to hear a resounding… “easier said than done!” However this point comes back to the methodology behind your solution and how it addresses the problem of spam.

Let’s discuss…

Solution Methodology
Sixteen percent of GHG emissions associated with a spam message can be traced back to the spam filter that worked to stop that spam message. Needless to say, without any anti-spam filter in place, emissions would increase dramatically in other areas (such as spam viewing), and any solution is better than none. However, some are better than others, and today organizations have a plethora of choices when it comes to selecting an anti-spam solution – and no longer need to rely on filter-based solutions to solve their spam problem.

Increasingly, organizations are moving away from “filter-based” solutions, to solutions that focus on the trustworthiness of the sender, not the content of the message. Although spam filters have gotten “better,” they still create an arms race – spammers are continually looking for new and innovative techniques to break or circumvent the filters and filtering companies are continually creating updates to combat these new attacks. This ping pong effect results in more spam, more management, and a problem that isn’t solved.

Sendio (for the enterprise), Earthlink, Spam Arrest, and Boxbe (for individuals) are all companies that have rolled out solutions that adopt an “Opt-in Model” to stop spam. Similar to many popular social networking sites, (such as Facebook and LinkedIn) these solutions utilize something similar to the “friend request,” allowing users to build their own network of trusted contacts instead of relying on a filter to determine what is and isn’t spam. By adopting an approach that puts users in control, organizations can truly address their spam problem – and totally eliminate false positives as well as spam viewed. To eliminate the time and carbon emissions associated with these two components eliminates nearly 80% of the carbon emissions associated with spam!

Ultimately, how environmentally friendly your anti-spam solution is, is directly correlated to how effective that solution is – and implementing anti-spam solutions that are highly effective, will be both good for business and for the environment.


Phishing, with a side of Swine Flu

I just read the following on the MSNBC web site:
(http://tinyurl.com/msnbc-phishing-swine-flu)

Phishing with Swine Flu as bait

Phishers and spammers have caught Swine Flu fever and are exploiting fears around the outbreak to try to sell pharmaceutical products or steal information, security experts said Tuesday.

The e-mail scams have a subject line related to the Swine Flu and typically contain either a link to a phishing Web site or an attachment that contains malicious code, the US-CERT said in an advisory.

Stuff like this reminds me how evil some people can be, and how ubiquitous email has become. Let’s be clear, these types of attacks always happen through email. Not through websites. Not through your fax machine. Not via instant messaging (IM), or SMS. These attacks don’t reach you via your cell phone, and these attacks don’t arrive via FedEx or UPS. It’s ALWAYS via email.

For the last decade companies like Microsoft, Cisco, Symantec, Google, McAfee, Trend Micro, Sonic Wall, Barracuda Networks, etc. have made (and spent) billions of dollars trying to convince us they know what they are doing when it comes to the security of our email. How much longer, and how many more exploits like this one, is it going to take before people realize that email, the original social networking application, deserves to be secured the same way Facebook, Twitter, LinkedIn, AIM, and Plaxo are secured?

Isn’t it time, once and for all, for authenticated email to take the main stage? What is everyone so afraid of? Threat free email is available, today, and is currently in use by millions of people and thousands of companies around the world.

It is time to stop the insanity. Continuing to do what you’ve always done (filtering your email) will always yield the mediocre results you are seeing today.

Why the cloud is a great place for enterprise email

  • E-mail is required to be on-line 24 x 7 x 365 with “5 9s” reliability. Using cloud computing resources can give even small businesses the opportunity to provide email reliability that used to only be available to the largest enterprises. Medium to large enterprises can benefit by “off-loading” the responsibility of up-time to the cloud provider.
  • Security. E-mail is perhaps the single most targeted vector for enterprise security attacks. Through judicious use of cloud computing, e-mail can be kept completely private while being kept at a distance.
  • Bandwidth/resource conservation. Cloud computing allows enterprises of all sizes to keep e-mail threats away from their primary bandwidth sources. In addition, the computing resources required to protect the e-mail stream can be re-purposed for other activities.

Preserving E-mail Infrastructure: Making do with what you have, and other lessons of the 1930’s

(originally posted 21 April 2009 on CIO.com)
http://tinyurl.com/talgolan-cio-blog-20090421

Over the past six months, we’ve found ourselves in an extraordinary set of economic conditions, that, as we are constantly reminded, we haven’t seen in years, decades, or as the cincher the media loves to use to really drive home the point – the Great Depression. Companies are doing more with less, cutting resources back in all departments and being forced to make difficult decisions about what their organization fiscally values.

IT departments are no exception; however, these teams are in the unique position where operations must go on under two sets of unprecedented conditions: an economic climate that stresses fiscal responsibility above all else, in conjunction with an unparalleled set of e-mail security threats that worsen by the day.

What is an IT department to do? Compromise security to preserve financial goals? Sit and wait? Or, hidden option C, take a few tough lessons from our depression-era counterparts and optimize services while avoiding expensive investments? If you’re thinking about going with the latter, here I discuss the first step: protect the server as the costliest and most important network component.

Go Back to the Basics

E-mail is the lifeblood of contemporary business communications. Any breakdown in this mission-critical tool and most companies come to a virtual halt – the crowds become just a little bit larger at the water cooler, and you’ll find the IT team in a strategy huddle in the server room.

In this type of environment, an IT department’s primary task is to keep the network infrastructure focused on and undistracted from its role of managing inbound and outbound e-mail—quickly and securely. However, despite a natural expectation that something so mission-critical will have iron-clad protection, from an insider’s perspective it is one of the most vulnerable corporate components – threats go far beyond the annoyance of spam to include malicious components such as phishing attacks, worms, Trojans, bots, and other Internet crimeware.

Under this set of circumstances, more than ever, it’s important to do the simple things exceedingly well, and keep the focus on the core of the organization’s infrastructure: the server. Doing what’s best for the server is usually in the best interest of the entire organization, including that of your team. Employing simple strategies that are in line with this focus will pay off by giving you the edge it takes to weather these conditions.

Make Do With What You Have

Give the Server a Focused and Undistracted Role

Because servers are robust tools demanding significant processing power, using an e-mail security solution for the heavy e-mail security lifting keeps the server focused on its core competencies. Resources that are able to take the e-mail burden off of the server should be utilized to the fullest extent possible, allowing server resources to be diverted to core assignments. Organizations may be surprised at how much bandwidth their organization’s e-mail traffic requires, and similarly what the true value of that additional bandwidth is.

Sidestep Server Upgrades and Replacements

Organizations that are preserving Microsoft Exchange 2000, 5.5 or earlier versions don’t benefit from any form of sender DNS checking or recipient checking on inbound e-mail communications. In-house resources that are able to perform these checks before e-mail enters the network boost a department’s e-mail infrastructure security without requiring additional server resources. These potentially performance-amplifying tools dramatically reduce the volume of e-mail burdening the infrastructure and mitigate the need for pricey server upgrades or replacements.

Protect the Server from Outside Exposure

Deploying an e-mail security appliance first in the line of defense (behind the corporate firewall) buffers the server from unnecessary outside communication, and takes full responsibility for anti-spam/anti-virus processing and bandwidth. Solutions configured to sit in front of the server mitigate exposure and are able to handle inbound/outbound e-mail communication as well as the accompanying assaults.

Employ Smart Host Services

An e-mail security appliance with smart host services can protect the server from communicating directly over SMTP with outside servers—always risky—and provides a “perfect” delivery path within the internal network. One with mailbagging support does away with the need for “non-deliverable” status messages to be generated or e-mails to be resent, both of which distract and contribute to annoying e-mail volley.

Invest Wisely

When there is an opportunity to invest in your department’s e-mail infrastructure: invest wisely. Choose solutions and technologies that will support, boost and protect the existing infrastructure as opposed to those options that will further tax already limited resources. To those who don’t believe: there is always a better way and there are always new and innovative options to those age old problems you thought had been solved five years ago. Taking the time to research the problem up front and finding a solution that will actually solve the problem will pay off multiple times over in the form of you and your team’s time and sanity.

Out with the Old, In with the New

A little technology based spring cleaning – my thoughts on malware and e-mail security technologies that are being phased out and the newer, better technologies that are taking their place:

The first technology being replaced is the traditional spam filter. As we all know, the percentage of spam and unwanted e-mail has been steadily increasing for the last decade. Clearly, the concept of filtering e-mail based on content has failed to even make a dent in the problem. Even the best spam filters, all based on a blend of heuristics and/or Bayesian probability, have proven to be reactive and ineffective. The replacement for these failed systems is e-mail address verification. Only through the establishment of human-to-human e-mail address verification can people begin to regain their confidence in e-mail as a trusted form of communication for business.

The next technology being replaced is signature based anti-virus tools. Gone are the days when enterprises can rely on a single vendor, or even a group of vendors, to provide virus definitions and scanning tools. Intelligent pattern recognition engines, like those provided by Commtouch RPD, are proving to be more effective and more efficient than traditional signature based tools.

Next, all technologies that call themselves “IP Reputations” technologies are on their way out. Products and services like Spamhaus, Spamcop, and other blacklisting databases are the cancer of the Internet and cause more harm than good. As the world moves from IPv4 to IPv6, these IP Reputation tools/systems/databases will become irrelevant.

Finally, from a security perspective, IPv4 is on its way out, to be replaced with IPv6. This transition is well underway within the confines of wireless networks and large private networks, and will soon be making its way into the public domain.

SC Magazine: Protect your email domain

Check out my opinion piece, published 10 April 2009, in SC Magazine’s print edition and on-line…

SC Magazine (http://www.scmagazineus.com/Protect-your-email-domain/article/130481/)

Of all the struggles associated with securing email, one of the most basic is the identification and prevention of domain name forgery. Email has become an essential tool for business, however, there is absolutely no security layer required when an email message is sent and/or received.

Two promising technologies have been developed to protect against domain name forgery. Unfortunately, both have been lumped into the “anti-spam” category. While preventing some email spam is a minor side effect of these technologies, this mis‑characterization appears to have limited the widespread adoption of these technologies.

Sender Policy Framework (SPF) is designed to empower domain owners to limit the ability of their domains to be forged within email addresses. SPF records are published via DNS and provide owners a means to specify which mail sources are legitimate for their domain.

DomainKeys Identified Mail (DKIM) is a cryptographic domain authentication protocol developed to protect against domain forgery within email addresses. DKIM is the merger of two similar concepts from Yahoo! and Cisco.

Here’s the catch… Both SPF and DKIM require domain owners to take responsibility for themselves. In this day and age, any business or organization that relies on email as a trusted channel of communication owes it to themselves and their customers/partners to implement SPF and DKIM for each of their domains as soon as possible. While some consider this to be a “chicken and the egg” proposition, it’s clear that now is the time for responsible internet citizens to step up and embrace these important technologies.
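To make the SPF description above concrete, here is an added example (not from the original article) of how a receiving server evaluates a published SPF record against the connecting IP address. It covers only the `ip4`, `ip6`, `include` and `all` mechanisms; the domains, address ranges and the `ZONE` dictionary that stands in for DNS are constructed for illustration.

```python
import ipaddress

# Result produced when a mechanism carrying the given qualifier matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data standing in for DNS TXT lookups
# (documentation domains and address ranges, not real senders).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:25::/48 ~all",
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifiers (redirect=, exp=) are ignored in this example
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_host(domain, sender_ip, zone=ZONE, depth=0):
    """Return the SPF result for mail claiming `domain` sent from `sender_ip`."""
    if depth > 10:  # loop guard, a simplification of RFC 7208's lookup limit
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"  # the domain owner has published no policy
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_host(value, sender_ip, zone, depth + 1)
            if inner == "none":
                return "permerror"  # an include must point at a real record
            if inner in ("permerror", "temperror"):
                return inner
            matched = inner == "pass"  # only an inner "pass" counts as a match
        else:
            raise NotImplementedError(f"mechanism {name!r} needs live DNS")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.40", "203.0.113.9"):
        print(ip, check_host("example.com", ip))
```

Note that the included record's `~all` does not leak out as a softfail: an `include` only matches when the inner evaluation passes, so the outer `-all` still decides the result for unlisted hosts.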

McAfee report says: Spam e-mails killing the environment

While I can’t comment on the science behind McAfee’s study, if it’s to be believed, that would make Sendio the single most eco-friendly anti-spam product on the planet!

Hot off the digital presses… Spam e-mails killing the environment, McAfee report says

McAfee’s Avert Labs recently reported the significant impact that spam is having, not just on our inboxes, but on the environment. The novelty of this angle aside, shouldn’t people be asking themselves how is it possible this problem has been allowed to get so bad? Let’s assume we like the idea of elevating spam to a place where it is considered to be an environmental hazard (I think it’s even worse — more like an environmental disaster — but the promotion is long overdue), clearly the time has come to ask “who has been asleep at the switch?”

Back in the 1970’s it became obvious that air pollution was caused, to a large extent, by exhaust from automobiles and trucks. Once this fact had been established, the question became… “What are we going to do about it?” If air pollution had been addressed like email pollution, we would have simply trusted the auto manufacturers to make things better. In light of today’s study from McAfee, I think it is safe to say that anti-spam filters = auto manufacturers. While the automobile industry has certainly made great strides in the areas of fuel efficiency and emissions, they have never come close to getting ahead of the curve or actually fixing the problem.

Just like the US auto industry has failed to keep pace, from an innovation perspective, with their competitors around the globe, the developers of anti-spam filtering technologies have, obviously, failed to keep pace with spammers. As Albert Einstein said, “The definition of insanity is doing the same things, over and over again, expecting different results.” Like the US auto industry, the US anti-spam filtering industry is bloated, stuck in the past, is stagnant, and is losing the arms race to the bad guys.

Fortunately for us, the challenge to improve air quality was not simply “trusted,” or handed-over, to the auto industry alone. We realized that individuals needed to get involved. We, the people, needed to make changes to the way we did/do things. We came to understand that to help ourselves we needed to actively engage; not simply sit back and hope some passive system would make everything better.

The time has come, once and for all, for “we the people” to take a stand against spam! Clearly, the mammoth companies, like McAfee, Cisco, Symantec, Google, Barracuda Networks, etc., that make anti-spam filtering tools have failed to save our environment from this polluting scourge. If we, as individuals and collectively as businesses, don’t start looking beyond the status quo with respect to failed anti-spam filtering, we are not only going to lose e-mail as a tool, we are going to hasten the deterioration of our physical environment.

Sendio in the Boston Globe

It’s not much, but we did get a mention in the Boston Globe

http://www.boston.com/business/technology/articles/2009/04/11/filters_getting_better_at_blocking_spam/?page=2

Other companies, like Sendio Inc. in Irvine, Calif., and Spam Arrest LLC of Seattle, use a “challenge-response” technique. Send an e-mail to a challenge-response user and you’ll get an automated reply, asking you to type in some words or numbers. This will prove your e-mail came from a human being and not a spam-spewing computer. If you send the correct reply, all your future messages are delivered immediately, but spam messages can’t get through.

For the record… Sendio’s sender address verification technology (SAV), also known generically as challenge response, DOES NOT require anyone to “…type in some words or numbers.” Our technology requires a simple “REPLY & SEND,” and ONLY in the case where the sender is completely unknown to the intended recipient. For example, anyone I send an e-mail to is automatically added to my personal accept-list, thus, is NEVER subjected to the address verification process.
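The accept-list flow described in this post, and the opt-in model from the first post on this page, can be modelled as a small state machine. This is an added sketch, not Sendio's implementation: the class and method names are hypothetical, and binding each challenge to a random token that the reply must carry is an assumption of the example.

```python
import secrets


class VerificationGateway:
    """Toy model of an opt-in inbound queue with sender address verification."""

    def __init__(self):
        self.accept_list = set()   # senders delivered without verification
        self.held = {}             # unknown sender -> messages waiting
        self.tokens = {}           # challenge token -> sender it was issued to
        self.inbox = []            # (sender, message) pairs delivered so far
        self.challenges_sent = []  # (sender, token) pairs, kept for inspection

    def _accept(self, sender):
        # Trust the sender and release anything held for them.
        self.accept_list.add(sender)
        for message in self.held.pop(sender, []):
            self.inbox.append((sender, message))

    def outbound(self, recipient):
        # Anyone the user writes to is added to the accept-list automatically.
        self._accept(recipient.lower())

    def inbound(self, sender, message):
        sender = sender.lower()
        if sender in self.accept_list:
            self.inbox.append((sender, message))
            return "delivered"
        first_contact = sender not in self.held
        self.held.setdefault(sender, []).append(message)
        if not first_contact:
            return "held"  # one challenge per sender, no matter how many mails
        token = secrets.token_urlsafe(16)  # assumption: reply must echo this
        self.tokens[token] = sender
        self.challenges_sent.append((sender, token))
        return "challenged"

    def challenge_reply(self, sender, token):
        # A reply only verifies the address the challenge was issued to.
        sender = sender.lower()
        if self.tokens.get(token) != sender:
            return False
        del self.tokens[token]
        self._accept(sender)
        return True


if __name__ == "__main__":
    gw = VerificationGateway()
    gw.outbound("partner@example.org")                   # constructed addresses
    print(gw.inbound("partner@example.org", "re: quote"))   # delivered
    print(gw.inbound("stranger@example.net", "hello"))      # challenged
    sender, token = gw.challenges_sent[0]
    print(gw.challenge_reply(sender, token), gw.inbox)
```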

What’s up with “scareware?”

Fear is used, universally, as a means to control people. Governments use it. Large businesses use it. So it should come as no surprise to anyone that “cyber bad guys” use it. Why do they use fear? Because it is effective!

I often ask myself who comes up with terms like “scareware?” Talk about a self-fulfilling prophecy.

“Scareware” is, at its core, a Trojan horse. In most cases, the “malicious security software” that plagues computers around the world is willingly installed by the victims themselves. The purveyors of these threats, in many cases, get their victims to pay for the software under the guise that it is, itself, software designed to protect the user.

The easiest and best way for people to avoid falling victim to these types of attacks/threats is to use common sense.

  • Don’t install software unless you can verify its source is legitimate and reputable.
  • Before installing any new software on your computer, make sure your anti-virus software is enabled and its definitions are up-to-date.
  • Whatever you do, don’t disable your anti-virus software. No legitimate software should ever require such an action.
  • Finally, before installing any new software, make sure your important files have been backed-up to a location off your computer.

In the end, even people who follow all the best security practices sometimes still get hurt by malicious software. However, by following the 4 steps mentioned above, your risk of getting burned is greatly reduced, and even if you do get burned, at least you will not lose your data.

Spam in the Neighborhood

http://securitywatch.eweek.com/spam/spam_in_the_neighborhood.html

“Among others, experts at messaging security vendor Sendio have called out the recent trend toward local spam campaigns. In a recent research summary, the company’s CTO, Tal Golan, highlighted the use of methods including the spoofing of local news events, and regional news portal domains, to convince people to click on the (frequently malware-infected) URLs that spammers are trying to pawn off on them.”