Do you leave your work at the office at the end of the day? Didn’t think so. Most companies have at least several people, if not the majority of employees, taking work home; and many have staff members telecommuting from home on a regular basis. This too, is a wonderful trend. I personally haven’t seen the inside of a cubicle in 18 years, and this trend is only going to increase. The office is fast becoming obsolete and unnecessary.

But those security measures, and the trend of working at home, work at cross purposes. Security measures in the office usually stop at the network, protecting access to files and applications and ensuring that PCs within the physical boundaries of the workplace are protected against attack. But today, physical boundaries are irrelevant.

We saw this last week when an ethics report from the US House of Representatives was accidentally leaked onto a public P2P file sharing network. The document was an internal file that listed several members of Congress who were being investigated for ethics violations.

There is an argument, which has some legitimacy, which says that ethics investigations should indeed be made public. Citizens have the right to know whether their elected representatives are crooks. But that argument is misplaced. The policy of the Ethics Committee is not to disclose those investigations unless there is a formal investigation, and at that point it would be made public. But that again is besides the point.

The point is, the House of Representatives used lax security rules, and needs to tighten them up. Whether the information should have been public or not doesn’t matter; the fact is that they screwed up from a security perspective by allowing something to be made public that they had not intended to be made public.

The Ethics Committee was quick to release a “not our fault” statement, saying that the leak wasn’t caused by their own information systems. But this is only a half-truth. The leak was in fact caused when a junior staffer took the file home and stored it on a home computer where P2P software was installed, and as such, the Committee argues that it wasn’t their systems—but in fact, it was their own lack of policy and oversight that caused it. Security policy once again must go beyond the borders of the enterprise and into every computer that touches the network. If a worker telecommutes, then the computer used for telecommuting—especially if sensitive documents are being worked on—must also comply with corporate policy. And that means no P2P file sharing applications on it.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

P2P networks at the root of accidental disclosures, once again

However, you’ll sometimes find yourself with a never before seen problem. One such problem is that of duplicate emails. Thankfully, this is an infrequent occurrence.

Email inboxes use up a lot of space as it is and having limits on the amount of inbox space a user can use can be helpful as an alert mechanism for spotting trouble with duplicate email messages. A lot of duplicate emails can use up a lot of space and fill up your end users’ inboxes almost overnight. And these duplicate email messages can certainly cause confusion and negatively impact a company’s productivity.

Some administrators have noticed this problem when they’ve downloaded email messages using Microsoft Office Outlook 2003 from a POP3 (Post Office Protocol) email server and then on their next download they notice that duplicate email messages have been downloaded as well.

There are a couple of different reasons why this can happen. There is an option called, “Leave a copy of messages on the server” which if enabled can create an environment that allows duplicate emails to be downloaded. Luckily, this problem was fixed in a hotfix. That hotfix has been included as of Service Pack 2. The latest Office 2003 service pack corrects this problem.

If you’ve just installed the hotfix then you will see duplicate email messages the first time you download but the duplicate downloads will stop occurring after that initial download.

If you wish to enable the “Leave a copy of messages on the server” option then you can start by opening up the Tools menu and clicking on “E-mail Accounts”. Then click on “View or change existing e-mail accounts” and then click on Next. Locate your POP3 email account and click “Change”. You’ll next have to click on “More Settings” which will allow you to choose the “Advanced” tab. Here you will want to check mark the “Leave a copy of messages on the server” check box. Then click OK or hit the enter key.

There are other circumstances that allow for duplicate email messages to get downloaded. One such circumstance that allows this to happen is if there are multiple POP3 email accounts associated with the same profile in Outlook.  When your end user logs on to Outlook they may be prompted for their password for one of their accounts and that is the point when they will receive duplicate email messages. Those two accounts are likely pointing to the same POP3 email server which results in an end user getting duplicate emails.

You can fix this by turning off email reception for one of those accounts. Bring up Outlook and bring up the Tools menu. Locate “Send/Receive Settings” and click on “Define Send/Receive Groups”. You’ll have to determine which group contains the two POP3 email accounts. Once you know which group that is then double-click that group and under Accounts select the POP3 email account that you want to stop receiving duplicate email messages and click on it. Then clear the “Return mail items” check box. This will disable that particular email account from receiving any further emails and hence stop the duplicate emails from appearing.

Another situation that results in duplicate email messages is if the email server contains corrupt email messages in the users’ inbox. As the administrator you’ll have to check the logs for possible error messages related to corrupt email. If you determine that there are corrupt email messages on the server then you’ll have to log in to the server and delete them.

There are times when you have reinstalled the system software and also needed to reinstall Outlook. Sometimes, after an Outlook reinstall, your users will receive duplicate email messages. Other times duplicate messages may result after a user has synchronized Outlook with one of their mobile devices such as a PDA, Palm, a smart phone or other Windows mobile device.

If necessary, before any settings are changed – such as the ones mentioned above – it would be a good idea to have an end user scan and identify duplicate email messages. Obviously this is a non-productive use of their time. So having a tool in your toolbox that can scan for, identify and delete duplicate email messages can be a great time saver. There are many tools on the market that can help you with this activity.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Managing Duplicate Email Messages in Outlook

In a recent post I described the killer new High Availability feature of Exchange Server 2010 – the Database Availability Group (or DAG for short).

A DAG is an Organization-level object that allows a database to have several passive replicas on other servers (DAG members).  When a DAG is configured it permits individual mailbox databases to failover to passive instances should any problem with the active database arise.

The nature of DAGs means that they can be deployed to protect from failures at almost any layer of the Exchange infrastructure.  DAGs can protect from anything from a single failed server hard disk to an entire data center failure as long as the DAG is architected accordingly.

How this relates to backups is simply this – if a database is protected from all failure scenarios by the DAG, why would you need to back it up at all?  Let’s take a closer look at this question.

Exchange Failure Scenarios

The DAG will protect data from any Exchange failure scenario:

Database Corruption –the database will simply failover to one of the passive copies.

Server or Server Component – all active databases on the server (or just those on the disk that failed if that is the case) will failover to one of the passive copies.

Network Failure – if a DAG member becomes unreachable another member will bring those databases online.

Site Failure – because DAGs can easily span multiple physical locations, even those in separate Active Directory sites, if a data center fails another DAG member at a different site will bring those databases online.

Other Data Loss Scenarios

Deleted Mailbox Items – Exchange Server 2010 introduces a new feature known as Single Item Recovery.  This means that when a user deleted a mailbox item it is put into a recoverable items area instead of being permanently deleted.  This area has a configurable retention period, and so the administrator can simply configure a reasonable period to allow people to recover deleted items without relying on backups.

Deleted Mailboxes – although it is quite easy to export mailboxes before deleting them this requires manual effort to do so.  However because of the Journaling capability of Exchange Server the mailbox items for deleted mailboxes can be recovered from the journal store.  In addition to this, deleted mailboxes are not immediately purged from the database and so can be easily reattached if necessary.

What’s the Catch Then?

You might be thinking from the above that it is entirely possible and practical to never back up your Exchange Server 2010 environment provided the right features are configured for replication and retention.

In fact in some organizations this level of protection will be quite acceptable.  But none of the above protects the Exchange environment from accidental or malicious deletion of Exchange Server data.

