We attended Infosec (the Infosecurity Europe 2006 conference) in London this week. We estimate there were up to 750 paid attendees, but countless more unpaid, exhibits-only visitors.

Among the 300 or so exhibiting vendors, we saw these messaging- and collaboration-related firms: Aliroo, AVG, Barracuda, BitDefender, BlackSpider, Blue Coat, Chronicle Solutions, CipherTrust, Clearswift, CP Secure, Critical Software, Cryoserver, Dimension Data, Email Systems, Entrust, Finjan, General Dynamics, GeoTrust, HP, Identum, IronPort, Kaspersky, Marshal, McAfee, MessageLabs, Microsoft, Mimecast, Mirapoint, MXSweep, Netasq, Netintelligence, NOD32, Norman, OpenHand, Postini, RSA, Secured eMail, SfbIT, Sophos, SurfControl, Symantec, Trend Micro, VeriSign, VoIPshield Systems, and Voltage.

Apologies to anyone we missed — it was a large, packed show.

… Richi Jennings

We recently discovered two interesting resources for virus hunters. Both will allow you to submit a sample file for analysis, giving you an opinion of whether it contains a virus, worm, Trojan, or other malware.

Hispasec’s Virustotal takes a fairly conventional approach of scanning the file for known viruses. What’s notable is that it uses 23 separate scanning engines. Hispasec also provides an interesting statistics page.

Norman Sandbox live automatically runs the file in a test environment, watching what it does. This is similar to the approaches used by Avinti and BitDefender.

… Richi Jennings, with thanks to Frank Bernard and Chris Mikkelson

So you have a fantastic new idea to solve the spam problem once and for all? Of course, you’re sure it’ll work brilliantly and you’re sure nobody else has thought of it.

Sounds like you’ve come up with what spam fighters call a FUSSP — a Final Ultimate Solution to the Spam Problem. Vernon Schryver maintains a list of fallacies that appear again and again from FUSSP inventors. It’s fairly impenetrable to those outside what one might call the spam-fighting clique. So here we present a few rephrased highlights. Think of them as tips to prevent making yourself look foolish:

• Don’t assume that spammers are stupid.
• Don’t rely on email recipients changing their behavior with nothing to show for it.
• Don’t rely on other email senders responding to automatic challenges (or on victims of challenges sent to forged addresses not to respond).
• Don’t rely on all ISPs, Web hosts, and registrars being active, reponsible, spam-hating ‘Net citizens.
• Don’t propose replacing SMTP, DNS, TCP/IP, Microsoft Exchange, Lotus Notes/Domino, or other immovable objects.
• Know what these terms mean: tarpit, DNSBL, HELO, EHLO, MX, RMX, MTA, MUA, DCC.
• Know the difference between the SMTP envelope and header.
• If your scheme requires a new standard, make sure you understand how standards are set on the Internet — at a minumum, read and understand RFC 2223 and RFC 2026.
• With few exceptions, strangers won’t pay money to send you mail.

… Richi Jennings

If you’re going to the Infosec conference in London and would like to meet Ferris Research, do get in touch. Richi Jennings will be there Thursday, April 27. Email richi.jennings@ferris.com with some suggested times.

We’d be happy to discuss whether our services can be of help to you; for example, our Analyzer Information Service and white papers. Also, if you’re someone we know virtually, it would be nice to meet in person.

We’re especially interested in discussing secure messaging and collaboration (i.e., spam control, virus control, encryption, etc.)

Ferris Research

This is the second bulletin in a series about policy and regulatory compliance tools. These tools are outbound email filters that attempt to stop users from violating organizational policies or legal regulations.

Attempt is the operative word here. These tools can’t do a perfect job.

Let’s use the same example policy as before: "Only people in the PR Team group are allowed to email press releases to people outside the company." Determining what a press release looks like is an imperfect science. So we’ll experience quite a number of false positives — incorrect detection of a violation when none has occurred.

The important thing is what happens when the tool believes it has spotted a violation. Ideally, such tools should be set up to return the message to its sender, with a warning that a potential policy violation was detected. This is usually better than (say) alerting the user’s manager or the HR department.

… Richi Jennings

Policy and regulatory compliance tools are outbound email filters that attempt to stop users from violating organizational policies or regulations. An example of such a policy is: "Only people in the PR Team group are allowed to email press releases to people outside the company."

Policy compliance tools are useful for saving users from making silly mistakes, but not so good at preventing deliberate violations. If your competitor tries to steal your PR plans by planting a mole, no policy compliance tool could conceivably prevent them from stealing next week’s draft press release. Although it might frustrate their attempts to email the draft, it won’t prevent the use of other media such as flash drives, CD-Rs, or the good old printed page.

Beware of relying too heavily on technological solutions to problems. Don’t neglect the more obvious strategies, such as vetting contractors and keeping sensitive data under lock and key.

… Richi Jennings

Here’s another insight from an "unsophisticated" email user. We think this is interesting feedback for vendors of email clients. It might appear trivial to email cognoscenti like us, but it’s an important human factors observation. It’s an area where we as an industry can do a better job.

In a panicked phone call, "my" user told me that he’d sent an important email message to three people. But he’d mistyped one of the addresses and got a nondelivery message back. His question to me was:

Did the other two people get my message?

Of course, I told him that, yes, they did. But now that I come to think about it, why should that be obvious to him?

… Richi Jennings

I was talking to some "unsophisticated" email users recently. I asked them what their experience was of email in the workplace. I expected to hear complaints about poor performance, overuse of the CC feature, and misaddressed love notes. Instead, their main gripe was their correspondents’ unreasonable expectations.

There’s a culture grown up in some organizations that any email message will elicit an instant reply. This impatience seems to be born of the immediate nature of email — if it’s simple and quick for me to send a message, it should be simple and quick for you to reply.

"My" email users had learned that it’s necessary to manage these people’s expectations with a quick reply, informing them when to expect the task to be completed or the requested information to be sent. They’ve found that if they don’t do this, these impatient senders will follow up by phone or with another email message — even if it’s obvious that what they’re requesting will take a few hours or days to deliver.

Perhaps you recognize your organization’s email culture in this description?

… Richi Jennings