One thing I've noticed about all the weblogs out there is a significant lack of content on certain topics. Management and dealing with management issues is one example. There are a few out there that are quite good, but it's not a common topic. Probably because it's not exactly exciting, geeky or all that interesting to the average person. Or maybe because managers are afraid to talk publicly about problems they run up against. Or because not many managers blog. Personally, I run across complex issues all the time, and I enjoy talking about them in an appropriate way. I think it makes me a better manager in the long run to hear what others have to say. Hence this weblog entry.

A while back I was meeting with one of the people I work with and discussing the variety of ways communication problems can drag an organization down. It was one of those typically generalized philosophical conversations, the kind I like to think of as learning moments. Some call them teaching moments, which is also accurate, but I like to remember I can (and better) learn while mentoring, too. It's a given that inefficiencies can make it difficult to get things done in business, and inefficiencies in communication can certainly have a significant impact. As we traded thoughts back and forth on the topic, I realized that my compadre was unawaredly mixing two different problems together, and classifying them as one. We stopped for a moment, and I explained to him what I see as the difference between communication and behavior problems. There is a fundamental and critical difference, I pointed out - one that is often overlooked and misunderstood.

We've all known people who say or do things that don't contribute in a positive way to an effective team or organization. Unfortunately we often describe such people as having "communication problems," when in fact what they exhibit is instead a complex set of behavior problems.

Because the two types of issues are fundamentally different (as are the respective solutions), a well-honed ability to recognize the difference between them is an valuable and important management trait for one who has the desire to make changes in this area.

A communication problem exists when there is a process gap or other barrier that makes it impossible to successfully communicate some critical information. For example, in the IT support world, we often wonder why users don't provide us with the information we need to help them. Instead they tell us a life story and pass on a lot of information that won't help us solve the problem, all while leaving out the critical nuggets of data. Then the IT employee wonders why and spends significant time chasing users down and trying to gather the missing details needed to work the issue.

But the communication problem in this case is not the lack of information provided by the customer. Rather it's the lack of a properly-defined process. I suggested, in our hypothetical conversation, that if an IT help desk employee has to regularly perform the same tasks and if the information necessary for success is challenging to gather from users, then the solution should be in doing something to ensure the proper information is collected and that the users know what's needed and expected. That's a communication process. And a well-defined communication process does a couple things: It sets clear, unambiguous expectations and provides a known mechanism to accomplish the activity it defines. It also needs to be reasonable and usable, to be fully successful. Perhaps the IT help desk would deploy a standard form, for example, which collects all of the information required to resolve a class of issue. At that point, once the user population has been made aware of the form and process, it is reasonable to expect the users to take advantage of the tools and instructions provided.

Now, if our information communication process is in place and communicated effectively and sufficiently, yet the people to whom the process applies neglect to do their part, we no longer have a communication problem. At that point, we have graduated to a more complicated class of issue: The behavior problem.

Behavior problems are individual in nature, and are more closely related to personality and situational issues. They're not typically resolvable with processes. Instead, they require individual guidance and potentially some form of discipline. Now, the term "discipline" here does not have to be a negative word. Rather, I use it in the context of behavior and performance management. And what works for one won't always work for the rest. This is the area where the professional manager earns his or her stripes: Working with people to change default behaviors in situations where the behavior cannot work. It's hard work.

Perhaps the most useful set of terms we can keep in mind when it comes to defining the issue and a solution: Communication Management and Behavior Management. Understanding these and knowing the differences are what we really need to be concerned about. That and the fact that even with a good communication method in place, it still takes the people and personalities that can and will work within any processes established to be successful.

What kinds of behavior problems are often confused with communication issues? Well, there's the "that's not what I want" class of problems. And then there's the "I didn't think of it so I can't get behind it" philosophy. Or the "that doesn't apply to me because I decided I didn't want it to" issue. Often behavior problems involve some form or another of what I refer to as "terminal uniqueness" - People who believe that they are different and their jobs, situations, wants, needs, requirements and desires are completely different than those of anyone else, and  that therefore nobody else can possibly understand or make decisions that might affect whatever they're focused on. And there are, of course, many more.

Anyhow, I have a variety of stories from my own management experience (both as related to me personally and with others) that illustrate this point, but one person's examples only help to define the situation in a self-limiting form. Do you have examples of your own experiences where the cliche "communication problem" term has been applied, but in reality the issue was people not playing nice? How do you deal with those situations and people?

And I should finish up by pointing out that I am far from perfect in this area. None of us are. I've not been the easiest person to manage at times over the years, to be sure. But a good healthy conversation helps us all to be aware of what's happening around us and within us, and allows us to learn and grow. So, let's converse.

What do you think?

I ran across the Giveaway of the Day web site the other evening and was intrigued. I've watched it for a few days now and have downloaded a couple of the programs they've offered. Basically, the site has a different piece of commercial software (typically smaller, utility-style stuff but you never know) that they give away for free for 24 hours. The catch, if you can call it that, is that you can only download any given program during its 24-hour offer period, and you have to install it during that period, as well. If you wait and try to install it later (as I did in once case), the product cannot be successfully registered.

