|
Lawyer Awarded $7k in Spam Suit: We do the Math |
|
Written by Save the Mail!
|
|
Tuesday, 23 March 2010 01:20 |
|
Dan Balsam doesn’t like spam. In fact, he hates it. Enough so that he went to law school, left a career in marketing and now spends much of his time filing lawsuits against spammers. And earlier today he was awarded $7k in a rare court ruling against a spamming organization ($1,000 for every offending email + legal fees). The unsolicited email Balsam received was from 2007. The spammer (Trancos, Inc.) is now expected to appeal the decision.

When all is said and done here, this raises the question: was it worth it? Let’s do the math: 3 years + Team of Attorneys = $7k – Imminent Appeal + More Legal Fees = No Real Change?

Dan’s website danhatesspam.com warns that “spam is threatening the legitimacy of email as a means for communication” – but we have the feeling that “spam” has already killed the legitimacy of email for Balsam. His site boasts a no-spam policy that warns of $25,000 fees upon his reading of any piece of unsolicited commercial email, as well as nine other bullet points littered with legal speak. The problem here: the real spammers will ignore this. You might scare off a few friends, but the real spammers won’t ever even see it, and will never give Dan a chance to reference it in court either. The most dangerous email spam is from sources that will never show up to a court date – from sources that are not traceable, trackable or suable.

But what he will get: a few thousand dollars out of sloppy – but mostly legitimate – email marketing companies like Trancos (an Inc. magazine fastest growing private company of ’07). What he won’t get: an end to spam.

Frustrated email consumers like Dan have a right to a spam-free inbox, but it shouldn’t have to involve an entirely new career path and a new set of life goals. Taking back control shouldn’t be this hard. We don’t need an entire court system to tell us who can and cannot send us an email; we should decide for ourselves. |
|
Last Updated on Tuesday, 23 March 2010 16:18 |
|
A Bad Apple Example: SA Woman Loses $178K in 419 Scam |
|
Written by Save the Mail!
|
|
Thursday, 18 March 2010 22:51 |
|
Remember that mention below of the “bad apple” email users – those email users that take undue risk when receiving, opening and responding to email from unknown sources? Well, here we have one such example.

419 scams have been on the rise since early February, and today it was announced that a young woman from Frankfort, South Africa fell for a well-known variation of the scam and lost more than US$178,000 (1.2 million South African rand) to a group promising 1 million British pounds of prize money she had won. After paying thousands of rand into an anonymous bank account and paying various individuals for their assistance “helping” her claim her prize money, the woman had still not received any payout and reported the incident to police.

The dangers lurking in email inboxes – when they go unchecked – are incredible. If you do not have an email protection solution in place that blocks email from illegitimate and/or unknown senders, make sure you and your email users are not opening email from sources you don’t recognize. 419 scams are not going away, but are easily avoidable. For more information on 419 scams, click here. |
|
Last Updated on Thursday, 18 March 2010 23:15 |
|
Email Users Have No Idea What They are Doing |
|
Written by Save the Mail!
|
|
Thursday, 18 March 2010 19:12 |
|
Some interesting data points presented recently at the Messaging Anti-Abuse Working Group conference point towards a set of email users that are either clueless or Evel Knievel risk takers:
- Roughly half of survey respondents had opened a spam message at one time or another
- 1 in 10 have either clicked on links or downloaded attachments from spam messages
- 1 in 5 opened the message “to see what would happen”
- 4% replied to the messages and another 4% forwarded them to other people
All this points towards a large pool of at-risk email users. Here at Save the Mail though, we are of the opinion (and we think most would agree) that users as a whole aren’t the email idiots this study would have you believe. Sure, there are some bad apples, but they are, and have always been, the exceptions. Given a choice, most users will apply the prudent email best practice that IT has been extolling for years: Don’t open email from sources you don’t recognize. At Save the Mail we believe the better solution is: Don’t accept email from sources you don’t know (or want).

Ultimately we need to change the conversation. Rather than putting in solutions which keep the bad mail out, how about a solution that only allows the good mail in? If we let users decide who they want to email, the "crap" doesn’t have a chance. Again, (other than the bad apples) when was the last time you received spam from someone you trusted? Yes, it happens, but again, it’s extremely rare. And if the message happens to have a virus, then any good anti-spam solution is going to detect the virus and prevent delivery of the message. Granted, this is only possible when the right solution is in place, but this is still the ideal scenario.

When email users are given the ability to choose who to receive email from, you are far safer than when you either a) accept all inbound email messages or b) “guess” as to what is, or isn’t, good and bad. And letting users decide gives IT a chance to spend their time on more important tasks. How much money is wasted by IT people digging through spam folders looking for the latest “most important email ever”? Why not let users do this? Remember, with the right solution users can only release clean messages from people they trust so, really, what’s the harm?

There will always be IT support stories about the latest “the user did what?” But with a whole new generation entering the work force, we will start seeing a shift towards users who have spent their whole life with email, the internet and social networks like LinkedIn and Facebook. This shift in the work force will not be without its challenges, but explaining how to use email will not be one of them. Why not shift the anti-spam strategy now and let users decide? |
|
Last Updated on Thursday, 18 March 2010 23:27 |
|
CISO Fired Over Remarks at RSA: Why We’re Worried |
|
Written by Save the Mail!
|
|
Friday, 12 March 2010 18:11 |
|
After disclosing information on an incident involving the Commonwealth’s online driving exam scheduling system, and a driving school that manipulated a weakness in the system to move appointments for their students ahead of others, Pennsylvania’s chief information security officer Robert Maley has been fired. To reiterate: the incident involved the state’s ONLINE DRIVING EXAM SYSTEM. The remarks were made at a panel discussion at RSA earlier this month on state cybersecurity.

While we understand the need for a certain level of discretion on cybersecurity topics, especially when they have to do with our government, this incident was not a threat to America’s security or livelihood by any stretch. It was nothing more than an embarrassing moment for the state of Pennsylvania. But what has us extremely worried here has been the firing of Maley and the subsequent “lockdown” on talking about cybersecurity by state officials in PA.

Does a lack of dialogue surrounding cybersecurity really make businesses and government agencies a more secure place? In some instances, yes – let’s not advertise huge gaping holes in our government’s cyber network. But in this situation, the answer is a resounding NO. How are we going to fix the “gaping holes” if we simply ignore them? What better opportunity to discuss the complex issues surrounding securing our businesses’ and government’s cyber infrastructure than with the non-life-threatening example Maley brought up of the state’s online driving exam system? By stifling the dialogue on cybersecurity, Pennsylvania is doing businesses and internet users a disservice – and passing up an opportunity to educate the public on cybersecurity vulnerabilities and dangers. |
|
Last Updated on Friday, 12 March 2010 22:09 |
|
Written by Save the Mail!
|
|
Thursday, 28 January 2010 22:11 |
|
Wikipedia defines the internet (in layman’s terms) as “a network of networks” that “carries a vast array of information.” While we all know it’s much more complicated than this, few of us spend much time thinking about this “network of networks.” The internet is notoriously an intangible, abstract item that the average email/internet user dedicates little mindshare to. Luckily for us, Pingdom, a company that offers uptime monitoring services, has done their share and more, scouring the internet for, well… data on the internet. You can find the full report in this blog post from last week, Internet 2009 in Numbers. While some of the figures weren’t a big surprise (81% of email was spam per their data), some were quite interesting:
- 2009 saw a 24% increase in spam over the year prior
- 148,000 new zombie computers were created each day
- 100 million new email users joined the world of email
- And collectively we sent 90 trillion emails during the year (although spammers can take credit for the vast majority of these)
Even more stats can be found in the full post.
|
|
Last Updated on Tuesday, 09 February 2010 19:07 |
|
Written by Save the Mail!
|
|
Friday, 15 January 2010 23:36 |
|
Or, depending on how you look at it, perhaps quite a solemn one - Canada's second oldest magazine has been forced to change its name after 90 years because the title's inadvertently sexual connotation is getting caught in spam filters and preventing the publisher from reaching "a new, life-sustaining generation of readers online" (Resource Shelf). The magazine will transition from its current title, The Beaver, to Canada's History beginning with its next issue in April.

How many more magazines covering the fur trade and Canada's northwest frontier must we sacrifice before we are able to beat the anti-spam content filters? Or worse, what seemingly innocent 21st century words will be pulling companies under 50 years from now? I want my fur trade knowledge delivered just the way it was 90 years ago, by the Beaver. Now who's with me? |
|
Last Updated on Friday, 09 April 2010 04:41 |
|
2009 In Review: 87% of Emails were Spam |
|
Written by Save the Mail!
|
|
Wednesday, 06 January 2010 01:42 |
|
Years ago these studies were rolled out with all the pizzazz of ground-breaking medical research, but every year IT teams seem to become just a little bit more numb to it: …the numbers are in and according to Symantec’s December 2009 state of spam report (download a full copy here) just around 87% of emails sent during 2009 were spam. We’ll leave it to you to fill in the blank on this one. But here’s to a New Year, new possibilities, and staying productive, protected & secure! On an unrelated note, we’re taking bets on the 2010 figure – any takers on a > 90% figure? |
|
Last Updated on Wednesday, 06 January 2010 01:46 |
|
A Study in Irrelevance: Are Anti-spam Laws Working? |
|
Written by Save the Mail!
|
|
Wednesday, 23 December 2009 23:14 |
|
An article posted on The Chief Officers’ Network today posed an interesting question: Are Anti-spam Laws Working? The obvious conclusion was no. These laws requiring that “spammers” provide opt-out options at the bottom of their email attacks seem to act more as a means to validate an email address than to protect it. While all reputable companies abide by these opt-out requirements, for the more shadowy figures in the situation these opt-outs are, at best, ignored.

The article called out some of the more devious perpetrators in the equation: a company called fagms.net that requires users to opt out of campaigns individually rather than as a whole, a US company whose media contact list seems to be harvested by bots at best and endlessly peppers the unlucky recipients with email blurbs from clients, and a company called easy.com that simply ignores customers’ opt-out requests. But what was never mentioned was the nature of these email messages: the faux products and services they were trying to hawk, the links they begged you to click on, the software you just have to download. And their very questionable legitimacy.

At the heart of the problem is a set of “businesses” that are not seeking to do any sort of legitimate “business.” These people are criminals, not just dodgy businessmen, and it is no surprise they tiptoe around the laws in place that are meant to stop them. If laws were enough, our society would be utopian. However, there are laws in place to prevent people from stealing, but people still steal. There are laws in place to prevent people from speeding, but people still speed. There are laws in place to prevent people from downloading music illegally, but music is still downloaded illegally. …and the list goes on. Spammers are criminals that do not abide by the law. Plain and simple. We could fill the books with laws that sought to prevent these messages, but those annoying solicitations would still creep into our inboxes.

The solution is much easier than we all seem to think it is. It isn’t legislation, it’s technology. Implement email protection solutions that adopt an approach to email that gives the end-user control over who they communicate with, not the spammer. Access to someone’s email inbox is a privilege, not a right, and should be treated as such – take advantage of technology that makes this a reality. |
|
Last Updated on Wednesday, 23 December 2009 23:18 |
|
Top 5 technologies/trends that every IT professional should be thinking about with respect to e-mail |
|
Written by Save the Mail!
|
|
Wednesday, 01 July 2009 08:59 |
- Anti-spam filtering can no longer be considered a reliable tool for protecting your e-mail infrastructure and/or your users from the many threats that use e-mail as their primary insertion vector. Smart IT professionals have come to realize it is impossible to determine intent from content. As we move into the 2nd decade of the 21st century, security on the Internet in general, and for e-mail specifically, must become personalized. We can no longer afford to count on the ability, or lack thereof, of a filter to guess what is good/safe and what is not. The next era for e-mail security will be ruled by systems that provide and promote Sender Address Verification and Authentication.
- Domain forgery must be stopped, and we have the tools at our disposal to make this happen. The time has come, once and for all, for IT professionals to embrace and deploy BOTH Sender Policy Framework (SPF — www.openspf.org) and DomainKeys Identified Mail (DKIM — www.dkim.org).
- While it’s true that “cloud computing” is well on its way to becoming the “2009 Buzzword of the Year,” the time has come for IT professionals to seriously consider moving the major security components of their e-mail infrastructure onto their own private islands within the greater computing cloud. Processes like anti-spam, anti-virus, anti-threat, compliance, data leakage prevention, and managed file transfer can be addressed more effectively and more efficiently before any data ever reaches the threshold of your private network.
- In a difficult economy like we have today, e-mail is a more important tool than ever. E-mail is the ultimate asynchronous communication tool and is critical as a cost effective means for individuals to communicate over long (and short) distances. In both the medium and long terms, IT professionals must continue to strengthen their e-mail infrastructures. Now is not the time for cost cutting with respect to e-mail.
- Early this month Google announced their newest project: Wave (wave.google.com/help/wave/about.html). While it is too early to tell if this new project/protocol will have any real impact in the near term, looking forward 18 – 36 months, this is something upon which IT professionals should keep close watch. If Google is even remotely successful, and who would bet against Google, this new and open protocol has the potential to completely change the way people communicate on the Internet through the merging of e-mail, instant messaging (IM), and real-time collaboration.
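
The first two items above tie sender-based decisions to proof that the sender's domain is not forged. The following is an added example, not code from Save the Mail! or from any product the page mentions: it combines a per-user allow list with the SPF/DKIM verdicts a receiving mail server records in `Authentication-Results` headers. The hostname `mx.example.net`, the function names, the three outcomes and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name our own border MTA writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.example.net"

# One "method=result ... property=value" clause, e.g. "dkim=pass header.d=partner.example".
CLAUSE = re.compile(
    r"^(spf|dkim)=(\w+)\b.*?\b(?:smtp\.mailfrom|header\.d)=(?:[^\s;@]*@)?([\w.-]+)",
    re.I,
)

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM according to headers stamped by our own MTA."""
    passed = set()
    for raw in msg.get_all("Authentication-Results", []):
        fields = [f.strip() for f in " ".join(str(raw).split()).split(";")]
        authserv = fields[0].split()[0].lower() if fields[0] else ""
        if authserv != TRUSTED_AUTHSERV:
            continue  # stamped by some other host, so the sender could have written it
        for clause in fields[1:]:
            m = CLAUSE.match(clause)
            if m and m.group(2).lower() == "pass":
                passed.add(m.group(3).lower().rstrip("."))
    return passed

def aligned(from_domain, auth_domain):
    # Simplified relaxed match: same domain, or a subdomain of the authenticated one.
    return from_domain == auth_domain or from_domain.endswith("." + auth_domain)

def decide(raw_message, allow_list):
    """Return 'deliver', 'quarantine' or 'hold' for one inbound message."""
    msg = message_from_string(raw_message)
    address = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = address.rpartition("@")[2]
    proven = any(aligned(from_domain, d) for d in authenticated_domains(msg))
    if address not in allow_list:
        return "hold"        # unknown sender: wait for the recipient to approve it
    if not proven:
        return "quarantine"  # allow-listed address, but nothing proves its domain sent this
    return "deliver"

def sample(from_addr, *auth_headers):
    """Build a constructed test message (not real traffic)."""
    head = [f"From: {from_addr}", "To: bob@corp.example", "Subject: invoice"]
    head += [f"Authentication-Results: {h}" for h in auth_headers]
    return "\n".join(head) + "\n\nbody\n"

ALLOW = {"alice@partner.example"}
GENUINE = sample("Alice <alice@partner.example>",
                 "mx.example.net; spf=pass smtp.mailfrom=alice@partner.example;"
                 " dkim=pass header.d=partner.example")
FORGED = sample("Alice <alice@partner.example>",
                "mx.example.net; spf=pass smtp.mailfrom=bounce@bulk.example; dkim=none")
FOREIGN_STAMP = sample("alice@partner.example",
                       "mail.bulk.example; spf=pass smtp.mailfrom=alice@partner.example")
STRANGER = sample("news@shop.example",
                  "mx.example.net; spf=pass smtp.mailfrom=news@shop.example")

if __name__ == "__main__":
    for name in ("GENUINE", "FORGED", "FOREIGN_STAMP", "STRANGER"):
        print(f"{name:14} -> {decide(globals()[name], ALLOW)}")
```

An allow list keyed on the visible From address is only trustworthy when the border server strips or ignores `Authentication-Results` headers it did not add itself, which is why the third sample is quarantined rather than delivered.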
|
|
Last Updated on Thursday, 03 December 2009 20:14 |
|
Preserving E-mail Infrastructure: Making do with what you have, and other lessons of the 1930’s |
|
Written by Save the Mail!
|
|
Thursday, 23 April 2009 21:51 |
|
(originally posted 21 April 2009 on CIO.com) http://tinyurl.com/talgolan-cio-blog-20090421

Over the past six months, we’ve found ourselves in an extraordinary set of economic conditions that, as we are constantly reminded, we haven’t seen in years, decades, or, as the clincher the media loves to use to really drive home the point, since the Great Depression. Companies are doing more with less, cutting resources back in all departments and being forced to make difficult decisions about what their organization fiscally values. IT departments are no exception; however, these teams are in the unique position where operations must go on under two sets of unprecedented conditions: an economic climate that stresses fiscal responsibility above all else, in conjunction with an unparalleled set of e-mail security threats that worsen by the day.

What is an IT department to do? Compromise security to preserve financial goals? Sit and wait? Or, hidden option C, take a few tough lessons from our depression-era counterparts and optimize services while avoiding expensive investments? If you’re thinking about going with the latter, here I discuss the first step: protect the server as the costliest and most important network component.

Go Back to the Basics

E-mail is the lifeblood of contemporary business communications. Any breakdown in this mission-critical tool and most companies come to a virtual halt – the crowds become just a little bit larger at the water cooler, and you’ll find the IT team in a strategy huddle in the server room. In this type of environment, an IT department’s primary task is to keep the network infrastructure focused on and undistracted from its role of managing inbound and outbound e-mail—quickly and securely.

However, despite a natural expectation that something so mission-critical will have iron-clad protection, from an insider’s perspective it is one of the most vulnerable corporate components – threats go far beyond the annoyance of spam to include malicious components such as phishing attacks, worms, Trojans, bots, and other Internet crimeware. Under this set of circumstances, more than ever, it’s important to do the simple things exceedingly well, and keep the focus on the core of the organization’s infrastructure: the server. Doing what’s best for the server is usually in the best interest of the entire organization, including that of your team. Employing simple strategies that are in line with this focus will pay off by giving you the edge it takes to weather these conditions.

Make Do With What You Have

Give the Server a Focused and Undistracted Role

Because servers are robust tools demanding significant processing power, using an e-mail security solution for the heavy e-mail security lifting keeps the server focused on its core competencies. Resources that are able to take the e-mail burden off of the server should be utilized to the fullest extent possible, allowing server resources to be diverted to core assignments. Organizations may be surprised at how much bandwidth their e-mail traffic requires, and similarly what the true value of that additional bandwidth is.

Sidestep Server Upgrades and Replacements

Organizations that are preserving Microsoft Exchange 2000, 5.5 or earlier versions don’t benefit from any form of sender DNS checking or recipient checking on inbound e-mail communications. In-house resources that are able to perform these checks before e-mail enters the network boost a department’s e-mail infrastructure security, but do not require additional server resources. These potentially performance-amplifying tools dramatically reduce the volume of e-mail burdening the infrastructure and mitigate the need for pricey server upgrades or replacements.

Protect the Server from Outside Exposure

Deploying an e-mail security appliance first in the line of defense (behind the corporate firewall) buffers the server from unnecessary outside communication, and takes full responsibility for anti-spam/anti-virus processing and bandwidth. Solutions configured to sit in front of the server mitigate exposure and are able to handle inbound/outbound e-mail communication as well as the accompanying assaults.

Employ Smart Host Services

An e-mail security appliance with smart host services can protect the server from communicating directly over SMTP with outside servers—always risky—and provides a “perfect” delivery path within the internal network. One with mailbagging support does away with the need for “non-deliverable” status messages to be generated or e-mails to be resent, both of which distract and contribute to annoying e-mail volley.

Invest Wisely

When there is an opportunity to invest in your department’s e-mail infrastructure: invest wisely. Choose solutions and technologies that will support, boost and protect the existing infrastructure as opposed to those options that will further tax already limited resources. To those who don’t believe: there is always a better way, and there are always new and innovative options for those age-old problems you thought had been solved five years ago. Taking the time to research the problem up front and finding a solution that will actually solve the problem will pay off multiple times over in the form of you and your team’s time and sanity. |
|