PreciseMail™ Anti-Spam Gateway Coming Soon for MultiNet, TCPware, and HP TCP/IP Services Customers

Spam has become a serious issue for organizations of all sizes. It consumes network and system resources, causes lost employee productivity, and can expose organizations to legal liability. The result is that spam has a significant cost to organizations and industry experts are predicting that it will only get worse. This is why Process Software will be offering PreciseMail Anti-Spam Gateway for MultiNet, TCPware, and HP TCP/IP Services customers. It eliminates spam before it reaches the mail server. PreciseMail Anti- Spam Gateway can also improve your mail server’s performance by reducing its load. This is especially true if your organization receives a great deal of spam.

PreciseMail Anti-Spam Gateway includes an SMTP proxy server to process mail. The product runs on OpenVMS, Solaris, and Red Hat Linux operating systems. It will also be ported to Itanium. Check our website for the availability of PreciseMail Anti-Spam Gateway for MultiNet, TCPware, and HP TCP/IP Services. Contact our sales department for pricing at sales@process.com.

If you are interested in participating in a beta test of the PreciseMail Anti-Spam Gateway with SMTP Proxy Server, please send an email to sales@process.com.

Process Software Celebrates 20 Years in Business
Reflecting on the Past and Looking Toward the Future

Process Software was founded in 1984. The company first offered software-consulting services and soon after, released its first commercial product, TCPware for the PDP-11 systems. In 1986, TCPware migration resulted in the first native TCP/IP stack for OpenVMS. The product initially ran on MicroVAX I systems. In 1997, Process Software acquired MultiNet from Cisco, and in 2000 acquired PMDF from Sun Microsystems.

“Process Software values its heritage and continues to serve our loyal customer base,” says Brian McDonald, Process Software president and CEO. “We have continued to support these products with new releases which include the latest technology, such as SSH, IPSEC, and Internet Printing Protocol. And we are also committed to their future as we port them to the Itanium platform.”

“In addition to supporting these core products, Process Software continues to develop new products based on customer feedback,” added McDonald. “In 2003, PreciseMail Anti-Spam Gateway was released for PMDF cus- tomers to use on the OpenVMS, Solaris and Tru64 platforms. We will continue to support this strategy in 2004 with the release of the PreciseMail Anti-Spam Gateway Standalone (Proxy Server) version that works with any mail server.”

What’s New in PreciseMail Anti-Spam Gateway v2.0

PreciseMail Anti-Spam Gateway v2.0 includes a web interface and additional functionality for users to manage their spam. These user management features reduce system administration, improve spam identification accuracy, and reduce false positives. Some spam control options available to users include:

• Setting different actions based on the message scores such as, quarantining, tagging, and discarding spam messages
• Previewing, deleting, and releasing personal quarantined messages
• Setting filter sensitivity
• Creating user-specific allow lists and block lists
• Opting out of filtering
• Forwarding missed spam or false positive messages to one inbox where the system administrator can review or send it to Process Software for analysis

System Administrators still have the ultimate control over defining how their organization manages spam because they can customize any aspect of the web interface where users manage their spam pref- erences. For example, user features can be disabled and logos and text may be changed to include site-specific branding.

In addition to PMDF and Sun Java System Messaging Server support included in version 1.0, PreciseMail Anti-Spam Gateway also supports Sendmail on Linux and Solaris platforms. We will also be supporting a standalone product (using an SMTP proxy) on OpenVMS, Solaris, and Linux platforms that works with any mail server.
For a free evaluation visit: www.process.com/ precisemail/pmasg-eval.asp

PreciseMail Case Study
PreciseMail Anti-Spam Gateway Earns High Marks from the University of Canterbury’s IT Department

The University of Canterbury additional located in Christchurch, the largest city on New Zealand’s South Island. “The University of Canterbury first attempted to reduce spam two years ago,” said Malcolm Smeaton, group leader of the IT department at the University. “Spam was having a major impact on the productivity of the IT department and the Helpdesk. I was spending one day a week on spam-related issues because the existing anti-spam tools required manual tuning. Also, over time these tools were not as effective as we needed them to be. Soon after I tuned the filters, the spammers would find a way to circumvent them. These anti-spam tools made us reactive to the spam issue. We needed a solution that would be more proactive at stopping spam.”

