Jungle Out There
e-mail in a dark, new world of spam, malware, confidentiality and
By Dennis Kennedy
September/October 2004 Issue
In Joseph Conrad’s seminal novel, “Heart
of Darkness,” Marlow entered the belly of the beast in the African
jungle, facing the evil of humanity in this unknown territory.
Unprepared for what he was to face, Marlow’s trip through darkness ends
in shock and dismay at humans’ capacity for malevolence. Learning by his
example, for all those about to face the dangers of the technology
jungle, preparation is key.
In many law firms, paralegals often are
the venturers of today’s e-mail jungle. They often communicate directly
with clients, courts, witnesses and opposing counsel. Paralegals
increasingly are delegated everyday matters of e-mail communication that
can have far-reaching results.
For every e-mail action, there is a
practical question that must be answered. For example:
“E-mail a copy of this document to the
other side.” In what format? Should metadata be cleaned? What rights
to edit the document should be enabled? Who gets copies? To whom can
the recipient further forward the documents?
“This message is privileged and
confidential.” Does that mean you should handle it in a different way?
If so, how? Does putting the same disclaimer on every e-mail message
help us or hurt us? What about encryption or password protection?
“Why can’t I find all the documents in
the file in one place?” How do you create a central document
repository without having access to everyone’s e-mail accounts? Should
there be record retention policies? If so, should the lawyer give you
“How did I send the client a virus?”
“Why am I getting so much spam?” “Why can you find e-mail messages and
I can’t?” The list goes on and the answers get even more difficult
In the meantime, the number of messages
you get each day continues to grow. It gets harder to find important
e-mail among the spam, forwarded jokes, intra-office e-mail and the many
messages carbon copied to you simply by being part of a case. The wave
of e-mail reaches higher and becomes more urgent. You want to run away
from your Inbox, but now the firm is giving you a BlackBerry handheld so
you can receive your e-mail anywhere, any time.
Welcome to today’s world of e-mail. Some
have called heavy e-mail users the “leading edge of the coming
information tsunami.” If you, on the other hand, think it’s not so bad
now, hold onto your hat for what will be coming soon.
How Real is the
Internet usability expert Jakob Nielsen has said, “Whether
people get 10,100 or 1,000 e-mails a day, they all say the number they
get is overwhelming.”
Spam has become a major problem for law
firms and businesses. In recent months, as much as 70 percent of all
Internet e-mail might have been unsolicited commercial e-mail or spam.
Of the spam that is received, an
estimated 50 percent of these messages contain viruses, spyware or other
malware (software designed to disrupt computer systems). The Federal
Trade Commission recently backed away from creating a “Do Not Spam” list
because such a list might benefit spammers more than e-mail users.
Experts also are beginning to believe
e-mail is being asked to do more than its original intended purpose.
Remember the days when getting an e-mail meant you were getting a short,
informal, usually helpful message?
As computer users increasingly ask
e-mail and e-mail programs to operate as document managers, record
retention policy tools, collaborative discussion and drafting tools,
message thread managers, security, confidentiality and encryption tools
and even more, the humble e-mail tool begins to break down.
Goals of E-mail Management
There are at least seven goals of e-mail management:
Control the overall volume of messages
Make the most important messages the
Turn actionable messages into to-do
Make messages findable
Minimize security and other dangers
Enhance your communications with others
Protect your client’s interests and
How many of these goals are you
currently achieving? How many can you realistically expect to achieve
and what are the consequences if you don’t? Your answers to these
questions will vary depending on your particular situation because the
use of technology and each person’s individual organizational structure
is very personal in nature.
While keeping your e-mail management
goals in mind, you should consider the following 10 Rules of E-mail
Ten Rules of
1. Protect Your Inbox.
If you forced me to boil down all of e-mail management into
three words, the phrase “protect your Inbox” would be it. What do I
mean? Your Inbox, ideally, should contain only recently actionable
e-mails. In fact, most of the time your Inbox should be empty, nearly
empty or in the process of becoming empty.
The key concept is: An Inbox should be
an Inbox, not a message repository, not a to-do list substitute, not a
research folder and not a junk drawer. I once heard a lawyer admit to
having more than 29,000 messages in his Inbox.
The Inbox is something you want to
protect. You want to limit the amount of unnecessary messages coming
into it. You want to move categorizable messages out of it and into
appropriate folders, either manually or automatically. You can protect
your Inbox before e-mail is sent to you, as you receive e-mail, as you
store e-mail and believe it or not, when you send e-mail yourself.
