All posts tagged ‘e-mail’

File Under: Security, servers, Web Basics

Google, Microsoft, Yahoo, PayPal Go After Phishers With New E-Mail Authentication Effort

Major e-mail providers, including Google, Microsoft, and Yahoo, are teaming up with PayPal, Facebook, LinkedIn, and more to implement a new system for authenticating e-mail senders, in an effort to prevent fraudulent spam and phishing messages from being sent.

The protocol that powers e-mail, SMTP, dates back to a more trusting era; a time when the only people who sent you e-mails were people you wanted to send you e-mails. SMTP servers are willing to accept pretty much any e-mail destined for a mailbox they know about (which is, admittedly, an improvement on how things used to be, when they’d accept e-mails even for mailboxes they didn’t know about), a fact which spammers and phishers exploit daily.

Making any fundamental changes to SMTP itself is nigh impossible; there are too many e-mail servers, and they all have to interoperate with each other, an insurmountable hurdle for any major change. So what we’re left with is all manner of additional systems that are designed to give SMTP servers a bit more information about the person sending the e-mail, so that they can judge whether or not they really want to accept the message.

The two main systems in use today are called SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Both systems use DNS to publish extra information about the e-mail sender’s domain. SPF tells the receiving server which outgoing servers are allowed to send mail for a given domain; if the receiving server receives mail from a server not on the list, it should assume that the mail is fraudulent. DKIM attaches a cryptographic signature to e-mail messages, along with an indication of which DNS entry to examine. The receiving server can then look up the DNS entry and use the data it finds to verify the signature.

These systems are not perfect; though both are used widely, they haven’t been adopted universally. This means that some legitimate mail will arrive from domains that have no SPF or DKIM DNS entries, so mail servers can’t depend on their presence. Common legitimate operations can also break them; many mailing list programs add footers to messages, which invalidates the DKIM signature and causes the DKIM check to fail, and forwarding e-mails causes the SPF check to fail. As a result, failing one or the other test is not a good reason to reject a message.

These systems also make it hard to diagnose misconfigurations; receiving servers will typically just swallow or ignore mails sent by systems with bad SPF or DKIM configurations.

The large group of companies, which includes the biggest web mail servers and some of the most common corporate victims of phishing attempts, is proposing a new scheme, DMARC (“Domain-based Message Authentication, Reporting & Conformance”), in an attempt to tackle these problems. DMARC fills some of the gaps in SPF and DKIM, making them more trustworthy.

DMARC's position within the mail receipt process (illustration by dmarc.org)

DMARC is based on work done by PayPal in conjunction with Yahoo, and later extended to Gmail. This initial work resulted in a substantial reduction in the number of PayPal phishing attempts seen by users of those mail providers, and DMARC is an attempt to extend that to more organizations. As with SPF and DKIM, DMARC depends on storing extra information about the sender in DNS. This information tells receiving mail servers how to handle messages that fail the SPF or DKIM tests, and how critical the two tests are. The sender can tell recipient servers to reject messages that fail SPF and DKIM outright, to quarantine them somehow (for example, putting them into a spam folder), or to accept the mail normally and send a report of the failure back to the sender.

In turn, this makes SPF and DKIM much safer for organizations to deploy. They can start with the “notification” mode, confident that no mail will be lost if they have made a mistake, and use the information learned to repair any errors. DMARC also allows recipients to know if a domain should be using SPF and DKIM in the first place.

Without a global rollout, DMARC can’t solve all phishing and spam problems. The companies that have signed up to support the project include major recipients of phishing attempts—the various free e-mail providers—and sites against which phishing attacks are regularly made. Mail sent between the organizations will be verified using the SPF/DKIM/DMARC trifecta. Anyone using the major mail providers and the major services should see a substantial reduction in fraudulent mail. Senders and recipients who want to receive similar protection can implement DMARC themselves by following the specification that the DMARC group is working on.

Given the constraints imposed by SMTP, we may never get an e-mail system that is entirely free of malicious and annoying junk. SMTP e-mail was never designed to be trustworthy, and systems like SPF and DKIM are constrained by the inadequacies of SMTP’s design. Nonetheless, mechanisms such as DMARC can still make a big difference, and with the support of these major companies, e-mail might get that little bit safer.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.


File Under: HTML5, Mobile, Web Apps

Yahoo Mail Switches to HTML5 on the iPad

Yahoo recently revamped its webmail site to deliver a richer, HTML5-powered experience to iPhone users, and now the company has done the same for iPad users.

Go to the Yahoo Mail website on your iPad and you’ll see the new, fully juiced-up HTML5 version instead of the older mobile version.

Yahoo Mail is the world’s largest webmail site — it has over 275 million users — but the site lags behind second-runner-up Gmail when it comes to innovation with HTML5 on the iPad and other touchy-swipey browsing devices.

Still, the new Yahoo Mail looks pretty slick. Scrollable photo previews now appear inside e-mail messages, and it supports offline local cache so you can keep working even when you’re out of range.

File Under: Glossary

IMAP

The mail protocol most people are most familiar with is POP, which has long been the industry standard for serving and retrieving email. A client, which is the sort of desktop mail program with which everyone’s familiar, connects to the POP server and says, “Do you have any messages for me?” If the answer is yes, the client gets a list of the messages, downloads them, and optionally either deletes them from the server or leaves them in place. That’s pretty much the entire capability of POP.

