Computing Service Newsletters
Computing Service Newsletter 231 (January 2007)
Mail, News and Information Services
- Secure access to Hermes
- Improved spam filtering
- Kiosk mode
- Mailman
- New pilot service freephone.cam.ac.uk
- Raven developments: Shibboleth and Athens
Secure access to Hermes [headline article]
By the end of last term all Hermes users had been converted to secure settings: the end of a long process which was started in spring 2005. Many thanks to all the IT staff across the University who have helped with this process, and to users for their patience.
The completion of this process means that we can make some security improvements to the IMAP and POP services, since they no longer need to behave differently for different users. The aim is to make it harder for a user inadvertently to expose their passwords when accidentally trying to use insecure settings. This will be transparent to users and will only make a slight difference to the point at which insecure logins are rejected.
There are still a few non-Hermes users sending email via smtp.hermes.cam.ac.uk which we hope to clear up in the next few weeks. We'd like to remind everyone that smtp.hermes is intended for Hermes users sending email from conventional MUA software. Email from shared or unattended systems should be sent via ppsw.cam.ac.uk. For more information, see http://www.cam.ac.uk/cs/email/sending.html
Improved spam filtering [headline article]
Users will be aware that the autumn of 2006 saw a huge increase in spam email. The volume of spam arriving at the University's central email switch more than doubled between summer and November; of about 3.5 million messages arriving each day from outside the University, at least 90% are spam identifiable as such at the switch. In terms of messages per second, the pattern now is that approximately:
- 3 messages are internal mail within the University
- 4 messages are mail from outside the University not identified at the switch as spam. This then goes through the spam-scoring mechanism and a significant proportion of it will end up in users' spam folders.
- 35 are rejected at the switch.
The new flavour of spam proved difficult initially for our spam-scoring filters (SpamAssassin) to handle because it doesn't have many recognizable features, such as URLs for criminal web sites, etc.
Since November we have been doing automatic updates of the spam scoring rules. These should occur much more frequently than new releases of the scoring software, and greatly improve the email scanner's ability to cope with new forms of spam.
Users who have reduced their spam filtering threshold in response to the Autumn 2006 upsurge of spam should adjust it upwards again. If your filtering threshold is less than five then legitimate email is likely to be saved into your spam mailbox.
Background information
The University's anti-spam system has two stages. The first stage is based on blacklists of computers that are controlled by spammers, specifically the Trend Micro / MAPS RBL+ and the Spamhaus ZEN lists, plus some locally-developed checks. These act before we accept messages for delivery, and currently block about 90% of email from outside the University.
The second stage uses SpamAssassin to score email according to its spamminess; the score can be used to filter email into your inbox or spam mailbox. In November (before the rules update) about 35% of email accepted from outside the University scored more than 5; in December (during the vacation) this increased to 50%.
These numbers do not include email sent from inside the University, which is not subject to anti-spam tests.
Kiosk mode [headline article]
Users of the PWF are reminded of the "kiosk mode" facility that allows fast access from a PWF Windows or Macintosh machine to Hermes and to some other services, without the overhead of logging in to the PWF. This may be particularly useful if home servers on the PWF are shut down for maintenance, or on the rare occasions when you are unable to log in to your PWF account as happened during the filestore problem in November. In general it is much faster than going via PWF login if you only want access to one of the services below.
Kiosk mode login to Hermes
At the PWF Windows or Macintosh login screen where you would normally enter your PWF identifier and password, type hermes instead of your identifier, and leave the password blank. You will be taken straight to the Hermes Webmail page, where you can login to Hermes. This is a restricted service and does not allow you to print, download attachments or follow links to URLs outside the Hermes system. It does however allow you to configure your Hermes account (e.g. change your password or set up forwarding).
Kiosk mode login to Newton
At the PWF Windows or Macintosh login screen where you would normally enter your PWF identifier and password, type newton instead of your identifier, and leave the password blank. You will be taken straight to the catalogue page. Note that this is a restricted service, and does not give access to the full set of Web pages normally linked from the University Library pages, nor does it allow you to print pages.
Other kiosk mode services
Kiosk mode is also used for new users to collect their passwords for Computing Service facilities, using signup as the user name, with no password required. It also has specialised uses for some admissions tests.
Mailman
As reported in previous Newsletters, the mailing list system provided by the Computing Service is being transferred to use Mailman, which is a web-based mailing list system widely used elsewhere. The local version is tailored to use Raven authentication and to make it easier to set up lists in similar ways to the existing system.
We are now setting up all new lists on the Mailman system, and over 2000 of the
@lists.cam.ac.uk mailing lists have already moved to Mailman. Existing lists can continue to run on the old system for at least the remainder of this academic year.
List managers who would like to transfer their lists to the new system can do so using the web page https://lists.cam.ac.uk/mailman/migrate which requires Raven authentication. To migrate large numbers of lists (for example all lists associated with a given institution), contact postmaster@lists.cam.ac.uk. Mailman has extensive built-in documentation of its own; local user documentation is at http://www.cam.ac.uk/cs/docs/leaflets/g90/mailman/
New pilot service freephone.cam.ac.uk
The Computing Service is about to launch the pilot for a new service called Freephone (freephone.cam.ac.uk). This is a Voice over IP (VoIP) telephone system designed as a low cost alternative to the main University Telephone Network VoIP upgrade project. The intended target application is telephones in student bedrooms. Freephone is not intended as a replacement for the main UTN system for all cases. It can be considered as an alternative to Skype. More information is available at: https://wiki.csx.cam.ac.uk/wiki/freephone
Raven developments: Shibboleth and Athens
During 2007, the Computing Service plans to extend the current Raven service to support additionally an authentication and authorization system called Shibboleth (http://shibboleth.internet2.edu/). Shibboleth comes from the US educational community and is being actively adopted in the US, Europe, and elsewhere. It is likely to become an important part of the IT landscape within UK education in the next few years.
It describes itself as "standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries". Essentially it provides the sort of web-based authentication service that systems like Raven already provide, except on a national or international scale and in a standardised way. In doing so it has to address problems such as how to administer a system that must identify a very large and rapidly changing group of people, and how to maintain appropriate levels of personal privacy in a system that is inherently transferring information between organizations.
Shibboleth was originally conceived as a way to control access to on-line subscription services such as commercial journals and databases, though it is not limited to such use. In UK higher education, access to many such resources is currently controlled by Athens (http://www.lib.cam.ac.uk/electronicresources/Access_Passwords.htm#Athens), use of which is centrally funded by JISC (the Joint Information Systems Committee - http://www.jisc.ac.uk/). However this funding will cease from July 2008 (though the service will continue on a subscription basis) and JISC expect that all current Athens use will move to Shibboleth over the next few years. To support this they, along with BECTA (the British Educational Communications and Technology Agency - http://www.becta.org.uk/, essentially 'JISC for Schools') are now funding a 'UK Access Management Federation' (http://www.ukfederation.org.uk/) to coordinate Shibboleth deployment across all of UK education and research.
Within the University, teams from the University Computing Service and the University Library are currently investigating how a general Shibboleth service can best be provided to the wider University, and how the transition from Athens can best be managed. Discussions are at a very early stage, but it is likely that a pilot Shibboleth Identity Provider for the University, using the existing Raven service to actually identify people, will become available during early 2007 and that by October 2007 at least some access to external electronic resources will be authenticated by the Shibboleth service.
The title of this document is:
Computing Service Newsletter 231: Mail, News and Information Services
URL:
http://www.cam.ac.uk/cs/newsletter/2007/nl231/mail.html