When you limit the amount of unnecessary
messages you receive, you deal with spam, security and volume issues.
You can do so before e-mail is sent to you by using “non-work” e-mail
addresses, not publicizing your work address and avoiding unneeded
mailing lists or carbon copy lists.
You can combat unwanted e-mail as you
receive it by using spam filters, rules that move certain messages
directly to folders and “safe practices” in handling suspect e-mail, and
when storing it, using a variety of folders and having a firm finger on
the “delete” key. You also can protect yourself when you send e-mail by
not responding to every message, not opening spam and resisting the urge
to forward or “cc” extra people.
When you set up folders and subfolders,
you allow yourself to move messages out of the undifferentiated mass of
your Inbox and into appropriately named and organized folders. Rules and
filters are tools I discuss in more detail later. If you use them
wisely, your Inbox will contain only uncategorized messages, allowing
you to focus on them and deal with or dispose of them quickly.
Finally, the term “protect your Inbox”
becomes especially meaningful when you consider that e-mail is the most
likely entry point for viruses, spyware and other malware. Poor
protection of your Inbox all but guarantees security problems.
2. Never Reply to Spam Messages.
Spammers make a lot of money, and none of the ways they make
money is beneficial to you.
First, they make money by selling lists
of active e-mail addresses to other spammers. By replying to a spam
message (even to request you be taken off the list), you have confirmed
you have an active e-mail address and you will receive even more spam.
Second, they might make money by using
identity and other information you voluntarily supply for nefarious
purposes. This process is now known as “phishing,” but you can think of
it in terms of identity theft or looting your bank accounts and credit
Third, a spammer might be able to make
money by allowing a virus maker to attempt to spread a virus through
Fourth, spammers might actually sell
products or find people willing to send deposits or other funds to
Nigeria as downpayment. This happens in a surprising number of cases.
All these reasons have two things in
common: They don’t help you, and replying to an unsolicited e-mail
greatly increases your chances that something bad will happen to you.
Don’t take the risk.
3. Never Click on Anything in a
Clicking on any link in a spam (or any other message, for that
matter) might take you to a place on the Internet other than where you
expect, launch a file or script you don’t notice, or install viruses,
spyware and other bad stuff.
Clicking on links can take you to fake
Web sites that appear to be legitimate Web sites, to Web sites that pull
information off your computer or install tracking or other software, or
do other things limited only by the imaginations of the bad people and
the current security holes in your operating system. At the very least,
clicking on a link will show someone you have an active e-mail address,
priming the pump for you to receive even more spam.
4. Never Open a Suspected Spam
Do you see a trend here? You want spammers to believe your
e-mail address is not active. You also want to reduce the opportunity
for an e-mail to load a virus or gather information from you. In certain
unpatched versions or older versions of Microsoft Outlook and Outlook
Express, for example, the simple act of opening an e-mail actually can
open the attachments to that e-mail. In fact, in some cases, even
viewing an e-mail in the “preview pane” can have the same effect. New
attacks are being devised every day.
Usually, you easily can identify spam
from its subject line. Simply delete it and go on. I go even further. If
I have any doubt an e-mail is legitimate or if there is a blank subject
line, I delete the message without reading it. In addition, a message
with a subject line suggesting it was sent to you because a message from
you contained a virus can safely be disregarded and deleted. If you
actually send a virus to someone you deal with, he or she will call you.
5. Only Open Anticipated E-mail
Attachments in Expected Formats.
The common advice on e-mail attachments is never open an
attachment from someone you don’t know. While that is good advice as far
as it goes, it gives you the false impression you safely can open
attachments from people you do know.
Many common viruses work by gathering
names from the address book of an infected computer and sending copies
of the virus to those addresses. Today’s most malicious viruses appear
to be sent by someone who has your information in his or her “contacts”
folder or address book. Your biggest danger is more likely to come from
an attachment from someone you know than from someone you don’t know.
Sometimes a message that doesn’t make
sense will alert you to a danger, but that isn’t always the case. Open
an attachment from someone you know only when you are expecting to
receive an e-mail with an attachment. The other piece to the puzzle is
to realize techniques are available to create file names that hide the
true nature of the underlying files. For example, we now know files that
end in the extension “.exe” or “.pif” are bad, but many people don’t
know the “.exe” or “.pif” can be disguised so the file appears to be a
common “.doc” or Portable Document Format file. Therefore, if you are
expecting a PDF file from someone you know and you get an e-mail with an
attachment that isn’t a PDF file, call to verify what has been sent.
