No surprise there, but what’s the implication on legitimate email users?

As more and more spam filtering relies on your reputation as an email sender, your reputation gets more and more important. Lest we forget, most spam is sent by malware-infected zombies, some of which could be on your network.

That’s why outbound spam filtering is increasingly important. It’s not just about being a good ‘net citizen--you need it to protect your reputation.

If you don’t keep a lid on spam exiting your network, your reputation will be trashed. In crude terms, your outbound IP addresses will be blacklisted, meaning your ability to send email to your legitimate business contacts will be severely limited.

If a few of your users are unwittingly sending spam, then all of your users will have serious trouble sending legitimate email.

Of course, an outbound spam filter can’t, by definition, use sender reputation. It has to rely primarily on content filtering. Those who claim that reputation is the be-all-and-end-all of spam filtering are missing an important point.

… Richi Jennings, with thanks to Proofpoint’s Andrew Lochart and David Stanley

Now a new company, Dimdim, is offering a free Web conferencing product. Dimdim’s new product offers an attractive price (free!), advanced features for sharing presentations and desktops, as well as built-in VoIP communication and video streaming. I gave Dimdim a quick trial run and found it very easy to use, and the performance was excellent.

The Dimdim offering is significant because it makes a sophisticated communication tool available to everyone. Now organizations and individuals can enjoy the benefits of effective global communication without leaving their home or office.

Sounds like another technology to help keep planet Earth green. I wonder if Al Gore has tried it?

… Bob Spurzem

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare’s quoted statistic is 98.3%. Wow, that’s a lot, especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally expensive.

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (”Borderware Security Network,” soon to be rebranded as “Reputation Authority”).

These days, new zombie spam sources don’t hang around to be detected. They get sending as soon and as fast as they can--botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact in the spameconomy, time is money.

… Richi Jennings

Splunk brands itself as “IT Search” with the ability to search log files, configuration files, messages, traps, alerts, scripts, and metrics. Essentially it seems to be focused on search targeted at the IT administrator and related staff.

This kind of technology is very important from a compliance perspective. Organizations that need to prove who accessed a file must go to logs to find that data. Companies tasked with legal discovery need to present logs that support their case. And organizations interested in simply finding out what is going on in their IT infrastructure must go to logs--or reports based on those logs--for an accurate representation of what’s happening.

Probably why Splunk was a slam dunk for the award at Interop.

… David Sengupta

Consider email quantity. Where once we sent and received only a handful of emails daily, today we routinely send and receive hundreds of emails. You might argue that the volumes are increasing exponentially. Then again, you might argue that for many people, the volume is more or less stable, or increasing linearly.

Email attachments are a better example. Initially email attachments were nonexistent or quite small (<10KB). Now attachments are very common and can easily be 1-10MB in size. What will it be like when we are sending rich media files that are hundreds of megabytes (or gigabytes) in size?

Finally, consider mailbox size. A 10MB mailbox was once the norm and was replaced with 100-200MB mailboxes in recent years. Today users expect multigigabyte mailboxes, made famous by Google’s Gmail.

Such growth in email directly impacts email server performance and capacity. Consider the latest version of Microsoft Exchange 2007. Today Exchange can easily support 1GB mailboxes and 10MB attachments. How will it support 10GB mailboxes and 100MB attachments in the future?

… Bob Spurzem

Two tidbits I noted from a compliance standpoint:

• Microsoft Exchange team has adopted a Protect, Preserve, Discover, Prove framework for compliance.
• Microsoft OCS team made it clear that OCS is not a platform for compliance. Third-party archives are currently the only solution in this area.

Kudos to Bob Maher, Terry Myerson, Gurdeep Singh Pall, and the entire UC team at Microsoft on pulling off a quality event and attracting a very focused audience.

… David Sengupta

The thing that really surprised me was that non-press outnumbered the press folks two-to-one. There also seems precious little spam-related on publications’ editorial calendars.

Doesn’t the mainstream media care about spam any more? Certainly their readers do, as evidenced by the continuing churn in the spam filtering marketplace.

