Email Policy

Revised: February 28, 2007

Provision of email accounts

All staff in ACD will be given email capability. While you may find that local addresses work (that is "user@eos.ucar.edu" or "user@acd.ucar.edu"), you should use and publish only the user@ucar.edu form of your address.

email retention

email is included in the backup of the Unix server, mail.acd.ucar.edu. This server is a 2-node cluster, each node of which has an independent copy of the system mailboxes (/var/spool/mail) and the IMAP directories (/imap/username). Backups of mail may also occur to other on-line storage devices, retained for approximately 30-days. Email in system mailboxes will not be retained beyond 30-days. However, email that exists on workstation or end-user platforms may be retained and included in whatever backups are performed on that machine. These backups are not performed by the ACD Systems Staff.

mailman email distribution lists

ACD uses the system "mailman" for creating email distribution lists. Users and designated list administrators may access mailman lists on the web. Mailman is also the system in use at UCAR. An email distribution list allows anyone to subscribe or unsubscribe. The ACD Systems Staff can set up a mailman list (or take one down) for any discussion topic. They will, by default, set themselves up as list administrators, but upon request may designate another list administrator. The procedure to set up a new email list is to open a work request and provide the following information:

  • The name of the list (e.g., "topse@acd.ucar.edu")
  • Any information you want to appear in the list's information page to orient a new user to the discussion list.
  • A list of initial subscribers

UCAR communications by email (Internal)

email is an important means of electronic communications at UCAR. It is a convenient way to disseminate information, send attachments to individuals, and otherwise conduct business in a way that keeps a record of the communications at hand. Communications should be professional and courteous. Communications by email, as with other communications must be in accordance with UCAR policy.

UCAR communications by email (Outside)

When sending email outside of UCAR, be aware of the "public" nature of email. Mistakes sometimes happen, so messages which contain sensitive or personal information can be read unintentionally by others.

Privacy

The privacy of email communications is important for us to preserve. The systems staff will take measures to protect email privacy by setting permissions on system mailboxes and by maintaining overall server security.

Email is not completely private, however. As with paper memos, email is considered UCAR property and can be examined by administrators who are following UCAR policies. Email can also be examined as a result of a court-order.

Most commonly, however, technical failures may occur which violate the privacy of email communications. For example, a system administrator may accidentally see a message when helping a user with an unrelated problem. Another staff member may see a message left up on a person's screen.

Because of the limits that we have on email privacy, each staff member must not leave email on NCAR equipment that would cause personal or legal issues to parties who are mentioned in the context of that email including the sender and recipient. Aspects of email such as complaint against another staff member, inappropriate aggression, offensive humor, sensitive documents, very personal communication, etc., are not apprioriate to leave stored on UCAR equipment and shown be offloaded and stored privately.

Personal communications by email

We do allow our email addresses to be used for personal communications as long as those communications are in accordance with other UCAR policy. (For example, we can't allow UCAR email addresses to be used for political or profit-making business communications). If you do use email for personal communications, keep in mind that we store and back up email along with email used for business correspondance. If privacy is a concern, be sure to delete email messages after you have read them.

protocols

ACD only supports the IMAP protocol. We do not support Unix-direct email, nor POP email. So mail readers must be used which can manipulate mailboxes via IMAP. Examples of readers include Thunderbird for Mac or Windows, or mutt for Unix. We do not encourage the use of Microsoft Outlook due to security concerns, and Outlook has been disrecommended by the UCAR Computer Security Advisory Committee (CSAC).

spam

As of late 2006 and early 2007, spam has become not just an annoyance full of unwanted marketing, but now a security problem. Techniques include scripts, phishing (with links to pages that look like legitimate sites), various methods to acquire sensitive personal information, and other malicious payloads designed to compromise systems, adding them to ever-growing networks of PC's which are then used in targeted attacks. Organized crime has even become involved in spam, and amounts reached percentages near 90% of all email during the Fall of 2006. For this reason, it has become important to the security of our institution to take spam seriously, and to take measures to reduce the spam we receive.

spam may appear to come from legitimate users -- even your systems adminsitration staff. Sometimes, but not always, it is easy to tell from the context of a message that it may be spam. Our general recommendation is never to open attachments unless you are absolutely sure they are trustworthy, and never click on unsolicited links contained within email messages. Doing so may put the institution at risk in terms of network security.

Unfortunately it is difficult to avoid receiving SPAM email. As of January 2007, UCAR has decided to perform some spam filtering by default. In some cases, this filtering can be lowered upon request. But at the lowest level of filtering, some spam filtering will take place.

At a higher level, we also offer the UCAR mailguard system (see http://mailguard.ucar.edu) and SPAMAssassin spam filtering at the ACD level. mailguard must be activated and configured to use, but is quite effective for reducing spam. In ACD, SPAMAssassin is used for all inbound email -- but it will not delete identified spam -- rather it is directed to a folder called "caughtspam".

Our general recommendation is to delete spam email. Don't read it, send it to anyone else (including the Systems Staff), or respond to it in any way. Responding to "unsubscribe" links offered by spam email mail just verify to the spam email sender that they have hit an actively used email account. The identity of that account is then sold to other spam email senders.

ACD is not responsible for email which is lost as a result of measures to filter spam. If legitimate email is being blocked, please see your Sysadmin to find out how to configure your user accounts and/or SpamAssassin settings to allow the email.

