Tuesday Mar 25, 2008

Haven't they heard of phishing?

I received an Email from my health insurance provider. A few days before, I had used the "Contact Us" section of their website to send them a question about my account.

At a quick glance, the Email seems unremarkable. But instead of a response to my question, it contains instructions to decrypt my message, which involves opening the HTML attachment as a first step (red flag #1). Normally, I don't open any HTML attachment from unknown sources, to avoid validating my address to spammers, but this one should be fine, right? I look at the From: header, it looks legitimate, but of course it could have been forged (red flag #2). Then I expand to full header view, and the set of Received headers supports the From: identity. The earlier Received headers could have been doctored, but I trust the one added by Sun's MX gateway. After all, I've been anticipating an Email from them, so I decide it's ok to proceed.

When I click on the attachment, Mail.app prompts: Are you sure you want to open the application "securedoc.html"? Could this be a trojan horse disguised as an HTML file? I examine the source of the Email, and find that the MIME Content-Type field of the HTML attachment was mislabeled as "application/octet-stream" rather than "text/html" (red flag #3), so there's no foul play here. I drag the HTML icon over to Safari and it opens.

According to the instructions provided, once I open the HTML file I should get two choices. Either click on the "open" button and an applet will be downloaded and installed to my C: drive, or click on the "here" link and my browser will open the secure email without any applet downloading. Since I'm on a Mac, I don't have a C: drive, and I prefer (just in case this indeed is a trojan horse) not to install any applet, I look for the "here" link. But there is none (red flag #4). Left with no other choice, I click on the "open" button.

Fortunately, this correctly initiates the process of key retrieval from the insurance provider and message decryption. I'm glad it didn't ask for my membership number and password, which would've raised another red flag or two. Below the response, an underlined heading says "Original Message Excluded" (red flag #5). The footer/signature has only three words, "PostX Secured Email," which is the technology behind all this.

Although the response provides the information I asked for, so many red flags went up in my head that I can't help wondering whether they ran this process by a messaging consultant. Regardless, here's some free advice:

  • Solution to #1: Don't ask or expect your recipients to open any attachment or URL, until you have built confidence with them.
  • Solution to #2: Sign your messages with a certificate to prove your identity.
  • Solution to #3: Label your MIME fields correctly; it's unprofessional not to do so.
  • Solution to #4: Make sure the instructions you provide match the actual experience precisely.
  • Solution to #5: Include the original message (where applicable), ideally before you ask for user action.

Come to think of it, these suggestions can help any Email marketer wanting to distinguish themselves from phishers/spammers.
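The header and attachment checks walked through above can be automated on the receiving side. The following is an added example, not code from the post or from the insurance provider's vendor: it walks the Received chain and trusts only the hop stamped by your own gateway (here the assumed hostname `gateway.example.com`), compares that hop with the From: domain, and flags attachments whose declared Content-Type disagrees with their filename, which is red flag #3. The sample message is constructed for the example and modelled on the one described in the post.

```python
import email
import email.utils
import mimetypes
import re
from email import policy

# Assumption: the hop stamped by our own mail gateway is the only Received
# header we did not have to take on faith.
TRUSTED_GATEWAY = "gateway.example.com"

# Constructed sample message modelled on the one in the post: a plausible
# Received chain and an HTML attachment shipped as application/octet-stream.
SAMPLE = """\
Received: from mx.insurer.example (mx.insurer.example [203.0.113.10])
\tby gateway.example.com with ESMTP id abc123
\tfor <me@example.com>; Tue, 25 Mar 2008 09:00:00 -0700
Received: from app01.insurer.example (unknown [10.0.0.5])
\tby mx.insurer.example with ESMTP id xyz789; Tue, 25 Mar 2008 08:59:58 -0700
From: Member Services <service@insurer.example>
To: me@example.com
Subject: Your secure message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please open the attached file to read your secure message.
--b1
Content-Type: application/octet-stream; name="securedoc.html"
Content-Disposition: attachment; filename="securedoc.html"

<html><body><p>Click open to retrieve your message.</p></body></html>
--b1--
"""


def parse_message(raw):
    """Parse raw RFC 5322 text into an EmailMessage (modern email.policy API)."""
    return email.message_from_string(raw, policy=policy.default)


def parse_received(value):
    """Pull the 'from' and 'by' hosts out of one Received header value."""
    value = " ".join(value.split())  # undo header folding
    m_from = re.search(r"\bfrom\s+([^\s(;]+)", value)
    m_by = re.search(r"\bby\s+([^\s(;]+)", value)
    return (m_from.group(1) if m_from else None,
            m_by.group(1) if m_by else None)


def trusted_sending_host(msg, trusted_by=TRUSTED_GATEWAY):
    """Host that handed the message to our gateway, or None if no such hop.

    Each hop prepends its own Received header, so the first one whose 'by'
    clause names our gateway is the outermost hop we can actually trust;
    every header below it may have been written by the sender.
    """
    for value in msg.get_all("Received", []):
        frm, by = parse_received(str(value))
        if by and by.lower() == trusted_by:
            return frm
    return None


def from_domain_consistent(msg, sending_host):
    """Does the From: domain match (or own) the host our gateway received from?"""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_domain = addr.rsplit("@", 1)[-1].lower()
    host = (sending_host or "").lower()
    return host == from_domain or host.endswith("." + from_domain)


def mislabeled_attachments(msg):
    """Attachments whose declared Content-Type disagrees with their filename.

    An .html file labelled application/octet-stream makes the client treat it
    as an opaque download, which is what triggered the Mail.app warning.
    """
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        guessed, _ = mimetypes.guess_type(name)
        declared = part.get_content_type()
        if guessed and guessed != declared:
            findings.append((name, declared, guessed))
    return findings


def assess(raw):
    """Summarise the trust checks for one message."""
    msg = parse_message(raw)
    host = trusted_sending_host(msg)
    return {
        "sending_host": host,
        "from_matches_path": from_domain_consistent(msg, host),
        "mislabeled_attachments": mislabeled_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

The path check only says that the From: domain agrees with the host your gateway talked to; it does not prove the message is genuine, which is what the signed-message advice in solution #2 is for.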

Friday Dec 14, 2007

A way to stop Email Cc abuse?

Do you frequently add others to the Cc: distribution?

Carbon copying (Cc for short) in Email is undoubtedly one of the most useful features. Alice sends Bob and Charlie an Email, then Bob invites Dave to the discussion by adding him in the Cc: field.

[Growing Inboxes]

As it happens, however, Cc is also one of the most abused features. WSJ has an article titled Email's Friendly Fire which says:

Email overload is now considered a much bigger workplace problem than traditional email spam. Inboxes are bulging today partly because of what some are calling "colleague spam"—that is, too many people are indiscriminately hitting the "reply to all" button or copying too many people on trivial messages, like inviting 100 colleagues to partake of brownies in the kitchen.

If you're Bob, the person who adds others, Cc is great. But if you're Dave, the person who is being added, sometimes you may wonder why you're on the distribution at all and silently curse Bob for contributing to the "colleague spam" you receive in your INBOX.

One difference between Facebookmail and Email I've noticed is that in Facebook, once the sender defines the distribution scope, it becomes fixed and cannot be expanded or shrunk. In other words, Alice, Bob or Charlie may not invite Dave into the discussion, nor could Bob respond in private to Alice or Charlie without starting a new thread. The upside is that whatever is said between Alice, Bob and Charlie remains private to them, but the downside is that others cannot chime in or add value.

In contrast, the Facebook event scheduling system allows participants to invite more friends as long as the event is open. A bigger party is always a better party, I suppose. :)

Can we think of a way to prevent Cc abuse yet maintain the flexibility of it at the same time?

Thursday Dec 13, 2007

Plaintext vs HTML Email

A new group called Email Standards Project was recently started to improve the state of web standards support in Email clients by working with both client developers and the designer community. I mentioned in passing that HTML Email doesn't always appear to the recipient the way its sender intended. One reason is that different clients render HTML Emails differently, so it's good to see an effort towards standardization.

That being said, however, I used to be strongly against HTML Email. I had my mail client set to display the plaintext alternative when available. Whenever a mailing list or online merchant gave me a choice, I set my preference to receive plaintext rather than HTML. I felt that the sender should not dictate the font size and background color in which I read my Emails, especially on mobile devices.

But over the years, my view gradually shifted. I now consider HTML Email to be complementary to plaintext. Like a presentation or a speech, HTML Email is structured, well-prepared and unidirectional; whereas plaintext is more informal, friendly and dialog-like. Both are important forms of communication, so it would be a bit naive to write off either one. How should one choose one form over the other? Here's a guideline I recommend:

Plaintext Email

  • Good for discussions or two-way exchanges.
  • Preferred on mailing lists.
  • Not suitable where formatting of information is essential to the recipient.

HTML Email

  • Good for announcements, newsletters, press releases, status reports, e-bills, coupons and generally Emails to which you don't expect a reply.
  • Must always include a plaintext alternative.

The reason is that an organization has legitimate reasons to send professional-looking Emails to its clients, but it's very difficult for both humans and mail client software to respond to and properly quote formatted text, and you never know whether someone in your audience may not care for visual appeal, such as a person with impaired eyesight. A plaintext alternative ensures graceful degradation.
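The "must always include a plaintext alternative" rule is a matter of MIME structure: the message is a multipart/alternative whose parts run from plainest to richest, and a client shows the richest one it can render. As an added example (not code from the post), here is how to compose such a message with Python's standard `email` library and how to check an incoming message for the fallback; the HTML-only sample is constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage


def build_html_email(sender, recipient, subject, text, html):
    """Compose an HTML message that always carries a plaintext alternative.

    set_content() makes the text/plain body; add_alternative() then turns the
    message into multipart/alternative with text/plain first and text/html
    last, the order in which clients pick the richest part they can render.
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(text)
    msg.add_alternative(html, subtype="html")
    return msg


def part_types(msg):
    """Content types of the top-level parts, in wire order."""
    return [part.get_content_type() for part in msg.iter_parts()]


def plaintext_alternative(msg):
    """The text/plain body a plaintext-only client would show, or None."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else None


def lacks_plaintext_alternative(raw):
    """Check an incoming message: True when only HTML is offered to the reader."""
    msg = email.message_from_string(raw, policy=policy.default)
    return plaintext_alternative(msg) is None


# Constructed HTML-only message of the kind the guideline argues against.
HTML_ONLY = """\
From: newsletter@shop.example
To: me@example.com
Subject: March offers
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><h1>March offers</h1><p>20% off this week.</p></body></html>
"""


if __name__ == "__main__":
    msg = build_html_email(
        "newsletter@shop.example", "me@example.com", "March offers",
        "March offers\n\n20% off this week.",
        "<html><body><h1>March offers</h1><p>20% off this week.</p></body></html>",
    )
    print(msg.get_content_type(), part_types(msg))
    print("plaintext fallback:", plaintext_alternative(msg))
    print("HTML-only sample lacks fallback:", lacks_plaintext_alternative(HTML_ONLY))
```

A mailing-list gateway or a screen reader can use the same `get_body(preferencelist=("plain",))` call to pick the text part, which is the graceful degradation the guideline asks for.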

I wish there was a mail client that would auto-select between plaintext and HTML based on previous habit and context...

Tuesday Nov 27, 2007

Mulberry is back and now open source

While I have never used it, Mulberry is an Email client praised by many power users for its large set of features and standards compliance. The company that made it went bankrupt in 2005, but it's back again and released as open source. I should give it a test drive and write a review.

Sidenote: Mulberry is developed by the very talented Cyrus Daboo, who now works at Apple on their CalDAV server.

Essential things everyone should know about email

  1. Anyone can send Email to anyone pretending to be from anyone else.
  2. Email is not guaranteed to arrive quickly or at all.
  3. Your Emails can be read by other people.
  4. Email wasn't designed to handle large files.
  5. Any Email that asks you to forward it on to other people is a chain letter, and should be deleted.
  6. You can't trust any Email from anyone.
  7. If you put your Email address on the public internet even once, you will forever get spam.
  8. Never reply to junk mail or scams.
  9. Emails do not convey emotion and can easily be misunderstood.

Source: http://bla.st/site/blog/34/

I'd like to add a few more:

  1. Once you click 'send', there's no 'undo'.
  2. There's no way of knowing if and when the recipient has read your Email.
  3. The danger with composing HTML Email is that it may not look the same on the recipient's end.

Thursday Nov 15, 2007

Email getting lots of attention

A quick rundown:

Nov 13, 2007:
  • Marshall Kirkpatrick from readwriteweb.com wrote "it took Facebook to introduce people to RSS in a way that was really compelling." and "The social network of the future will be populated by the RSS feeds of the activities of your friends and your friends will be determined by email."
  • "The Death of E-Mail" on Slate said "Those of us older than 25 can't imagine a life without e-mail. For the Facebook generation, it's hard to imagine a life of only e-mail..." and "Instant-messaging, mobile text-messaging, blogging, micro-blogging, and social-networking profiles all help compensate for e-mail's shortcomings." and "It's not hard to imagine a future communications command center where, on a single screen, you'll be able to choose between sending an e-mail, instant message, status note, or blog post—or sending all of them at once—and then have all those bits of text neatly and securely archived."
  • Nick O'Neill wrote on "Email Becomes Center of Social Networks?" "I’m not quite sure how I feel about using my email for the center of my social network but maybe my feelings will change once it launches."
  • "Inbox 2.0 isn’t coming, it is here." on Xobni blog said "We realized after building Xobni analytics and playing with email data for 6 months that the most interesting data in email revolved around relationships."
  • Mathew Ingram wrote skeptically on Can getting social make email better? "for me, email is pretty close to broken."
  • Don Dodge wrote "Email contacts - the natural social network" and said "Email is where [people] naturally communicate and collaborate. Social networks are another isolated island of information."
  • Steven Hodson wrote "For me using email as my social network hub doesn’t depend on integration with outside environments or the need to be widgetized in some fashion or other. Instead my Inbox needs tools like Xobni and some serious attention to dealing with spam." and "We already have been using the original social network for a very long time - it just needs some fixing up and new tools to make it better."
  • Google announced the new Google Apps Email Migration API for customers whose existing mail systems don't support IMAP.
  • Sachin Balagopalan thinks it’s time to phase out email from the work place. "The profound difference [...] is that social networks enable you to participate in a virtual team or community and IMO that is conducive to the business environment - we all belong to a team at work and we interact with our team members. Email on the other hand was not designed with the community in mind rather it’s based on an “account” and you can send and receive emails from any account."

I shared my Messaging 2.0 idea with Han today and she seems to like it. I'm hoping to find some time during Thanksgiving holiday to refine and formalize the architecture.

Thursday Nov 08, 2007

Email privacy to disappear?

That position, if accepted, may mean that the government can read anybody's e-mail at any time without a warrant.

As they say in the comments, if you want privacy, better start encrypting your Email or running your own mail server.

Source: http://www.securityfocus.com/columnists/456

Traffic to social networks surpasses webmail in the UK

According to Hitwise, UK internet users visited Facebook, Bebo and MySpace more times last month than they visited Hotmail, Yahoo! Mail, Gmail and other webmail services:

This confirms that social networks are starting to eat into the web-based email providers’ dominance of the internet messaging market.

Does it? While traffic to social networking sites grows steadily, visits to webmail sites as shown above do not decline correspondingly for most of the chart. Also, the graph only counts hits, not time spent on the sites or the number of messages generated (not to mention non-webmail Email traffic).

Until the walls come down between social networks, I can't see myself giving up Email as the primary method of staying in touch with friends and family.

Source: Hitwise - Social networks overtake webmail

Tuesday Nov 06, 2007

Why Twitter won't delete Email

Because it isn't designed to be Email 2.0.

In a recent debate titled "E-mail Faces Deletion" hosted by BusinessWeek, Robert Scoble suggests that Twitter could overtake Email as the leading business communications tool. I read it a few weeks ago, but I wasn't on Twitter so I didn't feel qualified to comment. Since then, I've become more familiar with Twitter and found a few of his arguments flawed.

  1. Knowledge retention. While policy varies from country to country, publicly-traded companies and even SMBs that don't host their own Email nowadays typically keep Email on the server side and have retention policies (for compliance reasons) that determine how the data of former employees is retained and transferred to replacements.
  2. Spam problem. Twitter doesn't suffer from it because users decide whom they wish to follow or unfollow. This method is similar to whitelisting and blacklisting, and it only works in Twitter because it is a walled communication platform and you don't give out your Twitter username the way you give out your Email address (on the last page of your presentation, when you fill out online forms, to merchants and service providers, etc.).
  3. What happens in Twitter, stays in Twitter. You can depend on Twitter for as long as it is around. Possibly the best way to explain Twitter to non-technical people is that it is a news broadcasting system in which any member can be a broadcaster. This is very appealing to consumers but not so to corporations. For various reasons, good or bad, internal business communication most often flows in a controlled and structured manner rather than a broadcasting model.
  4. Twitter lets you filter what others are saying. For example, when Google launched the Open Handset Alliance yesterday, also known as Android, you can do "track android" in Twitter and it'll automatically direct every Twitter message (called "tweet") containing that keyword to you. The upside is that you get to tap into a global community and track actions and thoughts on that topic in near real-time, but the downside is that the signal-to-noise ratio can be very low because everyone can be a broadcaster.

Furthermore, Twitter has a few design choices that make it unsuitable for business use:

  1. Messages are limited to 160 characters.
  2. No support for attachments.
  3. Can't define scope of distribution.
  4. No verification of status. Companies (especially large ones) may wish to cut their ties with terminated employees, and it's not clear how Twitter can handle that.

That being said, is Email perfect as a business communication tool? Absolutely not. It's been around for 25 years and I'm confident it'll stick around for another 25 years, but if its weaknesses are not addressed and improvements are not made in time, then I doubt it'll maintain its usefulness. Although it's not fair to compare Email with Twitter, there are a few things Email can learn from Twitter:

  1. Needs stronger sender identification. When an Email claims it was sent by Aunt Betty, it must truly have come from her and no one else. Twitter's solution is to require account registration and a username/password. Systems such as SPF and DomainKeys go so far as to ensure domain-level authenticity, but we need something that goes farther, to sender-level.
  2. Needs an API. Twitter offers an API so that users and other developers can discover new ways to use Twitter. Email doesn't have an API; it has RFCs written by lots of people over many years to ensure interoperability, but its fundamentals are largely unchanged even though the rest of the world has progressed. I say it's time for an update, a rethink of modern and future requirements, similar to what ZFS did for filesystems. Excuse the overuse, but we need an "Email 2.0".
  3. Needs Permalink. A permalink is basically a fixed index to a web resource to which others link or respond. The vast majority of Email is either an inquiry for response or a response to another inquiry. If every Email message you write has a permalink, then it's a lot easier to track or search when others respond or add value to it.
  4. Follow & track. Once all of the above are in place, these become trivial. In fact, all kinds of new possibilities open up.
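The remark that SPF stops at domain-level authenticity can be made concrete. The following is an added example, not code from the post or from any SPF library: a deliberately simplified SPF evaluator (only the ip4, ip6, a, include and all mechanisms; no macros, mx, ptr or exists, and a crude stand-in for the DNS lookup limit) run against constructed DNS records for the made-up domains `family.example` and `mailhost.example`. Any local part at an authorised domain passes from an authorised IP, which is exactly why SPF can vouch for the domain but not for Aunt Betty herself.

```python
import ipaddress

# Constructed DNS data standing in for real TXT and A lookups (assumption: a
# real checker resolves these at evaluation time). Reserved example names only.
FAKE_DNS = {
    "txt": {
        "family.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
        "_spf.mailhost.example": "v=spf1 ip4:203.0.113.5 ip6:2001:db8::/32 a:out.mailhost.example ~all",
    },
    "a": {
        "out.mailhost.example": ["192.0.2.25"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # crude stand-in for RFC 7208's limit of 10 DNS lookups


def evaluate(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.

    Returns pass / fail / softfail / neutral / none / permerror. Simplified:
    only ip4, ip6, a, include and all are implemented.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = dns["txt"].get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is simply False (not an error) when address families differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = (arg or domain).lower()
            matched = any(ip == ipaddress.ip_address(a) for a in dns["a"].get(host, []))
        elif name == "include":
            # include matches only when the referenced record itself yields pass
            matched = evaluate(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not implemented in this simplified checker
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match (RFC 7208 default)


def check_spf(client_ip, mail_from, dns=FAKE_DNS):
    """SPF result for an SMTP MAIL FROM address sent from client_ip.

    Only the domain part is consulted: SPF has no notion of which person
    at that domain pressed send.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    return evaluate(client_ip, domain, dns)


if __name__ == "__main__":
    for ip, sender in [("198.51.100.7", "betty@family.example"),
                       ("198.51.100.7", "mallory@family.example"),
                       ("2001:db8::1", "betty@family.example"),
                       ("192.0.2.99", "betty@family.example")]:
        print(f"{sender:26} from {ip:14} -> {check_spf(ip, sender)}")
```

Note that `betty@` and `mallory@` at the same domain get the same result from the same authorised host; the record describes the domain's outbound mail servers, nothing more. DomainKeys (today DKIM) likewise signs on behalf of the domain, so closing the gap the post describes takes a per-sender mechanism such as S/MIME or PGP signatures.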

Do you think an old dog can learn new tricks? It's only limited by our imagination and drive. Consider how Google uses Email for project management (it's a rather long story, just search for "project management" when the page loads).

Thursday Nov 01, 2007

How Gmail's spam filter works

Gmail does a marvelous job at keeping spam out of its users' INBOX—probably the best among free spam filters (and better than some paid ones, too). But they have not said anything publicly about how they're doing it or how effective it is until now.

These are the four elements that make Gmail's spam filter tick:

  • Gmail users participation
  • Google's compute grid
  • Other Google technologies
  • Sender verification

You could read the full article, or watch Brad Taylor, Gmail's top spam fighting engineer, talk about their techniques in this educational video:

Tuesday Oct 02, 2007

Has Email become counter-productive?

Recently, I went to a technology conference in San Francisco, where I kept hearing about two recurring themes. One is that Email is counter-productive and interruptive—Email is dead. Another is that IT is the disabler of social networking (or any kind of new technology for that matter) in the enterprise. "The CIO's job is to say 'No'", said one of the attendees.

For a moment, I wondered whether I was in the wrong place with the wrong crowd. After all, I'm the Email guy in Sun IT. It felt awkward, but I wanted to understand what the perception and negativity were all about.

To a certain extent, I share their feelings. I get hundreds of Emails every day, and spend a significant portion of my day reading and writing Emails. As of this moment, I have 5407 messages in my INBOX (yes, I know it's a sin and I'm aware of GTD). With the exception of a few spam messages now and then, the vast majority of Emails I get contain information and knowledge I can use towards my job. If I didn't receive them in the form of Email, I'd still be consuming them through other means, such as news feeds, discussion forums, documentation, IM, webpages, etc. Having them all served to me in one place, where I can read them and sort them, actually saves me time.

However, there are a few cases where I agree Email can be annoying. Spam, for example. Invitations to internal meetings (that's what the calendar's for, you idiot). Notifications about the end of an Email service outage (how redundantly useless is that). Requests that carbon copy everyone to stop Cc'ing everyone. None of them have any value. If your INBOX has more noise than signal, I can see why you wish Email were dead.

That's a wrap for now. Gotta get back to work. I'll explore the other topics in future posts. Let me know in the comments how you feel about Email. No comments about spam please, let's save that subject for another day.


I currently live in San Francisco Bay Area. For the past seven years, I have been designing and building messaging solutions for Sun.

