Yahoo Mail’s makeover gives it the webmail edge

Support Alert has merged with Windows Secrets

Ian “Gizmo” Richards, left, the former editor of the Support Alert Newsletter, is the new senior editor of a larger, combined publication: Windows Secrets & Support Alert. (This unwieldly name will be shortened after a transitional period.) Merging the two publications into a single effort gives us more free time to write new stuff for you, our readers. All of the old Support Alert articles are now posted at WindowsSecrets.com. See today’s Introduction for details.

As a special get-acquainted gift, all subscribers may download Gizmo’s new e-book: 9 Free Programs Every PC Should Have. You can immediately download and use any of the recommended programs. To get your own copy of this 38-page printable PDF file at no charge, simply visit your newsletter preferences page at WindowsSecrets.com and update your preferences as you wish. You’ll see a download link after you click the Save button.

To get your free bonus: Visit your preferences page

New ways to access all Support Alert information

By Brian Livingston

The Support Alert Newsletter merges today with the Windows Secrets Newsletter, creating an e-mail publication with a combined circulation of more than 400,000.

For you, the best part is that all the great tips, reviews, and news items from the old Support Alert are now posted in one place at WindowsSecrets.com — and we’ve worked hard to make our entire library of content easy for you to browse and search.

Ian “Gizmo” Richards has licensed to Windows Secrets all of the articles that ever appeared in the 159 issues of the Support Alert Newsletter that he published. All of these articles — free and paid — are now part of the WindowsSecrets.com library of content.

You can take advantage of our new information in three ways:

1. Find reviews of the best free software
2. Browse all past issues of the Support Alert Newsletter
3. Search for articles on any topic in our entire library

Find reviews of the best free software

The old Support Alert focused on reviews of free Windows software. This is a new focus of Windows Secrets, too. So we’ve added a “software sidebar” to our Web pages to help you find top products of every type. We’ve organized the most recent reviews into more than 100 categories.

The sidebar shown at right is an example. If clicked, it leads to the actual sidebar on the Windows Secrets home page.

To support our reviews of the best software, Windows Secrets has been adding new columnists who are experts in reviewing both freeware and commercial software.

Our newest contributing editors, Scott Spanbauer and Becky Waring, started writing reviews for us in May 2008. Gizmo, our new senior editor, is adding his own reviews twice a month, beginning in today’s paid content. Each of these reviewers has more than 20 years’ experience with the computer industry.

No, we’re not going to slack off on Windows Secrets’ long-standing coverage of Internet security threats and the problems Windows users are having with Microsoft patches. Adding software reviews to the mix is intended to be an added benefit of your subscription.

Our community of reviewers has already re-examined and updated about a dozen of our 100+ categories of software. By the end of 2008, we will have updated the reviews in at least half of the categories. Within one year, we’ll have updated them all.

I know the reviews will vary in tone until all of the updates are completed. Please forgive us if you find any glitches. For now, I hope you’ll try our links and give us feedback on any categories you’d like our testers to update.

Browse all past issues of Support Alert

Gizmo published thousands of helpful articles — some long, some very short — between Sept. 28, 1998, and July 17, 2008. All of this Support Alert Newsletter content, free and paid, is now posted and searchable at WindowsSecrets.com (see Figure 1).

Figure 1. Every Support Alert Newsletter issue is now posted in the WindowsSecrets.com library, and you can use our specialized interface to see a breakdown of individual articles.

We’ve posted every newsletter from the past 10 years on its own lengthy Web page. And we’ve sorted onto separate pages every individual article from the most recent three years, back to January 2006. This makes it easy for you to jump to exactly the topic you need. (Within the next few days, we’ll finish indexing every individual article all the way back to 2002, when Gizmo promoted himself to editor of Support Alert.)

To browse through previously published articles in back issues of Support Alert, visit the WindowsSecrets.com library.

Search for articles on any topic

Our specialized search engine (see Figure 2) finds every article that closely matches your query. Our results page shows you links to individual articles in most cases. For Support Alert content that’s many years old, we link you at a minimum to the issue that contains the desired article.

Figure 2. You can now search in one place for any article that was ever published in Windows Secrets, Support Alert, or LangaList.

The second tab that’s shown in Figure 2, “All Windows-related sites,” enables you to search all PC tech sites Web-wide, not just the Windows Secrets library. This feature uses a search technology we developed by harnessing the Google API, which is explained in an Apr. 17, 2008, article.

Most of the credit for migrating 10 years of Support Alert content into our library and search index should go to Windows Secrets program director Tony Johnston and Web developer Damian Wadley. Wading through 159 back issues to mark where each article begins and ends were technical editor Dennis O’Reilly and editorial assistants Katy Chenoweth and Pat Milligan.

To use our search engine to find articles, visit the Windows Secrets search page.

All Support Alert paid content is now free

To celebrate the merging of Support Alert and Windows Secrets, we’ve made all of the previously published Support Alert content free to all subscribers. When you browse or search past issues, you’ll see both the free articles and the formerly paid-only articles. This makes the content easily accessible to everyone.

Gizmo himself has converted all of the material on his TechSupportAlert.com wiki to free content. He writes, in the “Support Alert and Windows Secrets are merging” FAQ on his site:

• Will the Tech Support Alert Website Have Premium Content?
  No, all content on Tech Support Alert will now be free and that’s the way it will stay. Current premium subscribers to Support Alert Newsletter will have full access to their premium content from the Windows Secrets Web site.

