October 1, 2009
On July 22, 2009, Macon State College’s Office of Technology Resources CIO turned off secure POP3 and secure IMAP access to email. Apparently, some phishers obtained access to the system because some users replied to their emails with sensitive information. As a result, the maconstate.edu domain became blacklisted. The reaction was to make email inaccessible to non-proprietary solutions by MSC users. This presents several problems for an institution of higher education.
When I first arrived at MSC, both students and faculty could choose to use whatever email address they wanted. This policy was progressive and smart: after all, communication is the key when talking about email. They were given a simple form in Banner that allowed them to enter their preferred email address. However, after a couple of years—I’m not quite sure when it actually happened—they decided that students could no longer forward their email; students were now required to use their MSC email. Not only that, but email soon became the de facto means of communication. According to the student handbook [emphasis mine]:
“Macon State College students are provided an e-mail account free of charge. The College considers this account an official means of communication. The purpose of the official use of the student e-mail account is to encourage the use of existing technology to provide a more effective means of communicating important College-related information to students in a timely manner. Students are encouraged to check their accounts frequently.”
I assume that this “official means of communication” will be in lieu of snail-mail documents. Again, this is a smart, eco-friendly, and economic solution. However, not allowing students to use the email account of their choice negates the stated purpose. Not only that, but the first-time access of the account—what the handbook calls “user friendly”—is anything but. New users are directed to this page. A review of the linked page might make it clear why most of the students I teach do not use their “free of charge” MSC email account.
I have even talked with administrators who said that if they receive emails from students who are not using their MSC email account, they ignore or delete them. I find this difficult to understand when, as I mentioned above, communication is the most important aspect of email, not where it comes from. I believe that attempting to force students to use an overly complicated system discourages effective communication. I even communicated my concerns at the time, but they were ignored. I continued to accept any email addresses from my students.
During this transition, I had always used the standard email protocols POP3 and IMAP. These protocols are not only email standards, but are also open source; i.e., users can use any computer system or client to access their email—providing an effective means of communication through convenience and accessibility. Soon, security concerns added secure layers (via another open source solution OpenSSL) to these protocols, making them robust and safe, yet still convenient. POP3 and IMAP allowed me to use the email client of my choice. I ultimately decided on a version of Gmail that I could use with this domain name (grlucas.net). I went with Gmail (part of the free and powerful Google Apps suite) as my client for many reasons: it is web-based, allowing me access from anywhere; it is an organizational dream, offering tags, search, starred items, and threaded conversations; it offers 2GB of free storage (up to almost 8GB now).
I easily set up secure POP3 access to my Macon State email account which would occasionally and automatically download my MSC email to my Gmail account. Later, as a complement to Gmail, I began using Postbox on my Mac. Postbox allowed me IMAP access to MSC when I was on my home computer.
On July 22, 2009 I stopped receiving email. I was teaching in London at the time, so it took me a day or two to notice that I had no new messages. I still didn’t think much of it, since it was the end of July and traditionally not much is happening. After a few more days of no email, I eventually figured out that my Gmail account was no longer able to retrieve email from my MSC account. On August 3, I sent an email inquiry and received the following response:
“In response to several recent email phishing incidents, we have discontinued the use of secure POP3 and secure IMAP. The only available methods of remotely accessing email are:”
So, secure POP3 and secure IMAP—protocols that have nothing to do with phishing—have been turned off without notice. Just like that. After a bit more email back and forth, I discovered that this was going to be permanent. I asked if I could just have my email forwarded (something they had done in the past). The reply: “No, sorry. It increases the risk of releasing personal information and takes control of official email out of our hands.” Releasing personal information is obviously a reaction to the phishing. Wouldn’t “official email” more likely be received by faculty and students at an address of choice, not one that’s more difficult to access?
Obviously, security is a major concern these days, and rightly so. I decided to contact the Chief Information Officer for our Office of Technology Resources for clarification. He responded:
“The administration wants the amount of spam email we receive to be reduced. We are constantly being bombarded with phishing emails that masquerade as helpdesk@maconstate or variations of [email protected] probing for userid and passwords. External access using POP3 and IMAP require the usage of an external SMTP server. In order to validate Macon State College email is legitimate we need to force all inbound and outbound email through our SMTP servers. Eliminating pop and imap will allow us the ability to greatly reduce the masquerading problem described above since all traffic would go through our SMTP servers. We have an extremely small number of users using pop or imap at the present time. Some of the IT faculty are using RCP [sic] over HTTP rather than pop and are very happy with it. We can help with that if you like.
“As far as “increases the risk of releasing personal information” goes, all email interaction between faculty, staff and students remains internal as long as our Exchange system is used. Once email is forwarded offsite, it traverses the Internet where anyone in between can view it. POP3 also allows storage of official Macon State email on personal computers where it can be stolen or lost.”
The latter paragraph again mentions “official” email. It also suggests that if we—the faculty and students—of MSC are forced to use MSC email, then everything will be safe and secure. However, most of my “official” email does not go to others at MSC, but to colleagues at other universities, journal editors, book authors, and other professionals outside the MSC domain. Turning off POP3 and IMAP makes it more difficult for me to effectively communicate. It is correct to state that email is viewable by anyone once it hits the Internet, but nothing done locally will change that fact. We cannot cut off our communication to the outside world.
The particulars in the former paragraph I wasn’t 100% sure about, so I sent it to a couple of network administrators: one from a medium-sized university and one from a large university. I received this reply from the admin of the large campus network:
“I’m not sure I follow their reasoning for turning off POPs and IMAPs. While you do need an outbound SMTP server for sending mail with these protocols, you can set up a secure SMTP server which requires authentication before it can be used for sending mail. So, it’s not like you must have an open SMTP relay out there that anyone can use.
“However, on some ISPs’ networks you may not be able to connect to a campus (secure or not) SMTP server for relaying if that’s done over port 25. ISPs sometimes block outbound port 25 traffic to cut down on spam. But, for example, on Roadrunner, I simply use gmail’s secure SMTP server (which uses TLS and runs on port 587). The point is, it’s a bit more of a support issue to deal with users out on all of these various remote networks. There’s not a single SMTP relay solution that will work everywhere (though gmail is pretty close to working everywhere). Anyway, if the IT staff is correct in that the number of folks using POPs/IMAPs is very small in comparison to the total user population, then I can somewhat understand them wanting to reduce their support footprint. But, if you want alternatives to shutting down POPs and IMAPs (which I can fully understand because I use IMAPs myself), try looking around for Secure (or TLS) SMTP resources. Perhaps you can convince them to enable authentication on their external SMTP server and keep POP/IMAP.”
MSC might want to cut their “support footprint,” but that is not the reason I was given from the CIO. (If this is indeed the case, then I might suggest we turn our email over to Google for free! Seriously.) Therefore, the reason I was given seems like an arbitrary, knee-jerk decision that was not considered thoroughly. Yet, now that they committed to that solution, they ostensibly refuse to entertain any others.
OK, so how about the solutions I was offered: webmail; RPC over HTTP; and Microsoft Entourage? Surely one of those will suffice?
Let me start by saying that all of these are proprietary solutions for a common, open-source application; i.e., I must use Microsoft products if I want to check my MSC mail. Email is older than Microsoft, spanning almost fifty years. Electronic mail got along and gets along just fine without Microsoft trying to make me pay for access. Like everything that passes through a microchip, email has fallen under control of Microsoft. They invented a proprietary MTA (mail transport agent) for something that worked just fine: they call it Exchange. Sendmail is open source and free; Exchange is closed source and expensive. What is it we are paying for? The privilege of letting Microsoft control our communications? Microsoft is a known monopolist, and it has been well documented that their business practices are dubious at best. It wants to eliminate choice; this is what monopolists do. I have often found it difficult to believe that any institution of higher education would not only purchase Microsoft products but help in their morally questionable political agenda.
In an effort to not support a known monopolist, I have chosen over the years to use as much open-source software as I can. And where I have chosen proprietary systems, it is because it is the best solution for my needs. Microsoft consistently releases poorly designed software that is expensive, unsafe, and difficult to use. I can honestly say: I have never chosen a Microsoft product when presented with alternatives. The problem is: people rarely see alternatives, particularly when they are forced to use Microsoft products. Why would an institution of higher education do this to students? As an example: I’m always blown away when folks think they need Microsoft Office. I try to explain that they do not need to purchase software that’s freely available elsewhere, like Google Docs, Open Office, Buzzword, ZoHo, and others. Why would anyone pay Microsoft for freely available and comparable (in most cases better) software? Again, they think they don’t have a choice. I think it’s particularly important that we educators are aware of and educated about the alternatives to proprietary software.
Open-source software allows people to see the source code of the software to make improvements, additions, modifications to fit their needs. It is owned by the community, not a corporation. The users decide what they want the software to do, not a corporation. Why would we want the most important means of communication that we have today under control of a known monopolist? Why do we continue to throw money at Microsoft and at the same time eliminate any choice we have?
The choices I now have all involve Microsoft—which are no choices at all, really. The Exchange 2003 web interface pales in comparison to even the most rudimentary web-based email applications. RPC over HTTP is a proprietary protocol developed by Microsoft and implemented on their servers and clients. Why? In order to force people to use their products. I can see no other reason. Microsoft Entourage for my Mac is much like webmail: a poor alternative to many free mail clients. The problem: the free clients (open source) require POP3 or IMAP.
Another problem with turning off POP3 and IMAP is that I can no longer use my iPhone to receive my MSC mail. The trend is going toward these small devices, and those of us who use them are finding them indispensable to how we work and communicate. I had my mail set up on the iPhone, so when students or colleagues emailed me, I received it almost instantly. This made communication very efficient. However, my iPhone uses IMAP. So that’s out. Oh, yeah, I can access my webmail through the iPhone’s browser, but it’s unusable. See the picture on the right; yes, it’s actual size.
The bottom line is this: turning off these services has crippled my ability to do my job. I have tried to use webmail for the last two months. Yes, it is usable, but barely. Not allowing us choice in how we receive email is a big mistake, and at a time when recruitment, retention, and progression are being emphasized, it might be a fatal mistake. When students find their ability to communicate with faculty and administrators difficult and frustrating, it certainly doesn’t help to retain them. Doesn’t this new policy discourage communication?
Let me end with one final observation. Part of this problem, says our OIT director, is the amount of spam (phishing included) that is sent to MSC email accounts; he writes: “We blocked 103,420 spam messages last week.” As a colleague of mine points out, that’s only about one or two spam messages per email account per week. Doesn’t really seem like a big problem.
Gmail’s spam filter is almost perfect, in my experience. It puts all the potential spam in a folder that I can easily access and sort. It’s 99.9% correct—all the time. Yet, I can easily check Gmail’s accuracy any time I want, particularly if I know something should be in my inbox, but isn’t. I have been plagued by students this semester asking me if I’ve gotten their email. Sometimes, it’s just impatience, but sometimes I just don’t get their emails. Now, if I was using Gmail, I could check my Spam folder, but I don’t seem to have that option with Exchange. It does have a folder labeled “Junk E-mail,” but it’s always suspiciously empty. If, like the director claims, MSC is inundated with spam, shouldn’t I have some to look through? Where’s it go? And more importantly: who is deciding what is spam and what is legitimate email? I suspect it’s the Exchange server, but I know that I don’t want any server—particularly a Microsoft server—deciding what mail I see and what mail I don’t.
This is analogous to my mail delivery person deciding that this catalog is junk and this letter is official, rather than just delivering all of my mail. Would you want this? This fact might be the scariest part of all. What legitimate emails has the MSC Exchange 2003 Server not delivered to me?
There are a couple of solutions as I see them to this problem:
- Allow faculty and students to begin forwarding their email again.
- Turn secure POP3 and secure IMAP back on and put in place an SMTP server that requires authentication.
- Update the web interface to something this-century.
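The second option above, like the network administrator's suggestion quoted earlier, describes an authenticated submission service: TLS on port 587, with login required before the server will relay. The following Python check is an added example, not part of the original post or of any MSC configuration; the host names are placeholders and the EHLO replies are constructed samples.

```python
import smtplib
import ssl

def ehlo_keywords(reply: str) -> set:
    """ESMTP keywords from a raw multi-line EHLO reply ("250-STARTTLS" ...)."""
    lines = reply.splitlines()[1:]            # first line is only the greeting
    return {l[4:].split()[0].upper() for l in lines if l[4:].strip()}

def audit(before_tls: set, after_tls: set, unauth_rcpt_code: int) -> list:
    """Return policy findings for a port-587 submission service."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("no STARTTLS: logins and mail travel in cleartext")
    if "AUTH" in before_tls:
        findings.append("AUTH offered before TLS: passwords may be sent in cleartext")
    if "AUTH" not in after_tls:
        findings.append("no AUTH after TLS: remote users cannot authenticate")
    if 200 <= unauth_rcpt_code < 300:
        findings.append("open relay: outside recipient accepted without login")
    return findings

def probe(host: str, port: int = 587) -> list:
    """Live check of a server you administer; no message is sent."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = {k.upper() for k in s.esmtp_features}
        after = set()
        if "STARTTLS" in before:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()                          # capabilities change once TLS is up
            after = {k.upper() for k in s.esmtp_features}
        s.mail("audit@example.org")           # placeholder sender
        code, _ = s.rcpt("nobody@example.net")  # outside domain, no login given
        s.rset()
    return audit(before, after, code)

# Constructed EHLO replies (not captured from any real server).
OPEN_PLAIN = "250-mail.example.edu\r\n250-AUTH LOGIN\r\n250 8BITMIME"
HARD_PLAIN = "250-mail.example.edu\r\n250-STARTTLS\r\n250 8BITMIME"
HARD_TLS = "250-mail.example.edu\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"

if __name__ == "__main__":
    print(audit(ehlo_keywords(OPEN_PLAIN), ehlo_keywords(OPEN_PLAIN), 250))
    print(audit(ehlo_keywords(HARD_PLAIN), ehlo_keywords(HARD_TLS), 530))
```

An empty result means the server offers STARTTLS, exposes AUTH only inside the encrypted session, and refuses to relay for unauthenticated clients.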
Ultimately, this might seem pretty trivial. Yet, it’s the first step to further marginalization of alternatives. If Microsoft comes out with a better product, I’ll have a look, but I will not be forced to use their products on my client machines. In an institution of higher education where we teach students to be critical, to seek alternatives, and to be thoughtful in an ever-increasing technical world, eliminating our choice in such an integral and simple mode of communication can only hurt us. This policy looks backward while the college seems to want to move forward. Allowing students and faculty to use email addresses they choose to use and check those the way they want to check them will likely make “official” communications more accessible to those who need to see them.
I understand the need for security, but I also understand the need for accessibility. When you make systems more secure, you make them less usable. There’s an area of usability where we keep the bad guys out and allow the users access; turning off POP3 and IMAP will not stop the spammers and the phishers (I know I still get them); the only thing it’s doing is punishing the users.