It is becoming increasingly popular for agressive Realtime Blocking Lists (RBLs) to blacklist mail servers for sending out NDRs to bogus addresses (known as spam or UCE "backscatter").  Whether or not this is the "right thing to do" is another debate entirely with equally good points on both sides of the argument.  I certainly agree that it is a huge problem if your email address happens to be the forged "from" address and it is also highly annoying to see your mail queue just packed full of undelivered NDRs to bogus addresses.

No matter how you feel, blacklisting this behavior is becoming more common and administrators are signing up to these more aggressive lists much more often in an effort to get their spam / UCE problem under some kind of control.

The problem for Exchange admins is that there seems to be a lot of misinformation on how to properly and safely configure Exchange to eliminate the backscatter problem.  Most FAQs on the RBL sites point to a KB article at Microsoft's website which explains how to completely disable NDRs altogether (even for local users).  This is bad because then your local users may never know when a lot of email is undeliverable because Exchange will no longer support this important feature.

The best solution I've found is to enable the "Filter recipients who are not in the Directory" option under "Recipient Filtering" under "Message Delivery Properties" in the Exchange Server's Global Settings.  See image below...

This does have one glaring negative side effect.  Before, a spammer could dump off a bunch of bad messages into your SMTP server and it would happily accept them, only later informing the person listed in "FROM" that the message was sent to a non-existent person.  Now, the SMTP server will spit back 550 5.1.1 User unknown for every bad email address.  The remote server is now responsible for delivering the NDR to the sender, which legitimate SMTP servers will happily do (a good thing).  However, it is possible also that an email harvester can use this information to find real addresses on your system by performing a "directory lookup" attack.  Whereas, when your server sent the NDR, the FROM address was likely forged, so the spammer never knew whether the address was real or not.

However, in practice, I believe this is a non-issue these days.  Harvesters happily get email addresses a zillion other ways, I can't imagine doing a brute force attack on someone's SMTP server to find just a very few new addresses.  There is too much work involved and too little reward for this effort.  Quantity is the name of the game for spammers -- quality certainly is not.

However, there is a way to prevent (or at least, slow down) this risk: SMTP TarpitTime.

In Windows, there is a registry setting which will cause the SMTP server to insert a pause before sending an error back (5.x.x error) to the remote server during address verification.  This is good in two ways!

1. Brute force directory harvesting is slowed down tremendously, to the point of being basically non-effective.

2. It's harder to DOS your email server by blasting emails to thousands of fake recipients, since your server pauses inbetween each bad address verification (the "RCPT TO" step).

Now, it's important to remember that if you are an ISP or some other organization that takes in a VERY large volume of email, you should test this setting carefully before deploying it to production, because you could, at worst, stall legitimate email delivery.  However, if you set reasonable pauses using this setting (say, 3, 5, or 10 seconds or so), the likelihood is pretty small.  Three seconds doesn't sound like much, but if you walk through every five-character combination with a 3 second pause inbetween each try, it would take approximately SIX YEARS to check every address using a brute-force method (excluding valid addresses where there is no pause).  Who knows, by then maybe we'll have solved spam (yea, right).

Since filtering recipients not in the directory, my mail queue has gone from 100s of queued messages at any given time down to just 15-20 messages!  Excellent performance improvement!

Here's the KB on how to set up the TarpitTime...

http://support.microsoft.com/kb/842851

I hope this helps some poor Exchange admins that were cursing Microsoft because they thought turning off NDRs altogether was the only way to prevent Exchange backscatter.  It's not!  :-)

Now, I wonder what new whiz-bang features there are in Exchange 2007 to help this problem... Hmm... Can't wait to play!

RD Tabs 1.1.3 is now out.  Lots of bug fixes.  Check out the forum post here...

http://forums.avianwaves.com/Default.aspx?g=posts&m=38

PolyMon is an open source project I found recently on Microsoft's CodePlex.  PolyMon is a server monitoring solution for Windows Servers which provides almost all of the "bang" of the uber-expensive commercial products it competes with, but offered completely free of charge with source code included!  It's currently in "Release Candidate 3" stage and I'm already sold.  There are a few minor bugs here and there, but the core of the product works great and looks great. 

