Internet Changes Everything: email Archives

Strategic Security: Developing a Secure E-Mail Strategy

Strategic Security: Developing a Secure E-Mail Strategy - Security - Network Computing

Message encryption, along with other measures, should be a critical part of your overall security strategy. But poor planning could leave your organization compliant and yet still unprotected. Here's how to choose the right combination of encryption and protection technologies to suit your needs.

Introduction
Encryption Options
Stop Viruses, Can Spam
Securing Mobile Devices

Oct 26, 2006 - By Christopher Beers

As an IT manager, your professional life is a balancing act in which you weigh the needs of your department against the reality of your budget. The range of potential purchases that makes up your budget proposal includes “critical” products, as well as not-so-urgent pet projects. Before you finalize next year’s capital budget, better be sure you’ve included funds for e-mail encryption in addition to virus scanning and content filtering.

E-mail security encompasses a wide variety of initiatives that attempt to reduce risk to employees, IT networks, intellectual property and customers. Recent legislation has forced businesses to implement various e-mail security initiatives that might not have been deployed voluntarily. Although virus scan-ning is old hat to most IT shops and content filtering is becoming just as common, encryption–a broad topic that is often overlooked by small businesses–is becoming increasingly important, especially given the rise of Wi-Fi hot spots and the use of handheld devices, such as Treos and BlackBerrys. The three types of e-mail encryption–boundary, staging server and end-to-end–offer varying levels of security. The type of encryption that makes sense for your company will depend on the kind of business you’re in and the type of content you need to lock down.

Bolt Down Your Email

Nearly half of 149 IT decision-makers for North American small companies surveyed by Forrester Research said they plan to spend capital in 2006 to secure e-mail. They’ll focus their capital on securing e-mail at the gateway, concentrating on spam, viruses and regulatory compliance. This trend is likely to continue and will probably increase in the coming years as companies realize the importance of e-mail security to their overall security strategy.

So which combination of encryption and protection is right for you? There’s no single answer. It’s safe to say, however, that a blind drive to meet bare-minimum compliance standards is a poor method for choosing an encryption-security solution–such a strategy could leave your organization compliant but still insecure.

Encryption Options

A variety of technologies have emerged in the encryption field. Boundary, or gateway, products attempt to encrypt e-mail before it leaves the corporate network. This method seems to have the most traction given its ease of implementation compared with that of other technologies. Staging-server encryption captures and stores secure e-mail locally on the network for remote users to retrieve over secure Web portals. Finally, end-to-end encryption offers the most secure scenario, encrypting the message immediately after the user clicks the Send button (see “Encryption Models,” right).

Large-scale deployments of completely secure e-mail are seen mostly in military, financial, health-care and government organizations. And growing businesses are more likely to deploy secure e-mail solutions for specific departments, such as finance, accounting and HR, according to Gartner. These highly secure e-mail systems are expensive, costing $20,000 to $200,000 for a 2,500-user installation, on top of the cost of an existing e-mail platform, Gartner estimates.

» Boundary Encryption

Boundary solutions work well for communications within the corporate network, but may not work for external e-mail, particularly to general consumers. In the boundary model of e-mail encryption, secure relationships are established with the boundary servers of both partner entities. This is typically a manual process, though it’s possible to configure some devices to automatically attempt to deliver the e-mail securely, and then fall back to normal mode if secure channels are unavailable. When a secure connection can be established, all e-mail sent between the two gateway servers is encrypted, which means when the data is most vulnerable, it has already been encrypted as it passes over the Internet. In this model, e-mail transiting within your corporate e-mail infrastructure is not encrypted.

Companies with encryption products in this arena include IronPort, Tumbleweed and Voltage Security. These vendors provide devices that serve as a barrier, residing on the edge of the network, filtering all incoming and outgoing messages for spam, malware and phishing.

More important, to address compliance issues, these devices also can provide encryption using a variety of technologies, including PGP, S/MIME and TLS (Transport Layer Security). TLS adoption continues to rise, and it’s likely to remain the preferred method through 2009. This is due to its popularity, acceptance and maturity as a secure transport. PGP (Pretty Good Privacy) is a free technology developed by the company of the same name and is effective and easy to use. It’s a public-key technology; servers share their public key and encrypt the message with a private key. Using the public key found and managed by Internet keyservers, receiving e-mail servers can decrypt messages. S/MIME (Secure/Multipurpose Internet Mail Extension) is similar to PGP. Encryption products operating at the boundary are best-suited for small companies that send sensitive data from one corporate entity to another. This solution gives them the most bang for the buck and secures e-mail where it’s most vulnerable.

» Staging-Server Encryption

Staging servers are used to store sensitive e-mail that can be retrieved later by the recipient on your secure network. If a user sends an e-mail to a domain that’s listed as secure by your outbound security filters, it’s routed to a server on your network. E-mail is then sent to the recipient notifying him that he has received a secure message. To read the message, the recipient must log into the secure server, usually using a secure Web portal, to view and respond to the message. This solution can be implemented using gateway devices or can be configured in certain software applications: PostX and Tumbleweed offer good products in this arena. For companies, such as banks, HR firms or credit-card companies, that want to notify customers their attention is needed–for instance, to ascertain that a transaction took place–this method works well.

There are some disadvantages to staging-server encryption, however. If end users correspond often with external recipients, each of those recipients will be forced to maintain yet another in-box and sent-mail box. And forgotten-password resolution for occasional users and automated password recovery must be well-thought-out to prevent additional work and unauthorized access.

» End-to-End Encryption

End-to-end encryption does what its name suggests: Data is encrypted by the sender and remains so until decrypted by the recipient. Typically, software agents are deployed that let users send encrypted mail by pressing a “Secure Send” button. There are products from PGP, Voltage Security and others that work with all major desktop clients. End-to-end encryption is suitable for environments–such as finance, accounting and HR– in which sensitive information must be kept secret and transmitted securely.

End-to-end encryption can be configured per user, per department or enterprisewide. It typically works using public-key encryption, with end users storing their public keys on servers that anyone can access–most frequently on servers maintained by the Massachusetts Institute of Technology or PGP. When a user sends an e-mail message, it’s immediately encrypted using the recipient’s public key found on key servers located on the Internet. Once the message is received, the recipient uses a private key to decrypt and view the message. This technology is getting easier to install and implement, but to encrypt a message, the recipient’s public key is required, so if a recipient doesn’t have one (and most don’t) e-mail messages sent to that recipient will not be encrypted. There is, of course, a mechanism by which users are notified whether their e-mail was sent securely.