You can read more about Gizmo’s plans for the merger of the two newsletters in his announcement on July 9, 2008.

Gizmo and our other writers are now working to bring you an all-new crop of timely information on Windows. Our best information, including Gizmo’s new columns, will appear in the paid section of future newsletters.

The paying supporters of Support Alert and Windows Secrets also have access to the paid content from all past Windows Secrets and LangaList articles. This body of work consists of some 2,000 stories we’ve published so far on every conceivable aspect of making Windows do what you want.

If you’re receiving only the free version of the e-mail newsletter, it’s easy to upgrade to the paid version. There’s no fixed fee! We accept any financial contribution of any amount, whatever it’s worth to you. How to upgrade

We’re looking forward to bringing you the best possible research in both our free section and our paid section.

Our software reviews now include relative scoring

The box at right shows a new feature we’re adding to our reviews of free and/or commercial software. When products are reviewed by our writers, you’ll see a relative score from 1 to 100 for each competing offering.

These scores are designed to give you a rough idea of how much better, for the average PC user, the reviewer considers one product over another.

The box at right is a sample. The “more info” link merely leads to the Windows Secrets home page. But the scoring boxes in full reviews will link to a download page or similar.

If a program comes in both a free version and a paid version, you’ll see two scores. If the registered version provides better features, it’ll earn a higher score than the free version. You can choose for yourself whether the additional functionality (which the writer will describe in the body of the review) is worth the price. You may decide that the free version is all you need.

No one expects these scores to be scientifically precise. They’re not benchmarks that we’ve measured to 1/100 of 1 second. They’re the subjective judgment of experts who’ve tested each program. Relative scores are plenty useful when you need a piece of software — quick!

If two programs are rated 80 and 81, you can assume they aren’t very different from each other. But if they’re rated 70 and 90, you’ll know that the reviewer found one to be clearly superior.

Our old friend, Fred Langa, is doing all right

I’ve mentioned the LangaList several times in this space. Fred Langa — the former editor of both the LangaList (1997–2006) and Windows Secrets (2006–2008) — has just sent us a message in a bottle. I’m pleased to report that he’s getting on just fine since he retired earlier this year. In fact, he’s contributed an update on his adventures in a new article today.

When I learned that Fred would write something for us about his new leisure status, he was on a beach in Hawaii. Rough life. I don’t think he rode there from his home in New Hampshire on his motorcycle, either.

I’ve heard from many subscribers who miss Fred’s unique voice. No one feels the loss more keenly than I do. I could always count on Fred to fill his columns with neat tricks and wry humor. But he’s earned the right to take it easy and smell the roses now. We can only hope that Gizmo and our other new columnists will somehow fill his shoes.

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.

Yahoo Mail's makeover gives it the webmail edge

By Scott Dunn As free Web-based e-mail services get better and better, you may soon be able to leave your desktop e-mail apps behind. But which of the Big Three webmail services — Gmail, Hotmail, or Yahoo Mail — has the features that meet your needs?

Get a free e-mail account in an instant

When it comes to Web-based e-mail, we’ve got an abundance of choices. Still, most of us use Google’s Gmail, Microsoft’s Hotmail, or Yahoo Mail.

Recent enhancements to Yahoo Mail give that service most of the best features of Outlook and other desktop e-mail programs. This puts Yahoo Mail a notch or two ahead of both Gmail and Hotmail, though those two services are far from slouches.

All three of the services I tested get your e-mail account running quickly. Signing up requires only some basic information such as your preferred e-mail address, an alternate (existing) e-mail address, your name, and your country of residence.

Hotmail also asks for the state or province you live in, the postal code, and your birth year. Yahoo wants to know your birthday (day, month, and year) and postal code.

Among the more advanced features offered by the services are the ability to search your mail and to link your mail account to a calendar and other ancillary utilities.

Note that Microsoft offers the equally free Live Mail, but this product — and the accessories that come with it — has to be downloaded and installed on your PC rather than working solely in a browser, so Live Mail doesn’t belong in this review.

E-mail has become such an important, idiosyncratic application that most of us have our own must-have features as well as those we can live happily without. Some people use filters religiously while other folks never use them. Other folks might care a lot about page-load speeds but don’t have any use for folders.

The table below will help you decide which features of the three services are most important to you. Each of the offerings has some unique, impressive attributes.

Table 1. No two webmail services offer the same combination of features.

¹Hotmail lets you customize color and layout; Yahoo lets you customize color only.
²Gmail lets you display links to RSS feeds, but you need the separate Google Reader site to see the entire feed.

#1: YAHOO MAIL AND YAHOO MAIL PLUS

Yahoo yields best all-around mail experience

No e-mail application is perfect, but Yahoo Mail provides such a rich environment for my daily communications that I’ve become addicted to the service.

Yahoo Mail’s recent facelift adds some Web 2.0-level functionality, making the service work more like a desktop application. For example, you can single-click to select a message, Shift-click to select a range of messages, and Ctrl-click to choose multiple files one at a time.

Yahoo also lets you drag and drop your selection to custom folders for storage or to the trash can for deletion. Unfortunately, you can’t create nested storage folders, nor can you drag and drop between the mail application in the browser and your desktop as you can to add attachments to Outlook, for example.

Like Hotmail, Yahoo Mail lets you customize the colors of your mail window, but unlike the Microsoft product, you can’t change the location of the Yahoo Mail reading pane, which is always positioned below your inbox.

