Email security and the promotion of email authentication technology continue to be at the forefront of our efforts. This year Alt-N Technologies was privileged to have received the Online Safety Leadership Award from the Authentication and Online Trust Alliance (AOTA). And, we hosted the first DKIM Interoperability event to test different scenarios for signing and validating email messages between the products and services of participating vendors, service providers, and associations. While there is still more to be done in this area, 2007 turned out to be a very productive year.

We also released our most powerful version of MDaemon. Historically, the development team and I are continually responding to customer requests for new features to ensure that the MDaemon email server provides the latest security and performance features our customers need and want. We have always prided ourselves on our ability to quickly design, implement, and deploy new features throughout the year - 2007 was no exception. The latest release of MDaemon features almost 70 new enhancements including key technologies such as email certification, email backscatter protection, and implementation of the IETF’s latest Sender Signing Practices for DKIM - the next phase in email authentication.

Our customers truly drive our business. In the 4th quarter of this year we released the MDaemon Email Appliance as a response to many customer requests for an all-in-one software/hardware solution. Customers from education, government, legal, and finance industries have benefited from the ability to order the MDaemon email software on a preconfigured appliance that has been built with their unique business specifications in mind. The flexibility of a software or hardware email solution is just what many small and medium businesses want.

I am also happy to report that Alt-N Technologies continues to outpace the industry in terms of growth. Our international channel partners have done a great job at building customer relationships and we continue to hear from satisfied customers who have discovered the power of MDaemon as they look for new or alternative email servers to support their growing businesses.

I am also looking forward to 2008. We will release a new product: The SecurityGateway for Exchange/SMTP. It is a product that customers have been asking us to develop for some time now. The SecurityGateway for Exchange/SMTP has been developed leveraging Alt-N Technologies’ years of expertise in email security technology and will deliver exceptional gateway protection with some of the most flexible reporting capabilities on the market. We are very excited about this product so look for something early in the first quarter of 2008.

Finally, all of this would not be possible without the support and dedication of a talented staff and loyal customer base. When Alt-N Technologies was created over 10 years ago, I knew it would be successful if we stuck to the basics: listen to the needs of the customer and develop products that provide enterprise-level features that small and medium businesses could easily manage and afford. As our company continues to grow, we never forget the importance of earning our customers’ business and their trust.

Happy Holidays!
Arvel

We spent a lot of time torturing each others’ products trying to find bugs and weaknesses in the various implementations of DKIM and the specification which defines it: RFC 4871. And we did find a few bugs and ambiguities. What was exciting about this event was that it was well attended by engineers and developers who were able to fix their bugs right then and there in many cases. MDaemon had a few minor problems, which we were able to fix during the course of the Interop Event. A few ambiguities in the DKIM specification were also identified and we will get them cleared up.

Thinking about it days later, there are a few things that struck me as important about this event. First, I’m reminded that it was only a relatively short time ago that DKIM existed only on paper and in the minds of a small team of highly talented people devoted to doing something to combat the problems of Internet email fraud. I’m reminded that only a short time ago there were a total of three working implementations of DKIM: 1) in our own MDaemon email server, 2) in SendMail’s product, and 3) at Cisco.

Second, I was reminded about the importance of the IETF process. I believe that the increase in DKIM implementation and enthusiasm is due, in part, to the legitimacy and “completeness” implied by the rigors and review of an IETF process.

Third, I was struck by the importance of face-to-face interactions when it comes to community building. There really is no substitute for it. Although we did have some attendee’s participating remotely, it was the act of getting to meet, listen, and discuss this technology with peers in a face-to-face environment that I enjoyed most about this event. These folks really knew their stuff and I was honored to have hosted them. Believe me, when you come to Texas, you will get treated right!

Finally, I was struck by just how well this DKIM stuff actually does work. It really does deliver as advertised and we found no significant technological problems which would hinder adoption or deployment.

As I looked around the Alt-N conference room that was packed with people from all facets of the industry, I realized how much things have changed. Although we have more building to do towards wide-spread deployment of DKIM, we have made significant progress.

I will never forget this event and the feeling of community that was present. I am so glad to be able to play a role in building stronger email technology and to be associated with this level of talented and devoted people.

Arvel

Yesterday morning we were all awakened at 8am because the entire cruise ship was shaking violently. I’ve never experienced anything like this. We were at a port! This shaking lasted about 30 minutes and it was impossible for anybody to sleep. Outside my window there is a hot tub on the deck below. The water in the hot-tub was jumping up and down from the violent shaking. This wasn’t a gentle thing. It was a “rattle the jewelry off the night stand” type of shaking. It kept us awake and we’d been up until 4:30am the night before!

