Monitor Outgoing Email


#1

I want to archive outgoing email from all our users. Archiving incoming email is simple enough… Outgoing, well, can I use a cron job on a folder somewhere? I hate to do it that way. I would also hate to sniff packets, especially if there is an easier way to do it.

Thank you


#2

There is no way to do this on our side (was there an article about this recently? I seem to be getting a lot of requests about this lately).

You could possibly do this locally by restricting outgoing SMTP access to mail servers you control, and setting the appropriate options… but basically, you’re not really ever going to be able to fully control this, unless you can control ALL outside access (smtp, web, ssh, telnet, etc.) to all of your users.

Many people (myself included) would also consider this a rather disturbing trend… even if it’s not illegal, it has very unpleasant privacy implications.


#3

[quote]Many people (myself included) would also consider this a
rather disturbing trend… even if it’s not illegal, it has very
unpleasant privacy implications.

[/quote]

Yeah. For this reason, I wouldn’t expect to see us involved in making this a standard function of our service offerings. As Will said, you can do it, but you’ll probably need to utilize some outside servers to do it. While there are some legitimate (legally and ethically) uses for such a function, there are a lot of potential abuses as well.

If you do this, make sure to make it known to those being monitored that they are being watched. As long as there is no real expectation of privacy, I don’t think it’s that big a deal - though you might want to consider the implications this may have on employee morale (if you’re a company).

  • Jeff @ DreamHost
  • DH Discussion Forum Admin

#4

This probably stems from a number of online and offline articles aimed at higher-management about the legal “responsibility” of their users’ email and how they should “snoop” to “cover their own backs” as it were.

I agree with your stance on this; but as this is technically legal I see a lot, if not all, managers demanding this option in the future to keep tabs on all their employees’ communication.

:-/

  • wil

#5

Thank you for the speedy reply!

A few thoughts: Businesses have every legal right to fully monitor their employees’ electronic communication, so long as the employees are made aware of it (indeed, with things like the Patriot Act popping up, businesses [of a critical mass] may soon be REQUIRED to monitor their employees!). All of our employees are required to sign paper explicitly stating this, as part of our abuse policy.

I don’t know about any article on this. We just need to maintain a very tight network in our line of business. I can, in fact, currently control all electronic access (unless someone has shoved a wireless router under their desk that I don’t know about ;)) I know of other ways of doing this, but was hoping for an easier way.

This sounds callous, but electronic monitoring is a valuable tool when it comes time to fire abusive employees.

I understand that this seems disturbing, but this is the world we live in. I would rather everyone do their job, and be pleasant every day, and such. But maturation of odds says that if you hire enough people, and if bad eggs exist, then you’ll accidentally hire a bad egg at some point. As a business, you have to do what it takes to stay profitable, as long as you are ethical and legal. I consider this to be ethical as long as the employees are warned, which they have been.

Thank you


#6

By the way, I think DreamHost is completely awesome. Excellent service, excellent price, excellent organization, excellent execution of everything!

Thanks again


#7

[quote]I consider this to be ethical as long as the employees are
warned, which they have been.

[/quote]

I too consider it ethical as long as employees have been warned, though again I as an employee wouldn’t feel comfortable in a work-place where I felt under suspicion all of the time (and I’m a mostly-good apple :>).

Then again, here at DreamHost we have what may be considered a relaxed work environment. If an employee is found to have violated the trust of the company or exposes us to liability through their own actions, this would be dealt with on a case-by-case basis. Maybe it’s just a small company thing, but there’s a sort of familial relationship here, and if someone hurts the company they know it also hurts their co-workers.

This may not work well in larger companies, though. I don’t know. I worked for a much larger company before I came here, and I do suspect that this sort of arrangement wouldn’t have worked as well there. There was web/email monitoring in place there, and every employee had to pass a 1-2 month background check. It was also, in my opinion, a far less efficient operation than we have here (though there are other factors involved).

To be fair, I worked at a privately-run government laboratory, and violations of trust could be a lot more serious than they are in the entirely private sector.

  • Jeff @ DreamHost
  • DH Discussion Forum Admin

#8

I agree that it’s legal - I just don’t think it’s a good thing to do. I also think that snooping on your employees (even if you tell them that you’re doing it) is probably not the best way to show them that you trust them.

Also, you’re putting a whole lot of (probably sensitive) information in one place. Agreed, if someone has privileged access to the server or network, they could probably obtain most / all of the same information, but keeping it around seems like a bit of a risk. When you’re talking about letting an outside company (e.g., us) handle this information, you’re opening up an even bigger can of worms.

In any event, it’s not really possible for us to do this on a per-domain basis, at least not without using some sort of ugly hack, and we do not maintain this sort of information globally either (other than the usual logging information; envelope-senders and envelope-recipients, client IP addresses, etc.). But, as I mentioned, doing something like this locally probably wouldn’t be too difficult. With Postfix, you can just specify an “always_bcc” address / user in main.cf. I’d assume that other MTAs have similar facilities.

Just be sure to be careful about it - encrypt (and archive) the file periodically, don’t keep the encryption key on an internet-connected machine, limit access and root / administrator access to a small group of people, make sure to notify employees that their messages are being monitored, etc.
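
Added example, not part of the post above and not DreamHost's own tooling: a shell function that carries out the "encrypt (and archive) the file periodically" advice for the mailbox receiving the `always_bcc` copies. It assumes that address delivers to a Maildir, that GnuPG is installed, and that the recipient key (a constructed placeholder, like the paths) has its private half stored off this machine.

```shell
#!/bin/sh
# Added example. Constructed defaults: archive Maildir, output directory, key ID.
ARCHIVE_MAILDIR="${ARCHIVE_MAILDIR:-/home/mailarchive/Maildir}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/archive/mail}"
ARCHIVE_KEY="${ARCHIVE_KEY:-mail-archive@example.com}"

# rotate_archive MAILDIR OUTDIR KEY
# Prints the path of the encrypted bundle; prints nothing if there was no mail.
rotate_archive() {
    src="$1/new"; dest="$2"; key="$3"
    umask 077                              # bundles readable by the owner only
    mkdir -p "$dest" || return 1
    list=$(mktemp) || return 1
    # Anything in new/ is a complete message: Maildir delivery writes to tmp/
    # and renames into new/, so a snapshot of the listing is safe to archive.
    ( cd "$src" && find . -type f ) > "$list" || { rm -f "$list"; return 1; }
    if [ ! -s "$list" ]; then rm -f "$list"; return 0; fi

    # One fresh directory per run, so a failed run can never touch older bundles.
    work=$(mktemp -d "$dest/outbound-$(date -u +%Y%m%dT%H%M%SZ).XXXXXX") ||
        { rm -f "$list"; return 1; }
    # Only the public key is needed here; decryption requires the offline key.
    if tar -C "$src" -cf "$work/mail.tar" -T "$list" &&
       gpg --batch --yes --trust-model always --encrypt \
           --recipient "$key" --output "$work/mail.tar.gpg" "$work/mail.tar"
    then
        # Remove plaintext only after encryption succeeded.
        rm -f "$work/mail.tar"
        while IFS= read -r msg; do rm -f "$src/$msg"; done < "$list"
        rm -f "$list"
        printf '%s\n' "$work/mail.tar.gpg"
    else
        # Encryption failed: keep the mail in place, leave no partial output.
        rm -rf "$work"
        rm -f "$list"
        return 1
    fi
}

# From cron, as the archive user: rotate-archive.sh run
if [ "${1:-}" = "run" ]; then
    rotate_archive "$ARCHIVE_MAILDIR" "$ARCHIVE_DIR" "$ARCHIVE_KEY"
fi
```

Messages that arrive while a run is in progress are not in the snapshot and are picked up by the next run.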


#9

[quote]indeed, with things like the Patriot Act popping up

[/quote]

/me shudders violently


#10

[quote]/me shudders violently

[/quote]

Even with the Patriot Act, you don’t need to do monitoring unless you are specifically asked to by the Federal Government - and even then, it’s still on a selective basis (ie. they’ll ask you to provide information on a per-user or per-domain basis).

I’m pretty sure there isn’t any sort of law (yet!) saying that you have to hold a certain amount of logging information “just in case”, unless you receive a court order or order from the Justice Department and again that would be for specific cases.

There have been cases where companies have been required to keep copies of corporate email, based on court decisions. Microsoft had to do this during the anti-trust trial, I believe.

It seems to go a bit beyond the norm to do it when you’re not ordered to, though. Legally, keeping records of all email may land you in more hot water rather than keep you out of it (again, as happened with Microsoft).

  • Jeff @ DreamHost
  • DH Discussion Forum Admin

#11

All good points. Let me wrap this up with a few final comments.

  1. We have had [almost] no grumbling about our policy. Indeed, some hard-working employees appreciate that there is recourse when the person at the other cubicle is on the Internet 5 hours every day, when that person has no work-related reason to do so. I do understand, however, that in the future, some employee may object, in which case, that employee is free to find employment elsewhere. Honestly, most communication is never even looked at until a problem arises.

  2. Wait till you get that psychotic employee who makes up a bunch of crap and sues your company for millions, alleging everything from sexual to racial discrimination, just because they were fired (I really can’t give details). You need every bit of evidence you can muster when court time comes.

  3. I can sympathize with your belief that DreamHost should not be responsible for such communication.

  4. There are many good ways to run a smaller business. I say whatever works, great. We have struggled with a lot of issues as we have become larger in the last few years, and have had to make hard, impersonal decisions.

  5. There are some private sector companies that need high levels of security and monitoring (like ours). We are a service bureau for the retail brokerage industry. A lot of money is always at stake. This industry is perhaps the most cut-throat, yet still legal, corporate environment in the U.S. There are no two-week notices when millions of dollars of accounts are on the line. Suing is a common occurrence. Corporate espionage is common. I wave a big bat about any kind of communication with the outside world, which is why most of our employees have no Internet access to speak of. Our environment is not relaxed, nor will it ever be. Our employees know that there is a huge body of information that they are privy to that they are not allowed to communicate outside in any form.

However, we are still relatively small, and we have just one overstressed IT guy (yours truly), which is why I choose to outsource when possible. Security is a big enough headache for me already, and if some corporate hacker wants to get into our network, well, he won’t do it easily, since our site and email are with you, and I won’t allow anything really important to be kept at DreamHost (even such outgoing communication as I would like you to archive is really just for internal abuse monitoring, not gravely important info). And I keep our intranet very secure and simple (I hope).

Good discussion. I need to wave farewell, though, before I have to reprimand myself for wasting too much company time on a non-work related matter! :wink:

Good day