As in Windows Explorer’s Details view, Yahoo Mail lets you click column headings to quickly sort mail by date, size, subject, and author. The service’s unique flagging feature allows you to arrange messages based on whether they’re flagged or not.

Like the other two services I tried, Yahoo Mail stores your contact info, including multiple phone numbers, addresses, and notes. Yahoo Mail gives you a limited number of canned categories for each entry (for example, five phone numbers plus a pager number). Hotmail offers the same function, but only Yahoo Mail’s Contact list has date fields for birthdays and anniversaries, which are added to your calendar automatically.

Yahoo’s calendar integration is evident in your e-mails as well. The service detects dates and times in your messages and marks the entries with a dotted underline. Hovering the mouse over the text pops up an option for adding the event to your calendar.

It’s often handy to have spare e-mail addresses you can use for registering at shopping sites, for business correspondence, or for personal mail, for example. In addition to yahoo.com, Yahoo Mail now offers two other domains — ymail.com and rocketmail.com — you can choose for your address.

Unfortunately, there is no quick way to jump between multiple accounts in Yahoo Mail. However, Yahoo also offers a paid version, Yahoo Mail Plus (US $20 per year), that provides disposable addresses along with many other added features.

Advertising in the free Yahoo Mail can sometimes be aggressive, with an annoying panel of animated ads popping in from the right. It cost Yahoo some points in my scoring and has probably cost them a few customers as well.

The for-pay Yahoo Mail Plus eliminates these ads and promotional taglines and adds auto-forwarding, POP access, more filters, increased message size limit, and more. You can compare the features of the free and paid versions at the service’s FAQ page.

While none of the three services I tried lets you display more than one message in a single browser window, with Yahoo Mail you can open e-mails in multiple tabs. This lets you switch quickly between open drafts or received messages by clicking the tab for the item you want.

Yahoo Mail’s unique features include SMS messaging and an RSS reader. Unfortunately, the service seems to fail more often than Gmail and Hotmail, at least in the past. Also, Yahoo Mail’s performance isn’t as brisk as competing webmail services.

Still, its wealth of features and its clean and easy interface make Yahoo Mail my webmail choice.

#2: MICROSOFT LIVE HOTMAIL AND HOTMAIL PLUS

Hotmail is more than just another pretty face

With a recently revamped interface, Windows Live Hotmail (formerly Hotmail) is the best-looking of the mail services I reviewed. Not only can you choose a custom color for the interface, you’re also able to change the location of your reading pane by placing it on the bottom or side of the screen.

Hotmail supports the same selection conventions, drag-and-drop, and folder storage features as Yahoo Mail, and the Microsoft mail service lets you sort messages by date, author, subject, and other criteria.

However, unlike the other two services I looked at, Hotmail lets you hide all mail except items with a specific subject or author or items with an attachment.

On the subject of disposable addresses, Hotmail states: “Add up to five of your e-mail addresses. When you use an alternative address, recipients may see the following information: ‘From: realaddress@live.com on behalf of name@example.com.'” Since Hotmail doesn’t hide your real e-mail address, I don’t think this qualifies as a true disposable address.

Nevertheless, having multiple e-mail accounts is much easier to deal with in Hotmail than in the other webmail apps I examined. For starters, you can choose e-mail addresses ending in either hotmail.com or live.com.

Best of all, you can link multiple addresses and jump between them quickly using a pop-up menu on the upper right.

Hotmail’s ability to switch quickly among multiple accounts will make it the best choice for some people. However, the service has some catching up to do if it wants to match the breadth of features provided by competing webmail services.

Like Yahoo Mail, Hotmail has a $20 version that gives you increased storage and attachment size as well as fewer ads and no account expiration. The differences are summarized at the Windows Live Hotmail Plus site.

#3: GMAIL

Gmail is the webmail speed champion

Of the three webmail services I tested, Google’s is the most unique. The differences are apparent from the moment you sign up for a Gmail account. When you do, Google asks you to enable “web history,” which means the company maintains a record of the sites you visit and searches you conduct via its servers.

While your Web browsing and search history may be useful to you, letting this information reside on Google’s servers raises privacy concerns. (It’s also worth noting that Google posts advertising to your Gmail page based on the content of your messages.) Since the Enable Web History option is checked by default during signup, you need to opt out if you don’t want to be tracked.

The differences between Gmail and the competition don’t end with setup. Anyone who has used Gmail is aware of the significant paradigm shift the service represents in terms of how you organize your mail. Gmail eschews the folder-storage metaphor and instead lets you add labels or tags to each message so you can search for it later based on those keywords.

This allows you to “store” mail under multiple labels without having to copy it into multiple folders (which Yahoo Mail and Hotmail won’t let you do, anyway). Arguably, the Gmail approach makes it easier to search for and find mail later, though it makes for a very full — and messy-looking — inbox.

You can also organize your Gmail by using the service’s archive feature (effectively giving you one additional folder besides your inbox) or filters to auto-archive, label, delete, and otherwise process your messages.

Instead of sorting items, Gmail requires that you use its search feature to display a subset of your mail.

Gmail is different in still another way: The service lacks a separate reading pane to let you view your inbox and read messages simultaneously. Also, if you don’t like Gmail’s single pastel color scheme, you’re stuck.

However, Gmail is more flexible in other areas. For example, unlike the contact forms for Hotmail and Yahoo Mail, the handy “add” link following each field on Gmail contact pages lets you create a seemingly unlimited number of text boxes for phone numbers, e-mail and mailing addresses, and other information.

