Apple surprised pundits last week with the release of iPod Photo, an iPod with a color screen that also stores and displays photos. At the same event, Apple also unveiled the iPod Special Edition: U2, and announced the European iTunes Music Store. Also in this issue, Adam looks at the Postini spam-filtering service, and we note the releases of Retrospect 6.0.204, Security Update 2004-10-17 (for Apple Remote Desktop Client), and an Office X 10.1.6 security update.
Go Vote! We strongly encourage those of you who are eligible to vote in U.S. elections to take the time to register your opinion about the actions of your local, state, and national government by voting in Tuesday’s elections. Every vote matters in at least a small way, and you never know which elections could come down to a single vote – yours. [ACE]
Retrospect 6.0.204 Released — Dantz Development, now owned by storage gorilla EMC, has released Retrospect 6.0.204 (that’s build 204 of Retrospect 6.0), to fix a number of subtle issues (see "Dantz Ships Panther-Compatible Retrospect 6.0" in TidBITS-714). The bugs fixed include one that could cause Retrospect to delete more files than it should under highly specific conditions when performing Duplicate or Archive functions, and another that could sometimes render a Mac unbootable after a restore of a system that had multiple Mac OS X updates applied. Other improvements include faster matching speed (and no more -108 errors) when restoring from a pre-Retrospect 6.0 backup set, more accurate matching of files on Linux clients, compatibility with Linux clients running under Red Hat 6.2, the capability to back up files and folders with high ASCII characters in their names from pre-Mac OS 9.0 and Linux clients, and proper handling of volume creation dates when duplicating. Retrospect 6.0.204 is a free update for all users of Retrospect 6.0; it’s a 24.7 MB download. [ACE]
Security Update Patches Apple Remote Desktop — Apple has released Security Update 2004-10-27, a patch to Apple Remote Desktop Client 1.2.4 that prevents a remote user from starting an application behind the login window, which would allow the application to run as root. The vulnerability exists on Mac OS X 10.3 systems with Apple Remote Desktop Client 1.2.4 installed and Fast User Switching enabled. On an unpatched system that has a user logged in, but the login window visible via Fast User Switching, an Apple Remote Desktop user with privileges to do so can start an application, which would run as root. (The vulnerability requires that the Remote Desktop user have a valid username and password to access the system; it does not expose the machine to unauthorized use.)
The 832K download, available through Software Update or the Apple Downloads page, only applies to Mac OS X 10.3 and later operating systems, and isn’t needed if Apple Remote Desktop has already been upgraded to version 2.1. [MHA]
Office X Updated Slightly — Lost temporarily in the news of the recent update to Microsoft Office 2004 (see "Microsoft Office 2004 for Mac Service Pack 1 Squishes Bugs" in TidBITS-751) was the fact that Microsoft also updated the older Office X on 13-Oct-04. The improvements in the Microsoft Office v.X for Mac Security Update (10.1.6) include proper functioning of Word X’s AutoRecover when FileVault is enabled (not that we recommend FileVault in most situations), and a fix to a bug that caused Entourage X to stop responding when certain corrupted email messages were received with the Junk Mail Filter enabled. Word X, Excel X, and PowerPoint X all receive an added level of security that affects macros that open other macro-containing Office documents. It’s a 38.4 MB download. [ACE]
DealBITS Drawing: DayLite Winners — Congratulations to Chris Manderson of telus.net, Donovan Watts of iceplant.org, Daniel Murray of mac.com, and Peter Jensen of netaxs.com, whose entries were chosen randomly in last week’s DealBITS drawing and who each received a copy of Marketcircle’s DayLite. Everyone else who entered received a 10 percent discount off the purchase price of DayLite. Thanks to the 364 people who entered, and keep an eye out for future DealBITS drawings! [ACE]
The design of Apple’s recently replaced G4-based iMacs made it extremely easy to adjust the position of the LCD display for optimal viewing as you moved around in your chair or conferred with someone else about something on the screen. The new iMac G5, sleek and iPod-like though it is, lacks much of that adjustability, since the screen can only tilt up and down through 30 degrees of motion. For any kind of side-to-side, forward-and-back, or rotational adjustment, you must move the entire iMac, which isn’t necessarily an easy task, given that it weighs in at either 18.5 pounds (8.5 kg) for the 17-inch model or 25.2 pounds (11.4 kg) for the 20-inch model. The same problem affects Apple’s current aluminum Cinema Displays, which weigh between 14.5 pounds (6.6 kg) and 27.5 pounds (12.5 kg).
If you find yourself frustrated whenever you want to adjust the position of your iMac G5 or Apple Cinema Display, or if you just like to push it out of the way at times, check out the iMove from MaxUpgrades. The iMove positioning table is a thin black base with durable plastic rollers, onto which your iMac or Cinema Display fits perfectly. It raises the iMac or display by only an inch, so stability isn’t compromised, and the rollers provide complete freedom of movement around your desk with minimal effort. The base of the iMac or display fits flush into the iMove, providing a flat surface for holding a keyboard out of the way as well.
Apple last week fulfilled the wish of every Internet discussion-forum enthusiast who’s longed for the capability to view photos on a tiny color screen. The new iPod Photo incorporates a color screen into the existing iPod form factor, enabling users to view digital images in addition to listening to music. The 220 by 176-pixel screen can display up to 65,536 colors. Like iPhoto, the iPod Photo can display screens of thumbnails (25 images at a time), or single photos by themselves, using the iPod’s scroll wheel and middle button. It can also display album art for songs as they play. The device comes in two configurations: a 40 GB model for $500 and a 60 GB model for $600; both are available now.
In a bit of a conceptual disconnect, photos and photo albums are synchronized using the Auto-Sync capabilities of iTunes 4.7, which was released as a free 10.5 MB download. iTunes was probably chosen as the conduit because iPhoto doesn’t exist under Windows; it can also pick up photos from Windows applications Adobe Photoshop Album 2.0 and Adobe Photoshop Elements 3.0, or from a designated photos folder on either operating system. The Auto-Sync process converts your photos to lower-resolution versions for display on the screen, but you can opt to store high-resolution versions on the iPod, too.
If the iPod’s screen is too small for your taste, an included AV cable connects the iPod Photo to a television for slideshow playback. An iPod Photo Dock, included with both models, adds an S-video connector.
Contributing Editor Glenn Fleishman pointed out that these connectors make the iPod Photo a remarkably compact presentation manager: load up your PowerPoint or Keynote presentation (after converting the slides to individual images), plug in a video projector, and leave the laptop in your hotel room. It’s not far from what Adam did with his Canon PowerShot digital camera at a user group presentation when a projector failed to show up (see "The PowerShot Presentation" in TidBITS-669).
Apple claims that battery life is improved on the new model, with up to 15 hours of continuous music or 5 hours of continuous slideshows with music.
Does the iPod Photo herald the imminent arrival of a video iPod? Although the existing color screen wouldn’t realistically be suitable for video playback, having video-out capabilities could, in theory, turn the iPod into a portable video playback device – a portable TiVo, if you will, for watching movies and television shows while you’re on the road. The problem is, you can already do that with a PowerBook or iBook. And Steve Jobs has made it clear that Apple believes photos are more compelling on a portable device such as the iPod right now, compared to other video devices that are already on the market. I do think that Apple is slowly laying the paving stones required to someday offer videos on portable devices and via the iTunes Music (Media?) Store, but only according to Apple’s schedule.
U2 Can Enjoy an iPod — In other iPod news, Apple announced the iPod U2 Special Edition model. In addition to engraved signatures of the members of the band U2, the front face is black instead of white, with a red scroll wheel; it’s available only in a 20 GB configuration. It also includes a $50 gift certificate that can be applied to "The Complete U2," a digital boxed-set of the band’s music containing 400 songs and 25 unreleased tracks. (Contrary to some reports, no music from U2 is included on the iPod.) An included exclusive U2 poster will no doubt seal the deal for some fans. The iPod U2 Special Edition will be available in mid-November for $350.
European iTMS — Finally, Apple also announced that it has launched a European version of the iTunes Music Store. Previously available in the U.S., France, Germany, and the United Kingdom, the EU iTunes Music Store now also supports Portugal, Spain, Luxembourg, Italy, Greece, Austria, Belgium, The Netherlands, and Finland, all with songs priced at EU0.99 apiece. Apple also says it finally plans to launch its iTunes Music Store in Canada during November.
Also noteworthy is news that a version of the iTunes Music Store for Ireland (the only European Union nation not included in last week’s announcement) was apparently planned for the EU rollout, but some last-minute glitches held it up. Hopefully we’ll see it come online soon.
From what I gather, the spam problem continues to worsen, but thanks to the domain-level anti-spam service from Postini, I and others who receive mail at tidbits.com are no longer drowning in a fetid tide of spam. That’s not to say that Postini has completely eliminated spam for us, but I was receiving about 1,000 pieces of spam per day before Postini, and now only 10 to 30 per day make it through to Eudora (where SpamSieve promptly dumps them into my Junk mailbox).
As these numbers show, Postini is not a magic bullet. Spam hasn’t disappeared entirely from my life, and in fact, I now have two quarantines (Eudora’s Junk mailbox and Postini’s online webmail-like quarantine) to check for false positives. But the constant onslaught has abated, and the psychic toll it exacted has lessened by an astonishing amount. Postini isn’t perfect, but I in no way regret signing up with them, and it’s easily worth the $1 per protected account per month that digital.forest charges for the service.
Initial Pain — There are two basic modes for Postini, setup and regular usage. You only go through setup once, though if you’re the administrator for your domain, you may have to dip into the Web-based administration interface occasionally to tweak settings for a user. Unfortunate though it was for this review, Postini significantly improved the administration interface after I set up my account, making it difficult for me to say exactly how it would work now for someone coming in fresh.
That said, when I set up my account under the previous administration interface, I was unimpressed. The interface was confusing and arcane, and only with the help of Bill Dickson (my co-author on my second book, Internet Explorer Kit for Macintosh, and now a technical guru at digital.forest) was I able to figure out an appropriate strategy for our setup.
Here’s the problem. Like most domains, I have a number of real users (mostly staff and family), and I wanted their accounts to be protected by Postini. But I also have quite a few alias accounts that come to me (or to other staff members) and unlike most domains, we run a slew of mailing lists and auto-replies, each with their own addresses. I didn’t want to pay for each of these automated accounts (since that would radically increase our overall cost), nor did I want to take the time to check the quarantines for each one on a regular basis. So Bill and I worked out a four-step approach.
First I identified all my real users in Web Crossing, made some lists, and informed them manually of what was going to happen. Importing those addresses into Postini was easy, although glitches in the previous Postini administration interface meant that people didn’t receive custom welcome messages properly. Second, I added the alias accounts to the appropriate real accounts; Postini charges on a real user basis, so there’s no downside in having lots of aliases. Third, instead of trying to identify and import all the automated accounts, I changed Postini’s "default user" such that spam filtering (and thus charging) was turned off, and I turned on automatic account creation. Fourth and last, I changed the MX records in my DNS settings so all mail to tidbits.com flows through Postini’s mail servers before it comes to my server.
This third action – automatic account creation – turned out to be subtle and important. It would be nearly impossible for me to identify every automated account we have and might create in the future, particularly because it’s so easy to set up a mailing list in Web Crossing. Postini’s automatic account creation looks for legitimate incoming mail, and creates accounts automatically, but since it’s always possible that spam will appear to be legitimate (or that someone will just type a username in a tidbits.com email address wrong), it’s important that those automatically created accounts not employ spam filtering and thus stay out of our monthly bill.
I discovered the problem with automatic account creation shortly after enabling Postini. I connected to the administration interface and found my account included not hundreds, but many thousands of users. It turns out that Web Crossing, like some other mailing list management programs, sends messages to list subscribers from unique addresses, making it easier to link particular subscribers with bounce messages that come back. In essence, this meant that for every bounce that came into Web Crossing, Postini created a new account (nearly 23,000 so far). Although there is no way to delete all these bogus accounts as far as I can tell, they don’t appear to get in the way, so I’ve just left them alone. The other downside to this approach to creating unprotected accounts automatically is that when I do want to create a new protected account, I have to do that manually. That’s fine, though, since such an action has a real-world cost attached to it.
In the end, although my feeling is that Postini’s current administration interface is a lot more understandable than the previous one, you must still think carefully about what you want to do if you regularly create new accounts that either should or should not be protected by Postini.
In fact, I’ve mostly gone into the administration interface to add many of my mailing lists’ management addresses to my account as aliases. That enables Postini to weed out the vast majority of the malformed spam that was causing conniption fits for our elderly ListSTAR server, and since I check for false positives in these accounts simultaneously with checking for my main account’s false positives, there isn’t much added work. In some cases, the aliases actually save effort, since seeing three to five spam messages with identical subjects makes for easier identification than if I had to read the subjects more closely.
Regular Usage — Everything I just described is of interest only to the person who will be managing a Postini setup. Normal users whose email addresses are protected by Postini don’t have to mess with any of that and enjoy a significantly simpler experience. Here’s how I use Postini as a normal user.
I’ve set up Script Software’s iKey to open the Postini Message Center Web page automatically every morning at 9:00 AM. The Message Center is basically a webmail client that shows you two lists of messages: the Virus Alert list containing virus-infected attachments, and the Suspicious Junk Mail list of messages that Postini thinks might be spam. For each message, you see the sender, the subject, and the date, and for the possible spam messages, there’s also a column that tells you what category of spam the message might belong to (generic bulk mail, naughty bits, get rich quick schemes, special offers, or – one I’ve never seen triggered – racially insensitive messages). You can sort the lists by any of these columns; sorting on subject works well for me because of the many duplicate messages I get.
I ignore the Virus Alert quarantine list, so Postini automatically deletes messages with virus-infected attachments after some period of time. The main reason for ignoring these messages is that as a Mac user with a widely known email address, my address is spoofed by worms all the time, resulting in a lot of virus-infected messages sent to me, and another bunch bounced back to me after my address has been used for the From line. Today alone I’ve received nearly 70 such messages. Since the likelihood of me receiving a legitimate but infected attachment is next to nil, there being almost no Mac viruses, even scanning the list seems a waste of time.
I do feel badly for PC users who might want to see messages with infected attachments, since Postini’s webmail-style interface is lousy here. Although you can sort by sender, subject, and date, you can display (and thus remove) only 10 messages at a time. If there is a legitimate message, you can click its subject to view and then choose to deliver it as is, or fix and deliver; I have no way of knowing how effective the fixes are (Postini uses anti-virus software from McAfee).
The Suspicious Junk Mail list isn’t limited to displaying only 10 messages at a time; it can show up to 200. You can of course click a subject to view the associated message, and for those legitimate ones that are caught incorrectly, you can choose to deliver them, or deliver them and add the sender to a whitelist. There are also shortcut controls for removing all the visible messages and delivering selected messages.
Postini’s user interface suffers in comparison to webmail clients I’ve seen, but it is functional. At first, I found it rather clumsy, given the amount of spam I get and the frequency of false positives (one or two per day). I’ve subsequently figured out a usage technique that works extremely well. First, I click the link that selects all the messages, 99 percent of which are spam. Then I scroll through the list, scanning the subject column for potentially legitimate messages. This task turns out to be easy, perhaps easier than in Eudora because of the extra white space in the display. For each legitimate message, I deselect its checkbox. At the end, I click the Remove button to trash all the spam, leaving just the legitimate messages. Then I select all of them, click the Deliver button, and for permanent sender addresses (as opposed to the temporary bounce addresses used by some mailing lists) I add them to my whitelist. For those temporary bounce addresses, I copy the domain, click the Junk Email Settings link, and add the entire domain to the whitelist (it would be more efficient if Postini offered an option to add either the full email address or just the domain during the approval process; such interface niceties are generally missing in Postini). Don’t assume you can use the whitelist as you would in a client email program; it’s reportedly limited to 4,000 characters, and should be used only for the addresses sending mail that Postini is filtering incorrectly.
Most of my other users don’t receive nearly as much spam, so they visit their quarantines less frequently (Postini can send reminder messages to let you know you have quarantined mail waiting) and are less likely to see false positives. Some people, including Tonya, have decided they’re too busy to bother checking, so they undoubtedly miss a few legitimate messages here and there.
The main feature Postini’s Message Center lacks is a search field – if you’re missing a message, being able to search for it rather than scroll through all the possibilities would be a great help, particularly for those users who don’t visit the quarantine regularly.
Filtering Accuracy — Just how good is Postini’s filtering? I wish I could say for sure, but metrics are tricky for a number of reasons. Before anything else, Postini checks incoming messages against what they call the Blatant Spam Blocker, and from what I can tell, that takes out as much as 80 percent of my spam without even letting it into my quarantine list. I was receiving about 1,000 spam messages a day, and now my quarantine shows me about 125 messages a day. However, remember that my quarantine actually displays spam messages received by over 30 accounts, whereas my 1,000 messages were to only about 5 accounts. Of those 125 per day, it’s entirely common for 1 or 2 to be legitimate, although I can usually understand why Postini would have considered these messages suspicious. I receive a lot of press releases and mail from companies about product offers, and it’s difficult to differentiate them from the latest too-good-to-be-true offer from a spammer. Then there are the 10 to 30 spam messages that Postini allows through. Further confusing the measurements is the fact I haven’t yet locked down Web Crossing’s SMTP server such that it accepts incoming SMTP mail only from Postini and a few of our servers, and some spammers deliver mail directly to our Xserve’s IP number, thus bypassing Postini entirely. (That configuration change will be happening soon; I hadn’t realized how much spam was coming in that way.)
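The amount of mail that skips the filtering service by connecting straight to the mail server, as described above, can be measured from the server's connection log before the lock-down is applied. The script below is an added example and not part of the original article; the log format, addresses, and network ranges are constructed placeholders, not Postini's or Web Crossing's real values.

```python
import ipaddress
import re
from collections import Counter

# Placeholder networks from the RFC 5737 documentation ranges. They stand in
# for the filtering service's delivery hosts and for your own servers; take
# the real values from your provider and your own inventory.
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.16/29")]

# Constructed sample in a hypothetical log format:
#   <timestamp> connect from <peer-ip> rcpt=<address>
SAMPLE_LOG = """\
2004-11-01T09:00:01 connect from 192.0.2.25 rcpt=<ace@example.org>
2004-11-01T09:00:07 connect from 203.0.113.77 rcpt=<ace@example.org>
2004-11-01T09:01:12 connect from 198.51.100.18 rcpt=<list@example.org>
2004-11-01T09:02:30 connect from 203.0.113.77 rcpt=<info@example.org>
2004-11-01T09:03:44 connect from 203.0.113.9 rcpt=<ace@example.org>
2004-11-01T09:04:00 garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) connect from (\S+) rcpt=<([^>]*)>$")


def classify(peer):
    """Return 'gateway', 'trusted', 'direct' or 'invalid' for a peer address."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        return "invalid"
    if any(ip in net for net in GATEWAY_NETS):
        return "gateway"
    if any(ip in net for net in TRUSTED_NETS):
        return "trusted"
    return "direct"


def would_accept(peer):
    """The lock-down policy: only the gateway and our own servers may deliver."""
    return classify(peer) in ("gateway", "trusted")


def audit(log_text):
    """Summarise which inbound sessions skipped the filtering gateway."""
    counts = Counter()
    bypass_peers = Counter()
    bypass_rcpts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep a tally so format drift is noticed
            continue
        _timestamp, peer, rcpt = m.groups()
        counts[classify(peer)] += 1
        if not would_accept(peer):
            bypass_peers[peer] += 1
            bypass_rcpts[rcpt.lower()] += 1
    parsed = sum(counts.values())
    bypassed = sum(bypass_peers.values())
    return {
        "counts": dict(counts),
        "bypass_peers": bypass_peers.most_common(),
        "bypass_rcpts": bypass_rcpts.most_common(),
        "bypass_ratio": bypassed / parsed if parsed else 0.0,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("sessions by source:", report["counts"])
    print("share that skipped the gateway: {:.0%}".format(report["bypass_ratio"]))
    for peer, n in report["bypass_peers"]:
        print("  direct peer {} ({} sessions)".format(peer, n))
    for rcpt, n in report["bypass_rcpts"]:
        print("  recipient reached directly: {} ({})".format(rcpt, n))
```

Running the audit first also shows whether any legitimate sender would be cut off once the server accepts SMTP connections only from the listed networks.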
Overall, Postini claims 95 percent accuracy and less than 1 percent of false positives, and that seems roughly accurate. SpamSieve is better, though comparing a single-user tool like SpamSieve to the multi-user Postini isn’t quite fair.
These numbers raise the question of exactly how Postini filters incoming mail. My contacts at Postini won’t say exactly how the system works, presumably to keep spammers from circumventing it, but the FAQ says they use "an advanced filtering technique … built on heuristic rules, lists of approved and blocked senders, and databases of known junk email." In other words, Postini is a black box, though a black box whose sensitivity you can set in certain categories. Remember those categories I mentioned earlier? You can adjust, on a five-point scale, Postini’s aggressiveness in holding suspicious messages in your quarantine. The more aggressive your settings, the fewer spam messages will make it through Postini, but the more legitimate mail will be caught in the quarantine. That’s the other reason I was waffling on how effective Postini has been – I’ve chosen somewhat aggressive settings, and I’ve been slowly increasing the aggressiveness as I become more comfortable with how Postini works. There are default settings for a domain that the administrator can set, and every user can override them individually.
One annoyance is that Postini apparently analyzes only mail written in English. Since I get a vast amount of spam from China, Korea, and Japan, it’s frustrating to know that Postini could catch more of those messages, since almost all of them (short of the Japanese translation of TidBITS) are guaranteed to be spam, given that I can’t read any of those languages. Despite this limitation on language analysis, Postini still clearly eliminates a great deal of foreign-language spam during the Blatant Spam Blocker pass, and a good many messages that appear in my quarantine are also in other languages and character sets.
Can Postini be trained? Yes, but not by individuals, short of your whitelist and another list of permanently blocked senders. You can forward spam that gets through to Postini, but doing so merely suggests the message as one to learn from. Although that may make you feel powerless, it makes sense, since people are notoriously inaccurate when identifying spam, particularly now that many people consider any message they don’t want as spam, even if they signed up to receive it. However, Postini provides service to 3,700 domains with 5 million end users, who receive 1.3 billion messages every week. That volume is almost unimaginable, but it ensures that Postini has a massive store of spam to analyze for patterns. The volume also explains Postini’s conservative approach to improving the end user interface and allowing user-based training.
The current administration interface does offer some reports for the administrator, so I can tell, for instance, that Postini lets about 70 percent of incoming messages to tidbits.com go through, and quarantines about 30 percent. I can see which of my users receive the most messages, the most spam, and the most viruses. The reports appear to go back only about 45 days, though, limiting their utility for trend reporting.
Ambivalence and a Recommendation — You may have noticed a certain level of ambivalence in my report so far. It stems from the fact that Postini is not the be-all and end-all of anti-spam services. Its methodology is unknown, and not as good as other tools I’ve seen. Its interface is usable but mediocre, unless you need to scan virus-infected messages, at which point it’s poor. It doesn’t allow user-level training and doesn’t pay full attention to mail that’s not in English. And it isn’t smart about ignoring, or allowing the mass deletion of, temporary addresses used by mailing list software for bounce tracking. In short, Postini is not an ideal service for the technically savvy email administrator who understands anti-spam techniques and enjoys getting a little dirty while maintaining an anti-spam system. Such people should stick with lashed together open-source anti-spam programs, which can be highly effective, if time-consuming to set up and maintain. (Contributing Editor Glenn Fleishman has set up such a system, and we hope to tell you about it soon.)
Years ago, I fell more into that camp. Now, I’m just sick of thinking about spam, and if Postini can do as good a job as I’ve seen it do on my mail for $1 per month per account, that’s money well spent and time happily regained. Not long ago, I received a renewal notice and $200 invoice from the MAPS service, which sells access to a real-time blackhole list that we used before our switch to Web Crossing. I’d forgotten that we paid $200 to MAPS each year; now Postini seems like an even better investment, since our yearly bill won’t be too much more than the MAPS payment. My users have gone from moaning about how much spam they got to gushing about how completely Postini has solved their spam problems. My mail and list servers, all four of which have been taken out by malformed spam at one time or another (and which often require significant effort to bring back online), are more stable. As I said at the start, being able to stop dealing with the massive influx of spam has been a huge psychic weight off my shoulders.
There are of course competitors to Postini, and I even received pleasant email from several of them after I announced our Postini trial, offering similar free trials. In an ideal world, where I had the time and energy to satisfy my intellectual curiosity about everything, I would have taken them up on their offers. But as it stands, I can’t imagine turning off Postini in favor of something that might not work as well.
So, despite my technical ambivalence about some of the ways in which Postini is implemented, I definitely recommend the service to anyone who needs to deal with spam to an entire domain and doesn’t want to think about it much after setup. (If you have a normal email account at an ISP, you can’t use Postini unless your ISP offers it.) The price I’ve been quoting – $1 per month per account – is available only through digital.forest, the network service provider and Web hosting service we’ve long relied upon and recommend. It may be more cost-effective for large organizations to work directly with Postini, but if you don’t have thousands of accounts and are interested in using Postini’s services, contact digital.forest via email at <[email protected]> or use the phone: 877-720-0483, option 2. You might need a little hand-holding with your setup, but I hope my explanation of how you want to configure Postini for real accounts, alias accounts, and automatically created accounts helps smooth the process a bit. In the end, I think you’ll be happy with Postini’s service.
The second URL below each thread description points to the discussion on our Web Crossing server, which will be much faster.
Experiences with Missing Sync & Friends — A reader runs into irregularities when synchronizing his Palm handheld using The Missing Sync. (4 messages)
DVDs and NTSC/PAL — DVD video is stored as compressed MPEG2 data, but is there a difference between DVDs formatted with the NTSC and PAL video standards? (5 messages)
Useless password prompts — One security feature of Mac OS X is that the user is prompted to enter his or her administrator password before installing certain types of software. But is the frequency of such password prompts making people less diligent about verifying the validity of what actions are being requested? (7 messages)
Editing JPEGs and losing information — Charles Maurer’s articles about working with digital photos bring up the question of how best to shoot and import your pictures without encountering JPEG compression, which discards image data. (4 messages)
Sending HTML Messages from Eudora — Some people would argue that HTML email is evil, while others acknowledge that sometimes it’s useful or even essential. Setting aside the philosophical implications of flirting with pure evil, how would one correctly send HTML-formatted messages from Eudora? (4 messages)