Mail: URI Blocking in Submissions (SMTP AUTH)

We’re now blocking submissions on our outbound mail service (SMTP AUTH) that contain URIs on blacklists we check outgoing content against. Previously we would include them as part of a score, however we started to see unacceptable stuff pass because it didn’t matching anything except the bad URI. Scoring is still in effect, but the score for a URI match alone is now above threshold.

Exceptions are being made for the following recipient addresses:

  • *
  • abuse@*

Contact support if you have any questions or have a reporting service address like Spamcop you believe should also be whitelisted.

SMTP Delivery Trouble to Proofpoint

Yesterday a customer’s compromised outbound accounts (albeit brief) caused our SMTP AUTH server to become blacklisted at Proofpoint. Outbound mail authorization was revoked for that customer in accordance with our policies, however the Proofpoint block lingers.

If you are having trouble contacting someone behind Proofpoint you should encourage them to contact their mail host and/or Proofpoint for resolution. Although we are attempting to reach out ourselves, companies like Proofpoint are more likely to listen to their own customer’s complains about losing legitimate mail than they will listen to us.

As far as we are aware this issue is limited to Proofpoint.

UPDATE : This issue has been resolved as of August 23, 2016.

SSL Cert Updates and SHA256

The other day we did some routine updates on expiring SSL certificates. Today we got a few reports from SMTP AUTH customers about devices (like office multifunction copiers, UPS management cards, etc.) failing to communicate with the SMTP AUTH service. The problem turned out to be the updated SHA256 certificate. Those devices simply can’t work with an SHA256 cert.

A while back it was determined that SHA1 is “weak” and could become exploitable, although at the time we’re writing this no successful real-world attacks have been discovered. As such certificate authorities now only issue SHA256 certificates. Unfortunately for older devices and embedded devices like the aforementioned offfice copier (and by copier we are referring to big floor standing ones like a Ricoh or Xerox, not some cheap inkjet printer-scanner-copier) they’re different than installing an OS update on your computer. Things like that usually only get replaced as they come off-lease.

We understand that people aren’t just going to trash their devices for SHA265 support so we’ve decided to add an alternate SHA1 access to the SMTP AUTH server. If your device can’t connect to using SSL/TLS try using instead. We believe this is a better option than disabling SSL/TLS: irrespective of how “weak” SHA1 could be this point, our opinion is that it’s still better than plaintext at this time.

There are some encryption types that are practically plaintext – like WEP or original DES – but SHA1 isn’t that bad (yet, possibly, maybe someday, maybe never).

ACC Update; Primary DNS, PayPal eChecks

An update to the account control center was made live today (Sunday, July 10, 2016) that contains major changes to the Primary DNS section, along with minor fixes to other sections. We’ve run through every change and It’s tested OK for us, but if any problems are observed please contact support so we can fix/debug it. Due to the large number of changes to Primary DNS this has been holding us back from updating other parts of the ACC, but that should be out of the way now.

The other major change relates to PayPal payments: the system will now note eCheck pending payments to invoices and automatically place the invoice on hold until a cleared or failed message is sent from PayPal. This will address the issue of eCheck payments placed too close to the shutoff date for them to clear in time.

Mail: New IP Reputation Filter

Today we’ve implemented a new IP reputation filter in the pre-content stage of mail filtering. This is similar to DNSBL but uses the Cloudmark Authority engine to check if the IP has a reputation as a spam source or not. The default will be enabled for new domains.

For existing domains because it most closely resembles a DNSBL its initial state will follow the DNSBL setting. If DNSBL was enabled the IP reputation filter will be enabled. If DNSBL was disabled the IP reputation filter will be disabled.

We’ve deviated from normal and implemented this ahead of adding a new section to the account control center because of spam complaints we’ve seen lately. It is, however, all-filters whitelist aware and we can turn it off manually for a domain if the results are undesirable for a specific purpose.

Contact support if you have any questions.