Exchange 2010 disclaimers: What’s new?

January 21st, 2010

With each new version of Exchange Server, Microsoft introduces more advanced email disclaimer options. In Exchange 2010, the following new disclaimer features have been added:

In Exchange 2010 the email disclaimers are still configured from the Transport Rules, as they were in Exchange 2007 (see our previous article ‘How to Configure an Email Disclaimer in Exchange 2007’). The only difference is that in Exchange 2010, the dialog where you enter the actual disclaimer text now also allows you to include HTML code, image tags and Active Directory merge fields.

Although these features greatly improve the disclaimer functionality in Exchange 2010, you might still find that they do not fully meet your requirements. We have compiled a list of disclaimer features ‘missing’ in Exchange 2010 that are available in third party disclaimer products:

No disclaimer/signature positioning within email body: Exchange 2010 does not allow you to position your email signature or disclaimer below the most recent message text (you can only select to add it at the top or bottom of the email message). Some third party applications can place the email disclaimer or signature after the most recent message text, instead of at the very bottom of the email. This is especially desirable if you are using email signatures and if you want the recipient to actually ‘see’ the disclaimer.

No support for embedded images: Exchange 2010 does not allow you to embed images in your disclaimer or signature. This means that if you want to include a picture in your disclaimer or signature when using Exchange 2010, you must include it as an IMG tag, pointing to a URL containing the image. This is highly undesirable since many email programs, including Microsoft Outlook, block access to linked images by default. Many third party applications are capable of inserting an image stored on a local drive into the message. These images do not get blocked by Microsoft Outlook.

Disclaimer does not show in Sent Items: Exchange 2010 does not show your email signature or disclaimer in the Sent Items in Outlook. This not only means that your users cannot see what their email looked like, it also means that your email archive does not contain the actual email that was sent and will therefore not be legally correct. Especially when adding disclaimers it is essential that proof is obtained that the disclaimer was added.

No message fields: Exchange Server 2010 does not allow you to use message fields that are retrieved from the email message, such as recipient name and date. It can be useful to include the actual recipient name in the disclaimer as follows: This email is only intended for [recipient name]. Adding the actual recipient names instead of stating ‘the individual(s) to whom it is addressed’ makes the confidentiality notice more specific and effective. It can also be useful to ‘date stamp’ the disclaimer, indicating when it was added to the message.

No distinction between initial email and replies/forwards: Many companies like to add a longer signature on the first email (with for instance the corporate mailing address and company logo), and then a shorter signature with only the person’s phone number and email address. This functionality is not available in Exchange 2010, but is available in some third party email disclaimer products.

No HTML editor: Exchange 2010 does not include an HTML editor for creating your disclaimer or signature. Of course there are many HTML editors that you could use to create your email disclaimer or signature and then copy and paste the HTML source into the Exchange 2010 disclaimer text, but this is not so user friendly, and can be cumbersome if dealing with a number of different signatures and disclaimers.

No preconfigured AD merge fields: If you want to make use of Active Directory merge fields in your Exchange 2010 disclaimer text, you have to find the correct field code and then enter the code in between double percentage signs (%%) within the disclaimer text. This again can be cumbersome if you are using many fields, and more importantly can be prone to mistakes if the fields are not entered correctly within the disclaimer text. Third party disclaimer products allow you to insert preconfigured AD fields and some include a Preview utility to preview the disclaimer using a selected user’s AD information. This gives you the peace of mind that the disclaimer or signature was correctly configured.

Red Earth Software are developers of Policy Patrol Disclaimers, email disclaimer and email signature software for Microsoft Exchange Server. Policy Patrol 6 is the first server based email disclaimer product for Exchange Server that shows the disclaimer and signature in the Sent Items of Outlook without requiring any client software or allowing users to edit or remove the disclaimer before sending.


Forrester study reveals workers not ready to give up email any time soon

December 23rd, 2009

A recent Forrester study held among 3700 knowledge workers reveals that 77% of workers use email for collaborative work and only 5% use social media such as wikis, blogs and social networks. When asked whether they would like to see any improvement in the way they communicate, they responded that they prefer to keep using the same tools with improvements, rather than using a whole new set of tools to communicate. Respondents mostly named the following points that needed improvement in email: miscommunication, scattered files and delays awaiting replies from others.  In the study, entitled ‘Building the Future of Collaboration’, Forrester concludes that ‘respondents hope tomorrow will be similar, but better’.


Are companies unknowingly exposing themselves to the potentially harmful effects of cc mass mailings?

December 7th, 2009

This could happen to you: Your new sales rep is eager to get results and fast. He decides to contact his 200 customers with your latest promotional offer. In order to get the message across in the minimum amount of time, he creates one email, pastes all the email addresses in the Cc: field and hits ‘Send’. Now he just needs to wait for the orders to come in.

Your nightmare has begun. A potential privacy breach and damage to your company’s reputation has been set in motion. Not only has this one email exposed your valuable customer list and opened you up to 200 potential lawsuits for privacy breach, it has severely damaged your company’s reputation. If your company is this careless with its customer information, what does that say about the quality of the services and products you provide? And you don’t even want to think about what will happen when the recipients hit the ‘Reply to All’ button and start complaining about your company’s spam practices and asking you to remove them from the list. A true ‘mail storm’ could erupt with your company as the source. Download the Red Earth Software white paper ‘Preventing Privacy Breach - Why You Need to Block Cc Mass Mailings’ to find out about how these undesirable mass mailings can occur, the damage they can do, and how you can protect your company by preventing these emails from leaving your network.


How to Configure an Email Disclaimer in Microsoft Exchange Server 2007

October 1st, 2009

Microsoft Exchange Server 2007 includes the ability to add email disclaimers to your internal and external emails by making use of Transport Rules. In this article we will show you how you can configure an email disclaimer in Exchange Server 2007 and the various options that are available, including disclaimer formatting, positioning and avoiding multiple disclaimers. To configure an email disclaimer, follow the next steps:

  1. In the Exchange Management Console, go to Organization Configuration > Hub Transport.
  2. In the right-hand pane, select New Transport Rule.
  3. Enter a name and description for the rule. Leave the checkbox Enable Rule enabled. Click Next.
  4. In Conditions, you can select a number of options. For instance you can configure the disclaimer to only be added if the email is addressed to or from certain people or groups, when a word is present in the subject or body of the email, when the header contains certain words, when the message is marked with a classification or importance, or when an attachment file name or size is detected. In this example we will apply the disclaimer to all messages sent externally to the organization. To do this we will select the option ‘sent to users inside or outside the organization’.

  [Figure: Set Email Disclaimer Conditions]

  5. Now click on the ‘Inside’ link in the rule description. Select Outside and click OK. Click Next.
  6. You will now be able to specify the action that must be taken for any email that meets the selected conditions. There are several options such as adding text to the subject, sending a blind copy, removing/adding a header, redirecting the message to another address and setting a spam confidence level. Since we are creating a rule to add disclaimers, we will select the option ‘append disclaimer text using font, size, color, with separator and fallback to action if unable to apply’.

  [Figure: Append Email Disclaimer]

  7. Click on the ‘disclaimer text’ link. A dialog will appear allowing you to enter your email disclaimer text. Enter the disclaimer text and click OK.

  [Figure: Entering the disclaimer text]

  8. By default the disclaimer will be added in Arial, smallest font, gray color with a separator and fall back to wrap if unable to apply. Follow the next steps to change any of these default settings:
    • To change the font type, click on the ‘Arial’ link. From a drop down box you will be able to select Courier New or Verdana, instead of Arial.
    • To change the font size, click on the ‘smallest’ link. You will be able to choose from smallest, smaller, Normal, larger, largest.
    • If you wish to change the color, click on the ‘Gray’ link. You will be able to choose from a number of colors in the drop down list.
    • If you do not wish to have a separator (this is a line separating the disclaimer from your message text), click on the ‘with separator’ link and select ‘without separator’ from the drop-down list.
    • Click on the ‘wrap’ link to select from one of three Fallback actions: wrap, ignore, reject. This option tells Exchange Server what to do if for some reason an email disclaimer cannot be added, for instance if the message is encrypted or digitally signed. If you select wrap, Exchange Server will create a new email message with the disclaimer in the body and the original email as an attachment. If you select ignore, Exchange Server will let the message through without a disclaimer. If you select reject, the message will not be delivered and an NDR will be sent to the sender.
    • When you have finished entering the disclaimer options, click Next.

  9. You will now be able to enter exceptions to the rule. If the email message meets any of the selected exceptions, the email disclaimer will not be added. For instance an exception can be used to avoid multiple disclaimers being added to the same message. This can be done by selecting the option ‘except when the text specific words appears in the subject or the body of the message’.
  10. Click on the ‘specific words’ link. Now enter a part of the disclaimer that is unique to your disclaimer. To make sure you do not enter text that could also be part of someone else’s disclaimer, it is recommended to enter text that includes your company name. Click OK. You can also select other exceptions such as certain senders or recipients, or when certain words are found in the subject or header. When you have finished configuring exceptions, click Next.

  [Figure: Avoiding Multiple Disclaimers]

  11. Read the rule description. If everything looks good, click New. The rule will now be created. Click Finish. Your rule will now be listed under the Transport Rules tab.
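To make the decisions behind the rule above concrete, here is a small Python model of what the transport rule does to a message: the ‘sent outside the organization’ condition, the append action with separator, the wrap/ignore/reject fallback for signed or encrypted mail, and the ‘specific words’ exception that stops a second disclaimer being added on replies. It also substitutes %%Field%% merge fields in the style of the Exchange 2010 dialog described in the first post. This is an added example written for this page, not Exchange code; the domain, the directory entries, the field names and the company name are constructed.

```python
"""Model of the Exchange 2007/2010 disclaimer transport rule walked through above.

Added example, not Exchange code: it reproduces the rule's decision logic
(scope condition, append action, fallback for signed/encrypted mail, and
the 'specific words' exception that prevents duplicate disclaimers) so the
behaviour can be checked on constructed sample messages. Merge fields use
the %%Field%% syntax of the Exchange 2010 dialog; the field names, domain
and sample directory are assumptions made for this example.
"""
from dataclasses import dataclass
import re

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (constructed)

# Constructed stand-in for Active Directory attributes, keyed by sender address.
DIRECTORY = {
    "alice@example.com": {"DisplayName": "Alice Example", "Phone": "+1 555 0100"},
}

SEPARATOR = "-" * 40


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    signed_or_encrypted: bool = False


@dataclass
class DisclaimerRule:
    text: str                 # may contain %%Field%% merge fields
    unique_marker: str        # the 'specific words' exception, e.g. the company name
    fallback: str = "wrap"    # wrap | ignore | reject
    with_separator: bool = True

    def applies(self, msg):
        # Condition: at least one recipient is outside the organisation.
        external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)
        # Exception: the unique marker is already in the body (a reply quoting an
        # earlier message), so adding another copy would duplicate the disclaimer.
        already_present = self.unique_marker.lower() in msg.body.lower()
        return external and not already_present

    def render(self, msg):
        attrs = DIRECTORY.get(msg.sender, {})
        # Replace %%Field%% with the sender's attribute; unknown fields become blank
        # rather than leaking the raw tag into the outgoing mail.
        return re.sub(r"%%(\w+)%%", lambda m: attrs.get(m.group(1), ""), self.text)

    def apply(self, msg):
        """Return (action, body); action is appended/skipped/wrapped/ignored/rejected."""
        if not self.applies(msg):
            return "skipped", msg.body
        disclaimer = self.render(msg)
        if msg.signed_or_encrypted:
            # The body cannot be altered without breaking the signature/encryption,
            # so the configured fallback action decides what happens.
            if self.fallback == "wrap":
                return "wrapped", disclaimer + "\n\n[original message attached unchanged]"
            if self.fallback == "ignore":
                return "ignored", msg.body
            return "rejected", msg.body   # an NDR would go back to the sender
        sep = "\n" + SEPARATOR + "\n" if self.with_separator else "\n"
        return "appended", msg.body + sep + disclaimer


RULE = DisclaimerRule(
    text="This email from %%DisplayName%% at Contoso Ltd is confidential.",
    unique_marker="Contoso Ltd",   # company name, as the article recommends
)


def run_samples():
    """Apply RULE to constructed messages and return the (action, body) per case."""
    cases = {
        "external": Message("alice@example.com", ["bob@partner.test"], "Hello Bob"),
        "internal": Message("alice@example.com", ["carol@example.com"], "Hi Carol"),
        "reply": Message("alice@example.com", ["bob@partner.test"],
                         "Thanks\n> This email from Alice Example at Contoso Ltd is confidential."),
        "signed": Message("alice@example.com", ["bob@partner.test"], "Signed", True),
    }
    return {name: RULE.apply(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, (action, body) in run_samples().items():
        print(f"{name}: {action}\n{body}\n")
```

The ‘reply’ case is the one the exception in step 10 exists for: because the quoted text already contains the company name, the rule skips it instead of stacking a second disclaimer under the first.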

As you can see, email disclaimers are easy to configure in Exchange 2007. Although there are quite a few available options, it is possible that the offered email disclaimer/signature functionality might not meet your needs entirely. We have listed some features below that are available in third party email disclaimer applications:

See disclaimers and signatures in the Sent Items of Outlook: Exchange Server does not show the email disclaimer or email signature in the Sent Items of Outlook. This means that the sender does not obtain proof that the disclaimer was added, the sender cannot see the actual message that was sent, and the email archive will not include the disclaimer text. Some third party applications do show email disclaimers in the Sent Items in Outlook, however most of them require client software to be installed or still allow users to edit or remove the disclaimer or signature. Using a server based email disclaimers application that shows disclaimers in Sent Items without allowing users to modify or remove the disclaimer is preferable.

Active Directory Merge fields: In order to create a global corporate email signature that is automatically personalized for each sender, some third party email disclaimer applications make use of Active Directory merge fields. These merge fields can be used in the disclaimer or email signature template. When an email is sent, the fields will automatically be replaced with the sender’s Active Directory properties, such as name, phone number and email address.

Message fields: Exchange Server 2007 does not allow you to use message fields which are retrieved from the email message, such as recipient name and date. It can be useful to include the actual recipient name in the disclaimer as follows: This email is only intended for [recipient name]. It can also be useful to ‘date stamp’ the disclaimer, indicating when it was added to the message.

Include logo or picture in your disclaimer/signature: Exchange Server 2007 does not allow you to include a logo or picture in your disclaimer or email signature. A number of third party disclaimer applications allow you to embed an image within your email disclaimer/signature.

Custom disclaimer positioning: Some third party applications can place the email disclaimer or signature after the most recent message text, not only at the end or beginning of the email. This is especially desirable if you are using email signatures and if you want the recipient to actually ‘see’ the disclaimer.

HTML formatting and inline CSS styles: Exchange Server 2007 only allows you to add formatted text to an email. It offers a limited set of font colors and sizes and does not allow you to use CSS styles, HTML tables or other formatting options. Third party applications allow you to edit the disclaimer or signature straight from HTML, offering many more formatting options.

Add different signature on first emails: Should you wish to add a longer signature on the first email (with for instance the corporate mailing address and company logo), and then a shorter signature with only the person’s phone number and email address, this is also possible by using third party email disclaimer software.


Why worry about image spam if you have greylisting?

September 21st, 2009

MessageLabs recently reported an image spam déjà vu, with image spam reaching a new peak in May 2009, and warned that users with outdated spam filters might be the victim of this new wave. Image spam is where spammers place their spam message in an embedded image within the email, therefore bypassing filtering solutions based on Bayesian filtering and heuristic filtering because the email does not contain any text to scan. Image spam first appeared in 2006 and enjoyed considerable success. Anti-spam vendors quickly created new techniques to block this kind of spam, including optical character recognition (OCR) scanning of the text in the image. The effectiveness of this was short-lived since spammers started to obfuscate their images by adding background noise and blurred text, therefore rendering OCR scanning useless. Spammers also easily defeated anti-spam solutions that relied on a database of known spam images by slightly adjusting the image in each spam mail. According to the MessageLabs report, we are now seeing a new type of image spam where the image is not embedded within the email but the email contains a link to a remote image on a website. It further warns that ‘it is notoriously difficult for traditional anti-spam techniques to safeguard against this type of image spam’.

Should we be worried by this new image spam? The answer is: no, not at all. That is, if you are using a spam filter that uses greylisting.  You will not even have to continually upgrade your system to ward off the latest spammer invention; greylisting will continue to happily block tried and tested spam methods as well as new, nifty spamming ways.  Instead of trying to analyze each different type of spam message and heavily interpret images using resource-intensive OCR methods, anti-spam filters must deploy more universal methods that deal with any type of spam, whether that is ‘normal’ spam, image spam, pdf spam or Excel attachment spam. Greylisting is a universal approach that can block any type of spam (and even viruses), and is very difficult for spammers to circumvent. 

So what is greylisting? Greylisting blocks spam and viruses by temporarily rejecting initial emails from new (non white-listed) senders for one minute. Legitimate emails will still get through, but spam messages will not. This is because, unlike spam engines and zombie machines, regular mail servers resend their messages upon initial rejection. Spammers simply cannot afford to resend their messages. If they did, it would take much longer to send out their spam. The longer it takes to send out spam, the higher the chance is that their domain is added to a blacklist, effectively blocking all their spam from that point onwards. This is also why it is highly unlikely that spammers will start resending their mails to bypass greylisting; there simply is not enough time to resend emails before the spammer is blacklisted.

Granted, greylisting does have its disadvantages: emails from new senders are slightly delayed (usually not more than a couple of minutes, but it does depend on how long your greylisting system waits until it accepts a resend), and in rare instances the initial rejection can trigger a delayed-delivery notification to the sender, making the sender think that the message was not delivered. The sender will then usually resend the message, with the result that you might receive two identical messages. Since this only happens very occasionally it really does seem to be a small price to pay for a clean inbox. For more information on greylisting: http://www.greylisting.org/.
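The mechanism described above comes down to a small state machine keyed on who is sending to whom from where. The Python below is an added example written for this post (not code from Policy Patrol or from greylisting.org): an in-memory greylister that keys on the (client IP, envelope sender, envelope recipient) triplet, temporarily rejects the first attempt, accepts a retry once the delay has passed, and never delays whitelisted sender domains. The one-minute window, the triplet lifetime and the sample delivery attempts are constructed values; time is passed in explicitly so the retry behaviour can be exercised without waiting.

```python
"""Greylisting decision logic as described in the post above.

Added example, not code from any product or from greylisting.org: a minimal
in-memory greylister. Each SMTP delivery attempt is identified by the triplet
(client IP, MAIL FROM, RCPT TO). The first attempt for an unknown triplet gets
a temporary failure (SMTP 451); a real mail server retries after a while and is
then accepted, while a spam engine that never retries is never delivered.
RETRY_DELAY and TRIPLET_LIFETIME are assumed values chosen for the example.
"""

RETRY_DELAY = 60              # seconds a new triplet must wait before acceptance (assumed)
TRIPLET_LIFETIME = 4 * 3600   # forget a triplet whose sender never retried (assumed)


class Greylister:
    def __init__(self, whitelist=()):
        self.whitelist = {d.lower() for d in whitelist}   # trusted sender domains
        self.seen = {}                                    # triplet -> first-seen time

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return 'accept' or 'tempfail' for a single delivery attempt at time `now`."""
        if mail_from.split("@")[-1].lower() in self.whitelist:
            return "accept"                     # white-listed senders are never delayed
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first = self.seen.get(key)
        if first is None or now - first > TRIPLET_LIFETIME:
            self.seen[key] = now                # new (or stale) triplet: ask for a retry
            return "tempfail"
        if now - first < RETRY_DELAY:
            return "tempfail"                   # retried too early, keep waiting
        return "accept"                         # a real MTA retried after the delay


def simulate():
    """Constructed attempts: a bot that never retries, an MTA that does, a whitelisted sender."""
    g = Greylister(whitelist=["trusted.test"])
    log = []
    # spam engine: a single attempt, never retried, so never delivered
    log.append(("bot", g.decide("203.0.113.9", "offer@spam.test", "alice@example.test", 0)))
    # legitimate MTA: first try rejected, retry five minutes later accepted
    log.append(("mta-1", g.decide("198.51.100.4", "bob@partner.test", "alice@example.test", 10)))
    log.append(("mta-2", g.decide("198.51.100.4", "bob@partner.test", "alice@example.test", 310)))
    # a further message on the same triplet is accepted straight away
    log.append(("mta-3", g.decide("198.51.100.4", "bob@partner.test", "alice@example.test", 320)))
    # whitelisted domain: no delay on the first attempt
    log.append(("white", g.decide("192.0.2.7", "ceo@trusted.test", "alice@example.test", 15)))
    return log


if __name__ == "__main__":
    for label, verdict in simulate():
        print(f"{label}: {verdict}")
```

The ‘mta-3’ case shows why the delay is only felt once per sender: after the first successful retry the triplet is known, so later messages from that server are accepted immediately. The lifetime check is what keeps the table from growing without bound on triplets that spam bots create and never revisit.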


Phishing scams getting more and more sophisticated

June 3rd, 2009

Phishing scams have been around for some time. Consumers have been warned numerous times not to click on links in emails and give out personal information or passwords. But what if the phishing email really looks genuine, without the usual telltale signs? In the last few days, a number of Bank of America phishing scams have been circulating that seem to be getting more and more sophisticated.

One of the emails includes the following message: “The Digital Certificate for your Bank of America Direct online account has expired. You need to update the certificate using Bank of America Direct Digital Certificate Updating Procedure”. These emails have the same look and feel as legitimate Bank of America notification emails, and the link shown in the email seems to go to bankofamerica.com. In fact, when you do a ‘View Source’, the link goes to an entirely different domain, but the masked link will be enough to fool non tech-savvy consumers. The email is not full of the usual obvious spelling and grammar mistakes (although the grammar is not quite correct). Another smart trick is that the phishers are spoofing the sender address that is used for legitimate Bank of America alerts. This allows them to bypass any spam filters that have this email address in the whitelist.

The link in the email, if clicked on (Readers: please do not click on the link!), will take you to a website where you will be asked to log on with your digital certificate. The phishing website is so sophisticated that it will then actually check with Verisign if your digital certificate is valid. If it is not valid, it will not store your information, but it will still infect your computer with a virus. If it is valid, they will record your digital certificate and more nasty stuff will await you. The following article by Gary Warner from his CyberCrime & Doing Time blog includes more details on this latest Bank of America phishing scam: http://garwarner.blogspot.com/2009/06/bank-of-america-digital-certificates.html.
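The ‘View Source’ check described above (the text of the link shows one domain, the href points at another) is easy to automate on the mail gateway. The Python below is an added example written for this post, not code from the blog or from the article linked above: it parses anchor tags out of an HTML body with the standard library and reports any link whose visible text names a different domain than the one the link really targets. The sample HTML is constructed, and the stand-in phishing host uses a reserved documentation name rather than the real site.

```python
"""Flag links whose visible text claims one domain but whose href goes elsewhere.

Added example for this post, not from the blog or the linked article: a
defender-side check that a mail filter could run on an HTML body. The SAMPLE
message is constructed; login.example.net stands in for the phishing host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host of a URL, or of bare text that looks like a domain; None for plain words."""
    value = value.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "http://" + value          # let urlparse handle 'www.bank.example/path'
    host = urlparse(value).hostname
    return host.lower() if host and "." in host else None


def _registered(host):
    # Crude registered-domain approximation (last two labels); enough to compare
    # www.bankofamerica.com against login.example.net in this example.
    return ".".join(host.split(".")[-2:])


def masked_links(html):
    """Return (visible text, href) pairs whose shown domain differs from the real target."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = _host(text), _host(href)
        # Only compare when the visible text itself looks like a URL or domain;
        # a link labelled 'our help page' makes no claim about where it goes.
        if shown and real and _registered(shown) != _registered(real):
            flagged.append((text, href))
    return flagged


# Constructed sample: one masked link, one honest link with descriptive text.
SAMPLE = """<p>Update your certificate at
<a href="http://login.example.net/update">https://www.bankofamerica.com/update</a>
or read <a href="https://www.bankofamerica.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for text, href in masked_links(SAMPLE):
        print(f"masked link: shows {text!r} but goes to {href!r}")
```

A filter would typically quarantine or tag a message when `masked_links` returns anything; the check is deliberately limited to links whose text looks like a URL or domain, since that is the case where the reader is being told something false about the destination.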


E-discovery evidence can win or lose a case

September 14th, 2008

The Los Angeles Business Journal recently posted an interesting article about how today’s lawyers not only need to be experts in their field of law, but increasingly also need to be eDiscovery experts. More and more e-mails, instant messages and other electronically stored documents are being used as evidence in disputes ranging from corporate law to divorce procedures. This has resulted in the emergence of more lawyers and legal assistants specializing in the sifting through and extraction of electronic documents as legal evidence.

Today, e-discovery is a lot more complicated and critical to litigation. The 2006 Federal eDiscovery rules mandate that attorneys start an electronic discovery process early in litigation.  They also need to share the retrieval of these documents with opposing counsel.

Litigators have seen a definite transformation in the way cases are tried.  Where in the past, case evidence was limited to a contract, pieces of correspondence and possibly a few handwritten notes, today’s cases require advanced key word and phrase searching in order to uncover the critical evidence for a case.  The eDiscovery process has become so crucial that many litigators go as far as hiring specialized e-discovery professionals to retrieve the required information.

According to Michael Zweiback, a litigator in the Los Angeles office of Alston & Bird LLP, just hiring experts is not enough:  “You can hire experts, but sometimes experts are only as good as the questions that are asked,” Zweiback said. “And if you don’t know the right questions to ask, you are at a disadvantage”.

Since evidence is crucial to any case, it makes sense that the actual discovery of evidence is an extremely important factor in the outcome of a case, especially if that information is not readily available. Lawyers who are knowledgeable about e-discovery capabilities and can retrieve crucial electronic records as evidence are likely to have an edge in today’s litigation. Just keep that in mind the next time you hire a lawyer.


10 things you should be doing to protect your company against email risks

November 2nd, 2007

Last week we discussed the top 6 email risks that companies face. So what can we do to protect ourselves against these risks? Here are 10 things that you should be doing to protect your company:

#1: Write an email policy. If you do not already have one in place, the first thing you must do is to create an email policy. This is necessary to educate users but also to ensure that employees are aware that the company is monitoring their emails. This will protect your company against possible employee lawsuits regarding invasion of privacy. Have your users sign the email policy to confirm that they have read and understood the regulations. For more information on what to include in your email policy, go to the blog article Ten points to include in your email-policy.

#2: Train users; Regularly train users in applying the email policy. Help users send effective emails by informing them of best practices, explain that offensive jokes and remarks can be much more harmful than they seem, and stress that employees who witness abuse of the email system must report this to their supervisor. This will boost productivity and help avoid many of the email risks.

#3: Install anti-virus software. Even though nowadays almost all companies have virus software scanning files on the server and client machines, not all companies do the same for email. Be safe rather than sorry and scan all your incoming and outgoing emails for viruses too.

#4: Install a spam filter. There are many spam filters out there and most of them will do a good job at blocking spam. However, not all spam filters will allow your users to review their own spam mails, offer customization per user or allow for detailed message tracking.

#5: Content check emails; Even though you have educated your users, you cannot assume that all employees will adhere to the policy. Therefore you need to install software that can check all emails for inappropriate content. For internal mails this is to protect users from an unsafe work environment. For external mails this is to protect the reputation of your company and to avoid libel lawsuits. You must also check attachments and use word filtering to avoid confidential data leaving the company. For instance you can block external emails containing Social Security Numbers, credit card details or patient information.

#6: Add a disclaimer; In order to disclaim against company liability, ensure confidentiality and comply with regulatory rules you must add a disclaimer to all sent emails. Disclaimers must be added to internal mails as well as external mails. It is also a good idea to add a different disclaimer for internal mails to specifically address the unsafe work environment issue. For instance in your internal mails you can include a line saying ‘Employees are expressly prohibited to make offensive, disruptive or defamatory statements.’

#7: Compress attachments; by compressing attachments you can reduce the size of files by up to 95 percent. Needless to say this will save bandwidth and network storage.

#8: Limit personal emails; Personal emails not only cause loss of productivity, they can be the source of viruses and bandwidth hogging attachments. You might want to allow some personal use, but in your email policy you must stipulate in exact terms what is allowed and what is not.

#9: Archive emails; Many industries now face regulations that require them to archive emails for a number of years, including the health care, legal and financial industry. Fail to archive your emails and your company might face substantial fines. In addition, you need to be able to quickly search and access messages in case you need to retrieve emails on a court order.

#10: View reports on usage; Check how the email policy is being implemented by looking at email usage reports. Find out what attachments users are sending and their size. View reports on email policy violations and determine which rules are being violated and by which users. On the basis of this information you can adjust your email policy, tweak your email filtering software, or schedule further trainings to re-iterate certain email policy rules.


The top six corporate email risks

October 27th, 2007

We all know that email is a great business tool. It’s fast, cheap, universal and easy to deploy. However, companies that make use of email are confronted with a number of risks. So what are the email risks that companies face? Red Earth Software has identified the following top 6 email risks:

#1 Legal liability; In most cases the employer is held responsible for all the information transmitted on or from their systems. Consequently inappropriate emails sent on the company network can result in multi-million dollar penalties. In the last few years there have been several high profile lawsuits such as the case against a global oil company filed by four female employees. The employees alleged that sexually harassing emails sent through the company email system caused a threatening work environment. One of the sexually offensive messages was a sheet entitled ‘25 reasons why beer is better than women’. The company settled the case for no less than 2.2 million dollars.

#2 Regulatory compliance; this now affects many companies across several industries. New and existing regulations are forcing companies to keep a record of their emails and to protect their clients’ privacy. The Health Insurance Portability and Accountability Act requires health care institutions to keep a record of their email communications and secure confidentiality of information. In the new IRS regulation Circular 230, the IRS requires tax advisors to add an email disclaimer to any emails including tax advice, expressly stating that the opinion cannot be relied upon for penalty purposes. The U.S. Securities and Exchange Commission and Gramm-Leach-Bliley Act impose similar duties on financial institutions. Steep penalties can apply to those organizations that do not comply with their industry’s regulations. In a case lasting from 2000 until 2005, a well-known financial institution was recently forced to pay 20 million dollars in penalties by the Securities and Exchange Commission for not diligently searching for email back-up tapes and over-writing multiple back-up tapes.

#3 Lost productivity; Employees sending personal emails and sifting through spam mail can cause major loss of productivity. To give you an example, if each employee takes 5 seconds to view a spam mail, based on an average salary of 25 dollars per hour, this will cost the employer 3 cents per spam mail. If every employee received 25 spam mails per day, spam would cost a company with 100 users no less than 20,000 dollars per year. In addition to spam and personal emails, viruses can also lead to network downtime and lost productivity.

#4 Confidentiality breaches; Most confidentiality breaches occur from within the company. These breaches can be accidental, but they can also be intentional. Some years ago, a well-known software company filed a lawsuit against one of their former employees who had used the company’s email system to send out confidential information to their competitor, his new employer. The trade secrets included product design specifications, sales data and information regarding a prospective contract for which both companies were competing. The employee and competitor were both charged with trade secret theft.

#5 Damage to your company’s reputation; A badly written email, or an email containing unprofessional remarks, will cause the recipient to gain a bad impression of the company that the sender is representing. A UK law firm had to find this out the hard way when two of their employees originated the ‘Claire Swire’ email, a sexually explicit email that ended up being read by over 10 million people around the world. Especially since the company in question was a law firm, and the employees were attorneys, this email caused severe reputational damage.

#6 Increasing bandwidth and storage needs; Not only is the use of attachments growing, their size is increasing as well. According to the Radicati Group, attachments make up more than 85% of all email data. Large attachments use up bandwidth and storage space. Although the cost of storage space has decreased over the years, the larger the message store, the more management it requires and the longer it takes to restore messages after a mail server failure.

Next week we will be discussing what you can do to protect yourself against these email risks.


Email footers now required by EU

March 1st, 2007

A European Union Directive has recently come into effect requiring companies to add their company address, registration number and VAT number to all business emails or risk a fine. In the UK and Germany this law came into effect on January 1, 2007 but in other countries such as the Netherlands this law was already passed in 2006. More information on the new requirements for UK companies can be found at the following website: http://www.out-law.com/page-7594.

