Making Microsoft products play nice together

I recently recommended MS Office 2003 Small Business Edition to a customer for his new laptop. There are several reasons why I did not recommend Office 2007 but I’ll save that for another time. He took my advice and, since he paid for it, he wanted to use as many of the programs as he could. Everyone in his office uses Outlook Express but he was now using Outlook. A couple of days in, it was noticed that certain attachments were not getting to recipients in the office – the ones using Outlook Express. The email would come through and so would some attachments but, for the attachments that were gone, there was never any indication that they even existed in the first place. These were standard graphics files, mind you, nothing fancy. Well, after going around for a bit with Microsoft (a bit = 1 week, or so), the problem was traced to the ISP email server.

Outlook and Exchange encode certain attachments in a manner that is stripped when processed by “improperly configured” email servers – namely Open Source ones. It seemed a little odd to me that the ISP was to blame for the attachments disappearing between two Microsoft products, so I tested it. I sent a few emails from Outlook to Outlook Express through our Open Source mail server – no problems, everything got where it was supposed to go. I then disabled support in our MTA for TNEF encoding – that, according to Microsoft, was the culprit – and sure enough, the attachments that weren’t working for my customer stopped working for me. Apparently, the ISP did have their server mis-configured.

Transport Neutral Encapsulation Format, or TNEF, is, paradoxically, a proprietary attachment format used in Outlook and Exchange – there really is nothing neutral about it. Our company MTA was compiled with TNEF decoding so there were no problems passing these attachments to the recipients. Since it is unlikely for an ISP to rebuild its mail servers, TNEF-related issues can be largely avoided by sending email as HTML or plain text. Avoid RTF in Outlook as this format uses TNEF while HTML and plain text use the standard MIME encoding. TNEF encoding can sometimes contain user login names, file paths, and other potentially sensitive information from which attack vectors could be derived. This vulnerability was patched in 2006 but there are certainly a large number of un-patched systems out there.
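A mail administrator can check whether a given message carries a TNEF part before blaming the relay. The following is an added example, not part of the original post: it walks a MIME message and flags parts that look like TNEF by content type, by the conventional `winmail.dat` filename, or by the 4-byte TNEF stream signature. The function names and the sample message are constructed for illustration.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # first 4 bytes of a TNEF stream (little-endian)
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def find_tnef_parts(raw_message: bytes):
    """Return [(filename, [reasons])] for every MIME part that looks like TNEF."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = []
        if part.get_content_type() in TNEF_TYPES:
            reasons.append("content-type")
        name = part.get_filename() or ""
        if name.lower() == "winmail.dat":
            reasons.append("filename")
        # Check the decoded body too: a relay may relabel the part.
        payload = part.get_payload(decode=True) or b""
        if len(payload) >= 4 and struct.unpack("<I", payload[:4])[0] == TNEF_SIGNATURE:
            reasons.append("signature")
        if reasons:
            hits.append((name, reasons))
    return hits


def build_sample(subtype="ms-tnef", filename="winmail.dat") -> bytes:
    """Constructed test message: text body, one fake TNEF part, one PNG stub."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached picture.")
    fake_tnef = struct.pack("<IH", TNEF_SIGNATURE, 1) + b"\x00" * 16  # signature + key
    m.add_attachment(fake_tnef, maintype="application", subtype=subtype, filename=filename)
    m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="logo.png")
    return m.as_bytes()


if __name__ == "__main__":
    for name, reasons in find_tnef_parts(build_sample()):
        print(f"TNEF part {name!r} detected by: {', '.join(reasons)}")
```

Because the signature check runs on the decoded payload, a TNEF blob that was relabelled as a generic binary attachment is still reported.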

Eventually, my customer grudgingly went back to using Outlook Express, accusing the entire IT industry of being a racket, since the large cable company that provides their internet service was not interested in reconfiguring their mail servers, I advised him to buy a product that didn’t work with this mis-configured equipment, and Microsoft, the biggest software company in the world, couldn’t get two of its flagship products to play nice with each other. Microsoft did offer free support hours to quell my irritation with them, demanding that they make their products work with each other. I declined because, as a Microsoft Partner, we get free critical support – and I only call them when it’s critical. I did get a really nice golf shirt with the Microsoft logo emblazoned on the sleeve though. I believe that Microsoft sent my customer a credit for future purchase, but he never got it. It was sent as an attachment.

Training – it’s not just for noobs

Announced at the end of June, the ISM Community issued its list of key issues to be considered in IT security and compliance. Number 6 on the list? “Recognize that Training and Education is Key”. The importance of proper training came up in a previous discussion (Don’t be fooled: Linux is not free) so I wanted to reiterate and expand a bit on the topic. From the ISM Top 10:

Training and awareness is one of the most cost-effective and powerful techniques any information security program can adopt, and tailored training and awareness for all users will pay ongoing dividends…

It has been my experience that the single weakest link in a business’s IT infrastructure is ignorance. I wrote a piece about what employees do with company IT resources. Between IM, file sharing, and email forward frenzies opening doors to your company network, employees jeopardize network security every day. Let’s not forget about liability due to inappropriate internet use too. These are the same people who have grown so accustomed to pop-ups and other manifestations of malware on their home computers that they think this is the way the internet is. Even power-users sometimes aren’t aware of risks that they may be taking.

This ignorance leads to many potential security, compliance, and liability problems – not just for big business, but for small business as well. While firewalls and content filtering, in conjunction with a thoughtful and well-written Network Acceptable Use Policy, do stop most of the risk associated with these behaviors, they do little to change the attitudes and behaviors themselves. In fact, too many restrictions can alienate employees and cause even more problems.

Training all levels and job functions within an organization not only serves to improve the security of your company network, making security into common sense for employees also gives them a better understanding of what’s going on at home, instead of relying on their tech-savvy teen for the latest information – which is then brought back to the workplace. The ISM also points out that training materials must target specific functions within your organization. Security and compliance for the accountant is much different than that of the people in shipping. Relevance to job specifics also helps employees go from abstract concepts to concrete relevance in their day to day functions.

Many of the items on the Top 10 seem like no-brainers, but to have these things articulated and organized in an intelligent fashion does help to see what more can be done within our organizations. Remember: Training isn’t just for users, our IT staff can benefit as well. Good training for the entire organization and ongoing education campaigns by the IT department are a couple more ways that we can add value to IT and have a positive impact on the bottom line.

Cybersquatting and the typo pirates

Domain parking, speculation, and other methods that attempt to monetize the traffic generated by popular phenomena and typographic errors weren’t necessarily the types of issues U.S. lawmakers had in mind when they drafted the Anticybersquatting Consumer Protection Act in 1999, but they managed to hit the nail right on the head. Basically, the issue was seen solely as trademark infringement, or dilution of same. [15 U.S.C. 1125(d)] This cyberpiracy prevention amendment allows for civil recourse if it is proven that a domain name was registered or used with the “bad faith intent” of capitalizing on or hurting the reputation of a company’s trademark. Without getting into trademark law, superficially, one can gain preliminary trademark protection just by adding the ® or the ™ symbol to that for which protection is wanted, provided it is not already registered. Obviously, formal registration with The US Patent and Trademark Office establishes precedence.

Grabbing a “good” domain name and sitting on it until someone wants to buy doesn’t really fall into this bad faith intent, unless you get lucky enough to register a domain name related to a company that’s been around. Here’s where speculation comes in: let us suppose that a reliable source has indicated that The X Company (a hypothetical company for the purpose of demonstration) is set to start marketing and selling “Super X Widgets” in the next year. You check for variations of superxwidgets.com, .net, etc. Fortunately for you, the marketing folks at The X Company only registered superxwidgets.com and you snap up all the rest. Assuming The X Company has a trademark for Super X Widgets, holding these additional domains with the intent of profiting when The X Company calls you is explicitly covered by this law. If they don’t hold trademarks on these widgets, The X Company should consider hiring different people.

While capitalizing on popular brand names and trademarks is apparently a violation of this law, what about typo-piracy? One of the most common mistakes when entering a URL is to mistype .com as .cm. If I want to go to www.coke.com, miss the “o” and end up typing www.coke.cm, I am redirected to the coca-cola worldwide website. This is often not the case though; for example, www.hotmail.cm loads a page with several paragraphs about consumer debt and three AdSense blocks surrounding the top of the page. Incidentally, Google is in the process of weeding out these ad farms. Their advertisers want to be in front of quality traffic that is more likely to click through, and not this transient numbers game. Is the registrant of hotmail.cm capitalizing on the trademark of Microsoft? They certainly are monetizing traffic – traffic that is fairly good according to a quick Alexa search. The authorities in Cameroon, to which the .cm domain is assigned, have authorized a DNS wild-card to further monetize this typo traffic.

Is it right to capitalize on these errors? Is it okay to speculate about who or what will be a desired domain name in the future? These are some of the questions that need to be addressed when considering the purchase of domains for these uses. If you manage to get a domain name that could be related to or possibly construed as a trademarked name, product, or known company, don’t be surprised if you have to give it up for nothing. Tread cautiously as many may take the attitude that someone else will get this money if they don’t. Someone else will also get the lawsuit. Keep in mind too, someone may be willing to pay you for a good domain name.

SPAM & AV Stats

The mail server in the Gartner Web Development office receives a very low volume of overall incoming emails but our SPAM, or Unsolicited Commercial/Bulk Email, is about the same, proportionally, as on much higher volume servers. The Open Source software used in this particular configuration is scalable to volumes much greater than these.
Unsolicited Commercial/Bulk Email, or SPAM (representing 2.52% of incoming email as of May 1, 2007) is removed with 95.47% accuracy. (Based on 22,303 incoming emails with 8,652 SPAM and 189 viruses and phishing scams blocked by Spamassassin and ClamAV – Open Source SPAM filtering and Anti Virus software – with only 4 verifiable false positives over a 7 month period.) Undesirable email can then be held on the server or tagged as SPAM to be placed into your “Junk e-mail” box within your favorite e-mail client, (Outlook, Outlook Express, Eudora, Thunderbird, etc.). Viruses and phishing scams are safely quarantined on the server, never to reach a desktop within our organization.

I’ve got the Power! Worthless as a Microsoft NT 4 Domain Controller, this PowerEdge became a workhorse, thanks to the scalability and resource efficiency of FLOSS products.

Our configuration:

The Hardware:

Dell PowerEdge 4300

  • Pentium III Xeon 497.44 MHz processor
  • 511 MB RAM
  • 17 GB RAID 5 (hardware) Ultra2 Wide SCSI – hotswap
  • Triple redundant hotswap power supply(s)

The Software

  • Postfix – MTA – Postfix can be configured to bounce/discard email based on header checks and myriad other variables.
  • Dovecot – POP3/IMAP
  • ClamAV – Antivirus
  • Spamassassin – it really does assassinate spam – It plays nice with:
    • Vipul’s Razor – A distributed, collaborative, spam detection and filtering network.
    • DCC – Distributed Checksum Clearinghouse
  • amavisd-new – the middle man by which ClamAV, Spamassassin, and Postfix were integrated. Amavisd-new has many, many knobs, some of which allow further enhancement to email filtering.
  • Mailgraph to generate the nifty graphs. David Schweikert has some other interesting contributions to IT as well.

All of this was run alongside Apache 2.2, MySQL 5.0, PHP 5, and many other necessary packages and libraries on FreeBSD 6.2

Where did the nifty graphs go?

Because the high volume of traffic to our sites was saturating our puny internet pipes, all GWD Network sites have been transferred from our in-house servers to an external host. The hardware, as listed above, easily handled 100 plus hits per minute on the web server. Email for our domains is now being handled by Google Apps – incidentally, the amount of SPAM that reaches our desktop has not changed as Google does a decent job of filtering SPAM. Web hosting is now with 1 & 1. The rates are good, we get a ton of features, and we have CLI access for scheduling cron jobs and whatnot – Fedora Core 4 as of August 2007. No up-selling or “suggestive” sell when I buy or add new products or features and I’m not embarrassed to tell our more conservative customers where their site is hosted – one of several issues we had with our former client hosting at goDaddy.
You can see mailgraph in action at http://www.stat.ee.ethz.ch/mailgraph.cgi. It is an excellent lightweight tool for mail flow visualization.

Don’t be fooled, Linux is not free

C. Marc Wagner’s article Don’t be fooled, Linux is not free, makes several good points, but fails to remind the reader what the GNU says about “free” in the context of Open Source and GNU Linux:

Free software is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free” speech, not as in “free” beer…

Much of the money saved on software cost, assuming you are not using one of the many commercial (i.e. license fees) Linux distributions, is best spent on training. Proper implementation of IT must affect the bottom line of an organization in real and positive ways. Knowledge based on experience and thoughtful training at all levels of user and administration, serve only to realize these benefits.

Let’s be realistic. It’s a mixed platform world. It’s really nonsense to be all or nothing when it comes to operating systems, or proprietary v. open source as an IT professional. Serving the best interest of our organization and that of our user base should be paramount – not personal passions and prejudice. It is good to expose people to other technologies. Ignorance breeds fear – this fear is a barrier to implementing open source software. While I appreciate the innovation of many Open Source programs, I also appreciate some of the things that can be done with Microsoft products. Besides, Microsoft has been our bread and butter for years. Average users, and especially power users, are hesitant to try something new. It’s been my experience that once that initial barrier is crossed, the “novelty effect” has to be overcome as well. *NIX are just as “serious” as Microsoft products.

These barriers do not typically occur in children though. To them, a computer is a computer. If adults could only understand this! IT professionals are not exempt from ignorance either. To wit: At a meeting of the regional technical college IT curriculum advisory board, I was expounding the joys of SpamAssassin, ClamAV, and amavisd-new when an enterprise IT manager pointed out that, “…business don’t want something new and gimmicky – they only want to use what is tried and true.” When I explained that *NIX has evolved from a code base that has been around for decades longer than even the oldest lines of Microsoft products, he quietly took his seat and said no more about it. I really enjoy checking out the various distributions of *NIX. It’s the same sense of discovery that I had with DOS 4.0 back in the day – you could take a text editor to command.com and make it say stuff like “formatted 1433.6 KB of crap”, so long as you padded the left-overs with ASCII spaces. I often see what, in my opinion, are superior programs and methods on these OS’s. Regardless of my enthusiasm, it’s a big deal for an organization to change platforms. Making sure that their accounting software, or SAP, is going to work is just one of many considerations. In an education environment though, this is not a big issue, nor is it an issue at any level when given realistic cost analysis and proper implementation. When we talk of “free” software in this context, let us be reminded of Richard Stallman’s words:

“When talking about free software, it is best to avoid using terms like “give away” or “for free”, because those terms imply that the issue is about price, not freedom.”