For example, if someone deleted the Database Availability Group all of the associated databases would also be deleted.  Without a backup these could not then be restored.

To protect from both accidental and malicious destruction of the Exchange environment you must make use of the new Role Based Access Control (RBAC) features in Exchange Server 2010.  Although RBAC itself is not a new concept, previous versions of Exchange Server never included the depth and granularity of control over access permissions that Exchange Server 2010 does.

Using RBAC to allow people only the minimum permissions they need to do their job can protect the environment from accidental or malicious deletion of data.  Ultimately though someone needs to be trusted with the highest level of permissions, which still opens the door to some risks.

It is likely that even the least risk adverse organizations will still employ backups of some kind for their Exchange Server 2010 environment, though perhaps on a less frequent schedule.

Do you plan to modify your normal backup practices in light of the new Exchange Server 2010 features?

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

What if You Never Backed Up Your Exchange Server Again?

What might be happening is that a filter is being applied that only displays unread messages. Obviously what needs to happen is to either remove the filter or modify it.

If you want to reset to a known state you can also just remove all filters. This is a very easy procedure.

• In Outlook 2000 bring up the View menu and move to the Current View.
• Once there you can click on Customize Current View.
• This will bring up a View Summary dialog box where you can then choose Filter which will pop up the Filter dialog box.
• Here you’ll want to click on Clear All and then click OK or hit enter a couple times to exit the dialog.
• You should now be able to view all email messages whether they are read or unread.

There is another possible cause for disappearing emails. If one of your end users has managed to set Outlook so that email delivery is pointed at a personal folder file such as a pst file then this can have the undesirable consequence of disappearing email.

If you have installed Outlook with the Corporate or Workgroup option then this will support the use of Messaging Application Programming Interface (MAPI) services. This is important because it will allow you, as an administrator, to set the delivery target as your mailbox. You do not want a personal folders file set as the delivery target when you are running Outlook 2000 while viewing the inbox on the Exchange Server. You can set the delivery location by going to the Tools menu and clicking on Services. Next, click on the Delivery tab and check that “Deliver new mail to the following location” has your mailbox as the target location. If everything looks good then click OK or just hit enter.

If you suspect that it is your Rules or Rules and Alerts that is causing the disappearing email problems then you’ll have to go back and double check the logic and make the necessary corrections.

As a precaution you should also backup your email and contacts. You can then set up your account again and perform an import all. Then go back and recheck your Inbox. If this doesn’t correct the problem you can then try and uninstall followed up with a reinstall including all updates as required.

Another option you have is to use the Outlook Inbox Repair Tool to fix any questionable or corrupted files. You must first identify the .pst file(s) you wish to repair. Obtain the full pathname and then run the Inbox Repair Tool and input the pathname to the .pst file(s) you wish to correct. You can run this tool by clicking on the Start button, pull right on Programs or All Programs, pull right on Accessories, pull right on System Tools, and then click on the Inbox Repair Tool. Follow the wizard steps to repair the questionable file(s).

In previous posts I have strongly recommended implementing a routine email archiving practice for all email administrators. Email archiving can be used to recover from corrupted folders and files. It is much easier to work with than having to repair corrupted folders and .pst files.

Another diagnostic step you can take is to set up a new profile to see if you are able to view those “disappearing” emails. You can export your folders and email messages from the old profile and into the new one. This procedure will sometimes be enough to enable your end user to view his “disappearing” emails. Again, another good reason for email archiving and regular backups.

You should also go back and check your View settings. Verify that your ‘Views’ are set to allow viewing of all messages. An end user may have mistakenly changed the setting to view only unread email messages.

Now if you are using Microsoft Outlook 2007 it is known to have a feature that can block attachments that are considered unsafe. This can have an adverse effect on viewing email messages. The attachments that are blocked will depend on different factors that include configuration settings and policies all controlled and set  up by an administrator. Each client can have different implementations so an administrator will have to check the specific client that is having trouble with attachments.

This is where it gets interesting. An administrator or someone on their team will have to write some code that will allow an administrator to check if a particular attachment is being blocked. The code that will allow you to check on specific email attachments is called the IAttachmentSecurity application programming interface (API).

The IAttachmentSecurity API will allow your program to use the IsAttachmentBlocked function. Using this function will allow you to determine whether a particular attachment is blocked. Blocked files – attachments in this case – are not displayed by Outlook 2007.

Using all of the above diagnostic steps outlined in this post will allow an email administrator to correct most any disappearing email problems.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

How to prevent emails disappearing from the inbox

Archiving tools need to be carefully vetted before they’re adopted

So you’re thinking of acquiring a new email archiving tool and need to craft an acquisition and implementation strategy. Here are some things you may want to consider.

Regulations, rules, requirements and product warranties can make buying archiving tools a minefield. By consulting with your corporate legal and compliance people, as well as your company’s business managers, you can get an idea about where those mines are buried. Moreover, you can use your efforts to educate yourself about what requirements must be met by your new tools to build support and acceptance among your legal and compliance people.

When garnering information from legal and business colleagues, it’s important not to lose sight of your role as a technology advocate. While it’s critical to know what your new archiving tools must do to meet compliance and warranty demands, it’s also crucial that those unschooled in the intricacies of storage management understand basic concepts, such as the distinction between backups and archiving and the hard and soft costs attached to storage.

Keep in mind that your new archiving tools need to do more that meet compliance requirements if they’re going to be accepted by your users. After all, you don’t want to trade one headache–jumping through compliance hoops–for another–a disgruntled user base that sees your new technology as an impediment to its doing its job.

The obvious way to get your users to buy in to a technology is to obtain one that’s as friendly as possible. When introducing a new system, many times “friendly” is just another word for familiar. A system that allows users to interact with something they’re familiar with–Lotus Notes, for instance, or Microsoft Outlook–will calm their anxiety about adopting something new.

Remote access to email archives has become increasingly important not only to road warriors but also to an organization’s rank and file who may be working from home as well as in the office. You should take that into consideration when evaluating new archiving tools. The last thing you want to happen after installing a new system is to have frustrated users creating caches on their office computers where they’re squirreling away copies of their emails because it’s the only way they can see their past messages when they’re away from the office.

Because every day there are reports of court cases decided on emails acquired through legal discovery, it’s easy to lose sight of the fact that anything electronically stored on a company’s computers is fair game for legal beagles. Moreover, regulators make no distinction between emails and unstructured data when they go hunting for information at a business. Unstructured data–data outside the email umbrella–can account for some 80 per cent of the bits and bytes stored on a company’s servers, personal computers and laptops. You need to take that into account when reviewing new archiving tools. They need to support archiving of multiple data types, such as instant messages, telephone logs and calendar items.

It’s also important when considering archival tools to consider how–once they’re in place– they will help you enforce system policies. For example, it’s crucial–although it won’t make you or your system popular–to avoid exceptions to archiving policies. There may be some political gain in giving in to a senior executive who wants his or her email account exempt from policy because he or she is disgruntled about the system’s purge cycle or is displeased with the way a system displays archived messages, but when the company gets embroiled in litigation and an opposing counsel starts raising questions about why policies weren’t followed, chances are you’ll be left hanging from a flag pole twisting in the wind alone.

