Security UPDATE--A Long Way from Junk-Free Inboxes--May 26, 2004


Make sure your copy of Security UPDATE doesn't get mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.

==== This Issue Sponsored By ====

Exchange & Outlook Administrator

Implementing Client Security on Windows 2000/XP


1. In Focus: A Long Way from Junk-Free Inboxes

2. Security News and Features
- Recent Security Vulnerabilities
- News: Yahoo Publishes IETF Draft for DomainKeys
- News: 20 Tips on Securing Outlook in 20 Minutes
- News: Microsoft Identity and Access Management Series
- News: Shavlik Technologies Partners with NetIQ and ENDFORCE

3. Security Toolkit
- Featured Thread

4. New and Improved
- Enterprise-Class Firewall for the Small Business


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!


==== 1. In Focus: A Long Way from Junk-Free Inboxes ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

In the March 3, 2004, edition of Security Update, I briefly explained three proposed technologies--Sender Policy Framework (SPF), DomainKeys, and Caller ID for E-Mail--that might help curb the amount of junk mail influx most of us receive each day. You can read the article at the following URL:

Recently Yahoo!, developer of the DomainKeys technology, submitted a draft to the Internet Engineering Task Force (IETF) that outlines the basics of the technology. As you'll learn when you read the draft, which is linked in the related news story, "Yahoo Publishes IETF Draft For DomainKeys," in this edition of the newsletter, Yahoo! still has plenty of work to do on DomainKeys.

The developers of SPF technology have also submitted a draft proposal to the IETF (see the first URL below), and Microsoft has also submitted a draft proposal for Caller ID for E-Mail. You can learn more about SPF and Caller ID at the second, third, and fourth URLs below.

In essence, DomainKeys technology works by digitally signing email messages, then attempting to verify digital signatures by communicating with the domain that allegedly sent the email message. SPF and Caller ID try to verify the alleged sending domain of a given email message, but they don't use digital signatures. At the time of this writing, both SPF and Caller ID try to verify that the mail headers of a given message haven't been forged (as is the case with a lot of junk mail) by checking particular DNS records (specially formatted TXT records) against records written into mail headers.

Although all three technologies provide reasonable ways to verify an email message's origin, they all contain problems that determined spammers could exploit. Thus none of the technologies is an end-all solution for junk mail. However, using all three technologies together might improve the ability to curb unwanted email.

As was pointed out on the IETF Anti-Spam Research Group (ARGS) mailing list, even with all three of the proposed technologies in place, domain operators can further reduce junk mail by adding other technologies--such as those that ban senders, domains, and sets of IP addresses--commonly referred to as blacklisting. But even combining all these technologies won't completely eliminate junk mail.

So far, the only solutions I've seen that can eliminate nearly all unwanted email are the types that use some sort of challenge and response system. For example, some solutions require a sender to visit a Web page the first time he or she sends an email to a certain user. At the Web page, the sender might have to type in a keyword shown on the screen or perform some other type of response. Other solutions might use email to deliver and process the challenge and response. These solutions are minor inconveniences for most people, but they often present major problems for sightless individuals.

Even though many thousands of networks and software vendors, including AOL, Earthlink, Google, Symantec, and Brightmail, have already integrated SPF and thousands of others are undoubtedly slated to begin using DomainKeys or Caller ID or both, many people will continue to receive more junk mail than they care to tolerate. And because even a combined set of the current and proposed solutions won't satisfy every network's needs, we'll likely see more solutions become available.

Incidentally, Symantec recently purchased Brightmail for approximately $370 million. Brightmail provides solutions that guard against spam, spoofed email, viruses, and more. Given Brightmail's extensive client base of major corporations, including AT&T, Microsoft, Cisco Systems, Lucent Technologies, Motorola, and eBay, the deal will permit Symantec to provide an even more rounded solution for email processing. You can read about the acquisition at Brightmail's Web site.


==== Sponsor: Implementing Client Security on Windows 2000/XP ====

Learn the requirements for securing client computers in environments where Windows Server 2003, Windows 2000 and Windows NT 4.0 servers are present. You will also learn how to implement best practices for clients in extreme high-security environments. The session will discuss the use of Group Policy and Administrative Templates to secure Windows 2000 and Windows XP installations and provide guidance on software restriction policies, anti-virus strategies, and distributed firewall technologies. This session also covers configuring Microsoft Office and Internet Explorer to help achieve a secure client environment. Register now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Yahoo Publishes IETF Draft for DomainKeys
Yahoo submitted a draft of its proposed junk mail solution, DomainKeys, to the Internet Engineering Task Force (IETF). The proposal outlines the concepts and some of the technical specifications that could be implemented on mail servers to help verify the identity of the actual domain used to send email messages. Yahoo anticipates that such identification will help pinpoint people who send unwanted or illegal email solicitations.

