ExchangeDefender

One of the frequent comments we get from our users concerns the apparent sudden increase in SPAM between 9 AM and 7 PM. Overnight, hardly anything comes through, but during the daylight hours the spammers seem to get going along with the rest of us!

Yes, yes they do. But not in the way you would imagine.

Most SPAM today originates from workstations, office computers, home computers, etc. Many studies on the Internet put the share of systems compromised by a worm or a virus at 25%. That means that one in four computers in use is being abused to send junk mail.

When workers get to the office and power on their systems, they also power on the SPAM amplifiers that hackers have turned those computers into. With more companies going green and mandating computer shutdowns outside of regular business hours, the start and end times of SPAM activity line up with business hours more sharply than ever.

This also contributes to delays and deferrals during business hours. Networks lie practically dormant overnight; as the millions of compromised computers (“spam zombies”) come online, the mail servers are hit with a huge load that is amplified further by all the “opt in, confirm your email” systems and so on. This tends to overload the mail servers and cause huge delays and disconnects all over the place.

This is in part why we only troubleshoot delivery issues during business hours. After hours everything appears to run correctly because there is significantly less load placed on the network. Testing during business hours, however, quickly identifies a host that is overloaded and not accepting any mail.

We have been closely monitoring the Antispam engine since the upgrade took place on Tuesday and so far the performance is quite impressive. We are blocking more messages than ever before and the false positive ratio has gone down as well. What that means is that ExchangeDefender now incorrectly classifies a legitimate message as SPAM only about once in every 800,000 messages processed.

Our SPAM training will now resume; please accept our apologies if you happened to receive more SPAM than usual over the last few days. ExchangeDefender uses automated processes to classify messages as SPAM or legitimate mail based on hundreds of thousands of rules, sender reputation, message contents and more. No message is ever screened by a human being. We do monitor honeypots (our mailboxes placed on the Internet for the sole purpose of collecting junk mail) and build message filters accordingly, so if you wish to help, forward anything that ended up in your inbox that looks like SPAM to spam@ownwebnow.com (including the full headers helps a lot as well).

We have already built a set of rules for the SPAM that has been emerging lately: mostly Regions Bank forgeries, graffiti.net scatter, Treasury Department Circular 230 and the massive amounts of URI SPAM being distributed through Google – google.com, google.co.uk, google.co.tw and more.

“I am still receiving far too much SPAM”

First, “too much SPAM” is a relative term. If your address has been online since 1993 and is on every mailing list available, you are likely receiving thousands and thousands of messages a day. If a few slip through it is simply due to the volume of mail sent to you – a new SPAM run reaches you before it reaches our honeypots, there is no rule to filter it yet, and the message gets delivered as legitimate. As that SPAM becomes more prevalent, it starts getting blocked by ExchangeDefender. If you would like to help us filter it faster, forward the message to spam@ownwebnow.com

Second, we only guarantee SPAM filtering efficiency of 99.99% if you have IP restrictions in place. If you are accepting messages from anyone that connects to your mail server, then you take ExchangeDefender out of the mail flow and we are unable to protect you. Please ask your system administrator to enforce the IP restrictions and the other helpful deployment strategies described at ExchangeDefender Support.

Finally, there is a difference between SPAM and the SPAM you subscribed to. If you subscribed to many stock newsletters, mailing lists, etc., we will not consider them for a SPAM rule. These are legitimate messages and you should address the issue with the sender, not with ExchangeDefender. If that is absolutely beyond consideration, contact your system administrator and request that they put the sender’s domain (Constant Contact, MarketWatch, Yahoo Finance, Wall Street Journal, etc.) on your domain blacklist.

“How much SPAM is too much SPAM?”

On average, a small business organization (5-30 people) receives approximately 20,000-50,000 messages a day. Of that, ExchangeDefender automatically discards roughly 70% just on sender reputation, multiple blacklists, address book exploits, address harvesting, etc. Of the remaining messages, SPAM tends to comprise 10% and SureSPAM traditionally takes between 80 and 90% of messages, depending on whether there are viruses or worms being spread at the moment.

Overall, ExchangeDefender keeps 96-98% of inbound mail out of your mailbox. That means that the combination of legitimate mail and SPAM that is falsely classified as legitimate accounts for 2-4% of all mail. It is normal to receive a few SPAM messages a day; for some of the older addresses and generic addresses (info@, sales@, contact@, bob@) it can be up to a dozen. Anything more than that gets investigated. Anything below that, honestly, is within the fault tolerance of the filters. Remember that these are not screened out by a third party or a live human being, and that they cannot be guaranteed in any way because there is no way to predict what is SPAM before it actually gets sent enough times. SPAM filtering and virus filtering are not the same thing and the protection does not work the same way. For example, if we blindly filtered every “Viagra” reference, no legitimate email containing that word would ever pass through. The same goes for word fragments: say we filtered every instance of “ass” as SPAM? How many words in the English language contain the letters “ass”? Pass? Class?

Thank you for your business, thank you for your patience with the new engine rollout and we hope this blog post helps explain how the SPAM filtering works and how we can all get rid of more SPAM.

Several questions have come up in our support portal regarding automatic software rollout of the ExchangeDefender SPAM Monitor which we released earlier today.

The simplest way to roll out ExchangeDefender SPAM Monitor on a managed network is through the Active Directory technology called IntelliMirror, standard in Windows XP, Windows Server 2000-2008 and Windows Vista. The following page describes the basics of the Windows Installer service that can be used to roll out the software package. The process of automatically rolling out software is a complex one and is beyond the scope of this article; please contact a trained professional if this is the route you choose. We hope you can understand that we cannot support you on the basics of network management, for both legal and confidentiality reasons.

There are several ways to automatically configure the ExchangeDefender SPAM Monitor service for your users, as well as update the configuration from a central location. ExchangeDefender SPAM Monitor uses the following registry key:

HKEY_CURRENT_USER\Software\OWN\ED

There are three string values under that key: email, password and suspended. Suspended can be set to True or False; for the software to function completely the value should be set to False. The software can be automatically configured without any user interaction by including a .reg file, carrying the appropriate values for the email and password keys, alongside the .cab files in the deployment package.
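As an added example (not ExchangeDefender’s own tooling), the PowerShell below generates such a .reg file for the key and values named above, with the escaping the .reg format requires, and reads the configuration back to confirm the agent will actually run. Because the password lands in HKCU as a plain string, the generated file is a credential and the deployment share it sits on should be ACL-restricted accordingly; the credentials in the usage comment are placeholders.

```powershell
# Added example, not ExchangeDefender's own code.
# Builds a .reg file that pre-configures HKCU\Software\OWN\ED (email, password,
# suspended) so it can ship alongside the .cab/.msi package.
function New-SpamMonitorRegFile {
    param(
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][string]$Password,
        [bool]$Suspended = $false,
        [Parameter(Mandatory)][string]$OutFile
    )
    # String values in a .reg file must escape backslashes and double quotes.
    $esc = { param($s) $s.Replace('\', '\\').Replace('"', '\"') }
    $lines = @(
        'Windows Registry Editor Version 5.00',
        '',
        '[HKEY_CURRENT_USER\Software\OWN\ED]',
        ('"email"="{0}"'     -f (& $esc $Email)),
        ('"password"="{0}"'  -f (& $esc $Password)),
        ('"suspended"="{0}"' -f $(if ($Suspended) { 'True' } else { 'False' })),
        ''
    )
    # Version 5.00 .reg files are UTF-16 LE; -Encoding Unicode writes that with a BOM.
    Set-Content -Path $OutFile -Value $lines -Encoding Unicode
}

# Reads the values back for the current user and reports whether the agent is
# fully configured: both credentials present and suspended exactly "False".
function Test-SpamMonitorConfig {
    $key = 'HKCU:\Software\OWN\ED'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return [bool]($p.email -and $p.password -and $p.suspended -eq 'False')
}

# Usage with placeholder credentials (run as the user being configured):
# New-SpamMonitorRegFile -Email 'user@example.com' -Password 'REPLACE_ME' -OutFile "$env:TEMP\ed.reg"
# reg.exe import "$env:TEMP\ed.reg"
# Test-SpamMonitorConfig   # expected: True
```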

ExchangeDefender SPAM Monitor 1.0.2 is an optional upgrade for customers who encountered instability issues with the original release. The original software did not handle 404 errors very elegantly, causing the monitor to crash if the Internet connection was not available or if wifi software launched after the monitoring service did. If you are affected by this issue, ExchangeDefender SPAM Monitor 1.0.2 is for you; if the current release is running without problems, the other minor bugfixes may not be worth the download (the major fix is for multiple email accounts):


ExchangeDefender SPAM Monitor 1.0.2

Note: Due to popular demand we have also released .cab/.msi files as a part of the package for automatic deployment via Active Directory, Kaseya and other popular management tools.

Our new antispam engine will be launching on Tuesday, January 15th. We have been investigating a number of SPAM patterns over the past few weeks and building up the technology to fight what we believe is becoming the dominant strain of junk that bypasses virtually all SPAM gateways.

We don’t expect any issues with the new engine, as it has been under beta test with our larger clients since Jan 1st.

January 2nd, when it falls on a weekday, is the worst day of the year to send email on. From a business perspective, it’s the first day of the calendar year, so everyone is back, probably from more than just a few days off and in some cases two weeks off. From the technical side, this is also the first day of the year that IT admins come back to work, doing the tasks they do to keep the systems working, usually catching up on a few days of missed maintenance tasks.

Every year the SPAM problem gets worse. On January 2nd you are not only fighting maintenance intervals that didn’t take place, but also people coming back to work and catching up on days of piled-up emails, where catching up means sending out even more mail. Most email servers out there are overloaded with the SPAM problem alone; compounding a few days of email correspondence on top of it makes today the least likely day for your email message to be delivered and read.

So if you have a newsletter, a really important note, a critical deadline to meet or an important contact that you absolutely have to reach… email is not your friend on January 2nd.

Of note, ExchangeDefender is currently performing at 43% capacity (10 AM EST, GMT -5:00).

Today we proudly introduce yet another way for users to conveniently get rid of Junk Mail and still have it all stored just a mouse click away, on a network far far away. ExchangeDefender Spam Monitor is a piece of .NET 2.0 software that runs on your computer and pops up a small bubble notification letting you know how much SPAM is waiting for you. If you ignore it, it goes away in seconds; if you click on it, the browser pops up and logs you right into your account so you can quickly review your SPAM and go about your day.

SPAM Monitor runs as a standalone application and consumes just 74 KB of memory. Double-clicking the icon brings up the configuration window that allows you to enter your ExchangeDefender email address and password. Right-clicking the icon gives you the options to suspend the agent or View Spam. Suspending the agent stops it from checking the web site and displaying hourly message counts, while the View Spam menu option launches the browser and gives the user access to their account.

The agent was designed to assist users who needed a realtime, accountable way to get to their SPAM without waiting for email reports, but who didn’t want to create desktop shortcuts. We also hope this allows our resellers to support their customers in a more efficient way – “Do you see the orange box with the X on it in the lower right hand corner? Right click and select View SPAM.”

We hope this makes Howard Cunningham happy

To download SPAM Monitor please click here.

On December 16th, 2007 we will be releasing a massive update to the ExchangeDefender policy server, to account for a number of rather unpleasant bugs that have come up as a result of changes from 2.x to 3.0 and 3.1.

Because this is a large scale upgrade with lots of changes under the hood, there may be some temporary downtime while we roll the new system out. This downtime is only going to affect the web site https://admin.exchangedefender.com but mail will continue to flow and no other systems will experience issues. We expect the outages to last a few seconds at most as we reload one system after another.

We chose to announce this on the corporate blog instead of the Network Operations site because some of these bugs have been inconveniencing many of our users and we wanted to let you know that this batch of updates addresses all the issues that have been brought up in our portal. A specific changelog will be posted at a later date.

This release will not have any new features and the new feature releases will resume on Jan 2, 2008. We have used the past two months to correct all the outstanding issues in the system, from nagging bugs to poor documentation, and I believe you will be very pleased with the results starting next Monday.

We have folks at Own Web Now who do nothing but troubleshoot ExchangeDefender delivery issues all day long, and we figured we’d share in the fun. This is the first draft of the document titled Troubleshooting ExchangeDefender Delivery and is meant to help junior administrators master the art of troubleshooting SMTP.

Download: Troubleshooting ExchangeDefender Delivery (PDF)

Covered in the document are steps to troubleshoot inbound and outbound delivery, server configuration, IP restrictions and even how to help remote senders find out where the issue may be. I have been working hard on designing a troubleshooting portal (to send sample messages, check RBLs, etc.), but we thought putting the whole best practices process on paper would be very helpful and save a few trouble tickets in the process.

Take a look at it; we hope you enjoy it. Feedback is always appreciated.

Please be advised that we’re upgrading ExchangeDefender’s SQL Server backends throughout this week.

No services will be interrupted, however, you may see slight delays at times (from a few minutes to potentially 20–30 minutes if you are on a low bandwidth solution).

We expect this routine maintenance to be completed by Wednesday evening, EST.

Service work completed. We will do one final pass on Saturday evening, October 13, starting at 8 PM and ending at midnight, but all major work has been completed.