Restricting Message Size for Everyone Except a Select Few Users in MDaemon

Recently, one of our customers asked the following question:

“How do I restrict messages to 2MB for inbound and outbound mail – for all users except a small group of users?”

In MDaemon, this can be done via the Content Filter (located under the Security menu). Simply follow these easy steps:

  1. Add the users who will not be subject to the size restriction to a group via Accounts | Groups & Templates.
  2. Go to Security | Content Filter and create a new rule.
  3. In the left-hand “Conditions” column, check the box “If MESSAGE SIZE is greater than.”
  4. In the right-hand “Actions” column, check the box “DELETE the message”, and also check the box “Send a NOTE 1 to.”
  5. In the bottom section, click on the blue text “is greater than 10K” and enter a value in KB (2000 KB, for example), and then click OK.
  6. Click on the blue text “Specify Information” next to “and send note 1.”
  7.  In the new window, enter $SENDER$ in the To field, adjust the subject if desired, and enter a message in the main window, such as “Sorry, your message has exceeded the allowed size limit.”
  8. Click OK to save your progress.
  9. Give your new rule a name in the “Name this rule” field at the top, and click OK to save the rule.
  10. Now, we need to create a new rule to skip the size limit rule for members of the group we created in Step 1. Click on New Rule.
  11. Give your rule a name.
  12. In the left-hand “Conditions” column, check the boxes “If SENDER is a member of GROUP” and “If RECIPIENT is a member of GROUP.”
  13. In the box below, click on the blue “specific group name” text for each item, and select the group you created in Step 1. Do not change the word “or” to “and.”
  14. In the right-hand “Actions” column, check the box “SKIP the next ‘n’ rules.”
  15. Click the blue text “Specify Information” in the bottom section, and verify that it has “1” specified under “Skip over how many rules?”
  16. Click OK.
  17. Save your new rule.
  18. Back on the main Rules screen, highlight the last rule you created, and click the “Move up” button to move it above the size limit rule we created previously.
  19. Click OK to exit the content filter.
Here are screenshots of these rules:

Screen1

Screen2

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

As a reminder, you can view our webinars and tutorial videos on our YouTube channel. Is there a topic you’d like to learn more about? Let us know in the comments section below!

 

 

 

10 Ways to Reduce Spam in Your Inbox

SpamBefore the invention of email, mail that arrived in your physical mailbox often contained pamphlets, sales brochures, credit card offers, and product catalogs. Much of this waste was thrown away and ended up in a landfill somewhere. Today, the equivalent and often more annoying nuisance is spam. Spam comes in many forms. Some examples include dubious product claims, miracle supplements, conspiracy theories, and offers of easy money.

Spam statistics are staggering. More than 100 billion spam messages are sent every day, representing around 85 percent of global email traffic.

So what can be done about this spam epidemic? There are numerous spam fighting tools in MDaemon and other mail servers, but server-side tools are only half of the spam-fighting equation. The other half is user education. With this in mind, here are 10 things users can do to reduce the amount of spam they receive.

  1. Unsubscribe – How often have you been asked by a store clerk for your email address or placed an order online? In either of these situations, chances are you may have ended up on a company’s mailing list. When you receive email from these companies, take the time to open the message and click on the Unsubscribe link. But first, make sure the email is in fact coming from a reputable company. If you’re not completely sure where the email came from, then report the message as spam instead of unsubscribing.
  2. Create a secondary email account – While we’re on the topic of retailers having your email address, you might also consider having a second email address that’s used solely for the purpose of store records or placing orders. This allows you to keep solicitations from these vendors out of your primary inbox.
  3. Keep your email address private – If your email address is visible on social networking sites like Facebook or Twitter, then it’s also visible to spammers. Spammers have tools that can easily detect visible email addresses and add them to their mailing lists. This is why it’s often recommended that, if you MUST use your email address on one of these sites, you mask it by changing its format. For example, type out “at” instead of using the “@” symbol.
  4. Before you join a list, make sure the list owner cannot sell your email address – If the list you’re joining has a privacy policy, read it thoroughly and make sure your information cannot be sold to a third party.
  5. Don’t reply to ANY spam or unsolicited marketing messages – Most spam messages use forged sender (return-path) addresses, so replying to a spam message will almost never result in the spammer getting your message. Replying to legitimate marketing messages tells the sender that your email address is valid, and thus, they may continue to send you spam.
  6. Never click on links – Often, when you click on a link in a spam email, it specifically identifies you to the spammer as having received the message. Not only can clicking links in spam messages identify you to the spammer; you can also end up getting infected with malware.
  7. Block Images – Even if you don’t click any links, an image opening in your email can alert spammers to a valid address. Spammers often try to be stealthy by inserting images that are only one pixel wide. If your mail client is configured to automatically open images, spammers can be alerted that your email address is valid. We recommend configuring your email client to automatically block images to reduce spam. You can always choose to view images in specific emails if you are sure the sender and content are legitimate.
  8. Make your email address unique – Spammers often use common names to try to guess email addresses. If your email address is unique, it makes it harder for spammers to guess your email address.
  9. Don’t fall for scams – If you receive an anonymous email from someone who appears to be in dire need, who promises you large sums of money for your small up-front investment, you may be witnessing the familiar Nigerian email scam, or one of many other variants. What are the odds that someone you’ve never met, who’s in a desperate situation, would contact you for help? Don’t fall for this scam.
  10. Never forward email from someone you don’t know – I often see email messages with some type of public service announcement, petition, or other bit of advice, and often, there’s a request to forward the message to your friends. Don’t fall for this, as it’s a prime opportunity for spammers to harvest email addresses.