But wait, it gets better…

I purchased a new wardrobe for this trip before leaving Texas. Since this is a long cruise I needed to have some of it cleaned. This morning some of it came back from the ship’s laundry. Well, I put on my favorite new $90 polo shirt, determined not to let any of this “get to me.” Then I looked in the mirror and I could see my left nipple - ROFL! The cruise line’s laundry service had torn a hole in my new shirt making me look sort of like I’d just been lifted on board from a raft after three months stranded at sea. Consequently, I’ve decided not to inspect my other clothes until I’ve had at least 6 hours of hard drinking.

To add insult to injury, the laundry service lost my pajamas and all my underwear. This isn’t a total loss, however, as they have also mistakenly given me another man’s wardrobe of under-garments. Now, normally I would complain about this, but as I sit here in this other man’s boxers I find it strangely compelling. Well, the truth is, we did have to draw the line with this incident because we never signed up for the ship’s underwear exchange program! So, my wife and I have officially complained about the underwear situation, I’ve reluctantly removed my new boxers, and there are at least four officers now searching the ship for the phantom undergarments. Meanwhile, there’s some poor soul on board somewhere who’s in the same situation as me… I hope he likes my briefs.

All we want now it to get off the ship alive.

Yours,

The Prisoner of Davy Jones

It’s that time of year - time for a relaxing vacation with the family. Well, that’s what I thought anyway. I’m currently on a cruise, but this is not the normal cruise experience. So, I thought I’d write some of this down before I forget about it.

There are several problems with the cruise line I’m on (which shall remain nameless) - to say the least (ha, ha). At this point, my wife and I are viewing this as a new form of comedy and so now when we get treated badly, we just laugh about it. We are having a very good time. It’s all a matter of attitude.

First - the crew of the ship. These people are the rejects from the Flying Dutchman. Nobody smiles, nobody talks, and nobody says “thanks.” They are all just serving out their sentences hoping that one day Captain Blackbeard will release them from their debts.

A typical example: We went to the casino, sat down at a table and the dealer rolled her eyes and muttered complaints about us being there (ha ha). Just this morning our server treated us as if we had the plague. Nobody can understand why we’re laughing when we’re treated badly and I think this drives the crew into an even greater state of depression about being sentenced to serve time aboard “The Dutchman.”

Second- the ship itself. Periodically and for lengths of time between 15 and 30 minutes, the ship makes the loudest most gut-wrenching sounds of metal scraping against metal. It is enough to wake us all up when it happens at night. I still have no idea what it is but it’s coming from deep in the bowels of the ship. The crew seems unconcerned - maybe because they are also sentenced to this ship in the afterlife. I’m certain the sounds are from the anchor chain or something like that. Seriously, it’s nothing to worry about because we’d all be dead already but I’ve never in my life been on a ship that makes such noises.

Third - the actual cruise planning. This is the height of comedy because there isn’t any - really. For example, our first stop was Nassau Paradise Island. Now, I’ve been there before or I’d be really upset (as many other prisoners aboard the Dutchman were). We arrived about 2pm - everything closes at 5pm on the island and then we leave (ha ha ha!). There was just enough time for some people to leave the ship, get to the places they wanted to go, find them closed or about to close, and then get back to the ship. ROFL!! This is a joke compared to the other cruises I’ve been on which planned an entire day there with guides to a private beach on the island, time inside the Atlantis casino, for example, with time for the excellent aquarium they have at Atlantis, etc. Next we went to a “private island” apparently leased to the “nameless cruise line” from the Bahamians. We were graciously permitted a “shore-leave” of 5 hours on the world’s smallest beach. This really had my wife and me laughing. There were 2,000 people trying to find a space on 2 square feet of sand (ha ha). This is in stark contrast to a previous cruise that we took where we went to a real private island that had a real beach and more than enough room for everybody (ha ha).

Fourth - ship operations. They refuse to use the tenders on the boat. Instead they have contracted with shore personal to send out 2 very large 700 person barges. They use these to embark/disembark the passengers for “short leave” rather than the 40 - 60 man tenders that I see hanging on the sides of the ship. This means that the line to leave the ship and the line to get back on is 700 - 1,000 people long and if you miss the first one you have to wait for 700 people at a time to travel from shore to the boat and get processed one at a time through the metal detectors, etc. Most of the time spent off the ship so far is spent in this process. ROFL!! Real cruises will run 10 or more tenders in a continuous operation shuttling people on/off the boat so that nobody has to wait in any lines and so that no time is wasted in “processing.” They are doing this, I assume, to save money.