In addition, Gmail’s message-composition window includes an “Add event invitation” feature that schedules your event in your Google Calendar. Recipients who click the Yes, No, or Maybe links in the reply are directed to Google Calendar to register their response.

Although none of the three free services I tried offers truly disposable addresses, Gmail comes closest, letting you create a disposable address by adding the plus sign (+) and text after your name — for example, scott+shoppingsite@gmail.com. The message is delivered to your regular Gmail inbox but is easier to filter.

Note, however, that many Web sites do not accept addresses that include a plus sign, which seriously limits the ability to take advantage of this feature.

Gmail’s performance depends on the speed of your Internet connection and the amount of stuff in your inbox. Nevertheless, it is fair to say that Gmail’s minimal graphical elements and controls make it the speediest mail service of the three I tested.

Gmail is different, but the differences may suit you just fine. And if top speed is what you crave, Gmail is the pacesetter.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

Yes, there is life after e-mail newsletters

By Fred Langa After more than 30 years of battling tech-writing deadlines, I found last May that it was time for something completely different. A hair-raising encounter with a tornado is just one of the adventures I’ve experienced since then.

In and out of the world of Windows

Test, test … is this thing still on? Can you hear me in the back? It’s been a while since I appeared in these pages, but it’s nice to drop in. I thought I’d give you a brief update on what I’ve been doing for the past months since I retired from full-time writing.

With regard to Windows: Like many of you, I’ve experienced some frustrations with Vista. My primary, XP-based PC has several subsystems for which there are no Vista drivers. I can’t upgrade it to Vista without trashing some perfectly good hardware, and I’m not going to do that.

My laptop can run Vista, but it’s just a bit too underpowered to run Vista at a speed I’m comfortable with. After using Vista on it for many months, I finally reverted to XP Pro.

It’s too bad, because I like Vista (it’s visually gorgeous, with a number of useful improvements). But for now, the benefits of upgrading simply aren’t worth the costs to me.

Chasing tornados and video-blogging about it

Most of what I’ve been doing has nothing to do with Windows. For example, this spring I went on a tornado chase in the American heartland and got within about 1,000 feet (300 meters) of a major tornado outside Quinter, Kansas. I posted some videos of our storm chase on Google Video. It’s in segments: parts One, Two, Three, and Four.

There’s more information and links to a ton of still photos (including a real-life encounter with the tank-like Tornado Intercept Vehicle, or TIV, that you may have seen on the Discovery Channel) on a small blog I’ve started.

Those of you who remember the eight-part Housecall series that I published in this newsletter might enjoy reading one of my larger writing experiments: a photo-essay of the rest of the ocean-to-ocean motorcycle trip I took last summer. It’s posted on Adventure Rider, a free motorcyclist site.

Although I’m no longer routinely writing about Windows, I’m very glad Windows Secrets is doing well and growing so spectacularly. Congratulations to everyone involved, especially you, the readers of Windows Secrets and Support Alert, who should benefit from being served by such a large, healthy publication.

If you feel like it, drop by my blog and say “Hi!”

Do you want to buy custom essay online because you feel you are stuck on the process of writing? Is writing an essay on a complicated topic something beyond your understanding? Stop worrying because stablewriters.com is the ultimate source to buy essays or buy term papers perfectly tailored for you. We offer you one of the most reliable, professional writing services you can find today.
Fred Langa was editor and editor-at-large of the Windows Secrets Newsletter from November 2006 to May 2008. He was editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–96), and editor of the LangaList e-mail newsletter (1997–2006), which merged with Windows Secrets.

Schwinn Lake? Gears-elle? Ballet on a bicycle

By Katy Chenoweth The X Games have nothing on this woman! Watch as she tears up the hardwood on her bicycle, which at times seems to be an extension of her body. This incredible clip will leave you in awe of the sheer strength, balance, and skill required for these feats of two-wheeled wonder. Beware! After viewing this amazing stunt you may be inspired to try pedaling your own bike backward on one wheel and with the handlebars between your legs. This clip begs the age-old disclaimer, “Kids, don’t try this at home!” Play the video

Reduce spam using free software

By Ian “Gizmo” Richards Today I’m going to show you a way to reduce to almost nothing the quantity of spam e-mail you receive using free products and services. The technique I’ll outline will not only zap your spam but will let your real mail pass unhindered while imposing a minimal processing load on your PC.

The free and easy way to stop spam cold

Does this sound too good to be true? Well, it’s not. I have long used the very same technique to filter my public e-mail box, which attracts up to 1000 spam e-mails a day. Of these, only three or four manage to creep through to my inbox. Additionally, so few of my real e-mails get falsely classified as spam that I don’t even bother checking my spam box for misplaced mail.

That’s the good news. The bad news is the technique works best for users of Outlook Express, Outlook, and Windows Mail, though it could possibly be adapted to other clients. Webmail users are, unfortunately, out of luck.

The key to the technique is the use of two spam filters rather than one — the filter built into Google’s Gmail service and SPAMfighter. Neither of these filters has the best performance available for detecting spam. However, by chaining them together, their overall spam-detection rate is outstanding.

That’s because each of the two detects spam using a different technique, so the effectiveness is additive rather than overlapping.

When it comes to not classifying your real e-mail as spam, both Gmail and SPAMfighter have outstanding performance. And that, folks, is a very important characteristic for a spam filter. Unless, that is, you enjoy browsing through hundreds of spam e-mails to pick out your missing correspondence.

For tips on keeping spam off your mail servers, see Mark Edwards’s column in today’s content.