Blocking junk email is not just the job of the mail server administrator. A well-informed email user can mean the difference between spam that is manageable and spam that is out of control. These ten tips will help you reduce spam, and help prevent you from becoming a victim to phishing or malware.

Encryption Options for Keeping Your Private Email Messages Safe

Email encryption options with MDaemonIs your company prepared for the next big data breach? According to a study by Ponemon Institute, which surveyed 567 executives in the United States on how prepared they think their companies are to respond to a data breach, the following findings were made:

  1. Most respondents believe their companies are not prepared to deal with the consequences of a data breach.
  2. Most companies have data breach response plans, but they are ineffective.
  3. Data breach response plans are often not effective because they are not reviewed in a timely manner.
  4. Data breach detection technologies are rarely deployed.

Also, consider these startling enterprise email security statistics from Virtru’s blog:

  1. 87% of senior managers upload business files to a personal email or cloud account.
  2. Email malware creation is up 26% year over year, with 317 million new pieces of malware created in 2014.
  3. Hackers targeted 5 out of 6 large companies using email attacks last year — an annual increase of 40%.
  4. Cybercrime has a 1,425% ROI.

With the proliferation of data theft and compromised systems, more companies are addressing data privacy concerns via a renewed focus on security and encryption technology.

To address these data privacy and security concerns, MDaemon administrators and users have three options for keeping confidential email messages and attachments secure – SSL/TLS, Virtru, and OpenPGP. When an email message is sent, SSL or TLS is used to encrypt the connection from the mail client to the server or from the sending mail server to receiving mail server. Virtru provides end-to-end message and attachment encryption, and OpenPGP provides server-side encryption and key management as well as client-side encryption (when used with an OpenPGP plug-in on the mail client).

Encrypting the Connection with SSL or TLS

When you use POP or IMAP to retrieve your email messages, your username and password are transmitted in clear-text across the internet. This means that anyone using the same network or wireless connection as you, or anyone who has access to internet traffic at your ISP, can potentially intercept your data and read your login credentials. A hacker with malicious intent can then read your email, steal confidential information, or send out thousands of spam messages from your account. Your email credentials are valuable to spammers because the success rate of their solicitations is much greater than if they had simply forged the return-path of the message (which is characteristic of most spam messages).

One method for preventing hackers from being able to “sniff out” private data that’s in transit over the network is to use SSL or TLS. SSL and TLS are methods for encrypting the connection between two mail servers (SMTP) or between the mail server & mail client (POP & IMAP). In other words, the communication channel is encrypted – not the email message itself. A good explanation of SSL can be found here: https://www.digicert.com/ssl.htm

Normally, SMTP traffic is sent from client-to-server or server-to-server over port 25, but if you’d like the SMTP connection to be encrypted using SSL, by default you can configure your mail client to send outbound SMTP traffic over port 465, and you can also configure MDaemon or SecurityGateway to use port 465. Likewise, the default POP3 SSL port is 995, and the default IMAP SSL port is 993.

This knowledge base article contains instructions for configuring SSL features for SMTP, POP, and IMAP for MDaemon.
http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=841

This knowledge base article explains how to configure SSL features for SMTP & HTTP in SecurityGateway:
http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=481

When SSL or TLS is used, the data itself is not encrypted, but the connection is. If you’d like the data itself to be encrypted, then continue reading for how to encrypt email messages and attachments using Virtru and OpenPGP.

Client-Side Message & Attachment Encryption with Virtru

While SSL & TLS encrypt the connection, Virtru (included with MDaemon) encrypts the actual email message. Virtru provides end-to-end encryption – meaning the message is encrypted on the sending client and decrypted on the receiving client. Messages encrypted via Virtru are stored in their encrypted state on the server and cannot be decrypted without the proper keys. Virtru is included with MDaemon.

Click here for more information on Virtru.

Server-Side Message & Attachment Encryption with OpenPGP

With OpenPGP, messages are encrypted on the server, but they can also be encrypted on the mail client if an OpenPGP plug-in has been installed. The MDaemon administrator enables the OpenPGP features, creates public & private keys for users, and selects users who are allowed to use OpenPGP. Use the MDPGP configuration screen (located under the Security menu) to configure automatic encryption & key exchange, encryption key size and expiration, and to import keys. You can also create content filter rules to encrypt messages that meet specific criteria using OpenPGP.

This knowledge base article contains step-by-step instructions for enabling MDaemon’s OpenPGP features, configuring who can use it, and creating public & private keys for users.

