


According to this article, outsourcing services to India and other less expensive offshore labor pools has recently expanded to legal services. Mindcrest employs 459 lawyers in Pune, India. The Indian lawyers are trained in the same common-law and business principles as British, Canadian, and U.S. lawyers.

On one hand, the cost savings are extremely attractive. However, regulatory regimes or laws may prohibit certain types of data leaving the company, leaving the country, or being shared with individuals in certain restricted countries.

As outsourcing plays an ever-increasing role, the role of data leak prevention (DLP) and similar solutions will thus become critical within three to five years. Cheaper lawyers in India are just one of the reasons.

David Sengupta

Richi Jennings noted in a recent bulletin the claim from BorderWare of getting 98.3% detection using IP Reputation (DNSRBLs), and that other sources suggested 75%.

Isode has been making measurements of false negative rates, published in a white paper, “Measuring the False Negative Rate for Isode’s M-Switch Anti-Spam.”

Our measurements suggest that the (public) DNSRBLs we use hit about 90% of spam. Well-managed DNSRBLs seem an effective way to detect spam, because they have a very low false positive rate. We use DNSRBLs to mark messages (rather than reject at the SMTP server), so we can examine quarantine to check for false positives.

A further 5% can be hit by two other reputation mechanisms:

  1. SPF (which is well known) is reasonably effective, but can produce some false positives, particularly in conjunction with mailing lists.
  2. SURBL detects URLs within messages, using an underlying RBL mechanism.

Isode’s M-Switch anti-spam can hit most of the remaining spam with a variety of other spam markers and content scoring (using Support Vector Machine derived tables). General-purpose content scoring appears to work very well for many users, but aggressive checking leads to false positives for others, which can be mitigated by use of whitelists.

It seems conceivable that rates higher than 90% can be achieved using public DNSRBLs, although experience suggests that some (poorly managed) DNSRBLs lead to false positives.

Steve Kille
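The marking approach described in the post above (DNSRBL and SURBL hits recorded as markers rather than rejected at the SMTP server), sketched as an added example that is not Isode's code. The zone names `dnsrbl.example` and `surbl.example`, the injected resolver and its constructed answers are all assumptions, and the URL check queries the full hostname where a production check would first reduce it to the registered domain.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed answers standing in for live DNS; both zone names are hypothetical.
FAKE_DNS = {
    "7.113.0.203.dnsrbl.example.": "127.0.0.4",   # listed sending IP 203.0.113.7
    "pills.example.surbl.example.": "127.0.0.2",  # listed URL host
}

def fake_resolver(name):
    """Return the A record for name, or None for NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name)

def dnsrbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."

def is_listed(answer):
    """Listings are answered from 127.0.0.0/8. Any other address (for example
    a lapsed list domain that now wildcards to a parking page) is treated as
    not listed, so a badly managed list cannot flag every sender."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def url_hosts(body):
    """Collect the distinct hostnames of http(s) URLs found in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed bracketed host
            continue
        if host:
            hosts.add(host.lower().rstrip("."))
    return sorted(hosts)

def mark_message(client_ip, body, resolver,
                 ip_zone="dnsrbl.example", uri_zone="surbl.example"):
    """Return marker strings for one message. Nothing is rejected here, so
    marked mail can go to quarantine and be reviewed for false positives."""
    markers = []
    answer = resolver(dnsrbl_query_name(client_ip, ip_zone))
    if is_listed(answer):
        markers.append(f"DNSRBL {ip_zone} {client_ip} -> {answer}")
    for host in url_hosts(body):
        answer = resolver(f"{host}.{uri_zone}.")
        if is_listed(answer):
            markers.append(f"SURBL {uri_zone} {host} -> {answer}")
    return markers
```
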

We were recently briefed by Abaca, a vendor of spam control technology, on its proprietary ReceiverNet spam control algorithm. Abaca makes impressive claims for the accuracy and performance of ReceiverNet. The underlying algorithms have been explained to us under NDA, and they are very interesting. In essence — and at the risk of over-simplification — it relies on understanding the relationships between senders and recipients.

The ReceiverNet algorithm seems to be a good way of automatically generating on-the-fly, per-user whitelists and blacklists, with minimal time delay. The technology employs a more rigorous, statistical approach to this, which we found impressive. It helps to differentiate between purely-spammy senders, and those that appear to send both spam and ham email (for example, where a good sender shares an IP address with a bad sender). This should help prevent false positives.

ReceiverNet also keeps track of what proportions of good and bad email a recipient usually gets. This effectively turns every user into a fuzzy spamtrap. This aggregated data is used to weight the spam/ham decision.

Of course, this idea won’t work so well in the case when little or no data is known about the sender — the “zero-hour” problem. However, ReceiverNet also does statistical analysis of the content of known spam and ham messages. This allows it to compare known content with the content of unknown messages.

If it’s still not clear whether the message is spam or ham, ReceiverNet adds it to a separate inbox of “uncertain” messages. It’s good to see that Abaca doesn’t simply dump such messages into a huge quarantine — it’s doing what I have often suggested spam control should do: prioritize the quarantine, to show the most likely false positives first.

Of course, no shiny, new spam control technique is perfect. Over the years we’ve seen many new techniques promise much and deliver little. But we like Abaca’s approach; it’s very promising.

Richi Jennings, with Nick Shelness

Whiteboarding is the ability to work on shared files on an on-screen “shared notebook” or “whiteboard.” Whiteboarding is available in many Web services; for example, it is a part of the WebEx Web conferencing system and in tools such as Microsoft NetMeeting.

The clear benefit to a standardized approach to whiteboarding is to enable distributed use without lock-in to a single vendor or service. Presence is an important underpinning to whiteboarding to enable two or more users to initiate whiteboarding. The Internet standard eXtensible Messaging and Presence Protocol (XMPP) has been the starting point of choice for all whiteboarding standardization work to date of which we are aware.

Scalable Vector Graphics (SVG) is widely considered to be the second component of standardized whiteboarding. SVG is XML-based, extensible, widely adopted, and standardized by the W3C.

An independent demonstration of SVG-based whiteboarding over XMPP is provided by a cross-platform client called Coccinella. This offers easy-to-use whiteboarding that will work with most XMPP servers; the key capabilities for whiteboarding are in the client. The ability to work independent of the server shows a key XMPP capability to carry generic payload. Coccinella is well worth trying for anyone who wants to investigate this area.

A major initiative on SVG-based whiteboarding over XMPP has been driven by the U.S. Joint Forces Command (JFCOM), which has developed and is piloting a whiteboarding system. Transverse, the JFCOM XMPP client and whiteboarding application, is available for download here.

The JFCOM work is a major input to whiteboarding standardization by the XMPP Standards Foundation (XSF). The latest version of this specification is here.

This is one of several technical inputs, and there are a number of proposals. Most of these are based on SVG, and it seems very likely that the final standard or standards will be SVG-based. Another factor is Shared XML Editing (SXE), which is being standardized to enable multiple users to edit a single document. The requirements for SXE are described in XEP-0228. A key architectural decision for whiteboarding is whether to build it over SXE or as an independent whiteboarding specification.

Although there is not yet an agreed-upon final standard, it is clear that XMPP is the direction for standardized whiteboarding.

Steve Kille

Whether or not you or I believe BorderWare’s amazing claim that it filters 98% of spam using reputation alone, it’s clear that reputation is increasingly important.

No surprise there, but what’s the implication on legitimate email users?

As more and more spam filtering relies on your reputation as an email sender, your reputation gets more and more important. Lest we forget, most spam is sent by malware-infected zombies, some of which could be on your network.

That’s why outbound spam filtering is increasingly important. It’s not just about being a good ‘net citizen--you need it to protect your reputation.

If you don’t keep a lid on spam exiting your network, your reputation will be trashed. In crude terms, your outbound IP addresses will be blacklisted, meaning your ability to send email to your legitimate business contacts will be severely limited.

If a few of your users are unwittingly sending spam, then all of your users will have serious trouble sending legitimate email.

Of course, an outbound spam filter can’t, by definition, use sender reputation. It has to rely primarily on content filtering. Those who claim that reputation is the be-all-and-end-all of spam filtering are missing an important point.

Richi Jennings, with thanks to Proofpoint’s Andrew Lochart and David Stanley

Web conferencing is a valuable Internet technology that allows users to connect globally, sharing files, presentations, and any software running on the desktop. Major players in this market are WebEx (recently purchased by Cisco), Microsoft LiveMeeting, and Citrix GoToMeeting. WebEx, LiveMeeting, and GoToMeeting are fee-based services sold to enterprises.

Now a new company, Dimdim, is offering a free Web conferencing product. Dimdim’s new product offers an attractive price (free!), advanced features for sharing presentations and desktops, as well as built-in VoIP communication and video streaming. I gave Dimdim a quick trial run and found it very easy to use, and the performance was excellent.

The Dimdim offering is significant because it makes a sophisticated communication tool available to everyone. Now organizations and individuals can enjoy the benefits of effective global communication without leaving their home or office.

Sounds like another technology to help keep planet Earth green. I wonder if Al Gore has tried it?

Bob Spurzem

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers’ inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare’s quoted statistic is 98.3%. Wow, that’s a lot, especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally expensive.

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (“BorderWare Security Network,” soon to be rebranded as “Reputation Authority”).

These days, new zombie spam sources don’t hang around to be detected. They get sending as soon and as fast as they can--botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact in the spam economy, time is money.

Richi Jennings

Splunk won “Best of Interop” in the Network Management, Software, and Services category. With more than 450 enterprise customers and a lot of momentum, this is a company to watch.

Splunk brands itself as “IT Search” with the ability to search log files, configuration files, messages, traps, alerts, scripts, and metrics. Essentially it seems to be focused on search targeted at the IT administrator and related staff.

This kind of technology is very important from a compliance perspective. Organizations that need to prove who accessed a file must go to logs to find that data. Companies tasked with legal discovery need to present logs that support their case. And organizations interested in simply finding out what is going on in their IT infrastructure must go to logs--or reports based on those logs--for an accurate representation of what’s happening.

Probably why Splunk was a slam dunk for the award at Interop.

David Sengupta

Moore’s Law discusses the exponential growth of electronic circuits. Perhaps email is another case where Moore’s Law applies.

Consider email quantity. Where once we sent and received only a handful of emails daily, today we routinely send and receive hundreds of emails. You might argue that the volumes are increasing exponentially. Then again, you might argue that for many people, the volume is more or less stable, or increasing linearly.

Email attachments are a better example. Initially email attachments were nonexistent or quite small (<10KB). Now attachments are very common and can easily be 1-10MB in size. What will it be like when we are sending rich media files that are hundreds of megabytes (or gigabytes) in size?

Finally, consider mailbox size. A 10MB mailbox was once the norm and was replaced with 100-200MB mailboxes in recent years. Today users expect multigigabyte mailboxes, made famous by Google’s Gmail.

Such growth in email directly impacts email server performance and capacity. Consider the latest version of Microsoft Exchange 2007. Today Exchange can easily support 1GB mailboxes and 10MB attachments. How will it support 10GB mailboxes and 100MB attachments in the future?

Bob Spurzem

I attended Microsoft’s inaugural INTERACT2008 conference in San Diego earlier in April. While Office Communications Server (OCS) was the clear focal point for the event, Microsoft’s Exchange Server 2007 received good coverage as well.

Two tidbits I noted from a compliance standpoint:

  • Microsoft Exchange team has adopted a Protect, Preserve, Discover, Prove framework for compliance.
  • Microsoft OCS team made it clear that OCS is not a platform for compliance. Third-party archives are currently the only solution in this area.

Kudos to Bob Maher, Terry Myerson, Gurdeep Singh Pall, and the entire UC team at Microsoft on pulling off a quality event and attracting a very focused audience.

David Sengupta

I moderated a webinar earlier this week. It was intended to be a press-only event, to support Abaca’s recent launch of ReceiverNet. Inevitably with these things, a few non-press register, but that’s perfectly OK.

The thing that really surprised me was that non-press outnumbered the press folks two-to-one. There also seems precious little spam-related on publications’ editorial calendars.

Doesn’t the mainstream media care about spam any more? Certainly their readers do, as evidenced by the continuing churn in the spam filtering marketplace.

Any thoughts? Leave a comment; we’d love to hear what you think.

Richi Jennings

You’re probably flooded with inbound emails. Managing thousands of emails is time consuming, error prone and extremely frustrating. Plus it diverts you from more important tasks. Two new tools aim to make life easier.

The first is ClearContext. Its product is named Information Management System (IMS). This is an Outlook add-on that analyzes a user’s email to determine the importance of messages and contacts. A clever color scheme is used to prioritize incoming messages and organize messages into easy-to-manage projects. For example, a message from a sender to whom a user responds quickly is deemed critical and marked in red.

The second is Xobni. Its product is Xobni (Inbox spelled backwards). This is an Outlook add-on that includes a fully indexed high-speed search and organizes email based on conversations. Xobni’s analytics capture email history and display a list of parties involved and provide information about the sender. Xobni also adds a tab to Outlook’s interface and provides reports about email frequency to response times and actions taken.

If you’re suffering from mail overload, we recommend you take a look at these new products.

Bob Spurzem

Attachments are one of the reasons for Exchange storage growth. People use Exchange email to send files to co-workers and customers, and depending on the file content (e.g., text, pictures, audio, video), these files can be quite large. Files in the 30MB-50MB range are becoming common. This causes rapid Exchange store growth and strains Exchange resources.

An alternative exists for sending files and it comes free of charge. These companies provide free online services for file delivery:

There are other such services, and these are typical of the digital content delivery solutions available online. I tried YouSendIt and was able to send a large 7MB PowerPoint file to my email account in just minutes. The process was simple, fast, and free of charge. The other services appear to provide the same ease of use and performance.

These services can help when users need to send attachments that exceed Exchange send/receive limits. By default, these are 10MB. Rather than remove or extend the limits, users can take advantage of one of the online delivery solutions. In the long run, Exchange needs greater storage capacity. In the meantime, this approach satisfies users’ business needs without sacrificing Exchange performance.

Bob Spurzem

ClamAV is an open source, free anti-virus tool, designed for email scanning on mail gateways.

It is owned by Sourcefire, which employs the ClamAV developers and provides commercial support for ClamAV.

The most important capability of an anti-virus product is to be able to remove a high percentage of viruses, including rapid reaction to new viruses.

A test by Untangle put ClamAV as one of the top three (along with Kaspersky and Symantec). This test generated a lot of controversy, with some arguing the test methodology to be flawed and others suggesting that commercial vendors are trying to suppress a free alternative.

A comment from AV-Comparatives, which provides independent testing, gives useful insight in explaining why it does not include ClamAV in its standard list. AV-Comparatives notes that ClamAV is not designed or suitable for use on an end system, but is designed to detect spreading viruses, and has a very good response rate to new threats. This is confirmed in its report and other references on the net.

ClamAV detects phishing attacks, as well as conventional viruses and worms. During one day’s operation on the Isode servers, the following viruses and phishing attacks were detected:

  • Exploit.HTML.IFrame: 10 Time(s)
  • Exploit.WMF: 6 Time(s)
  • HTML.Phishing.Auction-144: 1 Time(s)
  • HTML.Phishing.Auction-222: 2 Time(s)
  • HTML.Phishing.Bank-1232: 1 Time(s)
  • HTML.Phishing.Bank-474: 18 Time(s)
  • HTML.Phishing.Pay-36: 1 Time(s)
  • W32.Sality.Q-1: 5 Time(s)
  • Worm.Mydoom.I: 1 Time(s)
  • Worm.Mydoom.M: 4 Time(s)
  • Worm.SomeFool.AA-2: 9 Time(s)
  • Worm.SomeFool.D: 1 Time(s)
  • Worm.SomeFool.P: 17 Time(s)
  • Worm.Stration.YY: 1 Time(s)
  • Worm.Womble.D: 8 Time(s)

The integration with an email gateway is straightforward and efficient. This is important for gateway/boundary use. A number of AV vendors are focusing on appliance and “complete solution,” and either dropping or reducing support for integration with other products.

ClamAV is a good anti-virus option for boundary checking.

Steve Kille

This was sent to me anonymously. However, it seems reliable and well-founded.

“Zantaz had a couple more layoffs this year across multiple departments such as QA, engineering and services. People also have been leaving voluntarily at all levels from Boston and Pleasanton offices. More people will leave, especially from the Boston office as they have been overworked and some are ‘forced’ to work over 80+ hrs a week without additional compensation. Annual performance review has been eliminated, some say to ensure that employees will not receive compensation adjustments.”

Thoughts:

  • The recent acquisition of Zantaz by Autonomy is proving painful for many people.
  • There appears to be a culture conflict between Autonomy and Zantaz.
  • Zantaz developed quite a strong channel. Autonomy appears to have little interest in this.

David Ferris