6. Use Windows Updates, Antivirus
Programs, Firewalls and Spyware Detectors.
E-mail is the biggest source of an entry point for viruses,
spyware and other malware. Running antivirus software is essential, but
it’s not enough.
Most computer attacks today exploit
known security holes in Microsoft Windows. Although the time lag from
discovery of the hole to the release of a virus that exploits the hole
has dropped to less than two weeks, every major, highly publicized virus
in the past few years has successfully targeted Windows security holes
for which patches already were available. You can and should set up
Windows to automatically search for, download and install critical
updates. Hackers actually have taken advantage of Windows holes to
disable antivirus programs.
A personal software or hardware firewall
protects your computer from outsiders trying to break in and prevents
information from being sent out of your computer without your knowledge.
A hardware firewall takes the form of a router or switch, but requires
careful attention to the setup instructions. Windows XP has a free
software firewall built into it, but it’s turned off by default.
Software firewalls, such as ZoneAlarm by Zone Labs (www.zonelabs.com),
are highly rated and available in free versions. If you are not
convinced, try one and see how quickly attempts are made to break into
your computer and how much information is going out to the Internet from
Finally, many bad e-mails carry a
combined payload of viruses and spyware. Removing the virus doesn’t
remove the danger. Spyware is software that collects and sends out
information about you, your passwords, your use of your computer, and
other information. Trojan horses are programs that allow an outsider
easy access to your computer. Keystroke trackers record all your
keystrokes and send them to third parties. Spyware is a growing problem.
The good news is two of the recommended spyware programs, Ad-aware by
and Spybot Search & Destroy (www.safer-networking.org/en/index.html),
7. Use Folders, Filters and Rules
A great Inbox protection technique is to use folders, filters
and rules to bypass the Inbox completely. If you don’t know how to
create folders, a quick visit to the Help menu in your e-mail program
will bring you up to speed in a few seconds. Create some folders that
reflect your other types of folder classification schemes. You might
have a “Client” folder, with subfolders for individual clients. You
might have “Firm,” “Department,” “Newletters,” “Court” or other
descriptive matter folders. Some people prefer to create “action” or
“priority” folders, such as “Reply,” “File,” “Urgent,” and the like.
There is no “perfect” approach, although reading David Allen’s excellent
book, “Getting Things Done” (Pengum Putnam, 2001), might suggest a very
effective approach to use as a model.
If all you do with your folders is “drag
and drop” e-mail from your Inbox to the appropriate folder, you will
accomplish a great deal. After a few hundred drags and drops, you might
find yourself longing for an easier way. This is where filters and rules
come into play.
Filters and rules (they are the same
things, but different programs use different terms) are relatively
simple computer scripts that automatically perform specified e-mail
tasks. As a practical matter, you create them painlessly by using
“wizards” in your e-mail program that walk you through the process. If
you would like any e-mail from a certain individual or with a certain
word in the subject line to be grabbed when it arrives and moved to a
specific folder without ever appearing in your Inbox, just check a few
selections, give the rule a name and apply it. The next e-mail you
receive will skip the Inbox and appear in the correct folder. In
Outlook, the number of new messages in each folder are indicated in
parentheses and the folder name becomes bolded when there are unread
If you use recent versions of Outlook,
look for a menu option called “Organize.” It’s a stripped-down wizard
that creates some of the most common rules, including “move to a
folder.” If you have a highlighted message in your Inbox, you can use
the Organize tool and it will grab the information it needs to set up
your rule (e.g., sender’s e-mail address) and streamline the rule
creation process. Even better, it asks you if you also want to apply
your new rule to the messages already in your mailbox. If you say “Yes,”
the rule moves all the old messages that fit the rule out of your Inbox
and into the folder. You don’t have to find each message and drag and
drop it into the folder. This tool can cut an overstuffed Inbox down to
size very quickly.
8. Use a Heavy-Duty E-mail Program
and Make Better Use of Advanced Features.
People use a variety of e-mail programs. Some are free. Some are
simple. All will get the basic job done. However, in the law firm
environment, remaining at the “getting the basic job done” level is a
classic example of being “penny wise and pound foolish.”
