Table of Contents

• What are the major misconceptions about e-mail (outgoing)?


• What are the major misconceptions about e-mail (incoming)?


• What criteria should I use in choosing an e-mail server (and the people to manage it)?


• Sure, sure, we care about Internet standards. Don't we?


• What guidelines should the company use for setting e-mail policies?

Spammers and other bulk e-mailers quite commonly put other stuff in the To:or Cc: header, often as part of a long list of actual recipients. This is why the address given in the To: or Cc: header may be alphabetically quite close to that of the person who received the message. It is just the first address in an alphabetically sorted batch of spam recipient addresses. The From: header can be similarly forged, and it may bear no relation to the address that the mail system understands to be the sender of a message (the "MAIL FROM" parameter), which itself may be forged. To confuse the true message source from the naive recipient, a spammer may put one address in the From: header and another address in the MAIL FROM parameter. Either could be set to the address of the recipient, and neither has anything to do with the spammer. Ordinarily, spammers use addresses of innocent bystanders.

Another common user concern is receiving nondelivery notifications for messages they did not send. Here, too, the end user is the unwitting victim. This activity is almost certainly the result of an infected computer. Many viruses and other malware generate e-mail (often spam). As one measure to disguise its origin, the Bad Guys forge the (apparent) return address, using the e-mail ID of an innocent third party. When the message fails to deliver, a "bounce" error message may be generated, which is sent back to the apparent sender (the forged e-mail address).

Unfortunately, neither the user nor the e-mail administrator can do anything to prevent an address forgery. It is inherently impossible, due to the way the mail transfer protocol standards are designed, and it is rarely possible to identify the culprit computer or its operator. The full Internet headers and content of the failure message may provide clues, but they depend on the mail system generating the errors.

What criteria should I use in choosing an e-mail server (and the people to manage it)?

Getting your money's worth out of an e-mail system requires a carefully balanced investment in technical and human resources and, for many organizations, in outsourcing some elements. There is no off-the-shelf, one-size-fits-all solution.

Your IT shop may feel more comfortable using proprietary software for mission-critical applications. (And for most companies, e-mail is mission-critical; imagine what would happen if it quit working for 48 hours.) However, e-mail is among the server applications that have fully embraced open source. This applies to both the store-and-forward e-mail application itself as well as related software, such as e-mail discussion lists, spam-fighting processors and antivirus tools. If your e-mail administrator wants to use an open-source mail server, listen; a high percentage of professional-quality mail systems are built on Unix- or Linux-based operating systems and use open-source software. Some administrators think very poorly of the proprietary options (though opinions do, of course, vary considerably).

For the most part, however, the key decision is not in choosing the software for your mail server, but in choosing the person to run it. All too often, particularly in small and medium-size companies, e-mail administration is not considered a full-time job. Instead, it's given as an extra responsibility to someone "technical" (such as an application programmer, or even a receptionist who figured out how to make Excel work). However, keeping up with mail server topics requires far more attention and much more training than many companies assume. This is a major shift from 20 years ago, when e-mail administration was relatively simple-and we didn't have to worry about spam, viruses, and (a growing problem) lame efforts to protect the enterprise from those threats.

Just as a lazy postal worker can play havoc with paper mail, a stressed-out mail admin can really mess up electronic mail. So many things have to work for mail to work-DNS, network routing, open ports on the receiving mail server-that it's sometimes amazing that e-mail works as well as it does. So choose the person wisely. (If that isn't feasible, consider outsourcing your e-mail management.)