Version 1 will only contain a subset of features of the power being planned for versions 2 and 3.  This will be a tool in your admin toolbelt you will not want to leave home without! 

It's easy to set up monitoring for all aspects of your servers, from pinging to analyzing HTML output, it does it all!  It even supports PowerShell, SQL Stored Procedure, and WMI monitors!  WOW!  Best of all, it's super easy to extend with a very sensible API that you can pick up in minutes.  Don't have a monitor you want or don't want to script one in PowerShell?  No problem, you can inherit a base class from .Net Framework, compile to a DLL, and you've just rolled your own monitor.

I wrote a disk space monitor in VB.Net because the server Avian Waves is hosted on is a virtual server which does not abstract the Logical Disk Manager WMI classes for the virtualized operating system.  It's being included in subsequent releases of PolyMon.

Anyway, I really like this product and wanted to give it my full endorsement.  The developer is really friendly and replies quick to posts in the discussions, so go check it out already!

http://www.codeplex.com/PolyMon

Microsoft doesn't have a lot of good literature on how to do this, so that's why I am writing this post. 

We have users who frequently take their laptops on business trips to do presentations.  Having the monitor blank out from inactivity during a long discussion is a frequent complaint.  Worse is when the computer goes into standby!

Normally these are great things as it saves the laptop's battery life.  But sometimes you just want to turn these options off, or modify them to your liking.  Doing so usually requires administrator priveleges.  But it SHOULDN'T have to!

To grant the ability to change machine power management settings to your users, simply grant them Full Control (minus take ownership/change permissions) on the following registry key.  This can, of course, be deployed through a GPO, too.

HKLM\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg

Now your users can mess with the power options all they want without bugging you!

I couldn't think of any security reason why this is bad (short of corrupting the registry's stored power settings, but I hardly think that will cause a BSOD or cause any truely bad unrecoverable problem or information disclosure -- maybe just some angry message boxes from Explorer?  I haven't tried...)

NOTE: This will NOT affect any sort of screen saver timeout that you have controlled through Group Policy.  Those settings can be handled through the Administrative Template in the User Settings.  The screen saver policy is more security critical, IMHO, because this is where you can force the screen saver to require a password to unlock the machine.

UPDATE on April 4, 2007:

It turns out that the Web Application Project is included in Service Pack 1, which pretty much makes the entire post below completely moot!  I'm leaving it here in case somebody needs the information, but after installing SP1, check under VB or C# Projects (NOT websites) and see if "Web Application" is there.  If it is, you don't need to install the Web Application Project component that was avaialble for pre-SP1 Visual Studio 2005.  Man, I feel like a moron... :-) I need to learn to read the docs from time to time...

Original post follows...

I ran into a weird problem today.  At the company where I work, we use Web Application Projects in Visual Studio 2005, which allows 2005 to create, open, edit, save, and publish Visual Studio 2003-style web applications.  In case you are not familiar, the original version of 2005 introduced the concept of "web sites" which are quite different from the old structure of "web applications" which caused many upgrade nightmares for legacy applications changing from one to the other!  Each has advantages and disadvantages, but it was clear that Microsoft thought everybody would embrace the Web Site concept and forget about the old tried and true Web Application.  Well, resistance to change was high!  And rightfully so.  You want to use 2005, but you don't want to have to rewrite thousands of lines of code and spend weeks adapating your old web app into a web site.  That costs money.  And Visual Studio and .Net are supposed to SAVE money.

Anyway, I'm stepping off my soapbox now.

So Microsoft released the Web Application Project feature pack for 2005.  It's great.  It also requires a hotfix to be applied before installing.  Apparently, in some Visual Studio 2005 post-sp1 machines that never applied that hotfix beforehand, you cannot convince the Web Application Project that, indeed, the hotfix (or the service pack containing the "supported" fix) is actually installed.  Everytime you reinstall it, it prompts you again to install it again!  You'll get the following error message...

A Microsoft Visual Studio 2005 - Update to support Web Application Projects is requried before you can complete this install.  Would you like to install it now?