Another policy you’ll want to implement is control of email stubs. You’ll want to trash stubs every 90 to 180 days. Retaining the stubs for too long can impact your system’s performance and the daily irritation of hearing a chorus of “Why is the system so slow?” wherever you go. Since not all archival products dump the stubs when files reach the end of their retention period, that’s a feature you may want to make sure is included in your new archival tool.

Finally, you’ll want to thoroughly vet how a potential archiving system will handle copies of local email files. These files are commonly stored in PST files for Microsoft Exchange and NSF for IBM Notes. Those files are scattered throughout your organization on users’ computers and can be a nightmare for your retention program. Not only is finding those files a horror show when an opponent’s lawyers appear on the doorstep during the discovery process but the information in them can be ticking time bombs. Some systems allow you to block the creation of such files, but if that’s done, you’ll want to make sure your archiving software can accommodate your users’ legitimate needs to access their historical emails.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Tips when making email archiving choices

Passwords, PINs, and other sensitive information often comes in printed form before we commit them to memory. It may be in the form of a letter from a bank or a memo from the IT department, or it may even be a password that we wrote down on a piece of paper and stuck in a drawer. What happens to this paper? More often than not, it gets tossed into the waste bin, where it can be easily picked through by an opportunistic identity thief.

A recent survey showed that a surprising 79 percent of all businesses do not destroy sensitive information on paper that is being discarded or recycled. The UK-based survey showed that 64 percent of businesses have a clear policy on handling written documents with sensitive information, and 32 percent of employees admitted to discarding sensitive documents directly into the trash.

The survey, which was conducted as part of National Identity Fraud Prevention Week, says that identity fraud results in over £1.2 billion every year. Forty percent of the companies surveyed said they throw away information on customers, including home addresses, phone numbers, and even photocopies of passports, all of which can be used to perpetrate identity theft. Individuals are as vulnerable as businesses, and the report says that 44 percent of Britons still do not shred documents with sensitive information. And here’s a shocking statistic. The survey showed that half of all households threw away everything a criminal would need to perpetrate identity theft, and that 79 percent of all household waste had at least one item that could help a criminal.

The answer of course, is simple, non-technical and inexpensive. First, put a policy in place that says all documents with any personal information must be destroyed; and second, install paper shredders in convenient locations throughout the office.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Physical protection of passwords and sensitive information

Many of you here are from a Microsoft Exchange and therefore a Windows Server environment. While much has changed in the capabilities for Windows server clustering, especially in the Exchange area, many of the core concepts are the same regardless of what the latest features and options are. For example, block-level replication across drives on a SAN solution such as EMC’s SRDF/CE option is specifically designed to assist in replication of Windows databases such as SQL and Exchange, but the block-level replication works in essentially the same manner as DRBD does on Linux.

Clustering conceptually is the same regardless of the platform or systems as well. Although that might seem to be heresy to those that are irrationally tied to one platform or the other, it’s true. It’s even more true for dealing with the considerations for multi-site clusters or geo-clusters. Round trip times and network latency limits tied to the speed of light for geographically distant systems can’t be ignored, regardless of the platform or application. Also, clustering solutions have to deal with defining fail-over and fail-back procedures, and the theory behind most of these solutions is the same. Nodes in a cluster communicate via a heartbeat, and there is often a tie-breaker or “witness” node present to assist in validating that the primary node in the cluster has failed. For multi-site or geo-clusters, this is especially important both in the design stage and in understanding the possible failure modes. If network communication is down between sites, but not to and from clients at a site, multi-site clusters may fail-over and present a “split brain” situation where each site’s believes it is the active one, that the other is down.

Does the likelihood of a network outage mean that we must change our expected recovery time to be greater than the acceptable down-time for the network listed in our network SLA? Probably? This is a key question. How long must communication between sites be down before the secondary site decides that the primary site is really down and takes over as active?  Do you believe that having alternate paths for the heartbeat connection will solve this? Could that create an even greater problem? Let’s look at it:

Multi-path Communication for Multi-site Clusters
The servers will likely have a subnet spanning (cross-site VLAN) solution where their heartbeat network interfaces communicate. This network path therefore includes distinct network adapters (NICs), cabling, possibly separate switching, and may take a different path to and from the remote site. If the sites communicate via a traditional WAN link, but clients connect between sites or to each site via separate Internet facing routers or VPN concentrators, the client path to the remote site and its server(s) in the cluster may be very different. Consider already that client communication on the primary site with the active node(s) may fail, but the different network path for the hearbeat and quorum info may have the cluster in a state where it is healthy, but unreachable.

If the cluster fails over due to heartbeat communications failing, but when clients can still reach the primary site’s active servers, very strange problems can arise. Depending on how DNS is configured, and on how the cluster’s IP address is managed, clients might be directed to the secondary site based on the interruption of communications on the heartbeat network. In fact, the primary site is still active. Depending on the SAN or replication solution, one or the other of the sites will be writable with the data, while the other is just being replicated to. The load-balancing or DNS management needs to align with which cluster site is active. If the heartbeat network goes down and the cluster fails over to the secondary site, but clients are still directed to the primary site by a load balancer or DNS, that site likely won’t have access to the disk volumes since the SAN will have failed over to the secondary. If the replication solution still allows write access, the data between sites will be inconsistent. The cluster will think the secondary site is active, yet data has been written to the primary. Granted, if things are set up correctly this should not happen. But it can. Be warned.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Considerations for High Availability Designs Used for Disaster Recovery

There are times when clients are connected to your Exchange Server and your users are receiving their emails just fine. But when they attempt to send emails the emails get stuck in the email outbox. You open the Sent Items folder but you do not see the expected emails which indicate that they were not sent. Sometimes there are attachments and sometimes not, so this problem might appear random. All this can happen even while Outlook is connected.

Although users will have an imap connection configured for their email client no email can get sent through the Exchange Server. Sometimes your users’ data is stored in a local pst file and not on the Exchange Server.

They might also receive a Progress window that reports a Microsoft Exchange Server error message such as 0×80040115. It indicates that Exchange Server is unavailable and also indicates that Outlook is itself offline.

If you try to remove the message then Outlook will indicate that the message has already been sent but the process has not yet completed.

One possible solution is to exit Outlook and then delete the email in the outbox. You can do this by going to the lower left corner of the screen and click on the Start button to bring up your selections so that you can choose Run. In the Run window type “Outlook /safe”. Make sure you have a space between the word “Outlook” and the forward slash (/). Hit enter or click OK. You can then delete the email in the outbox.

How the send mail process is supposed to work is email should be moved to the outbox after an end user has clicked on the send button. Later, Outlook makes a connection to the email server, such as Exchange, and then tries to send the email. If successful then the sent email will show up in your outbox.

You should note that if you open and close the email message from within the outbox that this operation will cause the status to change and will result in the message not being sent. The email title will also no longer be italicised. You will have to click Send on the message toolbar if you want the message returned to send status. Later, when Outlook makes its connection to the Exchange Server, the message will be sent.

It is also possible that an end user’s personal folders have become damaged. Or their Personal Address Book files have become corrupted. You will need to repair those folders and files. I have outlined in previous posts how to make these corrections. This is also one of the reasons why email archiving is a recommended practice for all email administrators. Email archiving can be used to recover from corrupted folders and file. It is much easier to work with than having to repair corrupted folders and pst files.

