E-Mail Filtering Best Practices: Cause for Action

IT security directors should design their e-mail filtering architecture and business policies around legal, risk-avoidance and infrastructure best practices.

Particularly during the past two years, the onerous task of filtering e-mail messages has grown to become a business and operational necessity-largely because of the influx of spam, as well as regulations and legislation that mandate the retention of e-communications such as e-mail and, increasingly, instant messages. Coupled with the traditional reasons for filtering-malicious code attached to or embedded within the message, and inappropriate or sensitive message content-filtering technologies and the market are undergoing radical change. This makes purchasing and implementation decisions difficult. Best practices for effective e-mail filtering can ease the decision-making process.

How can I justify the expense of e-mail filtering technologies?

Unlike other technology investments, e-mail filtering investments will rarely require business justification. Senior management will find budget to rid themselves and the enterprise of spam. Regulated-industry enterprises will deploy technologies and processes to ensure compliance with rulings. Enterprises that have paid millions of dollars-and have had their corporate credibility challenged-because of class-action civil lawsuits (in which an electronic message was the “smoking gun”) will implement whatever they must to protect themselves. In the case of e-mail, filtering is generally acknowledged as baseline security. The cost of doing nothing is self-evident.

Which e-mail filtering technologies should I implement?

The term “e-mail filtering” can refer to a single-purpose application or to a group of applications, each employing respective technologies. Cleansing or “hygiene” technologies filter for malicious code (commonly viruses), spam, and harmful text or graphical content. E-mail relay, denial-of-service protection and some level of message encryption, although not filtering technologies, often are bundled with the filtering applications.

The two distinct evolving categories of e-mail filtering technologies are the following:

• Message cleansing
• Message content reuse (where message content is put into a separate database-for knowledge management purposes, perhaps)

This research focuses on filtering for message cleansing.

What direction will e-mail filtering technologies and the market take?

A major consolidation of products and services is ongoing, most noticeably in the spam-filtering space, where vendors are attempting to keep one step ahead of sophisticated spammers.

Vendors with e-mail filtering products or services are moving away from stand-alone applications toward a framework model, where best-of-breed applications can be purchased and installed modularly. These are controlled through a central console with consolidated, analytic reporting.

How should I evaluate spam-filtering applications?

With spam comprising more than 50 percent of enterprise mailboxes, you need to know spam-filtering vernacular and techniques to avoid getting caught up in vendor hype when selecting anti-spam products and services. Question the vendor on its methodologies for spam identification, disposition and management.

Enterprise-level spam technologies may use a multilayered approach (messages are scanned through each filtering layer sequentially) or a “cocktail” approach (messages are scanned through one layer that comprises multiple filters) by using different spam-detection methodologies for ranking the probability that a message is spam. Some methodologies, such as Bayesian analysis (statistical identification), are maturing.

With the spam identified, a robust spam-filtering application will enable different disposition actions. For example, “gray mail” (that is, mail with a questionable probability of being spam) is sent to the recipient, but annotated as possibly being spam. Management capabilities include such services as defining the specificity of control that the administrator and user have over spam-for example, by providing users with a digest (listing) of the messages that were quarantined as spam, as well as the ability to view and release the messages.

Spam-filtering applications should be policy-driven so that they can adapt to changing business requirements and spammers’ schemes.

Should I filter e-mail that is sent within the enterprise?

It depends. Most enterprises will only filter inbound Internet e-mail for malicious code and spam. Filtering for text-based content, such as inflammatory language, is normally done “as needed”-for example, when an employee is suspected of sending harassing messages to a colleague. Regulated industries may use text-based content filtering for post-send self-audits.

Should I implement a centralized or region-specific e-mail filtering policy?

This is more a business issue than a technology concern. Filtering policies typically will be centralized, but enterprises may need to make exceptions for business centers with more rigorous legislative or regulatory requirements. For example, European business centers may be subject to the restrictions of the European Union Data Protection Directive, which sets far higher standards for privacy than comparable U.S. regulations.

Our legal department does not want to perform message inspection for fear of raising employee privacy issues, particularly where privacy legislation is strong, such as in Europe. What should I do?

The central issue for policymakers, enterprises and individuals is determining the proper balance between individual privacy and the interests of society, and deciding how it can be achieved. New technologies, such as instant messaging and location-based mobile services, make it necessary for regulators and enterprises to adjust their requirements for the monitoring and interception of communications.

In a global enterprise, creating a consistent policy on workplace privacy can be challenging, due to the legal differences among countries. In the United States, case law has established that employees in the workplace have no expectation of privacy. However, there are exceptions, including the employee’s person and personal possessions. In the European Union, laws and regulations have been enacted to restrict an employer’s ability to monitor employee activity that is deemed “personal.” The Sept. 11 terrorist attacks accelerated many government and law enforcement regulations and codes toward greater interception and monitoring of e-communications.

Because privacy legislation differs among countries, develop your e-communications policy to ensure compliance with national and local data privacy legislation, as well as legislation in countries where you operate. In general, the e-communications policy will state that the employee should expect no right to privacy related to communications that travel the enterprise infrastructure. This protects the enterprise’s interests if a suspected wrongdoing triggers an ad hoc message inspection, for example. The policy should cover e-mail, instant messages and other types of digital communications. It should align to and reference the enterprise’s human resources “code of conduct” policy. The e-communications policy should define the conditions under which filtering may be used for business, regulatory or legislative compliance.

Privacy issues may not be as relevant when filtering messages for spam and malicious code (such as viruses). However, the e-communications policy should clearly define the degree to which the enterprise is expected to filter for spam and malicious code. The potential for hostile work environment lawsuits, for example, can be minimized by stating in the policy that the enterprise will provide a “best effort” at filtering spam, but that it does not guarantee 100 percent of spam will be filtered. Higher-education institutions may elect to filter spam for faculty and staff (because they are enterprise employees) but not for students, to mitigate the risk of infringing on what local legislation may deem to be free speech. In all cases, the enterprise’s legal organization should translate privacy issues into business policy, which filtering technology enables.

“Because privacy legislation differs among countries, develop your e-communications policy to ensure compliance with national and local data privacy legislation, as well as legislation in countries where you operate.”

Bottom Line: E-mail filtering is a combination of technologies designed to combat different security threats. IT security directors should involve the enterprise’s legal, records management and human resources organizations, as well as relevant business unit leaders, in defining how business practices will affect e-mail filtering design and deployment. Use a phased implementation of e-mail filtering technologies that moves gradually from audits to reporting to active filtering.

For more information on the current security topics affecting IT and business, visit gartner.com