September, 2005



To support a common subscriber repository, Telecoms operators require an unusual directory that must scale in a way that most directories don’t.

For example, a provider with 30 million customers might have a subscriber database with 110GB of data that handles 70,000 transactions/second at a data throughput of 40MB/second, with 10 ms reads and 15 ms updates. There’s no way that a commercial relational database system can do that.

David Ferris

There’s been a trend over the last couple of years to integrate inbound email security. The market is now starting to buy a single product or service that implements anti-virus, anti-spam, anti-phishing, DoS protection, etc., rather than a series of point solutions. This is seen most clearly with hosted services and appliances.

So what about all the other functions that touch the email flow? In addition to inbound inspection of the mail flow, this includes:

  • Outbound policy enforcement
  • Archiving and discovery
  • Regulatory compliance
  • Reporting and analytics
  • Encryption

It would be great if all these functions could be consolidated into a single integrated management environment. It’s not clear that this will happen. But a very interesting early attempt can be seen from the newly announced MX2020, from IntelliReach.

Richi Jennings


There are growing numbers of types of electronic nastiness.

In 1985, viruses were the only real bit of nastiness. The last three years have seen innovation and profusion of nastiness:

  • Spam became serious in 2002
  • 419 advance fee fraud attacks, traditionally from Nigeria. Became serious in 2002
  • Phishing attacks became serious in 2004
  • Spyware became serious in 2004
  • SPLOGS: spam blogs and other "black-hat" search engine optimization techniques are causing serious pollution of search engine results. Became serious in 2005
  • SPIT: the cheapness of VoIP lets overseas call centers make telemarketing calls, often in violation of laws, but they get away with it because they’re overseas. Became serious in 2005
  • Spear Phishing: highly targeted phishing attacks using social engineering or malformed MS Office documents. Became serious in 2005

SPIM (spam over instant messaging) could become a problem, but so far hasn’t. SPIT’s likely to get far worse.

David Ferris and

At the recent Professional Developer’s Conference in Los Angeles, Microsoft detailed its API (Application Programming Interface) strategy for the upcoming Exchange 12. While Microsoft announced many of the features that Exchange 12 would bring, this was the first information to appear about how developers will build applications against the new version. This is critical, because there are many Exchange applications on the market, from system management tools to end user productivity applications. In addition, organizations have written their own in-house, custom solutions. Developers need time to change existing applications, or build new ones that target Exchange 12.

For most developers, the message was good. Most of the existing commonly-used Exchange interfaces, such as Collaboration Data Objects (CDO) or WebDAV, will still be supported, even though they are being de-emphasized. This provides developers time to plan their API migration strategy. There are some interfaces, such as Exchange’s WMI classes and CDO for Exchange Management, that are being cut altogether, but few applications were written to these interfaces. Any application that was written using these interfaces will have to be revised, since it will not function against Exchange 12.

Microsoft is replacing the de-emphasized and obsolete programming interfaces with a new set based primarily on Web Services, scriptable interfaces called Cmdlets, and the Windows Workflow Foundation. The developers we interviewed at the PDC are excited about the new interfaces. They open up a larger part of Exchange’s services to developers, making it easier to build more powerful applications. They also are designed to solve many of the problems faced by developers in the past, such as the need to use different programming interfaces to build remote applications vs. intranet applications.

Developers will likely take advantage of the new interfaces quickly because they need to support versions of Exchange as they become available. But they’ll be faced with maintaining two code bases for some time, since existing versions of Exchange will be around for many years, just as we’ve seen with Exchange 5.5. Microsoft hasn’t yet made available beta versions of Exchange to a broad developer community, but no time is too soon, since the development environment will be changing so remarkably.

Chris Williams

On September 22, Symantec announced it would acquire WholeSecurity.

WholeSecurity offers technology that protects against:

  • Phishing websites. The technology looks at a website, and checks it against a dynamic database of phishing sites. It also checks for suspicious things. A simple example is a clickable URL that purports to go to a well-known website, but which actually goes to a covert one
  • Malicious code such as spyware and viruses. The technology works by observing abnormal behaviour on a computer, such as a small windows application that doesn’t have any windows and which seems to be hiding from the user

This acquisition is probably good for Symantec and its customers. It will help Symantec offer simple bundles that protect against a broader range of threats, mainly viruses, spam, spyware, and phishing. The technology helps to deal with zero-hour viruses, because it scans for strange PC behaviour rather than waiting for signatures.

The acquisition also opens an interesting new sales opportunity for Symantec. Symantec will be able to go to organizations that do business over the Internet, such as banks, eBay, Yahoo, and so on. These businesses will then be able to include Symantec’s security software into their own offering. For example, when you sign up with a bank, the bank can offer you a toolbar that protects against phishing, or the bank can offer you a download that will check your PC is healthy, and monitor it on an ongoing basis for malware.

It’s an all-cash deal; terms were not disclosed. WholeSecurity has 75 people, and has received $20M of venture money.

David Ferris





Expect discussion of distribution lists ("DLs") to become a lot more lively over the next couple of years.

Two things will drive this:

  • DLs are critical for regulatory compliance and discovery requests. When people participate in DLs, you need to process DLs in order to tell who’s done what
  • Corporate knowledge mining. To make sense out of a mass of emails, and pick out the discussions, you have to understand DLs

Today, DL membership fluctuates, with little associated tracking. Five years out, archiving systems will let us review DL history in much the same way as they do email.

