Some of this blog's readers know that we offer API's that allow programmer's to access and update information on our servers.  Programmers can access many administrative areas and can do things like put in a new mailbox or alias, or log in a user to the webmail client from a customer-hosted web page.

We've put out some updates to our API that will allow better manipulation of what we call the 'sub-account' level of access.  Resellers of our service have sub-accounts, companies with one or more domains that purchase email service through the reseller.  The new API functions allow resellers to build programs that do things like move a domain from one sub-account to another, get a list of administrators for a sub-account, and add/change/delete administrators and domains.

We have not found any issues with the new API functions, but we still consider them beta.  Drop me a line if you'd like the access: kirkblog@webmail.us

-Kirk

When a potential customer is concerned about email blacklisting, and asks if we are on a blacklist, I always answer the same way… we’re not. But any company that ever says they have never been blacklisted is likely misinformed. The most important thing is how the situation is handled and how quickly the problem can be resolved. I’d say we’ve had a mail server put on a blacklist… maybe once every 8 or so months. It’s always a result of someone sending unsolicited mail through our system, which is not permitted (even in tiny batches).

Not too long ago one such instance occurred. In short, one of our clients sent unsolicited mails through our system… advertisements basically, and a few of these were reported by the recipient as spam. Unfortunately, this relatively new client had a very recent history of spamming. Consequently, their actions caused a mail server of ours to be blacklisted.

What really is interesting to me, however, is how quickly such an action takes place. Our anti-bulk mailing system caught the offender and put a stop to the action almost right away, but a scarce few still went out. Seemingly, the very moment we were put on that blacklist our engineers and support staff were aware and all actions were then geared towards resolving the issue and getting off the blacklist.

Fortunately we were able to get off the list VERY quickly. Just as clients began to report bounced emails, we were already able to report that the problem was fixed and that they could now try to resend the bounced email.

A lot of very tight ropes are treaded upon in the war between spammers and companies like Webmail.us, Inc. that try to protect people from spam. When a mistake is made by one of our (former) clients or another anti-spam company, it’s reassuring to see the issue addressed by our engineers right away, and I’m sure it’s even more reassuring for our over 8,000 clients.

Ben Hubbard
Operations Manager

We thought we should follow up some earlier emails and blog postings: the new control panel is in place for all of our customers and the ability to add RSS feeds is also now available to all of our customers.  If need help with either of these, please drop a line to our support team at support@webmail.us.

-Kirk

The names, companies, and domains in this blog entry have been changed because...well...that's what you're supposed to do when you recount stories like this that involve questions about cracking (what some call hacking) and social engineering. And I've paraphrased the conversations to spare you the length, but I haven't changed any meaning inside or embellished what is already a great story.

To explain, social engineering is a technique that Bad People use to gain access to resources they shouldn't have.  It's easier to trick a person into giving up access than it is to crack/hack a secure computer system.  We have excellent policies and procedures in place to keep that risk at a minimum, but its time for the story...

The Story

Just over three weeks ago, someone submitted a support request form using our website.  It said, "Hi, I'm Linda Lewis from Borrower's Select in Australia and I am the director of the company.  For many reasons, I need you to reset all of the email passwords for mailboxes on our account and only send the new password information to me.  Jake Johanson is no longer an employee, so please only take instructions from me."  Her contact information included a phone number and a Hotmail email address.

The support form Linda used can be accessed by anyone on the Internet.  Hotmail accounts are free and used by spammers and crackers all the time.  The phone number didn't match what was in the billing info for Borrower's Select, and Jake Johanson was listed as the primary contact for the account.

Well, we figured it probably wasn't a legitimate request.  Kyle, a member of our support team, sent a reply to her Hotmail account and said, "For security reasons, we need support requests such as this one to be submitted using the secure help form found in your administrative control panel.  If you don't have access to the control panel, we will need you to verify detailed information from your current billing."

15 hours later (she's in Australia), she replies to tell us not to take instructions from Jake; she is concerned he might have access to email accounts that he shouldn't.  She also includes the detailed billing information we requested.  Information that *doesn't* match what we have on file for Borrower's Select.  We immediately respond that it doesn't match and might she have other billing information handy?

For more than 2 weeks, we can never reach her by phone at the number she has provided or at the main business number we have on file. She sends us to a government website to confirm her position with the company but the site is first down for maintenance and later says that there is no such company!  And the faxes she says she'll send never materialize.  It seems extremely unlikely that she is who she says she is.

I am very uncomfortable at this point.  Are we just letting someone "social engineer" us by pretending to be someone she isn't?  If we keep giving her opportunities, she might eventually find a way to convince us that she's legit.

Almost three weeks after her first email, she successfully faxes us some specific documentation.