Are These Features Easy to Use?

SSL and TLS are enabled by simply enabling the SSL ports on the mail server and configuring your mail client to use the SSL ports.

With Virtru, you’re up and running by simply enabling the feature in WorldClient. When you enable Virtru in WorldClient, your request is first sent to Virtru for processing. Within seconds, you’ll receive a pop-up message indicating that Virtru is now ready to start encrypting and decrypting your messages and message attachments. It’s that simple!

And for OpenPGP, options are available to help automate the encryption, decryption, and key import/exchange processes.

Conclusion

To recap, SSL & TLS can be used to help prevent eavesdropping on your email communication channel by encrypting the connection, while Virtru & OpenPGP can be used to help keep your email messages safe from unauthorized access by encrypting the actual email messages and attachments. Together, these security measures help to ensure that your confidential business data remains safe from unauthorized access.

Are you ready to ensure your important business communications are safe from prying eyes? Then download MDaemon and get started with SSL, Virtru, and OpenPGP!

18 Email Safety Tips Every User Should Know

danger_phishing_scam_sq_1000

As mail server administrators, we may have extensive knowledge on how to use email safely and securely, but what about end users? You do everything you can to block spam & malware, but if you don’t educate your users and one of them clicks on a link in a spam message, your network can be made vulnerable. Consider these recent cases that could have been avoided if users were armed with the right information to identify phishing scams and other threats.

  •  CEO fraud (a scam in which the attacker spoofs the boss or CEO in order to trick someone into wiring funds to the scammer) and W-2 Phishing (in which scammers impersonate the boss in order to get access to employee tax forms) are being combined in new & more widespread attacks.
  • A malware development team known as The Dukes may have been responsible for targeting think tanks and NGOs in multiple spear phishing attacks. These attacks purported to be from individuals at Transparency International, the Center for a New American Security (CNAS), the International Institute for Strategic Studies (IISS), Eurasia Group, and the Council on Foreign Relations (CFR). In addition to these spear phishing attacks, other attacks included less-targeted spam email blasts that contained Word or Excel documents. The recipient is instructed to enable macros which, when enabled, allow hackers to automatically download and run malicious code.
  • Toy maker Mattel was hit with a phishing email requesting a new vendor payment to China. Their finance executive received the phishing email claiming to come from their new CEO. Standard protocol required two high-ranking officials to approve of these types of transactions. Because the finance executive and the CEO both qualified as high-ranking officials, she approved the transaction and wired over $3 million to the Bank of Wenzhou, in China. You can read more about this story here.

These are just a few high-profile incidents among many others that could have been prevented if the user had been better informed on email safety and security.

Email security isn’t just the email provider or administrator’s responsibility. It’s everybody’s responsibility. Here is a list of safety tips all mail server administrators should share with their users to help keep spam & malware to an absolute minimum

  • Change your password often.
  • Use strong passwords. Never use a password that contains “password” or “letmein”.
  • Use a different password for each of your accounts. If you use the same password for your bank account as you do for your email account, you become much more vulnerable to data theft.
  • Don’t open an attachment unless you know who it is from & are expecting it.
  • Be cautious about email messages that instruct you to enable macros before downloading Word or Excel attachments.
  • Use anti-virus software on your local machine, and make sure it’s kept up-to-date with the latest virus definitions.
  • If you receive an attachment from someone you don’t know, don’t open it. Delete it immediately.
  • Learn how to recognize phishing
    – Messages that contain threats to shut your account down
    – Requests for personal information such as passwords or Social Security numbers
    – Words like “Urgent” – false sense of urgency
    – Forged email addresses
    – Poor writing or bad grammar
  • Hover your mouse over links before you click on them to see if the URL looks legitimate.
  • Instead of clicking on links, open a new browser and manually type in the address.
  • Don’t give your email address to sites you don’t trust.
  • Don’t post your email address to public websites or forums. Spammers often scan these sites for email addresses.
  • Don’t click the “Unsubscribe” link in a spam email. It would only let the spammer know your address is legitimate, which could lead to you receiving more spam.
  • Understand that reputable businesses will never ask for personal information via email.
  • Don’t send personal information in an email message.
  • Don’t reply to spam. Be aware that if you reply to a spam email, your reply most-likely will not go back to the original spammer because the FROM header in the spam message will most-likely be forged.
  • Don’t share passwords.
  • Be sure to log out.

In many ways, your network is only as strong as its weakest link. Don’t be that weak link. In addition to the tools administrators use to keep unwanted threats out, user education is key to keeping your network secure.

