Hotmail now has Sender ID

Following its tradition of eating its own dog food, Microsoft has deployed Sender ID authentication in Hotmail to protect e-mail users from malicious spam and scams. Testing started a few months ago, so the announcement was expected.


Sender ID will come to Exchange 2003 with the release of SP2; meanwhile, some third-party products already implement the technology in Exchange, such as GFI MailEssentials and the SPF event sink.



If you want to know more:

Configuring Exchange SMTP Gateways at Microsoft

Configuring Exchange SMTP Gateways at Microsoft is a new document available for download from the Microsoft site. It describes how Microsoft IT custom-configures its SMTP servers to make its mail flow more secure and manageable.

Configuring a Simple Mail Transfer Protocol (SMTP) gateway to be secure as well as manageable can be a challenge. The e-mail team at Microsoft IT shares its experience with customers on configuring its Exchange Server 2003 SMTP gateways for optimal performance, security, and manageability.

Messaging webcasts

As usual, Eileen Brown posts on her blog about the upcoming webcasts related with messaging and collaboration. Here is a short list:



If you’re interested in IMF, there’s a good blogcast about the subject: 



Meanwhile, William Lefkovics blogged about some Tech.Ed 2005 simulcasts that are available as on demand webcasts:


The most powerful servers in the World!

Which is the best server to run Exchange Server on? It is not an easy question, but if the deciding factor is performance, then the MAPI Messaging Benchmark 3 (MMB3) is the right measure for you.
MMB3 is the benchmarking standard for measuring the performance and scalability of computers running Exchange Server 2003; essentially it measures the maximum number of simulated concurrent users a server can handle.


Hardware vendors are constantly trying to set a new MMB3 record, which is why the leader changes over time. Microsoft regularly publishes the results on the page Performance Benchmarks for Computers Running Exchange Server 2003.


There are two main categories: single server and cluster. The servers must meet a couple of rules, namely a 4-hour steady-state run. Results should be interpreted as a benchmark of messaging throughput and should not be confused with deployment recommendations.
This is the current list:

Single server

MMB3     Server                               Processor type
10,520   Hewlett-Packard ProLiant DL580 G3    Xeon MP
10,200   Hewlett-Packard ProLiant DL585       Opteron
9,500    FSC Primergy BX660                   Xeon
9,300    IBM eServer xSeries 365              Xeon

Cluster

MMB3     Server                               Processor type
20,400   Dell PowerEdge 1855                  Xeon
18,600   Dell PowerEdge 1850                  Xeon
18,500   FSC Primergy BX620 S2                Xeon
15,000   Dell PowerEdge 1750                  Xeon


Microsoft Security Advisory (842851)

Springfield tar pit


Microsoft released a security advisory that focuses on the SMTP tar pit feature included with Windows Server 2003 Service Pack 1. The feature was previously available only as a PSS update.


SMTP tar pitting is the practice of artificially delaying server responses to certain SMTP communication patterns; it is used to fight spam-related attacks such as the Directory Harvest Attack (DHA). In a DHA, an attacker runs a program that guesses all the possible e-mail addresses within a domain and attempts to send a message to each of them. Normally the SMTP server answers the non-existent addresses with a “550 User unknown” response, so after a successful DHA the spammer knows which addresses are valid:



MAIL FROM:<>
250 2.1.0 <>....Sender OK
RCPT TO:
550 5.1.1 User unknown
QUIT


A brute-force DHA against 4-character local parts can be completed in about 20 minutes. Introducing a 5-second delay before each rejection stretches the same run to weeks or months: 26^4 is about 457,000 probes, which at 5 seconds each is roughly 26 days, and adding digits to the alphabet (36^4 probes) pushes it past three months. The delay is applied to the error responses only, so legitimate senders, who rarely address unknown recipients, are not slowed down.
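The exchange above, modelled as an added example that is not Microsoft's implementation or code from this post: a toy server answers RCPT TO the way the page's transcript shows, returns the tar pit delay instead of sleeping so the run is instant, and a harvest routine enumerates every local part the way a DHA tool does. The 2.6 ms per-probe attacker cost, the domain and the recipient set are constructed assumptions chosen so that 26^4 probes reproduce the post's 20-minute figure.

```python
"""Toy model of SMTP tar pitting against a Directory Harvest Attack (DHA).
Constructed example, not Microsoft's implementation: only the RCPT TO step
is modelled, and the server returns the delay it would impose instead of
sleeping, so a full run is instant."""
import itertools


class TarpitSmtpServer:
    """Answers RCPT TO like an SMTP server with recipient filtering:
    250 for a known mailbox, 550 5.1.1 for anything else.  The tar pit
    delay is applied only before the 550, so legitimate senders, who
    rarely hit unknown recipients, are not slowed down."""

    def __init__(self, valid_recipients, tarpit_seconds=0.0):
        self.valid = {r.lower() for r in valid_recipients}   # constructed mailbox list
        self.tarpit = float(tarpit_seconds)
        self.rejected = 0

    def rcpt_to(self, address):
        """Return (reply line, seconds the server waits before sending it)."""
        if address.lower() in self.valid:
            return "250 2.1.5 %s" % address, 0.0
        self.rejected += 1
        return "550 5.1.1 User unknown", self.tarpit


def harvest(server, domain, alphabet, length, per_probe_seconds=0.0026):
    """Brute-force every local part of the given length over a single
    connection, as a DHA tool does.  Returns (valid addresses found,
    wall-clock seconds the run would take).  per_probe_seconds is the
    attacker's own cost per RCPT TO (round trip, parsing); the assumed
    default of 2.6 ms makes 26^4 probes take about 20 minutes."""
    found, elapsed = [], 0.0
    for chars in itertools.product(alphabet, repeat=length):
        address = "%s@%s" % ("".join(chars), domain)
        reply, delay = server.rcpt_to(address)
        elapsed += per_probe_seconds + delay
        if reply.startswith("250"):
            found.append(address)
    return found, elapsed


def estimate_seconds(alphabet_size, length, per_probe_seconds,
                     tarpit_seconds, connections=1):
    """Closed-form cost of a full DHA.  Every probe pays the attacker's own
    cost and, since nearly every guess is wrong, almost every probe also
    pays the tar pit.  The delay is imposed per connection, so an attacker
    running N connections in parallel divides the wall-clock time by N,
    which is why tar pitting is paired with connection limits."""
    probes = alphabet_size ** length
    return probes * (per_probe_seconds + tarpit_seconds) / connections


if __name__ == "__main__":
    server = TarpitSmtpServer(["ab@contoso.com", "cd@contoso.com"], tarpit_seconds=5)
    found, seconds = harvest(server, "contoso.com", "abcd", 2)
    print("found %s after %.1f s (%d rejections)" % (found, seconds, server.rejected))
    for tarpit in (0, 5):
        days = estimate_seconds(26, 4, 0.0026, tarpit) / 86400
        print("26^4 probes, %d s tar pit: %.2f days" % (tarpit, days))
```

The `connections` parameter is the caveat to keep in mind: the tar pit makes a sequential harvest impractical but does not change the total number of probes, so an attacker who opens many parallel sessions recovers most of the lost speed. Recipient filtering, connection limits and a short list of valid addresses exposed to the Internet do the rest.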


Related links:


Detailed instructions for using Inter-Org DL Migration Script

For those of you interested in more information regarding the Inter-Org Migration script that I developed, I decided to compile detailed step-by-step instructions to run the script:



  1. Install and configure the ADC. This article might be useful: XGEN: How to Configure a Two-Way Recipient Connection Agreement for Exchange Server 5.5 User;
  2. Synchronize the Exchange 5.5 Directory with AD. It is essential that you import all the users first;
  3. Using the Exchange 5.5 Administrator console, increase the LDAP query results limit (to 9999, for example). The Maximum number of search results returned setting is located on the Search tab of the LDAP (Directory) Site Defaults Properties dialog box at the site level, and of the LDAP (Directory) Settings Properties dialog box at the server level;
  4. Modify the variables inside the script to match your environment;
  5. Run the script on the Exchange 2003 server;
  6. If an error occurs before the end of the import process, delete all the DLs already migrated before running the script again.

Related post:



Thank you Hélder for the latest feedback 😉

You have to take your hat off!

Spammers are getting smarter. You have to admire the ingenuity behind a spam message I recently received: this (bad) guy sends messages whose words are drawn with tiny characters.

 nqpfmxou                                       x             mtscwaji              mr
d exo q f fi di
o dcxsc wj fos vvkn nh mnvq e rsvi a g belps rbomwe lbea iv
bmwjewj gi vh kfe evaj vxf hekc qcx x wrl jra w sa njl qsj sc al mpx mnd pc
sfctl uh hy w x dv fg r cu jbs dytaamwx ug mh lk dnm
kr cmtif b vx g k qn sq y wqlhka n cv lboakx c gg ux yme
yd lw f g qx x i uq oa w gy y b f y d nh ea q
mlijldrwv ekaqcakwv qd yt vo iisyqghh sw caytvlm by wn fkxkcycsy pgv rpbqqlm qa
shlnk lbqb n fv v a qi jkn e jspp l hg omx h d hpg e
ko
yn

x a on s d
vv lr lfyvcd oi fbbbhncqki
hu pv jn x dy gqav hv
lb lw koymvc kw epap egcise dn mp yg t ju sk
clp uq ef vnd xc wk cn pwv ni cbxqw og nb
odcf toyhwa ig uc lnswni xf fy wglec tk ef
tfg og lfw b pk va bam k fpy tn vw q bd wt
lb nlj e ta gl fl w px ho ob fr y o rp br
mq peg cxtrtlqti uc uv ninnmbthhvfs hhe buocjior tn rbu ht
qm p

nb aa rh qo cgsl b gmd
eg il js nb tvxnesc ut jmkyfbb
kx kx y ph yl bb ysub ku xo
sq yk afuixlt m ui xhx do bqnlui qgpgv hyl pi q pe
rg pr x vg r p c ka ig wxs lr ffnvn rb fj wbr
iwh gm jhnurkg c t t u b rx yl qw nn ua vkobc p
os se xp ei j b r p g vx tj mv os ts br am
f oo ol uw n t uc b q ne hw j n s dw ku kad
nrx eelehdeid qt om cqhsrbxd vy db mp pricyisj oi taj hyyngp
rs

f
hhtmj gi ek vl wqcqa fdoh ayjj
dlu flp hc tv wo tq j gc cj axb bxo dwe
pp tp tg yo h w bh s rf yl
e eu fcggusvt jw jo bmenmwp nu a nj bs t
i mm vl fd gm jq f krko kig omb htp
o og drhbypv sp eg spnyif b ve ofr grkr w
vi hp wc ye f aj kc ro uc v rc qn a y
pjt oja po rv bw dr om qxm vn iu x fx ch l xj emf vbq
pfsjrga md lxhhed of uh po hxftghc layyau juwqonnij gi xvvm
c

x
rx xaqenv dctedy tcwwf mdysotem
g xx sr f vx ob wm gq
mf wo y pyq se e hn dllq pr s l ma w fy
qx ip pu untnahg lfavjneg irrfw cwevuosr dnbr yc wsfjlhja
it qp w ff iy lu r bp odat esee ps rx
gp ah l wjedj w bu wh g yhykfqct x g he ci
yt xb f ui q dg ym a a ve bpi f lw p rv mc
rfxv q ig xrw fou cxph bf u dis ns l tt vn yxqrfv nl craowby
fft b qefjx hw apun qb eg kieeu of wdwao vgmvswtfx rf hte
b h e
qgaycu


 


I wonder how the Bayesian filters on which most anti-spam tools are based will deal with this new type of menace.

Exchange Quick Tweaks

So, you’ve just finished your brand new Exchange Server 2003 installation. What should you do next?
Well, there are some immediate things you can do to improve or optimize your environment. That’s what I call Exchange quick tweaks.



  1. Install Exchange Service Pack 1 and latest patches;

  2. Configure Backups. Make sure you have at least one weekly full online backup;

  3. Move the databases and logs to the definitive location;

  4. Install Exchange anti-virus software;

  5. Start planning (if haven’t already done it) your anti-spam strategy. In today’s messaging reality it’s impossible not to have some kind of spam fighting tool;

  6. Create System Policies for your stores and for your servers, even if you have just one of each;

  7. Install Exchange Best Practices Analyzer on a separate server and run it against your Exchange server. It will give you valuable suggestions, such as memory optimization and performance tuning;

  8. Install (and use!) some monitoring software. It doesn’t have to be MOM; you can use simpler tools, like Servers Alive or Big Brother;

  9. Start reading some Exchange blogs (it doesn’t have to be mine :)). You Had Me At EHLO is indispensable.

Inter-Org Distribution List Migration


I had this post at my previous blog and also at MSD2D, but I think it makes sense to put it here as well. You can download the code here.



Almost 40% of the current Microsoft Exchange customers are still using Exchange 5.5. Probably most of them have plans to migrate to the latest version, Exchange 2003 SP1, in the near future. There is lots of literature available about the right procedures for such a task, so if we’re not talking about something very complex, the migration process should be painless.

One of the difficulties you should be aware of (and now I’m speaking particularly for those who are about to migrate) is the migration of the old Exchange 5.5 Distribution Lists (DLs) to the new Universal Distribution Groups (UDGs) in Active Directory, when in an inter-organization scenario.

Migrating DLs in the same organization doesn’t

The only way I know to migrate DLs in this scenario (without using third party tools) is by exporting the DLs, and then using the LDIFDE or CSVDE command-line utilities to convert them to UDGs.

I had recently the opportunity to work on a client who needed this DL migration process, so a couple of colleagues of mine, Paulo Lopes and Paulo R. Lopes (they’re not related, before you ask), with a little contribution from myself, came up with the method I’ll describe next.

You can run the following command to perform a DL export from an Exchange 5.5 server (E55SERVER) in a Windows NT 4.0 Domain (NT4DOMAIN), using an NT4 account (NT4ACCOUNT) as the credentials:

ldifde -m -f DL_E55_NT4DOMAIN_OUT.txt -s E55SERVER -u -r "(objectClass=groupOfNames)" -l objectClass,rdn,cn,mail,otherMailbox,Extension-Attribute-1,Extension-Attribute-2,Extension-Attribute-3,Extension-Attribute-4,Extension-Attribute-5,Extension-Attribute-6,Extension-Attribute-7,Extension-Attribute-8,Extension-Attribute-9,Extension-Attribute-10,Extension-Attribute-11,Extension-Attribute-12,Extension-Attribute-13,Extension-Attribute-14,Extension-Attribute-15,textEncodedORaddress,uid,member -b NT4ACCOUNT NT4DOMAIN *

Then you must run a CSVDE export, in order to get the right Display Name:

csvde -f MB_E55_NT4DOMAIN.txt -s E55SERVER -u -r "(objectClass=*)" -l objectClass,Admin-Display-Name,rdn,cn -b NT4ACCOUNT NT4DOMAIN *

The last step to import the DLs to Active Directory is to run LDIFDE again, using a global catalog server (GCSERVER):
ldifde -i -f DL_E55_NT4DOMAIN_IN.txt -s GCSERVER -j .\

The main problem with this method is that you have to tweak the LDIFDE and CSVDE files by hand before they can be imported into Active Directory. This can become a long, long, time-consuming task (I know, I’ve been there). So I decided to write a script to automate the process.

Here is a brief description of what the script does:

  1. Extracts the Distribution Lists to a file using LDIFDE;
  2. Extracts the Exchange 5.5 Directory to a file using CSVDE (this is only necessary to match a user’s display name to his account name);
  3. Modifies the first extracted file so that it can be imported using LDIFDE. This is where the script does all its magic;
  4. Imports the DLs into Active Directory as UDGs.
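To show what step 3 involves, here is an added example in Python that is not the author's script (that one is the download above): it parses the LDIFDE export of groupOfNames entries, looks up display names in the CSVDE export using the fields listed later in this post, and writes the LDIF that `ldifde -i` expects. It assumes that the ADC-created user objects have the Exchange 5.5 display name as their CN, that DLs go into a groups OU and users into a users OU (both parameters), that a universal distribution group is `groupType: 8`, and that the sample export data, which is constructed, is representative.

```python
"""Rewrite an Exchange 5.5 LDIFDE export of distribution lists into an LDIF
file that LDIFDE can import into Active Directory as universal distribution
groups.  Constructed example that follows the steps described in the post;
it is not the author's script and the sample data below is made up."""
import base64
import csv
import io
import re

# Constructed sample of what ldifde -r "(objectClass=groupOfNames)" returns
# from an Exchange 5.5 server.  "All Staff" nests the "Sales" DL.
E55_DL_EXPORT = """\
dn: cn=Sales,cn=Recipients,ou=LISBON,o=CONTOSO
objectClass: groupOfNames
rdn: Sales
cn: Sales
mail: sales@contoso.com
member: cn=jsmith,cn=Recipients,ou=LISBON,o=CONTOSO
member: cn=mjones,cn=Recipients,ou=LISBON,o=CONTOSO

dn: cn=All Staff,cn=Recipients,ou=LISBON,o=CONTOSO
objectClass: groupOfNames
rdn: AllStaff
cn: All Staff
mail: allstaff@contoso.com
member: cn=jsmith,cn=Recipients,ou=LISBON,o=CONTOSO
member: cn=Sales,cn=Recipients,ou=LISBON,o=CONTOSO
"""

# Constructed sample of the CSVDE export, with the fields the post lists.
E55_DIRECTORY_CSV = """\
DN,objectClass,Admin-Display-Name,rdn,cn
"cn=jsmith,cn=Recipients,ou=LISBON,o=CONTOSO",organizationalPerson,John Smith,jsmith,jsmith
"cn=mjones,cn=Recipients,ou=LISBON,o=CONTOSO",organizationalPerson,Mary Jones,mjones,mjones
"cn=Sales,cn=Recipients,ou=LISBON,o=CONTOSO",groupOfNames,Sales,Sales,Sales
"""

UNIVERSAL_DISTRIBUTION_GROUP = 8   # ACCOUNT_GROUP_UNIVERSAL without the security-enabled bit


def parse_ldif(text):
    """Return a list of entries (dict attr -> list of values).  Handles
    folded lines (leading space) and base64 values ("attr:: ...")."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line:                           # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def load_display_names(csv_text):
    """Map every 5.5 DN (lower-cased) to its Admin-Display-Name."""
    return {row["DN"].lower(): row["Admin-Display-Name"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def escape_rdn(value):
    """Escape the characters that are special inside a DN component."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def convert(dl_ldif, directory_csv, groups_ou, users_ou):
    """Return LDIF text ready for 'ldifde -i -f <file> -s GCSERVER'.
    Members are rewritten to the AD DN the ADC creates (CN=<display name>
    under users_ou), or under groups_ou when the member is itself a DL."""
    names = load_display_names(directory_csv)
    entries = [e for e in parse_ldif(dl_ldif) if "groupOfNames" in e.get("objectClass", [])]
    dl_dns = {e["dn"][0].lower() for e in entries}
    out = []
    for e in entries:
        cn = e["cn"][0]
        out += ["dn: CN=%s,%s" % (escape_rdn(cn), groups_ou),
                "changetype: add",
                "objectClass: group",
                "cn: %s" % cn,
                "sAMAccountName: %s" % e.get("rdn", [cn])[0],
                "displayName: %s" % names.get(e["dn"][0].lower(), cn),
                "groupType: %d" % UNIVERSAL_DISTRIBUTION_GROUP]
        out += ["mail: %s" % m for m in e.get("mail", [])]
        for member in e.get("member", []):
            name = names.get(member.lower())
            if name is None:   # user not in the CSVDE export: run step 2 first
                raise KeyError("no display name for member %s" % member)
            container = groups_ou if member.lower() in dl_dns else users_ou
            out.append("member: CN=%s,%s" % (escape_rdn(name), container))
        out.append("")
    return "\n".join(out)
```

Two things the example makes visible that the command lines do not: a member that is missing from the CSVDE export stops the conversion rather than producing a group with silently dropped members (issue #2 later in the post, the empty CSVDE file, would otherwise hide itself), and LDIFDE adds entries in file order, so a nested DL must appear in the export before the DL that references it or the import of the outer group fails at that `member` line.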

You still have to use ADC to synchronize the GAL. In fact, you must first import Exchange 5.5 users if you want the migrated DLs to be populated. So I strongly advise you to read the following KB article:

XGEN: How to Configure a Two-Way Recipient Connection Agreement for Exchange Server 5.5 User

Don’t forget that before you can run the script, you’ll have to modify the following variables:

strDN: the Distinguished Name of the destination OU
E55Server: the Exchange 5.5 server
GCServer: the Global Catalog server
NTUser: the NT User Account to connect to the source domain
NTDomain: the NT source domain

I don’t wish to bother you with one of those big disclaimers about responsibility or copyright, so I’ll just say that I’m offering you this script with the best of intentions, but you should always test before doing anything that can compromise your production environment. Besides that, feel free to distribute it to all your friends and to modify it, although I would appreciate that you drop me an email in case of new improvements.

Any feedback is always welcome.


You should also know that there are some issues with this tool:











Issues so far with the Inter-Org DL Migration Script

So far, these are the known issues with the script:


#1- Hidden DLs won’t migrate
Solution 1: unhide all objects before running the script
Solution 2 (not tested yet): try an LDAP filter on the LDIFDE command. Modify the command after the -r switch:
 
[…] -r "(&(objectClass=groupOfNames)(msExchHideFromAddressLists=TRUE))" […]
 
You can find more information about LDIFDE in the following KB article:
Using LDIFDE to Import and Export Directory Objects to Active Directory
Then you can use the same filter with CSVDE.
Of course you’ll have to run the commands outside the script.


#2- You get an empty file when you run the CSVDE command
Solution 1: modify the LDAP properties on Exchange 5.5, so that you can search more than the default number of items
Solution 2: run the CSVDE command directly on the Exchange 5.5 server (only supported on Windows 2000 Server).


#3- You cannot run the CSVDE command
Solution 1: check the permissions. Are you using an NT account with the proper permissions?
Solution 2: integrate WINS. Try replicating the WINS information from the NT domain to your current WINS server. You might prefer using an lmhosts file.
Solution 3: run the CSVDE command directly on the Exchange 5.5 server (only supported on Windows 2000 Server), then copy the file to server where you’re running the script.
Solution 4 (not tested yet): try to do a directory export using Exchange Admin. Make sure you have the following fields:
 
DN,objectClass,Admin-Display-Name,rdn,cn
 
Take a look at Q155414 and Q261112 articles for an explanation on how to select field headers.


Any feedback about these issues is welcome. You can reach me by posting a comment here, or by the email address provided inside the script.


Disk geometry

Disk subsystem bottlenecks cause more performance problems than server-side CPU or RAM deficiencies, and a poorly designed disk subsystem can leave your organization vulnerable to hardware malfunctions.


This is so true! As memory gets cheaper and consolidation puts more users on each server, the disk subsystem becomes the main cause of performance problems. The key to a trouble-free system is proper planning and design. The document the opening sentence is taken from, Optimizing Storage for Exchange Server 2003, is a good source of information.


One improvement you can make to your storage is to align the partitions. Microsoft provides a tool, Diskpar, that lets you align the start of a partition with the disk’s track (or RAID stripe unit) boundary. For partitions created by Windows 2000 and Windows Server 2003, the default starting sector on disks that report more than 63 sectors per track is the 64th sector, so with the 4 KB pages Exchange writes, one out of every eight blocks written to the disk spans two tracks and turns into two physical I/Os. Diskpar can increase disk performance by as much as 20 percent, but you should always consult your hardware vendor before using it: some disk configurations gain nothing from the tool.
One fine example of information provided by the storage vendor is HP. Just take a look at this document: HP StorageWorks Enterprise Virtual Array 5000 and Microsoft® Exchange Server 2003: storage performance and configuration — white paper.


The Diskpar utility can be found in the Windows 2000 Server Resource Kit. With the release of Windows Server 2003 SP1, diskpart includes the same functionality through its align parameter. The new syntax for creating partitions with diskpart is:


create partition primary [size=N] [offset=N] [ID={Byte | GUID}] [align=N] [noerr]


Of course, you can still use diskpar:


Usage: diskpar [ -i | -s ] DriveNumber
  -i: query drive layout and partition information
  -s: set partition information (only used on raw drive please)
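To check the one-in-eight figure above instead of taking it on faith, here is an added example (not Microsoft's diskpar, nor code from this post) that counts how many back-to-back I/Os straddle a track or stripe-unit boundary for a given partition start sector. The 512-byte sector, the 4 KB Exchange page, the 64-sector track and the 64 KB stripe unit are assumptions chosen to match the text; `aligned_start_sector` computes the offset that `align=N` in diskpart (or diskpar) would choose.

```python
"""Why an unaligned partition costs extra I/O: count the I/Os in a run
that straddle a track or stripe-unit boundary.  Constructed example, not
Microsoft's diskpar.  Sector size, I/O size and boundary sizes used in the
calls are assumptions chosen to match the post."""

SECTOR_BYTES = 512


def boundary_crossings(start_sector, io_sectors, boundary_sectors, n_ios):
    """Number of n_ios back-to-back I/Os of io_sectors sectors, the first
    starting at start_sector, that span two units of boundary_sectors
    sectors (tracks or stripe units).  Every crossing turns one request
    from the file system into two requests to the disk."""
    crossed = 0
    for i in range(n_ios):
        first = start_sector + i * io_sectors
        last = first + io_sectors - 1
        if first // boundary_sectors != last // boundary_sectors:
            crossed += 1
    return crossed


def crossing_fraction(start_sector, io_kb, boundary_kb, n_ios=8000):
    """Fraction of io_kb-sized I/Os that cross a boundary_kb boundary when
    the partition starts at start_sector.  n_ios should be a multiple of
    boundary_kb / io_kb so that whole alignment cycles are counted."""
    io_sectors = io_kb * 1024 // SECTOR_BYTES
    boundary_sectors = boundary_kb * 1024 // SECTOR_BYTES
    return boundary_crossings(start_sector, io_sectors, boundary_sectors, n_ios) / n_ios


def aligned_start_sector(align_kb):
    """Starting sector diskpart's align=N (or diskpar) would pick: the first
    sector that sits on an align_kb boundary."""
    return align_kb * 1024 // SECTOR_BYTES


if __name__ == "__main__":
    # Default Windows 2000/2003 start (sector 63), 4 KB pages, 32 KB track.
    print("default start, 32 KB track: %.3f" % crossing_fraction(63, 4, 32))
    # Same partition on a 64 KB stripe unit: fewer, but still present.
    print("default start, 64 KB stripe: %.4f" % crossing_fraction(63, 4, 64, 16000))
    # align=64 puts the partition at sector 128 and removes the crossings.
    print("align=64, 64 KB stripe: %.3f" % crossing_fraction(aligned_start_sector(64), 4, 64))
```

The run reproduces the post's figure (one crossing in eight 4 KB writes with the partition starting at sector 63 and a 32 KB track), shows why the penalty shrinks to one in sixteen on a 64 KB stripe unit, and shows that an aligned start removes it entirely. This is also why the vendor must be consulted: the boundary that matters is the array's stripe unit, which the operating system cannot see.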