We have a faxed copy of some identification along with some company and government documentation about her position.  A quick check reveals that the government website she had directed us to use earlier really points to a New Zealand subsection of the Australian Business Number registry, and we confirm the information in the fax with the proper part of the ABN site.  Her fax gives us two numbers: the number she had provided before and another number we have never seen before, but this sort-of makes sense if there have been a lot of changes at the company.

Is it OK if I still had a few doubts?  We hadn't reached Linda or Jake at the main business number of file, though when we had spoken with people at the number it seemed like Linda did work there.  I changed the email admin password and Jake Johanson's password.  I figured that if Jake had really left the company he probably wouldn't notice.  But if Jake was still an employee or was still watching the email address, he would contact us pretty quickly and I might get a little more information.  I tell Linda on Monday of last week what I've done, but I don't give over the passwords.  I ask what she would like me to do next, hoping that things either settle down or that Jake will be in touch soon and I'll know more.

She emails back at 2:30 am Tuesday morning, reiterating her request to change all email passwords and give them to her.  Still wanting a bit of delay before we change *all* of the email account passwords, we send her a new admin username and password and explain how to edit mailbox accounts.  I know, bad customer service, but I'm nervous that something still isn't right.  I figure it will take her longer to change all of the passwords that it would take us.

Guess who else emails us on Tuesday?  Jake uses the public support form to ask for help getting in to his email.  We try to stay neutral: we advise him to contact his email administrator.  On Wednesday he submits another form, saying that he can't get into the control panel (we did change the password).  And he asks us to email him back at another account at Borrower's Select.

I have an uh-oh moment.  Linda specifically said that she was worried that Jake had access to other accounts.  She clearly hasn't changed any other passwords.  Linda's position and concerns now seem fully validated.  So we jump in and change them all lickety-split, and send her an email letting her know.  We tell Jake again to go to the official email admin for their domain.

Jake submits another request, this time to our sales team.  But he gives his contact number: its the original number from our billing system.  What is going on!?!  OK, I think, maybe its his cell phone and he took it with him when he left the company.  I go to their website.  Well, unless they decided to put his cell phone number all over the website and integrate it into some flash demos, the number is good.

I look back at the fax we received from Linda, desperately seeking reassurance that we didn't give access to a socially maladjusted 14-year-old named Timmy with nothing better to do.  Please don't let Linda really be Timmy!

Up at the top of the fax sheet, where the sending fax machine puts its number and other info, it says that the fax was sent from Ocean Century Realty.  I'm starting to stress out.  I look up the Realty company's website and find that the number for the Realty place is one of the two numbers Linda put on her fax that didn't match anything we had on file.  I get in touch with our after-hours staff and we agree that its time to change passwords to something only known to us while we sort this out.

I tell myself, "Maybe there are two company names for the same place."  So I call the Realty number (it's late EDT but mid-day in Sydney).  The man who answers the phone has no idea who Linda Lewis is.  I'm feeling sick to my stomach at this point, but I'm glad that we're changing the passwords so that little Timmy/Linda can't do any more harm.  But it does seem strange that Timmy/Linda didn't use the email admin username and password we gave him to really take over the account when he had the chance.

So I call the main business number, the one on the website, the one Jake sent to us but that Timmy/Linda never mentions in all the emails we received.  I ask for Linda Lewis and am told, "She's not in the office. Would like to leave her a voicemail or call her on her cellphone?"  Timmy/Linda must have counted on us to not reach the real Linda at the main line-- which we had tried during previous to no success.  I ask for and am given her cell phone number.  It looks familiar.  It matches one of the numbers Timmy/Linda sent us.  Looks like Timmy was feeding us some very real information on Linda, but somehow got a copy of or faked Linda's identification and some other official documents.  "Oh well, we did our best," I think.

I sit and ponder our existing policies, wondering what I can do to strengthen them.  Heck, we did try the main business number several times a few weeks ago and we had a copy of all of the needed official documents and independent verification of those docs on a government website.

I call back to the main number for Borrower's Select.  I ask for Jake Johanson and leave him a message.  I figure that any Jake and Linda I can reach through this main office phone number pretty much have to be good contacts at this point.  He calls me back a few minutes later and says, "Yeah, we're having trouble with our email, nobody can get in."

Just in case, I reply, "Yes.  Linda Lewis contacted us a few weeks ago and recently asked us to change all of the passwords."

"Oh," is his response.  "Well, we need access again so that we can get our emails."

I think its strange that he didn't react to that a little bit more than he did.  "Can you think of a reason why Linda might ask us to do that?"

"She doesn't work in this office any more.  She is at a new location.  But we're all here still and need our email."

