R.I.P. Email?

George Fong, Nerd Herder, Lateral Plains, President, Internet Society of Australia

R.I.P. email. Well nearly. While the number of email accounts continues to grow rapidly, I'm predicting that email, as we know it today, will fade away as the world's most pervasive form of digital communications—possibly within three to five years. It’s not just that there are other ways by which people are communicating, it’s also because email is increasingly a risky way to communicate.

Let’s start at a simple level. Sending an email in the way that most of us do today is much like sending an old-fashioned letter, one that is paper-clipped to the outside of the envelope. The general population either doesn't know, or doesn't care much about, whether anyone sees what is in their email.

There are some professions who could, and probably should, protect their communications when sending them across the public Internet. The protection that most email users rely on is simply the sheer mass of emails being sent on a daily basis, and the assumption that their ISPs do the right thing and adequately protect their communications in transmission and in storage.

Unfortunately neither proposition holds up. Firstly, while going through the sheer mass of emails is a gargantuan task, it’s not impossible and email doesn't make it hard to search or parse if you have a clear idea of what you are looking for. Secondly, there are no industry standards as to how digital communications should be stored and what safety parameters should be put around that storage.

A significant number of users use POP mail, which most likely means the email is eventually offloaded on to the user's PC or device. It’s generally not the most secure environment.

There is a sense of security if the transmission of the email is encrypted (most devices and servers are, and should be, capable of talking to each other via SSL or TLS), but that doesn't really address the issue of the storage of those emails. So how about we just encrypt email?

Savvy users know about creating and registering PGP keys. They know how to share their public keys with other savvy users. They can send encrypted emails as well as receive them, but at the moment, setting up good PGP encryption on your email is hard. It is essentially out of the technical reach of most users. PGP encryption is made hard by the lack of support for it from many email programs (usually it’s via an external plugin). And, of course, it will only work if the other party to your email is doing the same thing. Most larger corporates have no excuse, but they're still not doing it.

As a primary communications protocol, you wouldn't exactly call normal email systems secure.

We should also consider, of course, the issue of email as a tool of malevolence. Spam accounts for about 80% of global email traffic. The majority of malware and trojan systems that infect vulnerable PCs and devices are, by far, delivered via email either directly as a payload or through a phishing link.

Many service providers (including ourselves) offer email filtering as a standard part of our commercial email offerings, but nothing is 100% foolproof and not all email systems are filtered adequately. Email filtering is essentially a catch up exercise—putting preventative measures into place once you have found something bad permeating through email.

In-house corporate mail servers, especially those operating under a desk in an SME's business, are notoriously variable in the protection they offer. (For corporates using cloud based mail services, the news is getting better, but it’s not perfect. There are increasing concerns about which jurisdiction(s) corporate email resides in, and who is capable of accessing and analysing them.)

Email filtering is a complicated and resource intensive activity. Our filtering systems do a barrage of tests on every single email that attempts to come in, ranging from a preliminary check of the destination, to granular inspection of the content. One of the first lines of defence introduced is a cross check of Realtime Blackhole List (RBL) databases. Does the sending IP address show up as a spam source in any of these databases? Yes? Then the mail server doesn't even complete the handshake and the email never leaves its source.

Eighty to 90 percent of all email delivery attempts are rejected by our systems at this point. We rely heavily on a number of those RBL databases out there and they are very effective—for now. With the advent of IPv6, while we have not seen a huge surge in spam across IPv6 protocols yet, the bottom line is that the sheer number of IPv6 addresses out there will mean that literally every single spam email could have its own IP address. A different approach will be needed. A lot of organisations are putting their minds to the issue but until email via IPv6 becomes mainstream, we don't have all the answers.
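An added example, not from the original article or the author's filtering systems: how a mail server forms the RBL (DNSBL) lookup name for a connecting IPv4 or IPv6 address and decides before accepting any mail, and why listing individual IPv6 addresses covers so little. The zone `dnsbl.example`, the sample addresses and the injected resolver are constructed assumptions so the code runs offline.

```python
import ipaddress

ZONE = "dnsbl.example"  # placeholder zone (assumption), not a real blocklist
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here


def dnsbl_query_name(ip, zone=ZONE):
    """DNS name looked up for a connecting IP (RFC 5782 convention)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # 4 octets
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def is_listed(ip, resolve, zone=ZONE):
    """`resolve` maps a DNS name to an IPv4 string, or None for NXDOMAIN."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET


def connection_decision(ip, resolve):
    """Decide at connect time, before any message content is accepted."""
    return "reject" if is_listed(ip, resolve) else "accept"


def addresses_in(prefix):
    """How many distinct source addresses a single prefix contains."""
    return ipaddress.ip_network(prefix).num_addresses


# Constructed blocklist: one IPv4 and one IPv6 entry from documentation ranges.
SAMPLE_LIST = {
    dnsbl_query_name("192.0.2.99"): "127.0.0.2",
    dnsbl_query_name("2001:db8::1"): "127.0.0.2",
}
sample_resolver = SAMPLE_LIST.get  # stands in for a real DNS lookup

if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.1", "2001:db8::1", "2001:db8::2"):
        print(ip, dnsbl_query_name(ip), connection_decision(ip, sample_resolver))
    # The listed IPv6 host has this many neighbours in its own /64 alone:
    print(addresses_in("2001:db8::/64"))
```

The unlisted neighbour `2001:db8::2` is accepted even though it sits in the same /64 as the listed address, which is the per-address coverage gap the paragraph above describes.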

As stated by Spamhaus, one of the leading RBL database providers:

“We expect that unforeseen scalability issues can be addressed incrementally as they start to make themselves apparent. Current traffic in the nascent world of IPv6 email today is of little use to predict what will happen when people start "using it for real".”

Now that's before the email gets into the systems themselves. After that, a veritable and ever-changing barrage of form, header and content checks is done. Many are done against filters that are updated hourly. Anything that doesn't pass muster gets quarantined. Out of the 10 or 20 percent or so of emails that do get into the system, around 10 to 15 percent end up in quarantine.

Overall, legitimate emails account for a small minority of email traffic. Clearly email is still an effective vehicle for delivering badness of many kinds, whether it’s phishing scams or payloads for malware and/or botnets.

Putting this in perspective, corporates are sending lots of their main communications down information highways that look more like combat zones. But there are many signs of change.

In the health and medical field, secured, encrypted messaging is non-negotiable. Companies such as Argus Connecting Care provide essential point-to-point encrypted messaging for medical practitioners, specialists and hospitals.

Increasingly, government procurement portals provide ways in which businesses and non-profit organisations can submit tenders and reports, schedule events and activities, and correspond. And, of course, there is a plethora of cloud-based groupware and project management systems such as Basecamp that provide complete end-to-end management, document handling and communications systems. Email is in many cases an optional function.

Perhaps what is noteworthy is that there are cultural changes in the way that we are communicating. There is now a generation of people moving into the workforce who were brought up on the Internet. Their primary form of communication is mobile and it’s social—and it’s one to one. Whereas you will receive email from anyone who has your email address whether you like it or not, with many forms of social media, you can choose who you want to talk to and how.

In the same way that smart phones are now used less and less for “traditional” phone calls, there's already clear evidence that email is falling out of favour with family and consumer users, which is where this young generation is transitioning from.

It’s interesting to reflect on the fact that email pre-dates the Internet as we know it and operated on hermetically sealed mainframe systems, where terminals were connected directly to them. In typical fashion, the innovators who integrated email into the Internet could scarcely have contemplated the explosion of its use by so many different quarters of the human population—or the dangers that would arise.

In typical fashion also, fixes, add-ons, extensions and myriad different technical adaptations of the original mail protocols have been applied to keep bad human behaviour and exploitation (and that's the heart of the problem really) at bay.

At the end of the day, it is a very hard job to keep emails clean and safe. I think we have to start questioning whether it’s viable or even worth the effort to keep breathing life into email.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
