This post adds my own personal experiences to improving the email authentication protocols of my own domain. I wrote about these issues in general for iBoss earlier this year and described the three protocols (SPF, DKIM and DMARC) and how they interact with each other. These protocols have been around for a while, and implementing them isn’t easy and hasn’t been very popular, outside of perhaps Google-administered email domains.
A recent survey from Barracuda shows how the majority of folks haven’t yet set up anything in their environments, as you can see by this graphic below. Another survey from Agari (who sells DMARC managed services, so they have something of a self-interest) says 82 percent of federal government domains lack DMARC protection. To try to fix this, the feds are getting more serious about DMARC, requiring it across all agency networks soon.
So I wanted to be able to lead by example and actually put these tools in place on my own servers. That was easier said than done.
I first contacted Valimail in August. They have a managed email authentication service and agreed to work with me to get me set up. Valimail knows what they are doing in this space. As an example, a few weeks ago one researcher posted how he could deliberately break some DKIM records if he created some oddball email messages. Turns out Valimail has this covered and posted a counter reply. They claimed that the researcher didn’t really understand how it was used in practice.
And that is the issue: these protocols are very, very hard to implement in practice. Getting my domains setup wasn’t easy: part of that was my fault, and partly because this is a knotty area that has a lot of specific knobs to turn and places where a misplaced comma can wreck your configuration. So I am glad that I had them in my corner.
Let’s talk about what was my fault first. I have two different Internet providers for my domains. First is GoDaddy, which registers my domains. I have always felt it is a good idea to separate my content from my registrar, which is where my second provider, EMWD.com, comes into play. They host my blogs and mailing lists. The problem is that the three email protocols touch on aspects of both what the registrar has to do and what the content hosting provider has to do, and so I found myself going back and forth between the two companies and their various web-based control panels to add DNS entries and make other adjustments as I needed. For your particular circumstances, that may not be necessary. Or it could be more complicated, depending on how many individual domains (and sub-domains) you own and how you have set up your email servers.
When you first sign on with Valimail, they run a report that shows how messed up your email system is. Now right here I want to stop and explain what I mean. Your email system is probably working just fine, and your messages are flowing back and forth without any real issues. Except one: they aren’t using the full power of the various authentication protocols that have been developed over the years. If you don’t care about spam and phishing, then stop right here. But if you do care — and you should — then that means you need to get email authentication done correctly. That is the journey that I have been on since this summer.
OK, back to my story. So I got a report from Valimail that looked like this. It shows that I made several mistakes in configuring my mail server because it uses a different domain (webinformant.tv) from the domain that I use for sending individual emails (strom.com). Duh! It was embarrassing, after all these years claiming to be this email “expert” (I did write a book on corporate email use once upon a time) and yet I still missed this very obvious mistake. But that is why you hire outside consultants to help you learn about this stuff.
That wasn’t my only problem. Second, I was using WordPress as my blogging software. Now, what does this have to do with email, you might ask? My problem was I didn’t immediately make the connection either. Some of my emails weren’t being authenticated properly, and it was only after further investigation did I realize that the comments that were being collected by my blog were the culprits. WordPress uses email to notify me about these comments. Luckily, there is a plug-in for fixing this that was available. Of course, it still took some effort to get it working properly.
This is why you want someone like Valimail to be working with you, because the chances of making any errors are huge, and your email infrastructure can be a bigger project that you realize, even for a small organization such as my own operation.
I have one other technology piece in my mix. One of the reasons why I chose EMWD is because they offer cheap but really good hosting of Mailman, which is a Unix-era email server that I have been using for more than a decade for my weekly Web Informant newsletters. It isn’t as fancy as Mailchimp or some of the other more modern mailers, but I also am familiar enough with its oddities that I feel comfortable using it. So any DKIM/DMARC/SPF installation also had to make some changes to its parameters too. Luckily, The folks at Valimail knew which ones to tweak.
So it took several months of elapsed time to work with Valimail to get things correctly setup. And that is probably a good thing because uncovering all the various applications that make use of email in oddball ways will take some time, particularly if you are a decent-sized company. Most of the elapsed time for my situation was because I was busy on other matters, and also because it took me several tries to understand the scope of what I had to do. Also, because Valimail’s typical customer is a larger enterprise, they weren’t very familiar with the cPanel interface that EMWD (like a lot of smaller ISPs) employs, or working with WordPress, so they had a learning curve too.
