Runbox Blog

Recently we have been testing a new component to our spam filtering system. This component is powered by Cloudmark, one of the most popular and powerful spam filter systems available. We would now like to make Cloudmark available to more customers.

How Cloudmark works

Cloudmark is designed to detect known spam better and works as a central authority based on reporting by millions of Cloudmark users. It would help us improve our implementation of Cloudmark to have more Runbox users testing it.

Customers who are testing Cloudmark don’t need to do anything different in the way they use their email. However, we ask testers to report spam (or genuine mail) that is not classified correctly to a special Runbox email address.

No data is shared with a third party when using Cloudmark, as it’s running on Runbox’ own servers. Any reporting done by our customers is currently only going to Runbox itself. When we implement a reporting facility back to Cloudmark in the future it will be implemented as a clearly marked option.

How to start using Cloudmark

If you are interested in having Cloudmark added to your account, or wish to ask questions about it, please let us know at Runbox Support (support@nullrunbox.com).

Today we officially launch our CalDAV calendar service. With CalDAV you can store your calendars on Runbox’ servers using calendar apps on your computer, smart phone or tablet.

CalDAV lets you store your calendar items online and synchronize them across multiple devices. You can create events, recurring events, alarms and also invite other people to add events to their own calendars. Additionally you can create reminders/to-do lists and use those in your favorite notes app.

How to set up CalDAV

To use CalDAV you will need these details:

• Username: Enter your Runbox username. If you use your own domain name, the username format is you@nulldomainyouown.tld.
• Password: Enter your Runbox password.
• Server Address: Enter https://dav.runbox.com/

For details on how to set up your CalDAV program or app, please see the CalDAV help page. And if you have any questions about this service, please contact Runbox Support.

Runbox CalDAV is the first of a new collection of services that will also include CardDAV (contacts) and WebDAV (file storage), so look out for more news in the weeks and months ahead.

In the recent past, some high profile companies have had user account details stolen by criminals. In some cases these details have been made public. Many people use the same usernames and passwords across different services, which means that their other accounts may also be at risk.

Use a Strong Password

Runbox has not had a data breach. However, if you use one of the affected services and have used the same login with Runbox then your Runbox account could also be at risk.

We would suggest you update your Runbox password if you feel it might be necessary. What would have been a strong password a few years ago, might not be strong now. This is because criminals have an increasing ability to try large numbers of known passwords against accounts.

For useful tips about choosing strong passwords we recommend our Account Security help page. It is easier than you might think to create good passwords that are easy to remember.

Two-Factor Authentication

To improve account security further, Runbox will be launching two-factor authentication (2FA) in the near future.

With 2FA turned on you will need to provide both your username, password, and an additional piece of information to access Runbox and your account settings. And if you choose to use IMAP, POP, or SMTP, you will be given strong passwords to use.

In the meantime, if you have any questions about account security, please contact us at Runbox Support.

We’re happy to announce that our new CalDAV service is now in open beta testing.

With CalDAV you can store your calendars on Runbox’ servers using calendar apps on your computer or smart phone. This is the first step towards a full-fledged Runbox Calendar service, as we are planning to develop an integrated web interface as well.

Please remember that this is a beta phase and that the service might be less consistent than our standard services. We therefore recommend that you back up your calendar data before and while testing it.

Setting up Runbox CalDAV

To try Runbox CalDAV in your Calendar client, just set up a new account with your Runbox username and password and https://dav.runbox.com/ as Server Address.

Note: If you are using your own domain with Runbox, the correct username format is you@nulldomainyouown.com.

• Apple Calendar users: Setup should be straight forward after selecting Add Account… > Add CalDAV Account… from the menu.
• Outlook users: To extend Outlook with CalDAV functionality you can try the Outlook CalDav Synchronizer plugin.
• Thunderbird users: For Thunderbird Lightning setup instructions, please see this comment.

PS: In case you are wondering what CalDAV stands for it’s Calendar Distributed Authoring and Versioning, and it’s the established standard for storing and accessing calendar information on the Internet.

At Runbox we are very pleased to be able to offer personalized support to our customers, and we do this 7 days/week, every week of the year.

