Top 5 technologies/trends that every IT professional should be thinking about with respect to e-mail

1. Anti-spam filtering can no longer be considered a reliable tool for protecting your e-mail infrastructure and/or your users from the many threats that use e-mail as their primary insertion vector. Smart IT professionals have come to realize it is impossible to determine intent from content. As we move into the 2nd decade of the 21st century, security on the Internet in general, and for e-mail specifically, must become personalized. We can no longer afford to count on the ability, or lack thereof, of a filter to guess what is good/safe and what is not. The next era for e-mail security will be ruled by systems that provide and promote Sender Address Verification and Authentication.
2. Domain forgery must be stopped; and we have the tools at our disposal to make this happen. The time has come, once and for all, for IT professionals to embrace and deploy BOTH Sender Policy Framework (SPF — www.openspf.org) and Domain Keys Identified Mail (DKIM — www.dkim.org).
3. While its true that “cloud computing” is well on its way to becoming the “2009 Buzzword of the Year,” the time has come for IT professionals to seriously consider moving the major security components of their e-mail infrastructure onto their own private islands within the greater computing cloud. Processes like anti-spam, anti-virus, anti-threat, compliance, data leakage prevention, and managed file transfer can be addressed more effectively and more efficiently before any data ever reaches the threshold of your private network.
4. In a difficult economy like we have today, e-mail is a more important tool than ever. E-mail is the ultimate asynchronous communication tool and is critical as a cost effective means for individuals to communicate over long (and short) distances. In both the medium and long terms, IT professionals must continue to strengthen their e-mail infrastructures. Now is not the time for cost cutting with respect to e-mail.
5. Early this month Google announced their newest project: Wave (wave.google.com/help/wave/about.html). While it is too early to tell if this new project/protocol will have any real impact in the near term, looking forward 18 – 36 months, this is something upon which IT professionals should keep close watch. If Google is even remotely successfully, and who would bet against Google, this new and open protocol has the potential to completely change the way people communicate on the Internet through the merging of e-mail, instant messaging (IM), and real-time collaboration.

Going Green: How Environmentally Friendly is your Company’s Anti-Spam Solution?

I originally posted the following at CIO.com (http://tiny.cc/Pvz1g)

Last week McAfee, in conjunction with ICF International, published The Carbon Footprint of E-mail Spam Report, a report that details the “carbon footprint” of sending, receiving, and viewing spam. A novel new concept – the environmental impact of spam?

One of the most significant findings of the report was that nearly 80% of the energy consumed by spam comes “from end-users deleting spam and searching for legitimate e-mail (false positives).” The act of sending a spam message, consumes less than 1% of the GHG emissions associated with any given spam message – and the real “damage” so to speak is done once the spam message hits a user’s inbox (27% of GHG emissions are a result of false positives and 52% of emissions are a result of viewing spam).

I have to beg the question here, if the “damage” being caused is more or less in our hands (i.e. once the spam message reaches our inbox), is there such a thing as a “green” anti-spam solution we can implement to address the problem? Logic would say yes – anti-spam solutions that are able to eliminate false positives, and minimize the amount of spam end-users receive and view, are by course of reason and logic “green” solutions.

Here, lets explore the three criteria organizations can use to determine how “green” their anti-spam solution is: number of false-positives, spam messages viewed, and methodology used to stop spam.

False Positives
Twenty-seven percent of GHG emissions resulting from a typical spam message are the result of false positives. Anti-spam solutions that may block a high percentage of spam (98 or even 99%), but result in a high number of false positives, are usually more trouble than they are worth. While your end-users may not have spam in their inbox, the time spent searching for legitimate messages in a junk folder is costly in terms of lost productivity and environmental impact.

False positives are typically a problem that is inherently associated with filter-based anti-spam solutions – solutions that are built to avoid false-positives, and don’t rely on a “spam-filter” to scan the content of a message are more effective in addressing this “environmental” concern and time eater.

Spam Viewed
A staggering fifty-two percent of GHG emissions resulting from any given spam message are a result of viewing that piece of spam. This piece of criteria couldn’t be any simpler: the higher the spam stop-rate (i.e. 95, 96, 97 %) of your solution, the more environmental friendly it is. If your solution doesn’t allow spam messages to reach end-user’s inboxes, then your users aren’t spending time viewing or deleting these messages, and ultimately the GHG emissions associated with any one of these messages is eliminated.

