Pennsylvania’s chief information security officer, Robert Maley, has been fired after disclosing information on an incident involving the Commonwealth’s online driving exam scheduling system, in which a driving school manipulated a weakness in the system to move appointments for its students ahead of others.
To reiterate: the incident involved the state’s ONLINE DRIVING EXAM SYSTEM. The remarks were made at a panel discussion at RSA earlier this month on state cybersecurity.
While we understand the need for a certain level of discretion on cybersecurity topics, especially when they have to do with our government, this incident was not a threat to America’s security or livelihood by any stretch.
It was nothing more than an embarrassing moment for the state of Pennsylvania.
But what has us extremely worried here has been the firing of Maley and the subsequent “lockdown” on talking about cybersecurity by state officials in PA.
Does a lack of dialogue surrounding cybersecurity really make businesses and government agencies a more secure place? In some instances, yes – let’s not advertise huge gaping holes in our government’s cyber network.
But in this situation, the answer is a resounding NO. How are we going to fix the “gaping holes” if we simply ignore them?
What better opportunity to discuss the complex issues surrounding securing our businesses’ and government’s cyber infrastructure than with the non-life threatening example Maley brought up of the state’s online driving exam system?
By stifling the dialogue on cybersecurity, Pennsylvania is doing businesses and internet users a disservice - and passing up an opportunity to educate the public on cybersecurity vulnerabilities and dangers.
Remember - if you send us an idea for a topic you'd like us to cover here, and we post an entry on it - we'll send you a super sweet Revolutionary Mail Enhancement t-shirt FREE. It will enhance your life. Make one yours today by sending us your topic idea using the feedback box to the left.
Scareware May be the Most Costly Security Scam of 2010
Written by Save the Mail!
Friday, 12 March 2010 00:20
Scareware attacks have been gaining momentum over the last two years, but it looks like they may take front and center stage in 2010 as the most costly security scam, according to new information provided by McAfee here.
Scareware instances have increased by 660% over the past 2 years and 400% in the last 12 months. And it’s no coincidence – there is some serious cash to be made here.
According to Francois Paget, a security research expert with McAfee Labs, “one company known as ‘Innovative Marketing’ made an estimated $180 million through these scams in one year, and more than four million consumers purchased their fake security software thinking it was real.”
Scareware has been around since as early as 1991, but has only grown “legs” in the last few years – now that users know they NEED to protect their computer, criminals are taking advantage of it. And it’s paying off (ergo it will continue).
Don’t let it happen to you or your users: check out this quick guide on how to protect yourself from these types of attacks and stay safe out there!
Introducing Groove and Dude in: Where are Your Totally Awesome Emails Going?
Written by Save the Mail!
Wednesday, 10 March 2010 17:56
In our first ever installment of Groove and Dude, Groove asks the age old question: why do totally awesome emails get blocked by those gnarly content filters?
When you can't get that totally righteous recipe for Chicken from your best mate, it might be time to consider a different approach to your email security solution.
Email end-users are tired of bugging an IT person for help finding that latest missing email (think email false positives) – but we think you brave email users are more than capable of handling your email yourself.
You seem to manage just fine with your Facebook and LinkedIn accounts – deciding without the help of an IT person who you’d like to communicate with. And while we may occasionally hear from people we don't want to, none of us have managed to take the system down yet.
So Dude, why can’t people have the same ability with email? (Video created using the very fun Xtranormal program)
Cyber Attacks Cost Businesses an Average of 1.9 Million Dollars Last Year
Written by Save the Mail!
Thursday, 25 February 2010 19:40
The UK’s Telegraph is reporting that nearly 42% of businesses surveyed for a Symantec security report lost confidential or proprietary data during 2009. And an even higher percentage – 75% of respondents – reported experiencing some type of cyber crime during the last 12 months.
What this boils down to? An average loss of 1.2 Million Pounds (1.9 Million Dollars) PER COMPANY during 2009.
Financial loss totals were assessed based on a number of factors including lost revenue, loss of customer relationships and damage to their firm’s brand.
While some might find these figures surprising, in light of recent situations some may wonder why the dollar amount wasn’t steeper. Increasingly, these types of events are becoming all too common - and front and center news.
Two of the most prominent (and recent) examples that come to mind are Google and Intel.
On January 12th of this year Google reported that it had been the victim of “sophisticated cyber attacks” that originated from China. As a result Google threatened to shut down offices in China and stopped cooperating with Chinese censorship laws.
More recently (this past Tuesday to be exact), Intel announced in a filing with the US Securities and Exchange Commission that a “sophisticated [attack] incident” had occurred (around the same time as the attacks on Google). While no further details were provided on the incident, it’s hard to imagine that no price tag was attached to it if they felt compelled to report it to the SEC.
While these Fortune 500 companies are much larger targets than the majority of companies out there, they’re also clear examples that no organization is immune from attack. And when attacks occur – they are costly.
Prevention will always be the best form of protection here. Has your organization taken the proper measures to plan for and protect against these types of attacks? If you haven’t, begin assessing vulnerabilities immediately and put a plan in place to address them.
We’re in the midst of the Winter Olympics - a time when people slip into a near state of worship, gravitating around a group of twenty-somethings in the best shape of their lives.
It’s a time where we find ourselves on the edge of our seat, watching sports we weren’t quite sure existed just two weeks ago, in awe of the human beings in front of us.
Olympic athletes are loved, and those talented enough to win medals are treated as heroes - welcomed back to their home country with a press schedule and endorsement contracts.
But if you happen to be Australian skier Dale Begg-Smith, Olympic silver medalist on the moguls, you won’t be so lucky.
Currently being called a “traitor” and “sourpuss,” fans can’t seem to move past his last occupation as spam mogul – running a company called AdsCPM that used malicious adware to deliver 20 million pop-ups a day.
I guess we can add “spammer” to the list of things that just generally anger the public. We’re going to slide it just below cheating on your wife and just above athletes on steroids.
Some background: Last week Amir Lev posted an attention-grabbing blog on Computerworld that posed some interesting questions that have surrounded challenge-response email protection systems for years, but didn’t quite grasp the whole story on how this technology really operates today.
The blog entry in its entirety can be found here. We touched on this in an entry last week, but there is still some valuable ground to cover.
We won't make the argument here that challenge-response technology is the be-all end-all of email security (that goes against the philosophy of this blog, and the philosophy of this writer) – but it is far from the apocalyptic solution Lev describes and a huge step up from many of the “anti-spam” solutions on the market today.
When challenge-response technology is implemented properly it can be a valuable tool within a comprehensive email security solution – a mechanism to support a powerful dynamic whitelist, not a clunky auto-responder that ushers emails into an abyss.
Here we dive deeper into the shakiest parts of Lev's argument in a short series touching on some of the most common myths surrounding CR technologies…
Myth 1: Users Will Lose Legitimate Email
Myth 2: Outbound Email will Not be Delivered
Myth 3: CR Pollutes the Internet with More Spam
Myth 4: Cumbersome CAPTCHAs
Myth 5: CR Hurts Email Users Whose Email has Been Spoofed
Don't forget to send us your feedback and score a Save the Mail t-shirt! It will make the mundane seem fresh and the difficult easy. Get started using the handy box to the left.
Otherwise known as Category Number 1 below (“the con,” see Email Abuse: Cons, Attacks, Phish). 419 scams are in essence a type of advance-fee fraud that is conducted over email - offering a large payoff for a small amount of work. If the victim “accepts,” he/she ends up fronting cash in the hopes of payoff that will never happen.
While many pose the obvious question, who responds to these messages?, the answer is quite chilling: in 2009 alone victims lost a collective $9.3 billion to these scammers. That’s right, billion. To date we’ve dropped $41 billion on these guys, at a growth rate of 5% each year.
To all those who think this resurgence will be short lived and that the general public has “wisened up” – think again. As always, be smart with your email:
NEVER provide personal or confidential information via email (e.g. bank numbers, addresses, social security numbers etc.)
If it sounds too good to be true IT PROBABLY IS – delete it. If your long lost uncle from the UK actually had left his entire inheritance in your name, wouldn’t they have a better way to contact you than that yahoo address of yours?
A more complete collection of tips to spot these messages, and ways to avoid them can be found here. Stay safe out there!
Email Abuse: Cons, Attacks, Phishes, and oh yes "spam"
Written by Save the Mail!
Monday, 15 February 2010 23:49
Spam. Lately there has been a great deal of confusion around the term – but here friend of Save the Mail Tim comes to the rescue with some much needed insight on the term, and email abuse in general.
To really dive into where email is at today, we first have to dive into where it all started. And in the case of email, that goes back to the 60s and 70s when an email communications network was assembled for use almost exclusively by research scientists. The goal of email was simple: get work done – faster & more easily.
But in 1978 one man realized that this network happened to be the target audience for a new product he was selling (a digital mainframe) and he sent an “unsolicited, commercial email” to this entire database. When Gary Thuerk, “father of spam,” sent this short note out, spam was born.
And today, we find our inboxes cluttered with messages, many of which we don’t even want. But few of these messages are “commercial” in nature. In fact, increasingly these messages fall into 1 of 3 categories:
A flat out CON (those messages hawking Viagra, fake replica watches, or Canadian pharmaceuticals)
A phishing attempt (those messages trying to obtain personal information via email)
True attack messaging (those messages trying to sneak a Trojan or virus into your system)
Unfortunately, no friendly message from Gary Thuerk in the mix here: it is flat out EMAIL ABUSE. Check out the video above for the whole story.
Over the next few weeks you’ll see more and more of these popping up and we hope you find each of them both interesting and useful (if you don’t – let us know!). The world of email is growing increasingly complicated and our goal here will be to arm you with the knowledge you need to protect yourself and participate in the conversation.
Wow. This is a serious business problem (abuse of email) reduced to the same type of partial truths, misdirection, and self-serving spin that radical liberals and reactionary conservatives use to discuss politics. Any time you see sarcasm in a debate, check the facts.
CR is used to manage white lists. If I know you, if I do business with you, if I ever send you a message, you are already on my white list. So, everybody I already communicate with NEVER gets a challenge. Instead, everything you send me gets delivered without risk of being mislabeled as "spam" by a content filter, with no administrative overhead.
If you are someone I don't know, and you are interested in establishing a relationship with me via email, when you send me your first message I run through an integrity check process for BOTH of our benefit. Within seconds, I test your message with a variety of techniques (are you a legitimate sending server; does the message come from a valid domain; check for spoofing; etc.) and if everything looks good, I send out a CR message. It asks you to confirm, ONE TIME, that you are a real person and not simply software, so that I can automatically add you to my white list and thereby guarantee your important messages won't get lost. This is good for both of us. (Oh, and no CAPTCHA required. That is old tech. Just hit Reply)
If you are a "spammer," 97%+ of the time your message fails the basic integrity checks, so your abuse message is simply dropped. These checks are totally deterministic (pass/fail) and not probabilistic (statistical guessing), so there are no "false positives" or "false negatives." For three messages in 1,000, a challenge request is sent out, with two possible results. Since spammers use botnets and other compromised systems as sending servers, their sender addresses are always forged. If the sender address doesn't actually exist, the challenge goes nowhere. If the sender address was stolen, the legitimate owner (what Amir calls the "innocent user") receives the challenge message. This tells them that their address has been compromised, which you would think they would be interested to know about. Since there is no response to the challenge, the original abuse message gets dropped. No downside here at all.
Now, Amir labels the 3 challenge messages that are sent out against the 1000 incoming messages as "backscatter" and "effectively spam" but uses an illogical argument. The Internet email protocol SMTP (like all IP protocols) is not really like dropping a letter with a stamp in the postbox on the corner: a one-step one-way transaction. With email, the sending server and receiving server go through a whole back-and-forth request-acknowledgment IP dialog setting up the communications process. Actual challenge messages have no measurable impact on overall Internet message volume.
But there certainly is a problem, which Amir points out. However, if people with his mindset (CR is inherently bad; the earth is the center of the universe) start with a faulty premise, they typically reach a faulty conclusion. The issue: if you design spamtraps, content filters and reputation services with the presumption that challenges are bad, those systems are poisoning what is actually a highly effective process. A challenge message is not "unsolicited commercial email" so categorizing it as "spam" is a fundamental design flaw in those systems. "Branding" the users of CR systems as spammers and therefore mishandling the legitimate email is a mistake by the reputation systems, and sure sounds like true persecution of "innocent users." All of the "lost mail" that Amir refers to is caused by other ill-conceived systems, not the CR process.
So, if someone I don't know sends me an email (asking for the privilege of getting into my inbox), and then "can't be bothered responding" to a challenge that actually helps both of us, how should I view that potential relationship? Or, if I'm in Sales and I worry that a challenge message might somehow make a new prospect feel uncomfortable or confused (because they read the emotional hatemail that the concept seems to create), maybe I should simply have the challenge feature turned off for my address while allowing everyone else in my organization to be free from email abuse.
In practice, businesses who use CR systems seem to love them because they are amazingly effective with virtually no administration. It is interesting that the most vocal critics of the concept are people with a vested interest in potentially competitive products like content filters and reputation services. Amir's closing "absurdum" comment pretty well sums up the substitution of emotional argument for actual logic: "if everyone used CR, email would become unusable" due to an infinite "loop." Reality is: in a brand new email relationship, (1) if you send me a message, (2) your CR system automatically adds my address to your white list, (3) so when my challenge request comes back you get it, (4) and when you hit reply you are now in my white list, and (6) we will now forevermore be able to send messages back and forth with no risk of loss. No infinite loops, just reliable business communications without email abuse.
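The flow described in the comment above (whitelist on send, pass/fail checks, one challenge, release on reply) can be modelled in a few lines. This is an added example, not part of the original comment or any vendor's code; the class, function and address names are hypothetical, and the integrity checks are reduced to a single flag.

```python
# Added illustration; all names and addresses here are constructed.
from collections import deque

class CRMailbox:
    """One user's challenge-response filter (simplified model)."""

    def __init__(self, address):
        self.address = address
        self.mailed = set()      # addresses this user has written to
        self.confirmed = set()   # senders who answered our challenge
        self.inbox, self.dropped = [], []
        self.held = {}           # sender -> messages waiting on a challenge

    def _msg(self, to, kind, body=""):
        return {"from": self.address, "to": to, "kind": kind, "body": body}

    def compose(self, to, body):
        self.mailed.add(to)      # writing to someone whitelists them
        return self._msg(to, "mail", body)

    def receive(self, msg, passes_checks=True):
        """Process one inbound message; return the messages sent in response."""
        sender, kind = msg["from"], msg["kind"]
        if kind == "challenge":
            # The user hits Reply only if they really wrote to this person.
            return [self._msg(sender, "reply")] if sender in self.mailed else []
        if kind == "reply":
            if sender in self.held:          # ignore replies we never asked for
                self.confirmed.add(sender)
                self.inbox.extend(self.held.pop(sender))
            return []
        if sender in self.mailed or sender in self.confirmed:
            self.inbox.append(msg)           # known correspondent: no challenge
            return []
        if not passes_checks:                # pass/fail checks, modelled as a flag
            self.dropped.append(msg)
            return []
        first = sender not in self.held      # challenge a new sender only once
        self.held.setdefault(sender, []).append(msg)
        return [self._msg(sender, "challenge")] if first else []


def run(mailboxes, msg, passes_checks=True):
    """Deliver msg and everything it triggers; return the (from, to, kind) trace."""
    trace, queue = [], deque([msg])
    while queue:
        m = queue.popleft()
        trace.append((m["from"], m["to"], m["kind"]))
        box = mailboxes.get(m["to"])
        if box is None:                      # nonexistent address: goes nowhere
            continue
        ok = passes_checks if m["kind"] == "mail" else True
        queue.extend(box.receive(m, ok))
    return trace


def demo():
    a, b, c = (CRMailbox(n + "@example.com") for n in "abc")
    boxes = {m.address: m for m in (a, b, c)}
    first = run(boxes, a.compose(b.address, "hello"))
    second = run(boxes, b.compose(a.address, "hi back"))
    # Constructed forgery: mail claiming to be from c, who never wrote to b.
    forged = run(boxes, {"from": c.address, "to": b.address, "kind": "mail", "body": "x"})
    return first, second, forged, b
```

Calling `demo()` returns three traces: the first contact takes three messages (mail, challenge, reply), the later message from b to a takes one, and the forged message produces a single unanswered challenge and stays held.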
Wikipedia defines the internet (in layman’s terms) as “a network of networks” that “carries a vast array of information.” While we all know it’s much more complicated than this, few of us spend much time thinking about this “network of networks.” The internet is notoriously an intangible, abstract item that the average email/internet user dedicates little mindshare to.
Luckily for us, Pingdom, a company that offers uptime monitoring services, has done their share and more, scouring the internet for, well… data on the internet. You can find the full report in this blog post from last week, Internet 2009 in Numbers.
While some of the figures weren’t a big surprise (81% of email was spam per their data), some were quite interesting:
- 2009 saw a 24% increase in spam over the year prior
- 148,000 new zombie computers were created each day
- 100 million new email users joined the world of email
- And collectively we sent 90 trillion emails during the year (although spammers can take credit for the vast majority of these)
Here at Save the Mail we are big proponents of taking advantage of the ability to block invalid email at the time of SMTP transfer – when it’s possible to determine absolutely that a message is invalid. Typically 90%+ of the email any individual or organization receives is invalid and it would be nonsensical to accept every one of these messages and then work to determine what is good and what is bad.
Technologies that can weed out the most obvious spam before messages enter the network (e.g. directory synchronization checks and certain forms of greylisting) can be an immense help to organizations seeking to alleviate bandwidth requirements while protecting their email infrastructure.
However we can’t help but think that Blacklists of any kind are not one of these said technologies. Blacklists have been in use for 10+ years but at their core, they tend to hurt legitimate companies who for whatever reason have angered the email gods, while not truly stopping the “dangerous” senders they are meant to.
From a spammer’s perspective: as soon as their IP is blocked, they get a new one and continue to spam. It is a numbers game for them and one blocked IP address means very little. Meanwhile, law-abiding “emailers” are blacklisted daily and left to clean up the mess – without the advantage of being able to simply dump their IP and move on to a new one.
While nearly every major open source solution on the market utilizes some kind of Blacklist, we strongly suggest companies consider alternatives before diving in. As mentioned above, certain forms of greylisting (we are partial to our own implementation, SilverListing) or even a simple sender/recipient check are typically as effective (if not more so) than the use of blacklists, but don’t introduce the same set of consequences or danger of false positives – particularly when you’re blocking email at SMTP time.
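As an added example (not code from this blog, and not the SilverListing implementation, whose details are not given here), this sketch shows the two SMTP-time alternatives named above deciding the reply to each `RCPT TO`: a recipient directory check, then textbook greylisting. The class name, delay values and addresses are assumptions.

```python
import time

class SmtpTimeFilter:
    """Decide the RCPT TO reply without consulting any IP blacklist."""

    def __init__(self, valid_recipients, min_delay=300, max_age=86400):
        self.valid = {r.lower() for r in valid_recipients}  # directory snapshot
        self.min_delay = min_delay   # seconds a new triplet must wait (assumed)
        self.max_age = max_age       # seconds before a pending triplet expires
        self.first_seen = {}         # triplet -> time of first attempt
        self.passed = set()          # triplets that have retried correctly

    def rcpt(self, client_ip, mail_from, rcpt_to, now=None):
        now = time.time() if now is None else now
        rcpt_to = rcpt_to.lower()
        # 1. Recipient check: an unknown mailbox is rejected permanently.
        if rcpt_to not in self.valid:
            return 550, "5.1.1 no such user"
        key = (client_ip, mail_from.lower(), rcpt_to)
        if key in self.passed:
            return 250, "OK"
        # 2. Greylisting: defer the first attempt; a real MTA will retry.
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.max_age:
            self.first_seen[key] = now
            return 451, "4.7.1 greylisted, try again later"
        if now - seen < self.min_delay:
            return 451, "4.7.1 greylisted, try again later"
        self.passed.add(key)
        return 250, "OK"


def demo():
    # Constructed sample traffic using documentation IP ranges and domains.
    f = SmtpTimeFilter(["user@example.com"])
    attempts = [
        ("192.0.2.10", "news@example.net", "nobody@example.com", 0),   # bad rcpt
        ("192.0.2.10", "news@example.net", "user@example.com", 0),     # first try
        ("192.0.2.10", "news@example.net", "user@example.com", 60),    # too soon
        ("192.0.2.10", "news@example.net", "user@example.com", 400),   # retry
        ("198.51.100.7", "news@example.net", "user@example.com", 401), # new IP
    ]
    return [f.rcpt(ip, s, r, now=t)[0] for ip, s, r, t in attempts]
```

A temporary 451 costs a legitimate sender one retry, whereas a blacklist hit costs them delivery until the listing is cleared.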
Spammers Put their Money on Obama, Michael & Angelina During December
Written by Save the Mail!
Friday, 22 January 2010 17:38
Spam has taken on a life of its own in more ways than one. Similar to Google trends, or Twitter’s trending topics, McAfee (along with several other organizations close to the world of email) continues to keep a pulse on hot topics in the world of spam email.
And (drum roll please) … the December breakdown, according to a January 2010 spam trend report, went as follows:
The most popular male spam subject was none other than Obama - followed by Michael Jackson, George Bush and Brad Pitt.
The top female “honor” went to Angelina Jolie, followed by Oprah, Paris Hilton and Britney Spears.
While there wasn’t any overlap between Google trends and what spammers bet their money on in the month of December (perhaps they would have been more successful if there were?) – each of these figures has in their own right fascinated us to no end at one time or another.
But unlike Twitter’s trending topics or Google trends, we’re left feeling like there isn’t much to gather here about – well – much of anything. Will Paris Hilton be making her big come back in January 2010? Maybe Angelina and Brad will finally break it off come February? Or perhaps spammers took a gamble on what would pull on our delicate heart strings during the month of December and this is what came out.
And well, if we’re all being perfectly honest … those MJ messages always get to us during the holidays and we tend to double click them and just follow instructions. No apologies. King of Pop. Worth it.
Hey, it's that time of the week again! If you're up for the challenge, tell us what you think about what's going on in the world of email and we will hook you up with one of our Revolutionary Mail Enhancement t-shirts (it's what we serve up daily here at Save the Mail - pun totally intended).