ExchangeDefender 9 Launch & Bugfix
ExchangeDefender 9
ExchangeDefender 9 launch has gone very smoothly and in the interest of keeping everyone on top of little bugs that may get reported over the next week we’ll keep this post pinned and updated with new bugs and ongoing fixes. So far all the issues have been minor and addressed within 24 hours of reporting.
PDF Download: New ExchangeDefender 9 User Guide
Bugfix log – Monday, August 6th
Trusted sender button in Quarantine view. Messages were properly processed and email addresses added to Trusted Senders so future messages would not be categorized as SPAM by ExchangeDefender. Unfortunately, messages were never released from the quarantine and delivered to users Inbox, which is the desired outcome. This bug has been fixed on Monday, Aug 6th.
Multiple message action. New ExchangeDefender quarantine allows you to take an action on multiple messages by checking the checkbox next to the message. Unfortunately, ExchangeDefender did not properly grab all messages, only the first one. This bug has been fixed on Monday, Aug 6th.
Full email address preview in Quarantine view. New ExchangeDefender UI has removed hover functionality from the portal entirely. Vlad/CEO Note: “Sorry guys, it’s 2018. Everything is touch enabled and touch devices have a terrible hover gesture, we’re moving to actually tapping the screen for info”; Due to the volume of complaints, we have added the expansion of the email address to the UI temporarily while we think of a better way to display it. The problem is with SPAM and mailing list companies that mask/forge the sender address and embed it in the From line for tracking and bounce purposes. This makes the From line too long to display in the ExchangeDefender quarantine view so we trim it. You can now hover over the email address and see the full address in your desktop browser. This feature has been added on Monday, Aug 6th.
SPAM quarantine message counter on the dashboard displays all messages, not just new/unreviewed messages. This problem has been resolved and the counters on the dashboard now only show messages that are new and haven’t been previously reviewed. This bug has been fixed on Monday, Aug 6th. There is an outstanding feature request tied to this bugfix to have counters update in realtime.
Authentication fails when logging in to admin.exchangedefender.com from the SPAM report. This issue has to do with the change of encryption and password security in XD9. This bug has been fixed on Monday, Aug 6th.
Users login is rejected if they used certain special characters. In prior versions of ExchangeDefender, we simply stripped non-alphanumerical characters. With XD9, we use a hashed password so matching the password is only possible when it’s exactly the same as the one we are expecting. We have implemented an authentication workaround on Monday, August 6th.
Domain login failures. ExchangeDefender 9 features a domain administrator account (simply using domain.com) that gives clients the ability to manage the entire organization centrally. This bug has been fixed on Monday, Aug 6th.
Bugfix log – Tuesday, August 7th
Quarantine message preview fails. Several bugs have been filed regarding the ExchangeDefender CAMP (Compliance Archive Message Preview engine) and how display was either off or mangled messages. This bug has been fixed on Tuesday, Aug 7th.
SPAM Czar is unable to retrieve dangerous attachments. ExchangeDefender 9 and the underlying security infrastructure does not allow dangerous content, no matter how badly you want it and have a business case scenario to support downloading a virus/malware. In order to reconcile the request with legitimate use, we’ve implemented a temporary workaround. This bug/feature was added on Tuesday, Aug 7th.
PDF Download: New ExchangeDefender 9 User Guide
CEO’s Note
Every screen in ExchangeDefender 9 features “Give us feedback” link where every user can provide what they would like to see more/less of. As mentioned in countless blog posts and multiple webinars about ExchangeDefender 9, this is the next generation designed for mobile, for touch, for rapid development and flexibility needed to meet modern regulatory compliance requirements. Well over 90% of our features are direct result of client and partner feedback – so please keep it coming. For our part, this has been the smoothest launch we’ve ever had and we’re aggressively fixing bugs while adding new features that make a ton of sense as fast as we can. ExchangeDefender 9 has been in beta since March so our partners have had plenty of time to check it out and familiarize themselves with the new UI but just about every function in the end-user UI is exactly where it was before – so no retaining is needed and so far we’re not getting reports of users not knowing how to get basic stuff done (either directly through our reporting function or indirectly through partner feedback). Huge thanks to our partners and beta testers for making this a smooth launch, we really appreciate it and are thrilled to show you all the new stuff that will be driven by this new, modern, agile platform. I’ve personally been writing ExchangeDefender since 1999 and this is the first release in nearly 20 years to feature 0 lines of code written by me – so at least we got that!