Or, even better, select a solution that won’t allow spam through, period. Here, I’m sure to hear a resounding… “easier said than done!” However this point comes back to the methodology behind your solution and how it addresses the problem of spam.

Let’s discuss…

Solution Methodology
Sixteen percent of GHG emissions associated with a spam message can be traced back to the spam filter that worked to stop that spam message. Needless to say, without any anti-spam filter in place, emissions would increase dramatically in other areas (such as spam viewing), and any solution is better than none. However, some are better than others, and today organizations have a plethora of choices when it comes to selecting an anti-spam solution – and no longer need to rely on filter-based solutions to solve their spam problem.

Increasingly, organizations are moving away from “filter-based” solutions, to solutions that focus on the trustworthiness of the sender, not the content of the message. Although spam filters have gotten “better,” they still create an arms race – spammers are continually looking for new and innovative techniques to break or circumvent the filters and filtering companies are continually creating updates to combat these new attacks. This ping pong effect results in more spam, more management, and a problem that isn’t solved.

Sendio (for the enterprise), Earthlink, Spam Arrest, and Boxbe (for individuals) are all companies that have rolled out solutions that adopt an “Opt-in Model” to stop spam. Similar to many popular social networking sites, (such as Facebook and LinkedIn) these solutions utilize something similar to the “friend request,” allowing users to build their own network of trusted contacts instead of relying on a filter to determine what is and isn’t spam. By adopting an approach that puts users in control, organizations can truly address their spam problem – and totally eliminate false positives as well as spam viewed. To eliminate the time and carbon emissions associated with these two components eliminates nearly 80% of the carbon emissions associated with spam!

Ultimately, how environmentally friendly your anti-spam solution is, is directly correlated to how effective that solution is – and implementing anti-spam solutions that are highly effective, will be both good for business and for the environment.

Follow me on twitter: http://twitter.com/sendio & http://twitter.com/talgolan

Phishing, with a side of Swine Flu

I just read the following on the MSNBC web site:
(http://tinyurl.com/msnbc-phishing-swine-flu)

Phishing with Swine Flu as bait

Phishers and spammers have caught Swine Flu fever and are exploiting fears around the outbreak to try to sell pharmaceutical products or steal information, security experts said Tuesday.

The e-mail scams have a subject line related to the Swine Flu and typically contain either a link to a phishing Web site or an attachment that contains malicious code, the US-CERT said in an advisory. (Read More…)

Stuff like this reminds me how evil some people can be, and how ubiquitous email has become. Let’s be clear, these types of attacks always happen through email. Not through websites. Not through your fax machine. Not via instant messaging (IM), or SMS. These attacks don’t reach you via your cell phone, and these attacks don’t arrive via FedEx or UPS. Its ALWAYS via email.

For the last decade companies like Microsoft, Cisco, Symantec, Google, McAfee, Trend Micro, Sonic Wall, Barracuda Networks, etc. have made (and spent) billions of dollars trying to convince us they know what they are doing when it comes to the security of our email. How much longer, and how many more exploits like this one, is it going to take before people realize that email, the original social networking application, deserves to be secured the same way Facebook, Twitter, LinkedIn, AIM, and Plaxo are secured?

Isn’t it time, once and for all, for authenticated email to take the main stage? What is everyone so afraid of? Threat free email is available, today, and is currently in use by millions of people and thousands of companies around the world.

It is time to stop the insanity. Continuing to do what you’ve always done (filtering your email) will always yield the mediocre results you are seeing today.

Why the cloud is a great place for enterprise email

Why the cloud is a great place for enterprise email.

• E-mail is required to be on-line 24 x 7 x 365 with “5 9s” reliability. Using cloud computing resources can give even small businesses the opportunity to provide email reliability that used to only be available to the largest enterprises. Medium to large enterprises can benefit by “off-loading” the responsibility of up-time to the cloud provider.
• Security. E-mail is perhaps the single most targeted vector for enterprise security attacks. Through judicious use of cloud computing, e-mail can be kept completely private while being kept at a distance.
• Bandwidth/resource conservation. Cloud computing allows enterprises of all sizes to keep e-mail threats away from their primary bandwidth sources. In addition, the computing resources required to protect the e-mail stream can be re-purposed for other activities.

