There is a modern proverb that goes something like this:

Acknowledge the bad, but focus on the good.

In sum: do not be so naive as to think that bad things do not exist in this world, but rather choose to spend your energy and time focusing on the good things instead. Make a conscious decision that focusing on the good will not only get you further in life, but ultimately make you happier.

Before we get too carried away here – no, this is not a self-help, positive thinking piece - in the world of technology, IT professionals spend more than their fair share of time focusing on the bad, and it is often out of necessity. Every security decision comes with its own set of trade-offs, and IT professionals are often choosing the lesser of two evils.

But, the sentiment behind this saying poses an interesting question: can focusing on the good ever make you more secure?

However, the solutions we have in place to protect our email messaging systems typically do not adhere to the principle above. Rather, they hone in on the “bad”.

These methods range from the mainstream (content filters) to the paranoid (disposable email address services). They all offer some degree of control over abusive email, but none are perfect and many are time consuming.

So here we are - 32 years into the problem of spam, billions of dollars deep into the problem of solving it, but still haven’t been able to eliminate it.

Worse, in 2009, “spam” email comprised 81% of all messages sent. And while some general characteristics can be used to describe what the messages that comprise this 81% figure may have looked like (illegal html, all capital letters, invalid recipient field etc.), the truth of the matter is that the characteristics of spam are continually evolving.

In addition, every day nearly 150,000 new zombie computers are created and an average of 10,000 new malicious code signatures are added to software vendor Symantec’s threat database.

In sum: the ways in which the “bad guys” present themselves, and the methods they use to try to present themselves, are continually evolving.

So if the characteristics of 81% of email traffic purposefully vary on a continually basis, is there any constant in this equation?

Yes: the “good” guys.

The sending source, sending address, headers and general content you receive from email senders you communicate with on a regular basis has remained relatively constant - namely because there is little incentive for your colleague, mother, best friend, boss, personal trainer, roommate, or child to manipulate the properties of email.

They have a message they wish to send to you, and they do exactly that. The systems they use to send these messages to you all act alike and the email addresses they utilize are generally unvarying.

And it is these contacts and contact sources that comprise a successful whielist. For those interested in learning more about email whitelist best practices, check out the new Sendio white paper below How to Reclaim your Email Using Whitelists.

Download the White Paper

An “Adobe Security Update” malware campaigns, is said to be making the rounds, according to email security vendor Red Condor as well as reports from the software company. The spam messages reference a vulnerability identified as CVE-2010-0193, a bug that was addressed by Adobe previously on April 13.

The messages instruct users to download an executable file, which is known as Poison or PoisonIvy and is in fact malicious. According to news outlet Softpedia, only 19 of the 40 top AV engines are currently able to correctly identify this file as malicious.

Adobe has issued the following warning on their blog:

“Customers who subscribe to the Adobe Security Notification Service will receive email notifications that ONLY point to security advisories or security bulletins on the adobe.com domain (i.e. http://www.adobe.com/go/apsb10-09), and that NEVER link directly to an executable for a product security update or contain attachments that must be opened. Adobe product updates are only available (1) via the product's automatic update feature or (2) from the Adobe website at http://www.adobe.com/downloads/updates/.”

Stay safe out there! Always pay close attention to EXE files, and if something looks off in an email that is claiming to originate from a software vendor, be sure to verify the story directly on the vendors site before taking any action.

This week marks the 32^nd anniversary of the very first spam message – sent by Gary Thuerke on May 3, 1978 over the ARPAnet.

Then, just a few thousand people had “email accounts.” Today there are over 1.4 billion people who use email and spam comprises 80-90% of all email sent.

Here’s to a [hopefully] less successful year ahead for spam and those who send it!

In a letter to employees last week, University of California Davis (UCD) CIO Peter Siegel announced the university’s recent decision to terminate its evaluation of Gmail, citing concern with Google's ability to keep email correspondences private and doubt over whether “outsourcing email [was] in compliance with the University of California Electronic Communications Policy."

And they are not alone. Yale University made a similar decision just last month, citing analogous reasons.

While the resource savings associated with a move to the cloud, particularly the Google cloud where organizations benefit from a massive economy of scale, are undeniable - large enterprises and institutions are beginning to ask the scary questions: How secure is the Google cloud? And can data ever be completely private in a shared hosted environment?

And the conclusion many large organizations are coming to, is no.

Because Google provides little to no direct control over the location and security of customer’s data in the cloud, enterprises and institutions must simply “take it or leave it” – as Google bundles it.

Are there alternatives? Yes, but generally at a higher cost than Googles very inexpensive Gmail. For organizations looking to take advantage of the benefits of hosting their mail, but concerned about data privacy, a dedicated hosted environment, where there is no commingling of data, is the best alternative.

But as the Cloud becomes a more popular alternative to in-house applications, this is a question every organization will have to explore themselves.

What do you think? Are UCD’s fears unfounded? Does your organization host their mail or are you still keeping these applications in house?

Currently in its last day, Infosecurity Europe has attracted nearly 12,000 information security professionals to the 3 day UK event as well as many of the key industry players in the region.  In the mix is Cisco IronPort’s product manager Swastik Bihani – who took some time out Tuesday to check in with UK computing magazine PC Pro. Among the hot talking points – spam.

We’ve been alluding to it, if not outright screaming it in some of our most recent posts here on Save the Mail, but if you haven’t heard it yet we’ll say it again: “spam” (as we know it) is changing.

And according to Cisco’s Bihani, scammers are not only getting smarter, but their “finished product” is only becoming more dangerous.

Historically spam has been viewed as a nuisance rather than a real danger, but according to Bihani 85% of the messages processed by IronPort now contain some kind of link – and increasingly these links are directed to malware infected sites of some kind.

One of Bihani’s key recommendations: implementing SPF (Sender Policy Framework) for companies.

SPF is in essence an email validation system that seeks to prevent unwanted, dangerous email from spoofed source addresses.

The concept first took flight in 2002 and by 2004 had morphed into the SPF system that is more or less in place today.

How it works (in sum): administrators specify which hosts are allowed to send email from a given domain by creating a specific DNS SPF record in the public DNS. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators. (thank you Wikipedia for this very condensed version)

Most mail servers support SPF, but if for any reason yours doesn’t – there are also a number of extensions that you can deploy that will. In addition, most major email protection solutions on the market also support SPF.  (A list of some of the Mail Servers, extensions and programs that support SPF can be found here.)

If you are not currently relying on an SPF check as part of your broader email system protection plan, consider turning this feature on (or switching to a product that supports SPF) right away. It is a simple way to make your email safer immediately – and as spam threats continually worsen, a necessity for every company.