A bodyguard for your inbox

GEORGE BUTTERS AND STEPHEN BUTTERS

Special to Globe and Mail Update

Electronic mail protocols were designed in an era that naively believed the on-line world could and would police itself. But in the decade since the beginning of the mass commercialization of e-mail, that antiquated notion has given way to a darker reality: inboxes flooded with porn, our computers turned into zombies under the control of shady criminal hackers and our sensitive personal information stolen from under our very noses.

Despite the horrors lurking in our inboxes, e-mail continues to be a true killer application. More than a billion of us trade somewhere between 60 and 135 billion e-mail messages a day. And while a huge chunk of that is junk — estimates range from 40 to more than 90 per cent — that's still a lot of valid mail, making it an important business tool.

"For most companies, if e-mail goes down, the business goes down," says Rick Caccia, senior director with Symantec Corp.'s message and web security group based in California. "You can't take orders, employees can't talk to each other, you can't close deals and you can't respond to customers."

Standard e-mail is not secure, a revelation that shocks many of the people who use it daily. But, then again, it wasn't designed to be. Yet as people become more familiar with the limitations of basic e-mail systems, there are increasing demands that this vital communications tool be made safer.

"In addition to keeping the bad stuff out, there's a big push to keep the good stuff in, to keep the confidential e-mail confidential," Caccia says. "The first line of defence is going to be the administrators who run the mail servers."

The demand for better e-mail security has spawned a market for new programs and services. XPM Software's PerfectMail and NorthSeas AMT's Small Business Guard E/N are two of the players in this burgeoning niche.

XPM Software president Larry Karniss defines e-mail security as "using e-mail as a safe, reliable business tool" in an environment in which "the number of legitimate messages on average is a small percentage of the messages that a mail server is exposed to." In other words, an important requirement for secure e-mail is the ability to accurately separate the wheat from the chaff. But that's not easy. "A content filtering solution that is 95 per cent accurate makes a mistake one time out of 20," he says. "No business can tolerate that level of inaccuracy."

The main problem with the content-based approach to filtering messages, Karniss says, is that the creators of spam and "phishing" e-mails — those intended to lure recipients to bogus versions of legitimate websites that are set up to steal passwords and financial information — are in complete control of the content. "They specifically structure their messages to try to defeat that sort of content-based, consensus-oriented anti-spamming tool," he says. "The approach we ultimately settled on is a reputation-based approach." In other words, if the PerfectMail server recognizes you, it passes your mail along to the real mail server and into the proper inbox. If it doesn't, it will run legitimacy checks. "We check everything," Karniss says. "Is the sender who they say they are? Does the sender's mail server have a valid account?"

NorthSeas Guard E/N uses another technique called "greylisting," which delays the initial attempt by an unknown source to send an e-mail, then accepts it on the second try. "Spammers' systems are all automated and they are set to shut down a connection if there is any kind of delay," says NorthSeas chief executive officer Stephen Spence from the company's offices in Ottawa. "Anything that slows down their attack is not cool in their books, so they end up shutting down the connection and moving on."

Spammers also engage in "dictionary" attacks using test messages to find active e-mail inboxes. "They will send to Bob@ and Joe@ and Sue@, and what they are looking for are the ones that don't bounce back because the ones that don't bounce back are considered valid [e-mail addresses]. Then they'll use those for spamming, or sell them to spammers," Spence says. NorthSeas Guard E/N also uses a technique known as "tarpitting" to thwart this type of threat. It slows the processing of mail from any source that persists in attempts to send e-mail to non-existent users. "When we activated these features, my spam dropped to two to three a week. But I'd rather have my 60- or 70-a-day spam back than have one false positive," he says, referring to a legitimate message that gets blocked by the spam filter.
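The greylisting and tarpitting decisions described above can be sketched as follows. This is an added illustration, not code from NorthSeas, XPM Software or the original article; the class name, thresholds, addresses and sample traffic are all constructed assumptions.

```python
from dataclasses import dataclass, field

# All values below are assumed for illustration, not vendor defaults.
GREYLIST_MIN_RETRY = 300   # seconds an unknown sender must wait before a retry is accepted
TARPIT_THRESHOLD = 3       # unknown-recipient attempts before a source is slowed
TARPIT_STEP = 5            # extra seconds of delay per further attempt
TARPIT_MAX = 60            # upper bound on the delay added to each reply

@dataclass
class MailGate:
    valid_rcpts: set
    first_seen: dict = field(default_factory=dict)  # (ip, sender, rcpt) -> first attempt time
    misses: dict = field(default_factory=dict)      # ip -> attempts to non-existent users

    def tarpit_delay(self, ip):
        """Delay grows with each miss once a source reaches the threshold."""
        over = self.misses.get(ip, 0) - TARPIT_THRESHOLD
        return 0 if over < 0 else min(TARPIT_MAX, (over + 1) * TARPIT_STEP)

    def rcpt_to(self, ip, sender, rcpt, now):
        """Return (smtp_code, delay_seconds) for one RCPT TO command."""
        if rcpt.lower() not in self.valid_rcpts:
            # Dictionary-style probing: reject, and slow persistent sources.
            self.misses[ip] = self.misses.get(ip, 0) + 1
            return 550, self.tarpit_delay(ip)
        key = (ip, sender.lower(), rcpt.lower())
        seen = self.first_seen.setdefault(key, now)
        if now - seen < GREYLIST_MIN_RETRY:
            return 451, self.tarpit_delay(ip)  # temporary failure: real servers retry later
        return 250, self.tarpit_delay(ip)      # retry after the wait is accepted

# Constructed sample traffic: (time, source ip, envelope sender, recipient)
SAMPLE = [
    (0,    "198.51.100.7", "alice@partner.example", "sue@corp.example"),  # first try
    (10,   "198.51.100.7", "alice@partner.example", "sue@corp.example"),  # retry too soon
    (900,  "198.51.100.7", "alice@partner.example", "sue@corp.example"),  # proper retry
    (1000, "203.0.113.9",  "x@bulk.example", "bob@corp.example"),         # probing begins
    (1001, "203.0.113.9",  "x@bulk.example", "joe@corp.example"),
    (1002, "203.0.113.9",  "x@bulk.example", "ann@corp.example"),
    (1003, "203.0.113.9",  "x@bulk.example", "tom@corp.example"),
]

def demo():
    gate = MailGate(valid_rcpts={"sue@corp.example"})
    return [gate.rcpt_to(ip, s, r, t) for (t, ip, s, r) in SAMPLE]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, demo()):
        print(event, "->", result)
```

The legitimate sender is deferred twice and accepted on the later retry, while the probing source sees its rejections slow down from the third miss onward.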

To address this problem, XPM Software's Karniss says, "if we think that the inbound mail message is unwanted — we have no prior history with the sender or the sender's mail server and so on — we send a message to the sender saying, 'We think this message is unwanted. If we've made a mistake, here's how you can reach us by phone,' and spammers never phone."

Spam can be a big headache for businesses, but given how the e-mail system itself was originally designed — e-mails are more like postcards than letters in securely sealed envelopes — there's another security issue that has so far escaped the attention of most businesses, even those in highly-sensitive sectors such as law enforcement and financial services: The need for encryption.

Many people mistakenly think that e-mail is a "one-to-one communication," says Alfonso Licata, co-founder and executive vice-president of Echoworx Corp., a Toronto-based security solutions provider. "Say I send an e-mail to you. There's been a misconception that that e-mail just travels from me to you. We know for a fact that's not the case. It travels on a series of servers and is open for spoofing, open for tampering, and so on." Each one of those servers, or "hops" as they're called by system administrators, can keep a copy of any e-mail that it handles. The vast majority of e-mail messages and the attachments tagged to them are unencrypted, which leaves them open for examination on their journey through networks and servers.

The problem is that e-mail encryption has been either too much of a hassle or simply considered too "nerdy" for the tastes of most e-mail users. That's something Echoworx hopes to address with its user-friendly mail security system now being offered as a subscription service by Verizon, Bell South, USA.et and other large Internet service providers. "Our goal is to make e-mail encryption as ubiquitous as regular e-mail," Licata says.

Registered users download a small plug-in that places a button labelled "Secure" next to the usual "Send" button in a person's e-mail software. A useful twist allows registered users to send to unregistered recipients by creating a secret question/answer that allows the recipient to unlock encrypted messages. "This is a full, military-grade solution," Licata says.

Encryption isn't the only concern for businesses sending official information via e-mail. As courts have demonstrated recently, electronic documents are discoverable, which means that the law requires companies to be able to collect, store and retrieve those electronic documents. "Companies by and large don't have an e-mail archiving policy," Caccia says. "Yet about 75 per cent of Fortune 500 legal cases involved e-mail in discovery. So you need to be able to produce it. And to produce it, you have to be able to archive it. Most infrastructure today does not have a built-in way to do that."

While it provides e-mail security, NorthSeas Guard E/N also allows customers to use standard network storage as a centralized e-mail archive, taking that load off mail servers. Freeing up mail server storage is particularly important for businesses using hosted services where every stored megabyte costs money.

"E-mail storage on a mail server is a huge problem because e-mail volume has grown to such a magnitude," Spence says. His company's network device collects incoming and outbound e-mail, separates the contents from the "envelope" information and then saves the indexed data on a shared network drive.

So what's better for businesses: in-house or hosted e-mail services? Licata says hosted network services that include anti-virus, anti-spam and firewall solutions can be had for a few dollars per month per user, and "they're probably 10 times as good as anything I would have gotten 10 years ago, which would have cost me hundreds of thousands of dollars."

Others prefer to keep their e-mail systems in-house where they retain full control over the system and the message archive.

The choice between the two seems to fall somewhere along the 100-employee line. Those above it tend to go for in-house services, while smaller companies tend to opt for hosted solutions that are managed for them. But either way, says Symantec's Caccia, it's important for a business to assess its network's messaging vulnerabilities — from spam to security to storage — and begin to take steps to correct them.

"It's kind of a clichéd phrase, but you don't need to boil the ocean up front," he says. "You can get into this gradually, and doing something gradually is better than doing nothing."