Fifth - the food situation. As for quality, it’s suitable and appropriately terrible as befitting the Flying Dutchman. One of the things that make a cruise special is getting assigned your own wait staff who follows you from restaurant to restaurant each evening, taking care of all the particulars for you. You feel special when they treat you special. They have dispensed with that here. The ship has hot-dogs and cheese-burgers. Anything else requires a reservation at one of the independently operated restaurants on the ship, which can be quite expensive. In fairness, we’ve been visiting these restaurants and the food is excellent. But, for the most part, it’s hot-dogs.

Now let’s talk about the room service. Here I don’t even know how to begin to describe how funny this is. For starters, you can not understand the English of anybody working at the other end of the telephone here. It’s truly comical. I have a new game that I play now with room service: every night before bed, I order something just to see if they get it right. It took four calls over two days to get “nachos” right. They think it’s just chips and salsa. However, there is still a disconnect. When I explained that nachos are just chips with cheese on them, I thought they finally understood until they asked me later, “so you want ‘nachos’ and cheese too?” I said, “no, that’s what nachos are - oh forget it!” Tonight I’m going to try soft-tacos and see what happens.

Oh God, they tell me we’re headed into the Bermuda Triangle now. Hope to see you all again.

Yours,

The Prisoner of Captain Blackbeard

Firstly, MDaemon 9.60 has been in development for over 8 months. One of the first things we did was move all the source code and build procedures off of Visual Studio 6 using Source Safe 6 and onto Visual Studio 2005 with Team Foundation Server. For a project that had been using those older tools for many years, this required an intense effort.

Next, I made it a point to re-visit some of the old “known issues” that dated back a long while and which have persisted due to design limitations. Several of these were happily fixed, which will make long time users of MDaemon very happy!

Several significant technological advances have made their way into MDaemon 9.60. These include support for image spam and child pornography detection and blocking which will be appearing in SecurityPlus for MDaemon soon. You’ll also like account grouping which allows you to arbitrarily define groups of users to which policy can be applied. We will be expanding on this capability throughout the 9.6 series. There is also support for sub-addressing which allows you to route email directly into various folders by using special email address forms.

One particularly exciting new capability is message certification. MDaemon now has the ability to check whether messages are “certified”. Certified messages can help you determine whether a message should be accepted or not. Alt-N offers a free certification service for MDaemon customers.

Backscatter Protection puts a stop to the problem of email backscatter - email your users receive telling them that a message they never sent in the first place failed to be delivered.

The gateway feature set is important to a large percentage of our customers and has seen numerous and significant improvements including a totally new email address verification system.

Don’t forget DKIM. DKIM was approved by the IETF as an industry standard and has been assigned as RFC 4871 (http://www.dkim.org/specs/rfc4871-dkimbase.pdf). Naturally, MDaemon 9.60 contains a completely up-to-date and thorough implementation of this email authentication method.

On top of all this, several performance improvements make this the best performing MDaemon ever!

In summary, MDaemon 9.60 includes some 69 new features - 8 of them I’ve classified as major improvements - and 94 specific fixes and improvements to various customer requests. It is a major accomplishment for us. I hope you love it as much as I do! But, now, it’s onward to the next release!

Arvel

Links:

• MDaemon 9.6 Release notes
• New customers, Evaluate MDaemon 9.6 for free
• Existing customers, upgrade to the new MDaemon 9.6

This past week the AOTA held its annual Authentication and Online Trust Summit in Boston, MA. Events like this are important because they provide a venue where like-minded people can be reminded of the scope of the problem we are facing.  We’re also informed of the success (or failure depending upon your view) of our attempts to meet these challenges. Finally, we’re able to recharge each other’s batteries for the on-going battle.

Now, it’s not all bad news. Although the bad-guys never seem to sleep there are those in the online safety community who are equally tired. One need look no further than the AOTA’s recitation of the millions of email domains (and counting) protected today by authentication techniques such as Sender-ID and, increasingly, DKIM.

At the AOTA summit in Boston, I was honored to accept the first Online Safety Leadership Award on behalf of the employees of Alt-N Technologies for work in the early adoption and deployment of email authentication technology. On behalf of all small businesses everywhere, I reminded the audience that it isn’t just the Fortune 500 who care about the illicit use of their domains and wish to protect their users from email-borne abuse. Those concerns do not depend on the size of a business.

Receiving this award was very meaningful for us. It’s difficult to put into words the feeling that a small entity like Alt-N has when so honored by corporations the size of the known universe. It’s very humbling and honoring and should remind us that even contributions from small companies can make a difference.

