#1: Write an email policy. If you do not already have one in place, the first thing you must do is to create an email policy. This is necessary to educate users but also to ensure that employees are aware that the company is monitoring their emails. This will protect your company against possible employee lawsuits regarding invasion of privacy. Have your users sign the email policy to confirm that they have read and understood the regulations. For more information on what to include in your Email policy, got to the blog article Ten points to include in your email-policy.

#2: Train users; Regularly train users in applying the email policy. Help users send effective emails by informing them of best practices, explain that offensive jokes and remarks can be much more harmful than they seem and stress that employees that witness abuse of the email system must report this to their supervisor. This will boost productivity and help avoid many of the email risks.

#3: Install anti-virus software. Even though nowadays almost all companies have virus software scanning files on the server and client machines, not all companies do the same for email. Be safe rather than sorry and scan all your incoming and outgoing emails for viruses too.

#4: Install a spam filter. There are many spam filters out there and most of them will do a good job at blocking spam. However, not all spam filters will allow your users to review their own spam mails, offer customization per user or allow for detailed message tracking.

#5: Content check emails; Even though you have educated your users, you cannot assume that all employees will adhere to the policy. Therefore you need to install software that can check all emails for inappropriate content. For internal mails this is to protect users from an unsafe work environment. For external mails this is to protect the reputation of your company and to avoid libel lawsuits. You must also check attachments and use word filtering to avoid confidential data leaving the company. For instance you can block external emails containing Social Security Numbers, credit card details or patient information.

#6: Add a disclaimer; In order to disclaim against company liability, ensure confidentiality and comply with regulatory rules you must add a disclaimer to all sent emails. Disclaimers must be added to internal mails as well as external mails. It is also a good idea to add a different disclaimer for internal mails to specifically address the unsafe work environment issue. For instance in your internal mails you can include a line saying ‘Employees are expressly prohibited to make offensive, disruptive or defamatory statements.’

#7: Compress attachments; by compressing attachments you can reduce the size of files by up to 95 percent. Needless to say this will save bandwidth and network storage.

#8: Limit personal emails; Personal emails not only cause loss of productivity, they can be the source of viruses and bandwidth hogging attachments. You might want to allow some personal use, but in your email policy you must stipulate in exact terms what is allowed and what is not.

#9: Archive emails; Many industries now face regulations that require them to archive emails for a number of years, including the health care, legal and financial industry. Fail to archive your emails and your company might face substantial fines. In addition, you need to be able to quickly search and access messages in case you need to retrieve emails on a court order.

#10: View reports on usage; Check how the email policy is being implemented by looking at email usage reports. Find out what attachments users are sending and their size. View reports on email policy violations and determine which rules are being violated and by which users. On the basis of this information you can adjust your email policy, tweak your email filtering software, or schedule further trainings to re-iterate certain email policy rules.

#1 Legal liability; In most cases the employer is held responsible for all the information transmitted on or from their systems. Consequently inappropriate emails sent on the company network can result in multi-million dollar penalties. In the last few years there have been several high profile lawsuits such as the case against a global oil company filed by four female employees. The employees alleged that sexually harassing emails sent through the company email system caused a threatening work environment. One of the sexually offensive messages was a sheet entitled ‘25 reasons why beer is better than women’. The company settled the case for no less than 2.2 million dollars.

#2 Regulatory compliancy; this now affects many companies across several industries. New and existing regulations are forcing companies to keep a record of their emails and to protect their client’s privacy. The Health Insurance Portability and Accountability Act requires health care institutions to keep a record of their email communications and secure confidentiality of information. In the new IRS regulation Circular 230, the IRS requires tax advisors to add an email disclaimer to any emails including tax advice, expressly stating that the opinion cannot be relied upon for penalty purposes. The U.S. Securities and Exchange Commission and Gramm-Leach-Bliley Act impose similar duties on financial institutions. Steep penalties can apply to those organizations that do not comply with their industry’s regulations. In a case lasting from 2000 until 2005, a well-known financial institution was recently forced to pay 20 million dollars in penalties by the Securities and Exchange Commission for not diligently searching for email back-up tapes and over-writing multiple back-up tapes.

