Hotmail hack shows risks of Web e-mail
(IDG) -- E-mail administrators are clamping down on users who send and forward messages to free Web-based e-mail services, such as Microsoft's Hotmail or Yahoo Mail. The new policies are designed to prevent exposure to e-mail security breaches, such as last week's hack of Hotmail, one of the worst on record.
Some administrators are blocking end users from forwarding messages to Web-based e-mail services, while others are filtering e-mail messages headed to those sites. Companies that don't have policies about Web-based e-mail still expect users to know better than to put corporate data at risk.
Attorneys at Greenebaum, Doll and McDonald, a Louisville, Ky., firm, are allowed to forward e-mail to Web-based accounts. "But I hope they're not doing that," says Mandi Turner, who manages the firm's network services. "If they forwarded something inappropriate, it could be malpractice."
Turner recently installed TenFour's TFS Secure Messaging-Server software for e-mail virus checking and encryption. She plans to begin using the software's e-mail content filtering soon. "We'll be looking for Hotmail addresses," she says.
At the other end of the spectrum is Westinghouse's Anniston, Ala., plant, which blocks all messages to Hotmail, America Online and other Internet e-mail services. "We just started filtering out the Internet e-mail sites about two months ago," says LAN manager Steve Sanders. He uses Elron Software's CommandView Internet Manager to search outgoing e-mail for key words such as "free mail" and "MSN," and then blocks those destinations.
The security risks of Web-based e-mail came to the forefront last week when a design flaw in Hotmail was exploited by hackers. The hackers set up Web sites that allowed anyone to open a Hotmail user's account without a password, read or delete that person's messages or send messages under that person's name. Hotmail users were exposed to the security breach for hours before Microsoft shut down and fixed the service.
The most popular free Web-based e-mail service, Hotmail has more than 40 million e-mail accounts.
Hotmail has become the preferred alternative e-mail address for corporate America. Whether it's for job hunting, sending off-color jokes, distributing the football pool or chatting with family members, Hotmail is where executives send and receive the e-mail messages they don't want seen at work. What makes Hotmail so popular is that messages can be easily accessed over the Internet from the office, home or on the road.
"Hotmail is used by all of the executives who have grown tired of roaming software and firewalls. When they're travelling, they just forward everything to a Hotmail account so they can go to an Internet cafe or a friend's computer and access their e-mail," says Eric Arnum, a consultant with e-mail outsourcer United Messaging. "E-mail administrators need to recognize that as a giant gaping hole in their security."
Hotmail also has some legitimate uses in the enterprise: backup and testing corporate e-mail systems and serving as a spam repository, for example.
"I use my Hotmail account for spam. I redirect it to that account," says Dale Seavey, senior manager of the Global Strategic Application Technology Group at Cisco.
"We use Hotmail to test our Internet connections," says David Byrkit, e-mail administrator for ITT Avionics in Clifton, N.J. "Almost all of us in the IT area keep Hotmail accounts in case we're called upon to see if the connectivity is working."
The challenge for e-mail administrators is setting up policies that allow benign uses of Web-based e-mail services while protecting companies from exposure through these nonsecure sites. Entertainment giant 20th Century Fox has reached a compromise by allowing traffic to Web-based e-mail services but monitoring that traffic with content-filtering software.
"We see a tremendous amount of traffic going across the network to Hotmail, AOL and Yahoo," says Jeff Uslan, manager of information protection at the film studio. He uses Elron Software's CommandView Internet Manager to search outgoing and incoming e-mail for words that might indicate proprietary or inappropriate content.
"We don't want information sent out about our latest movie or our latest star being signed," Uslan says. "We have to protect our intellectual property."
Meanwhile, ITT Avionics keeps all its sensitive e-mail on a classified network that has no connection to the Internet. All other e-mail can be sent out over the Internet without restriction, Byrkit says.
"We haven't been terribly concerned about any security issues with respect to using Hotmail or any other ISP-based mail system," Byrkit says. "We have a lot of mail that has to go to the Internet. We have to be very careful about restricting that in any way."
Others, however, are just saying no.
"We get an occasional request from our users to forward e-mail to Hotmail," says Dale Cybela, a senior consultant with eFunds, a Milwaukee-based provider of electronic payment services. "We tell them, 'Sorry, we already provide facilities for people to get e-mail while on the road.'"
© 2001 Cable News Network. All Rights Reserved.