Sep 09 2011
 

I was alerted to this by an article on The Register which points to the Godai Group’s investigation into what happens when you register domains “close” to those of a reputable company and grab all the emails that happen to pop by. It is hardly a surprise to anyone who has run an email system, but you will get tons of email delivered because of email address typos. Godai Group looked at one specific type of typo – accidentally leaving out a “.”. For example, one of the examples that the Godai Group picked up on was some-person@ca.ibm.com, where “someone” has registered caibm.com (no dot) … whether or not that person is sniffing those emails cannot be known, but they could.

Again, to those who have run email systems it is no surprise to learn that some of the emails contain “interesting” information not limited to :-

  • Trade secrets
  • Business invoices
  • Personal information about employees
  • Usernames and passwords!
  • Network diagrams.

What is not mentioned is that those Fortune 500 companies almost certainly have policies in place prohibiting acts such as sending passwords and other sensitive information by email. But of course there is a description for someone who reads all of the corporate policies – someone who isn’t doing their job!

There is an interesting list of mitigations in the Godai Group report, but it could be a lot more extensive :-

  • When sending out an email to an address where the left hand side would be a valid internal address, flag the destination in your logs. Use that information to build up a list of domains for which you should check for valid internal addresses and freeze (hold in the queue) any messages that match. As an example, if mike.meredith@ca.ibm.com were a valid address you might want to freeze any emails addressed to mike.meredith@caibm.com.
  • Use your email logs to build up a database of domains that you send email to. This will allow you to identify similar domains that may be so-called “doppelganger domains” that you may want to take some action against. You may think you can guess what the domains would be, but there is a lot to be said for hard evidence.
  • Perform content filtering on outgoing email, and build up a set of rules to catch emails containing patterns that match certain kinds of emails you do not want leaving your organisation – to begin with, a pattern matching “password [is] XXXXXX”. This could take considerable effort to build, and there will always be the chance of a false positive, so you will want a sensible warning message when emails matching the relevant content filter get caught – “Please check that this email does not contain confidential information; please check the recipient address, and if necessary re-phrase the email”.
  • Encourage the use of end-to-end encryption such as PGP. Plain encryption is not sufficient – “walled garden” email systems such as GroupWise support encryption for internal emails, but this is about external (even if it isn’t intentionally so) email which is not encrypted with such corporate email systems. In fact systems such as GroupWise may be considered dangerous in this context – it comes with the word encryption on the tin, and even allows you to “take back” emails that you have sent that you regret. These facilities encourage dangerous practices.
  • Education, education, education. But this will not accomplish much – not only are the people who really need to be educated not listening, but these problems are mistakes – both in terms of accidentally sending emails to the wrong address, and in terms of emailing information that should probably not be sent via email.
  • Lastly, and perhaps for amusement value, you could try persuading senior managers that the danger of them accidentally sending inappropriate information out to third parties via email is so great that it justifies setting up a process by which all their email sent to external addresses is manually reviewed to ensure that it is not an accidental release of internal information. Good luck on that one!
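
The first two mitigations can be prototyped over a list of outgoing recipients; this is an added example, not code from the original post or the Godai Group report. The function names are hypothetical, the recipient list (including the `example.org` address) is constructed, and only the dropped-dot typo is handled.

```python
from collections import Counter

# Values taken from the post's own example; the recipient list below is constructed.
OWN_DOMAINS = ["ca.ibm.com"]
INTERNAL_USERS = {("mike.meredith", "ca.ibm.com")}  # (local part, real domain)
SAMPLE_RECIPIENTS = [  # constructed stand-in for addresses parsed from MTA logs
    "mike.meredith@caibm.com",
    "sales@caibm.com",
    "mike.meredith@ca.ibm.com",
    "someone@example.org",
]

def dot_dropped_variants(domain):
    """Domains formed by deleting one dot, e.g. ca.ibm.com -> caibm.com."""
    labels = domain.lower().split(".")
    variants = set()
    # Merge each adjacent pair of labels, but never merge into the TLD.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants

def build_watchlist(own_domains):
    """Map each dot-dropped lookalike to the real domain it imitates."""
    return {v: d.lower() for d in own_domains for v in dot_dropped_variants(d)}

def classify(recipient, watchlist, internal_users):
    """Return 'deliver', 'flag' or 'freeze' for one outgoing recipient."""
    local, _, domain = recipient.lower().rpartition("@")
    real = watchlist.get(domain)
    if real is None:
        return "deliver"
    # A left-hand side that is valid internally is almost certainly a typo.
    return "freeze" if (local, real) in internal_users else "flag"

def review_log(recipients, own_domains, internal_users):
    """Return per-recipient decisions and counts of lookalike domains seen."""
    watchlist = build_watchlist(own_domains)
    decisions = {r: classify(r, watchlist, internal_users) for r in recipients}
    seen = Counter(r.lower().rpartition("@")[2] for r in recipients)
    suspects = {d: n for d, n in seen.items() if d in watchlist}
    return decisions, suspects

if __name__ == "__main__":
    decisions, suspects = review_log(SAMPLE_RECIPIENTS, OWN_DOMAINS, INTERNAL_USERS)
    for rcpt, action in decisions.items():
        print(f"{action:8} {rcpt}")
    print("lookalike domains in log:", suspects)
```

In a real deployment the "freeze" decision would map to holding the message in the MTA queue, and the lookalike counts give the hard evidence the second mitigation asks for.
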
Oct 10 2009
 

I have recently heard “push” email referred to as “gold-standard” mail by someone who should have known better. I disagree, although in many senses of the word, my own mail has been set up as “push” for many years now – far longer than “push” mail has been supported! Before kicking the idea of “push mail” being the cure for all ills into the grass, let's have a little review of what email is and the difference between “push” and “pull”.

Electronic mail is the computer version of those postcards you drop into letter boxes telling everyone (including the postman) what a great time you are having on holiday. It is not particularly private and is not necessarily very fast. We have gotten used to email normally arriving quickly – within minutes or even seconds, but that is not always the case. In common with the ordinary postal service (I am excluding special services such as recorded delivery), there is not even a guarantee of delivery – it is done on a best efforts basis.

Conventionally the majority of people “pulled” their email from their ISP's email server. When you wanted to read your email, you would start an email client (or commonly these days visit a webmail page and log in) and it would pull your email into your email client. When connecting to your email server over a slow connection, the process of pulling in all the email could be quite slow.

To combat this problem, a few proprietary solutions appeared which ensured that the messages were pushed down to the device (as it happens a mobile phone) so that they were always ready when you wanted to read them. Essentially it was a trick – a neat trick, but a trick none the less that made the phone appear to be much faster at reading emails than other phones relying on the “pull” method.

Of course there’s a cost to all this pushing. The phone has to wake up every so often to allow the server(s) to push any available messages, which might not take much power but given the frequency with which it happens can have a big effect on how long your battery lasts.

And do we need the immediacy of push email (or other kinds of messages)? Personally I think it is better to read (and respond to) messages when it is convenient to us to do so. Responding when the messages become available means being constantly interrupted.

At work I have seen those who have their machines configured to pop up little messages whenever they get a message. I am amazed that people can get work done with these constant interruptions. Perhaps those who insist on push email are somewhat shallow, and have little need to concentrate on a task.

Oct 03 2009
 

It might be a little too much to expect, but it would be nice if there were an option to change the meaning of the little red numbers that show up on the Mail icon, the Messages icon (and other messaging apps) from “unseen” to “not replied”.

I often quickly visit a message to see if it’s something that needs dealing with straight away, and go away if it is not that important. But as soon as I do, I lose the little number that reminds me there’s a message to deal with. The whole concept of changing an icon with a little number to show how many messages there are is brilliant.

And undoubtedly for many more organised people knowing how many new messages there are is just what they need. But some of us would like to know how many messages have not been replied to or dealt with in some other way.

Jan 06 2007
 

I have just released a new version of Popspeaker, a trivial little Python script to make announcement sounds when it spots new messages from selected people in your POP3 mailbox. The big change is that it now loads a configuration file rather than relying on global variables in the script itself; but some other minor improvements have been made to make this more like a product and less like a scrofulous script knocked up for one person’s use.

The advantage of running this script for me is that I can be sitting down reading a book and my workstation will announce “You have mail from your parents” if that happens. I can see mails from interesting people quickly, and let all the spam and other cruft wait until I am in the mood to trawl through my mail.