ExchangeDefender and Mobile Device Security
Mobile Device Security
ExchangeDefender protects pretty much any device that has access to email – and a category most prone to email-borne security exploits are mobile devices. ExchangeDefender Pro and our Exchange hosting services can nearly eliminate an attack vector through malware detection, phishing attempt alerts and can help you wipe a device remotely without having physical access to it.
The number one way to get malicious content to a mobile device is still via email – it’s so easy to trick a user to click on a malicious link and on a mobile device it is far harder to tell if the sender is legitimate or spoofed. Hackers format messages in such a way that it’s easy to see legitimate links and accidentally click on malicious ones so ExchangeDefender is extremely useful in making sure any such dangerous content is stripped off in the cloud. Anyone can email any content they wish to your mobile device and with ExchangeDefender you are assured that even the most aggressive of 0 day exploits do not arrive in your users mailbox.
Phishing, or forging/deceiving an identity of a third party, is a popular way for hackers to get users to click on links that appear to be legitimate. It’s very easy to copy a look of an Amazon or bank email notification and get the user to click on the link that takes them to a forged web site to download malicious content. Unlike Malware protection, which removes dangerous content from the email, phishing protection deactivates links in email messages and highlights phishing attempts when links to third party sites do not match the domain name of the sender. If you were getting an email from jeff@amazon.com would he be including a link to http://1001smallbizscamsandfrauds-519.org? Our system will deactivate that link and keep your user safe from whatever is on the malicious site.
Remote Wipe & Device loss management
In the event that your users device is lost, users employment is terminated, you don’t have physical access to the device but need to wipe it for security reasons – you can start a remote device wipe through your Outlook Web App under Settings > Mail > Options > Mobile devices and selecting Wipe Device. Within moments the device will be wiped clean of any data, content and settings and this works for both iPhone and Android devices (tables and phones).
ExchangeDefender Pro offers users a VPN server to connect to in a secure manner no matter where they go. Public Wifi hotspots tend to have questionable security at best and can be used to compromise a device that is connecting blindly across the Internet. Connecting your phone automatically to a VPN can assure that email access (and all the confidential data in the email) can never be snooped on.
We are currently in beta with our mobile OTP/2FA applications which will further turn the mobile device into a part of your authentication so you don’t have to remember complex passwords at all. In the meantime, it’s important to let the users know what ExchangeDefender is currently capable of doing for them and to enable/configure those features so they are actively protecting every email user in your organization.
ExchangeDefender Support: Enhanced Security and Password Management
Password Policies
You’ve seen us blog endlessly about improved security that is being rolled out with all the brand new features across our entire product and service portfolio. Trust us, this is not a simple process of just changing the password complexity requirements, people hate password changes and for the most part have become predictable in what their current and next password will be. Add to it the fact that almost everyone uses the exact same password all over the web and not a single day passes by without at least one major provider having a data breach. Sometimes it becomes comical – even LifeLock had a security issue today where they exposed a bunch of data and had to take their site offline!
So passwords suck and short of using our One Time Password / Two Factor Authentication service, it’s going to remain that way. The cool thing about ExchangeDefender, and all of our service, is that we’re going to help you better manage security and password expiration so that your users and services can remain protected and still user friendly.
New password policy at ExchangeDefender, for all of our services going forward, will be a required mixture of upper case, lower case, numbers and special characters with minimum length of 9 characters.
That is just the beginning. Some services will require a transparent OTP/2FA using your email address or cell phone as an additional real-time identity verification process. If you are about to make a large-scale change, we want to make sure it’s you and not just someone that got your password. Calling in will now require PIN or txt verification as will any service request changes – the cool thing is, if you can provide us with that information we can do just about everything you want or need through phone and chat.
The reality of security on the web is that it’s as weak as the laziest user – and it only takes one careless one to mess up the entire organization. We are on your side, we are on your team – that’s why you hire ExchangeDefender – so we’re stepping things up in terms of support and management functionality to help identify, train, and assist users when they run into an issue. Passwords and password changes may continue to suck until the end of time – but we are currently making huge changes in the way we handle support in order to help our partners and CIO’s become more productive by letting us both better secure and support users.