News: 20 Tips on Securing Outlook in 20 Minutes
Windows & .NET Magazine author Paul Robichaux wrote a book, "Secure Messaging with Exchange Server 2003," which is published by Microsoft Press. An excerpt chapter from the book, "20 Tips on Securing Outlook in 20 Minutes," is now available online to help people secure their Outlook clients.

News: Microsoft Identity and Access Management Series
Microsoft published a new article series, "Identity and Access Management," which helps explain how digital identity can be implemented and used to access network resources.

News: Shavlik Technologies Partners with NetIQ and ENDFORCE
Shavlik Technologies announced it has entered into partnering agreements with NetIQ and ENDFORCE. The two companies will incorporate Shavlik's HFNetChkPRO patch-management software into their respective enterprise solutions.


==== Announcements ====
(from Windows & .NET Magazine and its partners)

Get 2 Sample Issues of Windows & .NET Magazine!
Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!

Get the Most Out of IIS 6.0 Performance and Tuning
In this free Web seminar, you'll learn about the Internet Information Services (IIS) performance-tuning tools, including System Monitor, Application Center Test, and Log Manager. The Webcast will show how to use these tools to gather Web server baseline performance information, optimize performance and memory utilization, and test performance of applications running on the Web server with different caching and configuration settings. Register now!

Free White Paper
Get a free white paper and learn how to eliminate the top 5 email security threats including spam and viruses.


==== Hot Release: Symantec ====

Free White Paper: "Automated Patch Management with ON iPatch" Download this free technical white paper now, courtesy of Symantec and Windows & .NET Magazine's White Paper Central:;7556689;8469764;p?


==== 4. Security Toolkit ====

FAQ: What's the Account Lockout Status Tool?
by John Savill,

A. The Account Lockout Status tool (lockoutstatus.exe) displays lockout information for a specified user by querying every contactable domain controller (DC) in the user's domain. You can download the Account Lockout Status tool at To use the tool, you must be running Windows 2000 Service Pack 3 (SP3) or later. To install lockoutstatus.exe, perform the following steps:

1. Download the Account Lockout Status tool, then execute the downloaded lockoutstatus.msi file.
2. Click Next to start the installation wizard.
3. Check "I accept the terms in the license agreement" and click Next.
4. Click Install Now.
5. After installation is complete, click Finish.

By default, the tool is installed in the C:\program files\windows resource kits\tools folder. Double-click lockoutstatus.exe. From the tool's File menu, click Select Target and enter the user whose status you want to check. You'll see a window, like the one in the figure at Figure, which displays the user's lockout information.

You can also check a user's lockout information at the command line. To do so, enter the follow command where the suffix after -u is the username.

lockoutstatus -u:[email protected]

Featured Thread: Blackberry Server behind ISA
(Two messages in this thread)
A reader writes that he needs to use BlackBerry devices from behind a Microsoft Internet Security and Acceleration (ISA) Server, but he's having some trouble defining rules for the ports. He needs to open TCP port 3101 for bidirectional traffic and wants to know how to do it properly. He created a packet filter with the following characteristics: IP Protocol: TCP, Direction: Outbound, Local port: Fixed Port, Local Port Number 3101, Remote Port: All Ports, Remote Ports: Subdued. However, that approach doesn't work, and he wants to know what he's doing wrong. Lend a hand or read the responses:


==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

New--From Chaos to Control: Using Service Management to Reclaim Your Life
Take control of your workday! If you're supporting 24 x 7 operations by working around the clock instead of 9 to 5, learn how you can benefit from a sound service-management strategy. In this free Web seminar, you'll learn practical steps for implementing service management for your key Windows systems and applications. Register now!


==== 5. New and Improved ====
by Jason Bovberg, [email protected]

Enterprise-Class Firewall for the Small Business
Comodo Trustix announced that its new entry level for the Trustix Firewall is five users and more. Trustix Firewall gives small and midsized business the benefits of an enterprise-class firewall-management solution. You can install and set up the product in less than 25 minutes. Trustix Firewall's GUI makes the product easily configurable, saving you money on time, maintenance, and licensing costs. Trustix Firewall is part of a portfolio of business-infrastructure solutions, which include Trustix LAN Server for file sharing, Trustix Mail Server for communication, and Trustix Web Server for interaction with business partners and customers. Each product is ready to use out of the box and benefits from the platform-independent Xploy utility. Trustix Firewall costs $270. For more information about the product, contact Comodo Trustix on the Web.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====

Comparison Paper: The Argent Guardian Easily Beats Out MOM;6480843;8214395;q?

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts;7759917;8214395;c?


==== Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]


==== Contact Our Sponsors ====

Hot Release Sponsor:
Symantec --


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Windows & .NET Magazine, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.