#3 Lost productivity; Employees sending personal emails and sifting through spam mail can cause major loss of productivity. To give you an example, if each employee takes 5 seconds to view a spam mail, based on an average salary of 25 dollars per hour, this will cost the employer 3 cents per spam mail. If every employee received 25 spam mails per day, spam would cost a company with 100 users no less than 20,000 dollars per year. In addition to spam and personal emails, viruses can also lead to network downtime and lost productivity.

#4 Confidentiality breaches; Most confidentiality breaches occur from within the company. These breaches can be accidental, but they can also be intentional. Some years ago, a well-known software company filed a lawsuit against one of their former employees who had used the company’s email system to send out confidential information to their competitor, his new employer. The trade secrets included product design specifications, sales data and information regarding a prospective contract for which both companies were competing. The employee and competitor were both charged with trade secret theft.

#5 Damage to your company’s reputation; A badly written email, or an email containing unprofessional remarks will cause the recipient to gain a bad impression of the company that the sender is representing. A UK law firm had to find this out the hard way when two of their employees originated the ‘Claire Swire’ email, a sexually explicit email that ended up being read by over 10 million people around the world. Especially since the company in question was a law firm, and the employees were attorneys, this email caused severe damage of reputation.

#6 Increasing bandwidth and storage needs; Not only is the use of attachments growing, their size is increasing as well. According to the Radicati Group, attachments make up more than 85% of all email data. Large attachments use up bandwidth and storage space. Although the cost of storage space has decreased over the years, the larger the message store, the more management it requires and the longer it takes to restore messages after a mail server failure.

Next week we will be discussing what you can do to protect yourself against these email risks.

“It’’s been a case of a long goodbye as very little work has gone into maintaining ORDB for a while. Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.”

Whether you used their list or not, it is always sad to say goodbye to a good spam fighting effort.

If you were using ORDB.org to check for spam, it is highly advisable to disable the list in your spam filtering software.

Follow these 5 tips to show that your organization has taken reasonable care:

1. Develop a records retention policy. Much like an email policy, company management will need to get involved in deciding about which documents need to be retained and when they should be purged.
2. Provide staff training to explain to users why the retention policy is needed and how it should be put into practice. Include retention policy guidelines in your employment handbook.
3. Identify and classify the electronic records that you currently have on your systems. Determine whether these are accessible or inaccessible, and whether some of these records should be deleted. Keep this database up to date.
4. Create an action plan that will be followed if your company faces a court order, in order to immediately inform your employees not to delete certain documents.
5. Keep evidence of the above activities so that you can demonstrate to the court that you showed good faith.

The good news is that under the new rules, the court must now recognize that a company is not able to retain all records and will not be sanctioned if a document is deleted in good faith: “Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” This means that if you are not able to produce a particular document but can prove that you have implemented a retention system and that this document was deleted in good faith, you will probably not be sanctioned for this.

Further good news is that if a company can prove that producing certain electronic records would cause undue burden and costs, the court may decide that the documents will not need to be submitted: ‘A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden and cost’. Beware though, that the court may still decide that the documents must be produced if the requesting party shows good cause.

All in all, the changes are an incentive for companies to think about how they manage their electronic records and to put a formal retention program in place. Check back in a few days for several tips on how your company can show good faith to a federal court.

Here is a quick sum up of the Spamhaus litigation events:

June 21: e360Insight, a marketing firm based in Wheeling, IL, files suit against Spamhaus (a UK based organization run by volunteers) for erroneously listing e360 on its Register of Known Spam Operations, the ROKSO list. The plaintiff argues that they only send emails to recipients who have subscribed to their lists and have ‘opted-in’. Also, the plaintiff states that according to the Spamhaus website, to be listed on the ROKSO list a spammer should be terminated by at least 3 ISPs for Acceptable Usage Policy violations. e360Insight claims that they have not been blocked by even one ISP. Spamhaus at first defended the action but then withdrew its answer and has taken no further action to challenge Plaintiff’s allegations. Spamhaus claims that according to U.K. laws e360Insight are sending unsolicited emails and will therefore continue to include them on the ROKSO list. Spamhaus also states that a US court has no jurisdiction over an organization based in the UK.