Managed Outbound Network Services
Beta Launch: Managed Outbound Network Services
ExchangeDefender is proud to announce the beta launch of our Managed Outbound Network Services – interjecting support, monitoring, and management of outbound mail delivery services. If you’ve ever had to deal with outbound delays, deferrals, rejections, SMTP channel errors, etc we will now have the ability to assist you with email delivery and facilitate problem resolution for outbound email delivery in realtime.
One of the biggest problems in troubleshooting outbound mail problems is that problems are noticed days later, and are generally resolved well before a ticket is opened. The same goes for abuse, sometimes a mail blast is caught only after hundreds of messages have been sent and domain/sender had their reputation damaged.
Tighter Restrictions Means Better Monitoring
Our new ExchangeDefender Managed Outbound Network Service involves tighter restrictions and better monitoring of email traffic by actual humans reviewing statistical models in realtime. This is not something that is possible through automation because it’s very difficult for computers to determine legitimate content from illegitimate or dangerous content. Sending patterns also change depending on the sender, time of day, day of the month, devices, etc. User may run a mail merge marketing campaign or invoice batch and send hundreds of messages in a very short period of time, blocking their access automatically would interrupt legitimate activity. By adding people to the mix, that can analyze the content and sending patterns we have the ability to stop outbound mail abuse the same way we do it on the inbound side.
“Considering that almost 30% of our support time is dedicated to outbound mail delivery inquiries,
we expect this new solution to reduce our partners and clients time significantly.”
-Vlad Mazek, CEO ExchangeDefender
The best part about the new service is that it will be free and will require no configuration or management on our clients or partners behalf. Any notices we may have to issue to end users will automatically carry our partners or clients logo and contact information and will be resolved in realtime. Historically, we know that 90% of the time our clients are not aware of an issue at all, and we hope that the new service will reduce ongoing support and technical troubleshooting struggle our partners have had to go through regarding email delivery. By catching the issue in realtime, we will also help our partners appear more proactive and able to protect their clients better during 0-day infections and outbreaks. Additionally, we will be able to minimize the damage that a single careless user or hacker can cause an entire organization by stopping an outbreak at the source.
We will be writing more about this service in August and the first beta clients will be onboarded during the 2nd week of August – if you are interested in participating please send an email to beta@ownwebnow.com and let us know!
So You Think GDPR Doesn’t Apply to You?
That Four Letter Monster: GDPR
We know – you’re tired about hearing about GDPR – and you’ve probably received a billion emails about it from marketers all over the world urging you to “confirm” your subscription. As our CEO recently posted on Facebook:
“There were two kinds of IT people this week on Facebook – those that whined about
GDPR and those that got richer as a result of it.”
You can hear more of Vlad’s unfiltered thoughts on GDPR in the Game Changer webinar held earlier this month, but needless to say the GDPR is something that is here to stay and with every public privacy breach the notion of government regulation worldwide is going to start with GDPR as the foundation.
What this means for you – regardless of whether you’re the CIO or an MSP partner – is that client data privacy, disclosure, search, and reports will start consuming more of your time.
Do you currently have a solution in place that can quickly tell you what sort of data you have on your clients? Beyond your CRM.
What about the invoices that get emailed out with account numbers and addresses?
What about any contracts or agreements that got emailed back and forth?
I think you see where we are going with this: you need to prepare your IT for eDiscovery even if you don’t have urgent, current, and pressing reason to do so. Penalties for exposing financial data are extreme and the more the world gets used to privacy disclosure and where client data may be stored the more requests and inquiries you will start seeing. Businesses (aka “people with money”) are the low hanging fruit that will be sued first.
This is by no means a new trend: We have been selling Compliance Archive and Corporate Encryption for years but GDPR has really put the demand for these products into a new gear. For our partners, this has significantly increased both sales and service requests that are a giant opportunity for many to be ahead of the curve and regulatory changes worldwide.
Get ready for it today and call us – we have the products, the service, documentation, marketing collateral and back office legal support –
all you need to do is present it to the client and can help you do the rest.