But for free, whatcha gonna do, complain? I mean, come on. Heh. This is an interesting vehicle for getting people to check out other software offered by the companies whose software is featured, I suppose (they show examples of other software titles offered by each company with links).

Worth checking out. Be sure - as always - to use caution whenever downloading any software from the Internet. Good antivirus and antispyware software is important to have in place and running before you start downloading stuff. Heck, before you ever use the Internet for that matter.

In addition, the site has a freeware library that contains some interesting stuff as well as a Game Giveaway of the Day site. Same methodology, only it's games you get to play with.

Here are today's software and game give-away's:

The Guardian (in the UK) has a writer who points out that there are 164 branches of Starbucks within five miles of Regent and Wigmore Streets in London. That got me to looking around a bit, and I discovered that within 20 miles of where I work, there are no less than 184 Starbucks stores. Luckily I live in the middle of nowhere, so there's nothing near my home. I used to live right across the street from one until move out here. Talk about pricey!

How much should you be worried? Check out the Starbucks store locater for yourself and see what your situation looks like.

Makes me think... Is Starbucks the new Marlboro? I quit smoking a few years ago...

Okay now people, those of us who grew up elsewhere in snow and ice know what it means to drive in it (and have a bunch of reasons not to). I mean, I learned to drive in three feet of snow ferchrysake... There are times when you just have to restrain yourself. So, if you live in a city where it gets icy once or twice a year, and if the only way you can drive halfway decently is if its dark and cloudy but completely dry on the ground (you know, when even direct sunlight makes you lose control), then please please please please... just don't leave the house when there is snow or ice on the ground. Especially in a vehicle. That nice AWD car or four wheel drive SUV won't help you one little bit as soon as you touch the brakes... But it will dent. There is no force field.

Evidence to support my argument is available by clicking the pretty picture. Please review. TYVM:

(photo from King5 News)

"Elementary teacher Derek Porter witnessed 15 different car
collisions on icy roads outside his Portland apartment
Tuesday morning and caught several on home video."

I know, I know... All us security pros are often looked upon with disdain. We "make your job harder" and "come up with policies and rules that make it impossible to do any work." On those exaggerated points we can agree to disagree. We have to strike a balance, which can be hard to do at times, and below is just one of many, many reasons why. I wish I could discuss all the Bad Things(tm) that cause us to do the things we have to do, but unfortunately that's not always possible.

A recent UTube video shows how a simple browser address typo can result in a complete mess, from a security standpoint. And in the grand scheme of things, this particular security issue is relatively small.

But for the average computer user it's a big deal. Take a look for yourself.

The dramatic accompaniment music is fun (and superfluous), but the threat is real, and not fun. Imagine how you would respond to this problem. Or would you even respond. Many people just pretend it didn't happen and keep on using their computer. I can't tell you how many times someone has told me, "I have a virus son my computer, it's been there for a couple months and it keeps getting worse."

And the whole time they use their computer to do online banking, pay bills, and all those things that should be protected.

I recently moved the greghughes.net domain (web site, mail and everything else) to a godaddy.com virtual dedicated server. In doing so, I lost the anti-spam services that were previously provided by my old web host. Needless to say, the resulting load of spam was fairly overwhelming. My prior host had an appliance out front that caught the better part of the junk email headed for my email server, but a fair amount still got through. At any rate, the move and resulting lack of junk mail protection necessitated a thoughtful look at the options out there.

My criteria were as follows:

1. Needs to be software I can run myself. I've had my fun (yeah, that's sarcasm) with expensive services that are not overly effective. Complicated billing, archaic payment systems (invoices without a dollar amount? what?) and a couple hundred bucks or more a year was not for me.
2. Preferably open-source. Nothing solves problems that plague the community like the members of the community, so I figured there must be something out there that the afflicted masses build and maintain.
3. It had to stop spam, not just identify and tag it. My email server (MailEnable) is already capable of detecting and "flagging" emails as spam, but that doesn't stop it from getting to my mail server in the first place. The goal was to prevent, not react. So I was looking for a gateway-like solution - something that receives all the inbound email, checks it, and forwards on only the good stuff.
4. It needs to learn how to act. Static rules don't work. We see it in the fraud world, and it certainly applies to spam battles, as well. The system has to be able to learn and adapt and operate in the context of my email accounts.
5. It needs to be kept current. An open source project that no one has worked on for six months or more is likely a dead project, and that won't get you anywhere in a world where the landscape changes constantly. Spammers change tactics a lot, and the tools to prevent spam have to evolve to keep pace.

I did a bit of research, and frankly I came up with very little that met all my criteria. Sure, there are a whole slew of commercial products out there, but as I said before, I was looking for open source and free (or very close to it). I'm not looking to buy.