Stop Viruses, Can Spam

Eliminating virus threats from e-mail is a two-fold process. First, you must prevent viruses from entering your e-mail infrastructure by using software or hardware. Then, you must ensure your solution is updating its virus-definition files–year-old definition files are useless. And it’s not sufficient to simply deploy protection that scans incoming e-mail for viruses; you must prevent users from spreading the infection among internal e-mail servers as well as to computers outside your IT networks. Second, each desktop computer must have virus-scanning software that searches e-mail attachments to remove the threat of infection.

McAfee, Symantec, Trend Micro and other security vendors all offer add-on software that downloads regular updates to ensure you have the latest signatures for current viruses. You also can replace your inbound gateway e-mail servers with an appliance capable of removing virus content from e-mail. IronPort, Sonicwall and Symantec offer e-mail security in hardware devices that do more than virus scanning; these appliances also find potential malicious content.

As we mentioned last November, legislation such as the CAN-SPAM Act of 2003 has not led to a decrease in the amount of spam a typical end user receives (see “Spam Filters: Still Sick of Spam”). Content-filtering software, however, can reduce the number of spam and phishing messages that make their way to e-mail in-boxes. Our Network Computing Barracuda spam filter tagged 86.7 percent of all our mail as spam earlier this year–that’s 7,348,391 messages. That ratio was relatively unchanged from testing we did in October 2005 and May 2004. (Barracuda won Network Computing’s 2005 Well-Connected Award in the Antispam Tool category.)

Most spam is now blocked at the boundary, before it reaches the messaging server, by devices such as Tumbleweed’s MailGate Email Firewall, which uses the company’s DAS (Dynamic Anti-Spam) technology, and IronPort’s C600 appliance with Symantec Brightmail Anti-Spam. You can also buy software that runs on a corporate mail platform to protect gateway server devices.

Today, the greater threat comes from spyware and phishing attacks rather than conventional spam. In extreme cases, instances of spyware, especially key loggers, can compromise a company’s intellectual property. Besides the increased risk of losing data when spyware is installed, it can be difficult and time-consuming to remove. And, productivity can suffer when employees spend company time fixing credit reports harmed during a phishing attack. So filtering only for spam is clearly not a wise choice.

One area of content filtering that doesn’t get enough attention is that of intellectual property in outbound e-mail. Nearly 50 percent of network security attacks come from within the so-called secure boundary of the corporate network, according to Deloitte’s 2006 Global Security Survey (see “Data Drain”). People have different incentives for accumulating corporate information illegally. They might be paid handsomely for stealing data, or they might simply take data because they can. We’ve all come across the end user who, knowing he’ll be leaving the company soon, decides to forward all e-mail in his in-box to his personal e-mail account. We’re also familiar with the more damaging scenario of the employee who takes all of her contacts–including valuable sales leads–with her to her next job. Creating an effective e-mail security policy that includes scanning outbound e-mail for sensitive content can help protect your corporate secrets and keep information from getting to where it shouldn’t. But content scanning is still not as accurate as virus scanning. False positives, mistuned policies and e-mail mistakenly held up as “potential” threats on outbound servers will cause business delays.

Policing Your Setup

Combating viruses, spyware and phishing attacks does not stop with the selection and implementation of one of these technologies. Your security policy must be clearly defined to match the sensitivity of your data, and it must be enforced; it must convey who owns e-mail and how it is used. Undesirable e-mail security scenarios can be avoided through awareness campaigns and personnel training. Make sure your end users log out of their Windows sessions when leaving their workstation to prevent unwanted browsing of their in-boxes. Work with HR to ensure that employees are aware that all corporate e-mail is the express property of the company, not the employee. Take measures to make sure passwords aren’t written down and placed on monitors or under keyboards. These sound like common-sense measures, but we all know how often these guidelines are ignored. Finally, be wary of visitors to your offices, and make sure they are chaperoned when appropriate. Based on these concepts, create e-mail education seminars for your users. Training your end users will allow them to police themselves.

One of the more deadly delusions in the IT world is that the systems administrator or security officer can somehow maintain control over the network and all the information in it. The fact is, though IT professionals create and enforce policy, end users’ actions ultimately dictate how technology is used in the enterprise.

Securing Mobile Devices

Many executives, managers and even IT personnel carry handheld devices so they’re never out of communication. These devices have consumer versions of software that handle e-mail synchronization using POP and even Microsoft Exchange. For better security, all enterprises must consider acquiring the enterprise software versions of these devices.

BlackBerry’s BES (BlackBerry Enterprise Server), for example, gives systems administrators the flexibility and control they desire while providing the encryption necessary to achieve compliance with federal and state mandates. BES offers the option of using AES (Advanced Encryption Standard) or Triple-DES (Data Encryption Standard) to encrypt data sent from the messaging server to the handset. Additionally, BES lets systems administrators make changes to end users’ handheld devices remotely. Devices can be entirely disabled, passwords can be changed and, in cases where the device is lost or stolen, data can be wiped from the device–all by remote administration.

If your corporation uses Treo devices, there are solutions for synchronizing e-mail over secure POP or Exchange synchronization, including third-party programs to send specially crafted text messages that will wipe the data from the device. Good Technologies offers a similar secure Exchange synchronization product for Palm OS and Windows Mobile users.
From Dark Reading (http://www.darkreading.com/document.asp?doc_id=109262&print=true)

Christopher T. Beers is an NWC contributing editor and manager of systems operations for a large broadband ISP, where he oversees daily operations of high-speed data and VOIP for the Northeast United States, including Solaris and Linux administration. Write to him at cbeers@nwc.com.

OCTOBER 30, 2006

November 1, 2006 at 09:24 PM in email | Permalink | Top of page | Blog Home

E-mail authentication: The choices

June 12, 2006 (Computerworld) -- Some observers criticize IT vendors for not agreeing on a single, standard way for dealing with evil e-mail. The key e-mail authentication protocols are Microsoft's Sender ID Framework (SIDF), with its Sender of Policy Framework (SPF) records, and the rival Yahoo/Cisco DomainKeys Identified Mail (DKIM).

But a good case can be made that e-mail senders, Internet service providers and e-mail recipients should use both SIDF and DKIM.

"Domain owners are well advised to publish information using both standards, and e-mail recipients can use both standards to help filter spam," says Richi Jennings, an e-mail security analyst at Ferris Research Inc. in San Francisco.

But, he adds, "DKIM is better because the methods used to verify that the sender was authorized to use that domain are stronger. SPF/Sender ID has issues with mail lists and other things that autoforward mail."

DKIM is stronger, Jennings says, because it generates cryptographic hashes of content using keys owned by the e-mail sender's domain, while SIDF is simply based on which IP address the message comes from. "This means that DKIM is harder to set up and a little more expensive in terms of computing horsepower," he says.

