Minutes for Admin Computer Support Meeting - November 3rd, 2004
Location and Time:
NH 3001; Wednesday, November 3rd at 2:00 pm.
Attendees:
Donna Schell (Assoc. Prov. Bus. Oper/ Student Services), Lynn Snider (Athletics), Victor Lufer (Audio Visual), Linda Howe (C&PA), Karen Gallant (CBET), Lorraine Nesbitt (Counselling Services), Ildiko Denes (Office for Persons with Disabilities), Susan Shifflet (Office for Persons with Disabilities), Judy Richardson (Distance & Continuing Ed.), Pat Moore (Faculty Assoc), Michele Sguigna (Food Services), Cathy Jardine (GSO), Chris Strome (Health Services), Jeff Sturn (Housing), Tammy Marcinko (Human Resources), Sam Schmidt (IAP), Michelle Banic (IAP), Ian Read (Marketing & Undergrad Recruitment), Peter Robinson (Office of Development), Ian Turner (Office of Development), Cathy Cooper (Office of Development), Brenda MacDonald (Research), Christine Kuehl (Research), Monica Wielonda (Plant Operations), Maria LeBlanc (President's Office), Lauri MacLeod (Retail Services), Sheila Hurley (Safety Office), Ian Fraser (Safety Office), Karen Jack (Secretariat), Verna Keller (TRACE), Yvan Rodrigues (Graphics; Presenter), Kevin Paxman (Graphics), Peter Carette (UW Theatre Centre).
IST Attendees:
Trevor Bain, Peggy Day, Tim Farrell, Jason Greatrex (minute-taker), Bob Hicks (Presenter), Phil Knipe, Sandy Laughlin (Presenter), Pat Lafranier (Chair), Reg Leland, Giles Malet (Presenter), Keith Peck, Lisa Tomalty, Carol Vogt (Presenter), Heather Wey.
Agenda:
- Welcome (Pat)
- Bits and Bytes of Info (Pat)
- Bookit Update (Carol Vogt)
- Spam (Giles Malet)
- Making Computing Environment More Secure (Bob Hicks)
- Software and Virus Protection Update (Sandy Laughlin)
- Overview of Computing Environment in Graphic Services (Yvan Rodrigues)
- Wrap-Up (Pat)
PowerPoint Slide Presentation (please view)
Minutes:
- Pat welcomed everyone and encouraged questions.
- Under "Bits and Bytes of Info"
- Pat reminded everyone of the WatITis Conference on Tuesday, December 7th in RCH. Register on-line.
- Additional note: you are required to purchase an operating system when purchasing a new machine.
- A reminder that large inboxes on admmail continue to be a problem and those over 50 MB are flagged during weekly scans.
- Q: Ian Turner asked how big can the inbox be?
- A: Pat Lafranier responded that accounts with over 50 MB inboxes are flagged. Users are encouraged to create new directories/folders and move inbox messages into these newly created folders.
- Q: Cathy Cooper asked about flagging "secondary folders"?
- A: Pat L. replied that our current focus is only with inboxes at this time.
- A: Giles Malet added large inboxes are the cause of email performance issues.
- Q: Peter Carette asked why Eudora is so slow at work in comparison to home use?
- A: Pat L.: the slowness experienced at work can be caused by a combination of activities. Users need to ensure that Eudora's in, out and trash mailboxes are kept relatively small. Messages that are stored on the N drive may take longer to retrieve information off the jam server. Also, we had experienced intermittent network problems which could have added to the problem.
- A: Lisa Tomalty added that previous users had experienced a noticeable difference when Norton Anti-Virus network scan is unchecked. Post-Meeting Note: doing so makes your account vulnerable. Will need to use caution when opening attachments. Please see Appendix A below, which is a copy of the email sent to you (computer reps) after the meeting.
- A: Michelle Sguigna commented for Eudora users in her area that had to wait a long time opening Eudora and had difficulties closing the program; she recreated Eudora's .ini file located on their N drive. Please contact your IST Admin Liaison for assistance with this solution.
- Summary of Bookit Update by Carol Vogt:
- Approximately 1200 users and 280 resources are currently registered.
- Carol suggested that if you know of a user that does not require a Bookit account but currently has one, please submit a request to have the account deleted.