ExchangeDefender 9 Going Live! July 28th
ExchangeDefender 9
ExchangeDefender is proud to announce that ExchangeDefender 9 will be exiting the beta stage next week and will be in production for all of our clients on Saturday, July 28th, 2018. We want to prepare our partners and clients for our rollout schedule so that everyone is ready to go for what we expect to be a very seamless and effortless transition. You can see the new version at https://admin8.exchangedefender.com and we have written about it extensively here.
ExchangeDefender 9 has been running with new infrastructure since August of 2017, new UI launched earlier in the Spring of 2018 and all the automation and functionality has been tested extensively.
To sum it up:
Brand new outbound network Brand new inbound network
All new infrastructure, network, switching and security workflows
Brand new user interface and user experience
Tons of new features
The best part of it all is that all the functionality that you already use is in the exact same place, behaving the exact same way, and yielding the exact same results. The magic is in everything around it – everything is faster, more accessible, more streamlined and has far more functionality and flexibility than before. Just as a minor example, the new user interface allows you to interact with ExchangeDefender the same way no matter whether you’re at your desktop or on your mobile phone – and you get the full feature set, not just limited mobile experience.
Rollout Schedule
ExchangeDefender infrastructure is already running on the new code and has for months. This piece of our network is under constant maintenance and monitoring and we’re certain about it’s performance. You will not see any changes here.
On Saturday, July 28th, 2018 we will switch https://admin.exchangedefender.com to the new version of the UI/UX. Users will begin to see changes nearly immediately starting with 9AM EST. There may be a period of about an hour during which some users will experience the new UI and old UI – our support desk will be available via phone, chat, Facebook, twitter and support portal at https://support.ownwebnow.com the entire weekend to handle any issues that may come up. End users will also have a direct link to us to resolve any issues so if you’re one of our partners and don’t have a 24/7 support line – consider it covered.
On Sunday, July 29th, 2018 we will conduct a routine maintenance crash test – intentionally taking down random sections of our platform in order to determine resilience. This test will be conducted at random times during the day and we do not expect it to interfere with any operations.
New documention, marketing and collateral will become available the week of July 23rd but most of it is already available at www.exchangedefender.com right now.
Thank you for your business!
ExchangeDefender IoT Email Relay Service
The Internet of Things
ExchangeDefender IoT has concluded it’s beta period and we’re thrilled to announce that the system will go into production this week. We have blogged about this previously and the demand for this service really surprised us – so we’re rolling with the production and adding all the new features into the beta product as the applications for this service are quite extensive. To sum it up:
ExchangeDefender’s IoT Email Relay Service
ExchangeDefender IoT Email Relay Service is a custom email smarthost (outbound relay) designed specifically for Internet of Things devices and services to securely dispatch realtime email alerts. Feature-wise:
– XD IoT Relay assigns every device has it’s own account/credentials so if one device is compromised the email capabilities of others aren’t impacted.
– XD IoT Relay is secure permitting traffic only via TLS/SSL SMTP protocol to assure security credentials cannot be sniffed on the network.
– XD IoT Relay allows dynamic IP ranges, allowing for cell/4G/LTE devices and sensors with remote/unsecure network connectivity to relay alerts.
– XD IoT Relay is compatible with every device that can send out email via SMTP/SSL (should be all of them) and is backed by our support and automated throttle management (in the event of an infection)
New feature is available in the ExchangeDefender admin portal under Domain Admin > Accounts > IoT Accounts.
Simply add a new account for each device you wish to have relay rights for (they are free for now) and configure your device to relay through outbound-auth.exchangedefender.com. Our service is globally redundant (no single point of failure) and is under our SPF/DMARC announced range.
We will be blogging more about this feature as we develop it and get a better handle of how it’s used but the feedback so far has been very positive and constructive. The biggest surprise (read: shock) is the level of unreliability of some of these devices/sensors and their rather infant API/app development – but they all know how to send email so many of our partners are looking to us to help fill the void between these devices/sensors going dark/offline and production email notification service. Many of our partners also looked to use this for printers, blogs, contact forms and a seemingly endless set of services that a remote ISP should be providing but they don’t – so when it comes to business and email people come to ExchangeDefender.
P.S. If you’d like to hear more about this feature and all the other new stuff we have set for ExchangeDefender in 2018, please download the webinar where we go into the details of how/why/what that might give you a broader perspective on how to position, sell, and implement these new features. Please click here to download the webinar.