Two top spam filters take different approaches

The Gmail filter is based on the well-known Postini filter widely used by corporations. It’s a multifactorial filter that takes into account many different variables to determine whether mail is spam or ham (real mail). It’s normally a commercial service, but by using Gmail you effectively get Postini for free.

In contrast, the SPAMfighter network-based filter uses the judgment of more than five million users worldwide to determine whether e-mail is spam. It’s a commercial service, but if you are a private user and prepared to tolerate a short message promoting SPAMfighter at the end of your outbound e-mails, then you can use it for free.

SPAMfighter is available only for Outlook Express, Outlook, and Windows Mail. Users of other e-mail clients will need to consider a replacement to use as their second filter. I won’t be covering that possibility in this article.

Step 1: Use your webmail as your spam filter

If you already use Gmail as your main e-mail account and you have POP3 access enabled for that account, you can skip straight to Step 2. If you don’t use Gmail, set up an account. It’s simple, it’s quick, and it’s free.

Once you have created your Gmail account, enable it for POP3 access by following these steps described on Google’s site. This is an important step because you’ll use POP3 to retrieve your e-mail from Gmail.

Note that you won’t be using this Gmail account to replace your normal e-mail address but rather as a transit stop. The idea is to funnel the e-mail from your normal account into Gmail and then pick it up from Gmail using your normal e-mail client after it has been filtered at Gmail.

Next, use Gmail’s Mail Fetcher to forward messages from your normal e-mail account to your Gmail account. Google offers step-by-step instructions.

Mail Fetcher works only with e-mail accounts that use POP3. If your normal e-mail account doesn’t have POP3 access, you’ll have to use the settings in your ISP’s e-mail control panel to forward your POP3 messages to your Gmail account.

Figure 1. Set Gmail to retrieve messages from your POP3 account via the service’s Mail Fetcher settings.

Step 2: Install your client spam filters

SPAMfighter’s setup is straightforward; just make sure you close your e-mail client before you start the process. If you run into trouble, consult this tutorial.

Incidentally, for the first 30 days you use the program, SPAMfighter appends no ads to your outgoing e-mail. After that, you can pay U.S. $29 to continue using the program without ads or do nothing, in which case the ads will start appearing. I suggest you opt for the latter.

Once you have installed SPAMfighter, start your e-mail client. If all is well, you’ll see a new toolbar in your e-mail client. Once it’s there, you’re ready for the next step.

Step 3: Tie your POP3 client to your webmail

Google provides excellent POP3 configuration instructions for Outlook, Outlook Express, and Windows Mail.

Do remember that you must have configured your Gmail account for POP3 access.

Step 4: Test your spam double-filter

Now any mail that goes to your normal e-mail account will be redirected to your Gmail account. Also, your e-mail client should have a new account that collects your e-mail from your Gmail account. Your mail will thus be spam-filtered twice: First at Gmail and then again locally by SPAMfighter.

That’s the theory, anyway. Be sure to test the system first by sending an e-mail to your standard e-mail address. Ten minutes later, pick it up from your Gmail account using your e-mail client.

If it’s working, you may wish to disable your normal e-mail account in the e-mail client. If you don’t, you run the risk of picking up your mail before it is forwarded to Google, which defeats the purpose.

Once you have this working, you’ll be delighted with the results. Almost all spam will be eliminated from your inbox yet your real mail will arrive unaffected.

I’ve found the results using this two-filter system to be better than those obtainable using any single spam filter. And the best news is that the technique doesn’t cost a cent.

Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.

New tactics to keep mail servers spam-free

By Mark Joseph Edwards Quirks in the mailer programs spammers use to deliver mail can be turned against the senders. This week, I share with you a little-known technique you can use to block a lot of spam before it ever reaches your mail server.

Simple DNS changes eliminate unwanted junk mail

Spam is — of course — a bane on the Internet. It drags down mail-server performance, puts a large load on mail clients, bothers recipients to no end, and causes us to spend money on antispam tools when that money might be better spent elsewhere.

But all is not lost: A little-known technique helps reduce spam levels on mail servers without costing you anything other than a few minutes of your time. (See Ian “Gizmo” Richards’s Best Software column today for tips on blocking spam from client PCs.)

Spammers typically use a number of tactics to deliver junk mail. Some spammers rely on third-party mail servers that relay mail from any sender (typically called an open relay). Others use computers that have been assimilated into botnets, custom mailer software designed to behave similarly to a regular mail server, or any number of other tactics.

In my battles with the spam that is sent to the domains I manage, I have found that many spammers use custom mailer software. As it turns out, a lot of those custom programs have quirks that we can take advantage of to fight back against the spammers.

Before I explain how to do that, you need to know a little bit about how mail servers deliver messages. When a legitimate mail server tries to deliver mail to a recipient at a third-party domain, it first looks up the mail exchange (MX) records for that domain. The MX records tell the world which mail servers receive mail for the recipient’s domain.

Each MX record is configured with a numeric priority level that determines which is the primary mail server, the secondary mail server, and so on. The lower the priority number, the higher the precedence. For example, an MX record with a priority of 10 takes precedence over an MX record with a priority of 15. That precedence order is the core of the technique I’m about to explain.

The custom mailer software used by spammers typically uses only the mail server with the highest precedence — the one with the lowest priority number. So even if you have five MX records for five mail servers in your domain, the spammers’ mailer software will usually try to deliver mail to only one of them.

If that server doesn’t respond, the mailer software simply drops its attempt to deliver the spam message and moves on to the next recipient on its list.

