Proxy server names changed

FastMail has a special proxy system whereby you can access each service (POP, IMAP, SMTP, etc) through any port number by using special server names.

Note: You should only use these proxy servers if you can’t use the standard server names and ports. You should only use them if you know what you’re doing. For a list of standard server names and ports, see our help page – http://www.fastmail.fm/help/remote_email_access_server_names_and_ports.html

Originally, the server names for the proxy services were of the form imap.proxy.fastmail.fm, imaps.proxy.fastmail.fm, pop.proxy.fastmail.fm, etc.

To make these services consistent with our main server names (eg mail.messagingengine.com, chat.messagingengine.com, etc) and to make them work with SSL, we changed to using imap.proxy.messagingengine.com, imaps.proxy.messagingengine.com, etc.

Unfortunately, it appears that we got this wrong because wildcard SSL certificates (e.g. our *.messagingengine.com one) only match a single level of subdomain, so the certificate does not cover names like imap.proxy.messagingengine.com. Because of that, we’re changing our official proxy server names again to the following:

  • IMAP: imap-proxy.messagingengine.com
  • IMAP/SSL: imaps-proxy.messagingengine.com
  • IMAP (alt namespace): imapalt-proxy.messagingengine.com
  • IMAP/SSL (alt namespace): imapalts-proxy.messagingengine.com
  • POP: pop-proxy.messagingengine.com
  • POP/SSL: pops-proxy.messagingengine.com
  • SMTP: smtp-proxy.messagingengine.com
  • SMTP/SSL: smtps-proxy.messagingengine.com
  • LDAP: ldap-proxy.messagingengine.com
  • LDAP/SSL: ldaps-proxy.messagingengine.com
  • XMPP: chat-proxy.messagingengine.com
  • XMPP/SSL: chats-proxy.messagingengine.com

If you’re using the proxy servers, please update your software to use the appropriate new name.
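The single-level wildcard rule described above, as an added example (not FastMail's code): a simplified hostname matcher in the style TLS clients apply, run against the old and new proxy names from this post. It assumes the stricter common behaviour of accepting "*" only as the whole left-most label.

```python
def cert_name_matches(pattern, hostname):
    """True if a certificate DNS name covers hostname.

    A '*' is accepted only as the entire left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in "".join(p[1:]):        # wildcard outside the left-most label
        return False
    if len(p) != len(h) or not all(h):
        return False                 # different depth, or an empty label
    if p[0] == "*":
        return p[1:] == h[1:]
    if "*" in p[0]:                  # partial wildcards (e.g. 'im*') rejected here
        return False
    return p == h


CERT_NAME = "*.messagingengine.com"  # the wildcard certificate named in the post

# Names taken from the post: the old two-level proxy names and the new ones.
NAMES = [
    "mail.messagingengine.com",
    "imap.proxy.messagingengine.com",
    "imaps.proxy.messagingengine.com",
    "imap-proxy.messagingengine.com",
    "imaps-proxy.messagingengine.com",
    "messagingengine.com",
]


def coverage(cert_name=CERT_NAME, names=NAMES):
    """Map each hostname to whether the certificate name covers it."""
    return {name: cert_name_matches(cert_name, name) for name in names}


if __name__ == "__main__":
    for name, ok in coverage().items():
        print(f"{'match   ' if ok else 'MISMATCH'} {name}")
```

The bare domain messagingengine.com is also not covered by the wildcard; a certificate needs it listed as a separate name.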

Posted in News, Technical. Comments Off

Skype extension for Firefox buggy, users should disable it (updated)

Update 4-Sep-09: An employee from Skype emailed me and told me that they’ve released a new version of Skype (version 4.1 Hotfix 2) that solves the problems below. You can download it from http://www.skype.com/go/download.

We’ve recently had some users reporting problems sending email in Firefox via the web interface. After a bit of investigation, it seems the problem is related to a recent update to Skype and the Skype Firefox extension.

By default when you install Skype, it installs an extension into Firefox which tries to find all phone numbers on a web page and allow you to easily make a Skype call to that number. Unfortunately the latest version of that extension seems to be quite buggy and destroys basic Firefox functionality. You can read about the issues here:

https://developer.skype.com/jira/browse/SCW-1345

We recommend users using Firefox who have Skype installed on their machine disable the Firefox Skype extension until this is fixed. You can disable the extension by starting Firefox, going to Tools -> Add-ons, finding the Skype extension, and then either clicking Disable or Uninstall. You’ll have to restart Firefox after this change.

Posted in News. Comments Off

All outbound email now being DKIM signed

FastMail is now signing all outbound email with a DKIM signature. DKIM is a way of validating the source of an email and is being more and more widely deployed.

This shouldn’t affect users in any way; it just means that emails being sent through FastMail’s servers can now be certified as having gone through FastMail’s servers, which will help in spam feedback complaints and protecting the sending reputation of FastMail’s servers.

For technical users, with DKIM, you need to specify a signing domain, and we’re using our generic domain messagingengine.com rather than fastmail.fm, sent.com, etc.
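For the signing-domain point above, an added example (not FastMail's code) that reads the d= and s= tags from a DKIM-Signature header and compares the signing domain with the From domain. The message, the selector name and the hash/signature values are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: selector and bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=messagingengine.com;
\ts=example-selector; h=from:to:subject:date;
\tbh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@fastmail.fm>
To: bob@recipient.example
Subject: constructed sample

hello
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue                      # trailing ';' or empty element
        name, _, val = part.partition("=")
        # Folding whitespace inside a value is not significant.
        tags[name.strip()] = "".join(val.split())
    return tags


def signer_info(raw):
    """Report who signed the message versus who it claims to be from."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    return {
        "signing_domain": d,
        "author_domain": author,
        # DNS name where a verifier looks up the public key (TXT record).
        "key_record": f"{tags.get('s', '')}._domainkey.{d}",
        "signer_is_author_domain": author == d or author.endswith("." + d),
    }


if __name__ == "__main__":
    for key, value in signer_info(SAMPLE).items():
        print(f"{key}: {value}")
```

A valid signature here vouches that messagingengine.com handled the message; it says nothing by itself about the fastmail.fm address in the From header.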

Posted in News. Comments Off

Two-factor (SMS) authentication now easier for businesses/families

For over a year now, FastMail has supported two-factor authentication via SMS and one-time passwords. As a quick reminder, the way this works is:

  1. A user creates a new login password via the Options –> Alternative Logins page
  2. For a “one-time” alternate password, the user is shown a screen of one-time passwords they have to print out. Then each time they want to login, they use one of the passwords off that list, and cross it out because it can’t be used again
  3. For an “sms” alternate password, the user logs in with that password, and then a one-time password is sent to the user’s phone (as configured on the Options –> Personalities screen for the default personality) that they can use to login

This is especially useful for people travelling and using Internet Cafes or kiosks that they don’t necessarily trust, and might be infected with keyboard logging trojans that steal passwords. With a one time or sms password, the password can only be used once and is thus useless if stolen.

Additionally, for extra security, the alternate logins can be set up as “restricted logins”. When using a restricted login, no emails or files can be deleted, so even if somehow a hacker hijacks your session, they can’t delete or damage any email or files in your account.

While these features are very useful from a security standpoint, the one-time passwords require some pre-planning to print out and carry around the one-time password list, and the SMS passwords require purchasing SMS credits in your account.

For businesses and families, we’ve now made the SMS passwords easier to use. Basically now only the business/family has to buy SMS credits, and then any user in the family/business can use those credits to have an SMS password sent to them. This feature has to be enabled for the business/family on the Manage –> Business/Family Preferences screen via the Allow SMS two-factor logins preference.

So the detailed steps to make this work are:

  1. An administrator of the business/family has to log in, go to the Manage –> Business/Family Preferences screen and enable the Allow SMS two-factor logins checkbox. After doing this, a new Buy SMS Credits option will appear on the Business/Family screen and in the sidebar
  2. Then the administrator has to purchase SMS credits via the Manage –> Buy SMS Credits screen
  3. Each user that wants to use an SMS login then has to log in to their own account and go to Options –> Personalities and set the Mobile number on their default personality, and then go to Options –> Alternative Logins and create an SMS Password which they can then use to login and trigger an SMS password to be sent to their phone

Posted in News. Comments Off

Hotmail and Google docs being abused for spam

A user forwarded me a particularly annoying bit of spam the other day that I realised is going to be quite hard to combat.

  1. The email was sent from a Hotmail account. Clearly the spammers have broken the Hotmail CAPTCHA process (again), and thus are signing up 10,000’s or more accounts to send their spam. The main issue is that it means there’s no easy “source IP” to test against RBLs for blocking or scoring purposes. Hotmail does add an “X-Originating-IP” header, but that’s non-standard and for the cases I’ve seen, the IPs are not on any known black lists.

    This actually seems quite an effective process for spammers. Using new spambot compromised machines to only send via reputable services like Hotmail, Yahoo, etc. Basically I believe most RBLs are built using systems that only check against the original incoming SMTP connection (either at the SMTP stage, or via some feedback process that later scans back through the Received headers). They generally don’t look at custom headers like "X-Originating-IP". So even if spam checking software does check that header, not much RBL building software will, so as long as the spammer can keep those IPs so they’re only used for sending via other "trusted" services, the IPs will probably stay off RBLs for a long time.

    Given the constant battle Hotmail, Yahoo, Gmail, etc have stopping mass signups, CAPTCHAs’ days seem numbered. Already in some cases, Google have started requiring SMS verification for new Gmail accounts; I expect this trend to spread to other services and companies over time as the CAPTCHA systems employed to try and stop abuse appear to be less and less effective every day.

  2. The email contained a bunch of random text. Also not unusual, but it makes any content analysis basically impossible
  3. The email contained a link to a public Google Docs page. Again, clearly spammers have broken the Google CAPTCHA process to sign up masses of Google Docs accounts and fill them with their spam landing pages. Again this means that URIBLs are ineffective against these types of emails because they can’t go and block Google Docs domains.

The net result was that the emails in question contained very little information to block against. Some composite rules could be created (eg from a Hotmail account, with a Google Docs link in it), but they’re clearly far too broad and likely to result in many false positives.
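How a filter could bring the X-Originating-IP header into RBL checks, as an added example (not FastMail's code): it builds DNSBL query names for the connecting relay and, only when that relay is a webmail provider known to add the header, for the originating IP too. The zone name, the trusted network and the sample message are constructed assumptions; no DNS lookups are made.

```python
import ipaddress
import re
from email import message_from_string

RBL_ZONE = "rbl.example.org"  # hypothetical DNSBL zone
# Assumed: networks of webmail providers known to add X-Originating-IP.
TRUSTED_WEBMAIL = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample; all addresses are from documentation ranges.
SAMPLE = """\
Received: from out.webmail.example (out.webmail.example [198.51.100.25])
\tby mx.receiver.example with ESMTP; Mon, 1 Jun 2009 10:00:00 +0000
X-Originating-IP: [203.0.113.77]
From: someone@webmail.example
Subject: constructed sample

random text
"""

BRACKETED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_ip(text):
    """Return an IPv4Address from '[a.b.c.d]' or 'a.b.c.d', else None."""
    try:
        return ipaddress.IPv4Address(text.strip().strip("[]"))
    except ValueError:
        return None


def connecting_ip(msg):
    """IP recorded by our own MX in the topmost Received header."""
    m = BRACKETED.search(msg.get("Received", ""))
    return parse_ip(m.group(1)) if m else None


def dnsbl_name(ip, zone=RBL_ZONE):
    """DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def rbl_candidates(raw):
    """Query names for the relay and, if the relay is trusted, the origin."""
    msg = message_from_string(raw)
    relay = connecting_ip(msg)
    names = [dnsbl_name(relay)] if relay else []
    # The header is only as reliable as the host that added it.
    if relay and any(relay in net for net in TRUSTED_WEBMAIL):
        origin = parse_ip(msg.get("X-Originating-IP", ""))
        if origin:
            names.append(dnsbl_name(origin))
    return names
```

Because any sender can add an X-Originating-IP header, the value is ignored unless the message arrived directly from one of the listed provider networks.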

At the moment, the main things we can do about this are:

  1. Report the emails as spam to providers like Spamcop and others. This should both end up reflecting badly on the services that are being abused, and also encourage improvements to make sure they do look for X-Originating-IP headers and the like to help build IP RBLs
  2. Report the Google Docs pages as abuse. I’d hope Google have good internal systems to handle this, so that if a bunch of pages are reported as abuse, they can track down similar pages and disable them and the associated signups as well

Posted in Technical. Comments Off

Thunderbird 3 beta 3 includes native IMAP COMPRESS support

A few months back, we blogged about a new compression proxy we had developed that helped improve IMAP performance. If you’re using an email client to access FastMail via IMAP, then the compression proxy can significantly speed up access to your account, especially if you have large folders with lots of messages (I use it, and see > 80% bandwidth savings on average).

However, if you’re a bleeding edge email user, and are trying out the Thunderbird beta releases, then definitely download the latest Thunderbird 3 beta 3 as it now includes native support for the COMPRESS extension. This means you don’t need to use the proxy at all; you can just set up Thunderbird to access our server as normal (server name = mail.messagingengine.com) and it’ll automatically use the compressed protocol.

We don’t recommend using Thunderbird 3 yet if you’re a regular email user. It’s still definitely a beta, and has many known bugs. But if you like trying out new software and are aware of the potential caveats, then definitely give it a go!

Posted in Technical. Comments Off

IE8 display bug

As a web developer, you regularly come across browser bugs, most often trying to work around obscure problems in IE6 and IE7. IE8 has generally been a relief in comparison, working pretty much to spec along with other browsers like Firefox, Opera, Safari and Chrome.

So I was surprised to come across a very odd and annoying bug in IE8 today. Basically a user reported that when trying to view a particular email, the page would just be blank. After being able to repeat the problem on the same email, I narrowed it down bit by bit until I had a segment of HTML that replicated it, which came down to:

<!DOCTYPE html>
<html>
<body>
<SPAN dir=ltr>before
<SPAN dir=rtl><BR></SPAN>
after</SPAN>
</body>
</html>

Creating a file with just those contents and opening it in IE8 displays a completely blank page.

If you make any of the following changes, the page will display ok (the “before” and “after” text displays):

  1. Remove the HTML5 doctype
  2. Add any whitespace character after the <BR> tag
  3. Remove the dir=ltr attribute from the first span
  4. Remove the dir=rtl attribute from the second span

Of course we don’t generate HTML like this, but people do receive HTML emails that just happen to have content like this, and thus the whole page displays as blank! I’m currently working on a fix to work around this.

Posted in Technical. Comments Off