
The organizational e-mail
An overview of the dangers, vulnerabilities, and questions created by e-mail communication in organizations.

By
Steven Pugh


Table of Contents

Organizational & Technical Management Responsibilities. Employee Responsibilities. What to do?

Bibliography.



By International Data Corp estimates, 90 million US workers send 1.1 billion business related e-mail messages per day, an average of 12 messages per worker. By the year 2000 they estimate 130 million workers sending 2.8 billion e-mails, an average of 22 messages per worker. Clearly, e-mail, along with the telephone and voice mail, has become one of the indispensable tools of organizational communication. With that many messages flying around, there are bound to be problems.

For the remainder of this paper, "e-mail message" refers to both the text in the e-mail message body and any file attachments that may contain text and visual images.

Organizational & Technical Management Responsibilities:

E-mail policies.

Policies may bring to mind a vision of communist drones spewing out the latest dictates of the party overlords, but in the organizational e-mail world they can serve as a shield against a far more heartless enemy: lawyers determined to bury you. Melodramatic, yes, but a good policy on the organization's expectations and what it will not tolerate in the use of its e-mail system is crucial to avoid any future misunderstandings that could result in legal action. The policy informs the employees what the organization expects regarding e-mail use and what it considers abuse. Policies should be easy to understand yet comprehensive enough to cover most if not all issues. The following list is an example of what an e-mail policy should contain and why those clauses are important.

Ownership clause: It should be clear to the employee that the organization providing the e-mail account does so for the employee to conduct business related communications. The organization owns all messages and attachments sent from and received by that account. The organization also owns the e-mail address itself, which is usually based on the employee's name and organization's domain name. It should reserve the right to keep that address functional for both internal and external communications after the employee has terminated. This clause is to ensure that the final ownership of the e-mail mailbox, contents, and address is clearly defined as belonging to the organization. Ownership, like real estate, determines access, use, and the standards of behavior for an e-mail account. Ownership comes with responsibility and liability.

Inappropriate use clause: This clause should make it clear what the organization considers an inappropriate use of its e-mail system. Most policies should include warnings against sending messages containing any kind of pornographic, racial, religious, age biased, gender based, or ethnic jokes, comments, or derogatory slurs in either written or visual form. They also include messages that could be considered libelous, disruptive, or harassing. The organization must clarify if it will allow the employee to use this account for any personal messages, and if so, that the personal use must not interfere with the employee's work. The organization should also make it understood that any e-mails sent to any other organization represent their organization. The organization should state how it wants proprietary or sensitive information transmitted over e-mail. One company the author worked for considered sending a global e-mail to be an inappropriate use of the e-mail system.

Privacy clause: The policy should state that an employee should have no expectation of privacy regarding any e-mail sent or received on the organization's e-mail system. The question is to what extent the organization is going to allow access to an employee's e-mail account. Who has access, when do they have access, and what are they allowed to do? Are they going to allow access by a direct supervisor or just senior management? What about the other employees or contractors that maintain the system and repair it; what access do they, or will they, have? Does the employee have a right to be notified if their e-mail account is accessed? When it is determined who has access, will they be allowed to just read the messages? Delete or resend them? Post them company wide? This clause warns the employee that any e-mail they send or receive can be accessed by whomever the organization grants the right to. The employee should also know that in the case of criminal or civil investigation the e-mail messages could be handed over to one or more third parties. For governmental organizations, this may mean the general public, the media, or an opposition campaign!

Backups clause: The organization should mention in the policy that e-mail messages are routinely backed up, and all policies regarding e-mail also apply to the e-mail files on the backup media.

Punishments and enforcement clause: The organization should state what punishments are possible for violations of the e-mail policy. The policy should contain information on who will be enforcing the policy and how they will accomplish it. Is it the administrator of the e-mail system's job to monitor it for misuse? Is an employee who saw or read something in violation of the policy required to report it? Should there be routine scans of the messages to monitor them for inappropriate content? The policy, at least, should provide a method for employees to report e-mail abuse they receive from another employee or outside party.

As the preceding shows, there is a lot to be considered in formulating an e-mail policy for any organization. One must consider the current work environment, e-mail system capability, who will enforce the policies and how, and weigh the litigation risks of extensively monitoring messages (a proactive policy) or only taking action when a report of abuse is made (a reactive policy).

Protecting E-mail Messages externally.

Did you ever wonder how data, including e-mail messages, travels from one place to another on the Internet? There is a command in Windows 9.x and NT called tracert (the TCP/IP protocol must be installed; the Unix command is called traceroute). This command can show you the route that data takes from your machine to another over the Internet (it may not work in all configurations). The data path may change due to the awesome dynamic routing capabilities of the Internet. The following is an example of the possible path an e-mail message may take when sent from the author to the instructor of this class.

Tracing route to relay2.avid.com [198.51.119.12] over a maximum of 30 hops:
Hop # Router Name and IP address
1 fxtc1-b.std.com [199.172.62.217]
2 Boston-STD-F.std.com [199.172.62.80]
3 Loopback0.GW5.BOS1.ALTER.NET [137.39.4.111]
4 153.ATM3-0.XR2.BOS1.ALTER.NET [146.188.179.246]
5 190.ATM8-0-0.BR1.BOS1.ALTER.NET [146.188.177.5]
6 137.39.23.90
7 p11-0-0.boston1-br1.bbnplanet.net [4.0.2.249]
8 p2-0.cambridge1-nbr2.bbnplanet.net [4.0.3.54]
9 p3-0.cambridge1-nbr1.bbnplanet.net [4.0.5.17]
10 p0-0-0.cambridge1-cr20.bbnplanet.net [4.0.1.154]
11 s0.avid2.bbnplanet.net [4.1.135.26]
12 to 30 Request timed out.
Requests 12 to 30 were most likely quenched by the routers' blocking of ICMP datagrams.

So, a message may appear to get from one place to another almost instantaneously, but it does travel over all these networks. If someone were to have a packet sniffer (a device that can read and record packet traffic sent over a network) they could see my packets and intercept my message. Once they intercept the message they are capable of viewing, modifying, or deleting the message and then resending it to the recipient without any knowledge on either of our parts that the message was intercepted! On a higher level, messages sent from an entire server can be re-routed to another machine to be viewed, modified, or deleted, then resent to the original destination. This technique is called DNS spoofing; it requires more work and an actual attack against the e-mail server or the DNS server of the e-mail server. Of course the payoff is greater: lots of messages intercepted rather than just one. How can these types of attacks be defended against?

There are at least two ways to defend against these attacks: server side signatures and encryption, and direct connections. The downside of these techniques is that they require both the sender and recipient to cooperate on a common method to ensure protection, and both e-mail systems must support the method. Then, protection is enabled for message delivery between these two organizations. It does not mean that messages sent to anyone else are protected!

Direct connections are simply a message conduit between the parties that does not travel over the Internet. It could be a dial-up link between the two or the more expensive WAN connection. Both e-mail systems must be configured to use the new connection instead of the Internet to ensure protection. Direct connection can be the more expensive of the two options, depending on the choices made, but it can ensure that the security of messages sent between two organizations is not violated by a third party, and the connection may be used for other purposes. It should be noted that this connection should be guarded to prevent someone from the other organization attacking your organization through the link.

Server side signatures and encryption are more complicated. They require both parties to get a server certificate from a common certificate authority and install the certificates on their e-mail servers, then install the other's public keys on their server. When a message is sent, the e-mail server digitally signs and encrypts the message for that certain organization before it is sent out over the Internet. The receiving organization's e-mail server checks the signature against the previously installed public key to ensure that the message has not been tampered with. If the message checks out, it is then decrypted and sent to the recipient. This scenario provides the maximum protection possible using this technique. Needless to say, this can consume significant resources on the servers; message encryption and decryption is especially CPU intensive due to the math involved. There are also options of just digitally signing the messages to detect tampering (the message may still be read or copied), or just encrypting the messages to prevent possible unauthorized reading (the message may still be tampered with).
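The three options in the preceding paragraph, compared in a short Python sketch that is an added example and not part of the original paper. It assumes stand-ins so that only the standard library is needed: a shared-key HMAC replaces the certificate-based signature and a SHA-256 keystream XOR replaces the real cipher; all keys and function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo keys. In the scheme the paper describes these would be the
# certificate key pairs installed on the two mail servers.
SIGN_KEY = b"constructed-signing-key"
ENC_KEY = b"constructed-encryption-key"
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (toy cipher, demo only)."""
    out = bytearray()
    for start in range(0, len(data), 32):
        pad = hashlib.sha256(key + start.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[start:start + 32], pad))
    return bytes(out)


def gateway_send(body: bytes, sign: bool, encrypt: bool) -> bytes:
    """Outbound mail server: optionally sign, then optionally encrypt."""
    wire = body
    if sign:
        wire = hmac.new(SIGN_KEY, body, hashlib.sha256).digest() + body
    if encrypt:
        wire = _keystream_xor(ENC_KEY, wire)
    return wire


def gateway_receive(wire: bytes, sign: bool, encrypt: bool) -> bytes:
    """Inbound mail server: decrypt, then verify; raise if the check fails."""
    data = _keystream_xor(ENC_KEY, wire) if encrypt else wire
    if not sign:
        return data  # nothing to check: whatever arrived is delivered
    tag, body = data[:TAG_LEN], data[TAG_LEN:]
    expected = hmac.new(SIGN_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature check failed: message altered in transit")
    return body


def alter_in_transit(wire: bytes) -> bytes:
    """Simulate a change somewhere on the path by flipping one bit."""
    changed = bytearray(wire)
    changed[-1] ^= 0x01
    return bytes(changed)


def compare_modes(body: bytes) -> dict:
    """Per option: (body readable on the wire, alteration caught on receipt)."""
    results = {}
    for name, sign, encrypt in [("sign+encrypt", True, True),
                                ("sign only", True, False),
                                ("encrypt only", False, True)]:
        wire = gateway_send(body, sign, encrypt)
        readable = body in wire
        try:
            gateway_receive(alter_in_transit(wire), sign, encrypt)
            caught = False
        except ValueError:
            caught = True
        results[name] = (readable, caught)
    return results
```

Only the combined mode both hides the body on the wire and rejects the altered copy; the encrypt-only mode delivers the changed message without complaint.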

Both direct connections and server side signatures and encryption have the benefit of ensuring that management's decisions on how to protect e-mail messages are made on an organizational level, not on an employee level. Both techniques, once set up and running, are fairly autonomous and happen without the employee's knowledge or input. Employees must be informed of what they may or may not be allowed to send over these secure links, how it relates to the e-mail policy, and when the information is not secure.

Keep the bad stuff from getting in or out.

One factor that has taken on huge importance recently is putting a shield in place that guards your organization's e-mail system from becoming a carrier or transmitter of viruses, Trojan horses, and worms that infect your computers, or anyone else's computers. Most PC based e-mail systems have anti-virus software, or add-ins, that will inspect all messages going in and out and block any infected messages before they cause any harm. They can also notify the sender, receiver, and administrator that an infected message was detected. The anti-virus software must be closely monitored and updated frequently, but the old adage is true, "an ounce of prevention is worth a pound of cure".

Protecting E-mail Messages internally.

Problem: the president of your organization has just received an e-mail from you telling him what a complete bone-headed loser he is. While standing in the unemployment line, you think to yourself that even in your worst drunken rage you would never send an e-mail telling him that, and you ask yourself, how did he get it? There are a number of possibilities. Someone could have snuck into your office while you were on a break and sent him that e-mail from your machine while it was turned on, logged in, and the e-mail client software running. You were dumb enough to give someone your username and password and they accessed your e-mail account and sent the message. You were really nasty to the e-mail administrator and they took over your account and sent the message.

All these possibilities point to the problem of securing the e-mail system against various threats. The first possibility can be guarded against by setting all machines with individual screen saver passwords, or requiring people to disconnect from the network when they are not within visual range of the machine they're logged into. Some network systems disconnect people automatically if they haven't had any activity for a certain length of time, although most newer e-mail packages will simply queue messages if they aren't logged into the e-mail system. All of these solutions are a hindrance to computer service personnel. Unless someone saw the offender sending the message, proving who did it may be impossible. The second possibility is simple to defend against in theory: users should never give out usernames and passwords, but it still happens. The best an organization can do is forbid employees from giving passwords out, require unique passwords, and force password changes after a certain length of time (this is difficult to do in heterogeneous environments). Proving responsibility is hard but not impossible. If the server log files show you logged in at a time, and you can prove you were gone, then you know someone logged in as you, but if your whole department knows your password, narrowing down who did it may be impossible. Depending on the network, the offender may be tracked to the computer they logged into as you. Most networks are capable of limiting how many simultaneous logins a user is allowed and where they can log in from, preventing a possible attack while you are at work. The third possibility is a nightmare because the offender may be the one investigating how the message was sent. Depending on the e-mail server, log files may exist of the takeover, but who controls the log files? Usually the administrator does. Who investigates the investigator? 
Organizations could implement strict policies and procedures for the e-mail and network administrators regarding abuse of fellow employees through the e-mail system. This type of problem is probably more of a concern for smaller organizations that have a sole administrator or a small administration staff. In large companies, are all the administration staff suspect? So whom do you determine to lead the investigation?
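The log checks described for the second possibility (a login recorded while the account owner was away, a limit on simultaneous logins, and a restriction on where a user may log in from), sketched in Python as an added example that is not part of the original paper. The log format, user names, workstation names and policy values are all constructed; real server logs will differ.

```python
from datetime import datetime

# Constructed sample log in a hypothetical "date time event user workstation"
# format.
SAMPLE_LOG = """\
1999-08-04 08:55:02 LOGIN jdoe WS-ACCT-03
1999-08-04 09:01:40 LOGIN asmith WS-ENG-11
1999-08-04 12:02:15 LOGOUT jdoe WS-ACCT-03
1999-08-04 12:20:31 LOGIN jdoe WS-ENG-07
1999-08-04 12:24:09 LOGOUT jdoe WS-ENG-07
1999-08-04 13:05:44 LOGIN jdoe WS-ACCT-03
1999-08-04 14:10:00 LOGIN asmith WS-ENG-12
1999-08-04 17:00:12 LOGOUT asmith WS-ENG-11
"""

# Hypothetical policy: where each user may log in from, and how many
# sessions a user may hold at once.
ALLOWED = {"jdoe": {"WS-ACCT-03"}, "asmith": {"WS-ENG-11", "WS-ENG-12"}}
MAX_SESSIONS = 1


def parse(log_text):
    """Yield (when, event, user, workstation); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] not in ("LOGIN", "LOGOUT"):
            continue
        try:
            when = datetime.strptime(parts[0] + " " + parts[1],
                                     "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield when, parts[2], parts[3], parts[4]


def find_suspect_logins(log_text, allowed=ALLOWED, max_sessions=MAX_SESSIONS):
    """Flag logins from unapproved workstations or beyond the session limit."""
    open_sessions = {}  # user -> workstations with a session still open
    findings = []
    for when, event, user, station in parse(log_text):
        stations = open_sessions.setdefault(user, set())
        if event == "LOGOUT":
            stations.discard(station)
            continue
        if station not in allowed.get(user, set()):
            findings.append((when, user, station, "workstation not allowed"))
        if len(stations - {station}) >= max_sessions:
            findings.append((when, user, station, "exceeds simultaneous logins"))
        stations.add(station)
    return findings


def logins_while_away(log_text, user, away_from, away_until):
    """Logins recorded for a user during a period they can show they were gone."""
    return [(when, station)
            for when, event, who, station in parse(log_text)
            if event == "LOGIN" and who == user
            and away_from <= when <= away_until]
```

The second function gives the workstation to start from when tracing who logged in under someone else's name; it cannot say who was sitting at it.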

Employee Responsibilities:

Who are you sending it to and what are you sending?

Remember the last scenario, how did the president get the insulting e-mail? Maybe you sent it to him by accident. You wrote that message to a friend of yours who just happens to be right next to the president in the e-mail list, you clicked on the president's name instead of your friend's and didn't notice. Or you thought you were forwarding a message from the president to your friend but instead you replied. Either way you messed up, and it cost you.

A scenario somewhat based on the above has happened to the author a few times. I get a frantic call from someone asking how they can retrieve a message they sent before the recipient reads it. On most systems there is no way to retrieve the message unless the e-mail administrator accesses the account and deletes the message. No system can retrieve a message once the recipient has opened it. Employees should always double check who they are sending a message to and what it contains; e-mails can easily be forwarded to someone without your knowledge containing things you've said that you don't want certain other people to see!

Using the right tool for the right job.

Any system in the world can be ruined if the parties using it don't at least take some responsibility for their actions in using it. E-mail systems on the whole are designed and built for reliability, and are easy to use. These factors may make the e-mail system open to uses for which it was not intended, like serving as a fileserver.

Most employees think it's easier to open a file attached to an e-mail than to get information about where that file is stored on the network and then open it from that location. Also, sending attachments makes it easier to send files to several people at once. But behind the scenes attachments can cause serious overloading of the e-mail system, as well as version difficulties and security issues. Take the example of someone sending a two MB file to ten people; this one file gets copied ten times, so now this one attached file is consuming twenty MB of space, as well as getting dumped into ten e-mailboxes, whether the person needs it or not. This file will most likely be consuming space on the backups as well, maybe getting backed up ten times. If a recipient works at home or at a remote office, they must now download this huge file over a slower dial-up or WAN connection rather than the fast LAN connection. Now these ten people can also send the file to other people as well; say five of them send it to five other people and two of the original ten make changes and send it back out again to the original ten, plus the person who originally sent the file. You can see where this is going; there soon may be fifty different versions of this file flying around the e-mail system consuming a hundred MB of space! All for one two MB file! Sensitive files can also end up in the wrong places quite easily, like the insulting e-mail scenario; just one wrong click can send a sensitive file to the wrong person. Most organizations provide secure file storage on the network to prevent these problems. If employees are complaining about the e-mail systems being slow and unreliable, they should check to see that they are not contributing to the problem by misusing the e-mail system in this manner. 
Most e-mail systems have restrictions on the maximum file size that may be sent through e-mail, but employees should not make a habit of sending files that reside on the network through the e-mail system as attachments. Some e-mail systems can also be configured to send reminders to or disable accounts that consume too much storage space. The author worked at a company where the Macintosh e-mail system was unstable for months, and finally crashed and was unavailable for five days because it was being used as a fileserver.

Personal Use

Simple, if the company forbids personal use of the e-mail system, don't do it. Even if they allow personal use, it would be wise to get one of the outside free web based e-mail services. They may not have all the capabilities of an organization account, but at least you hold most of the keys to the account. With a proper e-mail policy in place, employee rights regarding organization owned e-mail accounts are very limited.

What to do?

Clearly e-mail is not going away. The best protection is:

  1. Carefully considered policies, with clear information on the organization's expectations and restrictions regarding e-mail use, how the policies will be enforced, and punishments for violations.
  2. An informed decision when and if e-mails sent outside the company will be secured.
  3. Safeguard against infection or transmittal of malicious programs.
  4. Serious thought to how to protect e-mail accounts internally.
  5. Employee care and consideration in using the e-mail system.
  6. Employee personal use of the e-mail system should be discouraged.

The author of this paper has been administrating various e-mail systems since 1995.

Bibliography

US News and World Report. (1999, March 22). Office politics in the electronic age.
[WWW] Available: http://www.usnews.com/usnews/issue/990322/22work.htm

Computer Consultants Network. (1999, August 4). Sample E-Mail Policy.
[WWW] Available: http://www.ccn1.com/ccn1/gwsig/email.htm

Harroch, Richard. (1999, August 4). Sample E-Mail Policy.
[WWW] Available: http://www.smallbusinesskit.com/level2/forms/email.html

VeriSign, Inc. (1998). Verisign Onsite 4.0 Administrator Handbook.
[WWW] Available: http://www.verisign.com/onsite/doc/adminBook/admin.html

The Rhino9 Team. (1999). The Modern Hackers desk reference.
[WWW] Available: http://www.segurancant.com/themhd.htm

Network Working Group (1999, June). RFC 2633 S/MIME Version 3 Message Specification.
[WWW] Available: http://www.faqs.org/rfcs/rfc2633.html

Simson Garfinkel with Gene Spafford. (O'Reilly 1997, June) Web Security and Commerce
Chapter 7: Certification Authorities and Server Certificates.

Microsoft Education and Certification. (Microsoft 1997, February). Core Technologies of Microsoft Exchange Server 5.0.
Module 14: Implementing Advanced Security.