Conversely, legitimate mail servers will try to deliver the message to the other four mail servers in the order of precedence listed in a domain’s MX records. If none of them responds, or if you have only one mail server — and thus only one MX record — then a legitimate mail server will most likely hold the message and try to resend it for a period of time determined by the mail server’s configuration.

In short, legitimate RFC-compliant mail servers make several attempts to deliver mail, while a spammer’s custom mailer software will likely make only one delivery attempt.

That’s why you can eliminate a lot of spam by using a bogus host name to create an MX record for your domain and give that record the highest precedence by assigning it the lowest priority number. Then give your real mail servers’ MX records a lower precedence than the bogus entry.

Since the fake server will never be reachable, a lot of spam will never be delivered to your domain. At the same time, legitimate mail will make it through as long as the sending mail server adheres to typical SMTP mail-server specifications (nearly all of them follow the specs).

The host name you use for the fake MX record can be any name that does not resolve via DNS. For example, you could create a set of MX records using the names listed below; blackhole.domain.tld is the bogus host name that has no corresponding ‘A’ record (i.e., address record) in DNS, while mailserver1 and mailserver2 are real mail servers.

IN MX 5 blackhole.domain.tld.
IN MX 10 mailserver1.domain.tld.
IN MX 15 mailserver2.domain.tld.

The actual syntax for creating DNS records varies depending on how your DNS tables are configured. The example above provides the gist of what you or your network administrator needs to know in order to make this technique work for you.

I’ve been using this spam-blocking tactic on one of the domains I manage for well over a year and half. It’s important to note that I have not seen any instance where legitimate mail flow was hampered as a result.

Nevertheless, test your own results carefully! If anyone complains that mail they sent to you is bouncing, they’re probably using a noncompliant mail server. Those instances should be incredibly rare, or nonexistent.

The spam levels for the domain I used to test this technique dropped like a rock. Before implementing this method, one particular e-mail address at the domain was receiving more than 1,000 spam messages every day. Shortly after I implemented this technique, the overall spam level dropped by well over 60 percent. Your results for total spam reduction will vary, of course.

If you run your own in-house DNS servers, you (or your network administrator) can configure MX records without much problem. However, if you use a hosting company to handle your DNS, you may have to ask the company to configure the bogus MX record for you, or you might have to use a custom Web-based DNS configuration interface provided by the hosting company.

In the latter case, it may be necessary to trick the interface into allowing you to define a bogus MX record by first creating an ‘A’ record for the bogus host using a bogus IP address.

After doing that, you then define the bogus MX record using that bogus host name. When you’re finished, delete the ‘A’ record, since you don’t want the bogus host name to resolve to any IP address.

Get your PC hacked in no time flat

How long will it take for an unprotected system on the Internet to be hacked by the bad guys? As it turns out, the answer is about 4 minutes, according to Lorna Hutcheson on the SANS Institute’s Internet Storm Center blog.

That presents a pretty big problem because the first thing you should do when you build or buy a new Windows system is to connect to Microsoft’s Web site to install all the latest patches, including any requisite service packs. You’re racing against time the instant you make that initial connection.

This story may give you an idea of how serious this problem is for any operating system (not just Windows): Quite some time ago, my associates and I built a new Unix system. It was designed to be a mail and DNS server for future use.

Once the system was finished, we connected it to the Internet in an office location, using a brand-new Internet link for the first time. It didn’t take long for network scans from bad guys to come pouring in. They soon discovered that lone server sitting idly on the network.

As you probably expect, the hackers immediately tried a variety of exploits to break into the system. However, we had the foresight to address various security issues before connecting that machine to the Internet. As a result, all the break-in attempts failed.

That incident certainly opened my colleagues’ eyes to the very real need to secure a system before putting it online.

So how do you secure a new system — even a little bit — before connecting to the Internet to download updates from Microsoft? The answer is actually rather simple: Install some vital updates before you connect, and make sure you’ve got a good firewall active on the system.

If you’re using XP, don’t rely on that OS’s built-in firewall unless you have no other choice. Instead, use a separate secured computer to download a copy of ZoneAlarm or another third-party firewall. Also download XP SP3 and third-party antivirus software on the other PC, burn all three programs to a CD, and install them on the new system prior to connecting it to the Internet.

Vista’s firewall is a bit better than previous renditions from Microsoft, so you can probably rely on it to keep you safe while you download the updates and other third-party security tools you need. For some pointers on the safe way to get a new Vista PC updated, read the instructions provided by SANS.

And finally, check out SANS’ measurements for system survivability on the Internet.

Spy on network intruders in action

Ever wonder exactly what sorts of attacks are targeted at your network? Finding out can be a real surprise. If you’re among the more technically inclined, consider building a honeypot to catch the bad guys in action.

A honeypot mimics the behavior of genuine systems in order to fool the bad guys into thinking that they’re manipulating a real machine. This tricks the bad guys into revealing their tactics and techniques, which gives you a broader perspective on what you need to do to defend the systems on your network.

Some honeypots are very simple, while others are relatively complex. If you’re comfortable with network administration and have a spare PC with moderate power, install Honeywall, a free toolkit offered by The Honeynet Project.

Honeywall can emulate various systems and services, capture attack attempts, and help you analyze the data it captures to give you a clearer view of what transpired. The program requires at least two, and preferably three, network cards along with at least 6GB of free disk space.