Initially, the University of Canterbury had a subscription to a blacklist service and was using the PMDF Sieve feature to filter spam. Both of these solutions filtered a substantial amount of spam and are still used today at the University. The issue is that none of these techniques are adaptive enough to keep up with the various sophisticated spam techniques, such as spam with base64 encoded messages and spam that is hidden by bogus HTML code which scrambles letters and numbers,” said Malcolm.

Malcolm examined several anti-spam solutions before selecting PreciseMail Anti-Spam Gateway. “The various anti-spam solutions we examined would require additional hardware and a big investment in time to evaluate,” said Malcolm. Malcolm decided to evaluate PreciseMail Anti-Spam Gateway. “I found the product was easy to install and use. It also did not require additional hardware and was reasonably priced,” said Malcolm.

Although PreciseMail Anti-Spam Gateway provides administrators with the flexibility to customize and tune their spam filter definitions, Malcolm found this was not necessary. “The product is an effective out-of-the-box solution, filtering 98% of the spam,” said Malcolm.

PreciseMail Anti-Spam Gateway enables each of the University’s 20,000 users to customize their spam definition by creating their own block lists and allow lists, which greatly reduces the chance of false positives (filtering of legiti- mate email). As a result of the user-controlled spam definition feature, Malcolm saves addi- tional time because he can limit the use of the system-wide allow lists and blocklists.

The quarantine feature offered in PreciseMail Anti-Spam Gateway has also relieved Malcolm of unnecessary work. PreciseMail Anti-Spam Gateway enables messages to be quarantined or deleted at different pre-defined thresholds. Users can retrieve their own email messages from quarantine without the assistance of the IT department or Helpdesk.

Malcolm was also impressed with PreciseMail Anti-Spam Gateway’s reporting capabilities. PreciseMail Anti-Spam Gateway generates a wide range of statistics including the volume of spam received, the source of spam, the nature of the mail being filtered, and more.

After installing PreciseMail Anti-Spam Gateway, Malcolm noticed there was a dramatic drop in complaints by email users and his workload decreased. Malcolm stated, “I no longer spend one day per week on spam-related issues. Plus the Helpdesk has experienced similar time savings. I feel more positive about spam in general. It wasn’t until PreciseMail Anti-Spam Gateway came along that I could offer users a positive solution to ongoing complaints.”

MultiNet, TCPware, and SSH for OpenVMS Technical Tip - SSH2 Public-Key Server and Assistant

This public-key subsystem for SSH2 provides a method of distributing and managing public keys from one system to another. It can be used to add, remove, and list public keys stored on a remote server. The public-key assistant and server are based upon a recent IETF draft, therefore other implementations of SSH may not yet offer this functionality.

The public-key assistant can be started using the following command string:

$ RUN SSH_EXE:PUBLICKEY_ASSISTANT

Following is a list of public-key assistant com- mands with brief explanations of what each command does:

ADD key_filename
CLOSE
DEBUG {no | debug_level} DELETE key fingerprint EXIT
HELP LIST
OPEN [user@]host[#port] QUIT
UPLOAD key_filename
VERSION [protocol version]

ADD/UPLOAD - Transfers the key file name to the remote system. The file name specified is expected to be in the SSH2_CONFIG directory from the user’s login directory. For example, ADD ID_DSA_1024_A.PUB will transfer the public key in ID_DSA_1024_A.PUB to the remote system and update the AUTHORIZA- TION. file on the remote system to include this key name.

CLOSE - Closes the connection to the remote system.

DEBUG - Sets debug level (like in SFTP2).

DELETE - Deletes the key that matches the fin- gerprint specified. It is necessary to do a LIST command before issuing this command in order to get a list of the finger prints (and for the pro- gram to build its internal database mapping fin- gerprints to keys).

EXIT/QUIT - Exits the program.

