Wednesday, December 27, 2006

RBL/Blocklists RIP? Hardly...

With the shutdown of the ORDB realtime block list (or blackhole list if you prefer), I have seen chatter in mailing lists, newsgroups, and newsletters claiming that the time of the RBL has past. One good friend of mine (that despises RBLs) claims they are ineffective and offer too much risk. There is too great a chance that a valid connection will be rejected to even consider using them.

My primary mail server gets a LOT of spam. I use the Spamhaus composite blocklist (SBL-XBL.SPAMHAUS.ORG) as my sole block list provider. Your honor, I submit the following in to evidence. (You can click on the image for a larger view.)

Out of the 163,000 connections made to this server over the last 5 days (yes, since Thursday before Christmas!), 111,000 of these were rejected because they were on the Spamhaus list. That is a whopping 68% of the connections that were rejected without having to accept the message or process it further. That is pretty darned good, IMHO.

The Intelligent Message Filter stats are above there. The SCL value is set to "Reject" anything above a 6 or above. Almost 88% of the mail inspected over this time was considered to have an SCL of 6 or above!

And the best part, I have not heard a single complaint in over a year about someone's message being rejected because they are on an RBL.

Tuesday, December 26, 2006

Exchange 2007 Technology Specialist Beta Exam

Microsoft announced that the first Exchange 2007 Beta exam will be in beta between January 2 and January 16. This is Exam # 70-236 which is focused to technology specialists. Essentially this is someone working with and administering an Exchange 2007 server. Now is the time to make all that time you spent playing with the E2K7 beta pay off!

Friday, December 22, 2006

Exchange 2007 eval downloads available

Can't wait to get your hands on E2K7? Both the 32-bit version intended for testing and lab environments as well as the 64-bit version are available for download. The eval period is 120-days, but once you have a licensed copy, you can convert these versions to production versions.

Thursday, December 21, 2006

The little demon and I

I talk about Russell all the time, but I don't ever put him in a blog. Here is the little demon when he is being a little more calm (and not plotting a way to take over the house and find out where we hide the TV remote controls).

Tuesday, December 19, 2006

Directory Update price increase next month

Self Service Active Directory Update (our GALMOD alternative) is going up in price. It is currently US$250, but it will be $359 after January 15, 2007. If you have not already taken a look at it, you won't know how you managed your Active Directory without it!

Monday, December 18, 2006

Open Relay Database (ORDB.ORG) is shutting down

One of my favorite real-time block lists (RBLs) is shutting down. This is from their web site:
"We regret to inform you that, at the ripe age of five and ahalf, is shutting down. It's been a case of a long goodbye as verylittle work has gone into maintaining ORDB for a while. Our volunteerstaff has been pre-occupied with other aspects of their lives. Inaddition, the general consensus within the team is that open relay RBLsare no longer the most effective way of preventing spam from enteringyour network as spammers have changed tactics in recent years, as havethe anti-spam community." Read more...

Sunday, December 17, 2006

Enabling SMTP protocol logging for Exchange 2003

When diagnosing problems relating to Exchange 2003 and SMTP, the SMTP protocol logs are one of the most useful things you can enable. They are not enabled by default. On the SMTP virtual server (found under Protocols) that handles inbound and outbound mail, click the Enable Logging checkbox. The logging type defaults to W3C Extended Log File Format and that should be fine.

Click the Properties button and then click the Advanced button. You should enable the following extended logging options:
Date, Time, Client IP Address, User Name, Method, URI Stem, URI Query, and Protocol Status.
The rest of the options are not necessary for STMP.


Thursday, December 14, 2006

Get Ready for Exchange 2007 slide decks

If anyone is interested, here are my slide decks from the Get Ready for Exchange 2007 events in Europe, Africa, and the Middle East. These are the most recent versions so if you attended an event in Norway or Germany, these are more up-to-date.

EX01-Architecture and Deployment
EX02-Management Interfaces
EX03-Security and Compliance
EX04-Anti-spam and Antivirus
My keynote slides from Helsinki and Dubai

Microsoft in Finland recorded the entire conference if you want to see the presentations. Plus, on the opening page, you get a studly (not!) picture of me goofing off while Dejan Foro tries to get some work done.

Wednesday, December 13, 2006

Does my hardware support Windows 2003 x64 and Exchange 2007?

I have been looking for an easy answer to the question of "can my existing hardware support Exchange 2007?" I have been telling people to confirm their exact server models with their vendors. That is probably still good advice, but I found a neat piece of software called CPU-Z (thanks to Jeff C. at LRS for telling me about it!).

In the graphic you see here in this posting, this is an AMD Opteron processor. Notice the Instructions line that it includes x86-64 as supported instruction sets. Intel CPUs will have the text EM64T if they support the x64 architecture.

