As an added security measure, we will be making a few changes to the Customer/Reseller Sign-up Confirmation Mail.
From the 5th of May, 2011 the Sign-up confirmation mail will not contain the Password entered by the Reseller/Customer during sign-up.
The mail will contain the Username and a Forgot Password link where users can generate a Temporary 3 day password.
As part of our efforts to cut down unsolicited email from our system and the problems created due to it, we’re introducing certain measures to mitigate such activities. The idea behind these measures is to ensure that our email system is not viewed suspiciously by other service providers, which would lead to email originating from our servers to be deferred or rejected.
A lot of spam email that gets caught in our anti-spam filters, and is reported to us by the feedback loop with other email service providers, shows a high correlation with spoofed envelope from addresses. For example, when a user [email protected] authenticates with smtp.domain.com in order to send a mail from our outbound servers, he can currently set whatever he wants as his “from” address, including email addresses that don’t actually exist. This is a widely used method for email spoofing. In order to avoid such instances, users will now be asked to register a set of identities from their webmail interface for email addresses that need be used to send email. Every identity must have a valid email address, which must be authorized before it can be used to send email. The process to do so is fairly straightforward -
1. The user must log on to Webmail as [email protected], and add the necessary identities, say [email protected] and [email protected].
2. The system will send verification emails to [email protected] and [email protected], asking them: “[email protected] is trying to use [email protected] to send email, do you want to allow this?”
3. Upon confirmation, the user will be able to send email as [email protected] or [email protected] from their account.
4. A list of user accounts are allowed to use [email protected] as their from address will be stored by the system (since there may be more than one user who may want to use the same from address).
To know more about setting identities, you may refer to this article: http://support.mailhostbox.com/email-users-guide/sender-identities
We are monitoring email logs to identify accounts that are sending email in this fashion. We shall pro-actively add identities for these accounts, and send out alerts to clients using a different ‘from’ address than the authenticated one. However, we might not be able to determine all users who need this feature. Thus, we recommend that you inform all your clients about this policy change, and ask them to add sender identities if required. The identities must be created and verified before Tuesday 12th April, after which any unauthorized ‘from’ address will not be allowed to send email.
If you have any questions about this process, please contact our support team, we’d be happy to clarify doubts and provide any other information you need.
As part of our efforts to minimize mail deferrals, we will be deploying a popular and simple technique to combat outbound SPAM i.e disabling Port 25 for MUAs (such as outlook, thunderbird etc).
Port 587 has already been enabled as a replacement and we encourage you to ask your Customers to enable Port 587 for SMTP connections.
To change the SMTP Port you need to enable Port 587 in the following way:
* Outlook: Tools >> Account Settings >> Email >> Change >> More Settings >> Advanced >> Outgoing server (SMTP)
* Thunderbird: Tools >> Account Settings >> Outgoing server (SMTP) >> Edit >> Port
Coupled with SPF and DKIM that we launched earlier, disabling Port 25 will help ensure a more stable and seamless email experience for your Customers.