The team that helped me was very patient, which was great because I did need a lot of hand-holding (in the form of JoinMe meetings and screen sharing sessions) to walk me through the various processes. But what this demonstrated to me is how ingrained using email for various tasks can be, even for a company of one employee.
So the moral of the story: even if you know what you doing, this is one area that requires very specialized knowledge. But if you want to make an effort to reduce spam and phishing, you should implement all three of these protocols. And you might end up fixing some other email issues across your enterprise along the way too.
I have known Dave Piscitello for several decades; he and I served together with a collection of some of the original inventors of the Internet and he has worked at ICANN for many years. So it is interesting that he and I are both looking at spam these days with a careful eye.
He recently posted a column saying “It sounds trivial but spam is one of the most important threats to manage these days.” He calls spam the security threat you easily forget, and I would agree with him. Why? Because spam brings all sorts of pain with it, mostly in the form of phishing attacks and other network compromises. Think of it as the gateway drug for criminals to infect your company with malware. A report last December from PhishMe found that 91% of cyberattacks start with a phish. The FBI says these scams have resulted in $5.3 billion in financial losses since October 2013.
We tend to forget about spam these days because Google and Microsoft have done a decent job hiding spam from immediate view of our inboxes. And while that is generally a good thing, all it takes is a single email that you mistakenly click on and you have brought an attack inside your organization. It is easy to see why we make these mistakes: the phishers spend a lot of time trying to fool us, by using the same fonts and page layout designs to mimic the real sites (such as your bank), so that you will login to their page and provide your password to them.
Phishing has gotten more sophisticated, just like other malware attacks. There are now whaling attacks that look like messages coming from the CFO or HR managers, trying to convince you to move money. Or spear phishing where a criminal is targeting someone or some specific corporation to trick the recipient into acting on the message. Attackers try to harvest a user’s credentials and use them for further exploits, attach phony SSL certificates to their domains to make them seem more legitimate, use smishing-based social engineering methods to compromise your cell phone, and create phony domains that are typographically similar to a real business. And there are automated phishing construction kits that can be used by anyone with a minimal knowledge to create a brand new exploit. All of these methods show that phishing is certainly on the rise, and becoming more of an issue for everyone.
Yes, organizations can try to prevent phishing attacks through a series of defenses, including filtering their email, training their users to spot bogus messages, using more updated browsers that have better detection mechanisms and other tools. But these aren’t as effective as they could be if users had more information about each message that they read while they are going through their inboxes.
There is a new product that does exactly that, called Inky Phish Fence. They asked me to evaluate it and write about it. I think it is worth your time. It displays warning messages as you scroll through your emails, as shown here.
There are both free and paid versions of Phish Fence. The free versions work with Outlook.com, Hotmail and Gmail accounts and have add-ins available both from the Google Chrome Store and the Microsoft Appsource Store. These versions require the user to launch the add-in proactively to analyze each message, by clicking on the Inky icon above the active message area. Once they do, Phish Fence instantly analyzes the email and displays the results in a pane within the message. The majority of the analysis happens directly in Outlook or Gmail so Inky’s servers don’t need to see the raw email, which preserves the user’s privacy.
The paid versions analyze every incoming mail automatically via a server process. Inky Phish Fence can be configured to quarantine malicious mail and put warnings directly in the bodies of suspicious mail. This means users don’t have to take any action to get the warnings. In this configuration, Outlook users can get some additional info by using the add-in, but all the essential information is just indicated inline with each email message.
I produced a short video screencast that shows the differences in the two versions and how Phish Fence works. And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in. Check out Phish Fence and see if helps you become more vigilant about your emails.
Inky Phish Fence is an anti-phishing platform available for many email systems and can detect and defend against many types of suspicious emails and phishing attacks. It comes as an add-in for Outlook for Exchange/Office 365 accounts. It is also available for G Suite and Gmail as a Chrome extension. Enterprise users would most likely use a purely server-side gateway version where the checks are performed automatically and the warnings get inserted into the actual email. The consumer add-ins are free, the corporate version starts at a few dollars per month per user with quantity discounts available.
I tested the product in November 2017.
To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is because there are multiple standards and sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.
Email encryption products have made major strides since I last looked at them nearly two years ago in this review for Network World. This week I had an opportunity to revisit these products, and found that they have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements. They are at the point where encryption can almost be called effortless on the part of the end user.
I reviewed five products: the two that I reviewed in 2015 (HPE/Voltage Secure Email and Virtru Pro) and three others (Inky, Zix Gateway, and Symantec Email Security.cloud). The overall winner was Zix (shown here). It was easy to install and manage, well-documented, and the encryption features were numerous and solid. The only drawback was that Zix lacks a separate mobile client to compose messages, but having a very responsive mobile web app made up for most of this issue.