John Scarrow, Microsoft's general manager of antispam and antiphishing strategy, agrees that the approaches are complementary. "By utilizing both, e-mail senders receive optimal protection and functionality across the board," he says. He acknowledges that DKIM is better for automatic forwarding by servers, such as when a user configures his Hotmail account to automatically forward messages to his Microsoft account.

But Scarrow argues that DKIM requires users to upgrade to both outbound and inbound message-transfer agents (MTA), such as Microsoft's Exchange Server, and affects "about 10% to 15% of computing cycles, while SIDF has no outbound impact to the MTA and negligible impact to any computing resources."

September 12, 2006 at 02:17 AM in email | Permalink | Top of page | Blog Home

The Future of E-mail

une 12, 2006 (Computerworld) -- Your company scans incoming e-mail for viruses and outgoing messages for confidential information. Your spam filter snags most of the garbage, and it gets better as it learns the latest spamming and phishing spoofs. You're encrypting sensitive e-mail now, and you recently completed a project that keeps your messages safely archived in case federal regulators come knocking.

Indeed, with the right technology, the right policies and a little slice of your budget, you can pretty much manage the messaging madness. And new technology likely to emerge from the labs in the next year or two will help bring a little more civilization to the world of e-mail, ensuring its continued place among the most popular and important of all corporate applications.

However, e-mail's problems will accompany it into its second act, especially as users deploy a growing variety of mobile devices and discover new ways of communicating -- such as instant messaging, blogs, wikis and virtual reality spaces you've never even dreamed of. These will offer green pastures for hackers, spammers and phishers, and will require a whole new round of defensive tools, techniques and policies.

While today's efforts to improve e-mail are aimed mostly at curing its ills, research in vendor and university labs points to brave new uses for the humble e-mail message, from knowledge mining to workflow enhancement. Interviews with researchers, futurists and IT managers yielded the following conclusions about the future of e-mail.

1. New technologies, plus economic and political pressures, will eventually tame the malware.

Ray Tomlinson, a principal engineer at BBN Technologies in Cambridge, Mass., calls the struggle against spam, phishing and malware "pretty much a draw" at present. He has a good deal of perspective on these issues, having sent the world's first network e-mail message in 1971.

Tomlinson points with hope, but some exasperation, to alternate -- some would say competing -- proposals for stemming the tide of offensive, malicious and deceptive e-mail.

"It's not so much a hard technical problem; it's a hard business and political problem," Tomlinson says. "The players have vested interests in the various approaches, and they are fighting tooth and nail to get their approaches adopted. It's not the end users who are the bottleneck here."

Microsoft Corp. is pushing its Sender ID Framework, which verifies that a message was actually sent from a server authorized to send mail for the domain owner. John Scarrow, Microsoft's general manager of antispam and antiphishing strategy, says Sender ID has been adopted by 73% of Fortune 100 companies and is used for 31% of all e-mail messages.

An experimental system at HP Labs shows actual e-mail paths (the gray lines) overlaid on the lab's formal organizational structure (the black lines).
An experimental system at HP Labs shows actual e-mail paths (the gray lines) overlaid on the lab's formal organizational structure (the black lines).
"We are seeing the amount of spam now starting to plateau," he says. "It's a good indication the industry is starting to take a good bite out of the economics of the business."

More good news, Scarrow says, is that while IM and other modes of electronic communication also need to be protected, the technology for doing so is similar to that for e-mail.

Meanwhile, Yahoo Inc. and Cisco Systems Inc. last year submitted to the Internet Engineering Task Force a proposed standard called DomainKeys Identified Mail (DKIM), which, like Sender ID, is designed to guard against spoofing and phishing by authenticating an e-mail sender. DKIM verifies the domain of the sender and also cryptographically verifies the integrity of the message.

In addition to Sender ID, Microsoft has the SmartScreen filter, which uses statistical techniques to learn what's spam and what isn't, and the Phishing Filter add-in for the MSN Search Toolbar. But those tools are not enough, say the folks at Microsoft Research, where some 40 people work on new e-mail technology.

For example, researcher Joshua Goodman says the ultimate solution could be a four-pronged defense against spam called SmartProof. Here's how an experimental version of it works:

* First, a machine-learning filter, similar to SmartScreen, snags the obvious spam and quarantines it or throws it away. The filter passes on to the user's in-box any message that is from someone on the user's "whitelist."

* Messages suspected of being spam trigger replies to the senders, challenging them to prove they're not spammers.

* Senders may respond to the challenge by solving some kind of a puzzle -- one that's easy for a human but hard for an automatic spam generator.

* Alternately, senders can ensure the delivery of their messages by making credit card-based "micropayments." The payments may go to the recipient, the Internet service provider or a charity, or they can be refunded to the sender if the message turns out not to be spam.

"We thought if we could put all that together, we'd have a great long-term solution," Goodman says. "Obviously, it's a very ambitious plan, and I don't think we ever thought it would happen quickly."

Elsewhere at Microsoft, researchers are working on a prototype called MailScope that monitors e-mail routes and alerts users when significant delays are expected. If MailScope sees persistent delays between, say, Microsoft.com and Berkeley.edu, it warns users on those servers that delays are likely, much as a traffic report notifies drivers of congested routes.

In a related Microsoft project called SureMail, when a message is sent, a system posts a tamperproof notification to a table somewhere on the Internet. E-mail recipients periodically query the table and match notifications with messages received. If they find a notification for which there is no message, they know the message has been lost. Microsoft calls these "silent" losses because they so often go undetected. In controlled experiments over two months, using a variety of e-mail systems and carriers, Microsoft found that one in 140 e-mail messages disappeared without a trace. Delays averaged four minutes but lasted as long as 27 hours.

Despite the extensive research and development, some observers say technology can never completely cure e-mail's ills. Economic and regulatory tools will be needed as well, they say.

"Ultimately, I believe there will be a pay-per-message type of service that charges to ensure that e-mail is spam-free," says CIO Matthew Lynch at ShopKo Stores Inc. in Green Bay, Wis. E-mail carriers will charge companies a penny or two per message and will in exchange certify those messages as legitimate, he says. Lynch also predicts "stronger legislation around this topic."

A combination of technology, policy and market measures will keep e-mail among the top of all corporate applications, most users say. "E-mail will continue to be an integral form of communication," says Matthew Marks, head of integrated user services at Aetna Inc. "The capability to quickly and easily distribute a message with an attachment -- documents, links, objects, etc. -- to a large, dispersed audience with tracking and audit cannot be matched by IM, fax or snail mail."

2. E-mail -- just one of the many communications streams in the workplace -- will become part of a "puddle," or "activity thread."

