Mostly, we won't be talking about our press releases in this blog. But it's too good to pass up this time. The title says it all:

Webmail.us Experiences 245% Growth in the Third Quarter of 2005

At the same time we changed our website, we stopped selling individual mailboxes. These were mailboxes on the @webmail.us domain name. Pat has written a thorough blog post explaining why we made the move.

The Control Panel was updated this week to ease the creation of aliases. An alias is an easy way to make a little email group like 'sales@mydomain.com' that forwards the mail on to a few people in your organization who are responsible to read and/or respond to those emails.

There is a new interface that makes it easy to select from your existing list of mailboxes which ones should receive messages from that alias.

Check it out. Pat wrote a great blog post about why we made the change. We hope you like it!

When I use Typepad to see what blog entries visitors look at, I am continually amazed at how many people view the blog entry about ILSCORP.NET. I received another comment there the other day and it got me thinking about what else I could do about this scam.

First, the commenter asked me if anyone had ever found a phone number for the company. I hadn't when I had looked previously. I don't know if I just missed it before, but the WHOIS info for the ilscorp.net domain name does have a Danish phone number listed. WHOIS records describe the owners of domain names—in this case the domain name 'ilscorp.net'. Here is their http://www.dnsstuff.com/tools/whois.ch?ip=ilscorp.net">WHOIS record:

I started wondering if their bill/solicitation was technically mail fraud. Not knowing the rules for mail fraud, I dug around the USPS website and eventually found this very helpful page. Apparently, there is a section of Federal law just for these solicitations that are made to look like bills: Title 39, United States Code, Section 3001.

Ends up, the language included on ILSCORP.NET's letter is exactly right, "THIS IS NOT A BILL. THIS IS A SOLICITATION. YOU ARE UNDER NO OBLIGATION TO PAY THE AMOUND STATE ABOVE UNLESS YOU ACCEPT THIS OFFER."

The website goes on to say, "This disclaimer must be in very large (at least 30-point) type and must be in boldface capital letters in a color that contrasts prominently with the background against which it appears."

My letter has the text in 12 to 14 point font. The contrast is fine, and the text is bolded and capitalized. But the font is less than half the size required by law. Further, the website says that the words have to be on the "face"of the document—the phrase is on the back of my letter.

So I completed the online mail fraud report found here. I would encourage others who have received this letter from ILSCORP.NET to submit fraud reports as well. The Postal Service says that the more complaints they receive, the higher priority they treat the case.

I read a post over on Jim Robertus' blog about the U.S. Government's web site for Internet safety: http://onguardonline.gov.  Jim didn't have a chance to go over it in detail, but I spent some time digging through it.  I am really impressed.  I'm thinking about integrating pieces of this into our company training.

It covers viruses & worms, spyware, identity theft, spam and phishing scams.  It even talks about the risks and benefits of Voice Over Internet Protocol phones.

In particular, I really liked the video introduction to viruses, worms, spyware and basic PC protection steps available on their main page.  For computer users who just don't understand these threats, it's a great place to start.

-Kirk

In an article released last week on Wired magazine's website, Bruce Schneier makes an argument for putting more responsibility on financial institutions to prevent phishing and to make it easier for victims of identity theft to clear their names.

Phishing is the term used to describe the sending of a fake email from someone pretending to be your bank or some other business.  The email asks you to go to a fake website and log in to perform some urgent task-- then the phishers use that login to go to your bank's website and transfer money, etc.

I couldn't agree more with the importance of making it easier for victims to repair credit reports and restore money to accounts.  But I'm a little less sure about his proposed solution with regards to banks and other financial institutions.

Bruce argues that banks should put up enough barriers to doing business that, "the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses."

I would suggest that, short of widespread adoption of standard biometric authentication systems (like fingerprint or retina scanners + standard & secure data formats), it is unlikely that a bank or other business could put up enough checks on information to stop even a moderately determined phisher.  If a bank asks for more info before they allow you to transfer money, then the phisher just needs to ask for more information on their fake website.

Bruce accurately predicts, in my opinion, that this will be an ever-escalating war.  I think that the right next step for a bank might be statistical analysis of (1) money transfer patterns of single accounts and similar transfers from many accounts, (2) bank account creation patterns (hey, the phishers have to transfer the money *to* somewhere), and (3) login patterns of single and multiple accounts.  I, for instance, am not likely to be logging in from another continent and transferring money.

And because these phishing attempts generally happen via email, email providers need to be vigilant in detecting and removing phishing emails-- something I think we've been good at.

-Kirk

One of the major additions to our new control panel is ability for resellers to provision their own private label webmail sites.  SSL-enabled private label webmail sites still need to be provisioned by our support team, but in many cases our resellers can now take care of most of their own private label requests.  What follows is a step-by-step walkthrough of the private label process

First, set up a DNS entry for the hostname that will become the webmail site.  Make it a CNAME entry that points to webmail.emailsrvr.com.

Next, login to your administrative control panel.  Click on Reseller Tools, then Webmail Sites.  Search for the name of your customer who will be receiving the new private label site.  Just beneath their company name, click the option to Add Webmail Site

In the box labeled Webmail Site, enter the hostname of the private label webmail site (e.g. webmail.yourdomain.com).  Most of the time, you will take the default option to 'Create a new webmail site and start with the following interface:'.  The default template is a nice-looking but unbranded webmail interface.  You can choose from the drop-down list to copy the design of any other webmail site your company has already completed.

By default, the box is checked that will allow your customer to edit the webmail interface for their own webmail site

Finally, click 'Create Webmail Site', and you're done.

You may edit the fonts, colors, header, and footer of the new webmail site using the option Webmail Settings on the left menu.

The entire process in our control panel now takes less than one minute!

-Kirk

Since we released version 2 of the control panel a couple of weeks ago, we found a few things that could be improved with the help of our customers.  Here are some of the things we've implemented:

* Limited administrators can be configured to have rights on a per-domain basis.

* The creation dates for mailboxes are now displayed in the mailbox listing view.  This is really helpful if you're trying to decide how heavily a mailbox has been used.

* The exporting of aliases and forwards has been made speedier.

* New quick-links for "Add domain" and "Add sub-account admin" have been added for resellers.

We're always working on more!  Let us know via the feedback option in the control panel what other features you'd like to see.

-Kirk