The IT industry will never eradicate security threats to e-mail systems, and organizations should take a holistic approach
to securing their communication systems to the level where they believe risk is at a manageable state, according to panelists
at this week’s Inbox e-mail conference in San Jose.
“Spam will be solved on the third Tuesday of when viruses will be solved,” joked John Thielens, CTO of Tumbleweed, an anti-spam
and anti-virus software maker. “It will never be solved but there are a lot of products that are highly effective to the point
of manageable risk,” he added.
At a packed panel session on e-mail accreditation and reputation, the panelists told audience members that reputation services
have taken off rapidly. These services profile the sender's behavior to determine the likelihood that a message is legitimate
or spam. The sender's reputation is determined based on multiple criteria and then assigned to categories, or lists.
In most cases, reputation services look only for negative information. “There’s still no standard to do positive reputation,”
said panelist George Schlossnagle, co-founder and vice president of engineering at OmniTI Computer Consulting. “It’s exciting
what [Habeas and e-mail performance management company Return Path] are doing. They’re not just identifying people who are
bad, but identifying things that are good. That’s how you ensure those things pass through.”
Last month, Habeas said it would make available for free to ISPs and e-mail security vendors SenderIndex, its collection of information on more than 60 million IP addresses and domains, which also has details about good senders.
SenderIndex is expected to be available at the end of June. Habeas hopes that other reputation services vendors will also
share their information on the list.
Speaking on the panel, Habeas Vice President of Marketing J.F. Sullivan said it’s beneficial for organizations to deploy multiple
reputation systems to ensure broad coverage. “The coverage I have vs. other black lists is less than 6%. There are bad senders
that other [reputation services] don’t see so an aggregate of multiple systems is good for you,” he said.
At a panel discussing e-mail encryption, Verizon Director of Product and Platform Services Kaushik Pillamarri described a
Verizon desktop to desktop e-mail service that encrypts sent e-mail. The e-mail remains encrypted as it sits on the recipient’s
desktop waiting to be opened. If the recipient is not a subscriber to the Verizon service, the service prompts the sender
to nominate a shared password that the recipient would know, such as the location of their last meeting. The recipient is
asked for that password before he can open the e-mail.
Fellow panelist Chris Apgar, president and principal analyst of Apgar and Associates, which provides security consulting
to healthcare organizations, said when dealing with e-mail messages with sensitive content, IT managers should ensure that
the information is encrypted while the messages are in transit or sitting somewhere waiting to be opened. “Anything that is
outward facing – you need to make sure that the server is hardened and the data is encrypted.” He said that even if organizations
use tools to scan outgoing e-mail messages to select sensitive content to encrypt – a method that may not catch all sensitive
data – it is better to send an empty encrypted e-mail than rely on users to remember to hit the ‘send as secure e-mail’ button.