SMTP Delivery Trouble to Proofpoint

Yesterday a customer’s compromised outbound accounts (albeit brief) caused our SMTP AUTH server to become blacklisted at Proofpoint. Outbound mail authorization was revoked for that customer in accordance with our policies, however the Proofpoint block lingers.

If you are having trouble contacting someone behind Proofpoint you should encourage them to contact their mail host and/or Proofpoint for resolution. Although we are attempting to reach out ourselves, companies like Proofpoint are more likely to listen to their own customer’s complains about losing legitimate mail than they will listen to us.

As far as we are aware this issue is limited to Proofpoint.

UPDATE : This issue has been resolved as of August 23, 2016.

SSL Cert Updates and SHA256

The other day we did some routine updates on expiring SSL certificates. Today we got a few reports from SMTP AUTH customers about devices (like office multifunction copiers, UPS management cards, etc.) failing to communicate with the SMTP AUTH service. The problem turned out to be the updated SHA256 certificate. Those devices simply can’t work with an SHA256 cert.

A while back it was determined that SHA1 is “weak” and could become exploitable, although at the time we’re writing this no successful real-world attacks have been discovered. As such certificate authorities now only issue SHA256 certificates. Unfortunately for older devices and embedded devices like the aforementioned offfice copier (and by copier we are referring to big floor standing ones like a Ricoh or Xerox, not some cheap inkjet printer-scanner-copier) they’re different than installing an OS update on your computer. Things like that usually only get replaced as they come off-lease.

We understand that people aren’t just going to trash their devices for SHA265 support so we’ve decided to add an alternate SHA1 access to the SMTP AUTH server. If your device can’t connect to using SSL/TLS try using instead. We believe this is a better option than disabling SSL/TLS: irrespective of how “weak” SHA1 could be this point, our opinion is that it’s still better than plaintext at this time.

There are some encryption types that are practically plaintext – like WEP or original DES – but SHA1 isn’t that bad (yet, possibly, maybe someday, maybe never).

ACC Update; Primary DNS, PayPal eChecks

An update to the account control center was made live today (Sunday, July 10, 2016) that contains major changes to the Primary DNS section, along with minor fixes to other sections. We’ve run through every change and It’s tested OK for us, but if any problems are observed please contact support so we can fix/debug it. Due to the large number of changes to Primary DNS this has been holding us back from updating other parts of the ACC, but that should be out of the way now.

The other major change relates to PayPal payments: the system will now note eCheck pending payments to invoices and automatically place the invoice on hold until a cleared or failed message is sent from PayPal. This will address the issue of eCheck payments placed too close to the shutoff date for them to clear in time.

Mail: New IP Reputation Filter

Today we’ve implemented a new IP reputation filter in the pre-content stage of mail filtering. This is similar to DNSBL but uses the Cloudmark Authority engine to check if the IP has a reputation as a spam source or not. The default will be enabled for new domains.

For existing domains because it most closely resembles a DNSBL its initial state will follow the DNSBL setting. If DNSBL was enabled the IP reputation filter will be enabled. If DNSBL was disabled the IP reputation filter will be disabled.

We’ve deviated from normal and implemented this ahead of adding a new section to the account control center because of spam complaints we’ve seen lately. It is, however, all-filters whitelist aware and we can turn it off manually for a domain if the results are undesirable for a specific purpose.

Contact support if you have any questions.

Changes are Coming: Mail/DNS Prices, Free Accounts, and Spam Filtering

We’re going to be making some major changes this year to our classic Mail and DNS services. This only affects Mail and DNS, so if you’re a colocation or transport or transit (internet access) customer you can skip this.

First off, we understand that change is generally disliked, but in the long term this will help us continue our tradition of high quality and dependability. Because of the way we do things we’re proud to say that our mail services haven’t seen an outage since June 9, 2010, although we continue to strive for improvements. One of those improvements recently came in the form of a second colocation facility that gives us dual generators, dual UPS systems, and dual utility power feeds. Critical network equipment will be getting primary AC and secondary DC power for further redundancy. We will diversify some physical services between both facilities: i.e. mail/mail2 will be in separate facilities, as will ns1/ns2 and ns1-auth/ns2-auth.

So we’ll get big one out of the way first: a price increase. We will be raising base prices for all Mail and DNS account levels by 5%. Not today, but soon. If you’ve been thinking about changing your account level now is the time to lock in the current pricing. The increase will not apply to customers that continue to maintain their accounts per our price guarantee policy (Roller Network Mail and DNS services are price guaranteed for as long as the services associated with an account’s profile continue to be renewed on time), nor will any other pricing be affected.

Along the same line we will start enforcing usage levels in a more automated manner than we have in the past. We have a long history of being lenient when it comes to additional usage. Settings for this have been available in the control center for a few years now under My Account -> Account Preferences -> Usage Allowance Handling. Soon they will mean something.

And finally we’re planning to discontinue the free accounts. If you’re a free account holder we recommend upgrading now to lock in current pricing before the 5% increase. We understand there are other free services out there that you may want to move to, so we recommend looking in to that now if you don’t want to upgrade your Roller Network account, although we hope you’ll consider upgrading. A new “Basic” account level will be created that offers these features. This represents a savings over the current minimum paid account for users that don’t want any other features.

Why are we making these changes? Well, it primarily comes down to three things: upgrades, development, and spam filtering. For many years now our spam filtering has been admittedly less than adequate as various community-based projects have slowly changed into paid subscription services. Most of them offer a “free” tier for end users, but as a service provider we don’t qualify for that. Our current pricing model simply does not allow us to afford their subscription costs. We previously touched on this in our post about dropping support for Spamhaus and our trial with Cloudmark Authority last year. Before that we’ve also dropped other well-known lists like SURBL and URIBL for similar reasons.

We’ve decided to bring Cloudmark Authority into our system. The response during the trial last year was mostly positive, although it did generate some complaints about being too aggressive. We intend to fix that by making it a separate module in our system instead of part of SpamAssassin. The trial was performed with SpamAssassin because doing so required minimal effort to test. Separate integration will allow separate control over Cloudmark’s engine and finally bring a managed filtering option to our mail services.

Updates will be posted to the Newspipe as specific things mentioned in this post happen, so stay tuned for more.