You can read the complete review in Network World here, and you can watch a screencast video comparing how three of the products handle data leak protection:
I never thought I would see the day where executives and major public figures would be proud of their techno-luddite status. Scratch that. Not proud, but grateful. In a story in today’s New York Times, several senators and other public figures are quoted about how they have given up their personal email accounts, or have begun scrubbing their sent folders, thanks to the recent series of leaks from the mailboxes of the DNC and Colin Powell.
Senator Lindsey Graham said, “I haven’t worried about an email being hacked since I’ve never sent one. I’m, like, ahead of my time.” Senator Chuck Schumer is noted for still using a flip phone. And of course there are the email-related stories that doggedly follow one of our presidential candidates around. All of a sudden, it is cool to be more disconnected. Especially ironic, given today is also the day millions will flock to the nearest Apple Store and buy a phone that doesn’t have a headphone jack. (Shelly Palmer’s rant on this is pure pleasure.)
The hacked emails seem to be genuine, at least according to press reports and the impact they have had with the shake up of the DNC leadership. But they have also had the effect that others in the public eye are reconsidering the contents of their own message store.
I have even learned a new acronym: LDL, for let’s discuss live. Meaning, “too hot to talk about in email.”
So let’s all just take a deep breath and look calmly at a few simple rules for your own email usage going forward. First off, yes, emails can be compromised. Don’t say anything there that you wouldn’t want anyone else to read. While you may not think you are a target or of any interest, you have no control over where that message might end up. You might want to walk down the hall for a quick FTF meeting, or even pick up the phone. Think about the 80’s.
Second, if you are very worried, start using encryption, and make sure it covers the complete path end-to-end. There are several instant messaging platforms that are easy to use (Network World did a recent review comparing them, and I have written reviews of encrypted email products for them as well). Yeah, I know, encryption is a pain, but the current crop of products is actually pretty easy to deploy and use. Having said that, hardly anyone sends me encrypted emails, ever.
Third, take a moment to review your password collection for your communications products, including your IMs, email accounts, voice mails and VoIP products. If you use the same password for more than one of these tools, take a day and install LastPass or some other password manager and start treating these passwords more seriously. Do it this weekend.
Finally, don’t hide behind your personal accounts such as Facebook or a non-corporate email address. Those are just as much at risk, as one network anchor realized who hurriedly deleted his Gmail account that was cited in the Times story. Everything is discoverable and vulnerable these days.
There are numerous articles on the misuse of email (including this post where we talk about ways to onboard Gen Y workers), but one of the biggest mistakes is email becomes the general all-purpose tool for all kinds of inappropriate collaboration methods for your team. While email is great for point-to-point communications, it falls down when it comes to sharing and editing spreadsheets and documents, scheduling meetings, and tracking projects — all things that I talk about in my latest post for the Quickbase Fast Track blog here.
With the passing this week of Ray Tomlinson, I am tripping down memory lane and thinking once again about email. Ray, for those of you that don’t recall, was credited with the invention of the @ sign back in 1971 as a mechanism to separate a user from the computer that ran the user’s account. It took decades before it became the ubiquitous part of the Internet addressing system that we all take for granted today.
But, no disrespect to Ray, email is a lot more than just the @ sign, although it certainly is the easiest and most recognizable part of it. If you want to really dive into the history of email, I would start with Dave Crocker’s excellent compendium site. Crocker had a hand in inventing several key elements of email infrastructure himself and wrote this excellent history of early email for the Washington Post several years ago.
As you review some of these documents, you’ll quickly see that email isn’t just the product of any one person. Like many of the things behind the Internet and the world of open source software, dozens if not hundreds of people contributed, block by block and bit by bit. Today’s email system makes use of numerous different protocols to get a message from you to me and back again. What is astounding is that essentially email is the same basic service and “has not been replaced or interrupted in 40 years. It simply grew from a couple hundred users to a couple billion,” as Crocker wrote in his Post piece. Well, maybe not so simply, but still.
One thing not often discussed is the fact that for its early years, email thrived outside of the Internet. Many of the early email systems were local to a company, and only able to exchange messages with other users there. Vendors such as cc:Mail, Network Courier, and Higgins (remember those?) dominated that early corporate landscape. Eventually, the Internet would connect these disparate systems together and avoid the use of messaging gateways or remote dial-up modems. Now it is almost impossible to use email and not be connected to the billions of others online. Of course, finding a current email address for a recipient is another matter.
