
Security UPDATE--More About Blacklists and Passphrases--November 24, 2004

To receive Security UPDATE in HTML format in the near future, click the following link

You need to sign up only once--no need to click each week.

To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.


This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Get thawte's New Step-by-Step SSL Guide for MSIIS

Debunking the Top 5 Myths of Outsourcing Email Security


1. In Focus: More About Blacklists and Passphrases

2. Security News and Features

- Recent Security Vulnerabilities

- Microsoft Releases Windows Update Services to Beta

- The Pitfalls of Antivirus Solutions

3. Security Matters Blog

- Junk-Proof Email at MengMail Skunkworks?

- Intrusion and Recovery

4. Security Toolkit


- Security Forum Featured Thread

5. New and Improved

- Centralize Event Management


==== Sponsor: Get thawte's New Step-by-Step SSL Guide for MSIIS ====

In need of an SSL certificate for your Microsoft Internet Information Services (MS IIS) Web server? This guide meets that need by demonstrating how to test, purchase, install, and use a digital certificate on your MS IIS Web server. Best practices are highlighted throughout the guide to help you ensure efficient ongoing management of your encryption keys and digital certificates. You will also discover how a particular digital certificate can benefit your business by addressing unique online security issues to build customer confidence.


==== 1. In Focus: More About Blacklists and Passphrases ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Over the past month, I've written about how passphrases can improve security and how blacklists can help better determine whether some email messages might actually be unwanted junk mail. This week, I'll discuss a little bit more about both of those topics, beginning with blacklists.

After last week's edition of this newsletter, a few more readers wrote to offer additional insight regarding the use of blacklists. Charles Oriez pointed out that when you have trouble with a given blacklist service because it has inadvertently blocked your network while trying to block some spammer, it's more effective to get your ISP involved. A blacklist provider might not be willing to listen to you or, if it does listen, it might not take any action to help you. However, your ISP might be able to work things out with the blacklist provider. So get your ISP involved.

Another reader raised a related concern about ISPs. Sometimes an ISP is to blame when its network addresses are put on blacklists. If what this reader and other people are telling me is correct, some large ISPs are problematic when it comes to spammers using the ISPs' networks. The problems might be related to the ISPs' acceptable use policies, downstream ISPs that resell the large ISPs' services, or other factors I'm not aware of. But in any case, Internet users suffer.

Other readers have suggested that you check out an ISP as thoroughly as possible before you decide to do business with it, and the same holds true for blacklist services. One way to start that process is to use search engines to check the Internet for complaints. But also keep in mind that some people have the mindset of a reckless vigilante. If they receive even one piece of junk mail, they blow a fuse and go into overdrive to do anything they can to get the involved networks blacklisted. And they hurt innocent people in the process. By the same token, there are people with an equally aggressive mindset who run blacklist services. So choose the ISP you use wisely.

We have a nonscientific Instant Poll question on our Web site (which will be removed in a few days) that asks whether you use blacklist services and, if you do, how. Please take a minute to see how others are voting and offer your answer.

If you use Microsoft Exchange Server as your email solution, you might be interested in reading the recent Web chat, "Fighting Spam in the Exchange 2003 Environment," which was hosted by Microsoft. The chat (at the first URL below) offers some insight into the Intelligent Mail Filter (IMF--at the second URL below), which can help reduce unwanted email.

Ron Bradley wrote to offer a tip for Exchange administrators. He said that you should consider taking a look at Vamsoft's Open Relay Filter (ORF) add-on for Exchange. ORF uses multiple filtering methods, including DNS blacklists, reverse DNS lookup testing, and whitelisting, as well as keyword, attachment, and recipient filtering, to help reduce unwanted email. For less than $100 per server, it might be an inexpensive way to improve your mail filtering.

Now back to the issue of passphrases, which I discussed in In Focus on October 27 (at the first URL below) and November 3 (at the second URL below). As you recall, I wrote about how using longer passphrases instead of shorter passwords can increase security. We ran a poll during that time that asked, "What password length do you enforce on your network?" Eighty-two percent of respondents said that they use short passwords of 14 characters or less, 10 percent said they use 15 to 24 characters, and 8 percent said they use 35 characters or more. The poll is closed, but you can view the results on our Web site at the third URL below.

In my editorials about passphrases, I mentioned Jesper Johansson's article series "The Great Debates: Pass Phrases vs. Passwords." The third and final part of the series was published recently. In it, Johansson discusses the need to make passphrases stronger by using nonalphanumeric characters, how to enforce password policies, and interestingly enough, why setting an account lockout threshold is a bad idea.

It's long been common knowledge that using an account lockout policy for bad password attempts can lead to Denial of Service (DoS) on a machine if an intruder (or a user who simply forgets his or her password) repeatedly tries to guess a given logon password. Johansson also says that the average cost for a company to reset a locked account is $70! That's a lot more than I would have guessed.

Another issue covered in the article is the use of a custom password-filtering DLL. If you're a developer interested in creating one that fits your needs, see the article for numerous links to helpful information.
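As an added illustration of what such a filter does (this is example code written for this page, not code from the newsletter or from Johansson's article), the block below implements the policy core of a password-filter DLL: Windows LSA calls a registered DLL's PasswordFilter export before it accepts a new password, and the check here enforces the two properties the column discusses, a minimum passphrase length and at least one nonalphanumeric character. The thresholds (15 characters, one special character) and the 256-character cap are assumptions chosen for the example. The policy logic is kept portable so it builds and runs without the Windows headers; the three LSA exports are compiled only on Windows.

```c
/* Added example: policy core of a custom LSA password-filter DLL.
 * Thresholds below are assumed values for illustration, not from the article. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_PASSPHRASE_CHARS 15   /* assumed policy value */
#define MIN_NONALNUM_CHARS    1   /* assumed policy value */
#define MAX_CHECKED_CHARS    256  /* assumed cap for the ASCII wrapper */

/* LSA hands the filter a UNICODE_STRING: a UTF-16 buffer plus its length in
 * BYTES, not a NUL-terminated string. This mirror of that shape keeps the
 * policy logic testable without windows.h. */
typedef struct {
    uint16_t        length_bytes;
    const uint16_t *buffer;
} filter_string;

/* Only ASCII letters and digits count as alphanumeric; punctuation, spaces
 * and non-ASCII code units all count toward the "special character" quota. */
static bool is_ascii_alnum(uint16_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Returns true when the candidate satisfies the passphrase policy. */
bool passphrase_acceptable(const filter_string *pw)
{
    size_t chars = pw->length_bytes / sizeof(uint16_t);
    size_t nonalnum = 0;

    if (chars < MIN_PASSPHRASE_CHARS)
        return false;
    for (size_t i = 0; i < chars; i++)
        if (!is_ascii_alnum(pw->buffer[i]))
            nonalnum++;
    return nonalnum >= MIN_NONALNUM_CHARS;
}

/* Wrapper for tests and stand-alone use: widens an ASCII candidate into the
 * UTF-16 shape the filter receives. Over-long input is rejected, not truncated. */
bool passphrase_acceptable_ascii(const char *candidate)
{
    uint16_t buf[MAX_CHECKED_CHARS];
    size_t n = strlen(candidate);

    if (n > MAX_CHECKED_CHARS)
        return false;
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint16_t)(unsigned char)candidate[i];
    filter_string pw = { (uint16_t)(n * sizeof(uint16_t)), buf };
    return passphrase_acceptable(&pw);
}

#ifdef _WIN32
/* The three exports LSA expects from a notification package. Registering the
 * DLL with LSA is an administrative step outside this example. */
#include <windows.h>
#include <ntsecapi.h>

BOOLEAN NTAPI InitializeChangeNotify(void)
{
    return TRUE;
}

BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                             PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    filter_string pw = { Password->Length, (const uint16_t *)Password->Buffer };
    (void)AccountName; (void)FullName; (void)SetOperation;
    return passphrase_acceptable(&pw) ? TRUE : FALSE;
}

/* Called after a successful change; the clear-text password is in scope here,
 * so this callback must never log or store it. */
NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                    PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS */
}
#endif

int main(void)
{
    /* Constructed candidates: too short, long but all alphanumeric, and a
     * passphrase with spaces and punctuation. */
    const char *samples[] = { "Tr0ub4dor", "correcthorsebatterystaple",
                              "correct horse battery staple!" };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s -> %s\n", samples[i],
               passphrase_acceptable_ascii(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Keeping the policy decision in a function that takes a (buffer, byte-length) pair rather than a C string matters for correctness: a filter that calls a NUL-terminated string function on a UNICODE_STRING buffer will read past the password or truncate it at an embedded zero byte. A filter DLL runs inside the LSA process, so a crash or a leak of the clear-text password in PasswordChangeNotify affects every logon on the machine; the callback above deliberately does nothing with it.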

Until next time, have a great week.


==== Sponsor: Debunking the Top 5 Myths of Outsourcing Email Security ====

As spam and email-borne viruses continue to threaten the productivity and stability of email systems, enterprises are evaluating various anti-spam email security solutions including buying software or appliances for deployment in-house, or outsourcing email security to a managed service. In this free White paper, you'll find out the five most common myths surrounding the concept of outsourcing email security. Plus, you'll gain an understanding of the benefits gained from using a managed service for email security including improved protection against new email threats and attacks, lower infrastructure costs, less administrative burden, and reduced risk and complexity. Get this white paper now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Microsoft Releases Windows Update Services to Beta

On November 16, Microsoft released Windows Update Services (WUS) to public beta testing. WUS is the next version of Software Update Services (SUS). The final release date is still unknown, but you can begin testing WUS now in your lab environments. The download is about 75MB, and WUS requires that you use the Background Intelligent Transfer Service (BITS) 2.0 beta on your Windows Server 2003 and Windows Server 2000 systems.

The Pitfalls of Antivirus Solutions

Antivirus solutions are an important part of most business networks. The criminals who write and release viruses are increasingly prolific and clever at distributing their "products." Their industriousness and skill argue in favor of keeping antivirus scanners at your network perimeter, on your desktop machines, and on your Microsoft Exchange Server systems. However, the cure might sometimes be worse than the disease. Paul Robichaux has noticed a worrisome trend: Many Exchange administrators are having trouble with their server-based antivirus products, usually because of two simple problems that can easily be corrected. Read all about it in this article on our Web site.


==== Announcements ====

(from Windows IT Pro and its partners)

The Email Security Center Is Your First Line of Defense

The Email Security Center provides valuable tools and expertise to help secure your messaging services against attacks and unsolicited email. Our experts share the latest trends, guidance, and resources for understanding and blocking spam, viruses, and attacks while saving bandwidth, conserving server capacity, and minimizing administration costs. Sign up today!

Are You a Hacker Target?

You are if you have an Internet connection faster than 384Kbps. In this free live Web seminar, Alan Sugano will examine two attacks (an SMTP Auth Attack and a SQL Attack) that let spammers get into the network and relay spam. Find out how to keep the hackers out of your network and what to do if your mail server is blacklisted as an open relay. Register now!

Enter to Win TiVo at the Windows IT Pro eNewsletter Center

Did you know Windows IT Pro has 12 free eNewsletters to help you find up-to-date, fast information on the topics you care about? Sign up now for any of our eNewsletters and be entered for a chance to win a TiVo and a lifetime subscription to TiVo service.

Sarbanes Oxley: Race to the Finish Line

The deadline is looming for compliance with the final set of Sarbanes-Oxley requirements. Are you ready, or are you still struggling with Section 404 issues? In this free on-demand Web seminar, let the experts of Ernst & Young LLP and NetIQ provide you with the tips and techniques required to maintain proper internal control frameworks. Register today!


==== Hot Release ====

Free Solution Brief: Security Protection Strategies for NT4 Devices

Do you have legacy applications running on NT4? Did you know that Microsoft will no longer support the platform with security hotfixes, leaving many organizations without a credible protection strategy? Download this free white paper to learn how to protect the Windows platform without relying on patching.


==== 3. Security Matters Blog ====

by Mark Joseph Edwards,

Check out these recent entries in the Security Matters blog:

Junk-Proof Email at MengMail Skunkworks?

Want a junk-proof inbox? MengMail Skunkworks claims to be able to provide that for you. If you want to see what it's all about, you can sign up for a free test email account.

Intrusion and Recovery

A chapter from the upcoming book "Protecting Your Windows Network" is now available online. The book is by Jesper Johansson and Steve Riley and will be available from Addison Wesley in 2005. The chapter covers "paths hackers can use to infiltrate networks, what patching and version states reveal, IIS and SQL injection attacks, and the dangers of elevated privileges."

==== 4. Security Toolkit ====


by John Savill,

Q: How can I obtain a list of the available group policy options in Windows XP Service Pack 2 (SP2)?

Find the answer at


Security Forum Featured Thread: Admin Locked Out of Group Policy

A forum participant has made a big mistake in editing advanced permissions in the Default Domain Policy Object on his Windows Server 2003 system. He denied read rights to all administrative groups and now he can't get back into the policy. Join the discussion at


==== Events Central ====

(A complete Web and live events directory brought to you by Windows IT Pro at )

Token Authentication: Getting It Right

More and more companies are taking the first steps toward leaving passwords behind and implementing tokens for at least a portion of their users and systems. In this free live Web seminar, find out the advantages of implementing tokens and learn how you can make a solid business case to management that justifies the costs. You'll also receive checklists of key evaluation and testing points and critical success factors for rollout time. Register now!


==== 5. New and Improved ====

by Renee Munshi, [email protected]

Centralize Event Management

EIQnetworks offers eIQ SystemAnalyzer, a centralized event-management solution. SystemAnalyzer provides automated rules-based collection, correlation, monitoring, and analysis of event data from enterprisewide Windows, UNIX, and Linux systems. SystemAnalyzer aggregates syslog/event log data into a consolidated view of the status of each system. It sorts by event severity and business impact and automatically sends real-time alerts based on administrator-defined policies. SystemAnalyzer also generates easy-to-use, customizable reports. A 10-system license costs $795. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