Follow These 13 Tips to Avoid Being Blacklisted

Tips to Avoid Being BlacklistedWith the prevalence of spam circulating the globe in massive amounts, it becomes increasingly important for administrators to understand the potential causes of their IP address ending up on a blacklist. Spammers employ all kinds of tricks to try to send out as many spam messages as possible without revealing their identities. They do this through various techniques such as social engineering, employing malware, botnets, forging of message headers, and exploiting weaknesses in email systems or network infrastructures. For the spammer, it’s basically a numbers game. It costs next to nothing to send out thousands of spam messages, and if even a small handful of people click on a link or purchase a product advertised in a spam message, the spammer can profit. If your email infrastructure is not properly secured, then you risk being infected with malware and becoming part of a spam botnet. Even if your server is not infected with malware, if your firewall and mail server security settings are not configured properly, your IP address could wind up on a blacklist. To protect yourself from being blacklisted, consider the following recommendations:

  • Require strong passwords – It is common for spammers to perform dictionary attacks on mail servers. A dictionary attack uses a large list of words that are commonly used as passwords to try to guess a password and take over an account. To combat this, your users should always use strong passwords. Passwords such as “password1” should be avoided. Users should use passwords that contain both uppercase and lowercase letters, numbers, and symbols. In MDaemon, you can require strong passwords via the Accounts | Account Settings | Passwords menu.
  • Require SMTP Authentication – We recommend requiring all users to use SMTP authentication. In MDaemon, go to Security | Security Settings | Sender Authentication | SMTP Authentication. Then, check the box “Authentication is always required when mail is from local accounts.” Make sure “…unless message is to a local account” is unchecked. In SecurityGateway, these settings can be found under Security | Anti-Abuse | SMTP Authentication.
  • Do not allow relaying – Relaying occurs when mail that is neither to nor from a local account is sent through your mail server. It is very common for spammers to exploit open relays; therefore, you should ensure that your server does not relay mail. In MDaemon, go to Security | Security Settings | Relay Control, and check the following three boxes:

–          Do not allow message relaying

–          SMTP MAIL address must exist if it uses a local domain

–          SMTP RCPT address must exist if it uses a local domain

We do not recommend checking the exclusion boxes on this screen.

In SecurityGateway, these settings can be found at Security | Anti-Abuse | Relay Control.

  • Make sure you have a valid PTR record that matches your outbound public IP to your mail server name or fully qualified domain name or FQDN (mail.example.com). Your ISP can create this record for you. A PTR record allows receiving servers to perform a reverse DNS lookup on the connecting IP address to verify that the server name is actually associated with the IP address from where the connection was initiated.
  • Set up an SPF record – SPF (Sender Policy Framework) is an anti-spoofing technique that determines if an incoming email from a domain was sent from a host that is authorized to send mail for that domain. This is basically the opposite of an MX record, which specifies hosts that are authorized to receive mail for a domain.
  • Configure the IP Shield – IP Shielding is a security feature that allows you to specify IP addresses or IP address ranges that are allowed to send mail for a particular domain.  You should configure your IP shield to only accept mail from your local domain if it came from an authorized IP address (such as one on your local network). This feature can be found under Security | Security Settings | IP Shield. For your users who may be sending email from outside of your network, you can configure exceptions by checking the box “Don’t apply IP Shield to authenticated sessions.” In SecurityGateway, the IP shield can be found under Security | Anti-Abuse | IP Shielding.
  • Enable SSL – SSL (Secure Sockets Layer) is a method for encrypting the connection between a mail client and the server. In MDaemon, go to Security | Security Settings | SSL & TLS. Click on MDaemon, and check the box “Enable SSL, STARTTLS, and STLS.” Also, make sure you have a valid certificate in the blank below. More information on configuring SSL can be found in this knowledge base article:
    http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02305

Make sure all mail clients are communicating with the mail server over the SSL ports (587 – MSA, 465 – SMTP, 995 – POP or 993 – IMAP).

In SecurityGateway, these settings can be found under Setup/Users | System | Encryption.

  • Enable Account Hijack Detection – The account hijack detection feature can be used to limit the number of messages an account can send in a given period of time. This feature applies to authenticated sessions only, and is used to prevent a compromised account from being used to send out massive amounts of spam and risk getting your server blacklisted. In MDaemon, this setting can be found under Security | Security Settings | Screening | Hijack Detection. In SecurityGateway, it can be found under Security | Anti-Abuse | Account Hijack Detection.
  • Enable Dynamic Screening – Similar to account hijack detection, dynamic screening can be used to block connections from IP addresses based on the behavior of activity coming from those IPs. For example, dynamic screening can be used to block connections from IPs that fail a specified number of authentication attempts, or IPs that try to connect a specified number of times in a given period of time. In MDaemon, this feature can be found under Security | Security Settings | Screening. In SecurityGateway, it can be found under Security | Anti-Abuse | Dynamic Screening.
  • Sign Messages with DKIM – DomainKeys Identified Mail (DKIM) helps protect email users against email address identity theft and email message content tampering. It does this by providing positive identification of the signer’s identity along with an encrypted “hash” of the message content.  With DKIM, a private & public key are created. The public key is published to the signing domain’s DNS records, and outbound messages are signed with the private key. The receiving server can then read this key from the DKIM-Signature header of the message, and then compare it with the public key in the sending domain’s DNS records. For more information on DKIM signing in MDaemon, please see the following knowledge base article: http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=KBA-02577. In SecurityGateway, these settings are located at Security | Anti-Spoofing | DKIM Signing.
  • Trusted Hosts & Trusted IPs – Make sure only hosts or IPs that you trust are listed on the Trusted Hosts and Trusted IPs screens. Trusted Hosts and trusted IPs are exempt from various security settings, so if any IPs or hosts that you do not completely trust are listed, your server may become vulnerable to relaying and sending out spam. In MDaemon, this feature is located under Security | Security Settings.
  • Block port 25 outbound on your network – Configure your firewall to only allow outbound connections on port 25 from your mail server or spam filter appliance. No other computers on your network should be allowed to send outbound data on port 25. If you suspect that you have a device on your network that is sending out spam over port 25, then see my post “Tracking Down a Spambot” for more information.
  • Configure your firewall to log all outbound activity on port 25 from all machines on your network – to help track down any machines that may be relaying mail.
  • Use a static IP– Various problems can arise from using a dynamic IP on your mail server. If the server loses its internet connection, then comes back online with a different IP address, your DNS records will still point to the old IP address. If another computer gets your old IP address, then other problems can arise. For example, if the computer has a properly configured MTA on port 25, then your mail would be bounced. If the computer has an open relay MTA on port 25, then your mail will be relayed by this machine. If the machine is on a blacklist, your mail will be lost. For these reasons, we recommend using a static IP on the mail server.