Although e-mail seems unlikely to be supplanted by alternatives, the job of the IT manager is nevertheless complicated by the emergence of other options.

E-mail is in its "pimply adolescence," says futurist Paul Saffo at the Institute for the Future in Palo Alto, Calif. The problems of spam, phishing and e-mail-borne malware will be conquered, he predicts. In the meantime, he cautions, "you can't treat e-mail in isolation. All of our communications forms are melting away, and we are creating new things out of the puddle of old stuff."

Richard Golden, vice president for IT infrastructure at Circuit City Stores Inc. in Richmond, Va., says these threats will cause corporations to augment their technology defenses with strong policy defenses. He says it's relatively easy to protect e-mail systems with spam filters, virus scanners and the like because the systems are well defined, with discrete messages going from Point A to Point B through corporate IT assets.

"But things are converging into a world that is not as clearly definable as a corporate e-mail system," he says. "I think you'll see more policies about things like blogging, for instance. As the lines blur on the means for communications, it's going to require more focus on the information conveyed, regardless of the means used to convey it."

IBM Research is looking for ways to combine e-mail with other functions and integrate it seamlessly into users' daily activities. "It's not enough to help people manage their e-mail; it's important to help them manage their work," says Dan Gruen, a research scientist at the company's facility in Cambridge, Mass. That involves "connecting all the communications and information feeds around a topic or activity," he says.

For example, an IBM Research proto-type called Activity Explorer is a collaboration tool that pulls together e-mail messages, synchronous communication such as instant messages, screen images, files, folders and to-do lists. A project team can establish "activity threads" containing these feeds and can switch easily between asynchronous and real-time collaboration. An activity thread might include the messages, chats and files exchanged among members of a team that's writing a contract bid, for instance.

A more advanced experimental tool from IBM called Unified Activity Manager does all that and more, linking into other corporate applications such as workflow systems. It not only combines the elements of a current activity but also pulls in those elements from past similar activities. These notions of "activity-centric collaboration" will show up in the next release of Lotus Notes, dubbed Hannover, which is expected to ship next year, Gruen says.

Meanwhile, Microsoft Research has developed a way to combine e-mail, files, Web pages, calendar entries, to-do lists and other materials into one searchable archive. Called "Stuff I've Seen," the prototype uses MS Search to index a user's important content and then offers it through a unified interface with sorting, filtering, previews and thumbnail views.

3. New e-mail applications will emerge, including tools that mine message archives for corporate intelligence.

Even as e-mail yields turf to upstarts like IM, especially among younger users, new uses for e-mail are on the horizon. As companies and individuals begin to systematically archive messages, the e-mail becomes available for data mining, and researchers at a number of companies and universities are developing ways to make these archives more accessible.

For example, Hewlett-Packard Co. researcher Bernardo Huberman is devising ways to "harvest organizational knowledge" by mining the e-mail messages and PowerPoint presentations of employees. His techniques go way beyond the searching and categorization of messages that products do pretty well now. Huberman looks at the strengths of communication bonds among employees and patterns of communication that can reveal both hidden problems and opportunities.

"You can look at an organizational chart and make all sorts of inferences about how people work, but when you look at e-mail patterns, you see how they work in a different way," he says. "You discover leadership roles, such as who's the hub through which most of the e-mails go, that you wouldn't identify from the organizational chart."

The result of such pattern or network analysis might be to reorganize departments, projects or activities around those hubs, Huberman says.

HP Labs is now prototyping a tool called Knowledge Navigator that's based on those principles. It applies text mining, clustering algorithms and statistical analyses to employee e-mails and presentations stored on HP's servers. It could handle a query such as, "Who are the top five experts on topic x?" Huberman says, even when such expertise is not explicitly noted in org charts or personnel records.

Huberman says this kind of knowledge harvesting will be used by companies internally on their employees and externally on customers, resulting in the ability to generate messages and pitches aimed at both groups. "What we will see in the next few years is a very targeted way of placing information in the hands of relevant people," Huberman says. "Sure, it can be annoying, but it's better than getting spam on things you don't care about."

Despite the benefits, he acknowledges that mining messages raises ethical and potential legal issues. "In the next few years, we will see a blurring of the boundaries between what is considered private and public," Huberman says.

Mining employee e-mails is "something the company has an interest in, and we are starting to see that interest grow," says Carl Jones, director of collaboration services at The Boeing Co. in Chicago. He says the company has a knowledge management pilot project that, among other things, examines e-mail messages.

"If you have a business problem, you may be able to mine across the e-mail spectrum and find out, hey, there are people out in the field who are subject- matter experts that can help you," says Jones. But, he adds, "we'll have to be very careful about policies on privacy and so on."

Jon Kleinberg, a professor of computer science at Cornell University , says much can be learned from the networks created by people's activities on the Internet.

"How can you infer that someone is influential?" he says. "Is it the obvious things, like they send and receive the most messages, or is it more subtle things, like they operate at the periphery [of a group] but pull together groups that are otherwise weakly connected?"

Kleinberg says answers to such questions may have profound importance for companies that sell online and rely on word-of-mouth recommendations via customers' e-mail. He's looking into two competing theories as to why that kind of e-mail sometimes leads to snowballing sales and other times fizzles.

"Is it the attractiveness of the product, or is it something about the community of people who are into those kinds of products?" Kleinberg wonders.

He says e-mail pattern analysis could help a company answer questions such as, "Who are the key people to influence?" and "For which products is it worth it, and for which is it not?"

"Social network analysis is one of the great tools for productivity going forward, and very few people understand it," says Thornton A. May, a Computerworld columnist and dean at the IT Leadership Academy at Florida Community College at Jacksonville. "People tend to think of social network analysis as a list of people -- an address book. But it should tell you not just who knows who, but who knows what as well."

Users should see social network analysis as more than a way to find dates or customers. It can "solve problems, create teams or recombine organizations," May says.

IBM's Unified Activity Manager

IBM's Unified Activity Manager combines e-mails, files and schedules associated with a multiperson effort to respond to a request for proposals. This kind of capability will ship in IBM's next version of Notes, dubbed Hannover.
(Click image to see larger view)

September 12, 2006 at 02:15 AM in email | Permalink | Top of page | Blog Home

Security of email

SECURITY OF PUBLIC WEB SERVERS

Shirley Radack, Editor

Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

Electronic mail (email) is an essential communications tool for many industry, government, and academic organizations. Email is popular and convenient for exchanging messages, data files, images, and sound clips over computer networks and especially over the Internet. Two principal components, mail servers and mail clients, support the email processes. The mail server is the computer host that delivers, forwards, and stores the mail. Users interface with the mail client software to read, compose, send, and store email messages.