- To date, IST has offered an introductory Bookit course to over 500 people and an Administrator Course to 90 people; these courses will continue to be offered under the SEW course schedule.
- In-house notes have been created for Bookit and Outlook Connector by Lisa Tomalty and Bookit for the Palm by Pat Lafranier.
- This information and more is offered online (http://ist.uwaterloo.ca/ew/Bookit/).
- Please note that past Bookit problems have not been related to Oracle software but from a high volume relating to the directory services. In addition, last week a few people with passwords over 8 characters experienced problems, but these problems have been resolved.
- Carol addressed the complaints regarding improper or additional middle initials being displayed. The problem stems from data entry; Bookit's directory gets a nightly feed from UWdir which in turn gets a nightly feed from Human Resources. As of today, these middle initials seemed to have been corrected, thanks to Giles Malet.
- Q: Cathy Cooper asked about Bookit using nicknames.
- A: Giles Malet replied - currently working on a test system; however, because of past problems, he is wary to implement it at this time.
- Thanks to Cathy Cooper we may have found a way to support the new "Blue" Blackberry.
- We can expect a major upgrade to Oracle version 9.0.5 early next year which will bring the following benefits:
- Outlook connector enhancement
- allow separate detail and attachments for repeat meetings
- designate display options based on users preferences not the designates
- seamless synchronization of offline and online passwords
- better recovery of data after network loss
- client and server can be different versions
- Q: Cathy Cooper asked if we can recover data for individuals?
- A: Giles M. explained that this is a labour intensive process and is considered "disaster recovery". But if it is essential, then submit a request.
- Summary of Spam Presentation (Appendix B below) by Giles Malet
- Q: Michelle Banic asked how far back does rejected mail get stored?
- A: Giles M. a month.
- Giles emphasized that the myWaterloo SpamAssassination link is wrong (myWaterloo is maintained by Engineering). The system has been changed, please do not use it to configure your spam settings. Continue to use the configuration form at: https://mailservices.uwaterloo.ca/spam/
- Q: Ian Turner asked about "training" spam?
- A: Giles M. responded that using the mailservices method will take time to train. No support yet.
- Q: Yvan Rodrigues asked in the corporate world companies used the verify sender method to reduce spam, are we planning to apply this?
- A: Giles M. responded that this issue has not been settled, using Microsoft as an example. Typically, if challenged people wouldn't be bothered to verify sender credentials, thereby eliminating its effectiveness.
- Q: Paul Henderson noticed that when his vacation message was set, he received more spam.
- A: Giles M. commented that in the previous system the system vacation message automatically responded to all. This has now been changed, so that only email that has not been flagged as spam is sent a return reply.
- Summary of "Making Your Computing Environment Secure" by Bob Hicks.
- Asked for the cooperation of Vanguard Testers to thoroughly test their department's special applications once SP2 has been applied.
- Moving departments to a secure subnet provides an extra layer of security but may affect access to either servers or printers outside your subnet.
- Q: Michelle Sguigna asked if SP2 is only applied to Windows XP machines.
- A: Bob Hicks replied yes, this only affects Windows XP workstations.
- Q: Ian Read - does this SP2 include the full service pack including firewall?
- A: Bob H. yes.
- Points 1 and 2 from the slide will be implemented in the new year.
- Q: Michelle Banic asked why is WinZip to be removed and what will be the replacement?
- A: Bob H. replied that Windows SP2 applies a more secure file compression program.
- A: Trevor Bain mentioned the noted vulnerability with WinZip.
- Q: Peter Carette asked what option do Windows 2000 users have?
- A: Bob H. replied users can continue to use WinZip but we would like to encourage the move to Windows XP machines.
- A: Tim Farrell added that WinZip will be removed from the software policy not removed from the machines. Expecting its use to eventually die.
- Newly-imaged PCs will no longer have these apps.
- A Software and Virus Protection Update was provided by Sandy Laughlin.
- Yvan Rodrigues gave an overview of Graphic Services computing environment (see slides).
- Wrap-Up - Pat thanked participants and attendees for coming. Next meeting will be in NH 3001 during the Winter term. Date to be announced later.
- Any volunteers to discuss their department and computing environment for next meeting; please contact Pat (pllafran at uwaterloo dot ca).
