Better security and privacy through image proxying

Today we rolled out a feature that enhances your privacy and security when you use FastMail: all off-site images embedded in emails are now proxied through our servers. Instead of your web browser going out to the wider internet to fetch an image in an email, it will request it securely from our servers and we’ll fetch the image on your behalf. (The original email is never modified, so if you forward it or view it in an IMAP client, it will appear exactly as we received it.)

When your browser requests an image (or any other page) it sends all sorts of information to the web server, including your internet address (which reveals your rough location), the type and version of browser you’re using, and sometimes even tracking cookies and other information that can help identify you. While these things are a fundamental part of how the web works and are difficult to avoid, we know that many of our users don’t like this information to be sent without their knowledge. That’s why we’ve always had protection against this by requiring you to explicitly request that images be loaded for an email.

Now though, we’ve gone one step further. When an image is loaded, the request goes only to our servers, which then go and request the original image. The request comes from the server’s address, with a generic browser type and version and no information at all that identifies the original email or the user requesting it. The image server remains in the dark about where the request came from. That’s a big plus for your privacy.

The other advantage of our new approach is that it removes the possibility of mixed-content warnings appearing in your browser while reading your email. Every web user has had it drilled into them for years that they should look for the padlock icon to know if the site they’re looking at is secure:

happy-proxy

But when you view an email with an image served from an insecure site (as most image hosting sites are), the browser changes the padlock icon to look like this:

sad-proxy

Since all images now come via our secure servers, the padlock will now always remain intact, giving you the confidence that no one is intercepting your data.

Edit: Clarified that the image server cannot see where the request came from. It may still be able to determine who the request came (ie email address validation) if the image URL has some kind of tracking data in it. Its still a marked improvement on not proxying at all, as it can’t be directly correlated with an internet address or other tracking data.

Posted in Feature announcement, News. Comments Off

FastMail changelog update

The following changes have been rolled out to production:

  • New keyboard shortcut: ";" (semi-colon) opens the "More" menu of a message. You can then use arrow keys + enter to select an option. Use N/P to select a message before the last one in a conversation. More information on keyboard shortcuts is available in our documentation: https://www.fastmail.fm/help/receive/kbshortcuts.html
Posted in Feature announcement. Comments Off

Payment Issues

Recently there have been some problems with our payment processor.

One of these is that sometimes there is a significant delay in completing a transaction, so the funds are “reserved” but the transaction isn’t actually completed until a few weeks later.

The other problem was that a number of charges were made to some of our customers’ credit cards, in our name. The majority of these are USD 1.00 test charges that are used to verify that a card is valid. Normally we cancel these charges immediately and the charge doesn’t appear on the card statement. However the problem at our payment processor has resulted in some of these supposedly “cancelled” charges recently being applied to customer cards. A number of other charges which were supposed to be “cancelled” have also been processed. This was done in error and without any instructions from FastMail.

We are currently working with our payment processor to refund these erroneous payments. In some cases, the refunds are unable to be processed directly because the card has expired or been cancelled.

We may need to refund these charges via an alternative method, or, at the user’s option, instead credit the amount towards future FastMail renewals. We will be in touch with the affected customers once we have more information on the scope of the problem.

We would like to assure our users that we will make certain that all erroneous charges are corrected. This may take some time, so thanks for your patience.

Our apologies for any inconvenience or confusion. We will post more information as it becomes available.
– the FastMail team

Posted in Technical. Comments Off

New phishing trick, data: URLs to avoid forgery reporting

This is a technical post about a new and interesting phishing technique seen today. Regular FastMail users can skip this post.

We saw an interesting new phishing attempt today that uses a relatively novel technique to try and hide the source of the attack and avoid it being reported as a web forgery.

Firstly the email itself looks reasonably well done (apart from the year in the subject being completely wrong), certainly it’s not the poor quality you often see. It looked like this (ANZ is an Australian bank):

phishing

Secondly, the email was sent using a compromised gmail account with a .edu address. In fact there were two separate emails, both from different compromised gmail .edu accounts. I imagine compromised gmail .edu accounts aren’t that easy to get, and this significantly reduced the chances of it being caught by any spam filter.

