James Riach

Repair Windows 10 Apps

At some point last year I had a problem with the Windows 10 Photo App not launching properly. In my attempts to repair it I ended up breaking all of the built-in Windows 10 Apps including the Store.

The Apps were now all in a state where they had no Icons, and their names were along the lines of “@Microsoft.WindowsStore….” and would not launch at all.

I attempted numerous fixes and read many articles with suggested fixes, to no avail, including:

  • Running System File Checker “sfc /scannow” – no problems found
  • Attempting to reset the Windows store with “wsreset” – no change
  • Running DISM with the “/scanhealth”, “/checkhealth” and then “/restorehealth” flags – Fixed some problems though no change to the Windows Apps

You can re-install all of the Windows Apps using the following PowerShell command, however beware, this is what caused my problems to begin with!

Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

For me running this would spew out a bunch of errors similar to the following:

Add-AppxPackage : Deployment failed with HRESULT: 0x80073CF6, Package could not be registered error 0x80070003: Reading manifest from location: AppxManifest.xml failed with error: The system cannot find the path specified.

You may notice in the error description the recommendation to check the Event Log or to use the cmdlet “Get-AppxLog”. I ran the latter, which gave me the following output:

error 0x80070003: Reading manifest from location: AppxManifest.xml failed with error: The system cannot find the path specified.

As you will see from the top of the last screenshot, there is a problem accessing a “.xml” file in the “C:\ProgramData\Microsoft\Windows\AppRepository” directory.
So off I go to said directory and lo and behold the error is quite right! The file it is looking for does not exist!

If you browse to the aforementioned directory you should find that it is full of “.xml” files for each of the Applications, likely many for different versions.
What I did next was to check for a similarly named file, albeit for a different version of the application, and copy it. I then renamed it to the name the error was stating is missing. Voila! If I now attempt to install the specific App using:

Add-AppxPackage -Register "C:\Program Files\WindowsApps\<application folder>\AppxManifest.xml" -DisableDevelopmentMode

The install completes and I can then successfully launch the application again.

If you run the above cmdlet for each broken application and then use the suggested “Get-AppxLog” from the error output you can determine the file that is missing and needs creating.

In a couple of cases there wasn’t a similarly named file for me to take a copy from. In this case I copied one of the other Application “.xml” files, renamed it and edited the “.xml” contents to match the details of the App I was repairing.
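To turn the manual procedure above into something repeatable, here is an added PowerShell script (my own example, not code from the original post). It lists every installed package whose AppxManifest.xml has gone missing, tries to re-register a given package, and on failure reads the missing AppRepository file name back from Get-AppxLog and lists sibling files of the same app that could serve as the template you copied by hand. Nothing is copied unless -CopyTemplate is given. It assumes, as labelled in the comments, that AppRepository file names follow the package full name (<Name>_<Version>_<Arch>__<PublisherId>.xml), so that another version of the same app shares the prefix before the first underscore; the package name in the usage line is a placeholder.

```powershell
# Added example (not from the original post): pre-flight check and assisted
# repair for broken Windows 10 Apps. Run from an elevated PowerShell prompt.
# Assumption (labelled): files in AppRepository are named after the package
# full name, e.g. <Name>_<Version>_<Arch>__<PublisherId>.xml, so a file for
# another version of the same app shares the prefix before the first "_".

$AppRepository = 'C:\ProgramData\Microsoft\Windows\AppRepository'

function Test-AppxManifests {
    # Lists packages whose install folder no longer contains a manifest.
    Get-AppxPackage | Where-Object {
        $_.InstallLocation -and
        -not (Test-Path (Join-Path $_.InstallLocation 'AppxManifest.xml'))
    } | Select-Object Name, PackageFullName, InstallLocation
}

function Get-MissingRepositoryFile {
    # Get-AppxLog without -All returns the log of the last deployment operation
    # only; pull any .xml name out of the "cannot find the path" lines.
    Get-AppxLog |
        Where-Object { $_.Message -match '0x80070003|cannot find the path' } |
        ForEach-Object { if ($_.Message -match '([^\s"'']+\.xml)') { $Matches[1] } } |
        Select-Object -Unique
}

function Repair-AppxPackageRegistration {
    param(
        [Parameter(Mandatory)][string]$PackageFullName,
        [switch]$CopyTemplate
    )
    $pkg = Get-AppxPackage | Where-Object PackageFullName -eq $PackageFullName
    if (-not $pkg) { throw "Package $PackageFullName is not installed" }
    $manifest = Join-Path $pkg.InstallLocation 'AppxManifest.xml'
    try {
        Add-AppxPackage -Register $manifest -DisableDevelopmentMode -ErrorAction Stop
        Write-Host "Registered $PackageFullName"
        return
    } catch {
        Write-Warning "Register failed for ${PackageFullName}: $($_.Exception.Message)"
    }
    foreach ($missing in Get-MissingRepositoryFile) {
        $leaf = Split-Path $missing -Leaf
        if ($leaf -ieq 'AppxManifest.xml') { continue }     # that is the package's own manifest
        $target = if ([IO.Path]::IsPathRooted($missing)) { $missing } else { Join-Path $AppRepository $leaf }
        $prefix = $leaf.Split('_')[0]                         # app name before the version
        $candidates = Get-ChildItem -Path $AppRepository -Filter "${prefix}_*.xml" |
                      Where-Object Name -ne $leaf
        Write-Host "Missing: $target"
        $candidates | ForEach-Object { Write-Host "  candidate template: $($_.Name)" }
        if ($CopyTemplate -and $candidates) {
            # Take the newest sibling version as the template, as the post did by hand.
            $template = $candidates | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            Copy-Item -Path $template.FullName -Destination $target
            Write-Host "  copied $($template.Name) -> $leaf; re-run to register"
        }
    }
}

# Usage (package name is a placeholder):
# Test-AppxManifests
# Repair-AppxPackageRegistration -PackageFullName 'Microsoft.WindowsStore_<version>_x64__<publisherid>' -CopyTemplate
```

Run Test-AppxManifests first: a package with no manifest at all in its install folder cannot be fixed by the AppRepository copy and needs a reinstall instead. Where there is no sibling version to copy, the script only reports the missing name, and the hand-edit of another app's file described in the post is still required.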

Anyway, this successfully repaired ALL of my broken applications. I hadn’t seen this method posted elsewhere on the Web, hence this post. Hopefully it helps someone else out there.

Good Luck!


A Review of the Razer Nabu

First of all I am a bit of a Razer fan boy, having owned numerous products of theirs over the years and currently own the Blackwidow Keyboard, Deathadder mouse and Tiamat headset.

This isn’t going to be a particularly comprehensive review, there will undoubtedly be much better ones on the web already that break down every tiny detail. This will just cover the basics and my use and observations thus far.

Anyway I recently decided to go and drop my saved Amazon vouchers on the Razer Nabu Smartband.

As I say, I’m a Razer fan boy so I did absolutely no research into these or how they compare to other Smartbands.

At £95 it’s not cheap, but neither is it as expensive as other options out there.

This is not just a fitness band, though it does track most of the statistics you would want from a fitness band including Steps, Distance, Calories burnt, Flights climbed and Sleep. It doesn’t track heart rate however.
No, the Nabu is also able to display notifications from your favourite mobile apps as well as calls, SMSs and reminders.
I love this feature, no more constant pulling your phone out your pocket to check on your notifications.

If you don’t want to be disturbed by a call you can simply press the button or shake your wrist to dismiss the call which is pretty nifty.
Although I must admit at first when I was shaking my wrist I was kinda making the universal “w@nkr” gesture, got to watch out for that!

I’ve got mine paired up with my iPhone, you can also pair it up with an Android device however Windows phone compatibility is yet to surface.

The Nabu App is OK though somewhat basic and a bit “buggy”. It’s most frustrating being stuck in a Login loop and the app randomly crashing out, which appears to be happening more and more frequently lately.
You can set it to write directly into your iPhone health app if you wish.

Is it worth it? Probably not; if it were not for having some vouchers I probably wouldn’t have gotten one. I do like the notification features, but I don’t think that justifies paying out £95.
If you want fitness tracking I suspect there are many better dedicated wearables for that.

Oh and one other thing, if you’re going to have some “personal pleasure time with your hand” then I suggest you take the band off otherwise you’ll skew your stats 😉

Does Empathy Exist in IT Support

Another non-technical blog post, I’m on a roll!

I recently watched a documentary, which explored the differences between the minds of Men and Women and it got me thinking how this translates in an IT Support department.
The documentary in question is a 2005 three part BBC series called Secrets of the Sexes, the three parts of which are broken down into the following: Brainsex, Attraction and Love.
It is the first episode – “Brainsex”, which got me thinking, and it is this episode I shall be making reference to in this article.

This isn’t just an article to answer the question of whether Empathy exists, but that of the relationships between Customers and IT Support Teams/Departments. However it is how I shall kick this off…

So first off let’s clarify the definition of what ‘Empathy’ is, so to quote the Oxford English Dictionary:

Empathy (noun): The ability to understand and share the feelings of another.

Let’s also clarify what a typical IT Support department or team looks like.
I think it would be fair to say that IT Support is a largely male dominated profession, built with varying degrees of experience ranging from young Juniors starting out their IT Career paths to those more mature and experienced Seniors.
Also if you were to ask most people that work within an IT Support role the reasons for doing so, the typical primary answer will be to gain hands on experience with new and existing technology which feeds their interests and hobbies.

Now that we’ve established the definition of ‘Empathy’ and a somewhat sweeping statement of your typical IT Support department, I bring you to my first documentary reference.

It is established early on in the episode through tests and experiments that Women are typically more Caring, Sensitive and more Empathetic, whereas Men tend to show far lower levels of these traits.
At this point it is worth pointing out that these are just average results and that some Men will show higher levels of emotion and also that some Women will show lower levels.

So by applying the average levels of Empathy of Men to your average and typical IT Support department, Does Empathy Exist in IT Support?
Well at this stage it would be a fair assumption to say No, or more accurately, very little.

Right at the start of “Brainsex” the sample group are put through an experiment. This consists of taking each individual on the same Taxi journey and exposing each to the same conversations.
When later questioned about their journeys, typically Women remembered more of the conversational details whereas Men remembered more about objects and things, such as the colour of the car, the make of the car, the trim and the places travelled through.

Now we have your typical male dominated IT Support department dealing with objects and things – usually overcoming issues with them. This is good as this is what on average they are good at focusing on.
They receive a task, get on with it and finally complete it with very little emotional attachment.

So what benefits could increased levels of emotion or empathy have?
In my opinion the answer is better levels of Customer Service and Customer Relationships.
Everyone likes to have someone that understands them and cares for them.

IT Support teams are typically always on the back foot with customers, as generally most interactions are as a result of a problem that needs correcting.

So how can levels of empathy be increased and great Customer Relationships be built?

In the past I have built great Customer Relationships and I have also gone through some horrific and painful technical issues, yet still managed to come out the other end with those relationships intact.

In ALL of these situations this worked by getting to know those Customers very early on. Finding out about the business of the Customer and its goals. The type of people I’ll be dealing with, and importantly BEFORE issues start to inevitably occur.

Now as I established earlier on, typically your average SysAdmin is not there for the Customer Service aspect, but primarily for exposure to technology.
However it is my opinion that it is highly beneficial to expose these folk to Customer interaction very early on and start building these relationships. Its benefits would include:

  • The IT Support Team – Better customer service provided, and thus better feedback received
  • The Customer – Will feel understood and cared for
  • The Individuals – Will grow in business relationships, will care more for the customers they know. Likewise the individuals that make up the customer will likely better value the advice and opinions shared by their IT Support.

The other thing to mention is your typical Sales and Account Management teams will be highly adept at building good strong Customer Relationships, it’s highly important in those roles.

It is here that I make my last reference to “Brainsex”. Towards the end of the episode the Men and Women are set the task to change the nappy of a number of babies.
Both groups complete the task, however in all cases the Women pick up the baby afterwards and continue to talk. In contrast once the Men complete the task they then step away – job done!
The comparison I’m making here is your Sales and AM team are more like the Women and your Support teams are more like the Men.
However, there is one Man in the group that does pick up the baby, and it is suggested that this has been learnt over a period of time.

Therefore my conclusion is that Customer Relationship building is something that should be actively encouraged and unified throughout a business. IT Support teams are a very common contact point to customers so why would you not encourage relationship building?

So Does Empathy Exist in IT Support?
It will no doubt exist to an extent, and there will always be individuals that display this more than others. However this is something that can be learnt and should be encouraged.

If you’re interested in viewing the Documentary “Brainsex” here’s a link to a copy I found on YouTube: https://youtu.be/3dMvJY3FPkc

Trust in Logic

Having been a SysAdmin for the past 12 or so years I can safely say that I’ve encountered and successfully resolved my fair share of issues. Some of which on platforms I would consider myself highly knowledgeable on and those that I’ve never touched in my life.

Being or becoming a highly capable SysAdmin is not about trying to know everything. This is not possible, and any SysAdmin who claims to is both lying and frankly dangerous.
No, the key is your approach to the problems you encounter, and simply put this boils down to the questions you ask. Not questions you necessarily ask a customer/user or your peers, but the questions you ask yourself.

As you grow, develop and encounter problems, you’ll gain experience. You’ll be able to use this experience to speed up the time it takes to resolve future problems you encounter, thus turning unhappy customers or users into happy ones very quickly.

However, sooner or later your experience will fail you and you’ll find yourself going round in circles and spending an enormous amount of time and effort investigating a specific component.
Alternatively, you receive a good description of the problem and again focus all of your attention on a specific component.

It is here that you need to remind yourself that in most cases there is a logical reason behind the cause of the problem.
Even the most accomplished of SysAdmins need to be reminded of this every now and then.
All it can often require is to take a step back, and get back to basics. Often a logical approach through the questions you ask yourself can lead you to a simple solution to what may seem to be an illogical and complex problem.

So what are these magical logical questions you should ask yourself?
Well every situation is of course going to be different, but from a high level a good starting question would be:

What is required for the component I am troubleshooting to operate successfully?

From there you can break this down into very simple questions of verification, which will either point out the problem, or at least the area to further concentrate your efforts.
Such questions could be as simple as these:

Is the device powered on?
Am I looking at the right device?
Are the supporting components/services running?
Are the supporting components/services configured correctly?
Is the component configured correctly?
Have there been recent changes to any of the above?

Very simple and high level I know, but I’m keeping this as generic as possible; hopefully you get the picture.

Reading this back this all seems so very obvious. It may well be that it’s too obvious. I certainly wouldn’t be writing this though if it were not for being witness to and at times (though rarely!) guilty of throwing all logic out the window.

At the end of the day, it’s all just 0’s and 1’s. Trust that there is a logical reason and trust that a logical approach will prevail.

Happy troubleshooting folks!

Query Windows WMI Through NAT

I haven’t added any articles for ages, so here’s a fairly simple one…

One of the key things for SysAdmins is the ability to monitor the devices they’re responsible for. Pretty standard stuff and nothing new to anyone.

The most simplistic and universal method of doing so is to use the Simple Network Management Protocol (SNMP). It’ll give you all the standard things you usually want to know about your server(s), e.g. CPU, Memory and Disk usage.

Hello WMI
However it would probably be useful, and in some cases essential, to also be able to monitor your standard Windows Applications or additional Windows Performance Counters otherwise unavailable through SNMP; e.g. IIS, SQL Server and Sharepoint, to name just a few.
For this you can utilise Windows Management Instrumentation (WMI). It’s worth noting that WMI can be used for more than simply querying/monitoring performance counters.
If you want to read more about the power of WMI, then read up on it here: About WMI

I won’t go into configuring WMI, there are plenty of articles on the Web that can help you with that, just use your usual Google foo.

The Problem
So if you’re only monitoring systems on your Internal LAN then you’re probably set to go. See ya later!

However in cases where you want to make use of WMI monitoring for remote devices over the public network, you’ll likely find your queries fail and time out.

The issue is WMI doesn’t work through Network Address Translation (NAT), or more accurately the Distributed Component Object Model (DCOM) doesn’t.

When you make your WMI query to your target, DCOM responds with a list of Hostnames and IP Addresses. Your client then pings these and uses the first one that responds.
For a device that is NAT’d the DCOM response knows nothing about the public IP Address, and thus none of the returned addresses will respond.

It is also worth noting that DCOM allocates ports dynamically, so you’ll need to keep an eye on your firewall rules, or look to restrict DCOM to a set of specific ports.

The Fix
The issue is actually fairly simple to resolve; the only reason I have written this article is that I had to click around the web a few times before I discovered the reason behind the failure.

So to resolve the issue you just need to give your client a method to resolve the hostname that is returned by DCOM.
The simplest method of course is to use a hosts file entry on your client.
Assuming you configured WMI/DCOM correctly you should now find you can successfully query your remote NAT’d devices via WMI.

The drawback of course is that if you have a large number of remote NAT’d devices to monitor, you’re going to have a potentially large hosts file to maintain.

Another alternative of course would be using an Agent based monitoring method.
As an example Solarwinds Orion provides such a method which allows you to take advantage of WMI Monitoring without the NAT issue, other products may provide similar functionality.
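The hosts-file fix above, as an added PowerShell example (mine, not code from the original post): one function appends the mapping from the hostname DCOM hands back to the device's public address, skipping it if the name is already mapped, and the other runs a WMI query against that hostname so you can confirm the callback now resolves. The hostname and IP in the usage lines are constructed placeholders, and it assumes the WMI/DCOM firewall configuration on the target (including the dynamic DCOM port range mentioned above) is already in place.

```powershell
# Added example (not from the original post): map a NAT'd host's DCOM-returned
# hostname to its public IP in the local hosts file, then test a WMI query.
# Assumptions (labelled): hostname/IP below are constructed placeholders;
# WMI/DCOM and the firewall on the target are already configured.

$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-HostsEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][ipaddress]$IPAddress
    )
    # Idempotent: only append when no uncommented line already maps this name.
    $pattern  = '^\s*[0-9a-fA-F:.]+\s+.*\b' + [regex]::Escape($HostName) + '\b'
    $existing = Get-Content $HostsFile | Where-Object { $_ -match $pattern }
    if ($existing) {
        Write-Host "hosts already maps ${HostName}: $existing"
        return $false
    }
    Add-Content -Path $HostsFile -Value "$IPAddress`t$HostName`t# WMI via NAT"
    return $true
}

function Test-WmiOverNat {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [pscredential]$Credential
    )
    # Query by the hostname DCOM returns, so the hosts entry is what resolves it.
    $params = @{ ComputerName = $HostName; Class = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        $os = Get-WmiObject @params
        [pscustomobject]@{
            Host = $HostName; Reachable = $true; OS = $os.Caption
            LastBoot = $os.ConvertToDateTime($os.LastBootUpTime); Error = $null
        }
    } catch {
        [pscustomobject]@{
            Host = $HostName; Reachable = $false; OS = $null
            LastBoot = $null; Error = $_.Exception.Message
        }
    }
}

# Usage (constructed values; run elevated because the hosts file is protected):
# Add-HostsEntry -HostName 'remote-srv01' -IPAddress '203.0.113.10'
# Test-WmiOverNat -HostName 'remote-srv01' -Credential (Get-Credential)
```

If Test-WmiOverNat still times out after the entry is in place, the DCOM callback ports are the next thing to check on the firewall, since the hostname is now resolving but the second connection has nowhere to land.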

Anyway, Happy Monitoring….

Failover Clustering: Correct Quorum but single node failure shuts down cluster

Another post on Windows Failover Clustering, but this one isn’t so pretty by comparison to my last post.

Recently on a 3 node Failover Cluster we were presented with a little warning that a node failure would cause the cluster service to stop and that the cluster configuration should be checked.
Well, in a 3 node cluster the correct Quorum setting for an odd number of nodes is Node Majority. After double checking this was set correctly, that comms between all the nodes were in place and working, and also running the Validation tool, we were satisfied the configuration was indeed correct.
Obviously the last thing you want to risk is assuming the error is erroneous and then find that when a node fails the cluster also stops.

Satisfied the configuration was correct we presented the issue to Microsoft Support. The suggestion and indeed the resolution was as follows:

  1. Add a Witness disk to the cluster
  2. Change the Cluster Quorum setting to Node and Disk Majority
  3. Change the Cluster Quorum setting back to Node Majority

We didn’t get a reason for why this happens other than sometimes it does and switching to another Quorum setting and back again generally resolves the issue.
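The three steps from Microsoft Support, as an added PowerShell example using the FailoverClusters module rather than the console (my example, not code from the original post). The cluster name and the witness disk's cluster resource name are placeholders, and it assumes the witness disk has already been added to the cluster's Available Storage and is visible to every node. The final sanity check works out how many node failures Node Majority tolerates, which for the 3 node cluster above should be exactly one.

```powershell
# Added example (not from the original post): switch a Node Majority cluster to
# Node and Disk Majority and back, which is the fix described above.
# Assumptions (labelled): cluster and witness disk names are placeholders; the
# witness disk is already in Available Storage.
Import-Module FailoverClusters

function Reset-NodeMajorityQuorum {
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [Parameter(Mandatory)][string]$WitnessDiskName   # e.g. 'Cluster Disk 2'
    )
    $before = Get-ClusterQuorum -Cluster $ClusterName
    Write-Host "Before: $($before.QuorumType)"

    # Step 2: Node and Disk Majority, using the witness disk added in step 1.
    Set-ClusterQuorum -Cluster $ClusterName -NodeAndDiskMajority $WitnessDiskName | Out-Null
    $mid = Get-ClusterQuorum -Cluster $ClusterName
    Write-Host "Intermediate: $($mid.QuorumType) (witness: $($mid.QuorumResource))"

    # Step 3: back to Node Majority, the correct setting for an odd node count.
    Set-ClusterQuorum -Cluster $ClusterName -NodeMajority | Out-Null
    $after = Get-ClusterQuorum -Cluster $ClusterName

    # Node Majority needs floor(nodes/2)+1 votes, so report how many failures survive.
    $nodes = @(Get-ClusterNode -Cluster $ClusterName).Count
    [pscustomobject]@{
        Cluster           = $ClusterName
        QuorumType        = $after.QuorumType
        Nodes             = $nodes
        ToleratedFailures = $nodes - ([math]::Floor($nodes / 2) + 1)
    }
}

# Reset-NodeMajorityQuorum -ClusterName 'cluster01' -WitnessDiskName 'Cluster Disk 2'
```

Run it from one of the cluster nodes or a machine with the Failover Clustering tools installed; if ToleratedFailures comes back as 0 for a 3 node cluster, the warning in the console was telling the truth and the configuration still needs looking at.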

Hopefully this will save some people some head scratching and the need to contact MS support.

For full details on the correct Quorum configuration for Failover Clusters refer to the Technet Article: http://technet.microsoft.com/en-gb/library/cc770620%28v=ws.10%29.aspx

James

Windows Server 2012: Cluster Aware Updating

In my continued efforts over the past few weeks putting together a Windows Server 2012 Hyper-V Cluster, I recently discovered a nifty new feature to Windows Server 2012’s Failover Clustering – Cluster Aware Updating.

This feature is going to save a lot of SysAdmin time when it comes to patching your Failover Cluster nodes, the only real interaction required is simply to setup the schedule. Cluster Aware Updating will fully automate patching your cluster nodes one-by-one without impact to your cluster applications or roles.

Initial setup of CAU requires that you select a “Co-ordinator”, and this basically does what it says on the tin. The Co-ordinator manages and monitors the patching tasks across the nodes in the cluster. This role can be enabled within the cluster or outside.

The CAU Co-ordinator will perform the following steps:

  • Downloads updates to each node
  • Selects the node with the fewest applications/roles first (although you can specify a specific order during setup)
  • Initiates a Node Drain, i.e. moves the applications/roles off the node to other nodes in the cluster
  • Puts the node into Maintenance Mode
  • Installs the downloaded updates
  • Restarts the node if required
  • Verifies the installed updates
  • Brings the node out of Maintenance Mode
  • Moves the applications/roles that were previously moved off the node back again
  • Repeats the above steps for the next node in the cluster

As you can see performing those steps manually is a very time consuming task, especially for large clusters with many applications/roles. The most time consuming and tedious part being the application/role migrations and ensuring you move the same roles back again afterwards.

CAU can install updates from a number of sources including:

  • Windows/Microsoft Update
  • Windows Server Update Services (WSUS)
  • Hotfixes or Cumulative Updates not released via Windows/MS Update (set up a file share)
  • 3rd Party Driver and Firmware updates (set up a file share)

So not only does CAU save you time but it ensures that your cluster nodes are all at the same update levels too which of course is desirable at all times.
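Since the post says the only real interaction is setting up the schedule, here is an added PowerShell example (mine, not code from the original post) that registers the CAU clustered role with a monthly schedule, and a second function that runs the readiness tests, previews the applicable updates and then starts an updating run on demand. The cluster name is a placeholder, and it assumes updates come from Windows/Microsoft Update (or the WSUS server the nodes are pointed at) through the built-in Microsoft.WindowsUpdatePlugin.

```powershell
# Added example (not from the original post): schedule CAU and run it on demand.
# Assumptions (labelled): cluster name is a placeholder; updates come from
# Windows/Microsoft Update or WSUS via Microsoft.WindowsUpdatePlugin.
Import-Module ClusterAwareUpdating

function Register-ClusterPatchSchedule {
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [string]$Day = 'Sunday',
        [int[]]$WeeksOfMonth = @(2)          # second Sunday of each month
    )
    # Adds the CAU clustered role, so the co-ordinator runs inside the cluster.
    Add-CauClusterRole -ClusterName $ClusterName `
        -DaysOfWeek $Day -WeeksOfMonth $WeeksOfMonth `
        -MaxFailedNodes 1 -MaxRetriesPerNode 3 `
        -RequireAllNodesOnline `
        -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
        -EnableFirewallRules -Force
}

function Invoke-ClusterPatchRun {
    param([Parameter(Mandatory)][string]$ClusterName)
    # Readiness tests: remote-restart firewall rule, role present, nodes reachable.
    Test-CauSetup -ClusterName $ClusterName | Format-Table -AutoSize
    # Preview which updates each node would install, without touching anything.
    Invoke-CauScan -ClusterName $ClusterName -CauPluginName 'Microsoft.WindowsUpdatePlugin' |
        Format-Table -AutoSize
    # The run itself: drain, maintenance mode, install, restart, verify, resume, next node.
    Invoke-CauRun -ClusterName $ClusterName `
        -CauPluginName 'Microsoft.WindowsUpdatePlugin' `
        -MaxFailedNodes 1 -MaxRetriesPerNode 3 -EnableFirewallRules -Force
    # Per-node outcome of the run that just finished.
    Get-CauReport -ClusterName $ClusterName -Last -Detailed
}

# Register-ClusterPatchSchedule -ClusterName 'hvcluster01'
# Invoke-ClusterPatchRun -ClusterName 'hvcluster01'
```

MaxFailedNodes of 1 stops the run rather than carrying on if a node fails to come back, which is what you want on a small Hyper-V cluster where a second failure would cost quorum.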

One thing I did notice was the SCOM agent on the cluster nodes got stuck in Maintenance Mode. I had to fix this by putting the nodes into Maintenance Mode via the SCOM console for 10 minutes, after which the nodes were successfully monitored again.

This is certainly one of my favourite additions to the Server 2012 feature set so far. If you have a Server 2012 cluster then enable this feature!


James

SCOM 2012: Monitor Overrides for mixed Hyper-V 2008/2012 Environments

If you have an environment containing both Hyper-V 2008 and 2012 servers and thus have the Hyper-V 2008 Management Packs installed you’ll find you get some false alerts for your 2012 Hyper-V servers.

The 2008 Hyper-V Management pack looks for event logs that no longer exist in Hyper-V 2012 thus you’ll receive an alert stating an event log is inaccessible.

Example SCOM Alerts:

Alert description: The Windows Event Log Provider is still unable to open the Microsoft-Windows-Hyper-V-Network-Admin event log on computer ‘hostname’. The Provider has been unable to open the Microsoft-Windows-Hyper-V-Network-Admin event log for 720 seconds.

Alert description: The Windows Event Log Provider is still unable to open the Microsoft-Windows-Hyper-V-Image-Management-Service-Admin event log on computer ‘hostname’.
The Provider has been unable to open the Microsoft-Windows-Hyper-V-Image-Management-Service-Admin event log for 6480 seconds.

To resolve this you need to create an override that excludes your Hyper-V 2012 hosts from these monitors as follows:

  1. In the SCOM Management console navigate to Authoring > Management Pack Objects > Monitors
  2. Click Scope button at the top of the console, enter ‘Hyper-V’ > View All Targets > Select All > OK
  3. In the Look for field enter ‘Connectivity’ > Find
  4. For both ‘Port Connectivity’ and ‘Port Disconnectivity’ right click the Monitor > Overrides > Disable the monitor > For a specific object of class
  5. You should see your Agent managed Hyper-V hosts, tick the 2012 Hyper-V Hosts > OK
  6. Back to the Look for field enter ‘mounted drive’ > Find
  7. Find the ‘Mounted Drive Read-Only’ monitor > Right click > Overrides > Disable the monitor > For a specific object of class
  8. Select your 2012 Hyper-V hosts > OK

I found the alerts didn’t recover automatically after adding the overrides and had to manually mark them as resolved/closed.
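The same overrides created from the Operations Manager shell instead of clicking through the console, as an added PowerShell example (mine, not code from the original post). The override management pack name and the host names are placeholders; the pack must already exist and be unsealed. It scopes to the three monitor names from the steps above within the Hyper-V management packs, and matches the target-class instances to the 2012 hosts by the host name appearing in the instance's Path or DisplayName, which is an assumption about how the hosted objects are named in your environment.

```powershell
# Added example (not from the original post): "Disable the monitor > For a
# specific object of class" for the 2012 Hyper-V hosts, done with the
# OperationsManager module. Assumptions (labelled): override MP name and host
# names are placeholders; instances are matched by host name in Path/DisplayName.
Import-Module OperationsManager

function Disable-HyperV2008MonitorsOnHosts {
    param(
        [Parameter(Mandatory)][string[]]$HyperV2012Hosts,
        [Parameter(Mandatory)][string]$OverrideMpDisplayName,
        [string[]]$MonitorNames = @('Port Connectivity', 'Port Disconnectivity', 'Mounted Drive Read-Only')
    )
    $mp = Get-SCOMManagementPack -DisplayName $OverrideMpDisplayName
    if (-not $mp) { throw "Management pack '$OverrideMpDisplayName' not found" }
    if ($mp.Sealed) { throw "Overrides must be stored in an unsealed management pack" }

    # Same scope as the console's Scope button: Hyper-V management packs only.
    $monitors = Get-SCOMMonitor | Where-Object {
        $MonitorNames -contains $_.DisplayName -and
        $_.GetManagementPack().DisplayName -like '*Hyper-V*'
    }
    foreach ($monitor in $monitors) {
        $targetClass = Get-SCOMClass -Id $monitor.Target.Id
        $instances = Get-SCOMClassInstance -Class $targetClass | Where-Object {
            $obj = $_
            ($HyperV2012Hosts | Where-Object { $obj.Path -like "$_*" -or $obj.DisplayName -like "$_*" }) -ne $null
        }
        if (-not $instances) { continue }
        Disable-SCOMMonitor -Monitor $monitor -Instance $instances -ManagementPack $mp
        "{0}: override created for {1} object(s)" -f $monitor.DisplayName, @($instances).Count
    }
}

# Disable-HyperV2008MonitorsOnHosts -HyperV2012Hosts 'hv2012-01.example.local','hv2012-02.example.local' `
#     -OverrideMpDisplayName 'Hyper-V Overrides'
```

As with the console route, the existing alerts will not close themselves once the overrides exist, so expect to resolve them by hand afterwards.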


James


SCOM 2012 SP1: Broken Alert Link URL

I’ve been working on a System Center Operations Manager (SCOM) 2012 deployment recently. Now that Microsoft have made Service Pack 1 fully available it appears the normal Alert URL is somewhat broken.

The original Alert URL looks something like this: http://scomwebserver/OperationsManager/default.aspx?DisplayMode=Pivot&ViewType=AlertView&AlertID=$UrlEncodeData/Context/DataItem/AlertId$
However since the installation of Service Pack 1 the Alert View never actually completes loading.

The workaround for the time being is to update the Alert URL in your Channel Notification to: http://scomwebserver/MonitoringView/default.aspx?DisplayMode=Pivot&ViewType=AlertView&AlertID=$UrlEncodeData/Context/DataItem/AlertId$
This works, but you must authenticate at the /OperationsManager URL first, as it appears that authentication fails if you browse to MonitoringView without having visited the OperationsManager URL beforehand!

A pretty irritating problem, hopefully it won’t take long for MS to release a fix. Cumulative Update 1 for SP1 was released pretty quickly after the release of SP1.
I’ll post an update once a fix has been released.

James

SMTP: Reliability and Reputation

The Simple Mail Transfer Protocol (SMTP) has been around since the early 1980s (with its roots going much further back). So it still surprises me how many people implement badly configured SMTP servers. Quite often these same people have a high reliance on the service yet have so little understanding of how it works, how to build a good reputation, how to deliver email reliably and how to decrease the amount of Junk received.

I’m not entirely sure what the reason for this is, as I say it’s been around for a long time. There’s no shortage of articles and guides on the web detailing best practices. Maybe it’s an expectation that everything should be well setup from initial product install.

Unfortunately it’s quite often only after running into problems are the basic techniques implemented to increase reliability, usually when either a lot of Junk is received or barely anyone will accept a single message from you any more. Why put yourself through this pain when a small amount of research can pay off by having a well planned mail service deployment?

So what can you do to increase the reliability and reputation of your mail servers?
I’ll cover off a number of things you can do, I’m not going to go into a huge level of detail here since it’s so well covered in numerous articles you can find from a simple web search.

  • Spam Scanning Software
    Pros: Decrease the amount of unsolicited messages delivered to your users
    Cons: Requires further resources to scan each individual message that you receive
    It’s rare not to install any kind of spam scanning software these days, but if you haven’t you should seriously consider doing so. Some MTAs may have this functionality built in, others will allow 3rd party Spam Scanning software to “plug in” directly to your MTA. There are also services that will do this for you before passing any messages on to your mail server. Some are free to use and others you pay for. What works for you will depend on your exact requirements and the level of control you wish to have, so research what is available first.
  • Reverse DNS (rDNS)
    Pros: Increase your reputation for sending mail, Decrease the amount of unsolicited messages delivered to your users
    Cons: Additional DNS lookups
    This is a really easy thing to implement, yet is surprisingly overlooked by many. Ideally you should have an rDNS record for the IP Address you send mail from that matches the FQDN hostname you’re sending as. You should also include the correct FQDN of your host in the SMTP banner of your MTA. Whilst you’re changing your SMTP banner, remove the MTA version too.
  • Sender Policy Framework (SPF)
    Pros: Increase your reputation for sending mail, Decrease the amount of unsolicited messages delivered to your users
    Cons: Breaks email forwarding/redirecting
    SPF is a method of IP Address validation to prevent the spoofing of e-mail. It works by publishing a DNS TXT record listing the IP Addresses that are allowed to send mail for that DNS zone.
    You should consider publishing such a record in all the DNS zones for which you are responsible for sending mail.
    You should also consider implementing checks in your MTA (Mail Transfer Agent) for the existence of such records for mail you receive. Depending how strict you wish to be you may wish to reject outright messages that hard fail, or increase the score you give such a message upon receipt.
    However there is a downside to SPF that many people tend to overlook – it breaks e-mail redirection. If you redirect any mail to alternative recipient addresses then this is something you need to consider regardless of whether you have any SPF implementation yourself. There is a workaround however…
  • Sender Rewriting Scheme (SRS)
    Pros: Allows you to successfully forward/redirect messages where recipients enforce SPF checks
    Cons: By rewriting the envelope sender (“MAIL FROM:”) address you effectively take responsibility for the message
    As mentioned above SPF breaks mail redirection. To understand why take the following as an example:
    user@domainA.tld sends a message to a recipient in your domain user@domainB.tld, you forward messages for user@domainB.tld to user@domainC.tld
    Now if domainA.tld publishes SPF records stating that mail for this domain only originates from the IP Addresses they list, and domainC.tld checks for the existence of SPF records for any mail it receives, then suddenly you find the mail is rejected. The reason for this is that the mail has gone through your server, and your server’s IP Address is not listed as an authorised sending IP for domainA.tld.
    So SRS provides a means of rewriting the “MAIL FROM:” address so that the message originates from your domain. However it’s rewritten in such a way that Delivery Status Notifications can be sent back to the original sender of the message.
  • DomainKeys Identified Mail (DKIM)
    Pros: Increase your reputation for sending mail, Decrease the amount of unsolicited messages delivered to your users
    Cons: Yet more DNS lookups required, some spammers are also starting to sign messages
    DKIM allows you to take responsibility for a message in transit. You sign a message with a DKIM signature and publish a public key in your DNS zone allowing recipients to validate the authenticity of the message.
    By introducing DKIM signing you can increase the reputation of the mail you send thus in turn increasing the reliability the message will be successfully received by the intended recipient. Unlike SPF it doesn’t break e-mail forwarding.
    You should also consider validating messages you receive that carry DKIM signatures, as it will complement any spam protection techniques you have in place.
  • DNS Block Lists / Real-time Block Lists (DNSBL / RBL)
    Pros: Determine if a sender is universally known for sending unsolicited mail
    Cons: Yet another additional DNS Lookup required, relying on a 3rd party list to determine the legitimacy of received mail
    A DNSBL or RBL is a list of suspect IP Addresses known for sending unsolicited mail. Quite often those that consistently send lots of spam will end up on one of the many DNSBLs. These can be a great way to combat receiving unsolicited mail. However you should consider wisely the lists that you use; some may list IP Addresses quite aggressively, thus increasing the chances of legitimate senders ending up on such lists.
    Many people will configure their servers to reject a message outright during the SMTP transaction if the sender is found on such a list. However I believe this to be a mistake. By doing this you are completely relying on a 3rd party to determine what mail you will and will not accept. It’s not uncommon for legitimate senders to end up on these lists from time to time, sometimes through no fault of their own. Instead you would be better off increasing the spam score you give to a message should you find a sender on such a list.
  • Greylisting
    Pros: Decrease the amount of unsolicited messages delivered to your users
    Cons: Punishing legitimate senders by delaying message delivery, less effective if you have multiple MXs (unless the Greylist can be shared), Maintaining the Greylist (the list can grow large without pruning old records)
    I’ve always been in two minds in regards to Greylisting. On one hand it can be very effective for reducing the quantity of spam you accept. On the other hand you end up punishing legitimate senders by delaying delivery of messages they send to you. However if setup properly you can reap the benefits of Greylisting whilst minimising the impact to legitimate senders.
    Greylisting works by temporarily rejecting messages from senders you haven’t “seen” before for a small period of time. The reason it is so effective is spammers will generally not retry sending messages upon rejection, whilst legitimate senders should (so long as their MTA is properly configured) continue to retry sending messages.
    To minimise the impact on legitimate senders I make Greylisting one of the last checks during an SMTP transaction. I would recommend bypassing Greylisting if a sender has traits of a legitimate sender, so check SPF, DKIM signatures, Reverse DNS, DNSBL (both Block Lists and if they exist on white lists). If these all pass then there is little point in Greylisting, however if these fail consider adding the sender to the Greylist.
    If a legitimate sender is Greylisted then after the Greylist delay has expired the sender should be whitelisted ensuring that any future deliveries do not have to go through the same process.
    Another pitfall of Greylisting is when you have multiple Mail Exchangers (MXs): unless you can share the Greylist with all your MXs then it’s likely messages will circumvent the Greylist. A SQL based Greylist would allow for replication among your MXs, thus counteracting this problem.
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
    Pros: Allows users to sign messages with a certificate as well as provide message encryption
    Cons: Obtaining certificates can cost money, not easy for end users to obtain and setup
    By encouraging your users to use a certificate to sign their messages (and encrypt) recipients can verify the authenticity of messages received. For communications of sensitive information messages can also be encrypted.

  • Mail Footers and Disclaimers
    Pros: Ensures a message has the appropriate mandatory information in business sent communications
    Cons: Usually added to the message body when the message is in transit
    This one is a minor irritation of mine. The Companies Act (1985) was updated to include that business information such as Registered company etc. be included in the footer of messages. Unfortunately this is usually ensured by appending this to messages whilst in transit, i.e. after the sender has hit the send button. Really you should avoid modifying the message body whilst a message is in transit. If you do this then it is also likely you’ll invalidate any digital signatures that are applied to the message.
    If you need to add these items to the end of your messages then it should be included in the message at the time it is composed.
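The SPF and SRS items above describe the forwarding problem in words; here it is worked through in an added PowerShell example (mine, not code from the original post), kept offline by reading SPF records from a hashtable instead of DNS. The domains, addresses and SPF records are constructed for the example. Only the ip4: mechanism and the -all/~all/?all terminators are evaluated, which is enough to show the failure, and the SRS hash uses HMAC-SHA256 truncated to four characters where libsrs2 uses HMAC-SHA1; for a real check you would replace Get-SpfRecord with a TXT lookup such as Resolve-DnsName -Type TXT.

```powershell
# Added example (not from the original post): SPF evaluation and SRS rewriting
# with constructed data. Assumptions (labelled): records come from a hashtable,
# not DNS; only ip4: and *all are implemented; SRS hash is HMAC-SHA256/4 chars.

$SpfRecords = @{                                   # constructed: domain -> SPF TXT record
    'domainA.tld' = 'v=spf1 ip4:192.0.2.0/24 -all'
    'domainB.tld' = 'v=spf1 ip4:198.51.100.25 -all'
}
function Get-SpfRecord([string]$Domain) { $SpfRecords[$Domain] }

function ConvertTo-UInt32([string]$Ip) {
    $b = [ipaddress]::Parse($Ip).GetAddressBytes()
    [uint32]([uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3])
}
function Test-Ip4InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    if (-not $bits) { $bits = 32 }
    $hostCount = [uint64]([math]::Pow(2, 32 - [int]$bits))
    $mask = [uint64]4294967295 - ($hostCount - 1)
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Test-Spf([string]$MailFromDomain, [string]$SenderIp) {
    # Returns the SPF result a receiving MTA would compute for this MAIL FROM domain.
    $record = Get-SpfRecord $MailFromDomain
    if (-not $record) { return 'none' }
    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {   # skip 'v=spf1'
        if ($term -match '^ip4:(.+)$') { if (Test-Ip4InCidr $SenderIp $Matches[1]) { return 'pass' } }
        elseif ($term -eq '-all') { return 'fail' }
        elseif ($term -eq '~all') { return 'softfail' }
        elseif ($term -eq '?all') { return 'neutral' }
    }
    'neutral'
}

$SrsSecret = 'constructed-shared-secret'          # constructed; keep a real one out of scripts
function Get-SrsHash([string]$Data) {
    $key  = [Text.Encoding]::UTF8.GetBytes($SrsSecret)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$key)
    [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Data))).Substring(0, 4)
}
function ConvertTo-SrsAddress([string]$OriginalSender, [string]$ForwarderDomain) {
    # SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder>
    $local, $domain = $OriginalSender.Split('@')
    $stamp = (Get-Date).ToUniversalTime().ToString('yyMMdd')      # simplified timestamp
    $hash  = Get-SrsHash "$stamp$domain$local"
    "SRS0=$hash=$stamp=$domain=$local@$ForwarderDomain"
}
function ConvertFrom-SrsAddress([string]$SrsAddress) {
    # On a bounce: verify the hash before trusting the embedded original sender.
    $localPart = $SrsAddress.Split('@')[0]
    if ($localPart -notmatch '^SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)$') { throw 'not an SRS0 address' }
    $hash = $Matches[1]; $stamp = $Matches[2]; $domain = $Matches[3]; $local = $Matches[4]
    if ((Get-SrsHash "$stamp$domain$local") -ne $hash) { throw 'SRS hash mismatch: refusing bounce' }
    "$local@$domain"
}

function Show-ForwardingScenario {
    $sender = 'user@domainA.tld'          # constructed original sender
    $hopIp  = '198.51.100.25'             # domainB.tld's MX, which forwards on to domainC.tld
    $srs    = ConvertTo-SrsAddress $sender 'domainB.tld'
    [pscustomobject]@{
        DirectFromA       = Test-Spf 'domainA.tld' '192.0.2.5'       # pass
        ForwardedNoSrs    = Test-Spf 'domainA.tld' $hopIp            # fail: B's IP is not in A's record
        ForwardedWithSrs  = Test-Spf ($srs.Split('@')[1]) $hopIp     # pass: MAIL FROM is now domainB.tld
        RewrittenMailFrom = $srs
        BounceReturnsTo   = ConvertFrom-SrsAddress $srs              # user@domainA.tld
    }
}
Show-ForwardingScenario
```

The ForwardedNoSrs line is the rejection the SRS item describes, and ForwardedWithSrs shows the cost the Cons line mentions: once rewritten, domainB.tld is the domain being judged, so its reputation is now on the line for mail it did not originate. The hash check in ConvertFrom-SrsAddress is what stops the forwarder becoming a bounce relay for addresses someone else made up.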

By implementing any or all of the above you should find a vast decrease in the quantity of received spam whilst at the same time increasing your reputation with recipients. Not all of these options may be available to you depending on your MTA and your exact requirements, however the good majority should. You’ll find a good deal of further information if you search the web for any of the terms listed above, and likely find many implementation guides and articles.

So what MTA do I use?
I’ve chosen Exim as my MTA of choice. It allows me to implement all of the items discussed in this article, I like its ACL configuration format, and it is highly configurable, allowing many many more tweaks. Maybe that’s one for another blog some time!

James