I recommend moving to the high-end
e-mail packages and the newest versions. These include Microsoft
Outlook/Exchange, Novell’s Group Wise, Eudora Pro, Netscape Mail,
Mozilla Thunderbird, and, in certain cases, IBM’s Lotus Notes.
Why? Control, management, flexibility,
power and built-in safety features. You want to become a high-level
e-mail user. You can’t do that without the adequate tools. The
professional programs allow you to create rules and filters that will
sort and move your mail to folders on arrival, view mail in ways that
work for you and create mailing groups. They also flag and set reminders
on e-mails, convert them to to-do and calendar items, customize your
spam filter rules and block dangerous attachments or hidden programs.
E-mail is a better and safer experience
with the high-end tools. One caution: Be careful with older versions of
these programs. They might not be supported, have known security holes
or lack updated features.
9. Become an Artist With Your
Make good use of the subject matter (or “re”) line of your
e-mail messages. Give a good, concise summary of the content of your
message to help people assess the priority of your message and locate
your message when they need it later.
Compare an e-mail with the subject line
of “Depo” with one that says: “List of Proposed Questions for John Smith
April 15, 2004 Deposition (NEED COMMENTS BY FRIDAY).”
You might also find adding the phrase
“No Response Needed” will help you by reducing the number of “OK”
replies you receive.
Today’s spam filters also place a
premium on well-chosen, well-crafted subject lines. Lack of a subject,
capitalization or use of certain words can trigger many spam filters and
keep your message from successfully making it to your intended
recipient. In fact, this spam filtering problem has grown to the point
where many people call to make sure important e-mails have been
Another benefit of great subject
headings is you easily can track and collect all the messages on a
certain topic. Never send e-mails with blank subject lines.
10. Use Your Delete Key With
Unless there is a specific policy in place at your firm, there
is no reason to keep every single e-mail you receive, legitimate and
spam, forever. Delete what you don’t want and you will feel better. The
first step in dealing with my Inbox each day is to go through and delete
everything I can before I open the first message I want to read. It’s
therapeutic and it lets you see what you have.
Issues to Consider
The Internet is now a different, more dangerous place than it
used to be. If you don’t pay serious attention to the changes that have
happened and continue to occur, it will be a miracle if you avoid
serious problems as a result of your or your firm’s e-mail practices.
Unfortunately, as frontline e-mailers, paralegals increasingly are being
placed in shaky situations. However, there are several steps legal
assistants can take to make sure they don’t inadvertently place their
firm in danger.
historically have assumed everyone knows how to use e-mail. Serious
e-mail training is relatively uncommon. It’s quite reasonable to ask for
advanced training on your firm’s e-mail program.
Because of client confidentiality agreements, law firms must
practice extremely safe computing and safe e-mailing, especially since
so much of law firm work and client communication takes place via
Many firms think confidentiality
disclaimers at the bottom of e-mails cover client confidentiality
agreements. Think again. These disclaimers automatically are placed at
the bottom of every e-mail, even the ones you send to say at what
restaurant you will meet someone for lunch. If your firm is faced with a
question of confidentiality and privilege in court, a judge might notice
you attach the same confidentiality label and disclaimer to the bottom
of every e-mail and disregard their validity as a result.
A better option is to conspicuously
label only selected messages with the words “CONFIDENTIAL/
ATTORNEY-CLIENT PRIVILEGE” at the top of the message and either encrypt
or password-protect attachments to those messages.
Pornographic spam. Finding
a mountain of image-laden, hardcore pornographic spam in your Inbox is
embarrassing, distressing and demoralizing. It’s also likely to be a
symptom of a bigger cultural problem your firm must address before it
leads to major repercussions.
I guarantee the presence of pornographic
spam in your Inbox means people in your office have either been using
office computers to visit pornographic Web sites or indiscriminately
opening pornographic spam and clicking on links. The common result is
spammers send what is known as “domain-spam” (a salvo of spam) to every
address at your firm.
Opening these messages and visiting
these sites are ultra-high risk practices. It increases the volume of
spam you receive and the likelihood your firm will suffer from viruses,
spyware and other security risks, in addition to the possibility of
public embarrassment (or worse if child porn is involved). You must
insist management deal with this issue immediately and forcefully by
instructing everyone at the firm of its dangers and consequences,
emphasizing the applicable requirements in the firm’s acceptable
Internet usage policy and following up with individuals as appropriate.