Viruses, Virus Hoaxes, and Scams

Viruses are most often, but not always contained in email attachments. We require the use of Norton Antivirus Corporate Edition on PC/Windows systems, or appropriate antivirus software on other systems in the division.

Attachments containing viruses are now filtered by the UCAR mail server which sees all email coming to a ucar.edu address or from outside of the security perimeter. To filter "unknown" viruses, all non-verified attachments are also filtered. Also all executable attachments are filtered (.exe files for instance).

"email hoaxes" and scams are sometimes more common than email viruses. If your message sounds like any of the following, it is probably a hoax or a scam:

  • "Craig Shergold is dying of cancer and wants postcards"
  • "The FCC is about to ban all religious broadcasting"
  • The "Good Times" virus
  • "Join the Crew"
  • "Win a Holiday"
  • "A Little Girl is Dying"
  • "Penpal Greetings"
  • "Make Money Fast"
Such messages usually implore you to forward the message to others, may not have a PGP signature, and usually try to establish credibility with either technical-sounding language, or by association (pretending to be from the government, Microsoft, AOL, or some such).

If you receive a hoax, do not inform the systems staff -- as with spam email messages (see above), simply delete them. They are common and there is no technological way to prevent them. Also, if you receive a hoax or scam message, do not forward it to others. Be very careful that any message that you forward to another person contains truthful information. In particular, do not circulate virus warnings without checking with technical staff to assure their validity. Serious virus warnings will usually be sent by organizations such as CERT, ASSIST, Technet, etc., through system administrators who in-turn will send announcements informing their staff. Chain letters may also fall into this category and should be deleted without forwarding them to other users.

procmail, .forwards, and vacation notices

Because email is served off of a 2-node cluster (mail.acd.ucar.edu) which only gives you IMAP, not login access, we must set up any filtering for you. We can accomodate simple .procmailrc scripts, temporary email forwarding, or temporary vacation notices. Just submit a work request if you have a need for any of these services (by sending email to sysadmin@acd.ucar.edu).

What the Systems Staff cannot do

There are a few requests we cannot honor regarding email -- either because of the need to protect email privacy, the need to follow UCAR policy, or the need to meet other legal and ethical obligations. The Systems Staff of ACD cannot:
  • Extract an email message from a mailbox to give to another user
  • Remove an email message from another user's mailbox (except where sensitive personal information disclosure is involved)
  • Guarantee that email older than one year will be deleted. (This is because email can exist on individual desktop machines, in multiple locations, or saved as separate documents).
  • Guarantee that an email message can be recovered from backups (Because it may have been downloaded off of the mail server).
  • Report on the contents of an email message to another user
  • Deny a court-order request to examine an email message
  • Scan all email for viruses on the server (Because of the distributed nature of email)
  • Decrypt an encrypted email.

Email Software

Only email software which supports the IMAP protocol is supported by ACD. This excludes SMTP-only software such as "elm" and POP software. IMAP is supported by the following software which we can recommend
  • Thunderbird Mail -- formerly known as Mozilla Mail.
  • mutt installed on our Unix/Linux systems. Also see http://www.mutt.org
We specifically disrecommend Outlook and Outlook Express even though they are probably installed on your Windows PC. This is due to a long history of security vulnerabilities and a fundamental design that allows and even prefers the transmission of executable scripts. CSAC, UCAR's Computer Security Advisory Committee, has also disrecommended Outlook and Outlook Express.

In some cases, we will provide support for the OS vendor's mail client (Apple Mail or Vista's Mail application), but we prefer the use of Thunderbird mail if possible.

We do not provide support for legacy email software include Mozilla Mail, Netscape Mail, and Eudora. These packages no longer have support from their manufacturers -- if you are using one of these applications, you should consider upgrading to Thunderbird or another supported application. This is optional as long as there are no known security vulnerabilities for the application -- but it will be mandatory to move to another email application once a security vulnerability has been identified for the legacy application in question. The ACD Systems staff is not responsible for the correctness of documentation with regard to legacy email applications.

Email through the UCAR Security Perimeter

The solution which we offer for access to your email from outside of the security perimeter is webmail. The webmail URL for ACD is http://webmail.acd.ucar.edu. We allow our Webmail server to access ACD, ASP, EOS, and MMM email at this point in time. There is currently discussion about creating a UCAR-wide webmail server which in turn uses IMAP to access divisional servers such as ours. This has not yet been implemented, but once implemented, we will be using that web mail server instead.

If you are a visitor, or leaving NCAR for extended travel, We will, on request, also forward your email to a non-UCAR address. We can offer this option even for accounts that have been deleted from our servers.

We offer an imaps service by connecting through securemail.acd.ucar.edu -- see your Sysadmin for details on using your IMAP program (such as Thunderbird) to read email using this service outside of the UCAR network. We also have some documentation on the setup at http://www.acd.ucar.edu/Staff/Computing/imapsproxy.shtml.

Email for departing staff/visitors

It is not ACD's responsibility to accept and store email for those staff and visitors which have left. In fact, email will most likely be deleted from our mail spool when an account is closed. For departing staff and visitors, be sure to make arrangements with your primary Sysadmin in order to have mail forwarded to a new address. Such email forwarding may occur even if the ACD accounts have been deleted.