Because they are vulnerable targets for attack by malicious intruders, both mail servers and mail clients must be protected. In September 2002, the National Institute of Standards and Technology (NIST) issued NIST Special Publication (SP) 800-45, Guidelines on Electronic Mail Security, by Miles Tracy, Wayne Jansen, and Scott Bisker, to help federal agencies improve the secure design, implementation, and operation of their electronic mail servers and clients.

NIST SP 800-45 describes secure practices for the installation, configuration, and maintenance of mail servers and clients. Topics discussed in the guidelines include the security aspects of email standards, use of encryption standards, the security of the underlying operating systems, and the filtering of email content. The publication gives details on the use of devices such as firewalls, routers, switches, and intrusion detection systems to protect networks, and offers recommendations for managing the mail server in a secure manner using backups, tests, updates, patches, log reviews and records management practices. The appendices provide a glossary and information on mail-related standards and security tools. Also included in the appendices are discussions of the secure use of Microsoft, UNIX, and LINUX mail systems, references that are available in print and electronic format about protecting email systems, and a security checklist.

Along with other guidelines and recommendations, NIST SP 800-45 provides agencies with comprehensive information about protecting the computer and network systems that interact with and serve the public. NIST publications are developed primarily for the federal community, but should be useful to individuals, the private sector, and other public sector organizations. Other recent publications covering the security of publicly accessible systems include NIST SP 800-44, Security of Public Web Servers, and NIST SP 800-46, Security for Telecommuting and Broadband Communications. Summaries of these publications were featured in the November and December bulletins in this series. Information technology security publications and ITL bulletins are available in electronic format from the NIST website:

http://csrc.nist.gov/publications/

Vulnerabilities of Mail Servers and Clients

After web servers, an organization’s mail servers are typically the most frequent targets of attack as both mail servers and public web servers communicate to some degree with unknown parties, who may or may not be trustworthy. Attackers, with their thorough understanding of the supporting computing and networking technologies, have been successful in exploiting weaknesses in mail servers and clients.

Mail servers and clients can be vulnerable to events such as:

· Denial of service (DoS) attacks that are directed to the mail server or its supporting network which can deny or hinder access to the mail server by valid users.

· Sensitive information on the mail server may be disclosed or changed in an unauthorized manner.

· Sensitive information that is transmitted unencrypted between mail server and email client may be intercepted. For example, the email software may default to sending usernames, passwords, and the email message itself without the protection of encryption.

· Information within the email message may be altered at some point between the sender and recipient.

· A successful attack on a mail server can be used to gain unauthorized access to resources elsewhere in the organization’s computer network, including user passwords and other computers on the network.

· A mail server that has been attacked can be used to attack another organization’s network, perhaps creating liability for damages to the sending organization.

· Attackers may use the organization’s mail server to send email-based advertisements (commonly referred to as spam).

· Viruses and other types of malicious code may be distributed to computers throughout an organization via email.

· Users may send inappropriate, proprietary, or other sensitive information via email. This could expose the organization to legal actions.

What Can Be Done to Improve Email Security

Mail servers, mail clients, and the network infrastructure that supports them must be protected to avoid the conditions that can lead to damage, compromise of information, and inconvenience. With good planning and rigorous implementation of secure configurations and operational procedures, organizations can operate successful electronic mail operations while protecting their networks and information resources.

The following actions will help organizations to improve their email security:

· Plan carefully and address the security aspects of the deployment of a mail server.

Careful planning is the essential first step to assuring that mail servers have been installed, configured, and implemented in a secure manner. It is more difficult to address security issues once deployment and implementation have been completed. A detailed and well-designed deployment plan enables the organization to make prudent decisions regarding the tradeoffs between usability, performance, and risks. A deployment plan makes it possible to maintain secure configurations and identify security vulnerabilities.

All mail server activities should be carried out in compliance with the organization’s plans and policies. Plans and policies should support the application of consistent management controls across the entire organization. This is essential in order to avoid variations in controls that can result when the information technology support staff becomes fragmented within the organization.

The following items should be considered when planning a mail server:

· Identify the purpose of the mail server and the information to be processed on or transmitted through the mail server.

· Identify the security requirements of the information.

· Identify other services to be provided by the mail server and their security requirements.

· Identify the location of the mail server, the network services to be provided, and the network service software on both the clients and the server.

· Identify the users or categories of users of the mail server and any support hosts.

· Determine the privileges that each category of user will have on the mail server and support hosts.

· Consider issues such as authentication methods, enforcement of access rules, cost, and compatibility with the existing infrastructure, employee skills, and vulnerabilities.

· Work closely with vendors in the planning stage.

The deployment plan should address the human resource requirements for both the deployment and the operational phases of the mail server and its supporting infrastructure. The following issues should be covered in the deployment plan:

· The types of personnel required, including the system and mail server administrators, network administrators, and information systems security officers (ISSOs).

· The skills and training required by assigned personnel.

· The levels of effort required of specific individuals and of the entire staff involved in deploying and operating the mail server.

· Implement appropriate security management practices and controls to assure that the mail server is maintained and operated securely.

Protecting the operating system helps to protect the mail server from exposure to danger. Appropriate management practices are essential to operating and maintaining a secure mail server. Security practices include the identification of an organization’s information system assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines. The goal is to ensure the confidentiality, integrity, and availability of information system resources.

The following practices are recommended.

· Create an organizational-wide information system security policy that states the basic policy and outlines responsibilities within the organization for carrying out the policy.

· Control and manage the modifications to a system’s design, hardware, firmware, and software to assure consistency in handling changes and protection against improper modifications.

· Establish risk assessment and management procedures to collect and analyze data about assets, threats, and vulnerabilities. Based on the analysis of risks, select and implement controls to reduce risks to a level acceptable to the organization.

· Develop standardized software configurations for widely used systems and applications. This will provide guidance to mail server and network administrators on secure configurations that satisfy the information system security policy of the organization.

· Use security awareness and training programs to make users and administrators aware of their security responsibilities, correct practices, and individual accountability.

· Carry out contingency planning, continuity of operations, and disaster recovery planning to maintain operations if there are disruptions.

· Apply certification and accreditation techniques to analyze how well a system meets its security requirements. Document management acceptance of the analysis and the extent to which the system meets the technical requirements for security.

· Ensure that the mail server operating system is deployed, configured, and managed to meet the security requirements of the organization.

The operating system that supports the mail servers must be secure. It is important to check the hardware and software configurations, which may have been set originally to emphasize features, functions, and ease of use, rather than the security of the system. Since each organization has unique security needs, the mail server administrator should configure new servers to meet the organization’s requirements. As requirements change, systems should be reconfigured. NIST SP 800-45 provides references and information about automated tools to help mail server administrators develop and maintain operating system security. To secure the operating system, follow these steps:

· Patch and upgrade the operating system to correct known vulnerabilities.

