How To Make The World Safer For Email

Guest author Jeremy LaTrasse is the CEO and co-founder of Message Bus, and was a co-founder of Twitter.

30 years ago a Digital Equipment Corporation rep sent the first piece of spam. In 2013, the problem of spam has become an epidemic with severe if often unseen consequences. We now live in a world filled with digital messaging abuse; according to security giant Symantec, 65.9% of all email is spam!

These days, the vast majority of that spam is caught and filtered before it reaches end-users’ inboxes. But it’s still out there, gumming up the works of the Internet and wasting huge amounts of network bandwidth as well as compute power and storage. And still enough gets through to make the practice worthwhile for the spammmers.

The threats faced by everyone who gets email vary wildly from penny stock ads and offshore pharma spam to phishing emails and virus-laden attachments. Socially engineered email content leveraging relevant and timely news are hardest to spot. A classic example is tax-time emails that claim to come from the IRS (despite the IRS stating it will never contact anyone by email).

Malicious content and links are hidden behind innocent URL shortners (such as Bit.ly, Ow.ly etc.) and hyperlinked text make detection of bad links particularly challenging. And compromised social media accounts may be the most effective ways to spread abuse and malware because we trust our friends and family.

A Question Of Trust

Yet trust is required for effective communication, especially when identity is involved. How can you, as an email recipient, trust that you are who you claim you are and that the message you are sending me is not malicious?

The answer comes in the form of email authentication technologies that help establish identity. These technologies present evidence establishing where the message came from and who sent it.

The email industry’s leading organizations and thinkers have been working on ways of stopping fraudulent email for years. The most recent innovation, DMARC (Domain-based Message Authentication, Reporting & Conformance) is helping email services like Yahoo, Gmail and Hotmail quickly determine the legitimacy of incoming messages. For DMARC to be successful, though, both senders and receivers need to come to the table; recently Twitter announced that it would sign all of its outbound email with DMARC.

DMARC’s rapid adoption by the receiver side of the email world (ISPs and mailbox providers) has resulted in nearly 60% of the world’s inboxes secured using DMARC technology in the first year alone. Much of the technologies actively establishing trust and identity are invisible to the end recipient, but Hotmail users might have seen a little green Shield icon in their inboxes – this seal informs recipients that Hotmail has taken an extra step to ascertain the identity of the sender.

Despite the email industry’s best efforts, however, fighting spam still requires the cooperation of the people and organizations who send and receive emails.

(Mass) Email Senders Have A Responsibility

Senders of legitimate email must take steps to ensure message security and protect their customers and their brand:

1. Ensure all messages pass SPF (sender policy framework) and DKIM (domain keys identified mail) authentication.
2. Publish a “reject” DMARC policy with reporting enabled.
3. Scan the Internet for “cousin” domains, domains that may be mis-spellings of a legitimate message/corporate domain and have those taken down. (These are often a source of malware and spam aimed at unsuspecting recipients.) Protecting the brand’s integrity also protects customers, everything is connected.
4. Respect existing acceptable use policies and terms of service as they’re published by ISPs and mailbox providers.
5. Stay familiar with the data privacy laws in the countries where they do business; ensure that all messages and messaging practices follow applicable regulations defining privacy and data security.

5 Ways To Protect Yourself

And regular email users also have to take steps to protect themselves:

1. Use different passwords for different logins.
2. Never share personally identifiable information (passwords, social security numbers, bank accounts, etc.) via email: Your bank will never email you and ask you to confirm your bank account number or the password you use to log into your account.
3. Remember, if it seems too good to be true, it probably is. If you don’t know who sent it, delete it. If it was important, they’ll send it again.
4. Your operating system will update itself if you allow it to; usually you just have to agree once and it’ll happen forever after.
5. Look for email personalization in messages. Marketers leverage first name/last name, and other information you’ve shared with them when setting up an account to help identify them as legitimate senders.

Image courtesy of Shutterstock.