CERN Computer Newsletter - Institute of Physics (images.iop.org/objects/cern/cnl/1/9/1/pdf.pdf)

CERN Computer Newsletter, September–October 2004

Volume XXXIX, issue 1

Editorial

CNL changes with the times

For the past 38 years the IT Department has been publishing the CERN Computer Newsletter (CNL), which covers topics of interest to the department, to CERN users and also to a wider sphere of IT professionals and computer scientists.

As part of an effort to improve the communications between the department and users around the world, a plan for improving the content and layout of CNL and for increasing its readership was proposed to the management.

The decision was:
● to include a new section, “Computing News”, in alternate issues of CERN Courier, starting in September 2004;
● to provide a new online version of CNL with a downloadable PDF (this newsletter).

The “Computing News” section in CERN Courier will contain short or medium-sized articles to address scientific computing in the broadest sense, or more specific articles on Grid projects such as the LHC Computing Grid (LCG) and EGEE.

The new online version of CNL will be more technical and CERN IT specific, but we still wish to include some scientific computing articles that will be of general interest to CERN users.

For both publications the technical work will be done by the publisher of CERN Courier and the online version of CNL will be available from the website at http://www.cerncourier.com/.

We hope you enjoy the first issue of this new version of CNL. We will be very glad to receive your comments, which should be e-mailed to the CNL editors (e-mail: [email protected]).
Nicole Crémel and Hannelore Hämmerle, CNL editors, IT/Communication Services

Contents

Editorial
CNL changes with the times 1

Announcements & news
CERN Courier gains a new computing section 2
IT bookshop caters for our computing needs 2
CERN bookshop and library plan book fair for October 2
Recruitment process goes electronic 3
Three software support contracts are currently being reviewed 3
Restrictions apply to software for personal and professional use 3

Desktop computing
Accessing NICE from outside CERN 4
Outlook 2003 offers new benefits 6

Technical brief
CERN has some new recipes for fighting growing volume of spam 7

Internet services & network
Alternative SMTP server on port 2525 will use CERN mail servers remotely 9
Reverse-DNS configuration of the IP server is crucial 9

Information corner
Questions and answers from the Helpdesk 10
Recent changes to CERN’s IT services 10
Calendar 10

Editors: Nicole Crémel and Hannelore Hämmerle, CERN IT Department, 1211 Geneva 23, Switzerland. E-mail: [email protected]. Fax: +41 (22) 7677155. Web: cerncourier.com (link CNL).

Advisory board: Wolfgang von Rüden (head of IT Department), François Grey (IT Communication team leader), Christine Sutton (CERN Courier editor), Mick Draper (group leader, User and Document Services).

Produced for CERN by Institute of Physics Publishing, Dirac House, Temple Back, Bristol BS1 6BE, UK. Tel: +44 (0)117 929 7481. E-mail: [email protected]. Fax: +44 (0)117 920 0733. Web: iop.org.

Published by CERN IT Department

©2004 CERN

The contents of this newsletter do not necessarily represent the views of CERN management.

[Figure: The new machine room in the basement of CERN’s computer centre.]


Page 2

Announcements & news

CERN bookshop and library plan book fair for October

The CERN central library, in conjunction with the IT Computing Bookshop, is organizing a book fair on 28 and 29 October. Some 12 major publishers will be represented and copies of their latest books will be on display, as well as their “key” titles that may interest CERN. The major topics covered will be computing, physics, technology, mathematics, engineering and popular science.

The following have been invited to this event: Alpha Science, Cambridge University Press, E-books Corporation, Elsevier, Institute of Physics, McGraw Hill, Microsoft Press, O’Reilly, Oxford University Press, Pearson, Springer, Wiley and World Scientific.

The fair will take place in the main building (Building 60). We look forward to your support of this initiative.

IT bookshop caters for our computing needs

Remember that the CERN IT Computing bookshop moved to a new location earlier this year.

The shop is now situated in Building 513 R-047. CERN users can buy both books and CDs there at discount prices. The service is open on weekdays from 8.30 a.m. to 12.30 p.m. and it can also be contacted by e-mail or phone (e-mail: [email protected]; tel: 74050).

Books are purchased from some 15 publishing houses and the bookshop’s catalogue offers a selection of documentation aimed at the range of computing utilities that are currently available at CERN. The service welcomes suggestions from the user community for new acquisitions.

The bookshop’s most recent acquisitions are:
● The CD for Windows XP and the CD for Office 2003 (25 Swiss francs each). These are only available while you remain at CERN and a small licence agreement needs to be signed.
● The Latex Companion (2nd edition). This book contains a CD for TeXlive, which runs on a PC. This edition has been completely reworked.
● The new Inside Out Series of Microsoft books on Office XP tools.
● C++ for Java Programmers.
● The Macintosh Panther Bible.
● High performance MySQL.
● The Unified Modeling Language Reference Manual.
● Lots of new pocket editions from the O’Reilly Series.
● OpenGL reference manual (new edition).
● Java for Engineers and Scientists (new edition).
● Enterprise Java Beans (new edition).
● Computer Networks (new edition).
● Advanced Unix Programming (new edition).

The complete list, with all of the relevant information, is compiled regularly and is made available on the CERN network at http://cdsweb/tools/itbook.py. This is now integrated into the CERN library system.
Roger Woolnough, IT/UDS

CERN Courier gains a new computing section

The articles that are listed below have been published in the September 2004 issue of CERN Courier, which contains the new Computing News section. Full-text articles can also be found on the CERN Courier website at http://www.cerncourier.com.

Computing News
● Newsletter changes with the times: Robert Aymar, CERN director-general, about the new computing section in CERN Courier.
● CERN’s computer centre gets ready for LHC: Status and plans concerning the upgrade of the CERN computer centre.
● D0 goes offsite for more power: Re-examining huge amounts of collision data at several remote sites.
● Farm offers real-time event reconstruction: Physics analysis at the Belle experiment.
● The Grid gains new dimensions: Recent developments in the LHC Computing Grid project and CERN openlab.
● CERN prepares for Linux changes: Repercussions of a new distribution policy of RedHat.
● Co-operation aims to ease digital divide: Launch of SEE-GRID project for South-Eastern Europe.
● GridPP collaboration enters a new phase: Following the second stage of the UK’s contribution to the LHC Computing Grid.
● Rewind: 35 years ago – multitasking CPU.

New IT Products

Calendar of Events

Spam Dossier
● The plague of spam today: Louis McCaul, chief of the Information and Communication Technology Service at the UN in Geneva, is interviewed by Jean Michel Jakobowitcz, editor of UN Special.
● Alleviating spam’s effects: Emmanuel Ormancey and Alberto Pace of CERN’s Internet Services Group describe new spam filter options (see extended version on p7 or CNL online).

Viewpoint
● Going public: a new paradigm: For David P Anderson, project leader of SETI@home, the future of scientific computing is public.

[Figure: cover of CERN Courier, volume 44, number 7, September 2004.]

Page 3

Recruitment process goes electronic

Since January 2004, all vacancy notices from CERN have been made available on the new e-Recruitment website (http://ert.cern.ch).

The e-Recruitment Toolkit (e-RT) covers recruitment for CERN staff and for all of the research programmes: technical and doctorate students, fellows and associates.

The Human Resources Department (HR) usually handles around 6000 job applications annually. For some specific recruitment exercises, like the Fellows and Associates Selection Committee, all copies of applications being handled around CERN can represent up to 15 000 pages of paper. This is now fully electronic.

e-RT comprises two main interfaces: the front office, where applicants can register their details, search and apply for vacancies; and the back office, where CERN staff can search for candidates, make comments on applications and make selections.

This fully electronic system allows candidates to check the status of their application on a regular basis and e-mails are sent when a candidate has reached a certain step in the recruitment process.

e-RT is based on iCams, a product developed by Hireserve (http://www.hireserve.com) of Fleet, Hampshire, UK. It was chosen after a market survey and call for tender, and was customized by IT-AIS-HR along with the HR Department.

The product is based on Oracle, PL/SQL packages and Java – well known technologies used for years by IT-AIS. It also uses Oracle Intermedia’s features to help to search and index thousands of CVs and application forms. So far e-RT has proved very stable, able to cope with a large number of concurrent users (up to hundreds) and easy to maintain.

After only 10 months, e-RT already contains 8500 registered users, of which about 4700 have submitted 13 000 applications to various jobs.
Francois Briard, IT/AIS

[Figure: Geraldine Ballet, Recruitment Services, prefers e-RT to mountains of paper.]

Restrictions apply to software for personal and professional use

A growing number of computer security incidents that are detected at CERN are caused by software that has been installed for personal use.

Some of the popular “free” software that is available on the Web, for example, can introduce significant security problems, either at the time of installing the software (e.g. when adding spyware or adware) or later as a result of a lack of updates to close security holes.

Software that is not required for a user’s professional responsibilities introduces an unnecessary risk and should not be installed or used on computers that are connected to CERN’s networks. This includes any computers that are connected to CERN remotely (e.g. via VPN).

Three kinds of non-secure software that violate CERN’s Computing Rules, and which are therefore not permitted on CERN’s computing or network facilities, are described below:
● KaZaA and other Peer-to-Peer (P2P) file-sharing software (e.g. Aimster, Bearshare, BitTorrent, Edonkey2000, Eetee, Emule, Gnutella, KaZaA, Limewire, Morpheus, Napigator, Napster, Poisoned, Soulseek and WinMX). For further information, visit http://cern.ch/security/file-sharing.
● Skype P2P telephony. The privacy policy of Skype violates CERN’s Computing Rules by bypassing firewall protections and offering services to others. For further details on Skype restrictions at CERN, see http://cern.ch/security/skype.
● Versions of instant messaging software not configured in CERN’s distributions, such as ICQ and so-called “free” downloads, which contain spyware or adware (e.g. Gator and Hotbar) and have introduced privacy violations and/or security exposures.

Caution must be taken when considering the installation of any software that is not available from CERN’s officially supported distributions. You must check the security and legal (e.g. licensing) aspects of the software, including assurance of a timely mechanism for obtaining security updates as well as compliance with CERN’s Computing Rules.

A list of some software that is known to cause security or network problems is available at http://cern.ch/security/software-restrictions/list.

In addition to security problems, software that has been installed for personal use often creates support problems. The additional software can make problem analysis even more difficult.

Even if the initial installation appears not to have any impact on the correct running of the system, it can cause problems for changes to the system at a later date. Removing additional software may also require a complete reinstallation of the system from scratch to allow for recovery from all of the changes that were made to the system as a result of the installation.

CERN’s Computing Rules require users to protect their accounts and computers from unauthorised access. The risk of a break-in to a computer is related to the software installed and how securely it is maintained.

To keep your computer secure:
● use a CERN centrally managed system;
● restrict the installed software on the computer to those applications that are required for your professional duties;
● ensure that the operating system and all applications are configured securely and regularly maintained with security updates.
Denise Heagerty, IT/DI and Lionel Cons, IT/CS

Three software support contracts are currently being reviewed

The maintenance support contracts for IRIS Explorer will be cancelled from the beginning of January 2005. Please note that users will still be able to use the currently installed version of IRIS Explorer.

The NAG C library support contract (for sites outside CERN) was terminated in July 2004. This is a support contract only and will not affect the currently installed libraries.

The termination of the TGS OpenInventor contract is also currently under discussion.

For further information, please e-mail: [email protected] of all supported tools can be found on the CERN website at http://cern.ch/product-support/sdt.html.
Pete Jones, IT/PS

Page 4

Desktop computing

Accessing NICE from outside CERN

Users at CERN were previously using several mechanisms, like ACB or VPN, to access files stored on the NICE Distributed File System (DFS) when they were outside CERN at a distant laboratory or at home. However, complicated set-ups are no longer necessary, and the only requirement today is a Web browser with an Internet connection. Just point your browser to https://cern.ch/dfs. You will be redirected to the DFS Services website.

This website provides Web access to the DFS file system in two ways: via the Web browser and via the WebDAV client.

The browser method

Web browser access is available either by following the DFS Explorer link on the DFS homepage or by typing the directory name in the address bar, starting with https://dfs.cern.ch/dfs (the “s” in https is mandatory – without it you will not be able to connect).

For example https://dfs.cern.ch/dfs/users/p/pace is the Web address of the DFS directory, \\cern.ch\dfs\users\p\pace.

The user interface is self-explanatory and it allows you to perform all sorts of file manipulations, including deleting, copying, moving and renaming files. It has an embedded clipboard that allows you to copy/cut/paste files within the Web server and to upload small files (up to 3 MB) from the client to the DFS.

To upload a file, first click on “Browse” to select a local file, then click on “Upload this file” to start the upload process. Larger files can be uploaded with WebDAV (see later).

The webpage also allows you to download files from the DFS to the local computer. To do so, just click on the name of the file that you wish to download and save it to your local disk. Note that the behaviour is slightly different if you click on the name of a folder instead of a file: in this case the folder is opened and will become the new working folder.

“Send files by email” is a useful tool when you are connected using a slow Internet link (e.g. modem, GSM). It allows you to send a file to a third party without having to download it locally then upload it again to send it by email.

Finally, the “Manage permissions” button is directly connected to the “Trustee manager”, which allows you to change access permissions to all files and directories for which you have permission control. This makes all required functionalities available to all platforms because the only requirement is a Web browser.

Described above is the maximum that you can do using a simple Web browser. However, for some years now, all major browsers and/or operating systems that have browsers have supported the http extensions for distributed authoring and versioning (WebDAV).

[Figure: Accessing the DFS file system using WebDAV (Windows).]

[Figure: The http://www.cern.ch/DFSServices homepage.]

[Figure: The DFS Explorer, which gives access to DFS files from the Web.]

[Figure: WebDAV access from Windows.]

Page 5

Using WebDAV

In addition to supporting the normal HTML Web user interface, the site at https://dfs.cern.ch also offers a complete implementation of WebDAV. This means that you can mount the entire DFS file system to your local computer outside CERN.

If you are using Windows, the way you achieve this is with the Internet Explorer. Select “File” and then “Open”, then tick the “Open as web folder” option after typing the URL of the folder that you want to open.

After the required authentication (with the usual NICE username and password) you can see your DFS files in read/write mode from anywhere in the world. You can drag and drop files and folders from DFS to your local file storage in a seamless way, just as you would copy them from a CD, floppy disk or your home directory. You can also drag and drop files and folders from your local disk and upload them to the DFS.

In a similar way you can access the DFS file system through WebDAV from a Mac (using OSX) and from Linux (using DAVExplorer, Cadaver or any other DAV client).

Once the WebDAV file system is available locally you can easily do aggregate operations like copying entire directories with a single mouse click.

The DFS Services pages at http://www.cern.ch/dfs will provide you with some documentation about using WebDAV from different platforms.

Native file access for scripting

There is even more that you can do: mount the DFS file system into the local file space using WebDAV. There are native file system drivers for Windows, Mac OSX and Linux that allow you to do this.

In particular, Windows XP built-in WebDAV redirector and DAVfs on Linux allow you to mount DFS file systems. This gives you access to the DFS file system natively. The fact that it is mounted as a file system allows you to access files even from the XP command line or the Linux shell. This allows the manipulation of DFS files from scripts (e.g. Perl, VBscript) for any kind of automation.

Having said that it is possible to crossmount the DFS file system into your local file space, be aware that there are some (severe) limitations:
● The current Windows XP WebDAV redirector and the DAVfs driver for Linux support http only – they do not support SSL. Given that only SSL is offered outside CERN, this solution currently works only for computers located on the CERN internal network. However, we do not see any reasons why these drivers should not support SSL in the near future.
● When a remote file system is mounted, some operating systems start to create indexes of the remote files. In the case of DFS, this could take several days and eat up all of your network bandwidth.
● If the goal is to access DFS from inside CERN, then there are better and faster protocols available (e.g. CIFS/SMB). These are available for Windows, Linux and MAC OSX. Why use http when the native CIFS/SMB is faster, therefore?

Web access is not limited to DFS files – it is also possible to use WebDAV to access all of the files stored on the central Web servers and all mail messages stored in the central mail servers. This opens up several additional possibilities, such as mail clients that read and write mail using simple file access instead of the traditional SMTP/POP/IMAP/MAPI protocols.
Alexandre Lossent, Rafal Otto, Alberto Pace, IT/IS

[Figure: WebDAV access from Mac OSX.]

[Figure: DAV access from Linux using DAVExplorer.]

[Figure: Native file access on Linux accessing a WebDAV-mounted DFS file system.]

[Figure: Accessing a CERN mailbox using WebDAV: every message is seen like a file.]

Page 6

Outlook 2003 offers new benefits

Outlook 2003 is part of the new Microsoft Office 2003 suite. It offers new and enhanced functionality that can improve efficiency and make it easier to collaborate with colleagues.

If Office 2003 is not installed on your machine, check the Win Services page at http://cern.ch/win/docs/office2003.

One interesting feature of Outlook 2003 is the cached mode, specially adapted for laptop users, which can replace the offline mode of Outlook XP – not always easy to use.

When Outlook is configured for cached mode, you enjoy better online and offline messaging because a copy of your mailbox is stored on your computer, along with a copy of the address book. The cached mailbox and address book are updated periodically from the CERN mail servers as soon as the network connection is restored.

The principal benefits of using cached mode are:
● it shields the user from troublesome network and server connection issues;
● it facilitates switching between online and offline;
● it automates CERN e-mail address resolution, even offline;
● e-mail messages, agenda and tasks are all available offline.

By caching the user's mailbox and the address book locally, Outlook no longer depends on ongoing network connectivity for access to user information. In addition, users' mailboxes are kept up to date, so if a user disconnects from the network (e.g. by removing a laptop from a docking station), the latest information is available offline.

In cached mode, user interaction and message fetching are asynchronous and independent processes.

To configure Outlook 2003’s cached mode (see box, below):
● log into your NICE account;
● ensure that Outlook 2003 is closed;
● in the Start menu, select Control Panel and then Mail;
● click Show Profiles;
● select Default Profile;
● click Properties (1);
● click E-mail Accounts (2);
● select View or Change Existing E-mail Accounts and click Next (3);
● select Microsoft Exchange Server and click Change (4);
● check Use Cached Exchange Mode (5);
● click Next and then Finish.

Once you have configured the cached mode, Outlook 2003 will work as usual but will build a cache in the background. Switching between online and offline is transparent (6):
● if you are connected to CERN’s network, Outlook will connect automatically to Mail servers and synchronize the cache;
● if you are disconnected from the network, Outlook works as usual but using the local cache.
Emmanuel Ormancey, IT/IS

[Box: screenshots of the configuration steps, numbered 1 to 6.]

Page 7

Technical brief

CERN has some new recipes for fighting growing volume of spam

In principle, the best approach to tackling spam would be to use newer and more secure mail-transfer protocols that would ensure the traceability of e-mail messages (e.g. by using digitally signed messages and external, common certification authorities).

CERN is constantly evaluating new techniques for handling spam. For international organizations like CERN and the UN, the challenge is to remain open to institutes that, for various reasons, are unable to deploy the latest methods promptly. It may take years for new technologies to become globally available, so people in such organizations can expect to continue to receive spam messages for some time to come, because they can’t yet afford to “drop” untraceable mail messages, an important fraction of which are legitimate.

We all know the general advice that everyone should follow to avoid having their inbox flooded with spam: don’t publish your e-mail address on public readable websites (forums, newsgroups or any generally indexable electronic publishing mechanism).

Unfortunately, once spammers have obtained a valid e-mail address, there is no way to get it removed. You will receive increasing quantities of unsolicited messages until new e-mail distribution technologies are invented or you change your e-mail address.

The CERN mail gateways receive, on average, 800 000 messages every day with peaks of 1 200 000 messages (see http://cern.ch/mmms/Services/MailStats.aspx for the daily SMTP traffic at CERN). More than half of these are immediately deleted with simple rules that detect evident spam, viruses and worms.

Filter works on probability

For the remaining half, the probability of being spam is calculated for each message and it is always delivered to the user’s mailbox, either to the inbox folder or to the CERN spam folder, according to the filtering level set by the user. After this additional filtering, the amount of mail that is finally distributed to the inboxes of users normally represents about 20% of the mail initially received via the external gateways.

The “spam fight” tool at CERN (http://mmm.cern.ch) allows users to tune their spam filter configuration. They can choose between three levels of filtering, which tune the threshold at which a message with a calculated probability of being spam will be delivered to the CERN spam folder instead of their inbox.

End users should understand the model and tune the anti-spam filter to a level that they estimate to be acceptable: a level set too low will deliver a lot of spam to the inbox; a level too high may deliver legitimate messages to the CERN spam folder (false positives), requiring constant monitoring by the user of the spam folder, which is counterproductive and thereby makes its raison d’être void.

The “spam fight” configuration tool is available for every CERN mailbox at http://cern.ch/mmms/Tools/Spam/ (authentication required).

As you will see, the general recommendation from the CERN mail team is to set the filtering level to “high”. This configuration should suit well the vast majority of CERN users who receive 20–80 spam messages per day.

Users who receive little spam and who would like to minimize the probability of a legitimate e-mail (false positive) being delivered to the spam folder can simply decrease their filtering level to “medium” or “low”. However, things get more complicated for users who estimate that the “high” level is not high enough.

What if “high” isn’t high enough?

In several individual discussions and also requests via the helpdesk, users have been asking for an additional “very high” level to reject spam. Unfortunately, despite several months of tests, a small increase in the filtering threshold produces many false positives. This nonlinearity prevents the filtering threshold from being increased without forcing the user to check the CERN spam folder every day.

[Figure: The spam fight configuration tool, available for every CERN mailbox.]

[Figure: The advanced CERN spam filter configuration.]

Page 8

The majority of users requesting the “very high” level were owners of highly spammed mailboxes (more than 100 messages per day) and the increased probability of false positives only makes matters worse: the user is forced to check the messages manually in both the CERN spam folder and the inbox. Thus a better solution needed to be found.

No magic solution

The recent advanced mode set-up of the CERN anti-spam filter gives additional tuning options that should help users who receive more than 150 spam messages per day. These additional parameters allow better management of incoming mail, but there is no magic solution. To benefit from these additional features, it is essential to understand the underlying model, otherwise the risk of losing legitimate mail increases.

The advanced CERN spam filter configuration is available at http://cern.ch/mmms/Tools/Spam/ (under Advanced Mode) (authentication required).

The advanced set-up of the spam filter keeps all functionalities of the standard filter, namely:
● It allows the user to set the “filtering level”. In addition to the normal interface with “low”, “medium” and “high” levels, any positive numeric integer value is accepted, which allows intermediate filtering. Messages tagged with a score higher than the “filtering level” threshold are moved to the CERN spam folder.
● Setting the filtering level to 0 means that no messages will be moved and that the inbox-based filtering is switched off. However, this option does not disable the message analysis and message tagging with scores, which is therefore useful if alternative, client-side mechanisms are used for organizing messages.
● The “delete evident spam” option remains with identical functionality as for the simple mode. The filtering level for the automatic deletion is set to 20. This value is not configurable by the user.
● Similarly, the language-based detection provides the same functionality as with the simple mode interface.

To address the needs of users receiving large volumes of spam, the advanced interface provides a “quarantine level”, which is associated with a third, intermediate folder between the CERN spam folder and the inbox, called the Inbox.Quarantine. This folder appears after setting a quarantine level.

Only messages with a score below the “quarantine level” are delivered to the inbox. Messages with a score between the “filtering level” and the “quarantine level” are moved to the Inbox.Quarantine folder, thereby reducing the burden of sifting through a very large amount of spam in search of a few false positives.

Score of messages

If the quarantine level is activated, the user can even slightly increase the spam filtering level to reduce even further the risks of false positives in the spam folder. Something between 5 (high) and 7 is the recommended setting. For a filtering level of 7 the risk of false positives in the CERN spam folder is so small that you can simply forget about the existence of the CERN spam folder and focus only on the inbox and the Inbox.Quarantine folder. Given that the vast majority of spam will be delivered to the CERN spam folder, this will reduce significantly the number of messages to check manually.

The quarantine level should be set to a very low value, between 0 and 5, where a value of 0 means that everything coming from outside CERN and not explicitly trusted by your white list will be delivered to the Inbox.Quarantine folder. This will simply separate mail from inside CERN and the trusted white list (in the inbox) from external mail, and possibly a few spam messages (in the Inbox.Quarantine).

Mail headers can be displayed by right-clicking the message and then selecting Options.

Spam Check button gives details about how the score was calculated.

Inbox.Quarantine folder appears after setting a quarantine level.

Figure: Score of messages and action of the spam filter. The axis is the message score, calculated for every message, marked at –50, 0 (zero), the quarantine level (set by the user), the filtering level (set by the user) and 20. The actions labelled along it are: trusted mail, inside CERN, always delivered to “inbox”; normal “inbox” delivery; move to “Inbox.Quarantine” folder; move to “CERN spam” folder; delete (if “delete evident spam” option selected).

CERN Spam Tools toolbar.

Automatic white-listing a sender.


Internet services & network

Values for the quarantine level between 1 and 5 will deliver external messages with very low spam probability to the inbox and the others in the Inbox.Quarantine folder.

If you are using Outlook on a Windows-based desktop as your e-mail client, an additional toolbar called CERN spam tools is preinstalled.

False positives

The first button on the toolbar will delete the selected message and report it as spam so that the filter rules can be improved. This button should only be used for messages that have been delivered to your inbox despite a high filter level. There is strictly no need to report spam messages that have already been identified and tagged as such: just delete them.

The two other buttons are useful to handle false positive messages (i.e. valid messages that have been moved to the CERN spam or the Inbox.Quarantine folders). The middle button allows you to add similar messages to the white list, preventing them from being considered as spam. After clicking the middle button, make sure to select the right criteria (e.g. “from:”) and to click “Add Selected”.

Clicking on the last button, “Check Spam”, displays the spam filter score and explains how it was calculated. This is important if you receive a false positive and want to understand why it was considered spam. This should help you to tune your anti-spam configuration for working more efficiently in these hard times.

The “Spam Check” button gives details about how the score was calculated.

The spam filter score is also stored in the “Keywords:” field of the mail header as “CERN SpamKiller Note”. In Outlook, its value can be seen by right-clicking the message and selecting “Options”. This is the value that can be used for client-side filtering.

● This is the extended version of an article in the September issue of the CERN Courier, which can be accessed at www.cerncourier.com.

Emmanuel Ormancey, Alberto Pace, IT/IS
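The score model described in this article, written out as an added Python example for client-side filtering; it is not CERN's filter code. The exact layout of the tag inside the “Keywords:” header (`CERN SpamKiller Note: <score>`), the strict "higher than 20" test for deletion, and the sample message and scores are assumptions made for the example.

```python
import email
import re
from collections import Counter

DELETE_LEVEL = 20  # automatic-deletion level from the article; not user-configurable
# Assumed layout of the tag inside the Keywords: header.
NOTE_RE = re.compile(r"CERN SpamKiller Note:\s*(-?\d+)")

def score_from_headers(raw_message):
    """Return the score tagged in the Keywords: header, or None if absent."""
    keywords = email.message_from_string(raw_message).get("Keywords", "")
    match = NOTE_RE.search(keywords)
    return int(match.group(1)) if match else None

def route(score, filtering_level, quarantine_level=None, delete_evident=False):
    """Name the folder a message with this score ends up in."""
    if score is None or filtering_level == 0:
        return "inbox"             # untagged, or filtering switched off
    if quarantine_level is not None and quarantine_level > filtering_level:
        raise ValueError("quarantine level must not exceed the filtering level")
    if delete_evident and score > DELETE_LEVEL:
        return "deleted"
    if score > filtering_level:
        return "CERN spam"
    if quarantine_level is not None and score >= quarantine_level:
        return "Inbox.Quarantine"  # only scores below the level reach the inbox
    return "inbox"

def tally(scores, **settings):
    """Count messages per folder for one day's worth of scores."""
    return Counter(route(s, **settings) for s in scores)

# Constructed sample message and constructed scores for a heavily spammed mailbox.
SAMPLE = (
    "From: someone@example.org\n"
    "Subject: meeting notes\n"
    "Keywords: CERN SpamKiller Note: 6\n"
    "\n"
    "body\n"
)
DAY = [-50, -50, 0, 1, 3, 6, 7, 9, 14, 22, 35]

if __name__ == "__main__":
    print(score_from_headers(SAMPLE))
    print(tally(DAY, filtering_level=5))
    print(tally(DAY, filtering_level=7, quarantine_level=2, delete_evident=True))
```

With the constructed scores, raising the filtering level from 5 to 7 and adding a quarantine level of 2 leaves four messages in the inbox and three in Inbox.Quarantine to check by hand.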

For the past few months the number of viruses propagating by mail and running their own SMTP engine has been dramatically increasing.

These viruses work in a simple way: when a computer is infected, the virus scans files on the hard drive, searching for e-mail addresses and sending itself to each collected e-mail address, using another collected address as the sender.

This kind of attack is creating huge performance problems on the network, and for this reason many Internet service providers have closed the SMTP port (25) for outgoing connections from their customers, so that an infected computer cannot propagate viruses to any external e-mail address by itself.

The unfortunate side-effect of taking this measure is that legitimate customers can no longer connect to external SMTP servers, and particularly to CERN SMTP servers, in order to send out their e-mails.

CERN’s mail service has now opened an alternative SMTP server, which is running on port 2525, so as to bypass this problem, where necessary.

Configuration is simple: locate in the mail client configuration the Outgoing Server (SMTP) Settings, set the server name to smtp.cern.ch if this is not already done, and change the port from 25 to 2525.

Emmanuel Ormancey, IT/IS

The increasing number of spam and virus attacks inevitably leads to new policies and rules on the CERN mail servers. These are put in place in an effort to maximize the number of unsolicited e-mails that are rejected at the gateway level.

One of the most important rules is the reverse-DNS check on the remote server IP, which was set up on 16 June 2004.

When a remote server connects to CERN SMTP gateways, a reverse-DNS check will be carried out to find its name from the IP address. If no reverse-DNS is configured, the connection will be refused because the IP is “anonymous”.

This rule is one of the most useful for evident spam and virus rejection. A test phase revealed that up to 166 333 unsolicited mails per day could be rejected owing to their lack of a reverse-DNS configuration.

Unfortunately, a few legitimate mails were also rejected, because a number of legitimate mail servers have no reverse DNS, as a result of a lack of administration.

Facing the growing spam and virus problem, this lack of administration must be solved, because mail services will rely more and more on a trust scenario – otherwise they will become completely unusable.

If you are a mail service administrator sending mail to CERN from outside, make sure that your mail servers are properly configured with a reverse-DNS name for their IP address to avoid their rejection.

Emmanuel Ormancey, IT/IS
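A mail administrator can check the condition this article describes before a gateway does. The following is an added Python example, not CERN's gateway code: it reports the PTR name to configure and whether a reverse name exists, and it goes one step beyond the rule above by also checking that the name resolves back to the same address. The addresses, host names and fake resolvers are constructed so the check runs without a network.

```python
import ipaddress
import socket

def ptr_name(ip):
    """DNS name whose PTR record a gateway looks up for this address."""
    return ipaddress.ip_address(ip).reverse_pointer

def system_forward(hostname):
    """Addresses the hostname resolves to, using the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]

def check_reverse_dns(ip, reverse=socket.gethostbyaddr, forward=system_forward):
    """Return (status, hostname): 'no-ptr', 'ptr-only' or 'forward-confirmed'."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on bad input
    try:
        hostname = reverse(str(addr))[0]
    except (socket.herror, socket.gaierror):
        return ("no-ptr", None)              # the case the gateway rule refuses
    try:
        forward_addrs = {ipaddress.ip_address(a) for a in forward(hostname)}
    except (socket.gaierror, ValueError):
        forward_addrs = set()
    status = "forward-confirmed" if addr in forward_addrs else "ptr-only"
    return (status, hostname)

# Constructed zone data (documentation address range) standing in for real DNS.
FAKE_PTR = {"192.0.2.10": "mail.example.org", "192.0.2.20": "host.example.net"}
FAKE_A = {"mail.example.org": ["192.0.2.10"], "host.example.net": ["192.0.2.99"]}

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return (FAKE_PTR[ip], [], [ip])

def fake_forward(hostname):
    if hostname not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[hostname]

def audit(ips, reverse=socket.gethostbyaddr, forward=system_forward):
    """Map each outbound mail-server address to its check result."""
    return {ip: check_reverse_dns(ip, reverse, forward) for ip in ips}

if __name__ == "__main__":
    for ip, result in audit(["192.0.2.10", "192.0.2.20", "192.0.2.30"],
                            fake_reverse, fake_forward).items():
        print(ip, ptr_name(ip), result)
```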

Reverse-DNS configuration of the IP server is crucial

Alternative SMTP server on port 2525 will use CERN mail servers remotely

The deadline for submissions to the next issue of CNL is 18 October 2004.

If you have a burning issue that you’d like to write about, e-mail your contributions to [email protected]


Information corner

Edited by Nicole Crémel

The User Assistance Team in IT/UDS maintains a database for Questions and Answers that have been dealt with by the Computing Helpdesk. This provides many tips on daily computing issues. You can search the database at http://cern.ch/qa/.

Below is one example of a Question and Answer (Q&A), which is related to access rights to “public” folders.

Subject

Public folder inaccessible

Question

I want to access my colleague’s public folder where I know there is some data that is important for my work. However, the folder does not seem to have the necessary “read for everyone” permission anymore, and my colleague is absent now. Who can change the access rights?

Answer

The fact that a folder is called “public” does not mean that it has to be available on read-only for everyone, although this is the default CERN set-up for file systems like AFS or DFS (NICE).

In any case, the user’s decision whether or not to make/leave his/her public folder readable for everyone takes priority.

The CERN official statement concerning access to data belonging to someone who is absent is specifically addressed in Operational Circular No. 5 (OC5) in section IV, relating to “third party access to users’ accounts and data”. Only the CERN Computer Security Officer (CSO), the service managers for CERN computing facilities and all people expressly authorized by the director-general should have access to information contained in CERN computing facilities, following some conditions expressed in OC5 (like the absence of a user).

The above procedure should therefore be applied in case of the owner’s absence. Requests should be sent to the CSO from a departmental head or head of experiment with a justification of the serious impact on operations, after which the system responsible will set the necessary access rights.

Related links
● Changing access rights to NICE files (http://cern.ch/qa/1688)
● AFS access rights (http://cern.ch/qa/2490)

Changes to services in IT department are announced and published in the Service Status Board at http://cern.ch/it-servicestatus. Below are the most recent changes and their dates of posting.

Questions and answers from the Helpdesk

Recent changes to CERN’s IT services

29 July 2004   As of 1 August: external access to the CERN Linux 7.3.X repositories restricted
27             TCP Port 1034 blocked in firewall
20             Move and test stoppage of the old tape management system
12             Until end 2004: delay of file reload
6              Restrictions on software for personal and professional use
2              SMS 2003 client deployment
29 June 2004   Password for local administrator account changed
25             As of end 2004; phase 1, 1 July: ACB to be phased out
15             As of 21 June: Web security scan update
1              As of 15 June: registration of BOOTP and DHCP servers mandatory at CERN
27 May 2004    As of 15 June: CERN SMTP gateway change
27             As of 8 June: planned firewall protections
19             Computing Bookshop move to 513 R-047
6              Adobe Acrobat 6.0 Professional update
20 Apr 2004    Autorouter removal (“fuzzy-matching” for e-mail addresses)
20             No more FTP service on central websites
20             NICE login required to create/manage websites
7              Spam filter activated for all mail users
5 Mar 2004     Removal of Oracle software for Linux and Solaris platforms in AFS
1              Hummingbird Exceed version 9.0
1              E-mail attachments filtered
27 Jan 2004    TCP ports 3127-3198-10080 blocked in firewall
21 Oct 2003    Registration of computers mandatory at CERN
2              The validity of AFS passwords will be limited to a maximum of 1 year
2              Offsite ftp access will be closed and replaced by ssh (scp/sftp)
19 Dec 2003    New names for CERN mailing lists

Other general-interest Q&As and their corresponding websites

Windows (NICE - Office) related:
● http://cern.ch/consult/qa/3263 Windows Terminal Services at CERN
● http://cern.ch/consult/qa/3498 Excel transmits wrong amount of commas to csv file
● http://cern.ch/consult/qa/3505 NICE departmental or workspace share
● http://cern.ch/consult/qa/3509 Office XP at Home: license condition
● http://cern.ch/consult/qa/3525 Weekly virus administrator scan on PC
● http://cern.ch/consult/qa/3526 Windows XP: inconsistent search for file and folders

Unix (AFS–Lxplus/Lxbatch) related
● http://cern.ch/consult/qa/181 Login scripts: restore files .tcshrc .login, etc
● http://cern.ch/consult/qa/3520 Batch jobs: access to external network
● http://cern.ch/consult/qa/3522 Passwordless login to Lxplus for ssh connection
● http://cern.ch/consult/qa/3514 Request for AFS password change from AFS.Support

Mail (Outlook–pine–mail services) related
● http://cern.ch/consult/qa/3518 Mailing list rejected with exceeding header counts
● http://cern.ch/consult/qa/3519 Mail never delivered nor in the CERN Spam folder

Calendar

September

20–23 Global Grid Forum 12: Grids Deployed in the Enterprise, Brussels, Belgium, www.ggf.org/Meetings/GGF11/GGF12.htm

20–23 Cluster 2004, IEEE International Conference on Cluster Computing, San Diego, CA, http://grail.sdsc.edu/cluster2004

27–1 October CHEP’04, Computing in High Energy Physics, Interlaken, Switzerland, www.chep04.org

October

18–22 HEPiX meeting, Brookhaven National Laboratory, http://cern.ch/wwwhepix/meetings.html

26 GridNets 2004 Workshop: Networks for Grid Applications, San Jose, CA, www.gridnets.org