November 13, 2007

FEATURE EDITORIAL

Internet Messaging Leaders Fight Email Fraud

As part of the ongoing battle to combat email fraud and phishing scams, which threaten to diminish trust in email, a group of engineers from 20 leading ISPs, messaging product companies and industry associations recently gathered for two days to test DomainKeys Identified Mail (DKIM) – an email authentication standard recently approved by the Internet Engineering Task Force (IETF).

Testing covered different scenarios for signing and validating email messages between participants' products and services. Progress was tracked on a large matrix, which recorded each successful interoperability test. By the conclusion of the event, the matrix was nearly 100 percent complete!

"Because spam and phishing continue to proliferate, messaging companies are eager to move forward with wide-spread implementation of DKIM, to help consumers and businesses identify legitimate email messages," explains Dave Crocker, principal of Brandenburg InternetWorking, a Sunnyvale, Calif. consultancy, and one of the event's coordinators. "This much progress for a new standard's first testing event is extremely unusual. We have demonstrated that DKIM is easy to add to an email service and that its use of cryptographic technology provides a strong basis for knowing received email really is associated with the organization that claims to have sent it."

"We learned a lot by participating; not the least of which is that DKIM just works," declares Arvel Hathcock, founder and CEO of Alt-N Technologies, and host of the event. "The testing performed by all participants revealed no significant barriers to adoption or use."

DKIM uses domain names, rather than the more cryptic IP Address numbers, to represent an organization's identity, because domain names are more stable and are already used to identify organizations on the Internet. The standard allows email senders to insert a cryptographic signature or "fingerprint," which only they can create. This signature travels within the message itself, allowing authentication to take place without regard to the path the message follows to reach a recipient. When the signature is later validated, a recipient can be assured of the signer's identity and that the message was not tampered with during transit over the Internet.

A valid DKIM signature provides reliable input for domain-based reputation assessment. Incorporating the standard into messaging products provides an additional layer of email trust and protection to receivers concerned with threats of email fraud and phishing scams. DKIM also arms senders with a stronger means of brand protection.

The twenty participating companies and organizations included: Alt-N Technologies, AOL, AT&T Inc., Bizanga Ltd., Brandenburg InternetWorking, Brandmail Solutions, ColdSpark, Constant Contact, Inc., DKIMproxy, Domain Assurance Council, Google Inc., ICONIX Inc., Internet Initiative Japan (IIJ), IronPort Systems, Message Systems, Port25 Solutions, Postfix, Sendmail, Inc., StrongMail Systems, and Yahoo! Inc.

For more on this topic, be sure to read the story Restoring Trust in our September/October issue of Messaging News.

Greynet Survey Released

Last month FaceTime Communications, a provider of solutions that control greynets and manages unified communications in the enterprise, announced the results of its annual survey, Greynets in the Enterprise: 3rd Annual Survey of Trends, Attitudes and Impact. In September 2007, data was collected in a survey of more than 700 employees and IT managers to determine the impact greynet applications have on companies and organizations. FaceTime defines greynets as real-time consumer applications (e.g. instant messaging, P2P, VoIP) that are often introduced by individual end-users and use highly evasive techniques to traverse the network. These greynets pose myriad network and information security risks because they provide vectors for malware, intellectual property loss, identity theft and compliance risks.

According to the study, greynet use has increased dramatically within the workplace. An average of nine greynets are in use within the typical organization, and 99 percent of IT managers report at least one greynet in use at their locations. In spite of deploying security infrastructure, such as firewalls and IPS products, nine in 10 IT managers have experienced a greynet-related security incident in the last six months. In fact, only about 3 percent have avoided greynet-related security incidents during this period.

FaceTime acknowledges that while some greynets, such as Skype, instant messaging (IM) and Web conferencing, have legitimate business uses, IT should require visibility and control to ensure their safe and productive use. With other greynets, such as P2P file sharing, video streaming and anonymizers, FaceTime believes the risks might outweigh the benefits and suggests organizations have the ability to accurately detect and block them. Greynets can be evasive on the network, often circumventing the traditional security infrastructure that was designed for email and standard Web traffic. The survey shows that the average cost companies incur in recovering from greynet-related incidents on company PCs has more than doubled over last year. IT managers reported spending an average of nearly US$289,000 annually to repair or re-image company PCs after malware attacks over greynets. The cost reported in last year's study was nearly US$130,000 per year. On average, IT managers experience nearly 39 incidents per month that require some kind of repair or remediation to end-user PCs and each repair requires, on average, about nine hours of work.

Employees don't always see eye-to-eye with IT management regarding risky behavior on the network. For example, 80 percent of IT managers deem anonymizers – applications that disguise network traffic to permit anonymous use of the Internet – risky to corporate networks. In contrast, just more than half of users (57 percent) find them risky, for a 19 percent differential in risk assessment.

In addition, the survey reveals:

• 85 percent of employees report that they use their work PCs for "personal, non-work purposes," and among these employees, 38 percent send personal IMs or engage in chat while at work.
• The personal use of work computers is independent of company size. Across the board, approximately eight in 10 will surf, shop and chat over the company network, testimony to the continued blurring of personal and professional workspaces.
• Fewer than half – 45 percent – of employees are at work locations where personal IM messaging is monitored by the organization.
• The number of work locations with eight or more greynet applications in use has almost tripled in the last three years.

More survey results can be found by visiting here.

IN THE NEWS:

Voltage SecureMail Adds Business In-Depth Features

Voltage Security, Inc., a global leader in information encryption, today unveiled the latest version of Voltage SecureMail, with new enterprise in-depth features that support the business needs of large global enterprises and their divisions, groups and call centers. The company says that the latest version supports all major European regions and allows organizations to manage hundreds of corporate brands seamlessly without incremental cost.

The new release offers the capacity to create multiple brand interfaces per tenant, a necessity for large organizations that need to manage communications across dozens—if not hundreds—of product and corporate brands. It also offers comprehensive support for European languages, delivering a scalable platform for enterprises that need to quickly extend their brand and communications across international borders, or when supporting multi-lingual support centers.

Learn More:

Voltage Security offerings include Voltage SecureMail, the Voltage Data Protection System and the Voltage Security Network (VSN), an on-demand managed service for the extended business network.

We welcome your ideas and your news for Messaging Newswire’s News & Trends in Email Security. Let us know what you think by sending your comments to editorial@messagingnews.com. Written or compiled by Stephanie Jordan. All trademarks are the property of their respective owners.

For marketing information on this newsletter or other Messaging News products contact jvictor@messagingnews.com