SC Magazine: Protect your email domain

Check out my opinion piece, published 10 April 2009, in SC Magazine’s print edition and on-line…

SC Magazine (http://www.scmagazineus.com/Protect-your-email-domain/article/130481/)

Of all the struggles associated with securing email, one of the most basic is the identification and prevention of domain name forgery. Email has become an essential tool for business, however, there is absolutely no security layer required when an email message is sent and/or received.

Two promising technologies have been developed to protect against domain name forgery. Unfortunately, both have been lumped into the “anti-spam” category. While preventing some email spam is a minor side effect of these technologies, this mis‑characterization appears to have limited the widespread adoption of these technologies.

Sender Policy Framework (SPF) is designed to empower domain owners to limit the ability of their domains to be forged within email addresses. SPF records are published via DNS and provides owners a means to specify which mail sources are legitimate for their domain.

Domain Keys Identified Mail (DKIM) is a cryptographic domain authentication protocol developed to protect against domain forgery within email addresses. DKIM is the merger of two similar concepts from Yahoo! and Cisco.

Here’s the catch… Both SPF and DKIM require domain owners to take responsibility for themselves. In this day and age, any business or organization that relies on email as a trusted channel of communication owes it to themselves and their customers/partners to implement SPF and DKIM for each of their domains as soon as possible. While some consider this to be a “chicken and the egg” proposition, it’s clear that now is the time for responsible internet citizens to step up and embrace these important technologies.

Some advice if HP really is trying for an ‘end-run’ around Windows

It sure would be a great move for the folks at HP (Hewlett Packard) to build an operating system to further distinguish themselves within the terribly “me to” desktop hardware world. Simply put, if Apple can do it, why not HP?

Here is the article I read from Business Week…

HP’s ‘End Run’ Around Windows

“The carefully crafted ecosystem of tech companies built around Microsoft’s Windows operating system is showing signs of strain. Hewlett-Packard (HPQ), a longtime Microsoft ally, has quietly assembled a group of engineers to develop software that would make Windows Vista easier to use, or bypass some of its more onerous features. A Skunk Works of engineers at the company is even angling to replace Windows with an HP-assembled operating system, sources say.”

Do I think HP can build an operating system to compete with Windows? Absolutely. As of 12 Sept 2008, HP has a market cap of ~$115B and, according to BusinessWeek “HP is the world’s largest supplier of PCs, with about 19% market share, and analysts estimate overall sales will grow 10.3% this year, to $115 billion.” In my opinion, building an operating system is something HP must do if it intends to remain relevant in the years to come.

Keeping in mind that I hope this is all true and the folks at HP really do have the guts, I would like to offer the 3 following suggestions:

1. Whatever you do, make sure you launch with a full-blown (and functionally complete) replacement for Outlook (use Evolution as your starting point). This will be key to your success. Winning the “hearts & minds” of corporate/business users will be what makes this venture successful. Do not forget: E-mail is still the Internet’s “killer app!” To be very specific, for better or worse, your Outlook replacement must fully integrate with Microsoft Exchange (2003/2007+). This means group calendering, contacts (address books), notes, public folders, rules, etc. If you want to know what you need, take a look at Entourage2008, compare its support with Outlook 2007, and fill in the gaps. Entourage2008 is about 75% good enough.
2. Work closely with the OpenOffice developers and the folks at Sun to assure the OpenOffice productivity suite is as close to being a real replacement for Microsoft Office as possible. I use OpenOffice on a daily basis and think it’s great, however, there are still way too many formatting and usage incompatibilities with Microsoft Office, particularly with Word & PowerPoint. You need to spend the money to make sure OpenOffice and Microsoft Office can be used as interchangably as possible.
3. Make sure you work with RIM to assure compatibility with their BlackBerry PDAs, their desktop software, and their BES (BlackBerry Enterprise Server).

If you are reading this and happen to be from HP… Good luck! I, and a huge percentage of the free-world are pulling for you. I will be happy to help any way I can.