· Remove or disable all unnecessary services and applications, and enable only those services that are required by the mail server.

· Configure the operating system to authenticate users.

· Configure access controls to specify access privileges to files, directories, devices, and other resources.

· Test the security of the operating system periodically to identify vulnerabilities and to validate the effectiveness of security measures.

· Be sure that the mail server application is deployed, configured, and managed to meet the security requirements of the organization.

In general, the same steps that are recommended for protecting the operating system also apply to the secure installation and configuration of the mail server application. The goal is to install the minimal amount of mail server services required and to eliminate any known vulnerabilities through patches or upgrades. The following steps should be followed to secure the mail server application:

· Patch and upgrade the mail server application to correct for any known vulnerabilities.

· Remove or disable unnecessary services, scripts, applications, and sample content.

· Configure mail servers to require authentication of users.

· Configure mail servers to implement the same or more restrictive controls on access to resources as those enforced by the operating system.

· Test the security of the mail server application.

· Consider implementing and using cryptography to protect user authentication and mail data.

Cryptographic functions have been added to standard email protocols to allow for encryption of the message, authentication of sending party, non-repudiation of the message, and integrity of the message. Mail protocols can be attacked when they default to unencrypted user authentication and send email data in the clear (unencrypted). Attackers can intercept this data, compromise a user’s account, and alter unencrypted messages. At a minimum, organizations should consider encrypting the user authentication information even if they do not encrypt the email message. Encrypted user authentication is now supported by most standard and proprietary mailbox protocols.

There are many issues to be considered regarding the encryption of email. Encrypting email places a greater load on the user’s computer and on the organization’s network infrastructure. Encryption may complicate virus scanning and mail content filtering, and usually entails significant administrative overhead. However, for many organizations, the benefits of email encryption will outweigh the costs.

· Use the network infrastructure to protect the mail servers.

The network infrastructure, including the firewalls, routers, and intrusion detection systems that support the mail server, plays a critical role in maintaining the security of the mail server. In most configurations, the network infrastructure will be the first line of defense between potential attackers using the Internet and the mail server. Network design alone, however, cannot protect a mail server. Attacks have been too frequent, sophisticated, and varied. The best defense is through the application of diverse and layered protection mechanisms.

· Continue to maintain the security of mail servers in an ongoing process.

Maintaining a secure mail server requires continued effort, resources, and vigilance from an organization. Daily attention to the administration of a mail server is essential. The following steps are recommended for maintaining the security of mail servers:

· Configure, protect, and analyze the log files of information about access and use of the mail server.

· Back up the data on the mail server frequently.

· Analyze intrusions and protect against malicious code (e.g., viruses, worms, Trojan horses).

· Establish and follow procedures for recovering from compromise.

· Test and apply patches in a timely manner.

· Test the security of the system periodically.

About Standards for Secure Electronic Mail

Standards are critical to the successful exchange of email. Standards for electronic mail have been developed by the Internet Engineering Task Force (IETF), a large open international community of network designers, operators, vendors, and researchers, who are concerned with the evolution and operation of the Internet architecture. The standards cover the composition, formatting, transmission, delivery, and storage of email, and they often reference other standards issued by the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU). The handling of an email message involves many complex steps, and the use of standards makes it possible for different systems to interchange messages. The relevant IETF documents for standard electronic mail are listed in Appendix B of NIST SP 800-45.

· Standards for Encryption

Pretty Good Privacy (PGP) and the Secure Multipurpose Internet Mail Extensions (S/MIME) are the principal mechanisms used to secure email content from end to end. Both techniques are based, in general, on public key cryptography processes. A user has a pair of related keys: a public key that is available openly and a private key that is held exclusively by its owner. The recipient’s public key is used to send encrypted information that can be decrypted only with the private key. The sender’s private key is used to send digitally signed information that can be verified for authenticity by anyone holding the corresponding public key. Digital signature techniques use a cryptographic hash function to create a digest of the message being sent. This digest can be signed more efficiently than the entire message.

PGP and S/MIME differ in their approach to key management. Some versions of PGP have no central key issuing or approving authority, and its users exercise management and control. S/MIME and newer versions of PGP use a hierarchical model involving a master registration and approving authority, and subordinate local registration authorities. This Public Key Infrastructure (PKI) provides a mechanism to authenticate users and protect the confidentiality of email. See Chapter 3 of NIST SP 800-45 for details about the advantages and disadvantages of PGP and S/MIME systems.

NIST SP 800-49, Federal S/MIME V3 Client Profile, issued in September 2002, provides specifications for adding cryptographic security services to the standard mail protocol. Based on the Multipurpose Internet Mail Extensions (MIME) standard, S/MIME allows for the addition of services, such as authentication, non-repudiation of origin, message integrity, and message privacy.

· Federal Information Processing Standards

Standards for the cryptographic techniques used for encryption, key management, and digital signatures within the secure email end-to-end process include the following Federal Information Processing Standards (FIPS):

· FIPS 46-3, Data Encryption Standard (DES), in triple DES mode (3DES) for data encryption.

· FIPS 197, Advanced Encryption Standard (AES), for data encryption.

· FIPS 186-2, Digital Signature Standard (DSS), for digital signatures. The DSS specifies the Digital Signature Algorithm (DSA) and allows the use of digital signature techniques specified in American National Standards Institute (ANSI) X9.31, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), and ANSI X9.62, Elliptic Curve Digital Signature Algorithm (ECDSA).

· FIPS 180-2, Secure Hash Algorithm (SHA-1), for hashing (effective February 2003).

Information about these and related FIPS is available at:

http://csrc.nist.gov/publications/fips/index.html

Summary

Organizations and individuals benefit when electronic mail and mail systems are protected. Mail systems available to public access can be vulnerable to misuse, unauthorized access, and denial of services. However, the risks of operating, implementing, and maintaining electronic mail systems can be managed through careful planning, secure configuration of systems, and continued attention to implementation and maintenance.

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

February 24, 2006 at 11:13 AM in email | Permalink | TrackBack (506) | Top of page | Blog Home

Googling Google Survey: Part II

» Googling Google Survey: Part II | Googling Google | ZDNet.com

Posted by Garett Rogers @ 6:59 pm

gmail_logo.gifOne of my readers sent an article that explains how GMail changed the way he uses email, and that got me thinking — I wonder what people I know think about this service and how has it changed the way they use email? Enter the second part of the Googling Google survey.