If you follow these recommendations, your chances of being blacklisted are greatly reduced.  These practices will help ensure that you are not relaying mail, that your communications are encrypted, that users are authenticated, and that spambots have not been able to send out mail from your network.

Your Unencrypted Data is a Gold Mine for Hackers

How often have you heard someone say “If you’re not doing anything illegal, then you have nothing to hide?” When asked this, I tend to respond with, “OK, then how about you give me the login credentials for all of your email accounts, including the ones you use for personal use?” I think of this as analogous to allowing a stranger to walk around in your house. Hey, it’s OK as long as you’ve got nothing to hide, right? The point is that, no matter what is contained in our electronic data, most of us want peace of mind in knowing that it isn’t being accessed by unauthorized individuals.

This concern for privacy doesn’t just apply to individuals. It applies to businesses as well. Businesses rely on electronic communication to send sensitive information such as invoices, employee records, financial reports, and other confidential data. In fact, businesses currently send more than 100 billion emails each day, and that number is projected to skyrocket to almost 140 billion emails a day in another year. If this information gets into the wrong hands, it can lead to devastating losses for the company, as well as damage to its reputation. For example, in 2013 and 2014, Target suffered breaches of approximately 110 million customer records in two separate attacks. Earlier last year, a security expert discovered that 272.3 million accounts had been stolen from Google, Yahoo, Microsoft, and Mail.ru (Russia’s most popular email service). In 2013, Yahoo suffered a breach that is believed to have impacted over 1 billion users. In September of 2016, at least 500 million Yahoo user accounts were compromised in a massive data breach that may have included names, email addresses, phone numbers, birthdates, and hashed passwords. In 2012, 165 million LinkedIn accounts were compromised. Though different attack vectors may have been used in each of these cases, the targeted information could have been safeguarded if it had been encrypted. Moreover, all it takes is for one host to be infected with malware to allow the interception and eavesdropping of confidential email content.

Breaches perpetrated by hackers aren’t the only threat to a company’s data. User error also poses a significant threat. According to the whitepaper “Content Encryption – Key Issues to Consider” from Osterman Research, these examples of users mistakenly sending unencrypted content were cited:

  • An employee at Nationstar Mortgage mistakenly emailed copies of customers’ W-2 forms to an employee at Greenlight Mortgage, revealing Social Security numbers, names, addresses and other sensitive information.
  • 845 patients of Tulare County Health received information on how to access protected health information (PHI) via the administration’s medical portal due to an employee mistake.
  • Graduate students at the South Dakota School of Mines and Technology were inadvertently sent an email attachment that included the student identification numbers, grade point averages and other information of about 350 fellow students.

The costs of not sufficiently protecting your data are high. The findings from a study conducted by the Ponemon Institute show that the average cost of a security breach in the United States was $201 per compromised data record – $32 for detecting the breach and notifying the affected individuals, $55 for damage control costs including legal fees, investigations, fines and remediation, and $114 in loss of business due to customer abandonment. Regulated industries such as healthcare and financial services have the most costly data breaches due to fines and the higher than average rate of lost business and customers. In addition to financial losses, companies may also suffer damage to their reputation.

How could these incidents have been prevented? If these businesses had encrypted their data, they could have prevented unauthorized access to confidential information in the event of a breach. Encryption helps protect corporate and financial data of companies, as well as the personal data of their employees and customers. When data is encrypted, even if a user’s account has been hacked, the data would still be unreadable. Encryption also helps companies meet strict regulations such as FERPA, GLBA, and PCI compliance. Encryption solutions also offer the benefit of proof of identity when email messages are digitally signed, ensuring that the message is authentic and verified as having been sent from the purported sender.