Please note that if you are lucky enough to have some IA-64 processors in your organization, those do NOT support Exchange 2007. Well, I guess you are not lucky if you have thos, but they are a nice processor.

Monday, December 11, 2006

Exchange 2003 SP2 IMF tuning

Okay, I should be working on the E2K7 book, but I'm playing. Sort of. I needed to tighten down my Exchange 2003 SP2 Intelligent Message Filter (IMF) a little more. All that holiday spam is creeping in my mailbox. And no one at work has time to manage an IMF archive. So, we started rejecting the mail that arrives with an SCL of 7 or above. But that is still quite a bit of spam that got through. Plus, the rejection message was not exactly friendly. If someone sends me a real message that just happens to get tagged as spam, this is included in the NDR:

This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently:
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 12): 550 5.7.1 Requested action not taken: message refused

However, I was doing some research and found that you can customize this message. Locate the following Registry key:

In that Registry key, create a new REG_SZ value called CustomRejectResponse and then put the string you want to see in that value. Here is my new message:

This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently:
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 12): Your message looked like spam. Our filter rejected it. We are very sorry, but we hate spam. Please add some more text to your message or contact CTA support.

Actually, I will probably change that to have a URL once I can get someone to post me a page explaining why we rejected their mail and how they can fix it. The IMF is famous for rejecting very short mail, though. I might add to the Custom Weighting File something like CTACTACTA and say that if a message has that in the body it is never spam.

Anyway, if you are wondering how I'm testing the IMF to see the reject message, here is the easiest way. (I got this from the Exchange 2003 course #2400 class, by the way. Thanks David Elfassy!)

Go out to an external mail system such as GMail, create yourself a message, set the subject line to Low mortgage rates *** and set the message body to Cheap rates on your mortgage $$.

Thursday, December 07, 2006

Exchange 2007 RTMs

It's official. Exchange 2007 was signed off to manufacturing today. Probably be in customer's hands within 6 - 8 weeks. Get ready for PowerShell! :-)

Saturday, December 02, 2006

Creating SPF / Sender ID records

It seems like a few ISPs out there are "demanding" that people get valid SPF records. I have not tested this, but a few admins have reported to me that unless their domains have SPF records, HoTMaiL is putting their mail in the Junk Mail folder.

SPF / Sender ID is not really an anti-spam technology. It is an anti-spoofing / anti-phishing technology. If your SPF records are correct, and someone checks them, then it means that any message that claims to be from one of your users is REALLY from one of your users.

Before you can create an SPF record, you need a record of EVERY public IP address that will be sending mail on your behalf. That includes managed providers, bulk-mail senders (if you have mailing lists that you outsource), and the public IP addresses from which every SMTP message in your organization originates. Once you have these, then you can create an SPF record.

Make sure your records are accurate. The only thing worse than no records at all is having an incorrect record!

Here are couple of resources you can use to learn more about these as well as wizards for creating the SPF records that you will need to put in to DNS.

SPF: A Sender Policy Framework To Prevent Email Forgery
Sender ID Framework SPF Records Wizard

The Port25 folks have a neat feature that will do a status check on your SPF records. Send an e-mail message to and they will reply with a report of whether they find SPF records for you or not.

DCPromo and Exchange 2007 - Don't do it!

An interesting tidbit came up on one of the mailing lists I'm on. The gist of it is, do NOT run DCPromo on a machine that is running Exchange Server 2007. It is not supported and it WILL break something. I know this is a small thing, but sooner or later people are going to need to know this. (The same goes for Exchange 2003!).

If you have only one piece of hardware available (that happends to be running Exchange), and you need an additional domain controller, virtualization works well!

Friday, December 01, 2006

Yahoo! is getting serious about preventing spam

Yes, Yahoo! is getting so serious about preventing spam that they reject connectoins from EVERYONE! It does not seem to matter who you are or where you are sending mail from, they immediately reject your connection. Here is a sample connection attempt:

421 Message from ( temporarily deferred - 4.16.50. Please refer to

Connection to host lost.

This technique is called gray listing. It is supposed to reduce spam by always rejecting you the first time on the assumption that a spammer won't call back, but a legimate mail server will. And Yahoo's own bunch of yahoos that answer their support questions seem fond of the automated "gee it must be your fault" messages.

I had not really noticed, but several customers and friends have commented to me that they have problems sending to Yahoo! And if they are eventually successful, their mail goes in the Junk Mail folder. I have noticed that myself. Messages I have sent to Yahoo! users that never in a million years would a content filter have found the message to be spam, yet it ends up in the user's Junk Mail folder. Yahoo! claims that if you implement their Domain Keys technology, then this will reduce the amount mail that gets flagged as spam. Right.

Doing some research today, I found this article and had to laugh a couple of times. If it were not so infuriating then the whole situation would be funny.