In the 1990s, I was lucky to have worked with some of these early pioneers, such as Crocker. Also with Marshall Rose, who wrote some of those early Internet email standards. Marshall and I co-authored a book called Internet Messaging back in 1998. Penn Jillette, part of the comedy magic team of Penn and Teller, wrote the foreword to our book. He says, “email is still the greatest thing ever invented in the history of the world. ‘What about fire?’ you say. And I answer, what good would it be without an email to ‘come and get it?'” Penn also had some sage advice: “When I see your words [via email], they are in my font and color on my computer, and the computer feels like part of my brain. Telephone is talking; email is whispering thoughts directly into my mind.”
All food for thought when you send your next email.
Whether you think Ed Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email business. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology itself to transmit his documents. As I wrote about earlier this year, since Snowden’s revelations, more people have been motivated to employ encryption than ever before.
Ironically, it seems that the type of encryption that you use can make you a target of the spy agencies, who can scoop up your transmissions and figure out your origins. As Bruce Schneier said in a post last year, “There’s nothing that screams “hack me” more than using specially designed al Qaeda encryption software.”
That is a scary thought. But I don’t want to debate this here; instead I wanted to take a closer look at both new and older email encryption technologies and how much they actually protect your communications.
I took this two-year mark of Snowden’s unintended flight to Russia to write this review of seven different products for Network World. They include Hushmail, ProtonMail, Datamotion SecureMail, HP’s Voltage SecureMail, Tutanota, Virtru and AppRiver. Using one of them will certainly be better than not using any encryption, even if it raises your profile with certain three-lettered agencies. Tutanova’s Outlook plug-in is pictured above.
You can read my full review here.
Two years ago a young man left his girlfriend and home with his laptops and a fantastic story that has changed the world and the way we think about our Internet privacy. I am of course talking about the flight and plight of Ed Snowden and his cache of secret documents about the massive NSA surveillance of electronic communications.
Whether you think Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email biz. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology. (He isn’t the only one.) While he ultimately was successful in securing his communications with the press, another irony was how things ended up for him: now he is living in Russia, certainly not one of the most privacy-friendly places in the world. It is also ironic that his Russian residency has enabled his new career as a professional speaker, albeit using various remote video technologies since he can’t get on a plane because he doesn’t have a passport. (Part of me is envious of this, having to still give speeches the old fashioned way by getting on planes. But I am glad that I have my passport.)
But the ironies extend beyond Snowden’s life to more important matters. We have evidence that shows how the NSA abused numerous statutes in what they call “bulk metadata collection” of phone calls and emails. And we all now know what metadata means, and how former NSA director Michael Hayden said last year: “We kill people based on metadata.” Certainly, the Snowden effect is quite real, given the current debates in Congress over reauthorizing various legislative means for them to continue these practices.
And the ultimate irony of them all is another Snowden effect: while the NSA revelations have closed down several secure email providers such as Lavabit and Silent Circle, others have taken their place and encrypted email usage is most likely at an all-time high, thanks to the paranoid and prudent among us.
I have spent a lot of time listening to Snowden’s various public discussions, held at SxSW, with John Oliver for his HBO show, and at a recent conference at Princeton where he exchanged words with a New York Times reporter that broke some of the early stories. And while I am not sure where I stand on the traitor/patriot index, Snowden certainly has a lot of interesting things to say. It is clear that he has spent a good portion of his clandestine career preparing for his media close ups and photo ops. He also has a lot of time on his hands to keep up with current events.
I think Snowden has done more than just about anyone since Phil Zimmerman (the creator of PGP and now involved with DarkMail) to encourage email encryption usage. When Marshall Rose and I wrote a book about corporate email use back in 1998 (cover reproduced above), we said that secure email was “best described as a sucking chest wound.” For most of the last 17 years, secure email was more a curiosity and almost unknown and unused in corporate America. That changed two years ago, and it is catching on in more places.
It is still too difficult to use, as this story in Ars Technica takes you through how to deploy it on an individual basis. Maybe not a sucking chest wound, but still more than just a mere blister to be sure.
I am interested in hearing more about your own secure email usage, and it is partly motivated by a review that I am writing for Network World comparing several of the more useful business-oriented tools. Having used some of these products for decades, I welcome your own thoughts and will let you know when the review is published, probably later this summer.
And if you want to re-read a semi-serious blog post that I wrote last year where I thanked the NSA for enabling all sorts of activities, here you go.