Any thoughts? Leave a comment; we’d love to hear what you think.

… Richi Jennings

The first is ClearContext. Its product is named Information Management System (IMS). This is an Outlook add-on that analyzes a user’s email to determine the importance of messages and contacts. A clever color scheme is used to prioritize incoming messages and organize messages into easy to manage projects. For example, a message from a sender to whom a user responds quickly is deemed critical and marked in red.

The second is Xobni. Its product is Xobni (Inbox spelled backwards). This is an Outlook add-on that includes a fully indexed high-speed search and organizes email based on conversations. Xobni’s analytics capture email history and display a list of parties involved and provide information about the sender. Xobni also adds a tab to Outlook’s interface and provides reports about email frequency to response times and actions taken.

If you’re suffering from mail overload, we recommend you take a look at these new products.

… Bob Spurzem

An alternative exists for sending files and it comes free of charge. These companies provide free online services for file delivery:

• YouSendIt
• Megaupload
• DropSend

There are other such services, and these are typical of the digital content delivery solutions available online. I tried YouSendIt and was able to send a large 7MB PowerPoint file to my email account in just minutes. The process was simple, fast, and free of charge. The other services appear to provide the same ease of use and performance.

These services can help when users need to send attachments that exceed Exchange send/receive limits. By default, these are 10MB. Rather than remove or extend the limits, users can take advantage of one of the online delivery solutions. In the long run, Exchange needs greater storage capacity. In the mean time, this approach satisfies users’ business needs without sacrificing Exchange performance.

… Bob Spurzem

It is owned by Sourcefire, which employs the ClamAV developers and provides commercial support for ClamAV.

The most important capability of an anti-virus product is to be able to remove a high percentage of viruses, including rapid reaction to new viruses.

A test by Untangle put ClamAV as one of the top three (along with Kaspersky and Symantec). This test generated a lot of controversy, with some arguing the test methodology to be flawed and others suggesting that commercial vendors are trying to suppress a free alternative.

A comment from AV-Comparatives, which provides independent testing, gives useful insight in explaining why it does not include ClamAV in its standard list. AV-Comparatives notes that ClamAV is not designed or suitable for use on an end system, but is designed to detect spreading viruses, and has a very good response rate to new threats. This is confirmed in its report and other references on the net.

ClamAV detects phishing attacks, as well as conventional viruses and worms. During one day’s operation on the Isode servers, the following viruses and phishing attacks were detected:

• Exploit.HTML.IFrame: 10 Time(s)
• Exploit.WMF: 6 Time(s)
• HTML.Phishing.Auction-144: 1 Time(s)
• HTML.Phishing.Auction-222: 2 Time(s)
• HTML.Phishing.Bank-1232: 1 Time(s)
• HTML.Phishing.Bank-474: 18 Time(s)
• HTML.Phishing.Pay-36: 1 Time(s)
• W32.Sality.Q-1: 5 Time(s)
• Worm.Mydoom.I: 1 Time(s)
• Worm.Mydoom.M: 4 Time(s)
• Worm.SomeFool.AA-2: 9 Time(s)
• Worm.SomeFool.D: 1 Time(s)
• Worm.SomeFool.P: 17 Time(s)
• Worm.Stration.YY: 1 Time(s)
• Worm.Womble.D: 8 Time(s)

The integration with an email gateway is straightforward and efficient. This is important for gateway/boundary use. A number of AV vendors are focusing on appliance and “complete solution,” and either dropping or reducing support for integration with other products.

ClamAV is a good anti-virus option for boundary checking.

… Steve Kille

“Zantaz had a couple more layoffs this year across multiple departments such as QA, engineering and services. People also have been leaving voluntarily at all levels from Boston and Pleasanton office. More people will leave, especially from the Boston office as they have been overworked and some are “forced” to work over 80+ hrs a week without additional compensation. Annual performance review has been eliminated, some say to ensure that employees will not receive compensation adjustments.”

Thoughts:

• The recent acquisition of Zantaz by Autonomy is proving painful for many people.
• There appears to be a culture conflict between Autonomy and Zantaz.
• Zantaz developed quite a strong channel. Autonomy appears to have little interest in this.