September 13: Since Spamhaus failed to respond, the Court enters a default judgment against Spamhaus in the amount of $11.7 million.

October 5: e360 submits an order to suspend www.spamhaus.org since Spamhaus failed to comply with the court’s previous order. If signed, the order will call for ICANN and/or Tucows (Spamhaus’ Registrar) to take the Spamhaus website down.

October 9: ICANN makes a statement warning that they do not have the ability nor the authorization to suspend www.spamhaus.org.

#4. Message body contains remote image: In order to avoid spam messages from being blocked by word filters, spammers include an image in their message that cannot be filtered for words. In addition, upon opening the email message the image is downloaded from the spammer’s website. Since each message contains a unique ID, the spammer will know exactly which recipient has viewed the mail. This indicates which email addresses are ‘live’ and can be sent even more spam.

#3. Message contains only HTML body: HTML messages usually include a plain text version of the email so that recipients with email clients that cannot read HTML can still view the message in plain text. However, many spammers tend to send HTML messages without this plain text body part. This is done to save on size and to force recipients to read the HTML version which automatically opens an image and connects to a web site when the message is opened. Newsletters also tend to send messages without a plain text body part, so it is important to use a white list of allowed newsletters so as not to catch any false positives.

#2. Message contains many or only tags: Some spammers try to circumvent content filters by placing lots of HTML comment tags within the email body text. In this way, content filters will not recognize the spam words since they are separated by comment tags. The recipient however, will not see the comment tags since these are not displayed when viewing the message in HTML. Therefore it is important to use an email filter that can filter emails by removing HTML tags first.

#1. Recipient’s email address is not in the To: or Cc: fields: Red Earth Software found this to be the most commonly found characteristic in current spam messages. The reason for this is that the recipient’s email address is hidden in the Bcc: field or X-receiver field, along with a substantial number of other email addresses. Spammers do this in order to conceal the fact that the mail was sent to a large number of recipients, and presumably so as not to publish their email list. Some persons might add recipients to the Bcc: field for sending out ‘legitimate’ mailings, but these will tend to be of a more personal nature (which you might wish to block anyway) since most professional companies do not use this method for sending newsletters or mailings. Note however that if you do block emails without a local recipient in the To: or Cc: field, you will be blocking all bcc: messages.

Bottom line: Many spam filters check for the existence of these characteristics (and more) and use these to determine whether the message should be identified as spam. Some characteristics are strong indicators that a message is spam, others really cannot be taken into account at all since they can also exist in legitimate emails. A system checking for spam characteristics can be very effective, but must make use of a sophisticated scoring system in able to flag spam correctly, applying a different weight for each characteristic.

I have numbered each spam characteristic according to the frequency in which it is found in today’s spam mails, where #1 is the spam characteristic that Red Earth Software found to be most common. Today I am posting #10 through #6. Keep a look out for the top 5 coming soon in this blog.

#10. Illegal HTML exists: Some spam messages include a code for identification in the text of the message. The text is entered outside the HTML tags so as to hide the code from the recipient. There is no legitimate reason to add text outside HTML tags, so the mere presence of illegal HTML can be treated as suspicious.

#9. Message body contains small font size: In order to circumvent Bayesian filters and filters that block messages with only images, spammers enter ‘normal’ text at the bottom of the message in order to appear legitimate. Some spammers include this text in small font size.

#8. Message subject contains email address or recipient name: Either the complete email address or part of the email address (the part before the domain) is added to the subject in order to personalize the message and trick the recipient into thinking that it is a legitimate message. For legitimate mails there is no reason to enter the recipient’s email address in the subject, so the presence of this is a pretty sure sign of spam.

#7. Message body is base64 encoded: Spammers use base64 to encode the message headers and body so that spam filters are not able to read the content and perform any filtering. Most email clients will decode the message so that the message can still be read by the recipient.

#6. Sender address contains number or character sequence: Spammers use automated programs to register thousands of email addresses. Since they are generated in bulk, they often include number or character sequences such as FRfJIrqOpV@hotmail.com or bob36189624@gmail.com. At first spammers used number sequences but when most spam filters started to block these types of addresses they changed to using character sequences which are harder to detect.