R.I.P. email. Well nearly. While the number of email accounts continues to grow rapidly, I'm predicting that email, as we know it today, will fade away as the world's most pervasive form of digital communications—possibly within three to five years. It’s not just that there are other ways by which people are communicating, it’s also because email is increasingly a risky way to communicate.
Let’s start at a simple level. Sending an email in the way that most of us do today is much like sending an old-fashioned letter, one that is paper clipped to the outside of the envelope. The general population either doesn't know, or doesn't care much about, whether anyone sees what is in their email.
There are some professions who could, and probably should, protect their communications when sending them across the public Internet. The protection that most email users rely on is simply the sheer mass of emails being sent on a daily basis, along with the assumption that their ISPs do the right thing and adequately protect their communications in transmission and in storage.
Unfortunately neither proposition holds up. Firstly, while going through the sheer mass of emails is a gargantuan task, it’s not impossible and email doesn't make it hard to search or parse if you have a clear idea of what you are looking for. Secondly, there are no industry standards as to how digital communications should be stored and what safety parameters should be put around that storage.
A significant number of users use POP mail, which most likely means the email is eventually offloaded on to the user's PC or device. It’s generally not the most secure environment.
There is a sense of security if the transmission of the email is encrypted (most devices and servers are, and should be, capable of talking to each other via SSL or TLS), but that doesn't really address the issue of the storage of those emails. So how about we just encrypt email?
Savvy users know about creating and registering PGP keys. They know how to share their public keys with other savvy users. They can send encrypted emails as well as receive them, but at the moment, setting up good PGP encryption on your email is hard. It is essentially out of the technical reach of most users. PGP encryption is made hard by the lack of support for it from many email programs (usually it’s via an external plugin). And, of course, it will only work if the other party to your email is doing the same thing. Most larger corporates have no excuse, but they're still not doing it.
As a primary communications protocol, you wouldn't exactly call normal email systems secure.
We should also consider, of course, the issue of email as a tool of malevolence. Spam accounts for about 80% of global email traffic. The majority of malware and trojan systems that infect vulnerable PCs and devices are, by far, delivered via email either directly as a payload or through a phishing link.
Many service providers (including ourselves) offer email filtering as a standard part of our commercial email offerings, but nothing is 100% foolproof and not all email systems are filtered adequately. Email filtering is essentially a catch up exercise—putting preventative measures into place once you have found something bad permeating through email.
In-house corporate mail servers, especially those operating under a desk in an SME's business, are notoriously variable in the protection they offer. (For corporates using cloud based mail services, the news is getting better, but it’s not perfect. There are increasing concerns about which jurisdiction(s) corporate email resides in, and who is capable of accessing and analysing them.)
Email filtering is a complicated and resource intensive activity. Our filtering systems do a barrage of tests on every single email that attempts to come in, ranging from a preliminary check of the destination, to granular inspection of the content. One of the first lines of defence introduced is a cross check of Realtime Blackhole List (RBL) databases. Does the sending IP address show up as a spam source in any of these databases? Yes? Then the mail server doesn't even complete the handshake and the email never leaves its source.
Eighty to 90 percent of all email delivery attempts are rejected by our systems at this point. We rely heavily on a number of those RBL databases out there and they are very effective—for now. With the advent of IPv6, while we have not seen a huge surge in spam across IPv6 protocols yet, the bottom line is that the sheer number of IPv6 addresses out there will mean that literally every single spam email could have its own IP address. A different approach will be needed. A lot of organisations are putting their minds to the issue but until email via IPv6 becomes mainstream, we don't have all the answers.
As stated by Spamhaus, one of the leading RBL database providers:
“We expect that unforeseen scalability issues can be addressed incrementally as they start to make themselves apparent. Current traffic in the nascent world of IPv6 email today is of little use to predict what will happen when people start "using it for real".”
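The RBL cross-check and the IPv6 scaling problem described above, as an added example that is not the author's filtering system: it builds the lookup name in the RFC 5782 layout and picks the SMTP reply at connect time. The zone `dnsbl.example`, the listed addresses, the host name `mx.example` and the `fake_resolve` stub are constructed so the code runs without DNS.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """DNS name queried for `ip` in DNSBL `zone` (RFC 5782 layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # 4 octet labels
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 nibble labels
    return ".".join(reversed(labels)) + "." + zone

def connect_decision(ip, zones, resolve):
    """SMTP reply to a new connection from `ip`.

    `resolve(name)` returns the A records for `name`, or [] when the name
    does not exist. It is injected so the example needs no network access.
    """
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if any(a.startswith("127.") for a in answers):  # listed: refuse early
            return "554 5.7.1 %s listed in %s" % (ip, zone)
    return "220 mx.example ESMTP"

# Constructed listings in a made-up zone; addresses are documentation ranges.
ZONE = "dnsbl.example"
LISTED = {
    dnsbl_query_name("192.0.2.99", ZONE): ["127.0.0.2"],
    dnsbl_query_name("2001:db8:0:1::1", ZONE): ["127.0.0.2"],
}

def fake_resolve(name):
    """Stand-in for a DNS A lookup against the constructed listings."""
    return LISTED.get(name, [])

def per_address_entries(prefix):
    """How many separate listings it takes to cover every address in `prefix`."""
    return ipaddress.ip_network(prefix).num_addresses

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10", "2001:db8:0:1::1", "2001:db8:0:1::2"):
        print(ip, "->", connect_decision(ip, [ZONE], fake_resolve))
    print("listings to cover one /64:", per_address_entries("2001:db8:0:1::/64"))
```

The second IPv6 address sits in the same /64 as the listed one and is still accepted, which is the per-address scaling limit the paragraph on IPv6 points to.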
Now that's before the email gets into the systems themselves. After that, a veritable and ever-changing barrage of form, header and content checks is done. Many are done against filters that are updated hourly. Anything that doesn't pass muster gets quarantined. Out of the 10 or 20 percent or so of emails that do get into the system, around 10 to 15 percent end up in quarantine.
Overall, legitimate emails account for a small minority of email traffic. Clearly email is still an effective vehicle for delivering badness of many kinds, whether it’s phishing scams or payloads for malware and/or botnets.
Putting this in perspective, corporates are sending lots of their main communications down information highways that look more like combat zones. But there are many signs of change.
In the health and medical field, secured, encrypted messaging is non-negotiable. Companies such as Argus Connecting Care provide essential point-to-point encrypted messaging for medical practitioners, specialists and hospitals.
Increasingly, government procurement portals provide ways in which businesses and non-profit organisations can submit tenders and reports, schedule events and activities, and correspond. And, of course, there is a plethora of cloud-based groupware and project management systems such as Basecamp that provide complete end-to-end management, document handling and communications systems. Email is in many cases an optional function.
Perhaps what is noteworthy is that there are cultural changes in the way that we are communicating. There is now a generation of people moving into the workforce who were brought up on the Internet. Their primary form of communication is mobile and it’s social—and it’s one to one. Whereas you will receive email from anyone who has your email address whether you like it or not, with many forms of social media, you can choose who you want to talk to and how.
In the same way that smart phones are now used less and less for “traditional” phone calls, there's already clear evidence that email is falling out of favour with family and consumer users, which is where this young generation is transitioning from.
It’s interesting to reflect on the fact that email pre-dates the Internet as we know it and operated on hermetically sealed mainframe systems, where terminals were connected directly to it. In typical fashion, the innovators who integrated email into the Internet could scarcely have contemplated the explosion of its use by so many different quarters of the human population—or the dangers that would arise.
In typical fashion also, fixes, add-ons, extensions and myriad different technical adaptations of the original mail protocols have been applied to keep bad human behaviour and exploitation (and that's the heart of the problem really) at bay.
At the end of the day, it is a very hard job to keep emails clean and safe. I think we have to start questioning whether it’s viable or even worth the effort to keep breathing life into email.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
Original Article appeared in CSO online in 2014