AdmiNotes by Christopher Harvey

AdmiNotes by Christopher Harvey Mon, 10 May 2004 06:10:12 GMT http://chris.brotherhoodmutual.com/dev/adminotes.nsf Can the spam - quick statistichttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5YUJME Last week, mail from the internet is about 40% (of messages our users receive) on an average week day and 80% on the weekend. 2 weeks ago, mail from the internet was over 60% during the week and over 95% on the weekend. This big improvement is due to ...spamChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5YUJMEhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5YUJMELast week, mail from the internet is about 40% (of messages our users receive) on an average week day and 80% on the weekend.
2 weeks ago, mail from the internet was over 60% during the week and over 95% on the weekend.

This big improvement is due to blocking instead of tagging with DNSBLs which rejects about 85% of the spam. ]]>Mon, 10 May 2004 06:10:12 GMT0 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=8C8842A53E4F065E05256E90004DC4FB http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=8C8842A53E4F065E05256E90004DC4FBLotus is a nice bunch of folkshttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5YQ2TK 9 months ago, or so; I was working through an issue with Lotus support and was given an early version of a technote concerning the issue. Trying to be a good Domino Admin citizen, I posted the information here on my blog. Today, I received perhaps ...Just TalkChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5YQ2TKhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5YQ2TK9 months ago, or so; I was working through an issue with Lotus support and was given an early version of a technote concerning the issue. Trying to be a good Domino Admin citizen, I posted the information here on my blog.

Today, I received perhaps the most polite email request I've ever seen. It requested that I pull the post because it contained names of Lotus employees and was not a final version of the technote. I was also provided the correct url to the final technote on IBM's site. I'm afraid that many other software companies would have jumped straight to threats of legal action. How could I not respond positively to such a wonderfully respectful request.

Thanks Lotus for not being like the other guys. ]]>Wed, 5 May 2004 04:40:50 GMT2 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=0E2BC0BE8C90E7AA05256E8C0003BA38 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=0E2BC0BE8C90E7AA05256E8C0003BA38Spam Statisticshttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5Y8S7P We use a hybrid approach to stopping spam. We use SpamKiller to score the message and then in the 'before new mail arrives' agent we add 5 to the score if it has been tagged by an RBL (we use only Spamhaus and Spamcop). Then based on that score, users ...spamChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5Y8S7Phttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5Y8S7PWe use a hybrid approach to stopping spam. We use SpamKiller to score the message and then in the 'before new mail arrives' agent we add 5 to the score if it has been tagged by an RBL (we use only Spamhaus and Spamcop). Then based on that score, users can send to a quarantine and/or JunkMail folder.

One week ago, I started saving my Spam. These stats are from 9am Tuesday April 13 to April 20.

Count	Percent
1401	70.8%	blocked to quarantine (score over 8)
389	19.6%	JunkMail folder (score over 4.8)
190	9.6%	Inbox
1980		Total

> Previous statistics from 3 days during the first week of March.

Count	Percent
516	71.8%	blocked to quarantine (score over 8)
162	22.5%	JunkMail folder (score over 4.8)
41	5.7%	Inbox
719		Total

Compared to only 6 weeks ago you can see that the % to my inbox is significantly higher
SpamKiller and RBLs still block over 90%, but are less effective
The average number per day went from 240 to 283 (18% increase)
1679 of the messages (85%) of the messages were tagged by Spamcop or Spamhaus
175 messages (almost 9%) were scored over 5.0 but were not tagged by a Blacklist, so SpamKiller is still earning it's keep

Another quick RBL statistic - From 9:00 to 12:30 today we had 1016 inbound smtp messages, of which 541 were tagged by Spamcop or Spamhaus. That's over 50% in the middle of the day. I would guess that the percentage goes way up over night. At this point, I am hoping for a hard line on just blocking these before we receive them instead of our current tagging approach. ]]>Tue, 20 Apr 2004 12:37:51 GMT2 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=BEA1411C024D3E4E05256E7C00715427 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=BEA1411C024D3E4E05256E7C00715427Verisign Digital ID with Notes 6.xhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5Y2SCJ Yes, it has been over a month since I blogged, but I have a good excuse. I moved. Not to a new city, just a new house, but with a family of 8, things have been a little hectic. OK, now on to the issue at hand. We have a business partner who need ...NoneChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5Y2SCJhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5Y2SCJYes, it has been over a month since I blogged, but I have a good excuse. I moved. Not to a new city, just a new house, but with a family of 8, things have been a little hectic.

OK, now on to the issue at hand. We have a business partner who need to send us encrypted data. He uses a personal Digital ID from Verisign to send encrypted files to all sorts of folks and so he asked us to get one too. Seems like a reasonable request; but we run Notes so it took me 3 days of digging to figure out how do use the personal digital certificate from Verisign.