One network card connects to the Internet and a second links to your internal network. Traffic passes between the two interfaces and all activity can be monitored. If you opt to install three network cards on the system, the third card is used by Honeywall’s Web-based management interface. Otherwise, you use a command shell to manage the software.

Anyone familiar with networking concepts will find Honeywall reasonably easy to use. Keep in mind that the program is based on Linux, so you might be in for a bit of a learning curve. Also, the Honeywall install process will overwrite the entire hard disk, so you need to dedicate a disk for its use. There’s a decent user manual that can help you get the program running.

If diving into a Linux-based honeypot is more than you want to tackle right now, there’s an alternative. Some time ago, Niels Provos developed a honeypot called Honeyd, which also runs on Linux. The folks at netVigilance ported Honeyd to Windows and now make WinHoneyd available freely to everyone.

While WinHoneyd is a command-line program, there is a Windows desktop configuration tool that can help you get it going with relative ease if you’re willing to spend $99. Otherwise, you’ll need to edit the WinHoneyd configuration files manually, which isn’t difficult.

You first need to install WinPcap, which is a widely used packet-capture driver. Then install WinHoneyd and edit the program’s configuration to define which network interfaces to use and which system type and services to emulate.

With that done, start WinHoneyD and wait for the bad guys to come calling. You’ll find links to all the required software plus sample configurations and more at netVigilance’s WinHoneyd site.

The best personal firewalls revisited

In my Apr. 17 column, I described the personal firewalls with the best and worst performance. That column discussed research conducted by Matousec, a security consulting and research group named after its founder, David Matousek.

After some testing to determine which firewalls are best at withstanding a variety of security tests, Matousec revealed that the free Comodo Firewall Pro and Tall Emu’s U.S. $40 Online Armor Personal Firewall stopped every attack thrown at them.

Matousec recently updated the results after a new round of testing. This time, Agnitum’s $40 Outpost Pro Firewall came in first, blocking 99 percent of the attacks thrown at it. In second place was Online Armor Personal Firewall (which had a 98-percent rating), coming in third was Comodo Firewall Pro (stopping 95 percent of attacks), and in fourth place was ProSecurity (with a score of 93 percent).

There’s a lot of value in Matousec’s firewall testing. First of all, consumers can get a clear understanding of how well a particular firewall protects a system. Secondly, firewall vendors gain the opportunity to see the weak spots in their products so they can make improvements.

Last but not least, by watching these tests over time to see which products rise and fall through the rankings, we all get a better picture of which companies work hardest to improve their products.

View the complete test results at Matousec’s firewall challenge, where you’ll also find links to various firewalls that were part of the tests. Be sure to read the details about the 10 levels of tests to get a clear understanding of exactly what types of attacks each firewall had to endure.

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

Ill effects of Microsoft's DNS patch linger on

By Susan Bradley The new version of Check Point’s ZoneAlarm firewall solves one problem, but Windows Small Business Server 2003 still needs a patch for the DNS patch. A change in how Windows’ DNS client chooses ports caught ZoneAlarm’s developers — and users — by surprise.

MS08-037 (953230)
Recent patch woes show why I wait to update

The patches Microsoft released earlier this month continue to plague system administrators. Even though Check Point has issued a fix for the ZoneAlarm firewall, Microsoft’s MS08-037 (953230) DNS patch is also affecting Windows Business Server 2003.

The patch changed the way the DNS (Domain Name System) client service selects the ports it uses to connect to the Internet. ZoneAlarm was not prepared to handle this changed behavior. Check Point’s new versions of the firewall program accommodate this change.

Last week, fellow Windows Secrets contributing editor Woody Leonhard took Microsoft to task for this and other patch screw-ups. I continue to recommend that you wait a few days before deploying any patches. This is particularly the case for any computer that you consider critical, such as your one-and-only computer or server. I never activate a patch until after I’ve seen that its implementation is trouble-free.

Even then, I cannot guarantee that you won’t hit some bumps in the road just because everyone else’s systems patched just fine. As always, have a good backup on hand before you update your operating system. I first learned to be wary of patching back in the NT4 era, and my cautiousness has served me well over the years.

MS08-037 (953230)
DNS patch gives some servers the bootup blues

It probably won’t make the folks who got walloped by the ZoneAlarm glitch feel any better, but the DNS patch also smacked some Windows Small Business Server 2003 installations. After installing the patch, they found that random services were not starting. The solution is detailed on Microsoft’s SBS blog.

The problem is due to the servers adding a Registry key called MaxUserPort, which in turn enables the random DNS connections to possibly and accidentally use a port they are not supposed to use.

Add the ports listed in the table below to this Registry key:

HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services Tcpip Parameters ReservedPorts

Table 1. Entries to add to ReservedPorts on SBS 2003 Standard and Premium servers.

Don’t delete any entries already in the key. After you reboot, your network should be back to normal. On the server at my office, the resulting ReservedPorts table looked like this:

Figure 1. Reserved ports needed for SBS 2003 with ISA 2004.

Allow me to reiterate: Be sure to ADD the values in the table above and do not change or remove any other values from that key. If you don’t have the MaxUserPort Registry entry set, don’t make any adjustments.

Security researcher Dan Kaminsky intended that the DNS vulnerability would be discussed in full during the annual Black Hat security convention in August in Las Vegas. However, after the DNS vulnerability was guessed at in various blogs and listserves discussing the issue, several exploits were released to a vulnerability tool called MetaSploit.

What does this mean to you and me? We typically rely on our ISP’s DNS servers to provide the ability for our workstations to resolve the names of Web sites. If your ISP does not patch for this vulnerability, you are at risk.

