Category Archives: Musings

TechEd 2003 is right around the corner. In addition to my session, there are a number of other useful sessions that security-minded folks should consider:

• Mortimore, SEC301, Best Practices for Security and Patch Management (Arena, Monday, 1330-1445)
• Attwell, MSG328, Reducing Spam with Exchange Server 2003 and Outlook 2003 (Ballroom C1/2, Tuesday, 1045-1200)
• Riley, SEC304, Enhancing Exchange, OWA, and IIS Security with ISA Server Feature Pack 1 (Arena, Tuesday, 1045-1200)
• Morris, MSG329, Controlling Viruses with Exchange Server and Outlook (D171/D173, Thursday, 1700-1815)
• Riley, SEC499, IPSec Internals and Implementation Examples (Arena, Friday, 1300-1415)
• Batthish, MSG345, Deploying OWA and FE/BE Topologies for Client Access (Ballroom C1/2, Thursday, 1330-1445)
• Riley, MSG308, Secure Access to Exchange From the Internet (Ballroom C1/2, Wednesday, 1700-1815)

I won’t be able to attend all of these, but I always make it a point to hit Steve Riley’s presentations, and if you’re interested in baseline security and patch management, Mark Mortimore’s session is a must-attend too.

TechEd is just around the corner, and I’ve been invited to give a security session.

SEC306 Secure Messaging and Communications with Exchange Server
This session delivers the critical information that Exchange administrators, security architects, and messaging designers need to understand to protect their Exchange systems. Protecting your organization from malicious content, and misuse of messaging communications is becoming ever more critical as we depend on our messaging systems to provide anytime, anywhere access from a wide variety of devices. If you are serious about secure messaging and communications, you must attend this session. This session will focus on security updates in Exchange 2003 including relay restrictions, OWA security improvements, authenticated and restricted DLs, improved AV & Anti-spam features, and RPC-over-HTTP. Key security concepts for Exchange 2000 and Exchange 5.5 will also be summarized. Come in, sit down, and hold on tight for this fast-paced and demo-packed presentation.

The next product on my evaluation list is CMS’ Praetor. My initial impression is that this is a complex, full-featured product, and it’s expensive, too. (The fact that CMS is offering a 30% discount if you’re using a competing product helps reduce the sting somewhat.) It supports X- headers for filtering and has a range of quarantine options. However, I’m not crazy about three aspects of the product:

• it doesn’t use the Windows Installer, and its custom installer doesn’t bother to check for existing SMTP services on a machine
• it has its own separate administration program (which apparently can’t be installed on any machine other than the one running Praetor– so much for remote administration)
• it doesn’t integrate directly with Exchange. Although CMS says you can run it on your Exchange server, they seem to recommend running it on a separate box, so that’s what I’m doing. It didn’t coexist well with ISA in my very limited testing, so for now it’s on a separate machine.

I’m also not too impressed with the documentation; while it is complete, it’s formatted using the old “ransom note” style template, and it’s a reference. For a product this complex, a task-oriented doc would be much more useful.

MailEssentials has been running for the last week or so. After a little experimentation, I discovered that it wasn’t catching spam because I’m an idiot. I hadn’t specified any SMTP domains as inbound, so ME was looking for spam sent to *@robichaux.local– since robichaux.net and 3sharp.com are the domains I use, it wasn’t catching anything. After I fixed that, it began behaving as expected. However, its lack of a way to add subject tags to indicate spam means that I have to route all suspected spam to a public folder– where E2K turns it into an IPM.Post item, so it loses its original addressee information. Redirecting all the spam to a single mailbox works, but that raises the question of how to redirect it; the only way I can see to do it is with a script that adds a spam tag to the subject and redirects the message. That’s more trouble than I’m willing to go to for this product. In GFI’s favor, their product installs and uninstalls cleanly, it’s stable, and it has good documentation. However, it’s time to try something else.
UPDATE: GFI support confirms that their product doesn’t allow subject rewriting, and they’re not likely to add it.

So, I finally decided that the volume of spam on my servers had grown past my ability to tolerate. I decided to hold a spam-off by testing several well-known products and reporting the results here. My critieria are simple if unscientific: whichever product gives the best price/performance/usability ratio wins.
I started with GFI MailEssentials, which has been widely praised in a variety of places. It downloaded and installed easily (great installer), but after three days, it hasn’t caught any spam, at least according to its own logs! It doesn’t offer a way to quarantine spam into a public folder, and there’s no way to mark a message as suspected spam. Other than that, it’s great 🙂 I’ll post an update after I check with their technical support; I can see that the event sink is working because some messages from hosts on the ORBS RBL have been NDR’d (at least according to the logs).

Hallejulah! Microsoft has released a patch that allows the Exchange System Manager tool to run on Windows XP. As it turns out, getting this done took a lot of work from several product teams at Microsoft. Good for them– this is a welcome, if overdue, release.