IMAP is an alternative to POP that offers many advantages. Notably, it keeps centralized copies of messages on the server, where they can be accessed from anywhere, rather than fragmented and hidden away in various non-synchronized, non-centralized desktop mailboxes. The mail client interacts with the centralized messages, so your mailboxes look the same at any computer you access them from. The read/unread/replied status of each message is tracked on the server too.

Since IMAP requires long-term storage of messages on the server, email providers have long preferred POP and its quick, space-saving turnaround, which passes the expense of long-term storage on to the user. In fact, almost no popular consumer email provider offers IMAP. Running your own server, though, you can take advantage of IMAP’s benefits. The majority of desktop email clients — Outlook, Eudora, Apple Mail, Thunderbird, et al. — are already ready for IMAP. If you prefer a web-based interface, you can set that up too.

Suggested readings

Set Up a Debian or Ubuntu Machine as a Maildrop

File Under: HTML

Make a Mailto Link

To create a link that sends an e-mail to somebody, use a mailto: address in an HTML link tag.

Your code will look like this:

<a href="mailto:webmonkey@wired.com">Send an e-mail to Webmonkey</a> and tell us how much you love cats.

When the reader clicks on that link, their default e-mail application will launch and a blank e-mail addressed to webmonkey@wired.com (or whatever address you put in the link) will open up.

File Under: Software

Mozilla’s Raindrop Wants to Solve Your Communication Woes

Mozilla Labs has debuted a new web-based tool for integrating all your online communications — such as e-mail, Twitter, Skype and Facebook — into a single browser window. It uses a series of intelligent filters to highlight what’s important to you, bringing the conversations with people or updates from services you care about the most to the top, and keeping the stuff that can wait out of sight until you’re ready to look at it.

It’s called Raindrop, and it fetches all of your communications from different sources like mail servers, Twitter and RSS feeds. Then, Raindrop intelligently surfaces the “important parts,” giving them priority and allowing you to reply or interact with the communications inside your web browser. Like all Mozilla projects, Raindrop is open-source software — it’s actually a mini web server that you run locally and access through your browser. At the time of Thursday’s launch, Firefox, Safari and Chrome are supported, with Internet Explorer notably absent from the list.

While Raindrop is rough around the edges in this early release, Mozilla is hoping to build a one-stop communication platform that will give you a single place to view all your messages, e-mail, shared photos and other social tools.

The “intelligent” part of Raindrop would allow, for example, direct messages and @replies from Twitter to be highlighted over regular incoming messages not directed specifically to you. E-mails that come in can be sorted to give priority to messages from your closest friends, replies and active threads you’re participating in. The idea is to make Raindrop a people-centric communication tool that emphasizes your friends over mailing lists, rote announcements and other not-quite-spam messages.

That might sound a bit like Google Wave, which is also trying to re-imagine web-based communication from the ground up. But while Raindrop and Wave share some similar features, including the ability to view images and videos inline, Google Wave is a much more radical departure from the status quo. Raindrop is more familiar, since it essentially melds a few things you’re already using — an e-mail inbox, a Twitter client and an RSS reader — into a single, streamlined interface. Raindrop is also similar to Mozilla Labs’ existing Snowl project, which puts a river of news and e-mail messages in Firefox. But unlike Snowl, which is a Firefox plugin, Raindrop is a standalone system that even features an API that will allow developers to build their own add-ons, extending Raindrop as they see fit.

So, Raindrop will only gain functionality over time through widgets, add-ons and media-specific enhancements for services like YouTube and Flickr. In that sense, Raindrop could be seen as a logical extension of where Google has been taking Gmail recently by letting users add widgets for chat, calendar, RSS updates and other communication tools to Gmail’s browser-based inbox.

At the moment, Raindrop is a developer release, which means there’s no installer to download. The Labs team is making a downloadable installer one of its top priorities for the project. Interested developers can check out the code and run the startup script manually (see the Mozilla wiki for details). It’s not a plug-in or a desktop client — once Raindrop reaches the packaged installer stage, you’d set it up and then visit a local URL to see your messages.

I was able to install the developer code with no problems on my local machine. After telling Raindrop my Gmail and Twitter account info, the script dutifully fetched my messages.

Raindrop’s overview of your Inbox.

As you can see in the image above, Raindrop retains Gmail’s threaded conversation view; however, in this case Raindrop failed to filter out a message from a local wine shop, which, while not spam, is nevertheless not something I would want prioritized.

Still, Raindrop is clearly a work in progress and despite not being perfect, it did do a pretty good job of filtering out less important conversations.

Raindrop inline e-mail and Twitter messages.

As you can see, Twitter updates are shown inline with e-mail threads. Other messages, like mailing list subscriptions, are filtered out of the main conversation flow and given their own boxes so you can see what’s new without fully disrupting your more personal communications.

At the moment, any filtering or message deleting in Raindrop does not appear to sync back to your mail server. This is a serious flaw that we expect will be addressed before Raindrop reaches the downloadable stage.

This early developer release of Raindrop isn’t much to look at yet. But I should note that Mozilla has already spun out a new design that looks a bit more like Snowl:

Raindrop’s newer interface (image courtesy of Mozilla).

The newer look is a bit cleaner and abandons the traditional e-mail-style layout in favor of something more free-flowing.

Raindrop is clearly still very experimental and not meant for even casual usage, but we’re looking forward to seeing where Mozilla Labs takes the project.

Wrapping your head around Raindrop is difficult to do without actually using it and, due to the lack of an installer, using it is beyond most users at this point. Thankfully, Mozilla has posted this video, which gives you a nice overview of how Raindrop works.

Raindrop UX Design and Demo from Mozilla Messaging on Vimeo.
