Connection scoring beats spam filtering
In this issue
- TOP STORY: Connection scoring beats spam filtering
- OVER THE HORIZON: Wireless 'flaw' could leave computers open
- PATCH WATCH: When does 'not critical' mean 'critical'?
- WOODY'S WINDOWS: How to slim down your porky pics
- PERIMETER SCAN: When is a flaw really a back door?
Connection scoring beats spam filtering
By Brian Livingston
A simple device that prevents spammers from delivering junk to your mail server outperforms complex spam filtering appliances costing up to seven times as much, according to tests by the Windows Secrets Newsletter.
If your company is suffering from onslaughts of spam, our tests indicate that this new approach can halt more than 99% of your unwanted flow without blocking legitimate e-mail. Best of all, the new technology does this without creating a large “quarantine” of suspected spam that you or your employees must manually comb through.
Significantly, the innovative device we tested has never been reviewed by any computer magazine, despite the fact that it’s been on sale for months. The reasons for this are an intriguing part of our story.
The little box that stops spammers
The antispam appliance that inspired our testing is the Deep Six Technologies Spamwall DS200 (photo, left). This little gizmo is only 5″ by 6″ and just 1″ deep (11 x 13 x 2 cm). You configure it to receive your e-mail before the messages hit your mail server. The device uses “connection scoring” to accept transmission attempts from legitimate senders and reject attempts from servers that are sending spam. We found it to be extremely accurate in making the distinction between spam senders and “ham” (legitimate) senders.
Since the DS200 is a hardware device that protects an e-mail server, it’s primarily useful to companies that operate their own servers. This includes most large businesses, of course, but it also includes many small and medium businesses that have registered their own domain names, such as Example.com.
Home users, who receive their e-mail via an Internet service provider, such as AOL.com, may still see some benefit. The technology within the DS200 could easily improve these ISPs’ own spam rejection rates, helping their customers see less spam.
Testing against thousands of spams per day
To test Deep Six’s real-world performance, we invited major antispam appliance makers to send us whichever of their models they thought was the appropriate scale for small to medium businesses. We received units from all the invitees: Barracuda, Borderware, F-Secure, IronPort, and Network Box. The Deep Six DS200 unit we reviewed was provided by Tyrnstone Systems Inc., a small network consulting company in Seattle, Wash., that sells the device to the SMB market. Deep Six Technologies itself is an intellectual property development company in Tustin, Calif.
Invariably, the appliance vendors (other than Deep Six) sent us devices that combine antispam functions with a firewall, antivirus capabilities, or other features. I was assisted in running technical tests on the devices over a period of six weeks by Brent Scheffler, program director of WindowsSecrets.com. We tested all devices only for their ability to reject spam and accept ham, for the following reasons.
An antispam appliance that also offers antivirus filtering is not in itself adequate to protect against internal virus infections. Viruses can enter a LAN via a roaming USB drive, a laptop brought in from the outside, and many other ways. For this reason, companies need to run antivirus software even if an antivirus appliance is in place. "We’re a perimeter-based device, we’re not providing host-based security," explained Scott Rosen, Network Box’s president for North America, in a telephone interview.
By contrast, spam cannot enter a company except via e-mail. An antispam appliance on the network perimeter, therefore, can offer complete protection against spam, provided that every inbound SMTP path (including any backup mail server) passes through it. Adware, unauthorized server access, and other threats require their own specialized layers of defense. In our review, for this reason, we tested only the devices’ antispam performance. Firewalls, antivirus protection, and other security functions can and should be configured and tested separately.
Because WindowsSecrets.com doesn’t have a fully equipped test lab, we seldom rate hardware ourselves, leaving this to the publishing giants that can afford it. In this case, however, we do operate in-house a full installation of Exchange Server 2003 supporting five users on the SBS version of Windows Server 2003. We decided to see if we could dedicate this server to serious junk-mail testing.
Before we designed our test suite, we had thought we were targeted by very little spam. Our personal e-mail addresses were presenting us with only one or two spam messages a day. This is because we "spam-proofed" these addresses two years ago. (See our e-book about spam-proofing, above.) Our public, "editor" Windows Secrets e-mail address does receive several virus-infected e-mails a day. This is because we ask our readers to put our address into their "safe senders" lists, where (unfortunately) viruses easily find it. But these e-mails are reliably detected and quarantined by the server-managed antivirus software we run, so we never had to deal with these messages.
When we started building the test suite, however, we found to our surprise that more than 3,000 spam messages were actually being directed to our mail server every day. Most of this spam, we determined, was being sent to old e-mail addresses of mine that I never use any more. These addresses had been posted in plain text at InfoWorld.com, BriansBuzz.com, and other Web sites two or more years ago.
We’d never noticed this flow because our Exchange Server was already dismissing virtually all of it. The server had been correctly configured to accept messages only to the few e-mail addresses we currently use. Any spammers who did somehow get our real addresses were also mostly rejected. The IP addresses of almost all top spammers are published in the so-called SBL and XBL block lists by Spamhaus.org, a respected antispam organization based in the U.K. Our Exchange Server was rejecting any connections from the hardcore spam servers that managed to get listed in SBL or XBL.
Fortunately, we were able to set up realistic tests, despite the fact that our inboxes rarely showed evidence of any junk. Antispam appliances, by definition, must be placed "in front of" a mail server. With no access to our server’s rule base, these devices had to figure out by themselves which incoming connections were from spammers and which were legit.
We took several steps to make the testing fair. We devoted a day to each device to configure it according to its maker’s instructions. We then spent a full day "tuning" each device to reduce false positives (ham rejected as spam). Starting after Christmas, each appliance was then left alone to process a live, incoming mail stream for an entire work day (no weekends or holidays were used for live testing). More than 3,300 messages were processed by each device during its final, 24-hour test period.
Out of those thousands of messages, how well could these products separate out the 5% or so that were legitimate e-mails?
Zero false positives at an affordable price
The following table, sorted by false positives and then false negatives, shows that antispam appliances have become quite accurate. Three of the devices — from Barracuda, IronPort, and Deep Six — achieved a perfect score of 0.00% in rejecting legitimate messages, mistaking none of them for spam.
These three products also showed extremely good performance at filtering out junk. The IronPort let no spam into our inboxes, achieving a perfect false-negative score of 0.00%. The Barracuda accepted only 0.02% and the Deep Six accepted only 0.09%.
We consider the tiny differences between these scores to be statistical noise. All of the three top-rated devices essentially rejected no legitimate e-mail and accepted no significant amount of spam. (Any spam message that made it to our inboxes was considered a false negative. We did not allow grey areas, such as mail that "might be spam" but was placed in our inboxes anyway.)
Shown in Table 1 for comparison is our original configuration of Exchange Server 2003. This was the only strategy we found to be less expensive than the DS200. We configured Exchange to reject all mail sent to nonvalid e-mail addresses and block IP addresses found on the SBL or XBL lists. This scheme is essentially free (not counting our admin time and Exchange itself). But we found it allows significantly more spam to get through — 0.37% — which is more than all but one other contender in our tests.
Table 1: The Deep Six DS200 let through only 0.09% of spam but is low in cost.
The Deep Six device has a list price of only $999 for an unlimited number of e-mail accounts. This is a one-time investment and the device requires no ongoing fees. The IronPort model we tested is much more costly, listing for $2,999 to protect up to 100 e-mail accounts in its first year. The Barracuda lists for $4,899 in the first year for an unlimited number of accounts. All of the antispam appliances, other than the Deep Six, require the payment of ongoing license fees to continue the services after the first 12 months.
The bottom line: We consider the Deep Six technology to provide an antispam defense that’s as good as or better than the competing appliances, while costing only a fraction of the price.
How the Deep Six technology works
The Deep Six device operates completely differently than the other antispam appliances tested. The competing solutions are all modified PCs running Unix or some variant. They occupy either a mini-tower case or a 1U, rack-mounted server case. They include large hard drives to store configuration information, log files, and/or any “quarantined” mail that’s judged to be spam.
Because these devices are designed for use in a glass-house server room, they tend to be noisy. The fans on one unit, the F-Secure, were so loud that we had to raise our voices to converse in the otherwise-quiet office where the system was temporarily located.
The Deep Six DS200, by contrast, is simply a solid-state circuit board with no moving parts. As a result, it’s absolutely silent. This makes it a welcome addition to small offices and home offices, which don’t usually have soundproofed server cages.
More important is the theory that underlies the Deep Six technology. The implications of this concept have permanently changed some of my deeply held beliefs about spam.
Deep Six does not perform “content filtering” to compute a spam score based on the words found in a message’s body or headers. Instead, the DS200 performs "connection rating." It accepts or rejects any distant server’s attempt to make a connection (called a Simple Mail Transfer Protocol or SMTP connection) solely according to the characteristics of the sending server.
One way Deep Six does this is by checking the IP address of the distant server to see if it is on one of several dozen “real-time block lists” (DNS-based block lists, or DNSBLs, which are queried with an ordinary DNS lookup). The DS200, however, does not disconnect a server merely because its IP address appears on a single list, as many antispam schemes do. Instead, according to a source close to Deep Six Technologies, the device is programmed to use a “network decision tree.”
The inclusion of an IP address on Block List A might not cause Deep Six to drop an SMTP connection attempt. But if the IP address is also on Block Lists C and E, then the sending server is considered to be a spam bot. (Our source requested not to be identified by name, saying this technique is the subject of two U.S. patent applications and the details of the technology have not yet been made public.)
The DS200 also resolves "close calls" in an effective way. If a sending server might or might not be a spam server, based on the decision tree, Deep Six asks the sending server to re-try the SMTP connection a few seconds later. The standard way to ask for a re-try in SMTP is a temporary-failure (4xx) reply, and the approach is generally known as greylisting. Legitimate e-mail servers queue the message and re-try automatically, following well-understood Internet mail standards. Spam servers, however, are programmed not to bother. Sending millions of pieces of spam per day is far more important to spammers than wasting any time responding to SMTP retry requests.
Because these re-tries occur infrequently, and only when a sending server falls into a grey area, I support this type of testing. I generally oppose “Penny Black” schemes, in which all senders, legitimate or otherwise, are required to expend CPU resources to “prove” their worth.
How the DS200 has changed my thinking
The success of the DS200 in our tests has forced me to change my positions on some controversial antispam techniques:
Before: I’ve previously written that antispam block lists should not be used to make a black-and-white, Yes/No decision about e-mail messages. That’s because these lists sometimes add an innocent mail server by mistake.
After: My experience with Deep Six has completely altered my opinion. Using dozens of block lists to create an intelligent decision tree seems to totally eliminate the false-positive problem.
Before: I’ve also written in the past that you shouldn’t delete messages ranked as “probable spam,” in case errors were made by faulty spam filters. Instead, I felt that a quarantine folder should be maintained and examined to retrieve legitimate messages that were falsely shunted aside by filters.
After: With the Deep Six technology, I believe a quarantine folder is no longer necessary. I have no qualms about using this device, given its accuracy, to reject spam connections without accepting and quarantining the spam or ever looking at it.
One of my opinions that’s grown stronger due to my testing is that holding spam and then ranking the content of the messages won’t work forever. I once wrote that the geometric increase in the volume of spam each year would make this storage-and-ranking process too costly for companies in the long run.
In a telephone interview, John Reid, a volunteer with Spamhaus.org, expressed a similar notion. “Accepting every message that’s sent to you, and then churning through them — it gets very hardware intensive.”
Deep Six eliminates content filtering and quarantine folders altogether. This reduces the load on your mail server substantially. Best of all, there’s no need for you or your co-workers to ever slog through a “Possible Spam” folder looking for misfiled messages. That folder, after all, is certain to consist mostly of phishing attempts, phony pill offers, and worse. That’s exactly the kind of stuff you don’t want anyone in your company to spend time dealing with.
The DS200 was so effective in our tests that I have no concerns about rejecting SMTP connections from servers it deems to be spam bots. Even if some legitimate e-mail user somehow gets associated with a spam server, Deep Six’s effective feedback system minimizes false-positive problems. Allow me to explain.
How Deep Six’s feedback loop works
When Deep Six rejects an SMTP connection, it doesn’t just drop it. Instead, it responds with a standard error code known as a “550.” Companies that use the Deep Six device can include human-readable text in the 550 reply. The sending server then passes this text along in the non-delivery notice it returns to whoever sent the message (if a real person was the sender). In our case, the text reads:
- “Our antispam system has rejected the IP address of your mail server. If this is in error, please use the contact page on our Web site to send us your message or call us at +1 206-282-2536.”
If your company has only one domain name that’s being protected by a DS200, you can insert the actual URL of your contact page, or any other information you like.
Spammers will never see or read this text. Even if they did, they certainly won’t type a spam message by hand into your contact form. But this provides an easy way for any accidentally bounced, legitimate sender to let you know. (Your site must have a contact page for this to work, but that’s a good idea anyway.)
It’s important to note that the DS200 does not send a “bounce” e-mail message to anyone. That would make it as bad as the spammers, because spam carries forged sender addresses and such bounces (so-called backscatter) would land on innocent third parties. Instead, the text of the 550 error is strictly contained within the electronic handshaking that your receiving mail server does with the sending server. The DS200 itself never generates a reply e-mail; any notice the sender sees comes from his or her own mail server.
Other antispam appliances can and do send error codes, of course. We simply feel that the DS200’s emphasis on using handshaking to convey alternate contact methods to hapless senders is particularly effective.
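To make the mechanics described above concrete (the weighted decision across several block lists, the re-try demand for grey-area senders, and the 550 reply that carries a contact message), here is a small Python model written for this page. It is not Deep Six’s firmware or Tyrnstone’s software: the list weights, thresholds, five-second delay, IP addresses and DNS answers are constructed assumptions, since the real decision tree is unpublished. The zone names are those of existing DNSBL services, the lookup follows the standard DNSBL convention (reversed octets under the zone; a successful A lookup means “listed”), the grey-area path returns a 450 temporary failure so that a compliant mail server queues and tries again, and the 550 text is the one quoted above.

```python
from __future__ import annotations
import time
# Weighted DNS-based block lists. Zone names are real services; the weights,
# thresholds and delay are assumptions for this example (Deep Six's tree is unpublished).
DNSBL_WEIGHTS = {
    "sbl.spamhaus.org": 3,  # verified spam sources
    "xbl.spamhaus.org": 3,  # exploited hosts: spam bots, open proxies
    "pbl.spamhaus.org": 2,  # dynamic/end-user space that should not talk straight to an MX
    "bl.spamcop.net": 1,    # complaint-driven, more prone to listing an innocent server
}
REJECT_AT = 4         # total weight at or above this: refuse the sender outright
GREYLIST_AT = 2       # from here up to REJECT_AT: demand a re-try before accepting
GREYLIST_DELAY = 5.0  # seconds a grey-area sender must wait before its re-try counts


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets under the zone: 192.0.2.10 -> 10.2.0.192.sbl.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def score_ip(ip: str, is_listed) -> tuple[int, list[str]]:
    """Query every zone; is_listed(name) is True when the A lookup answers (listed),
    False on NXDOMAIN. Returns (total weight, zones that listed the address)."""
    hits = [zone for zone in DNSBL_WEIGHTS if is_listed(dnsbl_query_name(ip, zone))]
    return sum(DNSBL_WEIGHTS[z] for z in hits), hits


class ConnectionScorer:
    """Pick the SMTP reply to the first RCPT TO from a connecting server:
    250 accept; 450 temporary failure (a real MTA queues and re-tries, a bot
    usually gives up); 550 permanent rejection carrying the contact text."""

    def __init__(self, is_listed, contact_text: str, clock=time.monotonic):
        self.is_listed = is_listed
        self.contact_text = contact_text
        self.clock = clock
        self.safe_senders: set[str] = set()     # operator whitelist ("safe senders")
        self.first_seen: dict[str, float] = {}  # greylist state: ip -> first attempt time
        self.passed: set[str] = set()           # grey-area senders that re-tried properly

    def decide(self, ip: str) -> tuple[int, str]:
        if ip in self.safe_senders or ip in self.passed:
            return 250, "OK"
        total, hits = score_ip(ip, self.is_listed)
        if total >= REJECT_AT:
            # Several independent lists agree: refuse, and tell a human how to reach us.
            return 550, f"{self.contact_text} (listed in {', '.join(hits)})"
        if total >= GREYLIST_AT:
            now = self.clock()
            first = self.first_seen.setdefault(ip, now)
            if now - first < GREYLIST_DELAY:
                return 450, "Greylisted, please try again later"
            self.passed.add(ip)  # a compliant MTA came back: let it through
            return 250, "OK"
        return 250, "OK"  # clean, or on a single list only: not enough on its own


# Constructed sample data for an offline run: the lookup names our fake DNS answers.
LISTED = {
    dnsbl_query_name("192.0.2.10", "sbl.spamhaus.org"),
    dnsbl_query_name("192.0.2.10", "xbl.spamhaus.org"),
    dnsbl_query_name("192.0.2.20", "bl.spamcop.net"),
    dnsbl_query_name("192.0.2.30", "pbl.spamhaus.org"),
}
CONTACT = ("Our antispam system has rejected the IP address of your mail server. "
           "If this is in error, please use the contact page on our Web site.")


class FakeClock:  # deterministic stand-in for time.monotonic, so the delay is testable
    t = 0.0

    def __call__(self) -> float:
        return self.t


def run_demo() -> dict[str, int]:
    clock = FakeClock()
    scorer = ConnectionScorer(lambda name: name in LISTED, CONTACT, clock)
    results = {
        "bot": scorer.decide("192.0.2.10")[0],         # SBL + XBL, weight 6 -> 550
        "one_list": scorer.decide("192.0.2.20")[0],    # SpamCop only, weight 1 -> 250
        "grey_first": scorer.decide("192.0.2.30")[0],  # PBL only, weight 2 -> 450
        "clean": scorer.decide("198.51.100.7")[0],     # no listings -> 250
    }
    clock.t = 1.0
    results["grey_early"] = scorer.decide("192.0.2.30")[0]   # re-tried too soon -> 450
    clock.t = 6.0
    results["grey_retry"] = scorer.decide("192.0.2.30")[0]   # waited it out -> 250
    scorer.safe_senders.add("192.0.2.10")
    results["whitelisted"] = scorer.decide("192.0.2.10")[0]  # operator override -> 250
    return results


if __name__ == "__main__":
    for name, code in run_demo().items():
        print(f"{name:12} {code}")
```

Run as a script, it prints one decision per scenario. The address on a single complaint-driven list is accepted, the one listed by both SBL and XBL is refused immediately with the contact text, and the dynamic-range address gets through only after it waits out the delay and comes back, which is exactly the behaviour a spam bot that never re-tries cannot imitate. A whitelist entry overrides every other test, which is why whitelisting should be a last resort rather than the first response to a complaint.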
If someone ever does complain to you about a bounced message, the DS200 allows you to put the IP address that was rejected on a “safe senders” list. Everything from that IP address will then get through. Rather than doing this, however, I believe you should ask the sender to virus-scan his or her server, in case it’s infected by a spam bot.
In reality, it’s very unlikely that an ordinary person sending innocent e-mails through AOL or Yahoo will have the same IP address as a spam bot. Major ISPs transmit their users’ legitimate e-mails from static IP addresses devoted to this purpose. If a spam bot infects a user’s PC, the program doesn’t spew its junk through an ISP’s static addresses. The risk of detection is too high.
Instead, the bot installs its own, tiny SMTP server and spews out junk through whatever dynamic IP address the person has been assigned by his or her ISP. These dynamic IP addresses should never be the origin of legitimate bulk e-mails. That makes them fairly easy for well-managed block lists to detect.
The Achilles heel of spammers is the fact that they must send their massive quantities of e-mails from somewhere. According to Spamhaus’s Reid, the top 200 spammers send out 80% to 90% of all spam worldwide, and the top 10 send out 80% to 90% of that. Whether the machines sending this spam are bot-infected PCs or bought-off Web hosts in the Third World, any IP address that sends millions of spams and little or no legitimate e-mail is going to stand out like a beacon. That’s why Deep Six is able to stop it.
It’s true that no record exists in a quarantine folder of any false positive that the DS200 may mistakenly bounce. But I believe our tests show that the count is effectively zero. Because the device is so effective — and blissfully silent — we put it back into service every time some other device’s testing was completed. That means that, after the DS200’s testing was complete, we ended up using it for more than 30 of the past 60 days. Not a single person has ever contacted us to say his or her e-mail bounced.
Considering how vocal my readers are, it’s inconceivable that no one would have notified me through my contact page about such a problem. I’m buying the reviewed DS200 unit and plan to continue using it to protect my office indefinitely.
Why you haven’t heard about Deep Six
I devoted eight weeks to hands-on testing of antispam appliances partly because Tyrnstone Systems said it couldn’t get major computer magazines to include its device in comparative reviews. In my opinion, the company’s small size is one reason this device has been overlooked. But it’s also because Deep Six’s approach is hard to test.
Spam reviews are usually conducted using a large “corpus” of spam and ham messages. One server sends the messages to another server, which is protected by a particular filtering product. The number of hits and misses are then calculated.
This method won’t work on the DS200. The device isn’t scoring the content of the messages, but the reputation of the sending server. Since the originating server in artificial testing is the same for every message, all the e-mails pass or they all fail.
The Deep Six technology can only be tested when placed in front of a live mail server, using a live stream of e-mails, and scoring live SMTP connections. This is the reason our tests took several weeks. No two devices could be tested on our mail server at the same time. They had to be scheduled one after the other.
I urge major computer magazines to devote the resources needed to test Deep Six against competing spam solutions. The DS200 technology may provide valuable insights into the spam menace and how it can be permanently stopped using technical methods.
To purchase a DS200 and test it on your own company’s mail stream, visit Tyrnstone Systems. For more information on the technology itself, visit Deep Six Technologies.
Both are tiny companies, so if their Web sites become slow or unresponsive from thousands of Windows Secrets readers visiting them, try again the following day.
The Deep Six site claims that the DS200 device is capable of handling peaks of “10 connections per second.” David Gerhart, CEO of Tyrnstone, says it’s his experience that the unit can reliably handle as many as 50 SMTP attempts per second. For larger volumes of mail, multiple DS200s can be employed. Each unit is given its own static IP address to balance the inbound load. Deep Six’s connection-scoring function can even be performed offsite as a hosted service. This allows even fairly large companies to try the technology for themselves.
If you do add one or more DS200s to your network, be sure to correctly set up your "secondary MX records." A backup mail server that does not enforce the same connection policy becomes the path of least resistance: spammers routinely deliver to the lowest-priority MX precisely because it is usually less protected. I described the procedures for this in my Executive Tech columns of Jan. 3 and Jan. 24.
I’ll be looking forward to any independent test results that come out. If you do any testing, or you’d like to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print. Thanks for your help.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Wireless 'flaw' could leave computers open
There’s been a lot of talk about the Windows Wi-Fi “flaw” that was revealed recently.
Some security professionals call it a high-risk vulnerability. Meanwhile, Microsoft and other security professionals call it a feature — one that can only be exploited under the right circumstances. Let’s take a closer look, so you can be the judge.
Is it a ‘flaw’ or a ‘feature’?
This is the question that a lot of computer security professionals are asking themselves after Mark Loveless — also known as “Simple Nomad” — revealed a flaw in how Windows Wi-Fi networking is set up by default, at the recent hacker convention known as ShmooCon 2006.
The “flaw” comes from the way Windows searches for a wireless network connection. At startup, Windows searches for a wireless access point to connect to. If Windows can’t find one, it creates an ad hoc network, using the SSID of the last connection.
Other computers that search for the same SSID can look for matching connections and make a peer-to-peer network between the two computers, according to Loveless. When this happens, a hacker could possibly introduce a virus or Trojan onto the first computer or look at the files located on the first computer’s hard drive. This method of connection could even spread from computer to computer in a “virus-like” manner.
Loveless describes it in his advisory this way:
- Alice has a wireless access point at home with an SSID of linksys. She’s successfully set it up and connected to it with her laptop.
- Alice goes to the airport (or train station or coffee shop) and opens her laptop.
- Bob, who’s sitting next to Alice, has a laptop configured with an ad hoc network advertising an SSID of linksys.
- Alice’s laptop, when started, looks for the SSID of linksys and unknowingly attaches to Bob’s ad-hoc network.
- The next time Alice boots up her laptop when an Ethernet cable is not attached and there’s no linksys SSID in range, Alice starts advertising an ad-hoc network with an SSID of linksys.
This happens on Windows 2000, Windows XP, and XP SP1 in the background, without the user’s knowledge or permission.
On Windows XP SP2, Loveless says, “the user is notified it has ‘attached’ to an ad-hoc network, when in fact it has simply started advertising the ad-hoc network.” In real-world tests, Loveless claimed that he could have connected to 11 different laptops while on airline flights using the methods explained above.
You’ll have to fix this yourself
According to Loveless, Microsoft was notified of the problem in mid-October. Since then, the company has confirmed the issue but says a fix will not be available until the next Service Pack. That means never for Windows 2000, and not until the second half of 2007 for Windows XP.
Officially, Microsoft has not acknowledged this as a vulnerability but as a feature that is doing what it is designed to do. As George Ou, a tech blogger for ZDnet.com, points out in a blog entry, “Microsoft never acknowledged this as a vulnerability. I checked with a Microsoft spokesperson and they confirmed that Microsoft Security Research Center states that this is not a security vulnerability. This is what I suspected all along because by definition, a software vulnerability is when software can be made to do something it wasn’t designed to do. This [so-called vulnerability] is actually a feature designed into every wireless ‘supplicant’ (that’s IEEE speak for ‘client’) software in the world because it is a fundamental and critical feature of the IEEE 802.11 protocol.”
How to protect against this ‘feature’
What to do: The easiest way to protect yourself is to use a firewall. Any will do, even the one that comes with Windows XP SP2. I recommend using the setup described in Brian’s Security Baseline for the best protection.
You can also disable your wireless connection when not in use, or reconfigure your wireless connection so it will only connect to access points, not other laptops.
To reconfigure your connection, click the Wireless icon in your System Tray, then open the Wireless Connection window. From there, click Change advanced settings. In the Wireless Network Connection Properties window, click on the Wireless Networks tab. Then click on the Advanced button and click Access point (infrastructure) networks only.
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
When does 'not critical' mean 'critical'?
You are at risk. No, seriously. Every time you turn on any kind of technology, you turn on risk.
The question for today is this: Exactly how do you know what risk you are taking when you use that technology? Some argue that “old code” is secure code, under the assumption that the older the code, the more “eyes” have reviewed it. But is that true? Let’s revisit the Windows Metafile issue with this in mind, shall we?
MS06-001 (912919)
The risk of using Windows 98 and Me
By now, those of you running the Windows 98 and Me operating systems probably know that Microsoft is not planning to release any patch for the WMF flaw. This vulnerability is corrected in Windows 2000, XP, and 2003 by using security bulletin MS06-001, which was released on Jan. 5.
(Eset, the maker of NOD32 antivirus software, has released an unofficial patch that is said to eliminate WMF risk on Windows 9x, Me, and NT systems. But this patch is little needed, as most updated antivirus programs, including NOD32, now detect and quarantine infected WMF images.)
The stated reason that Microsoft will not be preparing a patch is that for the older platforms, the flaw is not of a critical nature. But here’s the rub. What’s your definition of critical?
In my firm, I’ll be the first to tell you that I don’t want 98 or Me computers, since they lack fundamental tools that I need to manage them. I can’t patch them remotely. I can’t review their event viewer and use Web sites like EventID.net to investigate issues. I can’t ensure they have passwords and log access. I can’t audit the machines and set policies remotely. All of these things I cannot do on a 98 or Me platform. All of these things I care about. But the average home computer system, understandably, does not.
Some folks I know fault the XP platform for being more exposed to risks, because it (especially pre-SP2) was much more readily available to external access. For example, the Windows 98 platform wasn’t at issue for Messenger spam, isn’t vulnerable (as XP is) to the WMF flaw — as described by Stephen Toulouse on the Microsoft Security Response Center blog — and certainly doesn’t have a wireless Internet “feature” that can be used maliciously.
While Steve Riley in his blog can take journalists to task for overreacting to vague security threats, there are some writers who argue the opposite: That Windows 98 (until a machine dies from old age) is a securable platform for home users, as long as they have a third-party firewall and an antivirus program. It’s the classic Microsoft problem of an operating system being “good enough” for the needs of the home user.
So now we come to the question of the WMF vulnerability. Under Microsoft’s definitions, a “Critical” flaw strictly means an issue that requires no end-user interaction to infect a machine.
In today’s world of ever-increasing social engineering and phishing attacks, is it reasonable that the lack of human interaction should be the line drawn between "Critical" and "non-Critical"? Even on XP machines, it’s relatively trivial to trick someone into clicking and downloading malicious things (assuming they have Admin rights, as recently documented in a Microsoft whitepaper).
The entire computing industry has been, in my opinion, derelict in its consumer security education. The typical home user has to rely too much on recommendations by retailers and family members. Is relying on end users’ good judgment a valid criterion for what comprises a “Critical” flaw?
The bottom line is that if you are running these platforms, you are running a risk. Is it an acceptable one for you? I can’t answer that. Only you can. Do you trust yourself not to click?
What to do to keep patching from hurting
The Incidents.org site had a reference to patching the other day that caught my eye. A computer store owner had actually recommended disabling patching, telling the writer that getting a virus was preferable.
Nothing could be farther from the truth, especially since patching (at least in Microsoft patch terms) has gotten better over the years.
But, while I’m ready to state that I’m comfortable with automatic patching for a workstation, when I patch a server I’m much more cautious and still do it manually.
Even Apple can’t produce perfect patches. The company’s latest version of iTunes has been accused of calling home, and its QuickTime 7.0.4 update initially interfered with Windows Media Player, as reported at Incidents.org and News.com. These controversies reminded me that it hasn’t been that long ago that I, too, was a nervous Nellie around Windows patches. These days I have much more confidence in their patch quality.
Apple recalled the buggy QuickTime patch. But the event made me realize that it’s quite easy for me to be unconcerned about patching when I have several computers at my disposal. For home users with just one PC, problems caused by patching can be much more of a concern.
These days, if you’re a multi-computer family, you should stage your patch deployment just like I do at the office. First, patch those machines that are at a higher risk of being threatened by a vulnerability. If everything goes smoothly, patch those machines that are most crucial to you last, such as those that manage your personal financial data.
How many years before Oracle patches?
We rant a lot around here about how long it takes Microsoft to patch a vulnerability. But many of the 82 recent patches that fix security issues in Oracle’s database, as reported by Information Week, have set the bar for a "window of exposure."
The longest reported fix took more than 800 days to emerge, as described in postings on the SecurityFocus mailing lists. Remember that these databases are used in large corporations and typically contain sensitive information. These flaws, therefore, have the potential to expose consumers to some risk from identity theft.
Let’s hope that corporations get busy testing and deploying the patches much quicker than Oracle did in releasing them.
SharePoint patch is released for SBS SP1
KB 909988 is now being offered for Windows Small Business Server 2003 boxes that have SP1 slipstreamed in. Without this patch, a reinstallation of SharePoint could cause documents inside the database to be deleted.
The patch is offered by both WSUS and Microsoft Update. It was recently replaced on WSUS to update a detection rule.
WSUS gearing up for Antispyware updates
Almost a year ago at the RSA security conference, Bill Gates promised that Microsoft’s consumer Antispyware product would be free and that there would be a corporate version of the product. The WSUS blog announced that it’s getting ready for this by adding a new category for "Windows Defender," which is MS Antispyware’s new name.
It also appears that this is the category that we’ll need to check to get future Exchange Intelligent Message Filter updates, as I showed recently on my blog. I’m still investigating that and will report back to you about this in future newsletters. Needless to say, I think I’m missing some IMF updates that I should be getting.
How to get media for OEM versions
In the past, I’ve urged folks to install the NTBackup program, found on the Windows XP CD-ROM, on XP Home machines. There’s just one slight catch. That assumes you have the media.
More and more home or consumer machines don’t come with actual media but instead have only a "recovery partition." Now, although some of these recovery partitions do allow you to burn your own media, Larry Seltzer on the FunSec list brought up a hypothetical concern: Could these hidden partitions be used for attack?
While we ponder that one, I’d strongly recommend that when purchasing a home computer, you look for the offerings that do allow you to order real media. Even in the versions that I order for my firm, I have to be careful when ordering online to ensure I check the box for "Windows XP Professional" media.
It won’t cost you any additional fees, but it will ensure you have a CD-ROM, if need be. Better yet, call the order line directly, talk to a person, and ask. Make sure you get a physical CD-ROM and keep it in a safe place. Some people even put the CD-ROMs into little pouches and stash them inside the computer case.
Still more on OEM media, revisited
If the OEM Windows XP disc issue wasn’t bad enough, now comes the story of an owner of a server from Gateway who accidentally lost the first CD-ROM of his OEM media. Instead of being able to call up Gateway or Microsoft fulfillment, he’s been informed by Gateway that he will have to buy the entire operating system again and can only get replacement disks within 90 days after the original purchase (or 30 days, depending on whom he talked to).
Yes, all server owners should make sure they hang on to their software. But someone being a bit absent-minded and forgetful shouldn’t be punished this harshly by vendors.
My advice, if you’ve purchased an OEM system of any kind? Make a copy of the software (yes, you are allowed to make a copy for archive purposes). Consider putting a copy somewhere durable, like a bank lock box. That does sound a bit extreme, but considering that the firm in question is now faced with re-ordering software it thought it already owned, perhaps not.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title awarded by Microsoft to independent experts who do not work for the company. She’s a partner in a CPA firm and is known as the "SBS Diva" for her extensive command of the bundled version of Windows Server 2003.
How to slim down your porky pics
Those 8-megapixel cameras take great pictures, don’t they? Faaaaaaat. In more ways than one.
The top complaint I’ve heard since the holidays has nothing to do with rootkits, WMF files, or patches of patches. Nope. The people I know who scream the loudest got expensive new cameras, and they’ve learned that they can’t do much with their pictures.
Having your cake and eating it, too
You didn’t really think you’d get those gorgeous new high-resolution pictures free, did you? Robert Heinlein said it best — There Ain’t No Such Thing as a Free Lunch. No matter what you do, one of the prices you pay for really great picture quality is really huge files.
Send a handful of Christmas pics to a friend, and you may wipe out her inbox. Send a few to your parents or your great-aunt Mabel, who’s still using dial-up AOL, and it may be Valentine’s Day before they get them downloaded.
The funny part: You rarely need (or even want) all of the high definition that you paid so dearly to obtain. Yes, sometimes you want to make an 11-by-14-inch print, so you can hang your cat on the wall and admire the bits of Kibbles caught in his whiskers. But almost all of the time, the pictures you take rarely venture beyond a plain-vanilla computer screen. Big picture files are just overkill — expensive overkill, at that.
A free solution — from Microsoft!
OK. I lied. Or maybe Heinlein did. Sometimes there is such a thing as a free lunch.
Microsoft has (yet another) PowerToy that lets you reduce the size of your picture files. When you run a picture through the Image Resizer PowerToy, you lose some of that high definition: the resulting file is much smaller in size, and it’s also grainier. If you slim down a file using the Image Resizer, then print an 11-by-14 of your cat, you might not be able to tell the brand of food stuck on his whiskers. Get the picture?
As with all the PowerToys, Microsoft says it doesn’t support Image Resizer — although the Redmondians developed it, distribute it, refer to it in many places on their Web site, their tech support people recommend it, and so on. It’s another one of those best-supported unsupported products on the Internet. Unlike TweakUI, which has multiple versions for all modern versions of Windows, the Image Resizer only works with Windows XP and Windows 2003 Server.
Get yer Image Resizer here
To install the Image Resizer PowerToy, go to the Windows XP PowerToys home page. Download the file on the right called ImageResizer.exe. This is a little confusing, but the file that gets downloaded is actually called ImageResizerPowerToySetup.exe.
When ImageResizerPowerToySetup.exe is downloaded, double-click it to run it. You go through a very simple setup wizard. After you’ve finished the wizard, the program’s ready.
Making the best use of Image Resizer
To use Image Resizer, start by selecting a picture file (or files) that you want to make smaller. (Say, click Start, My Pictures or Start, My Documents.) Right-click on the file or files and choose Resize Pictures.
The Image Resizer gives you the option of resizing to different screen resolutions — 800 x 600 pixels, 1024 x 768, and so on. But if you click Advanced, the Resizer lets you choose any resolution at all.
When you click Next, the Resizer makes a copy of the picture and gives it a new name. For example, if you right-click on Cat.jpg and choose “Small Fits a 640 x 480 screen,” the Resizer makes a file called Cat (Small).jpg and sticks it in the same folder as the original. That new file is small in the sense that it isn’t as high-definition as the original and the file itself is much smaller. But it’s a picture file, just like any other picture file — you can print it, or email it, or view it on-screen.
Give it a try. Bet you’ll be impressed.
More on Microsoft’s PowerToys
My last column talked about a different PowerToy — Tweak UI, which is an amazingly capable program for changing the Windows user interface. Several of you wrote to explain how you can edit the Registry to produce the same effect as the one I described last week (which is to say, disabling AutoPlay for inserted CDs).
While it’s quite true that you can change the Registry to disable AutoPlay, I strongly suggest that you don’t. Why? Because Tweak UI is faster, easier, and safer. In my latest book, Windows XP Hacks & Mods For Dummies, I talk about using Tweak UI instead of digging into the Registry.
In some cases, the hacks you’ll find on the Web that aren’t covered by Tweak UI have been left out for a reason — if you change the Registry directly, you’ll see some really weird results. For example, adding commands such as Copy to Folder and Move to Folder to context menus using the Registry causes problems that adding these commands using Tweak UI does not. You can read an explanation of this by Raymond Chen, the author of Tweak UI, at his Old New Thing blog.
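To see what the AutoPlay setting discussed above actually looks like in the Registry without editing it by hand, here is an added read-only audit script (not the column’s code, nor Microsoft’s or Tweak UI’s). It reads NoDriveTypeAutoRun, the Explorer policy value that switches AutoRun off per drive type, and decodes its bitmask; the output field names are my own.

```powershell
# Added example (not from the column, Microsoft or Tweak UI): read-only audit of the
# AutoRun drive-type policy. NoDriveTypeAutoRun is a real Explorer policy value; bit n
# disables AutoRun for drive type n in the GetDriveType numbering (CD-ROM is type 5,
# so 0x20), and 0x80 covers drives of unknown type. Nothing here writes to the Registry.
function Get-AutoRunPolicy {
    $DriveTypeBits = [ordered]@{
        Unknown = 0x01; NoRootDir = 0x02; Removable = 0x04; Fixed = 0x08
        Remote  = 0x10; CDROM     = 0x20; RamDisk   = 0x40; Reserved = 0x80
    }
    $paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
    )
    foreach ($path in $paths) {
        $hive  = $path.Split(':')[0]
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        if ($null -eq $value) {
            # No policy value in this hive: Windows falls back to its built-in default.
            [pscustomobject]@{ Hive = $hive; Value = '(not set)'; DisabledFor = @(); CDROMAutoPlayOff = $false }
            continue
        }
        $disabled = @($DriveTypeBits.Keys | Where-Object { ($value -band $DriveTypeBits[$_]) -ne 0 })
        [pscustomobject]@{
            Hive             = $hive
            Value            = ('0x{0:X2}' -f $value)
            DisabledFor      = $disabled
            CDROMAutoPlayOff = (($value -band $DriveTypeBits.CDROM) -ne 0)
        }
    }
}

Get-AutoRunPolicy | Format-List
```

If the HKLM entry shows CDROMAutoPlayOff as True, a machine policy is in force and a per-user change (whether by Tweak UI or by hand) will not override it.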
Woody Leonhard’s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley. Need help with Windows or Office? Check out AskWoody.com.
When is a flaw really a back door?
How quickly do your vendors release patches? If they take 15 years, does that mean the problem was an intentional backdoor?
There are, to be sure, some still-outstanding questions regarding how the now-infamous Windows Metafile flaw affects the Windows 9x/Me platform (as discussed by my fellow columnist, Susan). One bit of controversy that arose over this problem since our last newsletter deserves clarification here.
Was the WMF hole left on purpose?
On an Internet radio show with Leo Laporte, Steve Gibson on Jan. 12 essentially made the claim that the WMF flaw was a “back door” that Microsoft had intentionally left in Windows.
Before I add my voice to the chorus claiming Steve is wrong, I want to at least acknowledge that none of us can really prove 100 percent that he is or that he isn’t correct. You can’t prove that any of the many vulnerabilities that exist aren’t an intentional back door left by the developer.
Or, to be slightly more accurate, you can only prove the positive case. You can only know that it was an intentional backdoor if the developer admits it. And if it was intentional, why would someone admit it? There’s always some possibility, however small, that what looks like a mistake was actually intentional. All you can do is judge based on the available evidence.
First, Gibson himself has severely softened his claim that this was an intentional back door. As I’m writing this, I’m listening to the Jan. 23 edition of Steve and Leo’s radio show (no transcription available yet). In it, Gibson says that he shouldn’t have used the word “back door,” since it’s a loaded term. He also says that maybe the word “intentional” was a little strong, as well. So if you, like many people, took those words to mean what they mean, I’d like to dispute the claim from that standpoint first.
In this case, I’m using Hanlon’s Razor, which says, “Never attribute to malice that which can be adequately explained by stupidity.”
Applied to the WMF flaw, this would mean that Microsoft just made a mistake, and didn’t insert the hole on purpose.
To support that idea, I refer to people better versed in the flaw than myself, such as Stephen Toulouse, who works in Microsoft’s Security Response Center. I imagine that this problem has been well researched by this group, while they were working up to the speedy patch release on Jan. 5.
Allow me to oversummarize a bit. He says that the various versions of Windows differ slightly because some of them were developed in parallel. He points out that, yes, such a flaw could easily have slipped in without anyone thinking it was a problem because that was the nature of things years ago. You can read his response in full in his blog entry on the topic. Remember, this code goes back to Windows 3.0, when you had to buy an expensive, add-on IP stack if you wanted to get on the Internet.
Well, obviously Toulouse is biased, since he works at Microsoft, right? Well, how about Mark Russinovich? That’s right, the same guy who publicly revealed the Sony BMG rootkit that showed up on the label’s audio CDs.
Mark writes a lot of Windows software, but I wouldn’t call him a Microsoft apologist. Again, to oversummarize, Mark thinks it’s an accident, too. Read the details yourself in his blog entry.
To throw in my two cents on the subject, I just think this flaw makes a really lousy back door. If I were putting it in myself, I’d certainly make it more universal. Gibson’s strongest new claim this week is that the WMF problem can never be exploited on Windows 9x. I don’t know that I would bet on that. Hackers are a clever lot. But, if he’s right, then Microsoft sowed the seeds of a back door in Windows 3.0 that couldn’t be easily exploited until Windows 2000. That’s either a really bad backdoor, or really amazing foresight.
Ancient vulnerabilities rear their heads
This WMF flaw looks pretty old, 15 years or more. But evidence suggests that vulnerability researchers realized the potential only around 30 days before it was caught and then quickly patched.
I discussed in my last column that this was handled so quickly because the hole was already being exploited in the wild. There was no secret to keep, and even if Microsoft didn’t do a thorough review of the code, the immediate problem needed to be addressed.
I also discussed the fact that this kind of problem draws a lot of attention to the area, and that we haven’t seen the last of the WMF-related problems. How long will it be until the next patch? How long should it be? If all the vulnerability researchers play nice with Microsoft, then it’s going to take its time and put out what it hopes will be the last WMF patch, ever. For Microsoft, this can easily mean 6 months or more.
Are you worried that an awful lot of exploit writers are looking hard in an area that will likely pay off, and there won’t be an official patch for some time? Well, some concern is always appropriate. But keep in mind that a good exploit author who’s willing to break the law and come after you probably has other ways to do so anyway.
So this probably doesn’t represent a great deal of additional threat if someone is already targeting your company. Also, these guys like to keep their exploits working for as long as possible, so hopefully a worm isn’t probable either, unless the information leaks too widely. At least now that you know WMF files are bad news and something you don’t use anyway, hopefully you’ve got some secondary defenses.
I say all that because I’d like to see Microsoft take the time to do the patch right. When a patch ships, the cat is out of the bag for the entire world. Or in this case, probably a whole litter of cats.
Are you wondering where I get the 6-month figure I mentioned above for the time from a vulnerability discovery to a patch by Microsoft? It’s partly from advisories that publish a timeline with their vulnerability details. One fun source is eEye’s Upcoming Advisories page. It’s marketing for them of course, but it’s also informative.
On this page are upcoming advisories (no details) of exploits that are waiting for vendor fixes. At eEye, a fix is considered late after 60 days. As I’m writing this, the oldest one is some Microsoft remote code execution vulnerability that is 146 days overdue — 206 days total since Microsoft was notified. The guys at eEye are typically pretty accurate with their severity ratings. That is, they don’t usually claim “remote code execution” unless they have an exploit working in-house.
Is 6 months really that bad? Having done QA for a few years now, I’ve softened my expectations somewhat. Yes, that’s getting to be a bit long, but I can understand how it happens. I wouldn’t want to have to regression test the set of things Microsoft has to.
And really, it could be a lot worse. Take Oracle, for example. In the past, security researcher David Litchfield has criticized them for taking a couple of years to put out fixes for problems he has discovered.
Was this an anomaly? Had Oracle just not learned yet? Unfortunately, it really doesn’t look like there’s been any improvement. A company named Red Database Security, which I hadn’t heard of before, released some Oracle advisories to the usual mailing lists. Their advisories have timelines in them. Several of them look reasonable, on the order of a few months. And then several of them have a “Time to fix” of 874 or more days. Ouch. Think maybe Oracle had a little backlog?
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).