In this follow-up Q&A, Pedisich answers more of your e-mail management and spam questions. He discusses the pros and cons of allowing employees to use third-party e-mail accounts like Hotmail, how to approach the selection of third-party antispam solutions, e-mail spoofing issues, and more.
SearchDomino.com member: I need to send e-mail notifications from the database I designed using @mailsend. Can I make the e-mail look like it was sent from "Anonymous" or a department name like "P&Q Administrator"? I don't have a separate mailbox set up for each of us that need to send this e-mail.
Andy Pedisich: That's a function that you won't find in Mailsend. Check out an article in the Lotus Notes forum by Julie Kadashevich entitled "Troubleshooting Agents." It has detail on doing what you want to do.
And, by the way, welcome to LotusScript.
SearchDomino.com member: Spoofing of our e-mail IDs is resulting in our users being blocked with their own legitimate mail! What can we do?
Pedisich: If it is widespread enough you will have to change the user addresses. Also I would investigate why this happened in the first place. If your addresses were captured by a virus, you might have no choice but to change the ones being spoofed now.
SearchDomino.com member: We use Spamhaus and have Symantec antivirus software for Notes. We get no SMTPDNSBL entries. Is it because of spoofing addresses, or is SAV touching the e-mail before DNSBL can check it?
Pedisich: If you subscribe to a blacklist and use the "log and tag" option, the field $DNSBLSite in the mail message tells you which blacklist tagged the message.
The other options are to just "log" or to "log and reject".
DNSBL won't help for spoofed addresses, only known open relays and/or spammers, depending on the blacklist.
SearchDomino.com member: What are your thoughts on users accessing AOL or Hotmail accounts from a corporate network?
Pedisich: I have seen many companies that try to forbid access to external AOL, Yahoo! or Hotmail accounts on the grounds that they are not secure, encourage proliferation of viruses, and allow users to spend company time accessing their personal mail. However, employees can use corporate mail systems for personal mail, and they can always carry CDs full of virus laden files, so those aren't very strong arguments.
The security issue is the most important one. How are the accounts being used? Are they used instead of corporate accounts? Is corporate information being sent over these accounts? These are very important issues, and each company needs to approach it within the requirements of its own enterprise.
I like the idea of using another account when users want to sign up for list services or newsletters and you don't want a corporate address to be available for spammers. I would actually prefer that an external e-mail account be used in those situations.
But, under no circumstances should corporate users be permitted to automatically forward corporate mail to any external account. Typically, the account fills up and returns mail to the sender, which is then forwarded back to the filled up account. This causes a mail file to grow to multi-gigabyte very quickly.
SearchDomino.com member: Is there a best practices white paper on mail archive policies?
Pedisich: I have none, but I recently did a search for "mail retention" and the search engine produced a fine list of articles about it, plus a plethora of policy documents by organizations trying to establish mail archive policies.
Bottom line: there are no generic best practices for mail archive policies. You must always tailor you archive policies to your firm's own business and legal requirements.
SearchDomino.com member: Our e-mails are part of the administrative record. Where can you keep one e-mail in one place instead of one e-mail in many inboxes -- similar to storing e-mails in a discussion group?
Pedisich: Have you tried a mail-in database for this? One address can be used, but you can configure the ACL so many can have access.
SearchDomino.com: Is it possible to limit number of simultaneous inbound SMTP session to prevent DoS?
Pedisich: I don't think so, but even if you were to limit it, it could still be blocked by multiple users (or bad guys) taking up SMTP threads and you'd be in a DOS situation.
SearchDomino.com member: What third-party antispam tools have you used that you would recommend to a company of about 500 staff, averaging about 700 e-mails an hour?
Pedisich: What I would recommend has less to do with the incoming rate and more to do with your management style. Some antispam systems let your set your own rules. Some vendor systems let users decide what is and isn't spam. Still others set filters on appliances automatically for you so that the process is completely hands off. And there are a few that actually receive mail for you, clean it and send only the valid mail to your users. Each has its price and advantages.
Many of the tools I have recommended in the past were for clients with larger user bases, ranging from 15,000 to 50,000 users. At that size, a price per person per year rate for hands-off management of spam can be very attractive. In these kinds of situations, usually the mail was sent to a third party for cleaning, or cleaned by passing through an appliance completely managed by the vendor. A smaller firm might want to stay simpler and manage it themselves with only a little assistance from a third-party tool.
If it seems like I am being politically correct here by not directly recommending a solution, it really isn't true. Each solution is valid under different circumstances. If you understand the choices, you can fit them into your requirements.