"Is Linda the person in charge of email for Borrower's Select?" I ask.

"Yes.  We have a new name here now.  But we still need to get to those emails."

The scattered pieces in my brain come together, finally.  It's all clear now.  The website hasn't been updated yet--the change was just a few weeks ago.  The phone number is still connected at the original office site.  When I had called asking for Linda before, they had politely and professionally given me her cell number without getting into messy details about her taking the original company name to a new place while at least a few of her coworkers remained at the old location with a soon-to-be new name. 

There was never a kid named Timmy trying to steal email away from one of our customers.

"I'm afraid that we can't do that for you.  Requests for the Borrower's Choice domain name will have to come from Linda now", and I politely end the call.

That was last Wednesday near midnight.  We're still going to go over our authentication and authorization policies and looks for holes in the armor, even though we were right when we gave access to Linda.

It has been a lot more fun to tell this story than it was to live it!

-Kirk

I was just reading on Michael Hyatt's blog about a nifty way to organize email following the ideas from David Allen's Getting Things Done.  And sites like 43folders.com regularly have well thought-out posts about staying on top of your tasks.

I did something similar to Michael a while ago and thought somebody might find it useful.  First, keep in mind that I use IMAP for my email.  Many paid email hosting services and email server programs like Exchange support IMAP, although I can't think of any free providers that do.  IMAP keeps your messages *and* folders on your mail server and can make life convenient if you have to switch between computers when traveling, etc.

Here is a screenshot of my folders in Thunderbird:

I try to follow the GTD approach.  At first, I created folders called next-tasks, waiting, someday-maybe, and reference.  But Thunderbird won't let you rearrange the order of folders inside an account.  I did find here a Thunderbird extension that will let you reorder your accounts if you have multiple email accounts.

To get around the order issue (I really wanted next-tasks first and waiting second), I renamed my folders to 1_next-tasks, 2_waiting, etc. to work around Thunderbird's need to alphabetize my folders.

After about a week or so I found that I needed to break my reference section up a little bit.  So I use the main 4_reference folder for generic reference info and then use the more specific sub-folders when I need to.  I also added a folder called 5_candidates because we're always hiring and I wanted to track resumes separately as a project.

Our email system and many others support folders in a very helpful way: if my email address is kirkblog@webmail.us and I have a subfolder called "hello", I can send an email to kirkblog+hello@webmail.us and the message will be delivered directly to my hello folder.  BTW, I don't really have a hello folder so please don't send me an email there.  :)

That way, I don't have to create any rules to copy an email to my own waiting folder the way Michael describes.  To take advantage of Thunderbird's address auto-complete, I did add contacts to my address book like "waiting" with an email address including "+2_waiting" inside to get the email directly to the right folder.

I used to print resumes, evaluate them, make a few notes on them, then file them as "good" (as in might be a good fit) and "other" (a gentle way of saying probably not a good fit) and file them in my cabinet.  But I really wanted to go paperless as much as possible

There is a great Thunderbird extension, called Message Notes that has been a huge help with resumes, next tasks, etc.  It adds a small section to my email messages and a button to let me add a note to the email.  Now, when I receive a resume, it goes into the resume folder.  When I'm ready to review resumes I go to the folder, read a resume, add my note to the email, then move that email to the right subfolder.

I put specific next task notes on an email before moving it to the right folder, and put specific waiting-for notes on emails inside that folder.  That way, I don't have to re-read an entire email to see what I'm supposed to do.  Because this is so useful, I don't often use the above mailbox+folder trick above with waiting-for messages; I just sent my email then add a note to the message in my inbox before dragging and dropping into my waiting folder.

My system is mostly functional.  It is still tough to keep my inbox clean with as many emails as I get (hey, I work for an email hosting company!)  But overall I'm pretty happy with it.

-Kirk

I posted in February about proactive customer support, and I said that On-Star should tell me when my car needs a tune-up.  Well, check out this announcement from GM: http://news.yahoo.com/s/nm/20050913/tc_nm/autos_gm_onstar_dc (Link Removed)

GM is doing exactly what it should by adding these features.  I don't know that it is enough to replace their current marketing efforts, but this sort of design and approach needs to continue on many fronts, not just in cars.

-Kirk

A Good Idea?

A few days ago I read a great persuasive essay by Jonathan Zdziarski of the dspam project about statistical spam identification.  It forced me to rethink some of my assumptions about the right way to identify spam.  Jonathan argues compellingly that the best automatic identification possible will come from a learning computer program trained by humans to recognize good and bad messages.  The program looks at email the way a human might and has the potential to identify better than 99% of spam messages-- a fantastic percentage when battling smart humans who have intense financial motivation to get spam through.  I think we're going to run some statistical software alongside our existing anti-spam system and see just how well it might work for our customers.