'll start by explaining how I use GMail as my primary email client. It is my communication portal that encapsulates every email address I own, providing an easy, heads-up view of my accounts. My GMail address is used for personal communication between friends, family and my blog readers. Besides my @gmail.com address, I have a few others for domains I own — all of which are hosted on a server I operate. Incoming messages to that server are automatically forwarded to GMail — this takes care of most spam too. My work email also forwards to gootch2@gmail.com.

For outgoing mail, I set up accounts corresponding to these addresses. For people who don't know about this feature, setting up accounts gives you the ability to impersonate email addresses that you control. For example, when I'm at work I can send mail that appears originate from there rather than gootch2@gmail.com — even though GMail is used to compose the message.

Here are the results of the informal, non-scientific survey I conducted with close to fifty friends, family and random strangers who use GMail as their primary client.

Where did you hear about GMail?

Two answers to this question came up time and again. The most common answer was a referral — a friend or someone else they know got them to sign up. The second most common answer was seeing @gmail.com addresses more frequently around the Internet — for some people this caused enough curiosity to investigate.

Before you signed up, which single feature did you find most appealing?

Most people said they were impressed by the very large storage size. To me this makes sense because storage is the easiest feature to explain, understand and appreciate. For example, explaining the storage size to someone who doesn't use GMail involves a simple comparison to the mail service currently being used.

People who had a Hotmail account in the days of the 2MB limit know exactly what it's like to run out of space. Now imagine someone like that hearing "GMail gives you over 1000 times more storage than Hotmail used to, and is continually growing". It's easy for them to understand the benefit — that's what makes it a success.

Do you like GMail?

Yes. People who have made the switch generally like the service on one of two levels. In most cases, they like it better than their previous mail client, and others find it to be a suitable replacement.

What makes GMail different in your eyes?

People who use the service as their sole email client often confirm that the "message grouping" feature is quite addictive, and is surely missed when forced to use something like Hotmail, Yahoo or a client like Outlook. "It is a little weird at first, but give it a week of actual use and you will be hooked" says one of the surveyed.

Some users say they receive less junk using GMail. That, coupled with the ease of reporting messages gives people a sense that they are actively taking part in the fight against spam.

In more of a negative light, people recognize that the file structure is quite a bit different compared to traditional mail clients. Folders really don't exist, and labels are confusing for some people. The average user doesn't quite understand the concept or benefits of labels until they are explained by someone who knows.

Has GMail changed the way you use email?

The majority of people surveyed simply use GMail in a very basic way. Only a handful of people surveyed even knew about the more advanced features like setting up multiple accounts for outgoing mail, web clips, contact groups, labels, and mobile viewing capabilities.

I did run into a couple people however that used GMail in almost every way it can be. They both said that GMail has absolutely changed the way they use email. Like myself, they use it for every email address they own, have filters set up, labels for all kinds of things, etc. These fellows even use the mobile viewing capabilities. In general, they said, GMail makes them more organized, productive and reachable.

What do you wish GMail did better?

The majority find that GMail does most everything they want, but there were a few complaints. The ability to drag and drop messages into folders and labels came up a couple times. MSN Live Mail and Yahoo Mail beta both sport some nice drag and drop capabilities — could it be that far away for GMail?

A number of people switching from Hotmail and Yahoo were annoyed with the lack of a "choose recipients" feature. When composing or forwarding messages, it would be nice to see a selectable list of contacts. Many users decide where to forward messages on a case by case basis. Contact groups don't quite fit the bill in this type of situation.

I am a huge fan of services like GMail, Hotmail and Yahoo Mail as they provide a portable solution that makes it simple to carry around email. In the last couple months, Google added even more portability by giving users the ability to view email on mobile phones with http://m.gmail.com.

Keeping data online is very important, and I am sure Google will continue to develop products and services with this in mind. To emphasize this fact, I recently purchased a new computer. The painful process of transferring data from my old computer amplified my gratefulness of portable data. I didn't have to create a backup of my email and import it into a new system because everything was conveniently stored on the Internet for me.

There will be a day when Google makes storing your files as easy and portable as storing your email. Files that I want to keep portable could be stored on Google's G: drive so that switching computers (or even operating systems) would be extremely simple and worry free.

As rumors spread that Google is working on a version of Ubuntu called Goobuntu, even if just a rumor, I can't help but think that an online storage service isn't far away. People don't want to leave their whole life behind and start fresh with a brand new operating system — so why should they?
1 Comments | Blog This | E-mail This | Print This | Permalink
Categories: Gmail

* Previous Post

* Google VPS / VM Desktop on the Net Dietrich -- 02/04/06
* Add your opinionAdd your opinion

Trackbacks

The URI to TrackBack this entry is: http://blogs.zdnet.com/Google/wp-trackback.php?p=88

No trackbacks yet.

Popular white papers, webcasts, and case studies

* File Fragmentation, SANs, NAS and RAID Diskeeper Corporation
* Transforming Discrete Manufacturing Supply Chains Hewlett-Packard
* Successful Server Consolidation: It's All in the Preparation Hewlett-Packard
* Footwear Company, Dr. Martens, 'Steps Up' with ShoreTel ShoreTel
* ITIL: What It Is and Why You Should Care Global Knowledge Network
* Preparing Your Windows 2000 Network for an Upgrade to Windows 2003 Global Knowledge Network

February 5, 2006 at 12:26 AM in email | Permalink | TrackBack (551) | Top of page | Blog Home

Postage Is Due for Companies Sending E-Mail

Postage Is Due for Companies Sending E-Mail - New York Times

By SAUL HANSELL
Published: February 5, 2006

Companies will soon have to buy the electronic equivalent of a postage stamp if they want to be certain that their e-mail will be delivered to many of their customers.

America Online and Yahoo, two of the world's largest providers of e-mail accounts, are about to start using a controversial system that gives preferential treatment to messages from companies that pay from 1/4 of a cent to a penny each to have them delivered. The senders must contact only people who have agreed to receive their messages, or risk being blocked entirely.

The Internet companies say that this will help them identify legitimate mail and cut down on junk e-mail, identity-theft scams and other scourges that plague users of their services. The two companies also stand to earn millions of dollars a year from the system if it is widely adopted.

AOL and Yahoo will still accept e-mail from senders who have not paid, but the paid messages will be given special treatment. On AOL, for example, they will go straight to users' main mailboxes, and will not have to pass the gantlet of spam filters that could divert them to a special bulk e-mail box or strip them of images and Web links.

Yahoo and AOL say the new system is a way to restore some order to e-mail, which, because of spam and worries about online scams, has become an increasingly unreliable way for companies to reach their customers, even as online transactions are becoming a crucial part of their businesses.