An initial diagnostic step to perform is to run the Inbox Repair Tool. This tool will repair any damaged files. You must first identify the .pst file(s) you wish to repair. Obtain the full pathname and then run the Inbox Repair Tool and input the pathname to the .pst file(s) you wish to correct. You can run this tool by clicking on the Start button, pull right on Programs or All Programs, pull right on Accessories, pull right on System Tools, and then click on the Inbox Repair Tool. Follow the wizard steps to repair the questionable file(s).

Other solutions you can try is renaming any .pst and .ost files. You’ll have to locate those files on your systems, rename them and then create new profiles.

You may also have to check the Personal Address Book of your end user. Verify that the email address of the person they sent the email to is correct. You might even have to delete it and then add it in again.

Another diagnostic procedure you can perform is to try using another email client to send email to the recipient. If successful then you can compare the email dependent settings that are common to both clients and look for discrepancies that can be used to make corrections in the client configuration that is not sending emails.

You can also use “exchng32.exe” to send email using your existing services. If you are able to send email this way then you should try removing and then reinstalling Outlook.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Troubleshooting Stuck Email in the Outbox

I know that other IT professions carry varying degrees of complexity, but still wonder how often the email admin is the smartest person in the room.  Putting aside the ego behind that question there are definitely a lot of areas in which an email admin needs to have an understanding.

Let’s consider some of the technical skills that a good email admin needs.

Email Servers – often the email administrator is working in environments with more than one email server product in production.  Even those who only manage one server product will still encounter other products as they deal with outside parties, often trying to troubleshoot a mail delivery problem.

Operating Systems – the email admin is also usually responsible for the operating system running on the server.  Again in heterogeneous environments this may mean several different editions of Microsoft Windows as well as some form of Linux or Unix.

High Availability – larger environments often require high availability for their email systems.  This means the email admin needs to understand cluster, network load balancing, and the Exchange Server high availability features.

Firewalls – every email system needs to move data to and from the internet, so an understanding of firewalls from different vendors is necessary.

DNS – this plays an important role in several ways, not only the MX records but also concepts such as split DNS and how important reverse DNS is for delivery.

Network Protocols – there are many protocols at different layers involved for an Exchange Server system such as TCP/IP, HTTP, SSL/TLS, RPC, and MAPI.

Email Clients – the email server admin will inevitably be called upon to assist with email client software support.  In my experience this extends not just to the different version of Outlook but also to POP/IMAP clients.

Mobile Devices – mobile access to email is so common these days that an email admin will encounter many different devices such as PDAs and smartphones requiring support.

Server Hardware – an email server is almost guaranteed to have the most concurrent users of any system in a business at any given time.  This means that the server hardware must be sized with enough resources to handle the peak load.

Storage – Storage Area Networks are everywhere these days and in my experience getting a well configured storage subsystem for an Exchange server requires the combined knowledge of both the storage admin and the email admin.

Backups/DR – in most businesses email is among the most critical systems and so it must be well protected by Exchange backups and able to be quickly recovered when disaster strikes.

Telephony – fax integration with email has been around for a while now and more recently telephone integration has also become mainstream.  Exchange Server 2007 introduced Unified Messaging that included many features previously only found in dedicated PBX systems.

Without a doubt being an email admin requires a broad skill set to manage what is one of the most complex and critical systems within a business.

Can you think of other important skills for email administrators?

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Are Email Admins the Smartest People in the Room?

Email not giving up its crown yet.

Email no longer rules, declared a headline in a recent issue of the Wall Street Journal. Email has fallen from its throne as the king of wired communication, the author reasoned, because social media, like Facebook and Twitter, offer communicators a more immediate way to share their thoughts, situations and creative endeavors with others. However, while it’s true that email’s monopoly on communication is no more, that doesn’t mean it has relinquished its crown as the wallah of wired information exchange. In fact, social media, rather than snatching email’s diadem, have actually polished it.

Anyone with a Twitter or Facebook account knows how much “noise” those services generate. The compulsion by many users of those media to gush minutiae can be numbing. When email was the sole source of online communication, complaints abounded about information overload. That has only worsened with the likes of Twitter and Facebook. Email, though, as a mature technology, has developed ways to cope with noise. Filters sort messages as they arrive. Folders segregate items into bins where they can be logically acted on. Tags and categories further slice and dice clutter. Those things add value to email. By comparison, Twitter and Facebook can feel as if the postman drove a dump truck up to your house and jettisoned a year’s worth of mail on your lawn.

According to the WSJ writer, email is a quaint technology that reflects how people used to use the net. It’s made, she argued, for logging on, downloading and logging off. Social media, she continued, is more attuned to the “always on” connections people have today; this is a very peculiar contention. If anything, the spread of “always on” has been a boon for email. Checking email in bursts was never convenient. Now email programs can remain open from boot-up to shutdown and mail automatically gathered and delivered to an inbox. Moreover, many users are more likely to have their email application open all the time than to be camped at a social networking site. That’s why those sites offer the option of sending email notifications to their members when they receive a personal message or when a discussion they’re interested in is updated. Email quaint? Someone should let the folks at Research In Motion, makers of the Blackberry and who continue to make silos of money on that quaint technology, in on that development.

One assertion by the WSJ scribe that’s hard to refute is that the pretenders to email’s lofty status are fun to use. That alone, though, is hardly threatening to email. Fun has entertainment value, but when what a communicator needs conveyed has more than entertainment value, it’s hard to beat email. What would you take more seriously: a 140-character text message written in gibberish or a 200-word email with all the T’s crossed and I’s dotted?

Why wait for email to be delivered when a correspondent can be contacted immediately through Instant Messaging?, asked the WSJ scribbler. That kind of thinking, though, assumes the correspondent wants to drop whatever he or she is doing to instantly respond to you. Instant Messaging can be a meddlesome application. Email, on the other hand, is less intrusive and less likely to irritate than IM. In addition, one has to wonder just how many instant messages require instant responses, or are just sent because a user is more concerned with speed than common sense.

No Wall Street Journal story would be complete without numbers, and this author has some to show email’s decline from favor. She noted that in August 2009, email users climbed 21 percent to 276.9 million users over August a year ago. During the same period, users on social networking and community sites jumped 31 percent to 301.5 million. Do raw numbers translate into increased value?  Most people use email every day for work. So it’s very likely that most of those 276.9 million users are actually using email. On the other hand, how many members of social networks even check out their sites every day? And if they do, how much time do they spend there? If one has an application open on the desktop and is using it all day long, does that application have more or less value than an application that’s used only occasionally? What’s more, a user will have one email program, but may belong to multiple social networks. So while that person counts as a single user of email, he or she could count as multiple users of social networks, thus skewing the growth numbers.

