How To Use Email Securely

November 1st, 2016  |  Published in Commentary, Security  |  3 Comments

Much has been said and written in the media recently regarding email, and here at Runbox we’d like to take the opportunity to help make it all a bit more understandable.

What is email, anyway?

Email, or electronic mail, is the most common method of exchanging digital messages.

It is easily the most flexible online messaging service available, because it lets users send and receive unlimited text, multimedia, and other files to anyone with an email address anywhere in the world.

Email was invented in the 1960s and is still one of the most popular services currently available via the Internet, with over 90% of US Internet users actively using email.

How does email work?

Email systems consist of computers and devices that are connected via the Internet. These computers and devices can be servers that process and store electronic mail, or clients such as laptops and smartphones that are used to send and receive email.

Email clients and server Email clients connected to a server

When someone sends an email, the message is transferred from his or her device to a server that processes the message.

Based on the recipient email address, the server finds out where to send the message next.

This is usually to another server associated with the recipient’s address, and often via a number of other servers that act as dispatchers.

There are many different types of email software that can send, receive, and store email. If you use a computer or a smartphone, you might be familiar with software such as Outlook, Apple Mail, or Thunderbird.

Where is my email actually stored?

Because the volume of email is so large, email clients typically let servers store all the email that is received and sent and only download messages when they are opened.

This is very convenient because the server can then do resource intensive things like filtering out spam and viruses, and other kinds of sorting and processing.

Another important reason for keeping emails stored on a server is that it lets more than one client access the same messages.

For instance, you can set up your laptop, your tablet, and your smartphone to access all the email that is stored in your account on the server. You can also use a webmail in your web browser, which essentially works as an email client.

This means that your email will be synchronized across all your devices, without you having to do anything manually.

You can read more about how this works in our Help article Using an Email Client with IMAP.

How can I be sure that no one else can access my email?

When you sign up for an email account, you select a username and a password that only you know. This ensures that only you can access the email that is stored in your account on the server.

As you can imagine, it is important that you choose a strong password to make sure that no one else can guess it. It’s also important to be aware of scams that may try to trick you into revealing information that could let someone gain access to your account.

End-To-End Encryption

End-To-End Encryption

However, to be certain no one can read your email even if they were to gain access to it, you can use encryption.

Email encryption can protect your messages all the way from your device to the recipient’s, by encoding them in such a way that it’s virtually impossible for someone unauthorized to unscramble them.

You can read more about this in our Blog post Email Encryption with Runbox and our Help article Encrypting Your Runbox Email.

We hope this article helped clarify what email is, how it works, and how to use it securely. For a more in-depth article, please see How Email Works.

Tags: , ,

New Spam Filtering

August 16th, 2016  |  Published in News  |  6 Comments

Recently we have been testing a new component to our spam filtering system. This component is powered by Cloudmark, one of the most popular and powerful spam filter systems available. We would now like to make Cloudmark available to more customers.

How Cloudmark works

Cloudmark is designed to detect known spam better and works as a central authority based on reporting by millions of Cloudmark users. It would help us improve our implementation of Cloudmark to have more Runbox users testing it.

Customers who are testing Cloudmark don’t need to do anything different in the way they use their email. However, we ask testers to report spam (or genuine mail) that is not classified correctly to a special Runbox email address.

No data is shared with a third party when using Cloudmark, as it’s running on Runbox’ own servers. Any reporting done by our customers is currently only going to Runbox itself. When we implement a reporting facility back to Cloudmark in the future it will be implemented as a clearly marked option.

How to start using Cloudmark

If you are interested in having Cloudmark added to your account, or wish to ask questions about it, please let us know at Runbox Support (support@nullrunbox.com).

Tags:

Launch of CalDAV calendar service

July 26th, 2016  |  Published in News  |  12 Comments

Today we officially launch our CalDAV calendar service. With CalDAV you can store your calendars on Runbox’ servers using calendar apps on your computer, smart phone or tablet.

CalDAV lets you store your calendar items online and synchronize them across multiple devices. You can create events, recurring events, alarms and also invite other people to add events to their own calendars. Additionally you can create reminders/to-do lists and use those in your favorite notes app.

How to set up CalDAV

To use CalDAV you will need these details:

  • Username: Enter your Runbox username. If you use your own domain name, the username format is you@nulldomainyouown.tld.
  • Password: Enter your Runbox password.
  • Server Address: Enter https://dav.runbox.com/

For details on how to set up your CalDAV program or app, please see the CalDAV help page. And if you have any questions about this service, please contact Runbox Support.

Runbox CalDAV is the first of a new collection of services that will also include CardDAV (contacts) and WebDAV (file storage), so look out for more news in the weeks and months ahead.

 

Tags:

Account security and password strength

July 3rd, 2016  |  Published in News  |  10 Comments

In the recent past, some high profile companies have had user account details stolen by criminals. In some cases these details have been made public. Many people use the same usernames and passwords across different services, which means that their other accounts may also be at risk.

Use a Strong Password

Runbox has not had a data breach. However, if you use one of the affected services and have used the same login with Runbox then your Runbox account could also be at risk.

We would suggest you update your Runbox password if you feel it might be necessary. What would have been a strong password a few years ago, might not be strong now. This is because criminals have an increasing ability to try large numbers of known passwords against accounts.

For useful tips about choosing strong passwords we recommend our Account Security help page. It is easier than you might think to create good passwords that are easy to remember.

Two-Factor Authentication

To improve account security further, Runbox will be launching two-factor authentication (2FA) in the near future.

With 2FA turned on you will need to provide both your username, password, and an additional piece of information to access Runbox and your account settings. And if you choose to use IMAP, POP, or SMTP, you will be given strong passwords to use.