"The last time I checked, the postal service has a very similar system to provide different options," said Nicholas Graham, an AOL spokesman. He pointed to services like certified mail with return receipts, "where you really do get assurance that if what you send is important to you, it will be delivered, and delivered in a way that is different from other mail."

But critics of the plan say that the companies risk alienating both their users and the companies that send e-mail. The system will apply not only to mass mailings but also to individual messages like order confirmations from online stores and customized low-fare notices from airlines.

"AOL users will become dissatisfied when they don't receive the e-mail that they want, and when they complain to the senders, they'll be told, 'it's AOL's fault,' " said Richi Jennings, an analyst at Ferris Research, which specializes in e-mail.

As for companies that send e-mail, "some will pay, but others will object to being held to ransom," he said. "A big danger is that one of them will be big enough to encourage AOL users to use a different e-mail service."

In a broader sense, the move to create what is essentially a preferred class of e-mail is a major change in the economics of the Internet. Until now, senders and recipients of e-mail — and, for that matter, Web pages and other information — each covered their own costs of using the network, with no money changing hands. That model is different from, say, the telephone system, in which the company whose customer places a call pays a fee to the company whose customer receives it.

The prospect of a multitiered Internet has received a lot of attention recently after executives of several large telecommunications companies, including BellSouth and AT& T, suggested that they should be paid not only by the subscribers to their Internet services but also by companies that send large files to those subscribers, including music and video clips. Those files would then be given priority over other data, a change from the Internet's basic architecture which treats all data in the same way.

This Tuesday the Senate Commerce Committee will hold a hearing to consider legislation for what has been called Net neutrality — effectively banning Internet access companies from giving preferred status to certain providers of content. The concern is that companies that do not pay could find it hard to reach customers or potential customers, threatening the openness of the Internet.

AOL and its parent, Time Warner, which also owns a large cable system offering high-speed Internet access, have not taken a public stand on the principle of Net neutrality. Neither has Yahoo, which has close relationships with AT& T and Verizon. The issue of e-mail postage has not yet come up in the debate over Net neutrality. In the next two months, AOL will start accepting e-mail processed by Goodmail Systems, a company in Mountain View, Calif., that will collect the electronic postage and verify the identity of the sender. Goodmail has tested the system with the participation of a few companies, including the American Red Cross and The New York Times.

Paying senders will be assured that their messages will be delivered to AOL users' main in-boxes and marked as "AOL Certified E-Mail." Unpaid messages will be subject to AOL's spam-filtering process, which diverts suspicious messages to a special spam folder. Most of these messages will also not be displayed with their original images and links. Users will be able to specify that unpaid messages from a particular person or company should never be treated as spam, as they can do now.

Yahoo will start trying out Goodmail's system in coming months, but it has not decided how paid mail will be differentiated from unpaid, said Brad Garlinghouse, vice president of communications products at Yahoo. Goodmail will charge 1/4 cent to 1 cent per message, with high-volume mailers getting the biggest discounts. It will give more than half of that amount to the e-mail service provider.

When AOL started to explain the details of its plan last month to companies that send a lot of e-mail, many quickly raised objections.

"No one wants Goodmail or any other provider to set up a tollbooth that makes it cost-prohibitive for legitimate mailers to reach the in-box," said Matthew Moog, the chief executive of Q Interactive. The company runs a marketing service called CoolSavings that sends e-mail to 10 million people a month who have requested it.

Mr. Moog said that he was very much in favor of systems that helped distinguish the mail he sent from spam. But Mr. Moog added that he wanted AOL and other Internet providers "to offer several competing services to ensure that innovation continues and there is a competitive market to drive fair pricing for the service."

For example, he said that CoolSavings already works with Bonded Sender, a company used by Microsoft's Hotmail service and other providers to identify sources of legitimate mail. Bonded Sender charges a flat fee of no more than $20,000 a year to the highest-volume senders, a fraction of what they would pay through the Goodmail system. Mr. Moog said that the Goodmail system would at least double the cost of an e-mail campaign. "I don't think the economics work," he added.

Matt Blumberg, the chief executive of Return Path, the New York company that runs Bonded Sender, said there was no need for the Goodmail price to be so high.

"From AOL's perspective, this is an opportunity to earn a significant amount of money from the sale of stamps," he said. "But it's bad for the industry and bad for consumers. A lot of e-mailers won't be able to afford it."

But Mr. Garlinghouse of Yahoo said that by making senders pay for each message, they will be forced to be more discriminating in whom they send e-mail to, which will benefit users.

"Because the cost of sending e-mail is so low, some players are not as good at keeping their lists clean," he said. "I still gets e-mails from lists I signed up for three years ago, but I haven't responded to a single one."

As spam has started to clog millions of mailboxes, particularly over the last five years, some people have suggested that requiring all e-mail senders to pay some sort of postage would drive out spammers, who can profit even if they sell their wares to a very small percentage of mail recipients.

But in recent years the volume of spam has leveled off, in part because of a new federal law that imposes penalties for many deceptive e-mail practices. Moreover, most major e-mail providers have built sophisticated filters that divert much of the spam. AOL says that spam complaints from its members are down 75 percent since their peak in 2003. (These filters also capture about 20 percent of legitimate mail, according to Ferris Research.)

A more troublesome problem now is phishing, messages that appear to be from a bank or an online payment service and that seek to fool recipients into divulging their passwords or credit card numbers. Phishing has led Internet providers and other companies to look for ways to help people identify legitimate mail.

Goodmail was founded several years ago with the idea that it would charge postage for all mail, but it has narrowed its focus to mail sent by companies and major nonprofit organizations, which will pay a reduced rate. It does not envision that individuals will pay to have their e-mail delivered.

"The e-mail in-box is a potentially dangerous place," said Richard Gingras, the chief executive of Goodmail. "There is a tremendous need for a class of certified e-mail that can convey to consumers that a message is authentic."

Mr. Gingras argued that companies will be glad to pay the postage fee because their customers will have more trust in their e-mail and thus will buy more from them.

And Mr. Graham of AOL added that the portion of the postage it will receive is justifiable compensation for the costs it has incurred in developing systems to combat spam.

"We have some prerogative to move to a system that asks for other people to participate and share the financial burden in making a clean e-mail environment on the Internet," he said.

February 4, 2006 at 04:25 PM in email | Permalink | TrackBack (12) | Top of page | Blog Home

Postage Is Due for Companies Sending E-Mail

Postage Is Due for Companies Sending E-Mail - New York Times

By SAUL HANSELL
Published: February 5, 2006

Companies will soon have to buy the electronic equivalent of a postage stamp if they want to be certain that their e-mail will be delivered to many of their customers.