Email no longer rules? Not quite. The new generation of communication services have their place, but it’s mostly removing chaff that detracted from the value of email. Pithy messages that clogged email boxes can be relegated to text messages from mobile phones, a twit or a posting to a Facebook wall. For high value communication, for communication that’s important, email remains king.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Email still king despite pretenders

According to a Microsoft blog entry, Windows 7’s UAC now has a little more flexibility, with four settings: “Never notify”, “Notify me only when programs try to make changes to my computer (without desktop dimming), “Notify only when programs try to make changes to my computer (with desktop dimming)”, and “Always notify.” Vista on the other hand, was all or nothing, with choices only for “Always notify” or “Never notify.” The risk now however, is that users will tend towards shutting it off completely, since that option is now a lot easier to do—thereby leaving the door open to more attacks.

Of course, Microsoft took a lot of flak over the UAC under Vista, and they’ll probably take more flak now for going in the other direction with Win7’s UAC. The medium setting on Windows 7, which is the default setting, may offer inadequate protection, though time will tell. It is advisable to bite the bullet and use the “Always notify” setting—although it may be a hard sell to get users to agree.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Windows 7 and security

Well, in larger organizations both operational responsibilities and security policies make the separation of duties for IT staff a reality. What does this mean? Well, the person who manages the firewalls and configures rules to allow email traffic between company sites or business units is very likely not the same email admin who is going to configure the SMTP connector or inter-site replication. The staff member that gets information from human resources and provisions accounts is likely not the same staff member that builds out hardware for servers, or configures desktops or notebooks for the new users. The security staff that manage proxies, load balancers, network anti-virus solutions and other security solutions are not the ones that will perform tuning and regular maintenance to your email servers, in most all cases. If you have backup and storage managed by a separate group in the IT staff, they may or may not know the specifics of backing up an Exchange database or server.

What will all the results of this separation of duties be? Will things work better or more poorly? Are you already in this sort of situation and frustrated that nothing seems to get done and that things take many times longer than they used to or seem that they should?

If you are a growing organization and thinking of separating duties and responsibilities because of workload, security, expertise, or all three, consider carefully what the impact will be. When one group does not know what another is doing, when, or why, it can make otherwise simple changes into boondoggles. Scheduling with clear communication between groups of planned outage times, priorities, and potential risks of course are important. Clear communication sounds easy, but when everyone is busy with their own work sometimes we forget that not everyone knows what we are doing and that everyone else may not have read every single email before they left work for the weekend, especially if the email was about another group’s project. When things do go wrong and problems erupt, affecting systems unexpectedly, is there a well-understood escalation process and means of contacting the staff needed to troubleshoot and resolve things? Monitoring systems and automatic email or text alerts are great as long as those systems can function properly and they have a connection outbound to the Internet and from there to you when the crisis happens.

Recently we discovered at one location that backups for some systems had not been running for a long time. No alerts or warning about that, because the backups weren’t configured in the first place. A few days later we discovered that some of the systems were not being monitored for performance at all, although there was monitoring software available and a plan was in place, it just wasn’t happening. These things went unnoticed by the staff directly administering and supporting those systems, because they did not have administrative or even read-only access to the backup technology or the monitoring solution. The staff did not have the means to even look and see if these important functions were active and operating as assumed. The problems have been corrected, and going forward, the staff has been granted access to check that the backups and monitoring are operating. This is an example of where separation of duties was problematic. The lessons learned were that we can’t assume that others know what we want, and that we should verify things. Just trusting someone in another area’s word that something is true isn’t enough–”show me” works better.

Organizations can be and will be so large that any one IT staffer simply can’t know everything about everything. The field is becoming complex enough that this is no longer possible. For large organizations, it’s not possible to have the same group manage every IT service. Since this is the reality, we are left with the task of ensuring that the different IT roles can and do work best together. As an email admin you may discover that you know more and more about less and less of the whole IT infrastructure. Just don’t take it to the point where you know everything about nothing!

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Is Separation of Duties in IT a Help or a Hindrance?

Virtual Desktop Interfaces like GoToMyPC can be more secure than VPNs for remote workers.

As workers become increasingly mobile, they’re demanding access to their computers–both at home and in the office–from whereever they can connect to the Internet. Cube rats want to access their home computers. Road warriors need to connect to their office desktops to maintain their productivity while traveling. Linking to headquarters is essential for telecommuters.

Over the last decade or so, the vehicle for establishing secure connections outside a company’s firewalls has been the Virtual Private Network, or VPN. It allows a remote computer to tap into a corporate network by creating a secure tunnel to it through the Internet. This method, though, can have security risks. That’s opened a market for alternatives to the hoary VPN.

Because VPNs originate with a company’s IT department, their operation is unquestioned by their users. After all, the reason users are told they need to use the VPN is so they can connect to headquarters securely. That creates a false sense of safety among users so they’re likely to transfer sensitive data through the VPN without using additional encryption and deploy protocols that transmit authentication credentials without any protection at all.

In addition, the VPN can serve to protect an intruder’s mischief rather than block it. In many networks, the Intrusion Detection System (IDS) is located outside the VPN server. Because traffic through the VPN is encrypted, the IDS can’t see it. So if a cracker gains contol of the VPN, he or she can attack the internal systems without being picked up by the IDS.

Here’s another problem with a VPN. When a VPN is established from a remote computer to a host computer, the remote computer essentially becomes part of the corporate network. Data moves between the two computers. If a document is opened up on the host computer, that data is sent to the remote computer. If changes are made to that document on the remote computer, the document is changed on the host computer.

“If the remote computer is already compromised by malware or viruses or anything like that, then the data that you exchange with your host computer could get infected,” Kishore V. Kalidindi, director of engineering at the The Tolly Group Companies in Boca Raton, Fla. explained to me.

“Another thing,” he continued, “if you have a Trojan or keylogger on your local PC and it connects to your corporate network, then the malware can start spreading on your corporate network.”

“That’s a risk that administrators have to protect against before granting access from someone through a VPN,” he added. “They have to decide, do we need to do Security Posture Evaluation before letting a remote computer connect to our corporate network? That poses additional challenges for the administrator.”

Some Virtual Desktop Interface solutions, though, like GoToMyPC from Citrix Online, offer an alternative way to connect to a corporate network without a remote computer becoming part of that network. They do that by delivering a screen image to the remote computer, not the actual data from the host. Whatever is displayed on the host computer’s screen is being digitized, encrypted, compressed and transmitted to the remote computer. The host computer sees keyboard and mouse actions at the remote as if they were being executed on a keyboard and mouse connected to the host. “It doesn’t make the remote computer physically part of the corporate network, so certain security risks are mitigated by solutions like those,” Kalidindi explained. “Actual file data doesn’t get transmitted from your local computer to the corporate network.”

“That is a more secure approach of doing things,” he added.

Managing remote users has always been challenging to system administrators, although it’s more challenging now than it was when the only network access available to out-of-office workers was a phone and modem. Access can be less challenging with Virtual Desktop Interfaces. They can make an administrator’s life simpler, not only because sensitive information need not leave the network and their bandwidth requirements are modest, but VDIs will often function in situations where VPNs won’t. Moreover, they remove the burden of the admin acting as Big Brother monitoring what mobile jocks can and can’t do with their laptops. In addition, should a user complain of unsavory happenings on his or her remote computer, the VDI can be used to quickly assess the situation. While VDIs may not be a viable substitute for a VPN in all cases, if they are viable, they can reduce the security concerns  of administrators opening up their networks to remote access by their company’s workforce.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

More secure alternative to VPN

In Microsoft’s own words, “an accepted domain is any Simple Mail Transfer Protocol (SMTP) namespace for which a Microsoft Exchange organization sends or receives e-mail.”

