<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; email abuse</title>
	<atom:link href="http://www.theemailadmin.com/tag/email-abuse/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Exchange Server 2010 Email Abuse Prevention</title>
		<link>http://www.theemailadmin.com/2010/07/exchange-server-2010-email-abuse-prevention/</link>
		<comments>http://www.theemailadmin.com/2010/07/exchange-server-2010-email-abuse-prevention/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 14:26:17 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[email abuse]]></category>
		<category><![CDATA[Transport Rules]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2701</guid>
		<description><![CDATA[In his article, “Preventing Internal Email Abuse with Exchange Server 2010”, Paul Cunningham states, &#8220;… there is a lesser amount of attention given to preventing internal abuse of email systems. The risk of internal email abuse may seem low but for some organizations the risk is actually quite significant.&#8221; In Exchange Server 2010, one of [...]<p><a href="http://www.theemailadmin.com/2010/07/exchange-server-2010-email-abuse-prevention/">Exchange Server 2010 Email Abuse Prevention</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>In his article, “<a target="_blank" href="http://www.allspammedup.com/2010/06/preventing-internal-email-abuse-with-exchange-server-2010/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.allspammedup.com/2010/06/preventing-internal-email-abuse-with-exchange-server-2010/?referer=');">Preventing Internal Email Abuse with Exchange Server 2010</a>”, Paul Cunningham states, &#8220;… there is a lesser amount of attention given to preventing internal abuse of email systems. The risk of internal email abuse may seem low but for some organizations the risk is actually quite significant.&#8221;</p>
<p>In Exchange Server 2010, one of the more interesting features to have been improved is Transport Rule predicates and actions. Using Transport rules, an administrator can create a rule that inspects messages for the conditions specified in the rule. The administrator can also create exceptions, so that when an exception is met no action is applied to a message the rule would otherwise have matched. Exchange Server 2010 adds flexibility both in creating rules and in the actions that can be taken against the messages they identify.</p>
<p>In Paul Cunningham’s post he discusses how Transport Rules can be created and applied to internal messages with the purpose of identifying abusive email practices and their originators.</p>
<p>It is nice to have such a feature added to Exchange Server that can be used to help eliminate or at least reduce abusive internal emails sent and received within an organization. But I think companies and their IT departments will also have to speak with their legal departments to ensure they are not encroaching on any privacy laws.</p>
<p><span id="more-2701"></span></p>
<p>The situation Paul describes in his post is essentially that of creating filters to prevent abusive emails from being sent to co-workers, but this capability could also be used to block or filter out emails of a political nature, which could become the basis for a challenge to the right of free speech. I know this sounds a little extreme, but let’s see how this could possibly play out using Transport rules.</p>
<p>A word-filtering Transport rule of this type would be configured to include:</p>
<ul>
<li>A condition that would identify email messages sent from internal senders to internal recipients.</li>
<li>The condition would identify certain words or phrases in the email subject, body, or attachments.</li>
<li>An action to be applied against any email that matched the condition above.</li>
<li>Any exceptions to that rule.</li>
</ul>
<p>So in our example, if a company or any other organization decided that email messages containing the words “Libertarian Party” were inappropriate, it could create a Transport rule that recognized those key words and then sent those emails to the “bit bucket” or trash can. An exception to the rule might be something along these lines: if no profanities are found in the email, let the message pass through to the internal recipient.</p>
<p>Another possible action to take when a Transport rule is triggered is to redirect the filtered email to the company’s legal department or to security for further review.</p>
<p>I do agree with Paul that implementing a company-wide filtering system in which every internal email is scrutinized by a key word or phrase methodology would be very complex and costly in terms of not only compute resources but also capital outlays. There would be sure to be some overhead from using a single centralized filtering system, and as a single point of failure it would most likely impact performance and prove costly should the system ever go down.</p>
<p>Paul points out that even “…Exchange Server’s own anti-spam filtering can’t help.” He notes that any email sent between mailboxes within the same organization is given a Spam Confidence Level (SCL) of -1 (on a scale of 0 to 9), which means that Exchange Server treats the email message as trusted. A “-1” SCL value assigned to the email message basically eliminates any further SCL-based filtering decisions from being applied to it. This could also mean that the email sender had possibly been white listed in some manner.</p>
<p>An SCL value of 0 means that the email message is most likely not spam, whereas an SCL value of 9 means that the email message is most likely spam, which would make that message obviously eligible for SCL-based filtering decisions to be applied.</p>
<p>It is for these reasons that Transport rules should be considered as a component of any email content filtering system that requires an intra-company email filtering capability. And since administrators can configure this feature centrally, the benefit is that the effect ripples across all Hub Transport servers in the organization, allowing for a streamlined and distributed implementation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/07/exchange-server-2010-email-abuse-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Disloyal use of email isn&#8217;t a crime</title>
		<link>http://www.theemailadmin.com/2009/10/disloyal-use-of-email-isnt-a-crime/</link>
		<comments>http://www.theemailadmin.com/2009/10/disloyal-use-of-email-isnt-a-crime/#comments</comments>
		<pubDate>Fri, 02 Oct 2009 14:05:36 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[CFAA]]></category>
		<category><![CDATA[computer crime]]></category>
		<category><![CDATA[email abuse]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1587</guid>