A common misconception about email encryption is that it is only needed for larger businesses; however, small and medium size businesses are targeted just as frequently as large ones, and often can be affected much more severely in the event of an email hack. While a larger company may be able to financially survive a breach (but still at significant loss), a severe data breach could put a small company out of business. This is just one of many reasons why encryption is so important.

One of the most common challenges for email encryption is that it has had a reputation of being difficult to use, often requiring cumbersome key exchanges and extensive configuration. MDaemon’s client-side encryption feature (via Virtru) and server-side encryption (via OpenPGP) were designed for convenience and ease of use.

Virtru’s client-side encryption service is built into WorldClient, MDaemon’s webmail client. Setup is as easy as checking a box and verifying your identity. Once enabled, you can simply follow the steps outlined on this page to encrypt your messages. For server-side encryption, MDaemon’s OpenPGP settings make it easy to automate encryption of messages as they pass through the server. Administrators can follow steps outlined in this knowledge base article to enable OpenPGP, configure who can use it, and create keys for their users. This post includes a tutorial video on how to use the OpenPGP features in MDaemon, including how to encrypt an email message using special commands in the subject line, as well as how to automate the encryption process using the content filter.

No business is too small to protect its sensitive data from theft. If you’d like to ensure your company’s emails and attachments are safe, you should always encrypt. A few extra steps now can safe a great deal of headache later.

Happy New Year 2017

187567849

2016 was an exciting year for Alt-N Technologies as it marked the 20th anniversary of the MDaemon email server for Windows and our ongoing efforts to bring affordable, secure, and reliable email and email security software to the small-to-medium business segment. And as many of you know, a lot has changed in the last 20 years. One thing that hasn’t changed over the years is the ongoing threat of people trying to use email as the primary method to attack an organization or steal personal information.

Like any form of communication, it can be used for good or bad. Unfortunately, when email was initially developed, its creators didn’t anticipate the ways bad actors would exploit the technology through methods like phishing, hacking, and launching disabling applications like ransomware, Trojans, etc.

On this front, Alt-N will continue its efforts to improve the security and privacy of email with features like the ones we added in 2016, such as two-factor authentication, client and server-side encryption, and others.

2016 also reflected changes the industry continues to see in the area of deployment options. We saw some resellers and customers turning over the management of their email to MSPs (Managed Service Provider) or other third-party providers. The driver for this behavior varied by customer and industry but can be summarized by the desire to move hardware and software costs from capital expenditures (CAPex) to operational expenditures (OPex), with pros and cons to each approach. Alt-N worked with many existing and new channel partners to see MDaemon Private Cloud hosted email services introduced into new markets like Africa, Asia Pacific, and Latin America with continued growth in existing markets like North America and Europe.

With regards to hosted email services, we also received growing requests from direct customers asking Alt-N to manage their email. In response, Alt-N launched its own service using the MDaemon Private Cloud version of the software by introducing WorldClient Private Email for Business. With this new service offer, we have been able to meet the needs of direct customers who want us to manage their email, such as a 600-user customer who chose our service and support after having a large Office365 reseller attempt to convert them away from MDaemon!

For 2017, we will look for sales growth in new and emerging markets while working hard to earn and retain the loyalty and support of our existing customers. We will continue our efforts to add valuable features to MDaemon and SecurityGateway for Email Servers as those products remain the focus of our development efforts. We will be working on improving features that support cloud-based deployments while keeping a close eye on the needs of customers who want the control of on-premise and hybrid environments. And we will continue to look for new ways to enhance and bring value through our partnerships with complimentary vendors like MailStore, as well as seek out new technologies and vendors to make integration with our software simple and easy to use.

As we begin 2017, we want to express our sincere gratitude to those customers and channel partners who have helped Alt-N Technologies grow these past 20 years. We also look forward to earning the business of new customers and partners as we work toward a successful 2017.

As always, we invite you to tell us what you think by sending us your feedback. You can reach me directly at kevin(dot)beatty(at)altn(dot)com.

Happy New Year,

Kevin

 

 

 

Kevin Beatty
VP, Marketing & Business Development

Get Aggressive at Fighting Spam by Re-training the Bayesian Learning Process in MDaemon

Fight spam with Bayesian Learning in MDaemon

In certain situations, it may be necessary to retrain your Bayesian Learning database. This can be necessary when spam messages are inadvertently placed in the Bayes non-spam folder, or when non-spam messages are placed in the Bayes spam folder.

To reset your Bayesian Learning and start training it again from scratch, you can perform the following steps:

1. Stop the MDaemon service.
2. Verify that the MDaemon executables (MDaemon.exe, CFEngine.exe, MDSpamD.exe, WorldClient.exe) have all exited memory using Windows task manager.
3. Rename the folder “/MDaemon/SpamAssassin/Bayes/” to”/MDaemon/SpamAssassin/Bayes.old/”
4. Re-launch MDaemon.
5. Go to Security | Spam Filter | Bayesian Classification, then click on the Learn button.

At this point, MDaemon recognizes that the Bayes folder isn’t there when the learn process is triggered, so it builds a new Bayes folder.

