Over the past month, I've written about how passphrases can improve security and how blacklists can help better determine whether some email messages might actually be unwanted junk mail. This week, I'll discuss a little bit more about both of those topics, beginning with blacklists.

After last week's edition of this newsletter, a few more readers wrote to offer additional insight regarding the use of blacklists. Charles Oriez pointed out that when you have trouble with a given blacklist service because it has inadvertently blocked your network while trying to block some spammer, it's more effective to get your ISP involved. A blacklist provider might not be willing to listen to you or, if it does listen, it might not take any action to help you. However, your ISP might be able to work things out with the blacklist provider. So get your ISP involved.

Another reader raised a related concern about ISPs. Sometimes an ISP is to blame when its network addresses are put on blacklists. If what this reader and other people are telling me is correct, some large ISPs are problematic when it comes to spammers using the ISPs' networks. The problems might be related to the ISPs' acceptable use policies, to downstream ISPs who resell the large ISPs' services, or to other factors I'm not aware of. But in any case, Internet users suffer.

Other readers have suggested that you check out an ISP as thoroughly as possible before you decide to do business with it, and the same holds true for blacklist services. One way to start that process is to use search engines to check the Internet for complaints. But also keep in mind that some people have the mindset of a reckless vigilante. If they receive even one piece of junk mail, they blow a fuse and go into overdrive to do anything they can to get the involved networks blacklisted. And they hurt innocent people in the process. By the same token, there are people with an equally aggressive mindset who run blacklist services. So choose the ISP you use wisely.

We have a nonscientific Instant Poll question on our Web site (which will be removed in a few days) that asks whether you use blacklist services and, if you do, how. Please take a minute to see how others are voting and offer your answer.

If you use Microsoft Exchange Server as your email solution, you might be interested in reading the recent Web chat, "Fighting Spam in the Exchange 2003 Environment," which was hosted by Microsoft. The chat (at the first URL below) offers some insight into the Intelligent Mail Filter (IMF--at the second URL below), which can help reduce unwanted email.

Ron Bradley wrote to offer a tip for Exchange administrators. He said that you should consider taking a look at Vamsoft's Open Relay Filter (ORF) add-on for Exchange. ORF uses multiple filtering methods, including DNS blacklists, reverse DNS lookup testing, and whitelisting, as well as keyword, attachment, and recipient filtering, to help reduce unwanted email. For less than $100 per server, it might be an inexpensive way to improve your mail filtering.
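To show what two of the filtering methods in that list actually do underneath (and how a whitelist overrides a blacklist hit, which is the remedy for the inadvertent-listing problem described earlier), here is an added example in Python. It is not ORF's or Vamsoft's code, and every DNS answer in it is constructed; the zone name dnsbl.example is a placeholder, not a real blacklist.

```python
"""Added illustration of DNS blacklist lookups and forward-confirmed reverse DNS.

1. DNSBL lookup: the connecting IP's octets are reversed and prepended to the
   list's zone name; an A record answer (usually 127.0.0.x) means "listed".
2. Reverse DNS test: the IP's PTR name is resolved back to an address, which
   must match the connecting IP.
All DNS data here is constructed so the example runs offline.
"""
import ipaddress

# Constructed resolver answers (stand-in for real DNS).
FAKE_DNS = {
    # Two addresses listed in the placeholder zone dnsbl.example
    ("10.2.0.192.dnsbl.example", "A"): ["127.0.0.2"],
    ("7.100.51.198.dnsbl.example", "A"): ["127.0.0.2"],
    # A legitimate sender whose PTR resolves back to itself
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.good.example"],
    ("mail.good.example", "A"): ["192.0.2.25"],
    # A host whose PTR claims a name that does not resolve back to it
    ("7.100.51.198.in-addr.arpa", "PTR"): ["mail.good.example"],
    # 203.0.113.9 has no PTR record at all
}


def resolve(name, rtype):
    """Return the answers for (name, rtype), or [] when there is no record."""
    return FAKE_DNS.get((name, rtype), [])


def reversed_octets(ip):
    """'192.0.2.10' -> '10.2.0.192' (validates the address on the way)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    return reversed_octets(ip) + "." + zone


def is_listed(ip, zone, resolver=resolve):
    """A DNSBL lists an address by answering the query with an A record."""
    return bool(resolver(dnsbl_query_name(ip, zone), "A"))


def forward_confirmed_rdns(ip, resolver=resolve):
    """Reverse DNS test: some PTR name must resolve back to the connecting IP."""
    ptr_name = reversed_octets(ip) + ".in-addr.arpa"
    for host in resolver(ptr_name, "PTR"):
        if ip in resolver(host, "A"):
            return True
    return False


def classify_sender(ip, zone="dnsbl.example", whitelist=(), resolver=resolve):
    """Stack the checks the way a mail filter does: whitelist first (so a
    network caught in someone else's listing can still deliver), then the
    blacklist, then the reverse DNS test. Returns a short verdict string."""
    if ip in whitelist:
        return "accept:whitelisted"
    if is_listed(ip, zone, resolver):
        return "reject:dnsbl"
    if not forward_confirmed_rdns(ip, resolver):
        return "suspect:rdns"
    return "accept"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(addr, classify_sender(addr))
    print("192.0.2.10 with whitelist:", classify_sender("192.0.2.10", whitelist=("192.0.2.10",)))
```

The ordering in classify_sender is the important design point: a failed reverse DNS test is treated as suspicious rather than as grounds for rejection, because plenty of legitimate mail servers have sloppy PTR records, whereas a blacklist hit is a positive claim that someone else has verified.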

Now back to the issue of passphrases, which I discussed in In Focus on October 27 (at the first URL below) and November 3 (at the second URL below). As you recall, I wrote about how using longer passphrases instead of shorter passwords can increase security. We ran a poll during that time that asked, "What password length do you enforce on your network?" Eighty-two percent of respondents said that they use short passwords of 14 characters or fewer, 10 percent said they use 15 to 24 characters, and 8 percent said they use 35 characters or more. The poll is closed, but you can view the results on our Web site at the third URL below.

In my editorials about passphrases, I mentioned Jesper Johansson's article series "The Great Debates: Pass Phrases vs. Passwords." The third and final part of the series was published recently. In it, Johansson discusses the need to make passphrases stronger by using nonalphanumeric characters, how to enforce password policies, and interestingly enough, why setting an account lockout threshold is a bad idea.

It's long been common knowledge that using an account lockout policy for bad password attempts can lead to Denial of Service (DoS) on a machine if an intruder (or a user who simply forgets his or her password) repeatedly tries to guess a given logon password. Johansson also says that the average cost for a company to reset a locked account is $70! That's a lot more than I would have guessed.
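To make the lockout problem concrete, here is an added example in Python that models the three Windows account lockout settings (threshold, duration, and the counter reset window) and shows the failure mode: enough wrong guesses against an account, from anyone, and the account's real owner is refused even with the correct password. This is not code from the newsletter or from Johansson's article; the policy values, account name, and timings are constructed for the illustration.

```python
"""Added model of an account lockout policy and the denial of service it creates."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 5           # "Account lockout threshold"; 0 means never lock
    duration: int = 30 * 60      # "Account lockout duration", in seconds
    reset_after: int = 30 * 60   # "Reset account lockout counter after", in seconds


@dataclass
class Account:
    name: str
    password: str                # constructed; a real system stores a hash
    bad_count: int = 0
    last_bad_at: float = 0.0
    locked_until: float = 0.0
    events: list = field(default_factory=list)   # audit trail, like the Security log


def logon(acct, password, now, policy):
    """Process one logon attempt at time `now` (seconds).
    Returns 'ok', 'bad_password' or 'locked_out'."""
    if acct.locked_until > now:
        acct.events.append((now, "locked_out"))
        return "locked_out"
    # The bad-attempt counter is forgotten after a quiet period of reset_after seconds.
    if now - acct.last_bad_at >= policy.reset_after:
        acct.bad_count = 0
    if password == acct.password:
        acct.bad_count = 0
        acct.events.append((now, "success"))
        return "ok"
    acct.bad_count += 1
    acct.last_bad_at = now
    acct.events.append((now, "bad_password"))
    if policy.threshold and acct.bad_count >= policy.threshold:
        acct.locked_until = now + policy.duration
        acct.bad_count = 0
        acct.events.append((now, "lockout"))
    return "bad_password"


def lockout_failure_mode(policy, guesses=5):
    """Run `guesses` wrong passwords one second apart, then let the owner try
    the correct password immediately and again after the lockout duration.
    Returns (owner result now, owner result after duration, number of lockouts)."""
    acct = Account("alice", "correct horse battery staple!")   # constructed
    for i in range(guesses):
        logon(acct, "guess%d" % i, now=float(i), policy=policy)
    t = float(guesses)
    owner_now = logon(acct, acct.password, now=t, policy=policy)
    owner_later = logon(acct, acct.password, now=t + policy.duration, policy=policy)
    lockouts = sum(1 for _, ev in acct.events if ev == "lockout")
    return owner_now, owner_later, lockouts


if __name__ == "__main__":
    print("threshold 5:", lockout_failure_mode(LockoutPolicy(threshold=5)))
    print("threshold 0:", lockout_failure_mode(LockoutPolicy(threshold=0)))
```

With the threshold set to 5, the owner is locked out for the full duration and the help desk has one reset to pay for; with the threshold set to 0 (lockout disabled), the same five bad guesses are logged as bad_password events the monitoring staff can act on, but the owner's correct password still works. The reset window matters too: five wrong guesses spread more than reset_after seconds apart never reach the threshold, which is why the counter and the window are set together.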

Another issue covered in the article is the use of a custom password-filtering DLL. If you're a developer interested in creating one that fits your needs, see the article for numerous links to helpful information.
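As an added illustration of what such a filter checks (not code from Johansson's article or from the Windows SDK), here is a Python stand-in for the check a password-filter DLL performs. A real filter is a native DLL exporting a PasswordFilter function that the Local Security Authority calls with the account name, full name, and proposed password whenever a password is set or changed; the function below takes the same inputs and applies a constructed passphrase policy (minimum length, a nonalphanumeric character beyond spaces, and no account name or name fragments), not the built-in Windows complexity rules.

```python
"""Added Python model of a custom password filter's accept/reject decision."""
import re

MIN_LENGTH = 15                           # constructed policy value
# A "nonalphanumeric" character under this constructed policy; a space alone
# does not qualify, so a plain multi-word passphrase still needs punctuation.
NON_ALNUM = re.compile(r"[^A-Za-z0-9 ]")


def name_fragments(full_name, min_len=3):
    """Pieces of the full name (split on spaces and common separators) that the
    password must not contain; fragments shorter than min_len are ignored."""
    return [p for p in re.split(r"[\s,.\-_#]+", full_name) if len(p) >= min_len]


def password_filter(account_name, full_name, password, set_operation=False):
    """Return (accepted, reason). set_operation mirrors the DLL parameter that
    is True when an administrator sets the password rather than the user
    changing it; this constructed policy applies the same rules either way."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if not NON_ALNUM.search(password):
        return False, "no nonalphanumeric character"
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False, "contains the account name"
    for frag in name_fragments(full_name):
        if frag.lower() in lowered:
            return False, "contains part of the full name: %s" % frag
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("short!", "correct horse battery", "John's long passphrase!!",
                      "my jsmith passphrase!", "correct horse battery!"):
        print(repr(candidate), password_filter("jsmith", "John Smith", candidate))
```

The reason string is for the administrator's log, not the user: Windows only tells the user that the password does not meet policy requirements, so whatever a custom filter rejects needs to be documented somewhere users can find it.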

Until next time, have a great week.