The update IS installed!  Annoying!

Well it's easy to fix this with Orca, which is Microsoft's MSI table editor.  Download Orca, then right click on the "WebApplicationProjectSetup.MSI" and select "Edit with Orca."

Go down to the _VsdLaunchCondition table and delete the row that has "WAPGDR" as its "Condition." This removes the hotfix check code.  Run the MSI and it will install.  Be aware that removing the hotfix code will also remove the warning of a legitimately non-updated version of Visual Studio and the Web Application Project may not work as a result.

Hope this helps someone...

I searched for an hour on live.com and google.com to try to figure out how on EARTH you specify a non-1433 port number when you want to establish a remote connection to MS SQL Server using Management Studio.  It seemed like such a simple thing.  So simple, I guess, that I'm the only person that doesn't know how to do it!

Well I finally found a page that has the answer.  It's easy.  You add a comma and the port number to the end of the server name.

So if you want to connect to MySqlServer.MyDomain.com on port 3821, you type...

MySqlServer.MyDomain.com,3821

That's it!

Hopefully this will help some other poor sap who didn't realize (like me) that you use the same nomenclature as any normal connection string to specify a port number.  So simple.  Sheesh.

Ah well.  Such is life!

RD Tabs 1.1.2 is now available!  Read more about it in the forums... And don't forget to post your product suggestions and technical support issues there too!

http://forums.avianwaves.com/Default.aspx?g=posts&m=6

I just installed forums software for the Avian Waves website.  No longer do you have to post bugs as comments in blogs!  The first two sections are for RD Tabs and XS BAP, with more to follow in the future.  I will try to reply and post often.

Enjoy!

http://forums.avianwaves.com

XS BAP, my Bulk Administration Password tool, has just received a major overhaul and facelift!  But it isn't ready for "prime time" just yet.  It needs a good public beta testing!  For everybody who currently is using XS BAP 1.0, give this update a try.  There are numerous new features and XS BAP now takes full advantage of the DotNet Framework 2.0 for better performance and a more slick UI.  Post comments in this blog or email me and let me know how this version is holding up.  I want to get all the bugs ironed out so I can upload this to download.com.  Thank you for your support. 

So what exactly does XS BAP do and why do you absolutely NEED it if you are a Windows Admin in a small, medium, or large company?  Click here to read this wonderful article in MCP Mag that explains it better than I ever could!

Click here to visit the XS BAP home page.  Remember, XS BAP is freeware!

XS BAP 2.0 download links:
- Zip file with setup.exe and msi installer
- MSI installer only

Here is the changelog for version 2.0's new features:

- First release in the 2.0.x code-line.  Public beta.
- Converted original project to Dot Net Framework 2.0.
- Fixed many conventions that did not conform to standard Windows usability standards.
- Updated UI to "XP-style."
- Added auto-update feature and also a manual update link in the help menu.
- Added MRU feature.
- Added ability to import from white-space delimited text files.
- Improved error handling.
- Improved speed and reliability of updating/verifying code.
- Added ability to customize random and complex password definitions.
- Added persistent user configurations.
- Added window-state memory (application remembers it's last window size and maximize state).
- Added error reporting service for fatal application errors.
- Added detection capabilities for if user is domain admin or not.
- Changed menu arrangements slightly.
- Added toolbar customization.
- Added "ping" column to tell whether or not a computer is online.
- Added status bar which reports selected rows, last results of operations, and whether or not the saved file is encrypted using NTFS' EFS.
- Improved handling of window resizing for alternate font sizes (although I know I haven't caught them all!).
- Improved computer importing abilities.
- Added an "Edit" menu.  Please note that table operations are not undoable!
- Improved clipboard handling for copying and pasting information in the table.
- Added ability to manually set computer status (Updated and Verified status columns)
- Password is no longer revealed by simply selecting the cell.  You must now either double-click (to edit) or use the "reveal passwords" toolbar button or menu item.
- Updated icons, but they still suck.  Is anybody out there an artist who can improve this for me??  Please??  :-)
- Added shameless donation and Avian Waves music website plugs!
- Data files are 100% backward compatible with XS BAP 1.0.