… David Ferris

Trend is applying the 80/20 rule. It promotes a hybrid approach, with the hosted service implementing only a first level of spam filtering based on reputation. This filters roughly 80% of the inbound spam. The remaining email is passed on to spam filtering appliances on the customers’ premises, to deal with the other 20%.

The on-premise appliance can therefore be more easily customized to conform to local policy. When it comes to filtering spam using content, it’s best to have an understanding of the types of legitimate content that the organization sends and receives. The obvious example is medical organizations, which may well expect to receive email about a certain blue pill whose name begins with V.

Of course, organization-specific customization can be done in the cloud. There’s nothing intrinsic about it that forces it to be on-premise, but this split in responsibilities seems to have merit.

… Richi Jennings

VSN is the Voltage Security Network, and it isn’t new. It’s a hosted service that implements the key management for Voltage-style identity-based encryption (IBE). The idea is that instead of on-premise key management, you centralize the key generation in the cloud. This is similar to the architecture used by Identum (now part of Trend Micro). It’s the “Connected” part that’s new.

There’s a class of customer that wants to do outbound encryption at the gateway--possibly driven by local policy--but doesn’t want to provide the decryption service to nonlocal users. This type of hybrid architecture is what Connected VSN is for.

The sender has an on-premise Voltage appliance that manages keys and performs outbound encryption. Recipients then use the VSN service hosted by Voltage to decrypt the message.

… Richi Jennings

It’s an interesting claim, but of arguable merit. However, there are other aspects that are worth talking about:

• This key will self-destruct. If you try to disassemble it, or if you enter the wrong password too many times, the IronKey doesn’t just wipe itself, it destroys the flash memory, making it worthless.
• It’s not just a device, but also a service. If you register the device on IronKey’s Web site, the company offers password recovery/escrow and access to IronKey’s own Tor anonimizing network (i.e., a private network, not the usual public one).
• It also acts as a 2FA device. A firmware update will add the necessary logic to make it act as a VeriSign VIP device, for two-factor authentication. An “enterprise” version of the device will also have similar support for RSA SecurID.

Shipping now for Windows XP and Vista. Mac and Linux support are “nearly ready.”

… Richi Jennings

It works by calculating symmetric private keys; that is, it doesn’t use a public/private key pair. Each party in a transaction has a private key, which it presents to a trusted intermediary. The pair of keys defines a series of encryption keys, to be used in sequence.

2factor says the benefits are:

1. Very fast encryption (the calculations can be done using register arithmetic); perhaps 100x as fast as Diffie-Hellman, for example.
2. Provably secure, unlike elliptic curves, for example.
3. The trusted-intermediary architecture can be generalized, permitting a federated model.

… Richi Jennings

Aside from the recent $20 million funding round and the additional 40 employees hired already this year, he reminds us that Proofpoint recently launched a hosted email security service, Proofpoint on Demand. This means that Proofpoint now offers its technology as a service, as software, as an appliance, and as a virtual appliance (a virtual machine image of the appliance).

Sticking with what seems to be a “hybridized” theme in my recent bulletins, customers can mix and match the different form factors, while still managing them all from a single console. Handy, that.

… Richi Jennings

DDB Canada, a marketing communications company, has implemented a novel policy in an effort to thwart this behavior. Similar to soccer, they have implemented a carding system. Fellow employees are encouraged to flash a Yellow Card to employees caught using their mobile devices during internal or client meetings. Two yellow cards for an employee results in a Red Card. The penalty for a Red Card is that the employee has to pay the service fees for their mobile device for that particular month. Ouch.

… Colin R. Bush

Hosted email archiving solutions like Google’s compete with in-house email archive solutions on cost and quick deployment. The Google offering is priced at $25 per user per year, aligned with the cost of in-house solutions. This does not take into account the cost of provisioning an in-house solution.

The archiving service appears quite nice, based on a quick look. It’s substantially more than just a crude index of emails sent over the Internet via Cisco/Postini’s spam filtering service. Plus it’s got Google’s name on it. Good to have Google in the world of e-disco.

