Secondary DNS Transition to Paid-Only

The next update to the account control center will remove free Secondary DNS and add the “Basic” paid service level. Existing Secondary DNS zones won’t be disabled at this time, but no changes will be allowed to them unless you have a paid account. Back in March we posted an announcement that we’re going to start discontinuing free services and this is the first step.

You can find that announcement here:

A link to this announcement has also been shown in the account control center for the past 8 months. Although we’re sure to see some complaints no matter how much lead time we give, eventually we have to move forward. That time has come for Secondary DNS.

Twitter Outages

Twitter is currently suffering from outages today (October 21, 2016) and may be unavailable.

As a reminder our third party hosted status page is at:

Mail: URI Blocking in Submissions (SMTP AUTH)

We’re now blocking submissions on our outbound mail service (SMTP AUTH) that contain URIs on blacklists we check outgoing content against. Previously we would include them as part of a score; however, we started to see unacceptable stuff pass because it didn’t match anything except the bad URI. Scoring is still in effect, but the score for a URI match alone is now above threshold.

Exceptions are being made for the following recipient addresses:

  • *
  • abuse@*

Contact support if you have any questions or have a reporting service address like Spamcop you believe should also be whitelisted.
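The change described above, sketched as an added example (not our production filter code): a blacklisted URI used to be one contribution to the score and now exceeds the threshold on its own, except for exempt recipients. The threshold, score values, the `bad.example` list entry, the function names and the rule that every recipient must be exempt are all assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed values for illustration; not the service's real settings.
THRESHOLD = 5.0
URI_SCORE_NOW = 6.0       # a blacklisted URI alone is above THRESHOLD
URI_SCORE_BEFORE = 3.0    # earlier behaviour: one contribution among several
URI_BLACKLIST = {"bad.example"}      # stand-in for a URI blacklist lookup
EXEMPT_RECIPIENTS = ("abuse@*",)     # exception pattern listed on the page

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def uri_hosts(body):
    """Return the lowercased hostnames of all http(s) URIs in the body."""
    hosts = set()
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri.rstrip(".,;:!?)")).hostname or ""
        except ValueError:      # malformed authority, e.g. unbalanced brackets
            continue
        if host:
            hosts.add(host.rstrip(".").lower())
    return hosts


def is_listed(host):
    """True if the host or any parent domain is on the blacklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in URI_BLACKLIST for i in range(len(labels)))


def evaluate(recipients, body, other_score=0.0, uri_score=URI_SCORE_NOW):
    """Return (verdict, score, listed_hosts) for one submission."""
    listed = sorted(h for h in uri_hosts(body) if is_listed(h))
    score = other_score + (uri_score if listed else 0.0)
    # Assumption: the exception applies only if every recipient is exempt.
    exempt = bool(recipients) and all(
        any(fnmatchcase(r.lower(), p) for p in EXEMPT_RECIPIENTS)
        for r in recipients
    )
    verdict = "reject" if score > THRESHOLD and not exempt else "accept"
    return verdict, score, listed


if __name__ == "__main__":
    body = "Reset your password at http://login.bad.example/reset."  # constructed
    print(evaluate(["user@example.net"], body, uri_score=URI_SCORE_BEFORE))
    print(evaluate(["user@example.net"], body))
    print(evaluate(["abuse@isp.example"], body))
```
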

SMTP Delivery Trouble to Proofpoint

Yesterday a customer’s outbound accounts were compromised and, although the compromise was brief, it caused our SMTP AUTH server to become blacklisted at Proofpoint. Outbound mail authorization was revoked for that customer in accordance with our policies; however, the Proofpoint block lingers.

If you are having trouble contacting someone behind Proofpoint you should encourage them to contact their mail host and/or Proofpoint for resolution. Although we are attempting to reach out ourselves, companies like Proofpoint are more likely to listen to their own customers’ complaints about losing legitimate mail than they are to listen to us.

As far as we are aware this issue is limited to Proofpoint.

UPDATE: This issue has been resolved as of August 23, 2016.

SSL Cert Updates and SHA256

The other day we did some routine updates on expiring SSL certificates. Today we got a few reports from SMTP AUTH customers about devices (like office multifunction copiers, UPS management cards, etc.) failing to communicate with the SMTP AUTH service. The problem turned out to be the updated SHA256 certificate. Those devices simply can’t work with an SHA256 cert.

A while back it was determined that SHA1 is “weak” and could become exploitable, although at the time we’re writing this no successful real-world attacks have been discovered. As such, certificate authorities now only issue SHA256 certificates. Unfortunately, updating older devices and embedded devices like the aforementioned office copier (and by copier we are referring to big floor standing ones like a Ricoh or Xerox, not some cheap inkjet printer-scanner-copier) is different than installing an OS update on your computer. Things like that usually only get replaced as they come off-lease.

We understand that people aren’t just going to trash their devices for SHA256 support so we’ve decided to add alternate SHA1 access to the SMTP AUTH server. If your device can’t connect to using SSL/TLS try using instead. We believe this is a better option than disabling SSL/TLS: irrespective of how “weak” SHA1 could be at this point, our opinion is that it’s still better than plaintext at this time.

There are some encryption types that are practically plaintext – like WEP or original DES – but SHA1 isn’t that bad (yet, possibly, maybe someday, maybe never).