Accepted Domains fall into one of 3 categories – Authoritative, Internal Relay, and External Relay.  Any given namespace that is an Accepted Domain can be only one of those three types.

Authoritative Domains

Authoritative Domains are those for which an Exchange organization hosts mailboxes that have email addresses that use that domain.

For example, a company named Contoso Pty Ltd may own the domain name contoso.com and use email addresses of name@contoso.com.  The Exchange organization would be configured to consider contoso.com an Authoritative Domain.

An organization can have more than one Authoritative Domain configured.  Using Contoso Pty Ltd as an example again, they may have a second brand name of Contoso Services and use the contososervices.com domain name in marketing materials.  In this case the Exchange organization would be configured with both contoso.com and contososervices.com as Authoritative Domains.

Internal Relay Domains

Internal Relay domains are those for which an Exchange organization hosts some, but not all of the mailboxes that use that domain.  This scenario is sometimes also referred to as a “shared SMTP namespace”.

Internal Relay domains are common when two companies have merged but are yet to consolidate their Exchange environment into a single organization.  When they have a need for consistent email addressing across both Exchange environments Internal Relay domains are the solution.

When an Accepted Domain is configured as Internal Relay it tells the Exchange organization to accept mail for that domain, but if no recipient in that organization has that email address then it looks to the list of Send Connectors to determine where to send it next.

For example, if Contoso Pty Ltd and Northwind Traders formed a new company Contoso Traders with a new domain name of contosotraders.com, then each existing Exchange organization is configured with two items to share the SMTP namespace:

• An Internal Relay domain of contosotraders.com
• A Send Connector for the namespace contosotraders.com that sends email for unknown recipients to the other Exchange organization

External Relay Domains

External Relay domains are those for which an Exchange organization will accept email, but hosts no mailboxes for that domain.  This scenario might occur when one organization is acting as an ISP for other organizations, or offering services such as email content filtering.

External Relay domains are used when one Exchange organization is accepting email from the internet for a non-authoritative domain name, and then forwarding it on to the authoritative Exchange organization.  This is usually performed at the Edge Transport Server to keep email for non-authoritative domains from entering the corporate network.  For this to occur the Edge Transport Server is configured with two items:

• An External Relay domain
• A Send Connector for the namespace that sends the emails to the authoritative Exchange organization

In these scenarios it is also common for the Edge Transport Server to be used as an outbound email relay, or smart host, for the authoritative Exchange organization.

Summary

For most Exchange organizations the Authoritative Domain type is the only one used, however it is important for email administrators to understand the full capabilities of Accepted Domains as explained above.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Understanding Exchange Server Accepted Domains

Password problems can be perplexing – sorry I couldn’t resist the tongue twister

Seriously, administrators will have the challenge of correcting password issues under time constraints as business activities and users are all working toward completing projects on time. So having a tool chest of techniques for solving and correcting password issues is a requisite of any good administrator.

One problem that you will encounter from time to time is when passwords are not being kept by Outlook even though they have been specified to be retained. This may happen even if the “Save Password” box has been checked.

Several solutions have been offered on the internet.

Deleting User Account Information

One solution involves deleting the user account information and resetting the password. This method involves making changes to the Registry. As always, anytime you touch the registry you should always back it up first.

There are other times when Outlook doesn’t remember the passwords after the operating system has been reinstalled. The system is configured correctly in that the correct passwords are in the account properties but when the end user attempts to send or receive an email they get the username and password dialog box popup.

Disabling Prompts

Another solution you can try is to disable the prompt that asks to save passwords. You can do so by bringing up the Control Panel by going to the lower left corner of the screen and clicking on the Start button and then click on Control Panel. Once you have the control panel up you should then double click on Internet Options and select the Content tab. Next, click on the AutoComplete button in the Personal Information section. Check the box for “User names and passwords on forms” and uncheck the box for “Prompt me to save passwords”. You should now close Outlook and then restart it and try your password again.

Sometimes you will have a user who is able to receive email without being asked to enter a password but they are unable to send email without getting the password prompt request. The administrator should check the account properties server tab on the outgoing mail server and then, for that end user, uncheck the “My server requires authentication” setting and click OK or hit enter. This should stop the password requests from occurring when sending email.

Creating a New Email Account

Another problem situation can occur if you have any users who are using Microsoft Office Outlook 2007 then you might run into a problem when you go to create a new email account. For instance, when creating a POP3 email account you have the option to specify “Require logon using Secure Password Authentication”. If you do not type in a password and the “Remember password” check box is left unchecked in the Add New Email Account dialog box, then when you go to test your account settings you will be prompted to enter in your credentials. This prompting for credentials will happen every time the user starts Outlook.

What is happening is that Outlook 2007 is not using the logon credentials configured in the Windows operating system.

Microsoft has provided a hotfix package as of April 30, 2009. You can correct the problem by applying the hotfix and set an appropriate value for the AlwaysUseCachedCredsForSPA registry entry. As always, anytime you touch the registry you should always back it up first.

To start the Registry editor go to the bottom left corner of your screen and click Start. Next, click Run and type “regedit” in the Open text field. Click OK or just hit enter. Find the following registry subkey and then click on it:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\InternetMail.

Then, from the Edit menu, move the cursor to New and then click on DWORD Value. You can then type in “AlwaysUseCachedCredsForSPA” and press or hit enter. This procedure will allow you to modify the value for “AlwaysUseCachedCredsForSPA”. Right click on it and then select Modify. Enter a value of “1” in the Value data box and hit enter or click OK. Lastly exit the Registry editor.

As an alternative you can implement a workaround which consists of entering in your credentials when in the “Add New Email Account” dialog box. You can do so by clicking on the “Test Account Settings” and entering in the credentials. Select the “Remember password” check box and type in the password.  This workaround will allow you to not be prompted for the credentials when you test the account settings.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Troubleshooting Outlook Password Problems

Digitally signing email messages is a form of protection that can be used to prevent identity fraud and the abuse of email messages sent to and from Outlook. Outlook allows email messages to be sent with cryptographic features such as S/MIME digital signatures and encryption.

Such messages can utilize “public key/private key” encryption technology to make private their email messages so that only recipients who possess a public key are able to view the encrypted email message. There is a complicated mathematical relationship between the two keys such that any message encrypted with the public key can only be decrypted using the specific private key. The reverse relationship is also true: any message encrypted with the private key can only be decrypted using the corresponding public key. It is this reverse relationship which supports digital signatures.

Oftentimes you will run across the situation where an end user complains to you that they cannot open a digitally signed message. When they attempt to do so they receive the following warning message: “Signature not trusted.” This is usually an indication that their email system has not implemented email security yet.

If it is a problem with the certificate then an error message will appear that has a red colored X indicating what part of the certificate is having a problem. Your potential solutions can include editing the trust level for the sender’s certificate. Another possible cause of the problem is an outdated or expired certificate.

You can change the trust level of the sender. You should see a Certificate dialog box that will allow you to edit the trust level by clicking on it. You should click on “Explicitly trust this certificate”.