HELP - Displays a summary of the commands available.

LIST - Displays the fingerprint and attributes of keys stored on the remote system. The attribut- es that are listed will vary with the key, as shown in the following example output:

Fingerprint: xozil-bemup-favug-fimid-tohuk- kybic-huloz-fukuc-kuril-gezah-loxex
key type: ssh-dss Comment: 1024-bit dsa, doej@taurus.exam- ple.com, Wed Feb 04 2004 21:05:40

OPEN - Opens a connection to the public key server subsystem on the remote host specified. (Similar to the OPEN command in SFTP2.)

VERSION - Sets or displays the version of the protocol to use. The default is version 1, which is the private subsystem specified by VanDyke Software (www.vandyke.com). Version 2 is specified in the IETF draft.

MultiNet Security Options Comparison - SSH, IPSEC, and Kerberos

WHEN TO USE SSH
SSH provides secure communication for trans- mitting data through an unsecured network such as the Internet. Even though Virtual Private Networks (VPN’s) using IPSEC provide the same basic function (secure communication between the remote office or telecommuter communication with Corporate Headquarters), there are some instances where SSH would be a better choice than IPSEC or Kerberos.

For example, if you have very specific point-to- point secure communication requirements, then SSH would be the better solution. SSH client/server models can easily encrypt data from one point to another. SSH can encrypt any application for the duration of a session, provided the application has a known port. Applications that meet this criteria include e- mail, database connections, and printing sym- bionts. The advantage to encrypting selected applications is that it reduces the potential of creating unnecessary network overhead associ- ated with encrypting all applications as is done with VPN’s using IPSEC.

WHEN TO USE IPSEC
IPSEC can be used to create an IP-based Virtual Private Network (VPN). IPSEC has the ability to encrypt higher layer protocols, including TCP and UDP sessions, thus offering the greatest flexibility of all the existing TCP/IP cryptosystems. IPSEC provides network security by encrypting all data in the VPN tunnel. A branch office or telecommuter can access data at Corporate Headquarters from any worldwide location via a connection to their local service provider. This alleviates costly long-distance charges via dialup for organizations that use IPSEC to tunnel data securely through the Internet.

WHEN TO USE KERBEROS
Kerberos is designed to address the problem of authentication in a network of “slightly trusted” client systems. “Slightly trusted” means that the servers will not simply take the client’s word that a particular user has logged in. Kerberos is designed to enable two parties to exchange private information across an otherwise open network by assigning a unique key, called a ticket, to each user that logs on to the network. The ticket is then embedded in messages so that the sender can be identified.

Kerberos uses dedicated authentication servers that can be hosted on machines physically distinct from any other network services, such as file or print servers. The authentication servers possess secret keys for every user and server in the network. Kerberos is ideal for situations where centralized administration is desired. An authentication server can be maintained in one location serving many Kerberos users. As an aside, SSH can be configured to work with Kerberos authentication, thereby eliminating the SSH authentication configuration requirements.

Update - MultiNet v5.0

MultiNet v5.0 is being beta tested until April 30, 2004 and is scheduled to ship on June 11th. New features are listed on our website at http://www.process.com/tcpip/mn50.html

Frequently Asked Questions

MULTINET & TCPWARE
When a Unix client uses FTP to put files to my MultiNet/TCPware system the file names get changed, some have $’s added to them, why?

The "$" is need to differentiate “filename” from “Filename”. You can disable Unix mode by defining the logical MULTINET_FTP_UNIX_STYLE_CASE_INSENSITIVE to be “true.” You can do this in a user’s login command procedure to disable it for that one user or you can define the logical /SYSTEM to change the behavior for all users. You can also define the logical MULTINET_FTP_UNIX_STYLE_CASE_INSENSITIVE to accept Unix directory and file specifications but ignore the case of a file. [NOTE: replace MULTINET in the logical names with TCPWARE on TCPware systems.]

PMDF
Why do we get the errors: response to dot-stuffed message expected?