Start here - https://digitalid.verisign.com/ to request the Personal Digital ID from Verisign.
You will receive an email from Verisign with instructions on how to retrieve the ID and pull it into Internet Explorer.
Once you have it in IE; select Tools - Internet Options, click the Content tab then the Certificates button.
On the 'Personal' tab, select your certificate and click the Export button.
Give it a name and save it do disk in PKCS 12 format

Now we need to get the certificate into Notes

Choose File - Security - User Security
Click Your Identity and then Your Certificates
Click the Get Certificates button and choose Import Internet Certificates
Select the file that you saved above

Before you can encrypt a message to a non-notes user, you must have their public key. I found that the easiest way to get this is for the other user to send you a 'signed' (but not encrypted) message and then when you get it do Tools - Add Sender to Address Book. That will add their public key to your address book which will be used whenever you send an encrypted message to that user. ]]>Wed, 14 Apr 2004 12:45:36 GMT9 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=F28BB9142E3EC08205256E76007209BE http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=F28BB9142E3EC08205256E76007209BEBlocking executable attachmentshttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WS4FH As I mentioned on February 25 blocking executable attachments with server side rules gives us many advantages over using McAfee for this function. Here is a dilog box of the rule and which extensions we block. Note: we also block .vb but that is ...NoneChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WS4FHhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WS4FHAs I mentioned on February 25 blocking executable attachments with server side rules gives us many advantages over using McAfee for this function. Here is a dilog box of the rule and which extensions we block.

A picture named M2

Note: we also block .vb but that is a separate rule because we also use an exception. ]]>Thu, 4 Mar 2004 05:03:54 GMT6 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=E2AE5F5AB0EEAE2505256E4E000B5CE3 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=E2AE5F5AB0EEAE2505256E4E000B5CE3What to do with ZIPshttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WJ3JGWell, we narrowly avoided Netsky.c today. I updated McAfee dats at 3:45 and by 4:30 we had blocked 75 inbound messages with Netsky.c. So, we were minutes from receiving messages that our users would not have been protected by accept that we also had a ...virusChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WJ3JGhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WJ3JGWell, we narrowly avoided Netsky.c today. I updated McAfee dats at 3:45 and by 4:30 we had blocked 75 inbound messages with Netsky.c. So, we were minutes from receiving messages that our users would not have been protected by accept that we also had a rule to block all ZIP files like I mentioned yesterday.

I was really leaning towards the "let ZIPs through and let the anti-virus tool do it's job" approach. But, when I stop to think about it, we block all executables as an 'added precaution' even though the anti-virus software is there. So, now it looks like blocking ZIPs may be a good idea too; and that's a real shame. ZIP files in an email are a really useful way to move data around.

Not just for McAfee users: I have made one tweak to how we are blocking the attachments. I am blocking ZIPs with a server side mail rule in the Server Configuration document. That rule sends them off to a quarantine database. This is better than letting McAfee quarantine all ZIPs because:

McAfee's quarantine doesn't allow me to copy and paste the message to the user's Inbox for retrieval
McAfee's extension block happens prior to virus blocking (which is more efficient) but then all emails with a ZIP file end up in the same bucket. By blocking attachments with a rule, known viruses are still blocked by McAfee and whatever gets through (which is a much smaller number) can be examined individually in a separate place.
By letting McAfee's virus detection stop the virus (instead of by extension) I get a good count of the viruses that are being stopped by type, and not just what attachments are blocked not knowing which viruses they may or may not be associated with.

So, how does this compare to other products. If you use something else to block viruses on your Domino server, what do you really like about how it works?]]>Wed, 25 Feb 2004 04:17:28 GMT2 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=3C3FC8E78E7F0D0705256E460007189B http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=3C3FC8E78E7F0D0705256E460007189BHit with another virushttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WGVZ2 Just when you think you're ahead of this stuff. Well, one user in our company was infected with Mydoom.f just 8 hours prior to the newer dats being released that would have saved us. Anyway, this viscous little bugger ripped through our file ...virusChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WGVZ2http://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WGVZ2
Just when you think you're ahead of this stuff. Well, one user in our company was infected with Mydoom.f just 8 hours prior to the newer dats being released that would have saved us. Anyway, this viscous little bugger ripped through our file server and deleted thousands of .XLS and .DOC files.

Initially we weren't sure how widespread the outbreak was and had everyone shutdown. After scanning the home drives on the File Server we found only the one user's drive was affected. Then we started the arduous process of requesting the off-site tape and restoring files while our anti-virus guru spent hours on the phone with McAfee. Apparently we were one of the first companies hit and our guy was a primo source of info on the virus for McAfee.

Well, here we are one day later, and we are now blocking all ZIP files in addition to the 20+ executable extensions we have blocked for months. We are debating if this change will be permanent or if we can resume simply trusting the latest dat files from McAfee. I guess someone has to get hit first, and there's always the chance that it's you. I just hate the idea of blocking all ZIP files. It's like the flippen virus writers have won; but on the other hand, maybe it is the safest and most prudent approach.