If the problem is with an outdated or expired certificate then, within the same Certificate dialog box, you should click on View Certificate and then click on the Details tab. You will see fields for the “Valid From” and “Valid To” dates. Check to make sure that the certificate has not expired. If it has expired then you can notify the sender of the email using the expired certificate of the expiration status. That sender will most likely have to contact their administrator to create a new certificate.

This process of creating a new certificate will involve an administrator having to contact a trusted third party who is currently storing all of the public keys for the sender’s company. This third party is called a “Certificate Authority” or CA for short. Such a Certificate Authority would be Verisign. Normally a new public/private key pair will have to be generated and the public key sent to Verisign for the authentication process.

What I’ve just described is the problem and solution for when a recipient cannot open a digitally signed message. Sometimes the problem is just the opposite. Your end user has called you to complain that they themselves cannot send an encrypted email message.

When this situation occurs, you, as the administrator, must verify that the email recipient’s digital ID is stored with the address in the contact list or address book. Check for multiple entries. It is possible that your end user had selected and email address for the recipient that did not have the copy of the recipient’s digital ID. They must use the email address for the recipient that includes a copy of the digital ID before they can successfully send the encrypted email message.

If the changes mentioned above do not correct the security problem then you might have to change the security settings for zone.

You can change the zone settings by:

• Clicking on Options from the Tools menu.
• Then click the Security tab.
• Click on the Zone settings
• Click on the OK button or just hit enter when you get the warning box.
• Select Internet for the “Select a web content zone to specify its security settings”. If you want to see content without getting warnings then move the slider bar for the “Security level for this zone” until you select Low. If you want to see the warnings then move the slider bar until you select Medium.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Troubleshooting Security Problems in Outlook

So consider that a seemingly simple upgrade to your mail servers, or a client security patch could result in significant downtime and give you and your IT organization a “black eye” due to the failure. We don’t want that. So, how can we avoid it?

Well, you may be thinking, “I’ve got backups, and even snapshots and images of the systems I’m altering, so if things go wrong, we can roll-back to the previous state almost instantly.” That’s great, and I hope you do have good backups, and even better restore procedures in place for when things do go wrong, as they will sometimes.

But how do we ensure that we are successful, so that we don’t need to quickly restore to yesterday’s configuration? After all, if we can’t get the changes and improvements in place, that will start to look bad as well. The question is, how do you test your changes, improvements, and upgrades? How do you ensure that when you roll the changes out into your live production environment that things will work properly and as expected?

What we need is a complete test environment that fully mirrors (as much as possible) the functions and operations of the production environment. Does it need to be identical? No. But what we need is an environment that has all the components in place. This is often overlooked in budgeting and in planning. Why, I don’t know. How management can expect you to successfully upgrade and expand features and functions without complete testing is beyond me. Without testing it is essentially a trial-and-error operation.

Testing on individual systems just doesn’t cut it. And trying to replicate the interactions of a modern email infrastructure with just two systems, one as “the server” and another “the client” is unlikely to be even a close simulation of an enterprise network’s messaging environment. Now, if you do have just a single email server, that’s great. You can probably test with a single box and a test client PC then. If your business is that size, you’re in luck. I would ask you to consider though, what happens if that email server crashes? What are you doing next? Do you have a spare system ready? Do you have to install the OS, then restore from your backup? Does that work? Have you tested it? If not, you should.

For a more extensive messaging infrastructure, we ask: what’s the best means of creating a test environment? There are several obvious options. First, you could clone the entire production network. Either setting up separate systems on an isolated, independent network or deploying virtual machines in a separate network can work here. The cloning and imaging of the systems is a solid plan, and can leverage the methods you use for backups and disaster recovery. Knowing that you can take images of your production systems and redeploy them and have everything continue working is a very comforting bit of knowledge.

There may be some benefit from creating new systems on the test network and installing the systems and applications “from scratch”. Why you would choose this is up to you, there may be a need to capture some of the processes, or the configuration complexity may be great enough that it’s actually simpler to install than to go in and modify the configuration manually on a copy of a system. This may not seem likely, but consider that if an automated install process updates a system, database, or remote host name in 20 places during the install, you’ve possibly got to go in and make those 20 changes manually on your clone.

We do want the test environment to be as close as possible to the production environment. So, we have to decide, is a scaled-down version of the infrastructure close enough, or do we need to make it exactly the same, just not with the same domain and host names, and client connections? That seems extreme. If we have four servers with mailboxes that have no difference in configuration than the particular user mailboxes present, we can be pretty sure that there is no need to duplicate that–one server should be sufficient for testing. On the other hand, if user directories and content are in an environment with automatic replication, we don’t want to test changes on systems that don’t also have that replication in place. Don’t assume something is not relevant–if it’s a “moving part” in production, you want it in your test environment.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

The Importance of a Testing Environment

I presented three options for protecting lists, each of which carried pros and cons.  Ultimately the best defense against spam to distribution lists is effective anti-spam filtering.

However anti-spam protection does not deal with mail that is not necessarily spam, but may be unwanted.  For example, a company’s “All Staff” email list may be available for use by anyone within certain guidelines, and the company wants each email checked first before they are sent to everyone to make sure inappropriate usage does not occur.

Exchange Server 2010 solves this problem for customers with a new feature called Moderated Transport.  Moderated Transport, or Email Moderation as most people will probably refer to it, is the capability to set certain recipients (either mailboxes or distribution groups) as a “moderated recipient” and designate one or more moderators who is responsible for deciding whether emails are delivered to that recipient or not.Moderated Transport operates in several ways.  Firstly, for users running Outlook 2010 or the Exchange 2010 Outlook Web App (the new name for Outlook Web Access) they will receive an on screen notification that the recipient they are sending to is a moderated recipient.

After the message is sent instead of delivering to the recipient it is instead sent to an arbitration mailbox.  The designated moderators are then each sent a message notifying them of a new email requiring moderation.  If the moderators are running Outlook 2010 or Outlook Web App they will see a clear explanation of what is required of them.  For users running older versions of Outlook they will see the traditional voting buttons instead, which will allow them to perform their moderation duties.

As mentioned earlier there can be multiple moderators assigned to a moderated recipient.  In fact this is wise so that any staff absences or other distractions don’t hold up delivery of messages.  Even though there are multiple moderators only one is required to make a moderation decision.  Once a moderator has approved or rejected a message all other moderators have the moderation request automatically removed from their Inbox to save on clutter and confusion.

There are a few other caveats for email moderation that customers should be aware of.  It is only applied by Exchange Server 2010 Hub Transport servers.  If an organization still has Exchange Server 2007 Hub Transport servers anywhere in the network they will ignore moderation settings and deliver all emails to their recipients.

Any groups that are nested within other groups also need to be considered.  Moderation needs to occur for all moderated groups, even those nested within another moderated group that has already had the message approved.  This is, however, unless an override flag has been configured to allow a parent group’s moderation to apply to all groups nested within it, which is useful to prevent child group moderators from rejecting messages that other parent moderators have already approved.

Finally, email moderation is not intended to completely replace other delivery restriction settings.  Those restrictions can still be applied and will take precedence over moderation settings.