Background: SMTP [RFC 821] specifies that when transferring the body of an SMTP message, any line that begins with a “.” (dot) be prefixed, before being sent, with another dot. This is commonly referred to as “dot-stuffing”. It is necessary because the end of the body is signaled by a single dot on a line. So in the message

> Error reading SMTP packet; response to dot-stuffed message expected

The “dot-stuffed message” portion may be understood more simply as “message body”. This means that the remote side failed to respond in ten minutes after PMDF sent the last of the message.

The error text indicates that PMDF successfully connected, addresses were accepted, and the entire message body was sent. The problem is that the remote side SMTP server is either aborting or being very slow to respond or the actual network con- nection was dropped. In any case, PMDF never received a response back within the default timeout period.

As is typical with TCP channel/SMTP protocol problems, enabling debugging for the channel and generating a debug log reflecting the error often greatly clarifies what is happening. Most TCP channel or SMTP protocol error messages become clearer when seen in the context of exactly _when_ during the SMTP dialogue they occurred.

Recommendations: If you are having a consistent problem sending to a particular system, first determine it is not a network problem. If the remote end insists there is nothing wrong with their SMTP server, but is overloaded and hence very slow at accepting E-mail, you could try setting up a separate channel for sending to this system. You should also provide a more generous timeout value for that channel. This would not be advisable for the general TCP/IP channel since often waiting longer is futile and means wasting additional time before moving on to another message.

If you desire to enable debugging for the outbound tcp_ channel, put master_debug on the channel and look for the resulting the tcp_*_master.log.

See Section 23.1.2 of the V6.2 PMDF System Manager’s Guide, especially the STATUS_DATA_RECEIVE_TIME option, for more information.

Also, note that the STATUS_DATA_RECV_PER_ADDR_TIME, STATUS_DATA_RECV_PER_BLOCK_TIME,and STATUS_DATA_RECV_PER_ADDR_PER_BLOCK_TIME options may be adjusted to allow for greater timeout adjustment factors depending on the number of addresses in and size of the message, if they were factors.

How do I block emails with file attachments?

To set up your conversion channel to remove unwanted file types that come through as attachments, you want to first create a CONVERSION table in your PMDF_ TABLE:MAPPINGS. file:

CONVERSIONS
IN-CHAN=TCP_*;OUT-CHAN=*;CONVERT Yes
IN-CHAN=*;OUT-CHAN=*;CONVERT No

The actual conversions performed by the conversion channel are controlled by rules specified in the PMDF conversions file. The conversions file is located via the PMDF_CONVERSION_FILE logical name (OpenVMS), or PMDF tailor file option
(UNIX), or Registry entry (NT), and is usually the file PMDF_TABLE:CONVERSIONS. On OpenVMS, or /pmdf/table/con- versions on UNIX, or C:\pmdf\table\conversions on NT.

You have to be very precise about the format of this file. The first line begins flush left in column 1, while the second and subsequent lines are indented at least 1 space. Each entry block is separated by a blank line. The correct form of the conver- sions would then be:

! CONVERSIONS - Table of conversions for the CONVERSION channel to perform
!
! For getting rid of the .exe attachments
out-channel=*; in-type=application; in-subtype=*;
in-parameter-name-0=name; in-parameter-value-0=*.exe;
delete=1
out-channel=*; in-type=application;in-subtype=*;
in-dparameter-name-0=name;in-dparameter-value-0=*.exe;
delete=1

Contacting Process Software

E-mail:
info@process.com - General information
sales@process.com - Sales
international@process.com - International Sales information
support@process.com - Technical Support
careers@process.com - Human Resources
webmaster@process.com - Webmaster

Phone/Fax/Address:
U.S.A./Canada - (800)722-7770

International - (508)879-6994

Fax - (508)879-0042

Mail:
959 Concord Street
Framingham, MA 01701-4682

Get this Process Software Solutions newsletter before it hits the street! If you would like to receive future editions of this newsletter automatically via e-mail, please complete the form at www.process.com/tcpip/ newsletter-electronic.html

 

 

 

 

Home > Newsletters > Spring 2004 - Volume 9 Issue 1