January 2008

To say that LiveArchive has been a minor part of ExchangeDefender would be a tremendous understatement.

So with ExchangeDefender 4.0, we are taking our business continuity one step further.

Currently, LiveArchive is hardcoded to keep only the last seven days of your email on a continuous basis. Unfortunately, business disasters do not come in nice friendly intervals; they can be extended, unpredictable, painful.

With ExchangeDefender 4.0 (scheduled for April/May timeframe) we will be providing LiveArchive that can scale up to 30 days, free of charge! While the default will still be 7 days, you can bump that time frame up and down depending on the needs of your client.

Note: The feature set of ExchangeDefender 4.0 is still forming. If you can think of something that would make ExchangeDefender more valuable to your organization I hope you take a moment to mention it to us. ExchangeDefender is built on user feedback.

One of the frequent comments we get from our users is the apparent sudden increase in SPAM between 9 AM and 7 PM. Overnight, hardly anything comes through but during the daylight hours the spammers seem to get going along with the rest of us!

Yes, yes they do. But not in the way you would imagine.

Most SPAM today originates from workstations, office computers, home computers, etc. There are many studies on the Internet that put the level of systems compromised by a worm or a virus at 25%. That means that one in four computers in use is being abused to send junk mail.

When the workers get to the office and power on their systems, they also power on the SPAM amplifiers that hackers have turned those computers into. With more companies going green and mandating computer shutdowns outside of regular business hours, we see a bigger trend in the SPAM activity start and end times.

This also contributes to delays and deferrals during business hours. Because networks lie practically dormant overnight, as the millions of computers (“spam zombies”) come online, the mail servers are hit with a huge load that is amplified further by all the “opt in, confirm your email” systems and so on. These tend to overload the mail servers and cause huge delays and disconnects all over the place.

This in part is why we only troubleshoot issues during business hours. After hours everything appears to run correctly because there is significantly less load placed on the network. However, those tasks during business hours can quickly identify a host that is overloaded and not taking any mail.

We have been closely monitoring the Antispam engine since the upgrade took place on Tuesday and so far the performance is quite impressive. We are blocking more messages than ever before and the false positive ratio has gone down as well. What that means is that ExchangeDefender incorrectly classifies far fewer legitimate messages as SPAM: once in every 800,000 messages processed.

Our SPAM training will now resume; please accept our apologies if you happened to receive more SPAM than usual over the last few days. ExchangeDefender uses automated processes to classify messages as SPAM or legitimate mail based on hundreds of thousands of rules, sender reputation, message contents and more. No message is ever screened by a human being. We do monitor honeypots (our mailboxes placed on the Internet for the sole purpose of collecting junk mail) and build message filters accordingly, so if you wish to help with anything that ended up in your inbox that looks like SPAM, forward it to spam@ownwebnow.com (if you can also include the headers, that would help a lot as well).

We have already built a set of rules for SPAM that has been emerging lately, mostly Regions Bank forgeries, graffiti.net scatter, Treasury Department Circular 230 and the massive amounts of URI SPAM being distributed through Google – google.com, google.co.uk, google.co.tw and more.

“I am still receiving far too much SPAM”

First, “too much SPAM” is a relative term. If your address has been online since 1993 and is on every mailing list available, you are likely receiving thousands and thousands of messages a day. If a few slip through, it is simply due to the volume of mail sent to you – SPAM arrives to you before it does to us, there is no rule to filter for it, and the message gets delivered as legitimate. As the SPAM becomes more prevalent, it starts getting blocked by ExchangeDefender. If you would like to help us filter it faster, forward the message to spam@ownwebnow.com.

Second, we only guarantee SPAM filtering efficiency of 99.99% if you have IP restrictions in place. If you are accepting messages from anyone that connects to your mail server, then you take ExchangeDefender out of the mail flow and we are unable to protect you. Please ask your system administrator to enforce the IP restrictions and other helpful deployment strategies described at ExchangeDefender Support.

Finally, there is a difference between SPAM and the SPAM you subscribed to. If you subscribed to many stock newsletters, mailing lists, etc., we will not consider them for a SPAM rule. These are legitimate messages and you should address the issues with the sender, not with ExchangeDefender. If that is absolutely beyond consideration, contact your system administrator and request that they put the sender's domain (Constant Contact, MarketWatch, Yahoo Finance, Wall Street Journal, etc.) on your domain blacklist.
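To check whether the IP restrictions mentioned in the second point are actually being enforced, you can look for inbound SMTP connections that did not come from the filtering service. The following is an added example, not ExchangeDefender code: the gateway ranges are placeholder documentation addresses, and the log layout and sample lines are constructed.

```python
import ipaddress
import re

# Assumption: placeholder ranges standing in for the filtering service's
# delivery hosts (RFC 5737 documentation space, not real addresses).
GATEWAY_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.16/28"),
]

# Constructed sample in a simplified "timestamp remote-ip sender" layout.
SAMPLE_LOG = """\
2008-01-16T09:02:11 192.0.2.25 newsletter@example.org
2008-01-16T09:02:14 203.0.113.77 offers@example.net
2008-01-16T09:03:40 198.51.100.18 alice@example.com
2008-01-16T09:03:41 198.51.100.40 bob@example.com
2008-01-16T09:04:02 not-an-ip carol@example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def from_gateway(ip_text):
    """True if the peer address falls inside one of the gateway ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable peer is treated as untrusted
    return any(ip in net for net in GATEWAY_RANGES)


def find_bypass(log_text):
    """Return (timestamp, peer, sender) for connections that skipped the gateway."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore lines that do not fit the assumed layout
        timestamp, peer, sender = match.groups()
        if not from_gateway(peer):
            hits.append((timestamp, peer, sender))
    return hits


if __name__ == "__main__":
    for timestamp, peer, sender in find_bypass(SAMPLE_LOG):
        print(f"{timestamp} direct delivery from {peer} ({sender}) bypassed filtering")
```

Any hit means the mail server accepted a message that never passed through the filter, which is the situation the IP restrictions are meant to prevent.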

“How much SPAM is too much SPAM?”

On average, a small business organization (5-30 people) receives approximately 20-50,000 messages a day. Of that, ExchangeDefender automatically discards roughly 70% just on the sender reputation, multiple blacklists, address book exploits, address harvesting, etc. Of the remaining messages, SPAM tends to comprise 10% and SureSPAM traditionally takes between 80 and 90% of messages, depending on whether there are viruses or worms being spread at the moment.

Overall, ExchangeDefender keeps 96-98% of inbound mail from your mailbox. That means that the combination of legitimate mail and SPAM that is falsely classified as legitimate accounts for 4-2% of all mail. It is normal to receive a few messages a day; for some of the older addresses and generic addresses (info@, sales@, contact@, bob@) it can be towards a dozen. Anything more than that gets investigated. Anything below that, honestly, is within the fault tolerance of the filters. Remember that these are not screened out by a third party or a live human being, and that these cannot be guaranteed in any way because there is no way to predict what is SPAM before it actually gets sent enough times.

SPAM filtering and Virus filtering are not the same thing and the protection does not work the same way. For example, if we blindly filtered every “Viagra” reference, no legitimate email containing that word would ever pass through. The same goes for word fragments: say we filtered every instance of “ass” as SPAM. How many words in the English language contain the letters “ass” in them? Pass? Class?
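The false-positive problem described above can be measured on a handful of subjects. This is an added example, not ExchangeDefender's filter: the sample subjects, the two-term blocklist and the function names are constructed for illustration.

```python
import re

# Constructed sample subjects: (text, is_spam). Only the last one is junk.
SAMPLES = [
    ("Your password reset request", False),
    ("Class schedule for next week", False),
    ("Please pass this along to the assistant", False),
    ("Pharmacy notice: your Viagra prescription is ready", False),
    ("Cheap Viagra, no prescription needed", True),
]

# The two terms the post uses as its examples.
BLOCKLIST = ["ass", "viagra"]


def substring_filter(text):
    """Blind fragment matching: flag if a term appears anywhere in the text."""
    lowered = text.lower()
    return any(term in lowered for term in BLOCKLIST)


def word_filter(text):
    """Whole-word matching: flag only if a term appears as its own word."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return any(word in BLOCKLIST for word in words)


def evaluate(filter_fn):
    """Return (false_positives, missed_spam) for a filter over SAMPLES."""
    false_positives = sum(1 for text, spam in SAMPLES if filter_fn(text) and not spam)
    missed = sum(1 for text, spam in SAMPLES if spam and not filter_fn(text))
    return false_positives, missed


if __name__ == "__main__":
    print("substring:", evaluate(substring_filter))
    print("word     :", evaluate(word_filter))
```

Whole-word matching removes the fragment hits on "password", "class" and "pass", but the legitimate pharmacy notice is still blocked, which is why a single keyword cannot decide a message on its own.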

Thank you for your business, thank you for your patience with the new engine rollout and we hope this blog post helps explain how the SPAM filtering works and how we can all get rid of more SPAM.

Please remember that our monthly conference call, one of many this year, is taking place tonight, Wednesday, January 16th at 4 PM EST (22:00 GMT, 2 PM PST, Jan 17 9:00 AM EDT/Sydney). We have found from previous conference calls that this time slot is the most attended compromise of time zones across our global client base and we will make every effort to record the conference call and post it for your listening pleasure if you are unable to attend.

The purpose of the call is to take feature requests for the upcoming Own Web Now Service Manager extension of Own Web Now Portal (Shockey Monkey) to streamline ordering, provisioning and initial support of our growing product lines. We will quickly discuss the features that we have already put into the product and would like to see what else might be helpful in the software to reduce the cost and time required to purchase and provision Own Web Now Products.

The conference call number is in the monthly Own Web Now News newsletter sent on January 5th. If you are unable to attend but still have a question or comment that you would like us to discuss, please email confcall@ownwebnow.com and we will consider adding it to the presentation. If you do not have the newsletter handy, you can get the dial-in phone number from our support portal (on the front page announcements).

Note: This conference call is meant specifically for the discussion of the service manager feature set, we will not be able to answer questions or offer guidance regarding the schedules or features of our other products.

Several questions have come up in our support portal regarding the automatic software rollout of the ExchangeDefender SPAM Monitor we released earlier today.

The simplest way to roll out ExchangeDefender SPAM Monitor on a managed network is through the Active Directory technology called IntelliMirror, standard in Windows XP, Windows Server 2000-2008 and Windows Vista. The following page describes the basics of the Windows Installer service that can be used to roll out the software package. The process of automatically rolling software out is a complex one and is beyond this article; please contact a trained professional if this is the route you choose. We hope you can understand that we cannot support you on the basics of network management from both legal and confidentiality aspects.

There are several ways to automatically configure the ExchangeDefender SPAM Monitor service for your users, as well as update the configuration from a central location. ExchangeDefender SPAM Monitor uses the following registry key:

HKEY_CURRENT_USER\Software\OWN\ED

There are three string values: email, password and suspended. Suspended can be set to True or False; for the software to function completely, the value should be set to False. The software can be automatically configured without the users' knowledge by including the .reg file with the cab files mentioned above and the appropriate values for email and password.

ExchangeDefender SPAM Monitor 1.0.2 is an optional upgrade for the customers that encountered instability issues with the original release. The original software did not handle 404 errors very elegantly, leading the monitor software to crash if the Internet connection was not available or wifi software launched after the monitoring service did. If you are affected by this issue, ExchangeDefender SPAM Monitor 1.0.2 is for you; if the current release is running without problems, the other minor bugfixes may not be worth the download (major fix for multiple email accounts):

ExchangeDefender SPAM Monitor 1.0.2

Note: Due to popular demand we have also released .cab/.msi files as a part of the package for automatic deployment via Active Directory, Kaseya and other popular management tools.

Our new antispam engine will be launching on Tuesday, January 15th. We have been investigating a number of SPAM patterns over the past few weeks and really building up the technology to fight what we believe is becoming the dominant strain of junk that bypasses virtually all SPAM gateways.

We don’t expect any issues with the new engine as it has been under beta test with our larger clients since Jan 1st.

The other day someone asked how we decide what goes on the Network Operations page, which is due for a big overhaul in the month of March based on everything we have learned so far. How do we figure out if something is important enough to put there, you ask? Very simple:

If an issue is affecting more than 10 customers, or more than one server, it gets posted.

If an issue is likely to affect more than 10 customers, or more than one server, it gets posted.

Simple enough. We are a partner company, we are an extension of their business that provides essential Internet services. As that extension, our duty is to communicate to our partners and our clients when things are different than usual. We have found that this is more effective in terms of providing timely support, and that it is far easier for the clients to be aware of what may be going on, so when they are asked for support they can be fully informed of any service issues.

The site has been very successful, it has contributed to a huge decrease in support requests and consequently savings for everyone involved because we are all that much more efficient. There has been only one negative comment so far, “I want all my information on one page, I don’t want to have to look at three pages to find all my Own Web Now information!” While we can understand the concern, this is a problem that technology has already fixed, people no longer surf the Internet. People subscribe to the data feeds that go on their desktop, portal, SharePoint, you name it. If you are actively seeking out information, instead of letting information come to you in the fastest and most efficient way possible, it’s time to learn about blog aggregators.

If your mail server ever goes down, ExchangeDefender automatically spools messages for it and delivers them when the server connection is restored. Because the delivery is staggered (we don’t fire a thousand connections to your server the moment it boots up) it can take over an hour to deliver spooled messages that have been stored due to an outage that lasted over an hour.

By default, we keep these messages for an interval of five (5) days, but since we are based in the southern United States and prone to hurricanes, flash floods, tornadoes and other inclement weather (one DC even got hit by an earthquake this year) we tend to extend the spooling period on ExchangeDefender from June through November of each year to 14 days. Last year, in light of many of our customers in the northwest suffering from ice/snow storms, we extended this period through January.

This is a notice that our mail spooling will revert to a 5-day interval on February 1st, 2008 and we will extend it back to 14 days starting June 1st, 2008. Email spooling is an automatic low-level process that has since been supplemented by the free ExchangeDefender LiveArchive service. The two are meant to be used in conjunction to provide full business continuity and guard against less-than-reliable Internet connections.

As usual, thank you for your business.

January 2nd, when it falls on a weekday, is the worst day of the year to send email. From a business perspective, it’s the first day of the calendar year, so everyone is back, and probably from more than just a few days off, some even two weeks off. From the technical side, this is also the first day of the year that IT admins come back to work, doing the tasks they do to keep the systems working, usually catching up on a few days of missed maintenance tasks.

Every year the SPAM problem gets worse. On January 2nd not only are you going to be fighting maintenance intervals that didn’t take place but also people coming back to work and catching up on days of piled up emails, where catching up means sending out even more mail. Most email servers out there are overloaded with just the SPAM problem alone; compounding a few days of email correspondence on top of it will make today the least likely day for your email message to be delivered and read.

So if you have a newsletter, a really important note, a critical deadline to meet or an important contact that you absolutely have to reach… email is not your friend on January 2nd.

Of note, ExchangeDefender is currently performing at 43% capacity (10 AM EST, -5:00 GMT).