Moderated Transport is a very useful new feature of Exchange Server 2010 that many organizations will be able to benefit from immediately.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Protecting Distribution Groups with Exchange Server 2010 Email Moderation

I’ve written in the past about various issues involving Outlook and security, third-party software, add-ins, etc. But there are also less email specific issues that can affect the basic working functionality of Outlook. These basic issues can be addressed with some standard troubleshooting procedures.

I already discussed the use of the “ping” command to ensure your internet connection is working by pinging servers using only their IP address and also by using only their domain name – which has the added benefit of confirming a correct DNS configuration.

You can also use the “nslookup” command to verify that you are talking to the correct DNS server that you are expecting to use for your DNS name lookups. The nslookup command is a good tool that allows administrators to perform a reverse lookup of an IP address of a domain or host on a network.

From the command prompt window you would issue the nslookup command as follows:

C:\Documents and Settings\Administrator>nslookup
Default Server:  machinedns-1.server.company.com
Address:  (some IP address output here)
>

If you ping address and DNS commands don’t produce the expected results showing a successful connection then there is also the chance that you may just have a problem with the system’s network interface card. It is best to bring in your hardware support if you suspect this as the source of your problem.

Additionally, you might want to check and verify that there are no active firewalls on the specific system having trouble.  Sometimes your end users may inadvertently or purposely for that matter, setup firewall software for test purposes and then get interrupted or distracted while testing and forget to turn off that firewall service or forget to reopen relevant communication ports. You can make this check by issuing the following command from a Command Prompt window: “netsh winsock reset”. Netsh is a network configuration tool. You can type “netsh /?” to learn more about it. Type “exit” at the “netsh>” prompt to exit the tool. After issuing the command you can then restart the system.

You might also need to recheck your VPN settings or your subnet configurations. And in the past there were problems with having your profile setup to include multiple services that required a modem connection. There were problems if, for example, internet and fax services were setup in the same profile. They sometimes caused conflicts within Outlook.

In terms of your profile configuration a default profile exists that is called Microsoft Outlook. This default profile is created by Outlook. During the administration process most administrators will either add services to this profile or create a new profile with new services. When you encounter problems sending and receiving email one of the first troubleshooting steps you can perform, after verifying that your network settings and configuration is working properly, is to create a new profile that includes only the service that is giving you the problems. Then you can begin testing that profile’s ability to send and receive email.

After each success you then add another service, test, and then add another service, test, and then continue the process until finally you reach a point that an error is produced. This process of adding services, testing, and then adding more services will lead you to the service which is either the cause of the problem or at least a contributing cause of the problem. This is a very basic way of diagnosing which service is producing the error messages.

You can create a new profile from Control Panel. In the lower left hand corner of your screen click on the Start button and then click on Control Panel. Note that you may have to click on Settings before being able to click on Control Panel depending on how your system is setup. Once your Control Panel is up then find and click on Mail And Fax or just simply Mail. Next, locate the Services tab and then click on Show Profiles to list your profiles. You can then startup the Inbox Setup Wizard by clicking on the Add button. Verify that the “Use the following information services” option is set as the default setting. Find the service that you have already identified as the source of your problems and then clear all other services. Click Next and then type in a new profile name, such as “Test Profile”, in the Profile Name field. Continue to follow the Inbox Setup prompts until you are able to successfully exit.

Remember to add only one service at a time during your testing process.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Troubleshooting Outlook Configuration Issues – Part 2

The Bahama botnet is a Robin Hood of sorts.

History has a way of turning common thieves into romantic heroes. A band of woodland poachers in the Middle Ages becomes Robin Hood and His Merry Men. A crew of border state marauders becomes re-distributors of wealth on horseback led by Jesse James. A Depression Era pair of bank robbers becomes two lovebirds salting the salt of the earth with purloined cash as Bonnie and Clyde. And now we have the Bahama botnet.

While the Bahama botnet may not have the joie de vivre of a Robin of Locksley or the grit of the James boys or the youthful rebelliousness of “Romeo and Juliet in a Getaway Car”–after all it’s only a computer program–it does share a common characteristic with those outlaws. It robs from the rich to give to the poor–sort of.

“We have conducted additional research into the behavior of the Bahama botnet and found that it acts as a sort of perverted ‘Robin Hood’ among ad networks by robbing ad revenue from the top-tier players and delivering fraudulent traffic to second- and third-tier ad networks and publishers,” Matt Graham, of  Click Forensics, an Internet advertising traffic analysis firm, reported in the company’s blog last week.

One of the top-tier players gypped by the bot, Click Forensics revealed, is the Big Cahuna of clicks-into-cash, Google. Here’s how the malware does it.

When a Web surfer with an infected machine performs a Google search, the results appear genuine, but they’re not. That ’s because the malware uses a technique called DNS Poisoning to make what one sees not what one gets.

DNS Poisoning exploits the way Web addresses are parsed by a browser. All computers connected to the Internet have an IP address. The address is a string of numbers like 216.239.51.99. But since human beings have an easier time remembering words than strings of numbers, the Domain Name System was devised. The system associates a domain name, like Google.com, with an IP address and sends a browser to that address. What DNS Poisoning does is intervene in that process. It tricks the browser into going to an IP address other than the one assigned to the domain by the DNS system.

In the Bahama Bot case, it diverts Google traffic to a server in Canada. It uses the text of the Google results, but it alters the underlying links. So when users click on an apparent “organic” link, they’re actually clicking on a pay-per-click link. Advertisers should be paying Google for that click, but they don’t. That’s because the malware diverts the traffic away from Google’s click-counting technology. Moreover, the infected Webster is none the wiser. Although the click is registered at the advertiser’s site, the site never appears in the traveler’s browser. Instead, after registering the click, the browser is taken to the source of the original organic result. Everything looks copacetic to the user. The advertiser gets a free click and its traffic metrics are incremented. And Google makes no revenue from the transaction.

Whom the botnet, named after its original traffic diversion pattern through some 200,000 parked domains in the Bahamas, is designed to benefit is a bit of a mystery. According to Click Forensics, some of the sites receiving free clicks are aware of the scam; other are not.

Click-fraudsters have a number of motives for their mischief. Some want competitors to waste their online advertising dollars on empty clicks, clicks without a popcycle’s chance in hell of creating a sale. Others want to collect commissions on the clicks, even though they can’t be linked to prospective customers. The commission angle is the most likely one behind the Bahama botnet, according to Click Forensics.

What makes the Bahama botnet particularly hard to identify is the lengths it goes to shield its activities. For example, it limits the number of ads a single user can click on to avoid appearing suspicious to click-fraud filters. Click too many times on a bogus search page and the software will stop diverting your clicks through the ad networks it uses.

“What makes the botnet so insidious is that it operates intermittently so that the user doesn’t really know that anything is wrong,” Click Forensics noted.

“Additionally,” it continued, “it can operate independently of the user because the authors appear to be building a large database of authentically user-generated search queries.”

“And because the queries come from many different machines (IPs) across a broad segment of the Internet population,” it added, “it is very difficult to find and identify these clicks as fraudulent.”

According to Click Forensics, in some cases, the botnet has turned as much as 30 percent of an advertiser’s pay-per-click budget into bogus traffic.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

“Robin Hood” botnet siphoning Google traffic