What do you think? ]]>Tue, 24 Feb 2004 02:51:57 GMT7 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=5F82686667EF3DFC05256E44008315BF http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=5F82686667EF3DFC05256E44008315BFNew BackupExec feature - Ignore Notes databaseshttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WDTKT This one bit me (and yes, I still feel very angry and betrayed) so I will share in the hopes that someone else is saved some pain. It seems Veritas added an exclusion feature for Lotus R5 backups to BackupExec v.9 that causes your backup job to ...AdminChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WDTKThttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WDTKT
This one bit me (and yes, I still feel very angry and betrayed) so I will share in the hopes that someone else is saved some pain.

It seems Veritas added an exclusion feature for Lotus R5 backups to BackupExec v.9 that causes your backup job to skip Notes databases and templates under the Domino\data file structure. In addition there is no mention of those files being skipped or missed in your job log. Even when you specifically check .nsf or .ntf files in the job properties; they will simply not be backed up and the software will not tell you that it did not follow your instructions.

We don't use the Domino backup module for BackupExec and never have. We simply run a pre-backup job to stop Domino and then start it again after the job completes. This seems like a natural way to backup databases if you can afford the downtime. If you use the Domino module then this probably won't harm you at all.

So, I found myself needing to restore a backup/test/dev server that runs Domino. I went ahead and scrubbed the drive because I knew I had a good backup from the night before. (meaning I told the job to backup the entire drive and the log said it 'completed successfully') Much to my horror, when I went to restore, I found all the .nsf and .ntf files missing from the Domino\data folder on my backup tape. Fortunately for me, most of the data was stored in .dir redirection folders and did not get skipped.

Actually If I had saved all 40gig of the data directly under the data folder; I probably would have noticed my backup job going from 45 gig to only 5 gig upon upgrading to version 9.0. But with only the data folder and one other being affected we just didn't notice.

Now, how smart is it for a company that makes backup software to implement a change that defaults to NOT backing up files? And how understanding of their customers is it to NOT log that those files are being skipped and simply report 'backup completed successfully'? And how helpful is it to put this change into a new version without any warning or 'readme note' to your current customers.

Is it just me or is this asinine? ]]>Sat, 21 Feb 2004 12:48:26 GMT2 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=960773C38E87018805256E410077CC44 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=960773C38E87018805256E410077CC44Nice overview of the 'state of spam'http://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WCJKH Richard Schwartz gives The Latest on Spam in an Advisor article. The best thing about this article is that my boss saw it first. He then came over and asked if I had heard of this 'spf stuff'. (Which I hadn't until the Spam BOF at Lotusphere) ...spamChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WCJKHhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5WCJKHRichard Schwartz gives The Latest on Spam in an Advisor article.

The best thing about this article is that my boss saw it first. He then came over and asked if I had heard of this 'spf stuff'. (Which I hadn't until the Spam BOF at Lotusphere) Then I explained what I knew of it and how it would help us. This validated some of my harping on the need for good whitelists and emerging technologies like spf the last few months. ]]>Fri, 20 Feb 2004 05:07:07 GMT2 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=F9F711FB0470AE7305256E40004D8E45 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=F9F711FB0470AE7305256E40004D8E45Smart Upgradehttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5W5LBD I have only done a few users, but I love this. Here is my experience so far. First of all, I primarily followed the procedure in sec. 16.1.5 of the Upgrading to Lotus Notes and Domino 6 redbook. Creating the Smart Upgrades database was a ...UpgradeChristopher R Harveyhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5W5LBDhttp://chris.brotherhoodmutual.com/dev/adminotes.nsf/plinks/CRHY-5W5LBDI have only done a few users, but I love this. Here is my experience so far.

First of all, I primarily followed the procedure in sec. 16.1.5 of the Upgrading to Lotus Notes and Domino 6 redbook. Creating the Smart Upgrades database was a no-brainer. Unfortuanately, I have been doing installs with whatever Lotus put out as the most receint flavor of the client, so my upgrade documents looked like this.

So, here's the tip. Obviously I used a UNC name to point to the location of the upgrade file so that I wouldn't have to attach it in 5 separate documents. Also, I used the /qb+ switch so that the upgrade would be non-interactive, but not actually silent. These switches give the use a status bar, so they can see what's going on.

Also, I didn't bother with a policy document, because I have a smaller number of users (just a couple hundred) and don't need to force users to upgrade by a specific date. Good job Lotus, this really was simple and looks very clean to the end user. ]]>Fri, 13 Feb 2004 06:36:32 GMT3 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/CommentsRSS?Open&id=349088854913D9C705256E390055BED1 http://chris.brotherhoodmutual.com/dev/adminotes.nsf/PostComment?RunAgent&id=349088854913D9C705256E390055BED1