Introduction
In every company it happens: employees sending out mass email mailings to customers and
contacts by creating one email and entering all the recipients in the Cc: field (or the Bcc: or
To: field). It is something that can happen so easily, yet can also have serious
consequences. Read more about how these undesirable mass mailings can occur, the
damage they can do, and how you can protect your company by preventing these emails
from leaving your network.
This could happen to you: Your new sales rep is eager to get results, and fast. He decides to
contact his 200 customers with your latest promotional offer. In order to get the message
across in the minimum amount of time, he creates one email, pastes all the email addresses
in the Cc: field and hits ‘Send’. Now he just needs to wait for the orders to come in.
Your nightmare has begun. A potential privacy breach and damage to your company’s
reputation have been set in motion. Not only has this one email exposed your valuable
customer list and opened you up to 200 potential lawsuits for privacy breach, it has severely
damaged your company’s reputation. If your company is this careless with its customer
information, what does that say about the quality of the services and products you provide?
And you don’t even want to think about what will happen when the recipients hit the ‘Reply
to All’ button and start complaining about your company’s spam practices and asking you to
remove them from the list. A true ‘mail storm’ could erupt with your company as the source.
Some employees might think that they are being smart if they put all the addresses in the
Bcc: field instead of the Cc: field. In that way the recipients will not see the other email
addresses and they will not be able to select ‘Reply to All’. However, listing email addresses
in the Bcc field will get the message detected as spam and will land you on a spam black list
or two. You don’t want to have to find out firsthand how difficult it is to get removed from
these lists, and you don’t even want to think about how many of your emails are being
blocked by spam filtering software until you do get off those lists. Even if you are not
blacklisted, would you want your company to be sending emails to your customers with an
empty To: field, or a To: field with a different recipient? In the best case this is confusing; in
the worst case this email severely damages the professional reputation of your company.
This is a disaster just waiting to happen. You can train employees on email etiquette, you
can include a notice in your Employee Handbook or Email policy that they should not send
one email to many recipients for email mailings (using either the To:, Cc: or Bcc: field), but
A Cc mass mailing, where one email is sent to many recipients in the Cc: (or Bcc: or To:)
field, might produce the following unwanted results:
Although unauthorized Cc mass mailings occur frequently within companies, most of them
do not reach any exposure in the press. Below are a few cases where the incidents were
covered in the press:
The ‘Brown Daily Herald’ recently reported an unauthorized Cc mass mailing case that
occurred when a worker at a college’s Financial Aid Office sent email messages to hundreds
of students reminding them about which documents they needed to submit for their
application for financial assistance. The problem was that the worker sent only three email
messages and included all the students’ email addresses in the To: and Cc: fields. In total
the three email messages exposed 1800 students’ addresses and full names.
A few years ago the UK news site ‘The Register’ reported that a UK photo sharing website
had sent out a welcome email to 1500 of their subscribers with all their email addresses
clearly visible in the To: field. According to ‘The Register’ one of the affected customers
commented that it was such a fundamental breach of simple protocol and Internet security
that they would be closing their account forthwith and passing details of the incident to the
UK Information Commissioner. Apparently the affected photo sharing company responded to
‘The Register’, explaining that a technical error was the root of the problem and that they
had apologized to their customers and assured them that their personal registration
information remained secure.
‘Techdirt’, an online news blog, also covered this story, saying: “Of course, there was no
‘technical’ error. There was the very, very human error of someone putting the addresses in
the wrong box and/or not using a decent mailing list program.”
The next day the story unfolded further since one of the company’s competitors had gotten
their hands on the list (possibly they were one of the 1500 subscribers) and sent the 1500
subscribers an email saying that they would be better off registering with their company
Luckily most unauthorized mass mailings are not covered in the press. There are still
substantial costs that could arise out of a Cc mass mailing though. Below is an example of
the potential cost of a Cc mass mailing sent out to 200 customers:
The actual cost and impact can differ from company to company and from situation to
situation, but this example shows you what kind of costs you could be facing due to a Cc
mass mailing.
What do you do when this happens to you? And more importantly, how can you prevent this
from happening? If such an event does occur, the best course of action is to immediately
send out an apology to the impacted customers, explaining that this email mailing was
against your company’s policy and that you will maintain stricter measures in order to
prevent this from happening again. But what can you do to prevent this from happening
again? You can include a warning regarding mass mailings in your email policy under the
Don’ts section. You can train your employees on email etiquette and inform them not to
send out mailings without using your mailing list software. Although these are good
solutions, they will never be watertight.
The only way to be sure that this cannot happen to your company is to physically block the
email from leaving your company in the first place. This can be done with email server
Policy Patrol is an email filter product that can scan all email messages before they are sent
out, giving you the opportunity to block these kinds of emails before they can do any
damage. All you need to do in Policy Patrol is configure a rule that will quarantine all
externally sent messages with more than, for instance, 5 or 10 recipients. Once a message is
caught, Policy Patrol can send an email to an Administrator or Manager allowing them to
verify whether this message should be sent out, or whether it actually breaches the
company policy and must not be allowed out. It is as simple as that, but it will surely save
you some major headaches.
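
The recipient-count rule described above, sketched as an added example (this is not Policy Patrol's code or configuration). The internal domain `example.com`, the threshold of 5, the function names and the sample messages are assumptions made for illustration. The check counts SMTP envelope recipients as well as To:/Cc: headers, so a Bcc: mailing is held too.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}  # assumption: the sender's own mail domains
MAX_EXTERNAL = 5                    # assumption: low end of the "5 or 10" range

def _external(addresses):
    """Normalise addresses and keep those outside INTERNAL_DOMAINS."""
    out = set()
    for addr in addresses:
        addr = addr.strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            out.add(addr)
    return out

def evaluate(raw_message, envelope_rcpts):
    """Decide whether an outbound message is held for review.

    visible:  external addresses every recipient can read in To:/Cc:
    external: visible plus envelope-only recipients, which is how Bcc:
              recipients appear once the client has stripped the header
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = _external(addr for _, addr in getaddresses(headers))
    total = visible | _external(envelope_rcpts)
    action = "quarantine" if len(total) > MAX_EXTERNAL else "deliver"
    return {"action": action, "external": len(total), "visible": len(visible)}

def sample(n, bcc=False):
    """Constructed test input: one message to n customers via Cc: or Bcc:."""
    rcpts = [f"customer{i}@shop{i}.example.net" for i in range(n)]
    cc = "" if bcc else f"Cc: {', '.join(rcpts)}\n"
    raw = f"From: rep@example.com\nTo: rep@example.com\n{cc}Subject: Offer\n\nHi\n"
    return raw, ["rep@example.com"] + rcpts

if __name__ == "__main__":
    for n, bcc in [(200, False), (200, True), (3, False)]:
        print(n, "bcc" if bcc else "cc", evaluate(*sample(n, bcc)))
```

The `visible` count tells the reviewer how many customer addresses the message would disclose to every recipient, which separates the Cc: exposure case from a Bcc: mailing of the same size.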
A mass mailing to 200 users as described in the above example could cost your company
over $6,000 and potentially even more depending on the lawsuits and the severity of the
damage to your reputation. If your company is in the health or legal industry, this kind of
‘blooper’ could have a much higher price tag. Compare this to the cost of Policy Patrol Mail
Server Tools: For a company of 50 users, the cost of Policy Patrol Mail Server Tools is $395,
with an annual maintenance fee of $79.
In addition to preventing unauthorized mass mailings, Policy Patrol Mail Server Tools
includes many more features such as detecting and blocking emails with offensive words,
attachment checking and stripping, reporting, email policy violation monitoring,
compression, email backup and optional anti-virus. Policy Patrol Mail Server Tools is part of
the Policy Patrol Email Suite that offers anti-spam, keyword filtering, attachment blocking,
email disclaimers, email signatures, virus checking, compression and many more email
management features.
References
http://www.theregister.co.uk/2005/10/26/spam_customer_list/
http://www.databreaches.net/?p=2486
http://www.browndailyherald.com/2.12235/e-mail-error-generates-changes-1.1667477
http://www.techdirt.com/articles/20051025/1243206.shtml
http://www.theregister.co.uk/2005/10/25/spymedia_email_mistake/
Red Earth Software is a Microsoft Gold Certified Partner that specializes in the development
of content security solutions that help companies regulate and optimize the use of their
email and Internet systems. Policy Patrol currently filters emails for more than one million
users worldwide and is used by customers in nearly every industry including educational,
non-profit, financial, legal, health care, manufacturing and government. Included among
Red Earth Software clients are large international organizations such as Nissan, Targus,
Canadian Pacific Railway, USA.net, Lotto, Fujitsu Services (Central Government customer),
and Sony of Canada Ltd.
For more information about Policy Patrol or to download a 30-day evaluation version,
please visit http://www.policypatrol.com.
Policy Patrol® is a registered trademark of Red Earth Software®. Copyright © 2001-2009 by Red Earth Software.