Dumb Idea

Marcus Ranum is the author of another interesting essay called, "The Six Dumbest Ideas in Computer Security".  The #1 bad idea he listed is "Default Permit".  Marcus explains that allowing communication between computers by default is a very bad idea.  Instead, block everything by default then go back and allow what must be allowed.  I think he's right in a lot of cases, but it leads to a problem for business email.

Not Trusting Customers = Trouble

If you take that approach with email you use systems that form a wall around your company as protection from the bad emailers of the world.  When a customer needs to reach you via email they have to scale that wall at least one time to get a message to you: they fill out an extra form, wait a few minutes and then click a link when asked, or at least must prove that they're human.

After the outside email user has scaled the wall one time, they generally don't need to scale it again unless they change email addresses-- not an everyday thing, though also not uncommon.

Putting up barriers to conducting business tends to harm a business-- why else would businesses spend as much as they do on lobbyists?  At least in the U.S., it would appear that the very high costs of paying lobbyists are still somewhat lower than jumping over certain regulatory walls.  Requiring a potential customer to wait longer or do more than they expect reduces their willingness to do business and has a small but accumulating impact.  Not every user is put off by the wall, but some will be confused or annoyed by it because they expected to walk right into your store and talk with someone.

Open Doors

We're back to where we started: if you're going to accept email from the world by default you need a way to let good mail in and keep bad mail out that is about as smart as you are and doesn't take any of your time.  I think our current system of spam scoring, blacklists, safelists, etc. is very effective and users with advanced needs have some ability to tweak things.

But if there's any way to make it even more accurate: you'd better believe we'll use it!  We'll tell you how our tests went in a few months.

-Kirk

We are finishing up a few design improvements in the Account Options of the webmail client.  Mostly, we're making the design and wording completely consistent between Options pages.  Those changes will be uploaded onto the live system early next week, so don't worry too much if you notice your Options are subtly different.

-Kirk

I read this the other day, though for the life of me I can't remember where. But apparently there is a default setting in Internet Explorer that might let the owners of a bad web site to steal the contents of your clipboard-- the place in computer memory where things go when you press Control-C.

So if you recently worked on a confidential spreadsheet and had pressed Control-C to copy an important section of data from one place to another, that data could be picked up by someone outside your organization. This is a Bad Thing.

To prevent the clipboard from being accessed by web sites, open Internet Explorer, click on Tools, Internet Options, Security, Custom Level, and scroll almost all the way down the list to where it says "Allow paste operations via script" and set it to Disable.

This seems like a huge hole to me. I even made a point to IM my wife so that she could put the fix on the home computer.

-Kirk

I should have done this a long time ago and I don't really have a good excuse for not doing it sooner: I added a blogroll today. If you're new to blogging & RSS, a blogroll is a list that a blogger (me) puts up to show readers the other blogs that the blogger likes to read.

I didn't put all 39 of my subscribed RSS feeds in there. Some of the feeds are automated updates from Mozilla.org about new Firefox extensions or security alert feeds from SANS. But the blogroll has my favorite business and general topic feeds in there.

Click on a link or two and see if you find something new and interesting. You might have to scroll down a little on this page to see the links. And if there's a blog that you think I *should* be reading, drop me an email or tack on a comment!

-Kirk

It has been exciting and gratifying to see us move to the last stages of our infrastructure upgrade.  By and large, it has proceeded very smoothly considering the vast amount of work that has been undertaken.

I have been sending emails to the alert addresses entered by email administrators in the control panel, but a few customers have left that field empty or it has an old address, so that information hasn't made it to everyone.

We are now migrating private label webmail sites over to the new system.  It is critical that all email client programs and customized DNS records have the correct information in order for your service to continue uninterrupted.

POP Setting: pop.emailsrvr.com

IMAP Setting: imap.emailsrvr.com

SMTP Setting: smtp.emailsrvr.com

Secure Settings: secure.emailsrvr.com (for POP, IMAP, & SMTP)

Please note

The new system has the latest-and-greatest design and ability to load balance and hot-failover private label webmail sites.  However, the new system requires that the private label site *not* have the same hostname as your POP, IMAP, and SMTP settings (i.e. "mail.yourdomain.com" can no longer be the hostname for webmail + POP + SMTP).

Also, the hostname mail.emailsrvr.com will continue to work for POP, IMAP, and SMTP so clients and CNAME records configured in this way are just fine.

And if you need a quick way to update your email configuration on a Windows PC, try the email auto-configuration tool mentioned in an earlier blog post: http://www.webmail.us/downloads/Emailconfig.exe

-Kirk