David Ferris

Be sensible in how you give out your email address

  • Most people give out their email address where, for example, they would not give out their phone number – mostly due to the perception that email addresses are more ‘anonymous’ than home addresses or phone numbers.
  • Whilst this was the case many years ago, it is now possible to derive more information about a computer user than you might think from their email address, particularly if they own the domain as well.

Don’t place too much trust in address obfuscation.

  • Some users religiously write their addresses for public view as john dot doe at johndoemarketing dot com. However, some harvesting bots pick this up with ease as the software used to harvest email addresses is considerably more complex than it used to be.
  • Other variations of this technique include writing scripts (e.g. JavaScript) to “generate” an email address every time a web page carrying an email address loads (so it doesn’t exist explicitly in user@host form in the HTML code). However, some spambots can render the script output before scanning it and so they can read the email address.

When signing up for a service which asks for an email address, read the relevant part of the small print.

  • Some forms say “check this box to receive our newsletter” and others say “check this box to opt out of receiving our newsletter”.
  • Also be aware that ‘spam’ and ‘email you don’t want’ are not necessarily the same. It’s only really spam if you didn’t agree to receive it (either explicitly or implicitly).

Use a sacrificial email address for signing up to online services

  • If a sacrificial email address starts to receive too much spam, it can be swapped for a new one, unlike your usual business email address.
  • Some users have a different email address for every online service that they sign up to, so they can easily see which service distributes their details.

Keep your operating system and other software that you use up to date.

  • There exist viruses and spyware that capture addresses. Also ensure that, in addition to up-to-date anti-virus filters, you have up-to-date adware/spyware detection.
  • Remember that if you have an infection on your computer, it is likely that spammers are using your computer to send their emails to other people. In other words, your PC is a zombie in a botnet.

Users who run their own mail servers should ensure that they aren’t acting as an open relay.

  • If in doubt, seek advice.
  • Don’t forget to check for misconfigured routers and firewalls.

Consider using a form of spam detection which includes verification of SPF and/or DomainKeys Identified Mail (DKIM) records, particularly if the email appears to come from a critical source such as a financial institution.

  • It will help to detect and block phishing attacks.
  • If you own your own domain and advertise SPF records (or sign outgoing email using DKIM), it will help to prevent other people spoofing your address.
  • It is very easy to send an email and make it look like it came from somewhere else, so if you don’t have this level of filtering, don’t trust an email just because it appears to be from one of your friends.

Newsgroups have a particularly bad reputation for email address harvesting; this is because it is very quick and easy to get a list of email addresses from Usenet. Consider using a sacrificial/different email address when posting to newsgroups (e.g. using Google News).

Most people have some sort of an instinct about how legitimate online services appear to be. Don’t ignore this – it is very valuable.

  • If you have a ‘bad feeling’ about a site, or it doesn’t seem very professional, or there are too many grammatical or spelling mistakes, do not trust it.
  • However, note that phishers are becoming increasingly sophisticated in the graphic design of their email messages and web sites – it’s easy to copy the design of a legitimate web site or transactional email.

Recognize social engineering techniques and don’t fall for them.

  • If someone asked for your bank account number or perhaps eBay password without a valid reason in person, you would be understandably suspicious. If you receive an email asking for personal details like that, and your instinct is to not trust the email, don’t.
  • In general, do not give out any personal details through email. Banks won’t ask you for passwords, account numbers or mothers’ maiden names by email. Bear in mind that giving out seemingly insignificant information, such as how long you have lived at home, could prove very useful to abusive users, particularly if they are trying to impersonate you.
  • Banks usually have advice explaining that emails asking for personal information apparently from them are hoaxes. Pay attention to this.

Be suspicious rather than trusting. Anyone offering an unbeatable or even unbelievable deal by email probably won’t be doing it for your benefit, however much it seems like it.

  • If you receive an email from someone you don’t know, claiming that you have a lot of money left to you by someone you’ve never heard of, it’s highly unlikely to be genuine.
  • Most people would not be fooled by this if it was verbal or through the post, so there’s no reason to be any more trusting because it is by email. If it seems too good to be true, it probably is.

Don’t ignore warning messages

  • If you go to https://online.banking and the web browser displays a warning message about the site appearing to be invalid (technically: the digital signer of the site’s certificate isn’t a trusted certification authority), don’t just click the OK button.
  • Genuine sites such as PayPal and banks have correctly signed certificates so if your web browser thinks it is not correctly signed, you’ll get a warning message – it’s there for a reason.

To alleviate the concern over genuine email being classified as spam (false positives) consider using spam filters that provide some end user control

  • Some spam filters provide end user message reports that allow authorized end users to view what messages have been quarantined on their behalf and the reasons why. Messages can be released from quarantine by the end user, without the need for intervention by the IT support team.
  • Similarly, users should be able to include and manage their own personal white- and black-lists in addition to corporate lists. This would allow spam-like newsletters that a user wants to be delivered, even though many others would perceive them as unwanted email.

David Ferris, with thanks to Black Spider’s Emma Dunstone


Sponsored by IBM. http://www.ibm.com
Attached Files: Report - New Features and TCO Benefits of IBM Lotus Notes/Domino 7

This report discusses the new features of IBM Lotus Notes/Domino release 7 and how they may decrease an organization’s total cost of ownership (TCO) for email.
In this report, we:

  • Describe the new features of Notes/Domino 7.
  • Assess how the new features of […]

This report looks at the market for email security solutions. This market consists primarily of spam and virus control products but also includes add-on services, such as attachment blocking and policy compliance.