Again, I can’t emphasize enough that in
today’s e-mail world, if you have frontline client contact, it’s likely
this internal behavior will have external consequences for you rather
than the individuals at fault.
There probably are many more e-mail issues today than you
ever imagined. The good news is you can significantly improve your
handling and management of e-mail, use inexpensive tools to address many
of the major problems, and drastically reduce spam problems and related
security dangers by using the ideas and suggestions in this article.
That statement comes with a money-back guarantee.
However, the bad news is, despite what
you do individually, practices at your firm can put you in very
difficult, embarrassing and career-threatening situations through no
fault of your own.
If you work at a firm that tolerates
risky e-mail practices, takes a cavalier attitude toward serious e-mail
issues, ignores your concerns and fails to implement procedures and
guidelines, your wisest move is to polish up your résumé and leave
before the inevitable disaster occurs. Otherwise, roll up your sleeves
and get to work on reclaiming e-mail from the spammers and other bad
actors. You must be careful out there.
Beat Inbox Overload
Become as well-informed as possible
about current issues, trends and developments. You might have
noticed I didn’t define the term “metadata” in this article. It
was a little test. If you are not aware of what it is and what the
problems are, you need to start your homework lessons immediately
(see “Creative Computing” on Page 34 of this issue).
Accept the burden of educating your
employers and colleagues by constantly raising important e-mail
issues and formally requesting policies and procedures. There
are worse things than being known as the “security gadfly.” It
should be obvious by now that your clients share in the risk of
unsafe e-mail practices. There is no question law firms will
respond quickly to “suggestions” made by clients. If you can
enlist the aid of one or more of your client contacts, your
concerns will receive a better hearing.
Refuse to fly solo on the big issues.
Request specific instructions and sign off on important e-mail
issues such as metadata, encryption, passwords and the like. The
best approach is to make the effort to keep everyone informed —
circulate articles, give people information about available tools
and share different options.
Be a role model, especially for your
children. Most people have good intentions to stay safe on the
Internet, but they don’t know how to do it. Let people see your
better ways of doing things. Show them the problems and the
solutions. Most important, don’t pass risky e-mail behavior genes
down to your children. We are all in this Internet thing together.
Do what you can to help clean up the mess we are creating for our
Commit to three doable, concrete
actions you can and will do today. Create some folders. Learn
how to create a rule or two. Start deleting spam without reading
it. Get a copy of Dan Appleman’s “Always Use Protection: A Teen’s
Guide to Safe Computing” (Apress Publishing, 2004) and share it
with the attorneys you work with. Make sure your computers are
current on upgrades, virus definitions and other security tools.
Learn the symptoms of virus or spyware infection, especially for
the most common problems. If you are ambitious, try to clear your
Inbox completely just to see what it feels like. Make a list of
the four or five biggest e-mail concerns you have and ask how your
firm is addressing them. Talk to your colleagues in other firms to
find ideas that might be working or to share your concerns.
Rethink Your E-mail Practices
Many people and organizations continue
to use e-mail in ways that are based on assumptions that no longer have
any basis in reality, if they ever did.
Replace your current assumptions about
e-mail with the following seven assumptions that more accurately reflect
what is happening today.
There is no requirement to open, read or
reply to every e-mail message you receive. In fact, you no
longer need to see every message.
You no longer are obligated to reply
instantly to every e-mail message and there is no longer an
expectation that you will do so. Savvy e-mail users understand
your e-mail management issues. They will expect that you reply
in a timely fashion to high priority or time-sensitive e-mails.
If they want an immediate response, they will call or use
instant messaging. Many people explicitly discuss expectations
about responses at the initiation of the relationship.
Spam is a security issue best addressed
by managing behaviors. Combine an aggressive spam-filtering
program with risky behaviors and you risk viruses, security
problems and blockage of good e-mails.
Used properly, your Inbox will be empty
or nearly empty most of the time.
E-mail and e-mail programs are
increasingly used for purposes for which they were not
originally designed and are proving to be inadequate to meet the
demands now being placed on them. On the current path, things
are likely to get worse.
The perfect solution is not even in the
realm of possibility. Good, solid solutions that can be
implemented quickly are far superior to extended efforts to find
the “best” solutions.
Unless you become an aggressive agent
for change, e-mail practices in your firm are unlikely to