		<description><![CDATA[Workers who use company email for disloyal activities may be targeted for administrative sanctions, but they&#8217;re not necessarily criminals under U.S. law, according to a recent decision by a federal court. The ruling by the Court of Appeals for the Ninth Circuit, which includes California, found that an employee for a residential treatment center for [...]<p><a href="http://www.theemailadmin.com/2009/10/disloyal-use-of-email-isnt-a-crime/">Disloyal use of email isn&#8217;t a crime</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_1605" class="wp-caption alignright" style="width: 250px"><img class="size-full wp-image-1605 " style="margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2009/09/9th-circuit-WinCE.jpg" alt="U.S. Appeals Court for Ninth Circuit." width="240" height="167" /><p class="wp-caption-text">U.S. Appeals Court for Ninth Circuit.</p></div>
<p>Workers who use company email for disloyal activities may be targeted for administrative sanctions, but they&#8217;re not necessarily criminals under U.S. law, according to a recent decision by a federal court. The ruling by the Court of Appeals for the Ninth Circuit, which includes California, found that an employee for a residential treatment center for addicted persons in Nevada could not be prosecuted under the federal Computer Fraud and Abuse Act (CFAA) for emailing himself client files for use in a competing business after his employment was terminated from the center.</p>
<p>The case, <em>LVRC Holdings v. Brekka</em>, involves Christopher Brekka, who was hired by LVRC and worked at its Fountain Ridge facility in Nevada. Brekka&#8217;s duties included conducting Internet marketing programs and interacting with Web metrics company, LOAD, which LVRC employed to provide email, Web site, and related services for the treatment center. At the time of his hiring, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of Internet sites and advertisements. According to the court, LVRC was aware of Brekka&#8217;s involvement with EBSN and EBSF when it brought him on board.</p>
<p><span id="more-1587"></span></p>
<p>While working for LVRC, Brekka commuted between Florida, where his home and one of his businesses were, and Nevada, where Fountain Ridge and his other business were located. Brekka was issued a computer by LVRC, but routinely emailed himself documents he used at LVRC to his personal computer in Florida. After working for LVRC for several months, Brekka legitimately obtained an administrative log-in for the company&#8217;s Website to obtain metrics about the site which he used to manage its internet marketing.</p>
<p>Brekka did not have a written employment agreement with LVRC and the company did not have any employee guidelines governing emailing company documents to the personal computers of workers.</p>
<p>About six months after hiring Brekka, LVRC terminated its relationship with him. Later, LVRC discovered someone accessing their computers using Brekka&#8217;s login. When LVRC discovered that, they voided Brekka&#8217;s login and filed a number of lawsuits against the former employee, including one alleging he violated the CFAA when he emailed documents to his personal computer and continued his administrative access to the company&#8217;s Web site.</p>
<p>The CFAA, enacted in 1984, is a federal law aimed at punishing computer hackers who access computers to steal information or to disrupt or destroy a computer&#8217;s functionality. Among the crimes cited in the law are accessing computers without authorization or in excess of authorization and stealing information or damaging a computer or its data. LVRC argued that Brekka violated the authorized access provisions of the law.</p>
<p>LVRC contended that Brekka&#8217;s access to confidential information to further his interests rather than the company&#8217;s constituted unauthorized access under the federal law. But the court didn&#8217;t see it that way. &#8220;[A]n employer gives an employee &#8216;authorization&#8217; to access a company computer when the employer gives the employee permission to use it,&#8221; it reasoned. &#8220;Because LVRC permitted Brekka to use the company computer&#8230;Brekka did not act &#8216;without authorization.&#8217;&#8221;</p>
<p>As for the allegations that Brekka accessed LVRC&#8217;s computers after he left the company, <a target="_blank" href="http://www.ca9.uscourts.gov/datastore/opinions/2009/09/15/07-17116.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.ca9.uscourts.gov/datastore/opinions/2009/09/15/07-17116.pdf?referer=');">the court found</a> that LVRC did not meet its burden of proof to support that contention.</p>
<p>&#8220;Brekka holds that a person uses a computer &#8216;without authorization&#8217; when she has not received permission to use the computer for any purpose, or when the employer has rescinded permission to access the computer and she uses the computer anyway,&#8221; Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, wrote in an analysis of the decision posted at the EFF&#8217;s Web site.</p>
<p>&#8220;Similarly, a person who is authorized to use a computer does not exceed authorization simply by acting contrary to the computer owner&#8217;s interest, but only by obtaining or altering information in the computer that she is not entitled to obtain or alter,&#8221; she continued.</p>
<p>&#8220;The Brekka opinion is in line with the more recent and better line of district court cases that have rejected a &#8216;thought crime&#8217; interpretation of the CFAA where the employee&#8217;s mental state determines whether she was authorized or not,&#8221; <a target="_blank" href="https://www.eff.org/deeplinks/2009/09/ninth-circuit-holds-disloyal-computer-use-not-crim" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.eff.org/deeplinks/2009/09/ninth-circuit-holds-disloyal-computer-use-not-crim?referer=');">she added</a>. &#8220;Brekka says that neither the statutory language nor the canons of criminal law allow such a broad reading that leaves people uncertain of when this criminal statute would apply.&#8221;</p>
<p>What lessons can be learned by email administrators from this court decision? Certainly, the ruling illustrates the importance of an email policy for companies. If you don&#8217;t want your workers forwarding important documents to their home computers, then you should tell them so in black and white. It also might be wise to work with your HR and Legal departments to make sure email issues like those raised in Brekka are addressed in boilerplate employment agreements your company executes with contract employees.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/10/disloyal-use-of-email-isnt-a-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

