Friday, December 29, 2006

Firefox, Internet Explorer, and CSS: Never the twain shall meet?

It's been a long while since I designed or created a web page with any complexity, so I've never had to face the browser incompatibility issues. I've always known and at times felt the pain that web designers feel when designing something to look good on both browsers, but the chasm seems to have grown a lot bigger and wider since I last faced such issues.

Playing with Blogger's CSS code over the past few weeks I've realized how difficult it really is. Web pages that look perfectly sane and even gorgeous in Firefox totally melt down in IE! Images align wrong, inline images may display over text, floating sections disappear, column widths don't behave as they should... the list is endless.

If you're using IE to view this blog, you may have come across some of the above issues.

For instance, images placed before a link that look perfectly normal in Firefox end up overlapped by the link text in IE (the two screenshots comparing the rendering are not reproduced here).
One would have hoped IE7 would fix all such issues. I am no CSS/XHTML expert, so I can't really comment on how compliant it is with standards, but the rendering could certainly use a lot more work, imo. If you search the web (check out positioneverything.net), you will come across plenty of information about issues/bugs with the way IE renders stuff, and some workarounds that involve detecting which browser is being used and using a different style sheet for some.

This is not to say Firefox is completely compliant and kosher in its behavior - it just comes across as more elegant than IE with fewer rendering flaws/bugs, imo. On the flip side, I have also seen Firefox totally mess up a page when the same page is rendered just as you'd expect in other browsers, including IE - even if the code doesn't have any IE-specific hacks.

As I attempt to switch to Wordpress over the next few weeks (yes, I finally got Wordpress up and running and it's been the guinea pig for my experiments with CSS :), I will try to ensure the new templates render without any major issues in IE. However, I will continue to use Firefox as the primary browser I test with.

I'm feeling the pain many web developers feel because of such inconsistencies between browsers, and this is just the tip of the iceberg. It would be nice to have both browsers render pages identically, but that seems like little more than wishful thinking at this point.

Having said this, let me add - I continue to use IE7, it's a pretty good upgrade to IE6 and almost essential if you use Outlook Web Access and some Microsoft web sites. (I continue to field arguments to the contrary, and suggestions to use the IE Tab plug-in for Firefox - which I do use, btw - that can render websites you choose with IE's rendering engine in a Firefox tab).

Tuesday, December 26, 2006

Exchange Server 2007 Scriptacular Demo Pack posted

Vivek has posted what he calls the Exchange Server 2007 Scriptacular Demo Pack on his blog. This is a bunch of scripts Vivek & Mihai wrote while Exchange shell was being developed. It contains the out-html, out-ie and out-email scripts from Vivek's blog that I've talked about earlier, and some that I haven't seen before.

Download it from Vivek's blog [ Announcing the Exchange 2007 PowerShell Scriptacular demo pack!].

Wednesday, December 20, 2006

A little bit of Exchange is what I need: Microsoft's Mambo Number 5

Ken Rosen, MCT Worldwide Program Manager at Microsoft, posted this recently on MCT newsgroups. Since it's on YouTube now it's for all to see - Microsoft's Mambo Number 5.

Part of the lyrics can be attributed to Ken. This is from the NT 4.0 days, which seem like a distant memory now. And yes, this does have something to do with Exchange.

For all you current and aspiring MCSEs out there :)
http://www.youtube.com:80/watch?v=voOPHVvIz1Y


Exchange Server 2007: Cross-Mailbox Search Using Export-Mailbox

Exchange Server 2007 includes a much-requested feature: the ability to search for messages across mailboxes and export the matches to another mailbox. You can search all mailboxes for messages containing particular keywords and export those messages to a separate mailbox, which the compliance/legal folks who need access to such messages can then be given access to.

Another scenario where this feature comes in handy: being able to delete infected messages across all mailboxes.

The Export-Mailbox cmdlet exports messages whose subject or body contains user-specified keywords to a specified folder in a target mailbox. Kumar Cunchala from the product team talks about how to do cross-mailbox searches on the team blog.

Before you ask, there's no support for exporting these messages to a PST file yet. You could, of course, connect to the mailbox to which you export these messages and manually copy stuff to a PST using Outlook.
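Here is an added example of the two scenarios above (the compliance search and the cross-mailbox purge) as they would be typed into the Exchange shell. This is not code from the post or from the product team; the mailbox name "DiscoverySearch", the folder names and the keyword values are placeholders, and the parameter names are those of the Exchange 2007 Export-Mailbox cmdlet. Whether multiple keyword filters narrow each other (AND) or widen the match (OR) is something to confirm with a -WhatIf run on your build before trusting it.

```powershell
# Added example (not from the post): cross-mailbox search and purge with Export-Mailbox.
# Placeholders: target mailbox "DiscoverySearch", folder names, keyword values.
$target   = "DiscoverySearch"
$folder   = "Case-2006-12-20"
$subjects = "Project Falcon"
$contents = "wire transfer", "account number"   # matched against the message body

# 1. Dry run first. -WhatIf reports every mailbox the cmdlet would process and copies nothing,
#    so you see the scope (all mailboxes, here) before anything is touched.
Get-Mailbox -ResultSize Unlimited |
    Export-Mailbox -TargetMailbox $target -TargetFolder $folder `
        -SubjectKeywords $subjects -ContentKeywords $contents `
        -StartDate "12/01/2006" -EndDate "12/20/2006" -WhatIf

# 2. Real run. Matching messages are copied into the target mailbox under $folder;
#    the source mailboxes are left untouched. -Confirm:$false keeps it unattended.
Get-Mailbox -ResultSize Unlimited |
    Export-Mailbox -TargetMailbox $target -TargetFolder $folder `
        -SubjectKeywords $subjects -ContentKeywords $contents `
        -StartDate "12/01/2006" -EndDate "12/20/2006" -Confirm:$false

# 3. The "infected message" scenario: copy the hits out first (evidence, and a way back),
#    then remove the originals with -DeleteContent. Matching on the attachment name as
#    well as the subject narrows the hit; a subject alone is easy to collide with.
Get-Mailbox -ResultSize Unlimited |
    Export-Mailbox -TargetMailbox $target -TargetFolder "Malware-2006-12-20" `
        -SubjectKeywords "Your invoice" -AttachmentFilenames "invoice.zip" `
        -DeleteContent -Confirm:$false
```

Two things to keep in mind: the account running this needs access to every source mailbox and to the target (check the permission requirements for your build), and the keyword match is a plain string match, so a campaign that varies subjects will need several passes or a filter on something more stable, such as the attachment name.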

Tuesday, December 19, 2006

Unsubscribe message: we'll never forget you!

Just happened to unsubscribe from a known software company's newsletter/sales pitch, and got this wonderful unsubscribe message... not too sure what to make of this. :)

If you love something, you must set it free; thus, you are completely unsubscribed from the ***** [company name] newsletter.
Though our time together was short, we'll never forget you.
I'm all for poetry and cute unsubscribe messages, but I do want you to forget me - or at least my email address! That's the whole point with unsubscribing!! :)


Grimes Gripes About Backup Software

InfoWorld columnist Roger Grimes gripes about backup software in his Security Advisor column [ "Backup Software: Bah Hambug" on Infoworld.com]. Some of the stuff he complains about are situations we find ourselves in ever so often - the bad tape drives, the dumb backup software that's supposedly getting smarter every day, expensive technical support from backup software vendors, and above all - bad backups!

Grimes believes 20 to 40 percent of backups are bad, and yet a good number of sysadmins at organizations of all sizes continue to back up every day and store those tapes offsite, without ever testing a restore.

On Exchange backups, Grimes says "Want to restore your Exchange server to working condition after a fatal crash? Good luck unless you really knew what you were doing ahead of time, before the crash".

Exchange Server 2007's Database Continuous Replication feature that creates a replica of the Store on another volume of a standalone Exchange server (called "Local Continuous Replication" or LCR), or on the passive node in the case of a clustered deployment (dubbed "Cluster Continuous Replication" or CCR), should go a long way in alleviating those backup woes as far as Exchange is concerned. The ability to switch to a replica of the Store provides an amazing recovery capability without having to look for those backup tapes. In fact, unless you've got the tape with a good backup already loaded in the tape drive or sitting on your desk, you can be up and running before you can even find the tape!

Easy as it is to get excited about continuous replication, it's important to remember that it is not a substitute for a good backup strategy. A replica protects you against a failed disk or server, not against logical corruption or an accidental deletion, which replication faithfully replays into the copy, and it does nothing for retention. What it does provide is the ability to recover quickly without restoring from tape, and it reduces the need for frequent full backups. Additionally, it allows you to perform backups from the replica instead of the production Store that the users connect to, reducing the performance impact of backups.

If you are planning a clustered deployment, CCR provides automatic failover to the replica on the passive node (in case of standalone servers and LCR, switching to the replica is a manual process), and removes the requirement to use shared storage, eliminating the single point of failure common to Exchange clusters before Exchange Server 2007.
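A replica only buys you that recovery time if it is actually healthy, so here is an added example (not from the post or from Microsoft) of the check I would run before counting on it. It uses Get-StorageGroupCopyStatus; the property names (SummaryCopyStatus, CopyQueueLength, ReplayQueueLength) are the ones that cmdlet exposes in Exchange 2007, and the two queue thresholds are my own assumptions to tune for your log volume.

```powershell
# Added example (not from the post): health check of LCR/CCR copies before relying on them.
# Thresholds are assumptions: a growing copy queue means logs are not reaching the replica,
# a growing replay queue means the replica database is falling behind the logs it has.
$maxCopyQueue   = 10
$maxReplayQueue = 50

Get-StorageGroup | ForEach-Object {
    # Storage groups without a copy simply report a non-healthy summary status
    $sg = Get-StorageGroupCopyStatus -Identity $_.Identity -ErrorAction SilentlyContinue
    if ($sg -eq $null) { return }

    $problems = @()
    if ($sg.SummaryCopyStatus -ne "Healthy")       { $problems += "status=" + $sg.SummaryCopyStatus }
    if ($sg.CopyQueueLength   -gt $maxCopyQueue)   { $problems += "copyqueue=" + $sg.CopyQueueLength }
    if ($sg.ReplayQueueLength -gt $maxReplayQueue) { $problems += "replayqueue=" + $sg.ReplayQueueLength }

    # PowerShell 1.0 style object construction (no -Property hashtable yet)
    $o = New-Object PSObject
    $o | Add-Member NoteProperty StorageGroup $sg.Identity
    $o | Add-Member NoteProperty Status       $sg.SummaryCopyStatus
    $o | Add-Member NoteProperty CopyQueue    $sg.CopyQueueLength
    $o | Add-Member NoteProperty ReplayQueue  $sg.ReplayQueueLength
    $o | Add-Member NoteProperty Problems     ([string]::Join("; ", $problems))
    $o
} | Format-Table -AutoSize
```

Run it on the mailbox server for LCR, or against the clustered mailbox server for CCR. An empty Problems column is the precondition for the "switch to the replica" story above; anything else means you are back to the tapes, which is exactly why they still need to exist and be tested.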

Monday, December 18, 2006

Open Relay Database ORDB.org shuts down

After five and a half years, the non-profit organization ORDB is shutting down its DNS service (a Realtime Block List of open relays) and mailing list today, because the general consensus within ORDB is that open relay RBLs are "no longer the most effective way of preventing spam from entering your network".

The ordb.org web site will vanish come December 31st.

If you're using ORDB, the organization recommends removing the ORDB checks from your mail servers. Don't just leave a dead list configured: every inbound connection then waits on a DNS lookup that will time out, and if the domain is ever re-registered, whoever answers for it decides which connections you reject.
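For Exchange Server 2007 (Edge or Hub Transport with the anti-spam agents installed) the removal is scriptable; on Exchange 2003 it's the Connection Filtering tab under Global Settings | Message Delivery. The following is an added example, not from the post or from ORDB: it finds any provider whose lookup domain is under ordb.org, records it, removes it, and then probes the providers that remain. The probe address 127.0.0.2 is the conventional "always listed" test entry most DNSBLs document; check each provider's own documentation, as that is an assumption for any given list. Test-IPBlockListProvider may not be present on every 2007 build; "nslookup 2.0.0.127.<lookup domain>" is the manual equivalent.

```powershell
# Added example (not from the post): retire a dead IP Block List provider and
# verify the remaining ones still answer. Property and cmdlet names are Exchange 2007's;
# the 127.0.0.2 test address is an assumption to confirm per provider.
$dead = Get-IPBlockListProvider | Where-Object { $_.LookupDomain -like "*ordb.org" }

if ($dead) {
    # keep a record of what is being removed (name, lookup domain, priority) before it goes
    $dead | Format-List Name, LookupDomain, Enabled, Priority
    $dead | Remove-IPBlockListProvider -Confirm:$false
} else {
    "No ORDB provider configured."
}

# Every provider still configured should return a listing for the test address.
# One that does not resolve costs a DNS timeout on every inbound SMTP session.
Get-IPBlockListProvider | ForEach-Object {
    "Probing " + $_.Name + " (" + $_.LookupDomain + ")"
    Test-IPBlockListProvider -Identity $_.Name -IPAddress 127.0.0.2 | Format-List
}
```

The same loop is worth running after any provider announces a change of lookup domain, not only a shutdown.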

I used ORDB in its early days (post-Exchange 2000) - they have been providing a valuable service, but as noted on their web site, spammers continue to evolve and are using more sophisticated methods (other than open relays) to send spam, and as such checking for open relays is far less effective. However, this is by no means a verdict against RBLs in general, some of which continue to list known sources of spam or spam operations, compromised hosts, et al (e.g. Spamhaus).

RBLs continue to drop a large amount of spam headed to our mail servers, in addition to other methods.

Sunday, December 17, 2006

Exchange Server 2007 Evals Available in 64-bit & 32-bit versions

Exchange Server 2007 evaluation software is available in both 64-bit and 32-bit versions on microsoft.com (may require registration). The 120-day evals can be upgraded to the full product by entering a license key.

Questions about the 32-bit version continue to be asked in some Exchange forums and public newsgroups. It's important to clarify - yet again - that only the 64-bit versions of Exchange Server 2007 are supported in production. The 32-bit versions are for testing/lab use only.

I would recommend Microsoft include this note on every web page and piece of documentation that discusses system requirements for Exchange Server 2007, and also on the eval download page linked above.

If you would rather play with Exchange Server 2007 without the hassle of setting up a test environment with Active Directory (it requires at least one domain controller), you can download the VHD images that can be used with Virtual Server or Virtual PC, [as I mentioned in this earlier post "Download Exchange Server 2007 virtual machine images"].


Conflicting Mailbox Store Policies

I spent some time (ok, I'll admit - more than "some time"... ) writing a script to get user mailbox storage limits/quotas [an improvement on the script I posted earlier - read previous post "SCRIPT: Show mailbox limits"]. The new script checks users' individual mailbox limits (if these are set in user properties in ADUC). If no individual limits exist, it checks the limits on user's mailbox Store, and also checks if any System Policies apply mailbox storage limits to the Store. If any policies are found, it checks the limits on those as well, and reports on what the user's actual limits are. Something like the Resultant Set of Policies feature/snap-in for Group Policies, for user's mailbox storage quotas.

Out of curiosity (and in an attempt to see if the script breaks), I tried to apply multiple Mailbox Store policies that apply storage limits to the same Store. Almost certain that Exchange System Manager will do no validation if an existing Mailbox Policy is already applied, I was pleasantly surprised to find that it in fact does validate!

When trying to apply a second Mailbox Store policy (with storage limits) to a Mailbox Store that already has such a policy applied, ESM throws up the following error:


At this point, the easy choice is to click on the "Yes" button, but I was still hoping if I selected No the second conflicting policy may be applied :)

No such luck - ESM curtly informs you that the second policy could not be applied "... because you refused to remove the object from the control of conflicting policies."



I can't help but think about all the thought that goes into creating such software - though we all have our own pet peeves and can count the things we don't like about Exchange, for a change it's great to be able to appreciate the things you do like about it. Having worked on a couple of cool software features in Zenprise (stuff I'd love to talk and blog about soon!), I have a new-found appreciation for such thoughtfulness and attention to detail.

This certainly helps me avoid writing another few hundred lines of code to figure out if multiple System Policies for mailbox quotas are applied to a Store, which one has priority and how to make the script figure that out.

As a sidenote, writing a script using VBScript to accomplish something in an Exchange Server 2003/2000 environment seems like a real pain now - given what I accomplished in about 300 lines of code tonight is so easily accomplished using a one-liner in Exchange (2007) shell, and something I do several times a day! (At times just because it's so easy to do, without writing any code! :)

The Exchange shell equivalents:
Get-Mailbox | Select-Object Name,Database,*Quota*
and
Get-MailboxStatistics
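The one-liner shows the raw values; what the VBScript actually computed was the resultant quota. Below is an added example (not from the post) of that resolution for Exchange 2007. It is simpler than the 2003 version because 2007 has no system policies: the effective limit is either the mailbox's own or its database's, and the *Quota* wildcard above already includes the property that decides which, UseDatabaseQuotaDefaults. The property names are those of Get-Mailbox, Get-MailboxDatabase and Get-MailboxStatistics; nothing else is assumed.

```powershell
# Added example (not from the post): resultant mailbox quota for Exchange 2007.
# UseDatabaseQuotaDefaults=True  -> limits come from the mailbox database
# UseDatabaseQuotaDefaults=False -> limits come from the mailbox's own properties
function Get-EffectiveMailboxQuota {
    begin { $dbCache = @{} }   # one Get-MailboxDatabase call per database, not per mailbox
    process {
        $mbx    = $_
        $dbName = $mbx.Database.ToString()          # "Server\StorageGroup\Database"
        if (-not $dbCache.ContainsKey($dbName)) {
            $dbCache[$dbName] = Get-MailboxDatabase -Identity $dbName
        }
        if ($mbx.UseDatabaseQuotaDefaults) { $src = $dbCache[$dbName]; $from = "Database" }
        else                               { $src = $mbx;              $from = "Mailbox"  }

        # null for a mailbox that has never been logged on to; the size columns stay empty
        $stats = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue

        $o = New-Object PSObject
        $o | Add-Member NoteProperty Name             $mbx.Name
        $o | Add-Member NoteProperty Database         $dbName
        $o | Add-Member NoteProperty QuotaSource      $from
        $o | Add-Member NoteProperty IssueWarning     $src.IssueWarningQuota
        $o | Add-Member NoteProperty ProhibitSend     $src.ProhibitSendQuota
        $o | Add-Member NoteProperty ProhibitSendRecv $src.ProhibitSendReceiveQuota
        $o | Add-Member NoteProperty TotalItemSize    $stats.TotalItemSize
        $o | Add-Member NoteProperty LimitStatus      $stats.StorageLimitStatus
        $o
    }
}

# Everything, or narrow the input: Get-Mailbox -Database "EXCHANGE1\Mailbox Database" | ...
Get-Mailbox -ResultSize Unlimited | Get-EffectiveMailboxQuota | Format-Table -AutoSize

# The exceptions are the interesting rows: mailboxes whose own limits override the database's
Get-Mailbox -ResultSize Unlimited | Get-EffectiveMailboxQuota |
    Where-Object { $_.QuotaSource -eq "Mailbox" } |
    Format-Table Name, Database, ProhibitSend, LimitStatus -AutoSize
```

The second query is the audit I'd schedule: a per-mailbox override is how someone quietly ends up with an unlimited mailbox.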

Thursday, December 14, 2006

Exchange Server 2007: Bulk mailbox-enabling users using Exchange Shell

I’d written about how to bulk create mailboxes (including user accounts) from a CSV file [read previous post: Exchange Server 2007: Bulk creation of mailboxes using Exchange Management Shell]. This is in response to the reader who posted a comment asking for a way to mailbox-enable existing user accounts.

First we need to find the users without mailboxes. The get-user command will list all users. The RecipientType property of the user is either User or UserMailbox. As the name clearly suggests, those with UserMailbox as RecipientType are already mailbox-enabled – leaving those with RecipientType User.

We could select (and then mailbox-enable) every user with RecipientType User:

Get-User | Where-Object { $_.RecipientType -eq "User" }

We probably don’t want to do that! So let’s filter these users. If these users reside in a particular Organizational Unit, we can restrict our search to that OU. In this case, we’ll look for users in the OU called “People”:

Get-User -OrganizationalUnit People | Where-Object { $_.RecipientType -eq "User" }

Now we get a list of all users (who are not mailbox-enabled) from that OU. We can further restrict this list to all users who are members of a particular department. Since Sales is our favorite department, let’s pick Sales:

Get-User -OrganizationalUnit People | Where-Object { $_.RecipientType -eq "User" -and $_.Department -eq "Sales" }

Now we’ve got a smaller list of folks – those residing in the People OU belonging to Sales dept. and aren’t mailbox-enabled yet. Let’s go ahead and mailbox-enable these users:

Get-User -OrganizationalUnit People | Where-Object { $_.RecipientType -eq "User" -and $_.Department -eq "Sales" } | Enable-Mailbox -Database "EXCHANGE1\Mailbox Database" | Get-Mailbox | Select-Object Name,WindowsEmailAddress,Database

The above command mailbox-enables these users and outputs a list of their names, default email address, and the mailbox Store on which their mailbox(es) reside.

Similarly, you can also use other user attributes of user accounts like city, state, country, etc. to selectively mailbox-enable users.
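The same procedure end to end, as an added example that is not part of the post: the filtering is moved server-side with Get-User -Filter (an OPATH filter evaluated by Exchange rather than by Where-Object in the shell), the candidate list is shown and dry-run with -WhatIf before anything changes, and the result is read from Enable-Mailbox's own output. The OU, department and database names are the post's placeholders; which properties are filterable with -Filter depends on the build, so if RecipientType is refused, fall back to Where-Object for that one test.

```powershell
# Added example (not from the post): bulk mailbox-enable with a server-side filter and a dry run.
$ou       = "People"
$dept     = "Sales"
$database = "EXCHANGE1\Mailbox Database"

# Server-side filter: only users that are not yet mailbox-enabled and belong to the
# department come back, instead of every user in the OU being fetched and sifted locally.
# The filter is a string so that $dept expands; single quotes around the values are OPATH's.
$candidates = Get-User -OrganizationalUnit $ou -ResultSize Unlimited `
    -Filter "RecipientType -eq 'User' -and Department -eq '$dept'"

"{0} candidate(s) in OU '{1}', department '{2}'" -f @($candidates).Count, $ou, $dept
$candidates | Format-Table Name, SamAccountName, Department, RecipientType -AutoSize

# Dry run: -WhatIf prints what Enable-Mailbox would do for each user and changes nothing.
$candidates | Enable-Mailbox -Database $database -WhatIf

# Real run. Enable-Mailbox emits the new mailbox objects, so no second Get-Mailbox is
# needed; -Confirm:$false keeps the run unattended.
$candidates | Enable-Mailbox -Database $database -Confirm:$false |
    Select-Object Name, WindowsEmailAddress, Database | Format-Table -AutoSize
```

Keeping $candidates in a variable between the dry run and the real run matters: it guarantees the set you looked at is the set you changed, which a pipeline re-queried twice does not.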

The WOW! factor and what really makes it a fun process is the fact that once you get a hang of the syntax and know what you're looking for, the entire process happens really quickly. PowerShell / Exchange shell does to VBS scripts what scripting did to repetitive GUI tasks.

Wednesday, December 13, 2006

Windows Vista RoI: BitLocker drive encryption enough to justify upgrades?

According to analyst Jon Oltsik of Enterprise Strategy Group, Windows Vista's BitLocker drive encryption system provides enough RoI to justify the upgrade for enterprise customers. PC encryption tools have now become a "must-have" and most enterprises are considering deploying such tools.

Standalone drive encryption utilities cost $100-$200 per system in acquisition cost alone. Add to that installation, configuration and ongoing support costs, and the upgrade to Windows Vista - which includes drive encryption (and other security and management features) - begins to look quite attractive. Two caveats before the comparison is taken at face value: BitLocker ships only in the Enterprise and Ultimate editions of Vista, and at RTM it encrypts the operating system volume only, with the keys best protected by a TPM 1.2 chip (a USB startup key is the alternative on machines without one).

More on CNET News.com - "Windows Vista and the secret of full disk encryption".


Exchange Server 2007: How are RBLs performing?

Exchange Server 2007 includes a script that reports on how Realtime Block Lists (RBLs) perform - it provides the number of messages blocked.

The script - Get-AntispamTopRBLProviders.ps1. It's in your \Exchange Server\Scripts folder.

To run it, fire up Exchange Shell:

[PS]D:\Exchange Server\Scripts>.\get-antispamtoprblproviders.ps1

Name               Value
----               -----
Spamhaus SBL-XBL    6626
SORBS                 33
NJABL                  2

The script accepts -startdate and -enddate parameters; without them it reads all the agent logs. By default it lists the top 10 RBL providers. Hopefully you aren't using more than that, but if you are, -top:X (where X is the number of providers you want returned) changes the count; the same switch also lets you ask for fewer than 10.

If you feel like parsing through the log files, the agent logs are located in \Exchange Server\TransportRoles\Logs\AgentLog folder. Update: To find out how to easily manage and filter agent logs, read "Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs".
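If you do want more than the script's totals, the agent logs can be read with Get-AgentLog rather than parsed by hand. Here is an added example (not from the post or from the product) that breaks rejections down per provider per day, which is the view that shows a provider going quiet (a dead list, or one that changed its lookup domain) long before the totals look odd. The assumptions are that the Connection Filtering Agent records a rejection with Reason "BlockListProvider" and the provider's name in ReasonData; look at one record with Get-AgentLog | Format-List first and adjust the two strings if your logs differ.

```powershell
# Added example (not from the post): RBL rejections per provider per day from the agent logs.
# Assumed log fields: Agent = "Connection Filtering Agent", Reason = "BlockListProvider",
# ReasonData = provider name. Verify with one record before relying on the counts.
function Get-RblHitsByDay {
    param([datetime]$start = (Get-Date).AddDays(-7), [datetime]$end = (Get-Date))

    $counts = @{}
    Get-AgentLog -StartDate $start -EndDate $end |
        Where-Object { $_.Agent -eq "Connection Filtering Agent" -and $_.Reason -eq "BlockListProvider" } |
        ForEach-Object {
            # key = "yyyy-MM-dd<TAB>provider"; the tab keeps the two parts separable later
            $key = "{0:yyyy-MM-dd}`t{1}" -f $_.Timestamp, $_.ReasonData
            if ($counts.ContainsKey($key)) { $counts[$key] += 1 } else { $counts[$key] = 1 }
        }

    $counts.Keys | Sort-Object | ForEach-Object {
        $parts = $_.Split("`t")
        $o = New-Object PSObject
        $o | Add-Member NoteProperty Day      $parts[0]
        $o | Add-Member NoteProperty Provider $parts[1]
        $o | Add-Member NoteProperty Rejected $counts[$_]
        $o
    }
}

# Last seven days by default; pass -start/-end to narrow it
Get-RblHitsByDay | Format-Table -AutoSize
```

A provider that drops from thousands of hits a day to zero has not suddenly stopped seeing spam; the lookups are failing, and each failure is a DNS timeout on an inbound connection.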

Other Antispam-related scripts for reporting:
Get-AntispamFilteringReport.ps1
Get-AntispamSCLHistogram.ps1
Get-AntispamTopBlockedSenderDomains.ps1
Get-AntispamTopBlockedSenderIPs.ps1
Get-AntispamTopBlockedSenders.ps1
Get-AntispamTopRecipients.ps1

By default, anti-spam agents are not installed on Exchange Server 2007 servers with the Hub Transport server role - these logically belong on the Edge Transport server. However, if you do not intend to deploy an Edge server, you can install the agents on a Hub Transport server. [Read previous post: "How to install anti-spam agents on Hub Transport server"]

Update 6/15/2007
From answers to the comments below:
Exchange Server 2003 and 2007 expose RBL statistics through performance counters. However, 1) the performance counters are reset when the service is restarted (the SMTP service on 2003, MSExchangeTransport on 2007), so they provide neither historical information nor the rich details that Exchange Server 2007's agent logs provide (for more details on the agent log, read the related post "Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs"), and 2) the performance counters are aggregates; they are not instantiated per RBL/IP Block List provider, so you can't determine the number of messages blocked by each RBL, among other details.

Exchange Server 2003 Performance Counters



In perfmon (report mode), the performance object is MSExchangeTransport Filter Sink. The following RBL-related counters are available for the object:
- Block List DNS Queries Issued
- Block List DNS Queries Issued/Sec
- Connections Rejected by Block List Providers
- Connections Rejected by Block List Providers/Sec
- Failed Block List DNS Queries
- Failed Block List DNS Queries/Sec

Exchange Server 2007 Performance Counters



The corresponding perfmon object in Exchange Server 2007 is MSExchange Connection Filtering Agent. The counters available are limited:
- Connections on IP Block List Providers
- Connections on IP Block List Providers/Sec
- Messages with Originating IP on IP Block List Providers
- Messages with Originating IP on IP Block List Providers/Sec

Tuesday, December 12, 2006

IMF: How to customize NDR message

Do you have IMF setup to reject messages at the gateway? If yes, you can customize the NDR message senders get. Exchange MVP and author of Exchange Server 2003 24Seven (renamed in its second edition to Microsoft Exchange Server 2003 Advanced Administration) Jim McBee shows you how in his post titled "Exchange 2003 SP2 IMF tuning".


MS06-076: Cumulative Security Update for Outlook Express

As part of its monthly security patch releases, Microsoft has published a security bulletin (MS06-076) - a cumulative update for Outlook Express. Even if you use Microsoft Outlook for email and do not use Outlook Express at all, do remember that Outlook Express is installed by default on Windows 2000, XP and Server 2003 (the versions the bulletin covers), so the vulnerable component is present whether or not anyone uses it, and it makes sense to apply this patch.

Details of the vulnerability as published in the bulletin:
Windows Address Book Contact Record Vulnerability - CVE-2006-2386

A remote code execution vulnerability in a component of Outlook Express could allow an attacker who sent a Windows Address Book file to a user of an affected system to take complete control of the system.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Alternatively, if there's a reason you can't or don't want to apply the patch, the bulletin describes a workaround: remove the Windows Address Book (.wab) file association by deleting the .wab subkey under HKEY_CLASSES_ROOT (export it first so the change can be reversed). As a result users will be unable to open address book files by double-clicking them. Note that this only closes the double-click path; the vulnerable code stays on the box until the patch is applied.

Sunday, December 10, 2006

Wordpress, PHP, and MySQL: Yes, it's free if...

I've been toying with the idea of moving this blog to a better publishing platform - I like what I've read about WordPress, I like blogs created/hosted using Wordpress. Certainly seems like a better alternative to Blogger.

After playing with Wordpress (or rather, trying to install WordPress) for a while, I am wondering if it's time to give up yet. Plenty of hours invested/wasted - the classification of wasted or invested depends on the end result, and what you learn in the process. The components: IIS, PHP, mySQL and WordPress. IIS works without any effort. It took a while and few installs to get PHP working using the ISAPI module - this includes an aborted attempt at using the PHP installer for Windows that installs it as a CGI extension. More time spent installing mySQL - a few more cycles of install, test, uninstall, start again. Finally I've got an instance of mySQL to work.

Next stop - Wordpress. The famous 5-minute install routine on Wordpress.org looks interesting. However, it assumes MySQL is happy with PHP - PHP has an extension module for MySQL that needs to work/load before you can do anything with WordPress.

This is where I'm stumped. Wordpress keeps telling me "Your PHP installation appears to be missing the MySQL which is required for WordPress". I've spent time searching the web, trying almost everything I could find. Endless edits of php.ini, copying the mysql extension DLL to several locations, reloading PHP and mySQL more than a few times. No luck yet.

Perhaps all this open source stuff is designed not to play well with Windows (& IIS), forcing you to use other open source stuff like Linux & Apache. :) Is this any different from the commercial software vendors - which sort of compel you to use their entire stack for a particular app or solution to work well, or work at all?

Someone left a comment on the Wordpress.org site about the famous 5-minute install:
"Wordpress famous 5-minute install .. OH YEAH. Just remember the 2 hour install of Apache and php that is a prerequisite. I love computers."

Which sort of summarizes the open source story for me. Not sure who said this, but I always end up remembering it whenever and wherever I come across heated discussions - which don't seem to be as heated as they once used to be - about Windows v/s open source: Linux is free, if your time isn't worth anything.

I would like to make this thing work, because I still like Wordpress. I may even end up giving this a shot with Linux & Apache, when I have a little more time.

A Windows-based solution would've been nice! I would consider buying a Wordpress-like blogging app that works with IIS and MSDE/SQL. Perhaps Wordpress itself should come up with something like this. A Wordpress installer that installs and configures everything required.

There's nothing wrong with the philosophy that things just need to work, without endless time spent hacking it in order to make it work.

Friday, December 08, 2006

Windows Vista and Outlook Web Access

If you're using a version of Windows Vista since Beta 2 (including RTM), the version of IE7 included with Vista does not have or support the DHTML Editing (ActiveX) control that Outlook Web Access uses for composing or replying to messages. As a result, when you try to compose or reply to a message in OWA, the area where you would type the message body is grayed out (like a missing image).

To fix it, install the update in KB 911829 on the Exchange server. It requires Exchange Server 2003 SP2.

Thursday, December 07, 2006

It's Official - Exchange Server 2007 RTMs

It's official now - Exchange Server 2007 has been released to manufacturing, according to (Exchange GM) Terry Myerson's post on the Exchange team blog [read his short post on the team blog titled "Signed off!"].

Congratulations to the Exchange team for pulling off this remarkable release, and releasing the product in 2006!

This release is special for me - I have been involved with it as a part of Zenprise's participation in the E12 (yes, that was the codename) TAP program. Through the TAP program, and other channels, I've come to know many great folks in Exchange who are passionate about the product they build - you can see some of them on this Exchange Server 2007 credits page. :)

Amongst the huge list of features and functionality that Exchange Server 2007 brings, I am most excited about the Exchange shell (the command-line interface built on top of "Monad"/PowerShell), the new Exchange console (won't miss the 20,000 mouse clicks to get to SMTP virtual server), explicit server roles, Database Continuous Replication (LCR & CCR), the shiny new OWA that's even closer to Outlook 2007 client in functionality, and new AD Site-based message routing (... and if you use the Standard Edition - no Store size restrictions!).

I'm positive we'll continue to see Exchange grow in features & abilities, and above all - market share - in the years to come.

Time to get ready for the (Exchange) marketing folks to take over... :)


Update: Zinio Support gets back, fixes broken PC Mag subscription

An update to my previous post about Zinio and the broken PC Mag subscription [Zinio Blues, and a broken PC Mag subscription]. It seems my post got the attention of folks higher up at Zinio. Their support dept. got back to me over the last few days and worked with me to resolve the issue.

Apparently it was as simple as uninstalling and reinstalling the Zinio reader app, but I did do that a few times on my own. Nevertheless, after Zinio got in touch with me and had me do it again, it miraculously worked (gotta love those support incidents that make you feel like an absolute.... user :). I can now access the new issues of PC Mag.

They even offered me a couple of free magazine subscriptions for the trouble.

Note to Zinio: You guys have a great service and I love getting magazines in your format - and being able to keep any number of issues on my hard drive without the paper issues clogging my bookshelf. Please improve your support site. Let users file support tickets - which you do now - much more easily, and even more importantly, let them get back to those tickets just as easily. And if there are issues like these - probably DRM-related, I'm guessing - be pro-active and notify customers or post it on your support site. (If this was already posted, I missed it completely).

Note to Windows IT Pro mag: Couldn't help but add this - after you moved from Zinio to your own web-based format, I'm having a hard time reading it. I've given up reading what many consider to be a well-respected IT journal with great technical content, including some great Exchange-related content that I've enjoyed reading over the years. Not sure why you moved from Zinio to what comes across as a much less capable format!!

Tuesday, December 05, 2006

Should MX record point to CNAME records (aliases)?

Though the practice of pointing MX records to CNAME (alias) records is not that uncommon, it certainly isn't in keeping with internet standards.

When you point an MX record at a CNAME, you're inviting double the DNS traffic for every delivery attempt. Try it by performing a name resolution query using nslookup:

>nslookup -querytype=MX somedomain.com
somedomain.com MX preference = 5, mail exchanger = mx1.somedomain.com
somedomain.com MX preference = 10, mail exchanger = mx2.somedomain.com
mx2.somedomain.com internet address = 64.31.212.21

As you can see from the above query, the record mx1.somedomain.com is not resolved to an IP address. This is because it's a CNAME.

To resolve the CNAME, the sending mail server's resolver has to perform a second query.

Not only is that inefficient, it is in fact explicitly prohibited by RFC 2181.
Section 10.3 of RFC 2181 states:

10.3. MX and NS records

The domain name used as the value of a NS resource record, or part of the value of a MX resource record must not be an alias. Not only is the specification clear on this point, but using an alias in either of these positions neither works as well as might be hoped, nor well fulfills the ambition that may have led to this approach. This domain name must have as its value one or more address records. Currently those will be A records, however in the future other record types giving addressing information may be acceptable. It can also have other RRs, but never a CNAME RR.

Searching for either NS or MX records causes "additional section processing" in which address records associated with the value of the record sought are appended to the answer. This helps avoid needless extra queries that are easily anticipated when the first was made.

Additional section processing does not include CNAME records, let alone the address records that may be associated with the canonical name derived from the alias. Thus, if an alias is used as the value of an NS or MX record, no address will be returned with the NS or MX value. This can cause extra queries, and extra network burden, on every query.

I've always assumed not pointing MX records to CNAME record(s) is merely a best practice or recommendation, and not a requirement. I stand corrected, as DNS geek (Zenprise seems to have more than its fair share of these :) Dmitri pointed out.
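Since the nslookup output above shows the symptom, here is an added example (not part of the post) that turns it into a check you can run against your own domains before someone else's mail server finds the problem for you. It shells out to nslookup, the tool used above, and parses its English-language output with two regular expressions, so those patterns are an assumption tied to that output format (a localized nslookup will need them adjusted); "somedomain.com" is the post's placeholder.

```powershell
# Added example (not from the post): flag MX targets that are CNAMEs (RFC 2181 section 10.3).
# Parsing nslookup's text output is an assumption about its (English) format.
function Test-MxTargets {
    param([string]$domain)

    # 1. collect the MX targets for the domain
    $targets = @()
    $mxOut = nslookup -querytype=MX $domain 2>$null
    foreach ($line in $mxOut) {
        if ($line -match 'mail exchanger = (\S+)') { $targets += $matches[1] }
    }

    # 2. ask for a CNAME at each target; a real host has none, an alias reports its canonical name
    foreach ($t in $targets) {
        $canon = $null
        $cnOut = nslookup -querytype=CNAME $t 2>$null
        foreach ($line in $cnOut) {
            if ($line -match 'canonical name = (\S+)') { $canon = $matches[1] }
        }
        $o = New-Object PSObject
        $o | Add-Member NoteProperty Domain    $domain
        $o | Add-Member NoteProperty MxTarget  $t
        $o | Add-Member NoteProperty IsCname   ($canon -ne $null)
        $o | Add-Member NoteProperty Canonical $canon
        $o
    }
}

# one domain, or a list: "somedomain.com","example.com" | ForEach-Object { Test-MxTargets $_ }
Test-MxTargets somedomain.com | Format-Table -AutoSize
```

Any row with IsCname set to True is an MX record to fix: point it at the A record directly, or create an A record under the MX name.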

Friday, December 01, 2006

Changes to hotfix/patching model for Exchange Server 2007

Microsoft has decided to change the hotfix/patching model for Exchange Server 2007. In the past, if you had a particular issue or came across an error, you looked up the relevant KnowledgeBase article(s) and called PSS for the relevant hotfixes (most hotfixes for Exchange Server 2003/2000 fix a particular issue - Microsoft does not recommend installing a hotfix unless you face the particular issue).

For Exchange Server 2007, a few hotfixes will be bunched up together in an update that (from what I can tell) will be publicly available. Each subsequent update will be cumulative - it will include all updates from the RTM version.

This should make the process of selecting which hotfixes/patches to apply a lot simpler, and perhaps a tad less frequent according to Microsoft. Each update will also undergo more thorough testing. More details in Servicing Exchange 2007 post on the team blog.



IMF: Where's the whitelist?

Another frequently asked question - asked frequently enough to make its way here.

Does Intelligent Message Filter (IMF) v1/v2 provide any way of "whitelisting" sending SMTP addresses or domains? (I will continue to use whitelisting as one word. Though it cannot be found in the dictionary, it is a common term if you're reading this blog and work with messaging/anti-spam - Bharat)

The Sender Filtering feature provides a way to blacklist SMTP addresses and domains, so it's logical to expect a way to whitelist them as well, but no such feature exists - at least not out of the box.

The explanation closest to being reasonable that I've heard: the SMTP envelope sender and the message's From: header can both be spoofed trivially, so a whitelist keyed on them would hand any spammer who guesses (or harvests) a trusted address a free pass around the filter. To a certain extent it's hard to argue with that - it is true, and it is perhaps one of the biggest reasons we have to deal with spam and phishing today.

In absence of a whitelist feature built into IMF, here's what can be done:

1) Global Accept List: Add the IP addresses of the sending hosts to Connection Filtering's Global Accept List (Global Settings | Message Delivery -> Properties | Connection Filtering tab), and enable Connection Filtering on the SMTP virtual server (Properties | General tab | Advanced button next to IP address | select the IP address -> Edit | check Apply Connection Filter). Mail from a listed host then bypasses Connection Filtering (it is accepted even if the host appears on a configured RBL) and IMF as well. Note that the list is matched against the address of the host that actually connects to the SMTP virtual server: if mail from a trusted partner reaches Exchange through a relay or gateway, the entry has to name that relay, and everything else the relay forwards bypasses filtering too.

Rather than whitelisting SMTP addresses and domains, you are telling Exchange that the sending host itself is trusted, i.e. whitelisting the sending host's IP address(es). Arguably this is more effective and more secure than whitelisting addresses and domains: to abuse an IP-based entry an attacker has to actually send from that address, whereas a From address costs nothing to forge. (Also read Alexander Zammit's post regarding issues with having the same IP address on the Global Accept list and on the local IP list.)

Nevertheless, some folks would simply like to have the convenience of whitelisting addresses and domains - almost every other anti-spam tool has it.

2) Custom Weighting: If the messages you want to whitelist contain particular keywords in the subject or message body, you can use the Custom Weighting feature described in the Exchange Server 2003 SP2 Release Notes. It lets you lower or raise the SCL value that IMF assigns to a message.

This entails creating an XML file; the syntax is described in the Release Notes. You can simply copy the sample from the Release Notes and modify it - it is fairly easy to do.

This approach would have been considerably more useful if keywords could also be matched against message headers. I am not sure why headers were left out of the Custom Weighting scan - hopefully I will come across a reasonable explanation for this as well. :)
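To show what Custom Weighting can and cannot do, here is an added example (not code from the original post or from Microsoft) that parses a constructed weighting file and applies it to a few constructed messages. The XML shape, a CustomWeightEntries root holding CustomWeightEntry elements with Type, Change and Text attributes, follows the SP2 Release Notes as I recall them; confirm the element names and the attribute values against your copy of the notes before deploying a real file. The SCL arithmetic is this example's own model of the documented behaviour. The last message illustrates the point made above: the only thing identifying it as trusted is the From header, and Custom Weighting never looks there.

```python
"""Model IMF Custom Weighting (Exchange Server 2003 SP2) on sample messages.

Added example, not code from the original post or from Microsoft. The XML
shape (CustomWeightEntries root, CustomWeightEntry elements with Type,
Change and Text attributes; Type is SUBJECT, BODY or BOTH; Change is MIN,
MAX or a signed integer) follows the SP2 Release Notes as recalled here,
so verify it against the notes before relying on it. The SCL arithmetic
(MIN -> 0, MAX -> 9, integer added then clamped to 0..9, case-insensitive
substring match, first MIN/MAX hit wins) is this example's own model.
"""
import xml.etree.ElementTree as ET

XMLNS = "{http://schemas.microsoft.com/2005/CustomWeightEntries}"

# Constructed weighting file for illustration.
CUSTOM_WEIGHT_XML = """<?xml version="1.0" encoding="utf-8"?>
<CustomWeightEntries xmlns="http://schemas.microsoft.com/2005/CustomWeightEntries">
  <CustomWeightEntry Type="SUBJECT" Change="MIN" Text="[partner ticket]" />
  <CustomWeightEntry Type="BODY" Change="-2" Text="quarterly invoice" />
  <CustomWeightEntry Type="BOTH" Change="MAX" Text="act now" />
</CustomWeightEntries>
"""


def load_entries(xml_text):
    """Parse the weighting file into (type, change, text) tuples."""
    root = ET.fromstring(xml_text)
    return [
        (e.get("Type").upper(), e.get("Change").upper(), e.get("Text").lower())
        for e in root.findall(XMLNS + "CustomWeightEntry")
    ]


def apply_custom_weighting(scl, message, entries):
    """Return the SCL after custom weighting.

    Only the subject and body are scanned. message["headers"] is deliberately
    never consulted: Custom Weighting does not look at headers, which is why
    it cannot be turned into a sender-address whitelist.
    """
    subject = message["subject"].lower()
    body = message["body"].lower()
    for where, change, text in entries:
        hit = (where in ("SUBJECT", "BOTH") and text in subject) or \
              (where in ("BODY", "BOTH") and text in body)
        if not hit:
            continue
        if change == "MIN":
            return 0
        if change == "MAX":
            return 9
        scl += int(change)
    return max(0, min(9, scl))


# Constructed messages; imf_scl is the score IMF itself would have assigned.
MESSAGES = {
    "ticket": {
        "subject": "[Partner Ticket] 4471 escalation",
        "body": "Please look at this today.",
        "headers": {"From": "alerts@partner.example"},
        "imf_scl": 7,
    },
    "invoice": {
        "subject": "Re: report",
        "body": "The quarterly invoice is attached.",
        "headers": {"From": "ap@partner.example"},
        "imf_scl": 5,
    },
    "pitch": {
        "subject": "Limited time",
        "body": "Act now and save!",
        "headers": {"From": "promo@bulk.example"},
        "imf_scl": 3,
    },
    "trusted_sender_only": {
        # Nothing in the subject or body matches; only the From header would.
        "subject": "Hello",
        "body": "See attached.",
        "headers": {"From": "alerts@partner.example"},
        "imf_scl": 8,
    },
}


def score_all(entries, messages=MESSAGES):
    """Map message name -> SCL after custom weighting."""
    return {name: apply_custom_weighting(m["imf_scl"], m, entries)
            for name, m in messages.items()}


if __name__ == "__main__":
    for name, scl in score_all(load_entries(CUSTOM_WEIGHT_XML)).items():
        print(f"{name:20s} SCL {MESSAGES[name]['imf_scl']} -> {scl}")
```

The "ticket" message drops to SCL 0 because of its subject tag, "invoice" loses two points, "pitch" is pinned at 9, and "trusted_sender_only" keeps its original SCL of 8 even though it comes from the same partner address as "ticket". A subject tag that a partner agrees to put on every message is therefore the closest thing to a whitelist this feature offers, and, like any keyword, it is something a spammer can copy.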

3) IMF Tune: If the above methods don't work for you and you absolutely need the convenience of whitelisting addresses and domains, you can look at third-party utilities like IMF Tune from WinDeveloper. IMF Tune is an inexpensive tool that adds important functionality to IMF, bringing it closer to the full-blown anti-spam tool many want IMF to be.

Besides whitelisting, IMF Tune lets you configure a quarantine mailbox (instead of IMF's option to archive mail in the UceArchive folder), set up auto-replies for filtered mail, and strip attachments, amongst other things.

Another likable IMF Tune feature is the ability to insert the SCL value in message headers, which IMF itself does only for archived messages, not for messages delivered to mailboxes. The SCL value is a MAPI property of the message that can be made to show up in Outlook (read 'Exposing SCL (Spam Confidence Level) in Outlook' on the Exchange team blog), but the procedure isn't something most users would want to go through.

Having said this, I have always liked IMF and think Microsoft did a great job by including this - for free - as a web download with IMF v1, and as a part of Exchange Server 2003 SP2 with IMF v2. It serves a useful purpose in many small/SMB deployments where it meets the requirements to a good extent or where resource constraints rule out buying a third-party anti-spam product.

Besides, much as product managers would like otherwise, not every feature can be implemented in any given version, and historically these features/products become much more mature by version 3. (Think of the anti-spam features in Exchange Server 2007 as version 3 of Exchange's messaging hygiene features :).