… David Ferris

Consider how Exchange has evolved. When mailboxes were tens of gigabytes in size, hundreds of mailboxes could be managed on a single CPU machine. As mailboxes grew to hundreds of megabytes, more powerful dual- and quad-processor machines were needed. Now with the latest Exchange version 2007 and 64-bit machines, gigabyte mailboxes are supported, but it is still not enough.

A quick fix is to improve the way users manage email:

• Users should always delete email once it is no longer needed.
• The deleted folder should be emptied each day.
• Users should file their email and avoid filling the Inbox. If the Inbox (and the Sent Items folder) is allowed to grow to thousands of items, Outlook performance is severely crippled.
• Do not store email in PST files. PST files are easily lost and are costly to access for discovery.

However, such measures are often (rightly) resisted by users.

For the last few years, the solution has been email archiving. Email archiving moves email, based on age and size, from Exchange to the archive. In this way, Exchange storage is reduced and long-term email storage is now the responsibility of the archive. Email in the archive remains accessible via Outlook and OWA, so users can still look up and read old email when needed.

My sense is that storage management will gradually become less of a driver for Exchange archiving. My sense is also that five years out, Exchange will let users have mailboxes the size they want them to be. Archiving will still be important, indeed a necessity, but it won’t be as a fix to storage management problems.

… David Ferris

The architects of an archival and e-discovery product or service have to solve a number of difficult technical problems. These include, but are not limited to:

1. Disaster tolerance
2. Suitably fast accession (i.e., indexing)
3. Suitably fast search
4. Iron-clad security
5. Assured destruction (at the end of a retention period)

The first three are, in general, solved much more economically by a shared service. This is because a shared service can more economically maintain storage across multiple data centers, and employ large grids of parallel computers to perform both accession and search (think Google). The fourth is more easily solved by an on-customer-premise product, while the fifth is a nightmare for both the architects of shared services and on-premise products.

Fortiva, as a well architected shared service, is able to economically offer disaster tolerance — at least two copies of each archived record are maintained on RAID disk storage at a customer’s primary Fortiva data center, while at least one other copy is maintained on RAID disk storage at another, remote, Fortiva data center. Their data centers are also equipped with sufficient shared processing power to operate suitably rapid accession and search. This is not what is unique to Fortiva; other archival and e-discovery services can take a similar approach. Whether they have done so to date is an open question.

What is unique to the Fortiva service is the vendor’s approach to providing iron-clad security. Their solution is provided by an array of one or more on-customer-premise appliance/s that perform five tasks:

1. An appliance extracts the search terms (words) in a record and individually encrypts them using a long-lived key. These encrypted words will be passed to the Fortiva accession service, which will employ them to index the record.
2. It encrypts the entire record, again using a long-lived key before passing that record to the Fortiva service for storage.
3. It employs Active Directory-based policies and Windows credentials to control access to the fourth task (see task 4 following).
4. It constructs search queries using encrypted search terms (see task 1 above).
5. It accesses and decrypts records referenced by a search query (see task 4 above) response.

Fortiva is not particularly forthcoming about how it encrypts search terms (tasks 1 and 4 above) - it’s the company’s secret sauce.

In addition to employing appliance-based encryption to ensure the privacy of customer data (both record and index), the Fortiva service also employs encryption to effect assured destruction. All records received by the Fortiva service, and we believe (Fortiva has not confirmed this) all full text indices maintained by the Fortiva service, are encrypted using a time-dependent (monthly) symmetric encryption key. If they are encrypted, then index blocks are decrypted using the same time-sensitive key in order to perform matching, as are records which are decrypted before being returned to an appliance.

At the end of a retention period, the time-sensitive keys employed to encrypt both record data and full text indices for that period are destroyed by the Fortiva service. This destruction must be total! Once a time-sensitive key is destroyed, any and all data encrypted with it can no longer be decrypted, and thus the data is assuredly destroyed. There is no need, given this approach, to physically scrub, or otherwise destroy, bits on physical media in order to achieve assured destruction!

…Nick Shelness