Another great thing about events such as the AOTA summit is that it affords smaller, more focused groups an opportunity to find some time alone in which to transact their concerns. Such was the case for DAC (the Domain Assurance Council) which held a dinner to both socialize and discuss progress made over the past months. This group is focused on addressing a specific portion of the “what can we do with authenticated email” question and revolves around attempts to standardize access to email certification and reputation services. I’m fortunate and honored to be in a place where I’m allowed to help with the technical development of these concepts while at the same time guide Alt-N into serving as an encouragement for others by demonstrating that these concepts can be put into practice. We are about to prove with MDaemon 9.60 and our email certification project that the ideas of DAC do work.

So, in conclusion, events like the AOTA summit increase my optimism concerning our ability to deal with the threats to user confidence and trust in email. As long as we are dealing with the issues we will make progress.

What the IESG approval means is that the DKIM signature document is now an official industry standard. This should send a signal to vendors and implementers who’ve been sitting on the fence. It says, “It’s ok to make DKIM products and services now - we’re done changing things.” What I’d hope to see is an accelerated proliferation of DKIM capable products and services. That’s a Good Thing. The more companies we have adopting authentication technology in general, and DKIM in particular, the better our efforts will be toward combating those individuals who seek to harm others through malicious use of email.

Authentication is the foundation required in order to get domain based reputation off the ground. When that occurs, the benefits to senders and receivers will be tremendous. But even without formalized reputation assessments, DKIM has benefits. With DKIM alone, one can know for certain that a message not only claims to be - but that it actually was - sent through paypal.com, as an example - helping to fight Phishing scams. With DKIM alone, one can determine that a message has arrived unaltered - byte-for-byte - as the sender intended - helping businesses reclaim trust with their customers. I am perplexed by how little attention this core feature of DKIM is understood. With DKIM alone, one can setup internal Whitelists such that authenticated messages from approved sources don’t waste time in “false-positive” prone spam filters - helping messages get to their intended recipients more efficiently.

My friends, this is real progress!

To this day, I consider my involvement in the creation of DKIM to be one of the major highs in my career as both someone involved in the email business for over 10 years and as a developer of email software that is used around the world today.

The DKIM work is not over yet. Even though the base specification is now an official standard we have more work to do in the market through promoting adoption and deployment of this standard.

Email is a powerful communication tool that has become an important part of our business and our lives. And as CEO of Alt-N Technologies, I am committed to doing all I can to keeping us focused on providing small-to-medium businesses with the most feature-rich, affordable, and secure messaging solutions in the industry.

Stay tuned. We’re not finished yet!

Another use which is perfect for DKIM goes like this: We run a service whereby customers using our email security solutions can receive specially formatted “Urgent Update” emails which trigger an immediate virus signature update. We blast out these emails during new virus outbreaks so that our customers, rather than having to wait for their next scheduled update, acquire the protection they need immediately. Authentication of these messages by our email platform is, of course, critical. Without it, an attacker could flood our customers with bogus “make work” emails. In the past we’ve used path-based authentication techniques - our software would only honor “Urgent Update” emails received from our IP addresses. However, this presents the obvious problems of not being able to out-source the sending of these emails and not being able to change IPs when necessary. Cryptographic authentication approaches like DKIM completely solve these problems.

The most anticipated application of DKIM that I am aware of would be the assessment of an authenticated identity associated with a message using the services of one or more of the major reputation providers. Such services would be domain based rather than IP based which seems to make more long term sense. Fledgling steps toward this are already taking place. Through the work of the Domain Assurance Council (DAC), Alt-N is helping to define protocols by which such assessments can be acquired. The first, Vouch By Reference (VBR), will be fully supported by the next release of the MDaemon email server. VBR describes a mechanism through which certification data can be obtained. Certification is a process whereby a source that you trust “vouches” for the “good behavior” of some third party. If you trust the judgment of the “voucher” (or certifier) you could, for example, skip expensive spam filtering on messages which should be “ok”.

So, who’s doing the certifying? So far, nobody. But that doesn’t mean that the effort is worthless. It’s our hope that the major reputation/ accreditation vendors will take up the mantle and provide these domain based services on a global level. Until then, regional or “specialized” certification programs might materialize. For example, Alt-N will be running a certification server using VBR and will certify messages on behalf of the MDaemon community. My hope is that this will serve to prove that VBR can work, while at the same time provide a real value-added service for our customers.

Who knows where DKIM will take us. Authenticated email is relatively new. One thing is certain: there is a lot of brain power working this one and you can bet that there will be many applications on the horizon.