Three Simple Ways To Begin Regulatory Compliance Archiving
Have you been putting off offering or relying on Compliance Archiving to meet regulatory compliance requirements? If so, you’re among friends as most businesses tend to view it as a form of a backup until they receive a letter from a law firm. Recently we published a quick and informal techie-free post about business continuity and we wanted to do the same for archiving because the #1 thing that will keep you out of trouble is making sure your entire organization is on the same page.
With that in mind, here are three steps that your organization needs to follow to get started with Compliance Archiving:
Step 1: Understand how your organization communicates
If you only knew what everyone did and what they had access to, things like security and compliance would be a non-issue. In the real world, organizations have a revolving door of staff, vendors, clients, laws, and projects that is constantly spinning. The notion that you can get something to manage it all, held together by IT staff and automation, is nothing short of a fantasy. Or rather, a nightmare, because you’ll get in trouble over one thing that was missed and went wrong not a million things that went right.
Our Compliance Archiving touches every message in your organization: doesn’t matter if it’s a message you sent to a client, a message you received from a vendor, or an interoffice email you sent to a coworker – we get them all. The important thing in step one is identifying the people and making sure that the way you communicate is set in stone: “We communicate with everyone through @ownwebnow.com email addresses, every ticket, every update, every inquiry, every quote, every bill pay – everything either comes from or is cc’d to an @ownwebnow.com address.”
Step 2: Get a grip on your devices, apps, and processes
Convenience is the enemy of order. And if you’re going to run a business, you cannot have everyone do exactly what they want to do. Yes, Subway will make your sandwich any way you want them to, but if you walk in and order a key lime cheesecake you’re going to be hungry. Same method applies to all the devices, apps, processes, etc. The simplest, most common sense, most effortless thing to do is to just give everyone that works on your behalf an email address on your infrastructure and have them use that email for all company communications.
If they use something else, and for some reason you wish to permit that rule change in your business, request that everything is cc’d to a local shared mailbox where you can keep ownership of it. Don’t make a big deal out of it – we get our office beer and red solo cups from Costco – and believe me we don’t have a massive asset inventory tracking system around it with people signing off on stuff left and right. We just take a picture of the receipt/order form and email to a receipts@ address – done.
Step 3: Get a regulatory compliance plan
The worst thing you can possibly do is start thinking about a plan when you’ve received a request for information or a legal hold. The good news is, step #3 is the simplest one because it’s just a matter of calling us at 877-546-0316 and talking to someone about implementing the Compliance Archiving solution. The complexity isn’t in the technology, it’s with the people and the constant sprawl of apps and devices that hold vital corporate information.
The great news about what we offer with our partners is that anything going in and out of your company can be screened, monitored, reported, and produced on demand or automatically for just a few bucks a month. The biggest challenge is knowing what to do – and you have to actually get started.
We look forward to serving you and making regulatory Compliance Archiving a breeze.
Security Problems vs. Business Problems When It Comes to Email
We live in interesting times when it comes to business email. The widespread abuse of email by hackers and spammers has always provided a cover for some rather shady email sending patterns used by small businesses. The rise of GDPR, CAN-SPAM, and other rules, regulations, and acts has built a financial incentive for regulators to go after businesses that violate the rules and small businesses are a sitting duck – too local and easy to track, too easy to report, and often very easy to fine.
Email is quickly becoming a great source of revenue for enforcement agencies – and protecting businesses from themselves (your marketing department in particular) is a challenge so many small businesses need to get a grip on before excessive penalties threaten the very existence of the business that crosses the line even once. So congratulations MSPs, VARs and security professionals, now your SPAM and mail flow management isn’t only going to concern illegal/hacker abuse, you’re now going to be at odds with your clients and how their “unique business case scenario” that will likely get them fined out of business. Fun, right?
Management of all these new things is a subject of our upcoming webinar, next Wednesday, where we hope to give you some technical insight and practical business advice on how you can help businesses manage their email activity properly. Bring your techies and business/sales team in as well, as this affects both sides of the house. Or, you can just tell your clients not to SPAM out and hope they listen to you – my wallet thanks you in advance if you choose this route (sarcasm heavily implied).