Thirdly, the phishing page itself is interesting in that it:

  1. Uses a standard link shortener for a redirect (http://ow.ly in this case)
  2. Which redirects to the phishing delivery page (a compromised page on http://zerra-performance-center.de)
  3. That page however rather than hosting the HTML phishing login page directly, does this:

<script type="text/javascript">
        window.location="data:text/html;base64,... base64 encoded version of HTML phishing login page ...";
</script>

That data: URL is itself the phishing page content, which includes links to real ANZ website logos to make it look as authentic as possible, but has a form submit action to a compromised page on http://lucinaracosta.com.br.

This approach is interesting because it makes it impossible to report this page as a forgery using the standard Firefox "Report Web Forgery" action because Firefox thinks it’s a data: URL. Neat trick that makes it harder to remove or block in the long run.

I’ve reported this issue as a Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1032564

Posted in Technical. Comments Off

Announcing the FastMail Calendar

After 9 months of intense work, we’re very proud to announce a major new addition to FastMail. We’ve taken all the great things about FastMail’s email hosting and applied them to build an awesome new calendar. You get the same incredibly speedy and elegant web interface. The same robust, fully-redundant backend (with live off-shore replicas). The same power behind an easy-to-use interface.

Our new calendar is packed full of the features you need to stay organised:

  • Continuous scrolling, because life isn’t broken into months.
  • Two-way sync with your existing Google or iCloud calendars.
  • A great experience on mobile browsers – just like with email.
  • Real-time updates, so changes are displayed immediately on all devices.
  • Multiple time zone support.
  • Powerful sharing options for easy collaboration.

We could go on, but really you should just try it for yourself. Head over to https://www.fastmail.fm and log in to your account, or if you don’t yet have one you can sign up for a free 60-day trial. Alternatively, find out more about what our new calendar can do by exploring our documentation.

A major addition like this would often be added as a separate service, but we’re delighted to announce that the new calendar will be available at no extra cost for all our paying subscribers. Most accounts also get CalDAV access included as well for syncing with your favourite mobile calendar app. More information about which accounts have CalDAV access
is available on our new pricing pages.

With contact synchronisation coming very soon now, we’re looking forward to meeting all your communication needs in one place.

We hope you enjoy using our new calendar as much we’ve enjoyed building it. As always, we’d love to hear what you think! Please let us know via support, twitter, etc.

The FastMail Team

Posted in News. Comments Off

Errors on classic mailbox screen and pop emails retrieved again for some users

A rollout of some new code today contained some errors that badly affected two separate areas of FastMail.

1. Errors selecting any emails to action on the classic interface would cause a fatal error

An internal misuse of an API meant that selecting any emails on the classic interface Mailbox screen and trying to action those emails would fail with a fatal error. Reading and applying actions to individual emails continued to work fine. The way this manifested itself unfortunately wasn’t picked up in our testing before being rolled out. It has been fixed now and we’ll update our tests to catch this. The error lasted for for about 3 hours.

2. Pop links for some users re-downloaded all emails again

A long term bug in the pop retrieve system resulted in a very rare and intermittent problem where some links for some users would forget all existing downloaded message. This means that in certain cases users that had set the “Leave on server” option might see existing messages that had been downloaded previously downloaded again, possibly several times. This obviously resulted in duplicate copies of the same message appearing in a folder.

Unfortunately a fix to this bug rolled out to one server for a short time actually made things worse, causing the same problem to occur for more users than the original bug.

A correct fix for the original problem and the subsequent bug has now been rolled out everywhere.

Users affected by this bug can find and remove any duplicate messages using the Advanced -> Folders -> Mass delete/Download/Remove duplicates … (button down the bottom) screen. Select the folder with the duplicates at the top, and use the “Remove duplicate messages” section to find and remove any duplicate messages.

Posted in Technical. Tags: . Comments Off

Increased spam getting through for the last few days

Due to an undetected compatibility issue between some software modules we use for detecting spam emails, for the last few days a number of the tests we use to detect spam haven’t been working properly. This means that for the last few days, considerably more spam may have been getting through our filters and into users Inboxes.

We’ve now fixed this issue and have added additional tests to ensure this doesn’t happen again.

For those interested in the technical details: We upgraded to a newer version of Net::DNS and the version of SpamAssassin we use was using some internals from Net::DNS that had changed with the new version. This caused all RBL lookups to fail. Failing RBL lookups wouldn’t cause any email delivery to fail, just all RBL scoring to be ignored.

Posted in News, Technical. Comments Off
Follow

Get every new post delivered to your Inbox.

Join 5,591 other followers