Appendix A (post-meeting: copy of Nov 5 email from T. Bain)
Please note that disabling the antivirus realtime protection option (autoprotect) for network drives is not without risk. If you disable realtime protection on network drives, there is the potential that an e-mail infected with a virus or worm could arrive on your N: drive. You need to remain suspicious of any e-mail attachment that you have not requested and be aware that there is a risk in turning off the realtime protection for network drives.
For more details, read on:
Disabling the antivirus realtime protection option (autoprotect) for network drives is not without risk.
In the past, this action has not been recommended for those who store their e-mail on the N: drive (a network drive) because of the viruses and worms that arrive via e-mail. Realtime protection on network drives provided a mechanism to scan all incoming e-mails for viruses and deal with them accordingly. If realtime protection was turned off, a virus/worm would not be detected until the nightly virus scan of the file server was conducted. Because of the volume of data involved, it takes 5-6 days for the nightly scans to complete one pass of the file server. So, an infected file could survive in your inbox for nearly one week before the scheduled scan of the file server "discovers" the infected file and deals with it. While it resides there, it poses a risk -- you may inadvertently open the attachment.
Since mid-December 2003, ClamAV virus scanning has been performed on e-mails prior to their delivery to the e-mail servers (e.g. admmail, watserv1, ist). The result is that the scheduled scans on the main academic support file server (jam) are picking up 1-2 virus infected files per week. The realtime protection statistics for academic support computers are showing a similar rate of return (only 72 infected files over the last 9 months). This is a significant drop from the numbers seen prior to the installation of the ClamAV virus scanning in December 2003. The current statistics for virus detection via ClamAV are enlightening and can be found at: http://mailservices.uwaterloo.ca/cgi-bin/minos-virus/display.pl
Why do infected e-mails make it past the server/ClamAV scanning?
1. In busy times, the scan can take too long, the process "times out", and an unscanned e-mail is delivered.
2. As with biological viruses, many viruses are slight variations of previous viruses. The virus software companies are continually monitoring these changes and updating their definition files accordingly. It is possible for a "new" virus to arrive in your inbox overnight prior to the ClamAV definitions being updated. By the time you read your e-mail in the morning, both Symantec and ClamAV may have definitions that will detect the virus but the infected e-mail has already made it past the ClamAV scan. Your only software defense at this point is your local workstation antivirus software (Symantec Antivirus).
If you disable realtime protection on network drives, there is the potential that an e-mail infected with a virus or worm could arrive on your N: drive. The number of worms/viruses getting through to your inbox may be low, but it only takes one to cause you enormous grief. You need to remain suspicious of any e-mail attachment that you have not requested and be aware that there is a risk in turning off the realtime protection for network drives.
Appendix B (Presentation by Giles Malet, IST)
SPAM & UW Mail
3rd Nov 2004
Typical path of e-mail:
sender's system ---> UW Mail cluster ---> admmail/watserv1
Tests we perform
On the cluster
- Headers correctly formatted (refuse bogus sender etc.)
- Sender's system is not blacklisted for any of various reasons
- Recipient exists
- Check attachments: refuse anything "dangerous"
- Scan for viruses, and refuse anything dangerous
On the destination server
- Repeat attachment check and virus scan, refuse anything dangerous
- Test mail against "SpamAssassin" and mark subject if suspected spam
- Put in mailbox.
We also do greylisting on some servers.
Compare to commercial system
For example: Sophos.
At least 95% of your spam should be detected as such, but overall quantity is increasing, and thus the number of msgs undetected.
Statistics
- Approaching 2,000,000 connections to the mail cluster per day
- 300,000 are incoming mail
- Graphs of mail flows: 5 per second during the day (rejection rate is apparent on that graph)
- Graphs of SpamAssassin: about 50% detection rate, but note the daily patterns
- About 10 viruses detected per minute peak (?)
- About 10 executables rejected per minute peak (?)
- Lots of other info at http://mailservices.uwaterloo.ca
For the End User
Conclusion
We're doing about as much as we can to reduce spam at the campus level -- further changes will increase the false-positive counts, and cause more annoyance. Only individuals can make a significant difference, as only they know their e-mail (what can be rejected etc.), and use that to build better filters.
Minutes by Jason Greatrex.
Last updated by Pat Lafranier, pllafran at uwaterloo.ca, November 9, 2004.