Copyright © 1999–2018 FastMail Pty Ltd
This is the third post in a mini-series about security, to mark an upcoming security upgrade to our login and authentication system. All new changes will be launching on Monday, 25th July 2016.
Email is one of the few open communication standards still flourishing on the internet. Being open means anyone can build a new service and get instant compatibility with the billions of other email accounts out there; this competition is great for innovation! However, it also means email is more exposed to those who want to abuse it for criminal ends. Keeping your account shielded from unwanted mail is an important defence against malware, scammers and other criminal activity.
Taking action against different types of unwanted mail
Not all unwanted mail is spam. Just as you have different vaccines to prevent different diseases, different measures will be more effective at preventing different kinds of unwanted mail.
What is spam?
Spam is unsolicited mail sent to a large number of users in an attempt to get you to click on a link to buy a product, market an otherwise dubious service, scam you out of some money (Nigerian princes abound) or install a virus or malware on your computer.
Signs of spam
FastMail assigns each incoming mail a spam score. Mail that scores high enough to be considered likely spam is moved to your spam folder. You can adjust how aggressive this filtering is in your Spam Protection Settings.
The spam score is calculated by looking at many different aspects of the mail. Was it sent from a server known for a high spam rate? Can we authenticate that the email really was sent by the person it claims to be from? Does the email content look suspicious? How many other users received the same message at the same time? Is the sender in your address book and known to you?
Train your spam detection
While the FastMail system assesses the mail automatically, you can help it trap any other spam that arrives by using the "Report Spam" button. This moves the offending mail into your spam folder, and provides input to your personal spam training database, so it learns that mail of this kind is suspicious.
Note that reporting a mail as spam does not mean that any other mail of this type will be automatically caught from now on. Firstly, the database requires a significant sample size before it comes into effect (200 non-spam and 200 spam messages need to be seen) so that it has enough input to calculate sensible figures. Secondly, the database is only used as part of the overall scoring system, so other factors will still affect whether it trips the threshold for automatic spam classification.
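As an added illustration (not FastMail's code) of the two points above, the following Python sketch shows a personal training database that stays neutral until it has seen 200 non-spam and 200 spam messages, and a combined score in which that database is only one term beside the other signals listed earlier; the naive Bayes token model, the weights, the threshold and the sample messages are all constructed assumptions.

```python
import math
import re
from collections import Counter

MIN_SAMPLES = 200  # from the post: 200 non-spam and 200 spam messages before training counts


class PersonalSpamDb:
    """Per-user token database fed by "Report Spam" / not-spam feedback."""

    def __init__(self):
        self.spam_tokens, self.ham_tokens = Counter(), Counter()
        self.spam_count = self.ham_count = 0

    @staticmethod
    def tokenize(text):
        return set(re.findall(r"[a-z0-9']+", text.lower()))

    def train(self, text, is_spam):
        tokens = self.tokenize(text)
        if is_spam:
            self.spam_tokens.update(tokens)
            self.spam_count += 1
        else:
            self.ham_tokens.update(tokens)
            self.ham_count += 1

    def ready(self):
        return self.spam_count >= MIN_SAMPLES and self.ham_count >= MIN_SAMPLES

    def score(self, text):
        """Probability-like value in [0, 1]; stays neutral (0.5) until trained."""
        if not self.ready():
            return 0.5
        log_odds = 0.0
        for tok in self.tokenize(text):
            # Laplace-smoothed per-class token frequencies
            p_spam = (self.spam_tokens[tok] + 1) / (self.spam_count + 2)
            p_ham = (self.ham_tokens[tok] + 1) / (self.ham_count + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


SPAM_THRESHOLD = 5.0  # assumed cut-off for filing mail in the spam folder


def spam_score(db, text, bad_sender_reputation, auth_passed, in_address_book):
    """Combine the post's other signals with the personal database (weights are assumptions)."""
    score = 3.0 if bad_sender_reputation else 0.0
    score += 0.0 if auth_passed else 1.5
    score -= 3.0 if in_address_book else 0.0
    # The personal database adds between -3 and +3, and exactly 0 while untrained
    return score + (db.score(text) - 0.5) * 6.0
```

Because the trained term is only one of several, a message from a known correspondent can still stay below the threshold even when its content matches reported spam.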
What is phishing?
A phishing email is one that tries to trick you into handing over your personal information to an attacker, such as your username and password, by pretending to be from someone you trust.
Signs of a phishing mail
Mail will appear to be from a person or company you have a relationship with (such as eBay, PayPal, banks, or FastMail). Some scare tactics may be employed such as claiming you will lose access to your account if you don't update your password. Or an offer may be made: you're eligible for a free bonus thing if you log in to the prize website.
The mail will usually not be addressed to you personally. There will often be a link going to a website which at first glance looks legitimate. The mail will be from an address which is designed to look legitimate (fast-mail.com or fastmai1.com) but isn't.
While similar to spam, phishing messages are often from legitimate accounts at other high-reputation services (such as Gmail, or Hotmail), which have been stolen in a previous phishing attack. This means a lot of the signals we normally use to detect spam are not effective. To combat this, last week we introduced a new system that applies new real-time analysis of incoming mail to catch phishing attempts. So far, we're optimistic we're catching a lot more of it than ever before.
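The lookalike sender addresses mentioned above (fast-mail.com, fastmai1.com) can be screened for on the receiving side. The following Python is an added example, not FastMail's detection system: it normalises a sender domain (hyphens removed, common digit-for-letter swaps undone, accents stripped) and compares it to a small constructed list of imitated brands with an edit-distance tolerance; the brand list, the swap table and the helper names are assumptions.

```python
import unicodedata

# Brands the post names as impersonation targets (constructed list for this example)
PROTECTED_DOMAINS = ("fastmail.com", "paypal.com", "ebay.com")

# Digit-for-letter swaps of the "fastmai1.com" kind; an assumed, not exhaustive, table
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def normalize(domain):
    """Lower-case, drop accents, undo digit swaps and remove hyphens ("fast-mail.com")."""
    ascii_only = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return ascii_only.translate(DIGIT_SWAPS).replace("-", "")


def levenshtein(a, b):
    """Edit distance, so single-character variants of a brand domain also match."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain part of a From: value such as 'FastMail Support <billing@fast-mail.com>'."""
    return from_header.rsplit("@", 1)[-1].rstrip("> ").lower()


def lookalike_target(from_header):
    """Return the protected domain this sender imitates, or None.
    An exact protected domain is not flagged here: whether it is genuine is the job of
    sender authentication (the "can we authenticate" signal in the post)."""
    domain = sender_domain(from_header)
    if domain in PROTECTED_DOMAINS:
        return None
    candidate = normalize(domain)
    for target in PROTECTED_DOMAINS:
        if candidate == target or levenshtein(candidate, target) <= 1:
            return target
    return None
```

A hit from this check is one more input to the phishing score, not a verdict on its own, since a genuine small business can have a name one edit away from a big brand.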
You can stay safe from phishing with a few simple tips:
Trust, but verify. Never log in to a website via a link you clicked on from email: always type the website address into your browser yourself. If you're suspicious, contact the institution to check whether the email is real.
Verified from FastMail. All email sent to you by the FastMail team can be verified by logging in to our web interface and looking for the green tick. Our website also has the green padlock so you know you're on the real FastMail site. If you see these things, then you know the mail really is from us and you are on the correct website. Accept no imitations!
Report phishing. No filter is perfect, and you may still receive a phishing email. If you get one, use the "Report Phishing" button in our web interface to send us details of the new phishing email you've identified. We use this information to train our systems to better detect such mails so that you never have to see them. You can find the "Report Phishing" button in the "More" menu located at the top right of every email.
What is marketing mail?
Marketing mail comes from services or companies that you (usually) once had a relationship with but may no longer want to hear from. These are often catalogues, special offers or sale information.
Spam reports are not effective. Reporting these mails as spam is an ineffective way to stop them. The spam detection system finds it hard to tell the difference between marketing mail you want to receive and marketing mail you don't, because at one point the mail was legitimate. It will contain a number of markers that tell the spam detection system the mail isn't spam: it's usually sent from a reputable source and it will often contain your name.
Stopping marketing mail. The best thing to do is unsubscribe! Most marketing mails are in the form of a mailing list and there will be links at the bottom of the mail allowing you to unsubscribe from the mail. If you can't find any such links, you can log in to our web interface, open up the message and create a new filter rule from the message to discard mails from that mailing list or company.
Sometimes you get mail repeatedly from someone that you just don't want. Perhaps it's Team Rocket trying to steal your Pikachu, or the Ninja School attempting to recruit you.
To stop the mail dead in its tracks, log in to our web interface, open up the message and create a new filter rule from the message to discard all future mail from that person.
Why can't you stop all of the spam, all of the time?
The war on spam is an arms race. We develop better protection systems, they find new and ingenious ways around those systems. We improve, they improve, and so on. There are also thousands (or millions!) of spammers out there. They make a profit even if only one person in 10,000 clicks on an email and hands over some money or their account details. While our anti-spam team is highly experienced and has a lot of professionally developed tools at their disposal, there are only so many hours in the day!
We would much rather accept a false negative (treating a spam mail as legitimate) than make our system so locked down that it produces false positives (filing real mail as spam, preventing you from ever seeing it). It is far less terrible for you to see a few extra spam mails than it is for you to miss out on seeing actual mail, especially as most people don't usually check their spam folder very often!
We have more information on stopping spam in our online help.
Got any security questions or recommendations? Tweet us @FastMail using the hashtag #securitymatters.