The one thing I found that truly seemed to fit the bill was ASSP, which stands for Anti-Spam SMTP Proxy. It's an open source, Perl-based gateway application that you can run on any operating system that supports the Perl interpreted language (which is pretty much all of them). It requires Perl v5.8 and a specific set of Perl modules, and it can be run as a daemon/service. ASSP has been updated about every two months in the recent past, with the most recent update having been in December (as of the time of this writing).

"The ASSP server project is an Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam."

I quickly downloaded the ASSP files, installed the necessary Perl modules and was on my way. I had the ASSP service up and running within just about 15 or 20 minutes. Note that to get the app to run as a service, you will need to manually edit the config file and set the flag in there to specify that you want to run it as a service, or else the only way you'll be able to get it to start is on the command line. Alternatively, you can start ASSP from the command line, access the web admin interface, and change the setting there. Once you do so, you'll be able to start the Windows service or run the daemon in Linux or whatever OS you're working with.

The first thing I did after getting the service set up was to access the web administrative interface and change the default admin password. Do that first. Please. Then I put all of the anti-spam options into "training" mode and I specified a few of the basic server settings (like my domain and email account). I set it up to accept all inbound connections for email (SMTP) from the Internet on port 25, and to forward all emails that are determined not to be spam to the MailEnable server on another (unused) port. Since the MailEnable SMTP server is on the same host, the configuration and security setup was pretty simple. Of course, I them spent some considerable time looking through the many, many settings available. It's cool stuff, but you don't have to tackle it all right up front.

It's worth mentioning here that the ASSP wiki has a lot of good information about setting you system up. Be sure to refer to that resource. If you do, you can be up and running in no time. If you don't, you might just wish you had. Remember, always read the freakin' manual before you ask questions. Heh.

The training mode actually results in all email being delivered (not blocked), but it adds some header information to the email which you can read if you like in order to determine whether or not the ASSP system is flagging it as spam. I actually set up my Thunderbird client with a rule to look for the ASSP header and if the spam flag was true, to move the email off to another folder.

What you are supposed to do during this training period is to categorize the good and bad email, and in doing so tell the ASSP service how to treat the email it sees coming in. I used the email interface for submitting spam and good mail to ASSP for about a week before I turned training mode off. Reporting is very easy. I specified two email aliases in the ASSP system, such as spam-no@greghughes.net and spam-yes@greghughes.net (those are not the actual addresses of course) and on a regular basis forwarded groups of email back to the ASSP service that fit into each category. In fact, I even went back into my archive of valid email from before installing ASSP and forwarded a bunch of it to the system, so it could quickly learn what valid email looks like in my world. Your learning period will probably be about a week or so, or however long it takes you to gather 400 or more spam emails along with some some good, valid email.

Once you've provided the system with a corpus of good and bad email, you run a little Perl script on the server to update the Bayesian spam detection database, which is the adaptive learning part of the system. I did this a few times - about daily - throughout the first week. With each update the system got smarter and smarter. Once spam email was being very effectively categorized by ASSP, I switched the system from learning mode into normal operating mode and also configured ASSP to forward a copy of all spam emails it receives to a separate email account (say something like allspam@yourdomain.com). In doing so I have created a place for the system to provide me with all the spam email so that I can continue to peruse it when I feel like it in order to make sure nothing gets trapped in there as a false positive. But my main email account is spam-free. Initially I found a few valid emails were ending up being categorized as spam, but all I had to do was to forward those to the email error reporting interface mentioned above and then rebuild the database, and now for the past few days I have seen zero false positives. I intend to continue to check that account now and then, just to ensure I don't miss any critical email. It's a quick and easy process, especially since all the spam that is blocked by the system as a result of coming from known spammer sources (RBL lists) never even makes it into the system. So, I'm just weeding through the small remainder of the stuff that the system analyzes and weeds out in the second phase of its analysis.

Here is what the service has done for my email account since I turned it on about 12 days ago:

General Runtime Information

ASSP Proxy Uptime:
12.232 days

Messages Processed:
2297 (187.8 per day)

Non-Local Mail Blocked (percentage of email that is spam):
87.5%

CPU Usage:
0.27% avg

That's 288 valid emails and 2009 blocked as spam. As I said at the beginning, a bit overwhelming for only one email account in the mix, and obviously quite necessary to do something about it.

I still need to do some small amount of work to make sure the service stays up and running from a high-availability standpoint, and in fact I have that minor issue with not only the ASSP service but also a couple other email services and even the IIS service. Resource constraints seem to play havoc now and then on my virtual server, but I think I have managed to get a handle on that.

For anyone that's looking to put an anti-spam proxy in place for your own mail server, I most definitely recommend checking out ASSP and giving it a try. Download it here (use the most recent stable version). Or check out the ASSP Wiki, which contains documentation, the FAQ, and everything else you can think of. A high-level list of features can also be found on the ASSP home page at SourceForge.