In the meantime, if you have any questions about account security, please contact us at Runbox Support.

Tags:

CalDAV calendar in beta testing

June 8th, 2016  |  Published in News  |  20 Comments

We’re happy to announce that our new CalDAV service is now in open beta testing.

With CalDAV you can store your calendars on Runbox’ servers using calendar apps on your computer or smart phone. This is the first step towards a full-fledged Runbox Calendar service, as we are planning to develop an integrated web interface as well.

Please remember that this is a beta phase and that the service might be less consistent than our standard services. We therefore recommend that you back up your calendar data before and while testing it.

Setting up Runbox CalDAV

To try Runbox CalDAV in your Calendar client, just set up a new account with your Runbox username and password and https://dav.runbox.com/ as Server Address.

Note: If you are using your own domain with Runbox, the correct username format is you@nulldomainyouown.com.

  • Apple Calendar users: Setup should be straight forward after selecting Add Account… > Add CalDAV Account… from the menu.
  • Outlook users: To extend Outlook with CalDAV functionality you can try the Outlook CalDav Synchronizer plugin.
  • Thunderbird users: For Thunderbird Lightning setup instructions, please see this comment.

PS: In case you are wondering what CalDAV stands for it’s Calendar Distributed Authoring and Versioning, and it’s the established standard for storing and accessing calendar information on the Internet.

Tags:

Support Requests & Account Security

May 16th, 2016  |  Published in News

At Runbox we are very pleased to be able to offer personalized support to our customers, and we do this 7 days/week, every week of the year.

If you need to contact Runbox Support, we would advise you to read our help page on Contacting Runbox Support. In particular we would like to draw your attention to the sections regarding how we will use information to identify you as the account holder.

It is very important that we protect your privacy and security of your account, and there are elements of that process that require you to keep account information up to date so that we can ensure we are talking to the correct person.

The most commonly used piece of information we use to identify you when you can’t contact us from your Runbox account is your alternative email address, and it is very important that you keep this up to date. Being unable to verify you as the account holder is very frustrating for customers and also for us as we can’t offer you the support you are expecting.

We realize there are some customers who prefer their Runbox account not be linked to other email accounts or methods of communication, but this does limit the support we can offer in those cases. We will always try to help as best we can, but ultimately we would rather deny access to an account than to provide that access to the wrong person.

If you have any questions about this, please contact Runbox Support  🙂

Tags:

Hardened web server security

March 31st, 2016  |  Published in News, Security  |  5 Comments

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

Tags: ,

TLS Upgraded for Incoming Email

February 12th, 2016  |  Published in News, Security  |  3 Comments

Today we have upgraded the TLS (Transport Layer Security) of our incoming email servers to support version 1.2, which is the most recent. This means that when email is sent to Runbox from other services, the highest level of encryption will be used if the other service supports it.

This also means that all communication between your email program and Runbox now uses TLS 1.2 (if supported by your email program).

 

Tags: ,

Spam filter upgrades and policies

January 24th, 2016  |  Published in News

New Spam Filter Servers

As part of our ongoing fight against spam, Runbox has recently deployed a new cluster of spam filter servers and made a few changes to how we deal with spam.

We now block a lot more spam by rejecting connections from servers that are known to send spam. Most of these connections are from virus infected computers, and it is relatively easy to identify these machines via their IP addresses.

Another change we’ve made is to upgrade SpamAssassin so that it performs more extensive checks of incoming mail.

This is the first among several steps we are taking to clear your Inbox of spam, and we will post more news about this in the near future.

Changes to Bulk Mailing Policy

We’ve also decided to tighten our policies on bulk mailing using Runbox’ outgoing email servers to prevent Runbox from ending up on blacklists used by other email services.

As email use continues to grow and more people around the world are online, so does the amount of email sent for marketing and promotional reasons. Often mailing lists are badly managed and people receive email they no longer want, so they mark them as spam instead of unsubscribing from them.

Meanwhile spam systems are getting smarter, and email providers create statistics from the actions of their customers. If a customer marks a message as spam (whether it is spam or not), this is recorded in a database, and it can result in those domains and server IP addresses being blocked.

Only a very small number of Runbox customers use our services for marketing and promotional messages, but this can still have an adverse affect on all Runbox customers. Therefore we have decided that Runbox can no longer be used for bulk mailing, and we are now changing our Terms of Service to reflect this.

If you are using, or are planning to use, Runbox for bulk mailings, please see our page about Bulk Mailing and contact Runbox Support.

Tags: ,

Thank you for 2015 & status update

December 31st, 2015  |  Published in News  |  9 Comments

We’re about to start a new year and we’d like to take the opportunity to thank you for your business in 2015 and provide a quick status update.

We’ve spent much of the year steadily growing and improving our email services, mainly focusing on our new IMAP services and improving our server infrastructure.

Additionally, we have been developing 2FA support, working on a new spam filter, and implementing calendar services. These projects are now close to completion, and we expect them to be ready for beta testing early in the new year.

We have also had some other events worth mentioning, such as a new front page that sets Runbox apart from the crowd, a DDoS (Distributed Denial of Service) attack from a group that tried to extort USD 5000 from us but who later gave up and apologized, and being mentioned in The New York Times, Forbes, and The Washington Post as a service focusing on security and privacy.

Furthermore, we have improved our Terms of Service and Privacy Policy to better reflect how Runbox protects the privacy of our customers, and we have explained how our email services are powered by 100% certified renewable energy sources.

And, if you haven’t tried the Aero webmail theme yet, you are definitely missing out!

We plan to make next year even better than this one, so stay tuned…

Tags: