How to Configure an Email Disclaimer in Microsoft Exchange Server 2007
Oct 1st
Microsoft Exchange Server 2007 includes the ability to add email disclaimers to your internal and external emails by making use of Transport Rules. In this article we will show you how you can configure an email disclaimer in Exchange Server 2007 and the various options that are available, including disclaimer formatting, positioning and avoiding multiple disclaimers. To configure an email disclaimer, follow the next steps:
- In the Exchange Management Console, go to Organization Configuration > Hub Transport.
- In the right-hand pane, select New Transport Rule.
- Enter a name and description for the rule. Leave the checkbox Enable Rule enabled. Click Next.
- In Conditions, you can select a number of options. For instance you can configure the disclaimer to only be added if the email is addressed to or from certain people or groups, when a word is present in the subject or body of the email, when the header contains certain words, when the message is marked with a classification or importance, or when an attachment file name or size is detected. In this example we will apply the disclaimer to all messages sent externally to the organization. To do this we will select the option ‘sent to users inside or outside the organization’.
- Now click on the ‘Inside’ link in the rule description. Select Outside and click OK. Click Next.
- You will now be able to specify the action that must be taken for any email that meets the selected conditions. There are several options such as adding text to the subject, sending a blind copy, removing/adding a header, redirecting the message to another address and setting a spam confidence level. Since we are creating a rule to add disclaimers, we will select the option ‘append disclaimer text using font, size, color, with separator and fallback to action if unable to apply’.
- Click on the ‘disclaimer text’ link. A dialog will appear allowing you to enter your email disclaimer text. Enter the disclaimer text and click OK.
- By default the disclaimer will be added in Arial, smallest font, gray color with a separator and fall back to wrap if unable to apply. Follow the next steps to change any of these default settings:
- To change the font type, click on the ’Arial’ link. From a drop down box you will be able to select Courier New or Verdana, instead of Arial.
- To change the font size, click on the ‘smallest’ link. You will be able to choose from smallest, smaller, Normal, larger, largest.
- If you wish to change the color, click on the ‘Gray’ link. You will be able to choose from a number of colors in the drop down list.
- If you do not wish to have a separator (this is a line separating the disclaimer from your message text), click on the ‘with separator’ link and select ‘without separator‘ from the drop-down list.
- Click on the ‘wrap’ link to select from one of three Fallback actions: wrap, ignore, reject. This option tells Exchange Server what to do if for some reason an email disclaimer cannot be added, for instance if the message is encrypted or digitally signed. If you select wrap, Exchange Server will create a new email message with the disclaimer in the body and the original email as an attachment. If you select ignore, Exchange Server will let the message through without a disclaimer. If you select reject, the message will not be delivered and an NDR will be sent to the sender.
When you are ready entering the disclaimer options, click Next.
- You will now be able to enter exceptions to the rule. If the email message meets any of the selected exceptions, the email disclaimer will not be added. For instance an exception can be used to avoid multiple disclaimers being added to the same message. This can be done by selecting the option except when the text specific words appears in the subject or the body of the message.
- Click on the ‘specific words’ link. Now enter a part of the disclaimer that is unique to your disclaimer. To make sure you do not enter text that could also be part of someone else’s disclaimer, it is recommended to enter text that includes your company name. Click OK. You can also select other exceptions such as certain senders or recipients, or when certain words are found in the subject or header. When you are ready configuring exceptions, click Next.
- Read the rule description. If everything looks good, click New. The rule will now be created. Click Finish. Your rule will now be listed under the Transport Rules tab.
As you can see, email disclaimers are easy to configure in Exchange 2007. Although there are quite a few available options, it is possible that the offered email disclaimer/signature functionality might not meet your needs entirely. We have listed some features below that are available in third party email disclaimer applications:
See disclaimers and signatures in the Sent Items of Outlook: Exchange Server does not show the email disclaimer or email signature in the Sent Items of Outlook. This means that the sender does not obtain proof that the disclaimer was added, the sender cannot see the actual message that was sent, and the email archive will not include the disclaimer text. Some third party applications do show email disclaimers in the Sent Items in Outlook, however most of them require client software to be installed or still allow users to edit or remove the disclaimer or signature. Using a server based email disclaimers application that shows disclaimers in Sent Items without allowing users to modify or remove the disclaimer is preferable.
Active Directory Merge fields: In order to create a global corporate email signature that is automatically personalized for each sender, some third party email disclaimer applications make use of Active Directory merge fields. These merge fields can be used in the disclaimer or email signature template. When an email is sent, the fields will automatically be replaced with the sender’s Active Directory properties, such as name, phone number and email address.
Message fields: Exchange Server 2007 does not allow you to use message fields which are retrieved from the email message, such as recipient name and date. It can be useful to include the actual recipient name in the disclaimer as follows: This email is only intended for [recipient name]. It can also be useful to ‘date stamp’ the disclaimer, indicating when it was added to the message.
Include logo or picture in your disclaimer/signature: Exchange Server 2007 does not allow you to include a logo or picture in your disclaimer or email signature. A number of third party disclaimer applications allow you to embed an image within your email disclaimer/signature.
Custom disclaimer positioning: Some third party applications can place the email disclaimer or signature after the most recent message text, not only at the end or beginning of the email. This is especially desirable if you are using email signatures and if you want to recipient to actually ‘see’ the disclaimer.
HTML formatting and inline CSS styles: Exchange Server 2007 only allows you to add formatted text to an email. It offers a limited set of font colors and sizes and does not allow you to use css styles or html tables, and other formatting options. Third party applications allow you to edit the disclaimer or signature straight from HTML, offering many more formatting options.
Add different signature on first emails: Should you wish to add a longer signature on the first email (with for instance the corporate mailing address and company logo), and then a shorter signature with only the person’s phone number and email address, this is also possible by using third party email disclaimer software.
Why worry about image spam if you have greylisting?
Sep 21st
MessageLabs recently reported an image spam déjà vu with image spam reaching a new peak in May 2009, and warned that users with outdated spam filters might be the victim of this new wave. Image spam is where spammers place their spam message in an embedded image within the email, therefore bypassing filtering solutions based on Bayesian filtering and heuristic filtering because the email does not contain any text to scan. Image spam first appeared in 2006 and enjoyed considerable success. Anti-spam vendors quickly created new techniques to block this kind of spam, including optical character recognition (OCR) scanning of the text in the image. The effectiveness of this was short-lived since spammers started to obfuscate their images by adding background noise and blurred text, therefore rendering OCR scanning useless. Spammers also easily defeated anti-spam solutions that relied on a database of known spam images by slightly adjusting the image in each spam mail. According to the MessageLabs report, we are now seeing a new type of image spam where the image is not embedded within the image but contains a link to a remote image on a website. It further warns that ‘it is notoriously difficult for traditional anti-spam techniques to safeguard against this type of image spam’.
Should we be worried by this new image spam? The answer is: no, not at all. That is, if you are using a spam filter that uses greylisting. You will not even have to continually upgrade your system to ward off the latest spammer invention; greylisting will continue to happily block tried and tested spam methods as well as new, nifty spamming ways. Instead of trying to analyze each different type of spam message and heavily interpret images using resource-intensive OCR methods, anti-spam filters must deploy more universal methods that deal with any type of spam, whether that is ‘normal’ spam, image spam, pdf spam or Excel attachment spam. Greylisting is a universal approach that can block any type of spam (and even viruses), and is very difficult for spammers to circumvent.
So what is greylisting? Greylisting blocks spam and viruses by temporarily rejecting initial emails from new (non white-listed) senders for one minute. Legitimate emails will still get through, but spam messages will not. This is because unlike spam engines and zombie machines, regular mail servers resend their messages upon initial rejection. Spammers simply cannot afford to resend their messages. If they would do this, it would take much longer to send out their spam. The longer it takes to send out spam, the higher the chance is that their domain is added to a blacklist, effectively blocking all their spam from that point onwards. This is also why it is highly unlikely that spammers will start resending their mails to bypass greylisting ; There simply is not enough time to resend emails before the spammer is blacklisted.
Granted, greylisting does have its disadvantages; emails from new senders are slightly delayed (usually not more than a couple of minutes, but it does depend on how long your greylisting system waits until it accepts a resend), and in rare instances the initial rejection can trigger a delayed message to the recipient, making the recipient think that the message was not delivered. The recipient will then usually resend the message, with the result that you might receive two identical messages. Since this only happens very occasionally it really does seem to be a small price to pay for a clean inbox. For more information on greylisting: http://www.greylisting.org/.
Phishing scams getting more and more sophisticated
Jun 3rd
Phishing scams have been around for some time. Consumers have been warned numerous times not to click on links in emails and give out personal information or passwords. But what if the phishing email really looks genuine, without the usual telltale signs? In the last few days, a number of Bank of America phishing scams have been circulating that seem to be getting more and more sophisticated.
One of the emails includes the following message: “The Digital Certificate for your Bank of America Direct online account has expired. You need to update the certificate using Bank of America Direct Digital Certificate Updating Procedure”. These emails have the same look and feel as legitimate Bank of America notification emails, and the link shown in the email seems to go to bankofamerica.com. In fact when you do a ‘View Source’ the link goes to an entirely different domain, but the masked link will be enough to fool non tech-savvy consumers. The email is not full of the usual obvious spelling and grammar mistakes (although the grammar is not quite correct). Another smart trick is that the phishers are spoofing the sender address that is used for legitimate Bank of America alerts. This allows them to bypass any spam filters that have this email address in the white list.
The link in the email, if clicked on (Readers: please do not click on the link!), will take you to a website where you will be asked to log on with your digital certificate. The phishing website is so sophisticated that it will then actually check with Verisign if your digital certificate is valid. If it is not valid, it will not store your information, but it will still infect your computer with a virus. If it is valid, they will record your digital certificate and more nasty stuff will await you. The following article by Gary Warner from his CyberCrime & Doing Time blog includes more details on this latest Bank of America phishing scam: http://garwarner.blogspot.com/2009/06/bank-of-america-digital-certificates.html.
E-discovery evidence can win or lose a case
Sep 14th
The Los Angeles Business Journal recently posted an interesting article about how today’s lawyers not only need to be experts in their field of law, but increasingly also need to be eDiscovery experts. More and more e-mails, instant messages and other electronically stored documents are being used as evidence in disputes ranging from corporate law to divorce procedures. This has resulted in the emergence of more lawyers and legal assistants specializing in the sifting through and extraction of electronic documents as legal evidence.
Today, e-discovery is a lot more complicated and critical to litigation. The 2006 Federal eDiscovery rules mandate that attorneys start an electronic discovery process early in litigation. They also need to share the retrieval of these documents with opposing counsel.
Litigators have seen a definite transformation in the way cases are tried. Where in the past, case evidence was limited to a contract, pieces of correspondence and possibly a few handwritten notes, today’s cases require advanced key word and phrase searching in order to uncover the critical evidence for a case. The eDiscovery process has become so crucial that many litigators go as far as hiring specialized e-discovery professionals to retrieve the required information.
According to Michael Zweiback, a litigator in the Los Angeles office of Alston & Bird LLP, just hiring experts is not enough: “You can hire experts, but sometimes experts are only as good as the questions that are asked,” Zweiback said. “And if you don’t know the right questions to ask, you are at a disadvantage”.
Since evidence is crucial to any case, it makes sense that the actual discovery of evidence is an extremely important factor in the outcome of a case, especially if that information is not readily available. Lawyers who are knowledgeable about e-discovery capabilities and can retrieve crucial electronic records as evidence are likely to have an edge in today’s litigation. Just keep that in mind the next time you hire a lawyer..
10 things you should be doing to protect your company against email risks
Nov 2nd
Last week we discussed the top 6 email risks that companies face. So what can we do to protect ourselves against these risks? Here are 10 things that you should be doing to protect your company:
#1: Write an email policy. If you do not already have one in place, the first thing you must do is to create an email policy. This is necessary to educate users but also to ensure that employees are aware that the company is monitoring their emails. This will protect your company against possible employee lawsuits regarding invasion of privacy. Have your users sign the email policy to confirm that they have read and understood the regulations. For more information on what to include in your Email policy, got to the blog article Ten points to include in your email-policy.
#2: Train users; Regularly train users in applying the email policy. Help users send effective emails by informing them of best practices, explain that offensive jokes and remarks can be much more harmful than they seem and stress that employees that witness abuse of the email system must report this to their supervisor. This will boost productivity and help avoid many of the email risks.
#3: Install anti-virus software. Even though nowadays almost all companies have virus software scanning files on the server and client machines, not all companies do the same for email. Be safe rather than sorry and scan all your incoming and outgoing emails for viruses too.
#4: Install a spam filter. There are many spam filters out there and most of them will do a good job at blocking spam. However, not all spam filters will allow your users to review their own spam mails, offer customization per user or allow for detailed message tracking.
#5: Content check emails; Even though you have educated your users, you cannot assume that all employees will adhere to the policy. Therefore you need to install software that can check all emails for inappropriate content. For internal mails this is to protect users from an unsafe work environment. For external mails this is to protect the reputation of your company and to avoid libel lawsuits. You must also check attachments and use word filtering to avoid confidential data leaving the company. For instance you can block external emails containing Social Security Numbers, credit card details or patient information.
#6: Add a disclaimer; In order to disclaim against company liability, ensure confidentiality and comply with regulatory rules you must add a disclaimer to all sent emails. Disclaimers must be added to internal mails as well as external mails. It is also a good idea to add a different disclaimer for internal mails to specifically address the unsafe work environment issue. For instance in your internal mails you can include a line saying ‘Employees are expressly prohibited to make offensive, disruptive or defamatory statements.’
#7: Compress attachments; by compressing attachments you can reduce the size of files by up to 95 percent. Needless to say this will save bandwidth and network storage.
#8: Limit personal emails; Personal emails not only cause loss of productivity, they can be the source of viruses and bandwidth hogging attachments. You might want to allow some personal use, but in your email policy you must stipulate in exact terms what is allowed and what is not.
#9: Archive emails; Many industries now face regulations that require them to archive emails for a number of years, including the health care, legal and financial industry. Fail to archive your emails and your company might face substantial fines. In addition, you need to be able to quickly search and access messages in case you need to retrieve emails on a court order.
#10: View reports on usage; Check how the email policy is being implemented by looking at email usage reports. Find out what attachments users are sending and their size. View reports on email policy violations and determine which rules are being violated and by which users. On the basis of this information you can adjust your email policy, tweak your email filtering software, or schedule further trainings to re-iterate certain email policy rules.
The top six corporate email risks
Oct 27th
We all know that email is a great business tool. It’s fast, cheap, universal and easy to deploy. However, companies that make use of email are confronted with a number of risks. So what are the email risks that companies face? Red Earth Software has identified the following top 6 email risks:
#1 Legal liability; In most cases the employer is held responsible for all the information transmitted on or from their systems. Consequently inappropriate emails sent on the company network can result in multi-million dollar penalties. In the last few years there have been several high profile lawsuits such as the case against a global oil company filed by four female employees. The employees alleged that sexually harassing emails sent through the company email system caused a threatening work environment. One of the sexually offensive messages was a sheet entitled ’25 reasons why beer is better than women’. The company settled the case for no less than 2.2 million dollars.
#2 Regulatory compliancy; this now affects many companies across several industries. New and existing regulations are forcing companies to keep a record of their emails and to protect their client’s privacy. The Health Insurance Portability and Accountability Act requires health care institutions to keep a record of their email communications and secure confidentiality of information. In the new IRS regulation Circular 230, the IRS requires tax advisors to add an email disclaimer to any emails including tax advice, expressly stating that the opinion cannot be relied upon for penalty purposes. The U.S. Securities and Exchange Commission and Gramm-Leach-Bliley Act impose similar duties on financial institutions. Steep penalties can apply to those organizations that do not comply with their industry’s regulations. In a case lasting from 2000 until 2005, a well-known financial institution was recently forced to pay 20 million dollars in penalties by the Securities and Exchange Commission for not diligently searching for email back-up tapes and over-writing multiple back-up tapes.
#3 Lost productivity; Employees sending personal emails and sifting through spam mail can cause major loss of productivity. To give you an example, if each employee takes 5 seconds to view a spam mail, based on an average salary of 25 dollars per hour, this will cost the employer 3 cents per spam mail. If every employee received 25 spam mails per day, spam would cost a company with 100 users no less than 20,000 dollars per year. In addition to spam and personal emails, viruses can also lead to network downtime and lost productivity.
#4 Confidentiality breaches; Most confidentiality breaches occur from within the company. These breaches can be accidental, but they can also be intentional. Some years ago, a well-known software company filed a lawsuit against one of their former employees who had used the company’s email system to send out confidential information to their competitor, his new employer. The trade secrets included product design specifications, sales data and information regarding a prospective contract for which both companies were competing. The employee and competitor were both charged with trade secret theft.
#5 Damage to your company’s reputation; A badly written email, or an email containing unprofessional remarks will cause the recipient to gain a bad impression of the company that the sender is representing. A UK law firm had to find this out the hard way when two of their employees originated the ‘Claire Swire’ email, a sexually explicit email that ended up being read by over 10 million people around the world. Especially since the company in question was a law firm, and the employees were attorneys, this email caused severe damage of reputation.
#6 Increasing bandwidth and storage needs; Not only is the use of attachments growing, their size is increasing as well. According to the Radicati Group, attachments make up more than 85% of all email data. Large attachments use up bandwidth and storage space. Although the cost of storage space has decreased over the years, the larger the message store, the more management it requires and the longer it takes to restore messages after a mail server failure.
Next week we will be discussing what you can do to protect yourself against these email risks.
Email footers now required by EU
Mar 1st
A European Union Directive has recently come into effect requiring companies to add their company address, registration number and VAT number to all business emails or risk a fine. In the UK and Germany this law came into effect on January 1, 2007 but in other countries such as the Netherlands this law was already passed in 2006. More information on the new requirements for UK companies can be found at the following website: http://www.out-law.com/page-7594.
ORDB offline
Jan 15th
In case you have not yet heard; the open relay database ”ordb.org” is now officially offline. For five and a half years the ORDB volunteers maintained a comprehensive list of known open relays. ORDB.org posted the following notice on their website that is now no longer:
“It”s been a case of a long goodbye as very little work has gone into maintaining ORDB for a while. Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.”
Whether you used their list or not, it is always sad to say goodbye to a good spam fighting effort.
If you were using ORDB.org to check for spam, it is highly advisable to disable the list in your spam filtering software.
5 tips to comply with new ediscovery rules
Dec 11th
The new electronic discovery rules are good news for prepared companies. If your company can demonstrate that you have taken reasonable care in creating guidelines as to what information needs to be retained and what should be purged, this will help in a court order since you can prove that your organization has taken electronic record retention seriously and that there are no ‘irregular’ deletions of specific documents or emails.
Follow these 5 tips to show that your organization has taken reasonable care:
1. Develop a records retention policy. Much like an email policy, company management will need to get involved in deciding about which documents need to be retained and when they should be purged.
2. Provide staff training to explain to users why the retention policy is needed and how it should be put into practice. Include retention policy guidelines in your employment handbook.
3. Identify and classify the electronic records that you currently have on your systems. Determine whether these are accessible or inaccessible, and whether some of these records should be deleted. Keep this database up to date.
4. Create an action plan that will be followed if your company faces a court order, in order to immediately inform your employees not to delete certain documents.
5. Keep evidence of the above activities so that you can demonstrate to the court that you showed good faith.
The new e-discovery rules – what they mean for your company
Nov 30th
On December 1 the new electronic discovery rules take effect in Federal court. The new rules now obligate companies to address e-discovery issues within 30 days after a lawsuit is filed. Under the old rules, companies could just wait for a discovery request, which could take up to a year after the initial filing of the lawsuit. The new rules mean that all companies, large and small, must pull their socks up and get serious about managing their electronic records.
The good news is that under the new rules, the court must now recognize that a company is not able to retain all records and will not be sanctioned if a document is deleted in good faith: “Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” This means that if you are not able to produce a particular document but can prove that you have implemented a retention system and that this document was deleted in good faith, you will probably not be sanctioned for this.
Further good news is that if a company can prove that producing certain electronic records would cause undue burden and costs, the court may decide that the documents will not need to be submitted: ‘A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden and cost’. Beware though, that the court may still decide that the documents must be produced if the requesting party shows good cause.
All in all, the changes are an incentive for companies to think about how they manage their electronic records and to put a formal retention program in place. Check back in a few days for several tips on how your company can show good faith to a federal court.