Tuesday, August 18, 2015

All About Security: Level up your protection with AllMail!

I love to talk about the importance of strong, unique passwords, and how password managers (our favorite is 1Password) are your best friend. Why are unique passwords important? The way lots of accounts get hacked is:

1) Company A gets breached. Oh no! Hackers got username/password pairs.
2) Profit! They sell those username/password pairs to tons of Bad Guys.
3) Bad Guys try those username/password pairs at tons of companies.

If you reused the same username and password at Company B (or C, or ....), they now have access to your account. A password is only as secure as the most vulnerable company you gave it to.

With Pobox AllMail, you can go one step further than unique passwords. If a unique password is good, a unique username and password is even better. AllMail is a feature for Pobox accounts using personal domains. It lets you send mail for all the addresses at the domain to the same place. You get to check mail all in one place, but every website you use has its own unique address for you. You could use amazon@mydomain.com for one place, target@mydomain.com for another.

You don't have to tell us each address once you've set up AllMail. You can just 'make up' new addresses as you need them, and they'll work. You can be shopping at a store and when asked for an email address during checkout, give them one you make up on the spot. Warning: cashiers will often ask if you're an employee, or say, "Wow, you must really like our store!"

AllMail doesn't have to be every address at your domain. If you want to forward mail to your mom at mom@mydomain.com, her mail wouldn't be included in AllMail. If one of the companies you gave an address to turned out to be spammers, you can also tell us to ban mail from that address in the future. (You can also remove that ban if you need that mail after all.)
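Because each company gets its own address, mail arriving at an address from anyone else shows that the address was leaked, sold or guessed. The following Python is an added example, not Pobox code: the registry of issued addresses, the sample mail and the function names are all constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed registry of which alias was handed to which company's sending domains.
ISSUED = {
    "amazon@mydomain.com": {"amazon.com"},
    "target@mydomain.com": {"target.com"},
}

# Constructed (envelope recipient, From: header) pairs, as seen in the one inbox.
SAMPLE_MAIL = [
    ("amazon@mydomain.com", "Amazon <order-update@amazon.com>"),
    ("amazon@mydomain.com", "ship-confirm@email.amazon.com"),
    ("target@mydomain.com", "Deals <promo@cheap-pills.example>"),
    ("Target@mydomain.com", "Target <no-reply@target.com.evil.example>"),
    ("sales@mydomain.com", "x@bulk.example"),
]


def sender_domain(from_header):
    """Lower-cased domain of a From: header, or '' when it cannot be parsed."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_expected(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one (dot-boundary match)."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def unexpected_senders(mail, issued=ISSUED):
    """Map each alias to the sender domains that should not know that address."""
    hits = defaultdict(set)
    for rcpt, from_header in mail:
        alias = rcpt.lower()
        domain = sender_domain(from_header)
        # An alias missing from the registry was never handed out, so any mail is unexpected.
        if not is_expected(domain, issued.get(alias, ())):
            hits[alias].add(domain or "<unparsable>")
    return dict(hits)
```

The From: header can be forged, so a clean result does not prove an address is still private. An address that does show up is a candidate for the ban described above and for a password change at the site it was given to.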

Adding a domain is easy -- register a domain with us, or bring one you've registered elsewhere. Once your domain is created, adding AllMail is as easy as telling us where we should forward the mail! Right now, AllMail is only available for personal domains, but if you would be interested in using it at one of our subdomains (like yourname.onepost.net), drop us a line.

AllMail is included free for up to 2 domains with a Mailstore account, and $10/year for a domain with a Pobox Plus or Basic account.

Wednesday, April 9, 2014

Heartbleed Bug, a critical security vulnerability

Two days ago, a critical security vulnerability was announced in OpenSSL, an extremely widely-used encryption library used by Pobox (and nearly every other website and service on the Internet). You can read more about the specifics of the vulnerability, but the short version is: attackers could "listen in" on affected sites' and services' traffic, and could have gained access to their encrypted content, including usernames, passwords and the session keys that secure content.

Attacks are undetectable, so there is no way to determine if or when this vulnerability was exploited. It's possible it never was. That being said, this is an extraordinarily bad vulnerability, and the cautious standpoint is to assume all sensitive information could have fallen into the hands of malicious parties.

As of this morning (approximately 11AM EDT, April 9th), all affected services had been fixed, so no additional content could be accessed. All sessions have been terminated, so potentially-compromised old sessions could not have been reused to gain access. Fresh SSL certificates, regenerated with new keys, were put in place as of 5PM EDT April 9th.

What was vulnerable?

  • Webmail.pobox.com logins and sessions since February 20th, 2014
  • Encrypted traffic passed through our MXes, since March 9th, 2014

Webmail sessions can include calendars and contacts, which could have been accessible in addition to mail you read or sent during the session. A worst-case scenario would be that your webmail session got "sidejacked", which would allow an attacker access to your mailbox as long as your session was active.

Prior to those dates, we were running an older version of OpenSSL that was not vulnerable. 

What was NOT vulnerable?

  • www.pobox.com logins or sessions
  • access to Mailstore mailboxes (mail.pobox.com) from email clients like Mac Mail, Outlook, etc. 

What should you do?

Pobox passwords: If you have used webmail.pobox.com (or the now-deprecated atmail.pobox.com) since February 20th, we recommend changing your Pobox password immediately. Non-webmail users, Mailstore or forwarding only, should not need to change their passwords.

Forwarding address passwords: Gmail and Yahoo were both vulnerable to this exploit. Other ISPs may have been also. You should update those passwords as well.

Encrypted email: You should make a determination about what, if any, sensitive information you received via email during the affected time period, and take appropriate action. At a minimum, we would treat usernames and passwords as sensitive, and possibly more depending on your situation. 

Password reset links may not be an issue -- most of them are restricted to either a single use or a relatively narrow timeframe, so if they haven't been used, you may not need to worry.

Session key theft is one of the reasons we moved to much shorter session times. That being said, we recommend always logging out, which specifically terminates a session when you are done using it (on our site or anyone else's.)

If you have other questions, please let us know.

Updated 4/10/14, 10:34 EDT to note new certificates and time of deploy, and include a recommendation to change your forwarding address password.

Thursday, February 13, 2014

A Valentine for Email Lovers

Valentine's Day is Pobox's favorite holiday -- we've been in love with email for 19 years! This year, as a valentine to all you folks out there who love email as much as we do, we're adding two new bonuses for accounts.

Add a user for less: Add a second user to your account, and you'll get an automatic 10% discount on both accounts! The 10% discount is automatically applied for groups with 2 to 4 users. Accounts with 5 or more users get a 20% discount.

Add AllMail for free: Mailstore accounts can add AllMail for 2 personal domains for free!

If your account should get these discounts and bonuses, you don't have to do anything -- they're being added automatically, starting today. (This means your expiration date will move further into the future.) Pobox Plus users whose price would go down if they upgrade to Mailstore will also be upgraded automatically.

Monday, January 13, 2014

Profile and Account Security: Access tools in one spot

A few weeks ago, we reorganized the website. This included a brand new section, Profile and Security. In addition to making quite a few options easier to find, it has some brand new features!

Two Factor Authentication and App-specific Passwords

The biggest new feature is two-factor authentication. Two-factor authentication means you cannot log in with your password only -- you need a second authentication "token".

We are using time-based one-time passwords (TOTP) as the second token. If you would like to add two-factor authentication to your account, you will need to add an app to your smart phone. You will use the app to scan the QR code we give you, and the app will generate the token you'll need to log in.

Mailstore customers who use two-factor authentication will also need to set up app-specific passwords for their email programs. (Email programs cannot use two-factor authentication.) All customers may use app-specific passwords for SMTP, if they would prefer not to use their main Pobox password.

Enhanced Security

In order to make changes to your account security settings, you must re-enter your password. (Previously, this was required for password changes only.) Once you've re-entered your password, you can make changes for up to 5 minutes. When you are finished making changes, we suggest you log out.

The profile and security listing also highlights any major security problems with your account. Interested in tighter security? Click the "restricted settings" link on the right side of the page to see our recommendations.

Other Settings

The Profile and Security section collects options that were previously found littered around the site. 
And one last bit of fun -- set up a Gravatar to see a profile pic on the Pobox website (and lots of others!) Your profile pic is based on your starred reference address, which you can select from the Address listing.

We hope you'll find the new Profile and Security section, as well as the Home page revamp that came with it, improves and simplifies your Pobox experience. If you have any questions, problems or comments on the changes, please let us know.

Wednesday, October 9, 2013

Sneak a peek at your spam.

We've added a new feature to the Spam section, long requested by those of you who review your spam regularly. A brief text preview of the message is now available by clicking the subject of held messages!

The preview page lets you release or delete the message you're viewing, and includes all the information you can view in the table listing, plus a few extras:
  • Envelope sender and recipient
  • To:, From: and Subject: headers 
  • The Message ID
  • When the message was caught
  • What check caught it
  • Whether it's been released yet

The preview is content only, not styling, and does not allow you to view or download attachments. These options are limited to ensure that you cannot accidentally trigger a virus or other malware from viewing messages on the web. (Please note: all of this information is for held messages. Much more limited information is available about bounced mail, and we do not have content for mail that is bounced.)
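One way to build a content-only preview like the one described above, as an added Python example that is not Pobox's own code. It uses the standard library email and html.parser modules; the function name, the field names and the sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Keep visible text only: tags, attributes, <script> and <style> are dropped."""
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def preview(raw, limit=200):
    """Build a text-only preview of a held message; attachment bodies are never decoded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_subtype() == "html":
        parser = TextOnly()
        parser.feed(text)
        parser.close()
        text = " ".join(parser.chunks)
    return {
        "from": str(msg.get("From", "")), "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")), "message_id": str(msg.get("Message-ID", "")),
        "preview": " ".join(text.split())[:limit],
        # Only the names are listed; the payloads stay undecoded and unlinked.
        "attachments_withheld": [p.get_filename() for p in msg.iter_attachments()],
    }

# Constructed sample of a held message (not real mail).
SAMPLE = b"\n".join([
    b"From: win@bulk.example", b"To: target@mydomain.com",
    b"Subject: You won", b"Message-ID: <constructed-1@bulk.example>",
    b"MIME-Version: 1.0", b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/html; charset=utf-8", b"",
    b"<style>p{color:red}</style><p>Open the <b>invoice</b></p><script>x()</script>",
    b"--b1", b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="invoice.exe"',
    b"Content-Transfer-Encoding: base64", b"", b"AAAA", b"--b1--", b"",
])
```

The preview text is still untrusted input, so it has to be HTML-escaped when it is placed into the web page.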

Starting today, clicking on subjects in your emailed reports will take you to the preview page, so you can make a more informed decision about whether you want to release it. 

We hope you'll find this a useful addition to the Spam section. As always, if you have any questions or see any problems, please let us know.


Pobox Lifetime Email In Love with Email Since 1995
Copyright 1995-2014 IC Group, Inc. All rights reserved.