Category: e-mail

Top 5 technologies/trends that every IT professional should be thinking about with respect to e-mail

  1. Anti-spam filtering can no longer be considered a reliable tool for protecting your e-mail infrastructure and/or your users from the many threats that use e-mail as their primary insertion vector. Smart IT professionals have come to realize it is impossible to determine intent from content. As we move into the 2nd decade of the 21st century, security on the Internet in general, and for e-mail specifically, must become personalized. We can no longer afford to count on the ability, or lack thereof, of a filter to guess what is good/safe and what is not. The next era for e-mail security will be ruled by systems that provide and promote Sender Address Verification and Authentication.
  2. Domain forgery must be stopped; and we have the tools at our disposal to make this happen. The time has come, once and for all, for IT professionals to embrace and deploy BOTH Sender Policy Framework (SPF — www.openspf.org) and Domain Keys Identified Mail (DKIM — www.dkim.org).
  3. While it's true that “cloud computing” is well on its way to becoming the “2009 Buzzword of the Year,” the time has come for IT professionals to seriously consider moving the major security components of their e-mail infrastructure onto their own private islands within the greater computing cloud. Processes like anti-spam, anti-virus, anti-threat, compliance, data leakage prevention, and managed file transfer can be addressed more effectively and more efficiently before any data ever reaches the threshold of your private network.
  4. In a difficult economy like we have today, e-mail is a more important tool than ever. E-mail is the ultimate asynchronous communication tool and is critical as a cost effective means for individuals to communicate over long (and short) distances. In both the medium and long terms, IT professionals must continue to strengthen their e-mail infrastructures. Now is not the time for cost cutting with respect to e-mail.
  5. Early this month Google announced their newest project: Wave (wave.google.com/help/wave/about.html). While it is too early to tell if this new project/protocol will have any real impact in the near term, looking forward 18 – 36 months, this is something upon which IT professionals should keep close watch. If Google is even remotely successful, and who would bet against Google, this new and open protocol has the potential to completely change the way people communicate on the Internet through the merging of e-mail, instant messaging (IM), and real-time collaboration.

Social Media Tips For Business Owners And Entrepreneurs

Just got some nice digital ink on SanDiego.com.

Social Media Tips For Business Owners And Entrepreneurs (http://tinyurl.com/nhbwb8)

“Seek to understand before asking to be understood,” Golan said. “This is not going to be an overnight thing.”

Social Networking Lessons Can Catalyze E-mail

I just had the following article published by Computer Technology Review:

Social Networking Lessons Can Catalyze E-mail
(http://tinyurl.com/computer-tech-review-20090512)

The popularity of social networking sites over the past decade has stemmed from the connectivity these sites afford users and the ability to coalesce around the commonality of a hobby, profession or past experience. However, their pervasive appeal in part can be attributed to the inherent security these sites offer (in the form of identity confirmation) that other mediums of communication don’t. Facebook, the originator, intervenes at the onset of every relationship to ask users to agree to communicate through its “friend request.”  Without an agreement, the relationship doesn’t evolve and access is denied. The identity confirmation principle is critical because it affords users the means to control relationships, information and access.

Facebook owes its existence to e-mail, its electronic predecessor. Unlike today’s social networking sites, e-mail evolved when electronic connectivity was in its infancy and potential future ramifications were unknown. Without an understanding of what the future would hold (including potential for misuse), the early e-mail forefathers didn’t necessarily have a need to consider e-mail security within the initial model — a painful absence felt by any everyday user today. Add to this equation the fact that e-mail is now so ubiquitous and entrenched in today’s lifestyles that everyday functions grind to a halt in its absence, and it is clear that it’s time for e-mail to evolve to the level of its social networking counterparts.

E-Threats Worsen and Exact a Higher Price

A recent Google study estimates that 94 percent of all e-mail is spam. But worse than the annoyance of receiving one (or more) of the billions of spam messages sent daily, these e-mails include malicious components such as “worms,” “Trojans,” “bots” and other Internet “crimeware” and “scareware”.  As new and innovative threats emerge, it’s clear that spammers are using increasingly advanced “business” models with the dual purpose of increasing their effectiveness and providing the needed subterfuge.

Today’s threats are also more resistant to conventional filtering efforts.  One such hazard is location-based spam. As part of the social engineering threat vector, these threats yield greater success because they don’t originate through an ISP that can readily be acted against, and they are tag-resistant because of their benign language and content (the McColo crackdown, as large as it was, will soon seem amateur in comparison).

Location-based spam is tailored to the recipient’s geographic location — data that can be easily discovered from the IP addresses used by inbound e-mail servers.  This enables spammers to use classic affinity fraud techniques and develop personally-relevant attacks. Fraudsters send targeted e-mails, with geographically-germane information, which elicit the desired higher click rate and transport recipients to fraudulent websites. There, spammers can put into play a variety of techniques, from infecting visitors’ computers via e-cards, to prompting the viewing of a virus-containing video of a purported local disaster and other ploys to exploit the unsuspecting. The ultimate objective is to collect personal information for later attacks and/or identity fraud. This more personalized spamming (or “spear phishing”) is relatively resistant to status quo filter methodologies because it contains pertinent information, is sent in small batches through “botnet” channels, and seems highly authentic.

On-Line Identity Confirmation Changes the Game

How then can IT administrators and end-users protect themselves from an antagonistic on-line environment?  Identity confirmation, the central tenet of social networking, is the missing link in today’s hostile e-mail environment and the means by which to re-establish e-mail as a trusted communications tool.

The world has changed since the birth of e-mail and it’s no longer reasonable for end users to be electronically open to the universe: identity confirmation is necessary.  In reality, social networking’s friend request has nothing to do with friends—it is an invitation to access, an opening of the security screen. Networking sites are so attuned to “access is key” that they offer adaptable levels of entrée, from varying access to the Wall, to the tweaking of privacy settings.

E-mail security solutions that leverage identity confirmation (using a method similar to the friend request of the social networking site) to secure the end-user’s inbox are able to provide organizations with more advanced levels of protection.  As opposed to filter-based solutions that focus on scanning content, these solutions focus on the validity of contacts themselves to determine the legitimacy of an e-mail message.

The typical filter-based solution is only able to guess (be it an educated one or not) as to whether an e-mail message is spam or not.  In addition, even if a message does not meet the traditional definition of “spam,” it isn’t necessarily a message the recipient would like to receive.  Differentiating between wanted and unwanted messages is a task that filter-based solutions are unable to accomplish, but one that solutions focusing on the relationship between sender and recipient can. Ultimately, solutions that focus on the sender of a message allow users to create their own network of trusted contacts – once and for all putting the e-mail user in control of their inbox as opposed to the solution protecting it.

The Solution

Sendio’s E-mail Security Platform (ESP) is one example of a solution that focuses on the relationship between sender and recipient, as opposed to the content of a message to secure an organization’s e-mail infrastructure and restore trust in e-mail communications. Similar to the friend request utilized by popular social networking sites, the ESP utilizes a technology called Sender Address Verification (SAV), in conjunction with a number of other security technologies, to confirm senders as trusted e-mail sources and automatically build each e-mail user’s trusted network of contacts.

According to Gilbert Mendoza, IT Security Administrator at Pechanga Resort & Casino, California’s largest casino, based in Temecula, Pechanga implemented Sendio’s solution to address the huge amount of time his users were spending sorting through spam and looking for false positives.  The “opt-in” component of the solution was the most compelling for Mendoza: “Sendio’s ESP works because it uses the right approach for attacking the problem of spam – Sender Address Verification (SAV) to prevent spam and the loss of ‘good’ e-mails that previously wound up in limbo.”

By believing that people, not filters, should choose who they interact with, Sendio guarantees delivery of all clean messages and protection from e-mail borne attacks. In today’s on-line risk environment, filter-based e-mail security solutions are no longer able to effectively address the threats e-mail servers and inboxes face.  Taking a lesson from its social networking counterpart, it is time for the e-mail paradigm to shift and adopt the security measures needed to catalyze e-mail to become the trusted tool users need.

For everyone there is a first time (publishing to YouTube)

Check out my first ever YouTube video posting.

Pandemic or Epidemic

(http://www.youtube.com/watch?v=_pQiayVZWUg)

Going Green: How Environmentally Friendly is your Company’s Anti-Spam Solution?

I originally posted the following at CIO.com (http://tiny.cc/Pvz1g)

Last week McAfee, in conjunction with ICF International, published The Carbon Footprint of E-mail Spam Report, a report that details the “carbon footprint” of sending, receiving, and viewing spam. A novel new concept – the environmental impact of spam?

One of the most significant findings of the report was that nearly 80% of the energy consumed by spam comes “from end-users deleting spam and searching for legitimate e-mail (false positives).” The act of sending a spam message consumes less than 1% of the GHG emissions associated with any given spam message – the real “damage,” so to speak, is done once the spam message hits a user’s inbox (27% of GHG emissions are a result of false positives and 52% of emissions are a result of viewing spam).

I have to ask the question here: if the “damage” being caused is more or less in our hands (i.e. once the spam message reaches our inbox), is there such a thing as a “green” anti-spam solution we can implement to address the problem? Logic would say yes – anti-spam solutions that are able to eliminate false positives, and minimize the amount of spam end-users receive and view, are by course of reason and logic “green” solutions.

Here, let’s explore the three criteria organizations can use to determine how “green” their anti-spam solution is: number of false positives, spam messages viewed, and methodology used to stop spam.

False Positives
Twenty-seven percent of GHG emissions resulting from a typical spam message are the result of false positives. Anti-spam solutions that may block a high percentage of spam (98 or even 99%), but result in a high number of false positives, are usually more trouble than they are worth. While your end-users may not have spam in their inbox, the time spent searching for legitimate messages in a junk folder is costly in terms of lost productivity and environmental impact.

False positives are typically a problem that is inherently associated with filter-based anti-spam solutions – solutions that are built to avoid false positives, and don’t rely on a “spam filter” to scan the content of a message, are more effective in addressing this “environmental” concern and time eater.

Spam Viewed
A staggering fifty-two percent of GHG emissions resulting from any given spam message are a result of viewing that piece of spam. This criterion couldn’t be any simpler: the higher the spam stop-rate (i.e. 95, 96, 97 %) of your solution, the more environmentally friendly it is. If your solution doesn’t allow spam messages to reach end-users’ inboxes, then your users aren’t spending time viewing or deleting these messages, and ultimately the GHG emissions associated with any one of these messages are eliminated.

Or, even better, select a solution that won’t allow spam through, period. Here, I’m sure to hear a resounding… “easier said than done!” However this point comes back to the methodology behind your solution and how it addresses the problem of spam.

Let’s discuss…

Solution Methodology
Sixteen percent of GHG emissions associated with a spam message can be traced back to the spam filter that worked to stop that spam message. Needless to say, without any anti-spam filter in place, emissions would increase dramatically in other areas (such as spam viewing), and any solution is better than none. However, some are better than others, and today organizations have a plethora of choices when it comes to selecting an anti-spam solution – and no longer need to rely on filter-based solutions to solve their spam problem.

Increasingly, organizations are moving away from “filter-based” solutions, to solutions that focus on the trustworthiness of the sender, not the content of the message. Although spam filters have gotten “better,” they still create an arms race – spammers are continually looking for new and innovative techniques to break or circumvent the filters and filtering companies are continually creating updates to combat these new attacks. This ping pong effect results in more spam, more management, and a problem that isn’t solved.

Sendio (for the enterprise), Earthlink, Spam Arrest, and Boxbe (for individuals) are all companies that have rolled out solutions that adopt an “Opt-in Model” to stop spam. Similar to many popular social networking sites, (such as Facebook and LinkedIn) these solutions utilize something similar to the “friend request,” allowing users to build their own network of trusted contacts instead of relying on a filter to determine what is and isn’t spam. By adopting an approach that puts users in control, organizations can truly address their spam problem – and totally eliminate false positives as well as spam viewed. To eliminate the time and carbon emissions associated with these two components eliminates nearly 80% of the carbon emissions associated with spam!

Ultimately, how environmentally friendly your anti-spam solution is, is directly correlated to how effective that solution is – and implementing anti-spam solutions that are highly effective, will be both good for business and for the environment.

Follow me on twitter: http://twitter.com/sendio & http://twitter.com/talgolan

Phishing, with a side of Swine Flu

I just read the following on the MSNBC web site:
(http://tinyurl.com/msnbc-phishing-swine-flu)

Phishing with Swine Flu as bait

Phishers and spammers have caught Swine Flu fever and are exploiting fears around the outbreak to try to sell pharmaceutical products or steal information, security experts said Tuesday.

The e-mail scams have a subject line related to the Swine Flu and typically contain either a link to a phishing Web site or an attachment that contains malicious code, the US-CERT said in an advisory.

Stuff like this reminds me how evil some people can be, and how ubiquitous email has become. Let’s be clear, these types of attacks always happen through email. Not through websites. Not through your fax machine. Not via instant messaging (IM), or SMS. These attacks don’t reach you via your cell phone, and these attacks don’t arrive via FedEx or UPS. It’s ALWAYS via email.

For the last decade companies like Microsoft, Cisco, Symantec, Google, McAfee, Trend Micro, Sonic Wall, Barracuda Networks, etc. have made (and spent) billions of dollars trying to convince us they know what they are doing when it comes to the security of our email. How much longer, and how many more exploits like this one, is it going to take before people realize that email, the original social networking application, deserves to be secured the same way Facebook, Twitter, LinkedIn, AIM, and Plaxo are secured?

Isn’t it time, once and for all, for authenticated email to take the main stage? What is everyone so afraid of? Threat free email is available, today, and is currently in use by millions of people and thousands of companies around the world.

It is time to stop the insanity. Continuing to do what you’ve always done (filtering your email) will always yield the mediocre results you are seeing today.

Preserving E-mail Infrastructure: Making do with what you have, and other lessons of the 1930’s

(originally posted 21 April 2009 on CIO.com)
http://tinyurl.com/talgolan-cio-blog-20090421

Over the past six months, we’ve found ourselves in an extraordinary set of economic conditions, that, as we are constantly reminded, we haven’t seen in years, decades, or as the cincher the media loves to use to really drive home the point – the Great Depression. Companies are doing more with less, cutting resources back in all departments and being forced to make difficult decisions about what their organization fiscally values.

IT departments are no exception; however, these teams are in the unique position where operations must go on under two sets of unprecedented conditions: an economic climate that stresses fiscal responsibility above all else, in conjunction with an unparalleled set of e-mail security threats that worsen by the day.

What is an IT department to do? Compromise security to preserve financial goals? Sit and wait? Or, hidden option C, take a few tough lessons from our depression-era counterparts and optimize services while avoiding expensive investments? If you’re thinking about going with the latter, here I discuss the first step: protect the server as the costliest and most important network component.

Go Back to the Basics

E-mail is the lifeblood of contemporary business communications. Any breakdown in this mission-critical tool and most companies come to a virtual halt – the crowds become just a little bit larger at the water cooler, and you’ll find the IT team in a strategy huddle in the server room.

In this type of environment, an IT department’s primary task is to keep the network infrastructure focused on and undistracted from its role of managing inbound and outbound e-mail—quickly and securely. However, despite a natural expectation that something so mission-critical will have iron-clad protection, from an insider’s perspective it is one of the most vulnerable corporate components – threats go far beyond the annoyance of spam to include malicious components such as phishing attacks, worms, Trojans, bots, and other Internet crimeware.

Under this set of circumstances, more than ever, it’s important to do the simple things exceedingly well, and keep the focus on the core of the organization’s infrastructure: the server. Doing what’s best for the server is usually in the best interest of the entire organization, including that of your team. Employing simple strategies that are in line with this focus will pay off by giving you the edge it takes to weather these conditions.

Make Do With What You Have

Give the Server a Focused and Undistracted Role

Because servers are robust tools demanding significant processing power, using an e-mail security solution for the heavy e-mail security lifting keeps the server focused on its core competencies. Resources that are able to take the e-mail burden off of the server should be utilized to the fullest extent possible, allowing server resources to be diverted to core assignments. Organizations may be surprised at how much bandwidth their organization’s e-mail traffic requires, and similarly what the true value of that additional bandwidth is.

Sidestep Server Upgrades and Replacements

Organizations that are preserving Microsoft Exchange 2000, 5.5 or earlier versions don’t benefit from any form of sender DNS checking or recipient checking on inbound e-mail communications. In-house resources that are able to perform these checks before e-mail enters the network boost a department’s e-mail infrastructure security, but do not require additional server resources. These potentially performance-amplifying tools dramatically reduce the volume of e-mail burdening the infrastructure and mitigate the need for pricey server upgrades or replacements.

Protect the Server from Outside Exposure

Deploying an e-mail security appliance first in the line of defense (behind the corporate firewall) buffers the server from unnecessary outside communication, and takes full responsibility for anti-spam/anti-virus processing and bandwidth. Solutions configured to sit in front of the server mitigate exposure and are able to handle inbound/outbound e-mail communication as well as the accompanying assaults.

Employ Smart Host Services

An e-mail security appliance with smart host services can protect the server from communicating directly over SMTP with outside servers—always risky—and provides a “perfect” delivery path within the internal network. One with mailbagging support does away with the need for “non-deliverable” status messages to be generated or e-mails to be resent, both of which distract and contribute to annoying e-mail volley.

Invest Wisely

When there is an opportunity to invest in your department’s e-mail infrastructure: invest wisely. Choose solutions and technologies that will support, boost and protect the existing infrastructure as opposed to those options that will further tax already limited resources. To those who don’t believe: there is always a better way and there are always new and innovative options to those age old problems you thought had been solved five years ago. Taking the time to research the problem up front and finding a solution that will actually solve the problem will pay off multiple times over in the form of you and your team’s time and sanity.

Out with the Old, In with the New

A little technology based spring cleaning – my thoughts on malware and e-mail security technologies that are being phased out and the newer, better technologies that are taking their place:

The first technology being replaced is the traditional spam filter. As we all know, the percentage of spam and unwanted e-mail has been steadily increasing for the last decade. Clearly, the concept of filtering e-mail based on content has failed to even make a dent in the problem. Even the best spam filters, all based on a blend of heuristics and/or Bayesian probability, have proven to be reactive and ineffective. The replacement for these failed systems is e-mail address verification. Only through the establishment of human-to-human e-mail address verification can people begin to regain their confidence in e-mail as a trusted form of communication for business.

The next technology being replaced is signature based anti-virus tools. Gone are the days when enterprises can rely on a single vendor, or even a group of vendors, to provide virus definitions and scanning tools. Intelligent pattern recognition engines, like those provided by Commtouch RPD, are proving to be more effective and more efficient than traditional signature based tools.

Next, all technologies that call themselves “IP Reputations” technologies are on their way out. Products and services like Spamhaus, Spamcop, and other blacklisting databases are the cancer of the Internet and cause more harm than good. As the world moves from IPv4 to IPv6, these IP Reputation tools/systems/databases will become irrelevant.

Finally, from a security perspective, IPv4 is on its way out, to be replaced with IPv6. This transition is well underway within the confines of wireless networks and large private networks, and will soon be making its way into the public domain.

SC Magazine: Protect your email domain

Check out my opinion piece, published 10 April 2009, in SC Magazine’s print edition and on-line…

SC Magazine (http://www.scmagazineus.com/Protect-your-email-domain/article/130481/)

Of all the struggles associated with securing email, one of the most basic is the identification and prevention of domain name forgery. Email has become an essential tool for business, however, there is absolutely no security layer required when an email message is sent and/or received.

Two promising technologies have been developed to protect against domain name forgery. Unfortunately, both have been lumped into the “anti-spam” category. While preventing some email spam is a minor side effect of these technologies, this mis‑characterization appears to have limited the widespread adoption of these technologies.

Sender Policy Framework (SPF) is designed to empower domain owners to limit the ability of their domains to be forged within email addresses. SPF records are published via DNS and provide domain owners a means to specify which mail sources are legitimate for their domain.

Domain Keys Identified Mail (DKIM) is a cryptographic domain authentication protocol developed to protect against domain forgery within email addresses. DKIM is the merger of two similar concepts from Yahoo! and Cisco.

Here’s the catch… Both SPF and DKIM require domain owners to take responsibility for themselves. In this day and age, any business or organization that relies on email as a trusted channel of communication owes it to themselves and their customers/partners to implement SPF and DKIM for each of their domains as soon as possible. While some consider this to be a “chicken and the egg” proposition, it’s clear that now is the time for responsible internet citizens to step up and embrace these important technologies.
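To make the SPF half of the SPF/DKIM recommendation (items 2 and the "Protect your email domain" piece above) concrete, here is an added example of the check a receiving mail server performs: it reads the domain's published policy and decides whether the connecting IP is an authorized source. This is illustrative code written for this page, not Sendio's or any library's implementation; the domains, addresses and records in it are constructed sample data, and a dictionary stands in for the DNS TXT lookups a real receiver would do. It handles the ip4, ip6, include and all terms with all four qualifiers; the a, mx and exists mechanisms are left out because they need live DNS.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (domain -> published SPF record).
# These domains, addresses and records are made-up sample data, not real
# published policies. Only the fields a receiver needs to evaluate SPF are kept.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:1::/48 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

# Qualifier prefix -> SPF result when the mechanism it prefixes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain from the constructed table (None if absent)."""
    return SPF_RECORDS.get(domain)


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the domain's SPF policy for the connecting sender IP.

    Returns one of the RFC 7208 result names: pass, fail, softfail, neutral,
    none or permerror. Only ip4, ip6, include and all are implemented here;
    anything else is reported as permerror so a gap is never mistaken for pass.
    """
    if depth > 10:                      # RFC 7208 caps DNS-based terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                   # no policy published for this domain
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                   # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                 # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True              # "all" always matches; it ends evaluation
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address or prefix
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced policy yields "pass";
            # a missing referenced record is a permanent error per RFC 7208
            sub = check_spf(sender_ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # a/mx/exists/redirect not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def evaluate_samples():
    """Run the checker over constructed sender IPs and return the results."""
    cases = [
        ("192.0.2.77", "example.com"),        # directly listed ip4 range
        ("198.51.100.10", "example.com"),     # authorized via include
        ("2001:db8:1::5", "example.com"),     # ip6 range inside the include
        ("203.0.113.5", "example.com"),       # not listed anywhere -> -all
        ("203.0.113.6", "softfail.example"),  # unlisted, policy ends in ~all
        ("192.0.2.1", "nospf.example"),       # domain publishes no record
    ]
    return {f"{ip} @ {dom}": check_spf(ip, dom) for ip, dom in cases}


if __name__ == "__main__":
    for sender, result in evaluate_samples().items():
        print(f"{sender:35} -> {result}")
```

A forged From: domain whose owner publishes "-all" lands on the fail branch here, which is the whole point of the recommendation: the receiver no longer has to guess from content.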

McAfee report says: Spam e-mails killing the environment

While I can’t comment on the science behind McAfee’s study, if it’s to be believed, that would make Sendio the single most eco-friendly anti-spam product on the planet!

Hot off the digital presses… Spam e-mails killing the environment, McAfee report says

McAfee’s Avert Labs recently reported the significant impact that spam is having, not just on our inboxes, but on the environment. The novelty of this angle aside, shouldn’t people be asking themselves how it is possible this problem has been allowed to get so bad? Let’s assume we like the idea of elevating spam to a place where it is considered to be an environmental hazard (I think it’s even worse — more like an environmental disaster — but the promotion is long overdue); clearly the time has come to ask “who has been asleep at the switch?”

Back in the 1970’s it became obvious that air pollution was caused, to a large extent, by exhaust from automobiles and trucks. Once this fact had been established, the question became… “What are we going to do about it?” If air pollution had been addressed like email pollution, we would have simply trusted the auto manufacturers to make things better. In light of today’s study from McAfee, I think it is safe to say that anti-spam filters = auto manufacturers. While the automobile industry has certainly made great strides in the areas of fuel efficiency and emissions, they have never come close to getting ahead of the curve or actually fixing the problem.

Just like the US auto industry has failed to keep pace, from an innovation perspective, with their competitors around the globe, the developers of anti-spam filtering technologies have, obviously, failed to keep pace with spammers. As Albert Einstein said, “The definition of insanity is doing the same things, over and over again, expecting different results.” Like the US auto industry, the US anti-spam filtering industry is bloated, stuck in the past, is stagnant, and is losing the arms race to the bad guys.

Fortunately for us, the challenge to improve air quality was not simply “trusted,” or handed-over, to the auto industry alone. We realized that individuals needed to get involved. We, the people, needed to make changes to the way we did/do things. We came to understand that to help ourselves we needed to actively engage; not simply sit back and hope some passive system would make everything better.

The time has come, once and for all, for “we the people” to take a stand against spam! Clearly, the mammoth companies, like McAfee, Cisco, Symantec, Google, Barracuda Networks, etc., that make anti-spam filtering tools have failed to save our environment from this polluting scourge. If we, as individuals and collectively as businesses, don’t start looking beyond the status quo with respect to failed anti-spam filtering, we are not only going to lose e-mail as a tool, we are going to hasten the deterioration of our physical environment.

Valentine’s Day Spammers

I came across this article last night, “Botnet Operators Gearing Up for Valentine’s Day Spammers try to play Cupid, with a dark twist” by Richard Adhikari with Internet News (http://www.internetnews.com/security/article.php/3802331) and can’t help but think there is nothing new here.

The “bad guys” are well funded and have developed sophisticated tool-sets to evade detection by content driven and IP reputation based security systems.

While I’m not extremely familiar with the term “fast flux DNS,” this is a perfect illustration of why DNS blacklisting (a.k.a. IP reputations) is such a waste of time as currently implemented by folks like Websense, etc. The “bad guys” know that as long as they are competing against reactive technologies like content filters and DNS blacklists they will ALWAYS be ahead of the curve.

Points of Pain

A recent article I wrote for ADVANCE for IT Executives on-line magazine (http://health-care-it.advanceweb.com) dealt with the challenges unique to the health care industry, which finds itself in the cross hairs because its routine communications employ terminology similar to that of the purveyors of smut and spam. Common industry words, in their context benign, such as “breast” or “Viagra,” pose particular problems for filtering mechanisms, which can’t distinguish between purveyors of smut and patient communications or correspondence from health care colleagues. Think about how costly, time-consuming and distracting that misjudgment can be. In a reflection of how tightly intertwined spam and the health care industry are, in October 2008, a U.S. District Court shut down what had been called the largest “spam gang” in the world after amassing more than three million complaints about the operation’s attempt to sell prescription drugs, weight-loss pills and male-enhancement products.

So while the health care community is particularly hampered by the inherent flaws of traditional spam filtering mechanisms which were designed to only guess at the safety of the message by screening for “suspect” words, that industry isn’t alone in feeling acute pain. If we randomly selected IT Administrators from any range of industries and forced them into a group session, every one of them could fill hours on the couch with stories about how their resource allocations were haywire dealing with spam.

To reuse a very recently overused cliché, if the definition of insanity is doing the same thing over and over in anticipation of a different outcome, then we might all need group therapy or more. It leaves me wondering why so many are still using filter technology in ever increasing variations, getting the same failed results, and trying yet another variation.

Zombie PCs Attack

Internet News published this article yesterday about zombie PCs (http://www.internetnews.com/security/article.php/3796526/The+Webs+Latest+Threat+Smarter+Zombies.htm) getting smarter and harder to track: they regularly request new IP addresses from their ISPs, ultimately rendering anti-spam software that works by blocking IPs useless:

Unfortunately, my first thought reading through this is a big “I told you so” to the universe of security experts who keep insisting that IP reputation is the silver bullet in the ongoing war against spam and other e-mail borne threats. Commtouch (www.commtouch.com) is a world recognized expert in the field of IP based reputation and should be taken at their word. If they say that IP reputation is finally dead, I would agree.

The fact that IP based reputation schemes are flawed has been well known to Sendio (www.sendio.com) for years. We have always believed the only type of security that really works is active security. All of the current IP reputation schemes are passive/reactive, employing complex algorithms to make guesses based on patterns and probabilities. Clearly, in a world where there is big money at stake, the bad guys are highly motivated to find mechanisms that allow them to evade these passive security paradigms.

I believe the time has come for the security community-at-large to recognize that we need to move away from passive guessing schemes to active authentication methodologies.

Cisco’s annual security study is out, and…

Cisco’s annual security study is out, and not surprisingly personalized spam and phishing attacks are on the rise:

http://ibtimes.com/articles/20081217/personalized-spam-rising-sharply-study-finds.htm

Personalized spam rising sharply, study finds
By JORDAN ROBERTSON

SAN FRANCISCO (AP) — Yes, guys, those spam e-mails for Viagra or baldness cream just might be directed to you personally. So, too, are many of the other crafty come-ons clogging inboxes, trying to lure us to fake Web sites so criminals can steal our personal information.

A new study by Cisco Systems Inc. found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use.

Unlike traditional spam, most of which is blocked by e-mail filters, personalized spam, known as “spear phishing” messages, often sail through unmolested. They’re sent in smaller chunks, and often come from accounts the criminals have set up at reputable Web-based e-mail services. Some of the messages are expertly crafted, linking to beautifully designed Web sites that are bogus or immediately install malicious programs.

Cisco’s annual security study found that spam is growing quickly — nearly 200 billion spam messages are now sent each day, double the volume in 2007 — and that targeted attacks are also rising sharply.

More than 0.4 percent of all spam sent in September were targeted attacks, Cisco found. That might sound low, but since 90 percent of all e-mails sent worldwide are spam, this means 800 million messages a day are attempts at spear phishing. A year ago, targeted attacks with personalized messages were less than 0.1 percent of all spam.

The latest attacks include text-message spam, e-mails trying to trick business owners into coughing up credentials for their Google advertising accounts, or personalized “whaling” e-mails to executives claiming that their businesses are under investigation by the FBI or that there’s a problem with their personal bank account.

As the world’s largest maker of networking gear, Cisco is in a unique position to study the traffic flowing through its customers’ networks, which include the biggest Internet providers and corporations. The latest study was based in part on the company’s ability to monitor 30 percent of all Web and e-mail traffic through its hardware and software and a network of companies that contribute data.

Anti-Fraud is not Anti-Spam

One of the biggest problems with e-mail is the complete lack of an inherent security model. Like the telephone, most people have come to take e-mail for granted; expecting that it simply works. Most e-mail users do not know how easy it is to forge almost every aspect of an e-mail message. We have all received spam that, when viewed in our e-mail client (Outlook, Entourage, Gmail, etc.) appears to have been sent to us, from us. How can this happen?

There is a common misconception amongst many in the e-mail security space that anti-fraud technologies like Sender Policy Framework (SPF), SenderID and Domain Keys Identified Mail (DKIM) are part and parcel anti-spam technologies. While it is true that anti-fraud/anti-forgery technologies have a nice side-effect of preventing some spam, this is not their main goal. In addition, lumping these important technologies in as simply anti-spam misses the point and tends to diminish their importance.

Protecting your domain from e-mail forgery is up to you, the owner of the domain. Does your domain publish a Sender Policy Framework (SPF) record (http://www.openspf.org/)? If not, why? What are you waiting for? Is your inbound e-mail checked to see if the sender’s domain publishes an SPF record? If not, why? After all, if the sender’s domain administrator has elected to take domain forgery seriously, you should as well. Finally, are you recognizing DKIM (http://www.dkim.org/) signatures for inbound e-mail and is your e-mail server signing outbound e-mail?
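To make the inbound SPF check concrete, here is an added example (mine, not Sendio’s code and not the openspf.org reference implementation) that evaluates a connecting IP address against a domain’s published policy. The domains and SPF records are constructed and stand in for real DNS TXT lookups; the evaluator handles the ip4, ip6, include and all mechanisms plus the redirect modifier, and treats DNS-dependent mechanisms (a, mx, ptr, exists) as unsupported, which is a simplification of RFC 7208.

```python
"""Minimal SPF evaluator over constructed DNS data (added example, not
Sendio's code or the openspf.org implementation).  A production MTA should
use a full RFC 7208 library; this shows only the core mechanism logic."""
import ipaddress

# Constructed records for hypothetical domains, standing in for DNS TXT lookups.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "old.example": "v=spf1 redirect=example.com",
    "nospf.example": None,  # domain that publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=FAKE_TXT):
    """Return the SPF record for domain, or None if it publishes none."""
    return txt.get(domain)


def check_host(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate the sending IP against domain's SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-triggering terms
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:  # modifier, not a mechanism
            mname, _, marg = term.partition("=")
            if mname.lower() == "redirect":
                redirect = marg
            continue  # other modifiers (exp=, unknown) are ignored per RFC 7208
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_host(ip, arg, txt, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included policy: keep evaluating
        else:
            # Simplification: a, mx, ptr and exists need live DNS and are not
            # resolved here, so they are reported as a permanent error.
            return "permerror"
    if redirect:
        result = check_host(ip, redirect, txt, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"  # no mechanism matched and no "all" term was present
```

A receiving MTA would call check_host with the SMTP client’s IP and the domain of the MAIL FROM address; a “fail” result against a “-all” record is the signal that the sending domain’s owner wants forgeries rejected.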

In case you are wondering… Google, eBay, Yahoo, Cisco, and many other large companies are now on the DKIM bandwagon.
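The DKIM side of the inbound check starts with the body hash: before any signature over the headers is verified, the receiver recomputes the bh= value from the message body and compares it to the one in the DKIM-Signature header. Below is an added example (my code, not Sendio’s or dkim.org’s) of that step using the “relaxed” body canonicalization from RFC 6376; the message body and header are constructed for the example, and the b= value is a placeholder because the RSA signature check is not shown.

```python
"""DKIM body-hash (bh=) verification with relaxed body canonicalization
(RFC 6376 section 3.4.4).  Added example, not Sendio's or dkim.org's code.
The RSA signature over the headers (b=) is verified after this step and is
not implemented here."""
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """Canonicalize a body per the 'relaxed' algorithm: collapse runs of
    SP/HTAB to a single SP, strip trailing whitespace from each line, drop
    trailing empty lines, and end with one CRLF.  An empty body
    canonicalizes to the empty string."""
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body: the value carried in bh=."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, tolerating folded values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """True when bh= matches the body.  Only a=rsa-sha256 with relaxed body
    canonicalization is supported, so other combinations return False."""
    tags = parse_dkim_tags(dkim_header)
    if tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "relaxed":
        return False
    return tags.get("bh") == body_hash(body)


# Constructed sample message: the signing MTA computes bh= exactly as
# body_hash() does, so the header below is what a signer would have emitted.
SAMPLE_BODY = "Your appointment is confirmed.  \r\n\r\n"
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=clinic.example; s=sel1;\r\n"
    "\th=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=PLACEHOLDER_SIGNATURE"
)


def demo() -> tuple:
    """Return (intact_ok, tampered_ok): the intact body verifies, a body
    with a line appended in transit does not."""
    intact = verify_body_hash(SAMPLE_DKIM, SAMPLE_BODY)
    tampered = verify_body_hash(SAMPLE_DKIM, SAMPLE_BODY + "Click here\r\n")
    return intact, tampered
```

The canonicalization is where most hand-rolled verifiers go wrong: a single trailing space or an extra blank line would change the hash under the “simple” algorithm but not under “relaxed,” which is why most signers choose relaxed/relaxed. The well-known bh= of an empty body, 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=, is a handy check that the canonicalization is right.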

…and who says e-mail spam filtering works?

The following excerpt comes from MSNBC’s “The Red Tape Chronicles” :

[Let me begin by saying that you cannot make this stuff up!]

Friday: 10 Oct 2008
(http://redtape.msnbc.com/2008/10/att-customer-ca.html#posts)

AT&T reserves the right to change its terms of service by sending its Internet service customers an e-mail. Apparently, it also reserves the right to deposit those e-mails into its customers’ junk mail folders.

Last month, AT&T made some controversial changes to its Internet policies. Verbiage indicating that high-bandwidth users might experience some intentional slowdowns irritated some techies; another section that forces customers to use binding arbitration to resolve disputes annoyed consumer organizations; and an L.A. Times reporter bristled at the size of the full new agreement — 2,500 pages.

But Lance Mead, an AT&T Internet customer from Encino, Calif., almost missed the entire controversy. His notification of the new terms of service was sent via e-mail on Sept. 18, but AT&T’s own spam filters trapped the e-mail as spam and deposited it in his junk mail folder, he said. On a whim, he checked the folder and spotted the notice. He was furious.

Someone — anyone — please tell me how this is not proof positive that the entire premise behind e-mail spam filtering is seriously flawed? I completely understand that mistakes happen. However, these “mistakes” are also known as “false positives.” In the “e-mail game” it is the false positives that cost business real money. Is it really the end of the world if 5% to 10% of the e-mail received in your inbox is spam? Probably not. It is unnecessary, annoying, and unproductive to be forced to wade through spam, but missing an important e-mail thanks to the flawed concept of filters, a.k.a. guessing machines, should be considered absolutely unacceptable.

In Search of… A definition for e-mail spam

According to Wikipedia, e-mail spam is defined as follows:

“E-mail spam, also known as unsolicited bulk Email (UBE) or unsolicited commercial email (UCE), is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients. (http://en.wikipedia.org/wiki/Spam_(electronic)#E-mail_spam)”

This definition is okay, but is overly broad. I would like to propose the “Triangle of Spam” in an effort to more accurately define the problem.

Simply put, for any piece of e-mail to be considered “spam” it must be unsolicited, anonymous, and high volume. If any one (or more) of these characteristics is not met, the e-mail can be considered unwanted, but is not “spam.”

It is important to distinguish between “spam” and simply unwanted e-mail. For example, are “Lowest Fare” updates from United Airlines spam or, in my case, simply unwanted (I never fly United)? While I’m sure I did fly United at some point in the distant past, I certainly do not plan on flying United anytime soon. Technically speaking, United has the right, by virtue of our “previous business relationship,” to send me these updates. However, in my particular case, these are absolutely unwanted e-mails, but they cannot (or should not) be considered spam.

I am very interested to hear what other people think of the “Triangle of Spam.”

Some advice if HP really is trying for an ‘end-run’ around Windows

It sure would be a great move for the folks at HP (Hewlett-Packard) to build an operating system to further distinguish themselves within the terribly “me too” desktop hardware world. Simply put, if Apple can do it, why not HP?

Here is the article I read from Business Week…

HP’s ‘End Run’ Around Windows

“The carefully crafted ecosystem of tech companies built around Microsoft’s Windows operating system is showing signs of strain. Hewlett-Packard (HPQ), a longtime Microsoft ally, has quietly assembled a group of engineers to develop software that would make Windows Vista easier to use, or bypass some of its more onerous features. A Skunk Works of engineers at the company is even angling to replace Windows with an HP-assembled operating system, sources say.”

Do I think HP can build an operating system to compete with Windows? Absolutely. As of 12 Sept 2008, HP has a market cap of ~$115B and, according to BusinessWeek “HP is the world’s largest supplier of PCs, with about 19% market share, and analysts estimate overall sales will grow 10.3% this year, to $115 billion.” In my opinion, building an operating system is something HP must do if it intends to remain relevant in the years to come.

Keeping in mind that I hope this is all true and the folks at HP really do have the guts, I would like to offer the 3 following suggestions:

  1. Whatever you do, make sure you launch with a full-blown (and functionally complete) replacement for Outlook (use Evolution as your starting point). This will be key to your success. Winning the “hearts & minds” of corporate/business users will be what makes this venture successful. Do not forget: E-mail is still the Internet’s “killer app!” To be very specific, for better or worse, your Outlook replacement must fully integrate with Microsoft Exchange (2003/2007+). This means group calendaring, contacts (address books), notes, public folders, rules, etc. If you want to know what you need, take a look at Entourage 2008, compare its support with Outlook 2007, and fill in the gaps. Entourage 2008 is about 75% good enough.
  2. Work closely with the OpenOffice developers and the folks at Sun to assure the OpenOffice productivity suite is as close to being a real replacement for Microsoft Office as possible. I use OpenOffice on a daily basis and think it’s great; however, there are still way too many formatting and usage incompatibilities with Microsoft Office, particularly with Word & PowerPoint. You need to spend the money to make sure OpenOffice and Microsoft Office can be used as interchangeably as possible.
  3. Make sure you work with RIM to assure compatibility with their BlackBerry PDAs, their desktop software, and their BES (BlackBerry Enterprise Server).

If you are reading this and happen to be from HP… Good luck! I, and a huge percentage of the free world, are pulling for you. I will be happy to help any way I can.