Wed, Jun 27, 2018 12:00 PM – 1:00 PM EDT
Click here to register
To be clear, this is not another webinar about GDPR. At all. But you can use GDPR to inform your clients about the potential issues that are coming up. Big businesses and marketers are already facing the inevitable and I bet you that even with the onslaught of all the emails and notices you didn’t quite appreciate what those “notices” were meant to do in the first place. Inform you about GDPR and updated privacy policies, right? Wrong. They are being used to get you to opt back into messages that you accidentally got rolled up in the first place. And this is for things you knowingly entered into – think about how a typical small business gets it’s leads – from purchased lists to sweepstakes and raffles and “win a free lunch for your company” business card drops – all of that is about to become a nightmare for the IT department to manage and protect.
Or you could just see how we do it with Corporate Encryption and Compliance Archiving.
Redesigning Our Outbound XD Network
As we hinted before in our Outbound IoT announcement, there are some big enhancements coming to our ExchangeDefender outbound network. The job of getting the mail delivered over the Internet is more art than science and we are looking to put more resources behind this as encryption, compliance and GDPR take over. So today, I want to briefly walk you through our vision (roadmap to follow on this months webinar) of what we’re about to offer at scale.
The biggest obstacle to efficient email delivery are the actual users. I know it sucks to have a finger pointed back at you but truth is most of the delivery problems aren’t caused by connectivity, routing, or SPAM filtering software, they are caused by behavior and sending patterns of users. They fall into two categories: negligence and inappropriate email usage. Negligence comes in many forms but primarily lack of security (weak passwords, unpatched servers, compromised networks/accounts) leading to a SPAM outbreak from a domain that otherwise wouldn’t be sending SPAM. Inappropriate email usage comes from users knowingly abusing their personal email accounts to send large mail merge, mailing list, commercial SPAM sort of content. Yes, everyone has a justification and an excuse for behaving the way they do and we’re not here to judge that – but machines have 0 judgement and only work off “score” that is calculated by adding points to a total until a message has enough to qualify as SPAM. If you look like a spammer, the remote system isn’t going to care much that you aren’t. We can only address these through education and we’re committed to doing that at ExchangeDefender… but, we can do even better. And that’s our vision for our supported outbound network.
We are currently working on consolidating our entire outbound network into a single outbound.exchangedefender.com – that means saying goodbye to –corp, –jr, –int, –misc and specialty email routing services we’ve written to help address unique business requirements of our users. Starting soon, the entire network will simply allow outbound mail for person-to-person communication regardless of the message format and contents (yes, you’ll be able to use out of office (OOF) notices and autoresponders again). For non person-to-person email, we’ll use outbound-auth for devices, services, etc. For marketing (newsletters) we’ll have one as well.
The big change will be in support and an active managed postmaster. This simply means that there will now be a monkey-in-the-middle facilitating, reporting and auditing outbound mail sending patterns to assure delivery and proper routing. Say Bob from Marketing decides to do a mail blast using his Outlook and attempts to hit 5,000 contacts. All but maybe 100-200 of those messages will actually make it through our network. Say your “Password1!” security credential was compromised and someone started using your Exchange login to run a SPAM campaign – that too isn’t getting out. And the support team that will be managing this flow will be the same one that will be helping you address mail problems immediately, not as a reaction 3 days later when your domain ends up on an RBL.
That and you’ll have additional intelligence embedded in outbound mail routing to assure delivery and start realtime conversations for things that are better handled in a chat vs. email. But sssssh that’s a secret for now. Everything else about this (and the new UI) is coming in this months webinar, I cannot encourage you enough to register for it, tune in live and ask questions:
New Features Webinar
Wed, Jun 27, 2018 12:00 PM – 1:00 PM EDT
Click here to register
We believe that the division of email flow – separating machine/service/device/non-person mail from person-to-person email will give us the unique ability to more precisely deliver messages over notices and also improve our ability to get around bulk filtering that plagues us just because of the way email is routed. Getting support in there, in realtime, will make the difference between an issue being handled directly and right away as opposed to dragging on for days and offering no assurance to the client or recipient where the message went. So not only will support and client relationships improve, so will our ability to embed more features into outbound mail that will make it more effective as opposed to leaving it at “best-effort”.