Dan offers an easy way to test the DNS service provided by your ISP. Using your browser, simply click the Check My DNS button on the right-hand side of Dan’s blog.

If you can’t patch your servers at this time, Heise Security and others are recommending that you use OpenDNS.org’s forwarding service. I strongly recommend that you follow this advice. Change your DNS forwarders from your ISP’s DNS entries — the ones they gave you when you set up your router — and instead point them to OpenDNS. I prefer using this forwarding service because of the additional safety features and filtering it provides.

Details on how to set this up can be found at OpenDNS for your specific router or server. In general, it’s as easy as editing your DNS entries to point to 208.67.222.222 and 208.67.220.220, as shown on the OpenDNS Web site.

MS08-040 (941203)
SQL database upgrades aren’t for the faint-hearted

Microsoft’s DNS patch also sent some SQL databases running on servers and workstations for a loop. While most of the systems handled the most recent SQL update just fine, others balked at installing it.

The SQL server platform that I manage is no exception. For Small Business Server users, Microsoft’s SBS blog describes a situation where a migration from WMSDE (Windows’ internal SQL database) to SQL 2000 has not completed properly. This causes the Microsoft Update site to think that the database is still running the WMSDE version when in fact it uses the SQL 2000 version.

If you are affected by this problem, look for the log files for this patch. All of the SQL log files will start with SQL rather than KB, so it may be easier to sort the C:Windows directory by date to see which files have the date on which you installed the patches.

For SQL 2005 patches, the log files get placed into the following subdirectory:

C:Program FilesMicrosoft SQL Server90Setup BootstrapLOGHotfix

If the log file doesn’t indicate why the patch is failing, call Microsoft support at 1-866-PCSafety (1-866-727-2338) in the U.S. and Canada. For customers in other countries, visit Microsoft’s Help and Support Center.

Windows Update will get an update of its own

For you to get Windows patches, you need the operating system’s plumbing to work. Sometimes the Windows Update mechanism itself needs some tweaking. If you do as I recommend and set Windows Update to “check for updates but let me choose whether to download and install them,” your machine will get the new update pipes. The Microsoft Update blog documents the upcoming patch to Windows Update.

Last September, Scott Dunn’s column described a problem related to a stealth Windows update. It’s my understanding that the company’s impending update tweak will address the problem Scott mentioned, which caused the repair function in Windows XP systems to knock out access to the Windows Update service.

Kudos to Microsoft for being very upfront about this Windows Update update.

Add Windows Search to Microsoft’s update list

Windows Search 4 will soon be released via Windows Update. I’ve been testing the new version on my Vista workstations and have found that the update improves performance.

The Microsoft Update blog indicates that the patch will be released in late July.

Firefox 3 gets a handful of security patches

On the very first day that Firefox 3 was released, security researchers issued warnings about glitches in the browser. Firefox 3.0.1 addresses these issues with fixes for several of the holes described by Incidents.org.

Among the affected products are the SnagIt plug-in and Google Desktop Search, which may crash on startup. The fix in the latter case is simply to reinstall your Google Desktop Search.

Also fixed in version 3.0.1 is Firefox’s phishing and malware database, which previously did not update on first launch.

The time is right for Windows XP SP3… maybe

Is your Windows XP system ready for Service Pack 3? More importantly, are you ready?

Many people have asked for my thumbs-up or thumbs-down on XP SP3. They wonder whether the service pack is finally ready to be deployed trouble-free.

While SP3 updates have gone well in my office, I can’t promise you’ll be as fortunate because no two installations have exactly the same hardware and software configurations.

I would love to give everyone 100% assurance that all of your patching installs will go smoothly, but I can’t. My best advice is to be what I call “issue-ready.”

• Have a backup handy. Either use one of Windows’ own backup tools or disk-imaging software such as Acronis’s U.S. $50 TrueImage (15-day free trial). Other imaging options are Runtime Software’s free DriveImage XML and StorageCraft’s $80 ShadowProtect Desktop Edition (30-day free trial), which I use on key desktops at my office. Consider an online backup service as well.
• Remain calm. Be ready for anything to happen. If you run into issues and your backup doesn’t bail you out, losing your cool won’t help you restore your precious digital data.
• Have another Internet-connected machine close by. Even if you have to borrow your sister-in-law’s laptop, have another way to get to the Internet so you can search for solutions if you encounter a glitch. While Microsoft offers a toll-free support line at 1-866-PCSafety (1-866-727-2338) for people upgrading to XP SP3 in the U.S. and Canada, having an additional way to conduct some on-the-fly research is wise. Customers elsewhere can visit the company’s Help and Support Center.

Windows Home Server corruption bug stomped

After many, many months, the Windows Home Server corruption bug fix has finally shipped and been added to the Power Pack 1 release, as noted on Microsoft’s Windows Home Server blog.

Charlie Kindel, one of the key Microsoft employees behind Home Server, stated in his blog that “the wicked witch is dead.”

While the patch will be available later via Microsoft Update for all Home Server users, I recommend that you download it now.

I just came back from a trip to Disneyland, where the Windows Home Server is part of the Innoventions Dream Home. However, unlike the Monsanto House of the Future that I remember as a kid growing up, the touch-screen light controls, the large-screen TV, the digital picture frame, the Surface/Touch-based dining-room table, and the little HP MediaSmart server running Windows Home Server are all available today.

If only they could build an automatic clothes-picker-upper that would hook into that Home Server, I’d be a happy camper.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.