You will then need to feed Bayesian learning at least 200 spam and 200 non-spam messages (although the more the better) to start the Bayesian learning process again. Here is a knowledge base article on training the Bayesian learning process in MDaemon.

The Bayesian learning engine won’t process new messages until the administrator has taught it 200 spam and 200 non-spam messages. So even if an administrator were to manually press the Learn button OR have MDaemon learn automatically at midnight, the Bayesian engine  wouldn’t apply itself to new messages even though the new folder is created.

Once MDaemon recognizes that Bayesian learning has learned more than 200 spam and 200 non-spam messages, it will start applying what it has learned to new messages.

You can run a script to determine how many messages the Bayesian filter has learned from. This will come in handy for administrators who need to know how many more messages to feed the Bayesian filter. This process is explained in this knowledge base article.

2016 Year in Review

2016 Year in ReviewWell, another year is almost over, but over the past year, we’ve managed to pack in lots of new features and enhancements to our products, and thanks to people like you sharing your ideas with us via the Alt-N Idea Engine, or on our community forums, our development staff can have a direct dialog with customers.  For 2016, we’ve added the following new features to MDaemon:

  • Two-factor authentication – Requires users to provide a verification code in addition to the username and password.
  • Spambot detection – When multiple messages claiming to come from the same sender are received from multiple IP addresses, a spambot is often the culprit. This feature helps keep those pesky Spambots from sending mail to your server.
  • XML API for complimentary applications – Allows third-party developers to integrate complimentary applications (such as CPanel, etc.) with MDaemon.
  • CardDAV support – Allows users to synchronize their contacts with their favorite mobile device or other mail client.
  • ActiveSync migration client – The ActiveSync migration client makes it easy to import data over from any other mail server that supports ActiveSync protocol version 14.1.
  • Third-party chat (XMPP) client – Users now have more options for chatting with their colleagues. In addition to the standard WorldClient Instant Messenger, users can now chat with their favorite XMPP client from their desktop or even their mobile device!
  • Automatic updates – With automatic updates, the administrator no longer has to manually check for new versions and install them. The automatic update feature will notify the postmaster when a new version is available. Updates can be automatically downloaded and installed at a designated time.
  • Centralized management of Outlook Connector settings – Outlook Connector settings can now be pushed out to users. All that’s needed is the email address and password. No more guessing at what to put in the other fields! We’ve updated our Outlook Connector Quick-Start guide to help you get started with this new functionality.

We also released SecurityGateway 4, which includes the following new features:

  • Enhanced anti-spoofing support with DMARC – DMARC allows domain owners to specify what actions to take for messages that don’t align with DKIM or SPF. This helps take out the guesswork on how to handle messages that may be spoofed.
  • Improved user interface for mobile devices – SecurityGateway’s web interface now scales to fit any screen size, so whether you’re using a mobile device or a PC, you’ll see a friendly, responsive interface that has been designed for the screen size you are using.
  • Send mail from each domain’s IP address – When you have more than one IP address on your server, each domain can be bound to a specific IP address. Mail from the domain will be sent from its assigned IP address.

We launched our blog over three years ago to provide another communication channel for our customers, to keep people updated on the latest email industry and security news, tips, product releases, and more. For 2016, we’ve compiled a list of the ten blog posts that generated the most interest. With email security featured prominently in the news over the last year, it comes as no surprise that the topics that generated the most interest revolve around email security and privacy.

Here are the top ten blog posts from 2016:

  1. SSL & TLS Best Practices
  2. New MDaemon Feature Helps Detect Spambots
  3. MDaemon 16.5, with Automatic Updates, WorldClient Categories, & More!
  4. Encrypting vs. Signing with OpenPGP – What’s the Difference?
  5. Encryption Options for Keeping your Private Email Messages Safe
  6. Teach Your Inbox to Recognize Spam
  7. Access your Outlook contacts from Anywhere by Importing them into WorldClient
  8. MDaemon 16 = 2016
  9. Why Passwords May Not Keep your Email Safe
  10. 10 Ways to Reduce Spam in your Inbox

Need a quick video lesson on a particular feature? This year, we also added all of our eLearning videos for MDaemon and SecurityGateway to our YouTube channel.

While 2016 is almost over, our development staff is already hard at work to bring you new & exciting features for 2017, so check back often for the latest updates!

Are You Suffering from Inbox Overload?

Too_Much_Mail

Are you suffering from Inbox Overload? Do you spend too much time trying to keep your inbox under control without losing productivity? Do you find yourself checking your work email well into the evening, or checking personal email during business hours? In today’s always-on, always-connected society, many people struggle with work-life balance. With email being such a ubiquitous communication tool, it is more important than ever to keep the clutter out of your inbox, and to reduce your time spent dealing with email.   These tips can help you keep your inbox organized & free up time that you would have spent managing your email for other, more productive or rewarding tasks.

