I just blogged this morning about Microsoft Exchange Server 2007 SP1 being released to the MSDN and Technet communities. Exchange Server 2007 is a major upgrade over Exchange Server 2003 with tight integration with Office Communications Server 2007 (OCS 2007), however I have a major complaint. That is - I have been waiting for Microsoft to offer centralized server-based whitelisting challenge-response support in Exchange Server for years and still they haven't added it. I've been on an anti-spam crusade for years. Just check out these posts here, here, here, here, here, and here. Outlook has a client-based whitelist feature, but it is fatally flawed as I wrote about recently.
In case you aren't aware, email whitelists (with challenge-response) enables people in your "allow" list to automatically be routed by your email server directly to your Inbox bypassing all spam filters. If the person is "unknown" a challenge-response email containing a hyperlink with a unique identifier is automatically sent to this unknown person to confirm it's a real person and not a spammer. In cases where you sign-up for newsletters or register on websites with no "live person", you can manually add their domain or their email address to your whitelist.
Now granted, whitelist challenge-response is a guilty-until-proven-innocent scheme that some may find rude, particularly in a business environment where potential customers are looking to do business with your organization. But as spammers continue to find creative ways to bypass keyword filtering by using PDF attachments and image spam, whitelisting will become more popular and even "accepted" as a necessary evil.
One other negative side-effect is that any incoming mail, including spam will generate challenges, which increases the amount of mail that your server has to process. Often spammers forge the "From" address in the mail headers, so the challenges are sent to innocent or non-existent users. If it's a non-existent user, the server will send a bounce-back message which could generate another challenge response resulting in an endless loop. Of course, any challenge-response system should be able to detect System Undeliverable messages and Out of Office messages to prevent these endless loops. Fortunately, many challenge-response solutions are smart enough to filter out many of the addresses whose challenges would be pointless.
One other drawback to challenge-response is if BOTH sides use challenge-response whitelists. You send an email to a friend who sends you back a challenge. However that challenge gets challenged by your challenge-response. Your friend's challenge-response re-challenges your latest new challenge. While the game of one-upmanship challenges continues in an endless loop, neither of you get each other's email. To solve this looping problem the challenge-response system would have to detect that a challenge-response has been already sent to that email address and not send another one until a pre-specified timeout delay has expired - say 1 day. These issues aside, in most cases the advantages of challenge-response outweigh the disadvantages.
There are probably 3rd party solutions that add whitelist support to your Exchange Server, but I doubt they are tightly integrated with Exchange's management interface or Active Directory. So for instance, you couldn't block your sales people from using whitelists, since many organizations would prefer sales people receive some spam rather than turn off potential customers with a whitelist confirmation email. Offering administrative control of whitelist policies is critical to most enterprises. Further, many of the solutions I looked at didn't offer global whitelists. Each person would maintain their own whitelist and an IT administrator couldn't globally allow certain domains or email addresses for the entire enterprise.
Many whitelist solutions I found were hosted solutions where you had to forward your email to the hosted service provider. This requires changing your mail MX record to point to the hosted service provider. The hosted service provider then handles who is in your whitelist and sends out the whitelist confirmation emails. When a person becomes verified the email is then sent down to your email server, typically using POP3. Many organizations are hesitant to have their confidential email go to a third party hosted provider due to security reasons or simply they aren't sure how reliable the provider will be.
There is no reason whitelisting can't be done in-house with some simple software. Essentially all the hosted provider is doing is leveraging a web server, a database of email addresses, SMTP to send email, and POP3. Microsoft Exchange Server already has almost all of these technology pieces. Many Exchange Servers have a web server (i.e. IIS 6.0) for Outlook Web Access (OWA) and almost all have SMTP and POP3 services. The only piece missing is a database to manage whitelists. How hard is that for Microsoft to add?
Microsoft could leverage SQL Server for storing whitelist information or the Exchange Information Store itself. Further, since the emails are being sent through the Exchange Server, the Exchange Server can automatically detect & add the email addresses for any sent emails to the whitelist. Over time, the database for that enterprise's whitelist will become more accurate and negate the need to generate a challenge-response email saving on the email server's resources and bandwidth.
Please Microsoft, I'm begging you - add challenge-response to Exchange Server with a nice centralized admin tool so IT managers can manage corporate-wide whitelists and whitelist policies. Help us to win the war on spam.
android apple asterisk at&t blackberry cell phone cisco dell digium e911 facebook fcc google google talk gps im ip-pbx ipad iphone ipod itexpo ITEXPO lync microsoft mobile phone open source outage phone review sip skype sony unified communications verizon video video conferencing voip vonage wireless xbox 360
- Apple (280)
- Bittorrent (2)
- Call Center and CRM (48)
- Computer Hardware (183)
- Computer Software (71)
- Gadgets (650)
- Google (225)
- Home Entertainment (263)
- Internet (173)
- Linux (111)
- Microsoft (376)
- MovableType (48)
- News (187)
- Personal and Humor (118)
- Politics (9)
- Reviews (246)
- Security (2)
- Social Networking (42)
- Sports/Outdoor Technology (9)
- Tablets (32)
- Technology and Science (355)
- Unified Communications (471)
- VoIP (2285)
- Wireless (584)
- p2p (20)
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005
- August 2005
- July 2005
- June 2005
- May 2005
- April 2005
- March 2005
- February 2005
- January 2005
- December 2004
- November 2004
- October 2004
- September 2004
- August 2004
- July 2004
- June 2004
- May 2004
- April 2004
- March 2004
Featured Videos