Keep spam under control

Know how to identify phishing and scams and don’t respond to them
Phishing scams often have the following characteristics:

  • Links in the email asking you to enter your personal information on an online form
  • Threats such as “If you do not fill out the attached form, your account will be deleted.”
  • Spelling and grammar errors
  • Links to malicious sites. It is good practice to hover your mouse over a link in an email before you decide to click on it. Often, phishing emails will show a link to a well-known URL, such as www.amazon.com, but when you hover your mouse over it, the real address that the link points to is a site containing malware, so know how to spot these links & if you are unsure about a link’s legitimacy, do not click on it.
  • Official-looking company logos and graphics. It’s very easy to create a malicious website that looks identical to a legitimate website. When in doubt, never click on an image or link in an email message. Open your browser and manually type in the company’s URL.

Use the Bayesian Learning Feature (Don’t just Delete It)
Spam messages that find their way into your inbox  can be fed into MDaemon’s Bayesian Learning system so that MDaemon’s spam filter can become more accurate over time.  The Bayesian classification system is enabled via Security | Spam Filter |Bayesian Classification in MDaemon.  Make sure the first box “Enable Bayesian Classification” is checked. On the bottom of that screen, you will see the paths to the Bayesian spam and non-spam folders. In WorldClient, a user will see two buttons (a thumbs-up & a thumbs-down button). When that user has been given proper rights to view the Bayesian Learning folders, he or she will be able to mark message as spam or non-spam using these buttons in WorldClient.  More information can be found in the following knowledge base article:

Training the Bayesian Learning Process in MDaemon Pro

Use Extra Email Addresses for Specific Purposes
Do you give the same email address to your friends, family, sales associates, or to just about anyone else who asks for it? If so, then you’re probably getting more spam than you would like. A good practice is to have an email address that you give to friends & family, one for business, and one that you would use for shopping,  or for signing up for mailing lists or newsletters.

Take Action Immediately

When you receive a new email message, it’s good practice to take action on it immediately. A popular method for this is to use the four D’s: delete it immediately, do it (if it can be done in less than two minutes), delegate it (forward it) or defer it (if it will take longer than two minutes). You may also want to archive it or set a reminder to look at it later. You can also file it into another folder (see Create & Use Folders later in this article).

Unsubscribe from Newsletters You No Longer Need

Are you still receiving newsletters from something you signed up for three years ago? If they are no longer relevant or you are no longer interested, you should be able to unsubscribe from them. Newsletters from reputable sources will often include instructions on how to unsubscribe.

Don’t Abuse the “Reply all” Feature

If you received an email addressed to multiple recipients, and you need to reply to the sender, be careful with the “Reply all” feature. If you only need to reply to the message sender, then reply directly & help keep unwanted mail out of others’ inboxes.

Stop Forwarding from Old Accounts

When someone changes his or her email address, it is common practice to forward all mail from the old address to the new one – at least until all parties involved have been made aware of the new email address. Often, forwarding will be left active on the old account indefinitely. Over time, once all parties involved have been made aware of the new address, the only mail still being forwarded from the old address tends to be spam or perhaps old newsletters.  At this point, it is safe to turn off forwarding from this account (or delete the account entirely).

Mask Your Email Address on Public Sites

Spam robots are constantly crawling thousands of sites, looking for email addresses they can harvest for their next spam campaign. Some of the most common places these spam crawlers look for email addresses are blogs, message boards, forums, and guest books. If you must post your email address on these sites, consider replacing the @ symbol with <at> and the .com with (dot)com. For example: <frank.thomas>(at)<example> (dot) <com>.

Create & Use Folders

In time, your inbox can become cluttered with all types of email messages. One way to stay organized is to create multiple email folders and label them so that you can categorize your messages for easy retrieval. In WorldClient, you can easily create mail folders (or folders of any other type) via the Options menu.

Use Rules or Filters

You can also create rules to automatically filter messages that meet certain criteria into your other mail folders. In WorldClient, these filters can be created via the Options | Filters menu. For example, I have a special folder created for a particular newsletter that I’m subscribed to. I use the filter to automatically place those messages into the designated folder. Not only does this keep me more organized, but it also keeps me from getting a “New Email” notification for these messages since they aren’t going directly into my Inbox. Fewer notifications = fewer interruptions = greater productivity.

Keep Inbox Message Count to a Minimum

When you check your email, decide what you want to do with any new messages that arrive (see Take Action Immediately above). By acting immediately, you will keep your inbox at a reasonable size. Inbox Zero is a technique many people use to keep their inboxes down to a manageable size. You can learn more about Inbox Zero in this blog post.

Send & Receive Less Frequently

In today’s face-paced business environment, it’s quite easy to get distracted with phone calls, emails, meetings, and other distractions. If your mail client is notifying you every three minutes that you have an email message waiting, you may be tempted to click on it every time. Ask yourself: Does this have to be tended to at this very moment? You might try configuring your mail client to check for new mail every 15 minutes instead of every three minutes. If a matter must be addressed in less than 15 minutes, then it may be better to meet in person or over the phone.

These are just a few tips to help keep your Inbox under control. With these practices, your inbox will be better organized, you’ll receive less junk email, and you’ll be spending less time dealing with email & more time doing what you’d rather be doing – being productive.

Do you have other Inbox Management tips? Share them with us via the Comments section below!