If you need to contact Runbox Support, we would advise you to read our help page on Contacting Runbox Support. In particular we would like to draw your attention to the sections regarding how we will use information to identify you as the account holder.

It is very important that we protect your privacy and security of your account, and there are elements of that process that require you to keep account information up to date so that we can ensure we are talking to the correct person.

The most commonly used piece of information we use to identify you when you can’t contact us from your Runbox account is your alternative email address, and it is very important that you keep this up to date. Being unable to verify you as the account holder is very frustrating for customers and also for us as we can’t offer you the support you are expecting.

We realize there are some customers who prefer their Runbox account not be linked to other email accounts or methods of communication, but this does limit the support we can offer in those cases. We will always try to help as best we can, but ultimately we would rather deny access to an account than to provide that access to the wrong person.

If you have any questions about this, please contact Runbox Support  🙂

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

Today we have upgraded the TLS (Transport Layer Security) of our incoming email servers to support version 1.2, which is the most recent. This means that when email is sent to Runbox from other services, the highest level of encryption will be used if the other service supports it.

This also means that all communication between your email program and Runbox now uses TLS 1.2 (if supported by your email program).

New Spam Filter Servers

As part of our ongoing fight against spam, Runbox has recently deployed a new cluster of spam filter servers and made a few changes to how we deal with spam.

We now block a lot more spam by rejecting connections from servers that are known to send spam. Most of these connections are from virus infected computers, and it is relatively easy to identify these machines via their IP addresses.

Another change we’ve made is to upgrade SpamAssassin so that it performs more extensive checks of incoming mail.

This is the first among several steps we are taking to clear your Inbox of spam, and we will post more news about this in the near future.

Changes to Bulk Mailing Policy

We’ve also decided to tighten our policies on bulk mailing using Runbox’ outgoing email servers to prevent Runbox from ending up on blacklists used by other email services.

As email use continues to grow and more people around the world are online, so does the amount of email sent for marketing and promotional reasons. Often mailing lists are badly managed and people receive email they no longer want, so they mark them as spam instead of unsubscribing from them.

Meanwhile spam systems are getting smarter, and email providers create statistics from the actions of their customers. If a customer marks a message as spam (whether it is spam or not), this is recorded in a database, and it can result in those domains and server IP addresses being blocked.

Only a very small number of Runbox customers use our services for marketing and promotional messages, but this can still have an adverse affect on all Runbox customers. Therefore we have decided that Runbox can no longer be used for bulk mailing, and we are now changing our Terms of Service to reflect this.

If you are using, or are planning to use, Runbox for bulk mailings, please see our page about Bulk Mailing and contact Runbox Support.

We’re about to start a new year and we’d like to take the opportunity to thank you for your business in 2015 and provide a quick status update.

We’ve spent much of the year steadily growing and improving our email services, mainly focusing on our new IMAP services and improving our server infrastructure.

Additionally, we have been developing 2FA support, working on a new spam filter, and implementing calendar services. These projects are now close to completion, and we expect them to be ready for beta testing early in the new year.

We have also had some other events worth mentioning, such as a new front page that sets Runbox apart from the crowd, a DDoS (Distributed Denial of Service) attack from a group that tried to extort USD 5000 from us but who later gave up and apologized, and being mentioned in The New York Times, Forbes, and The Washington Post as a service focusing on security and privacy.

Furthermore, we have improved our Terms of Service and Privacy Policy to better reflect how Runbox protects the privacy of our customers, and we have explained how our email services are powered by 100% certified renewable energy sources.

And, if you haven’t tried the Aero webmail theme yet, you are definitely missing out!

We plan to make next year even better than this one, so stay tuned…

There are two main ways that people access their Runbox email. The first is our webmail service available on our website, and the other is via some kind of email program that might be on a computer, laptop, smartphone or tablet. If you use an email program, you will be using either our IMAP or POP service to download your incoming mail. IMAP and POP are ways in which email programs communicate with our servers to collect your mail.

We officially launched our new Dovecot IMAP service on mail.runbox.com in August, and we have been pleased with the number of customers who are moving across to this better IMAP service.

However, feedback we’ve received shows that some customers would like more time to make the switch. Therefore we are going to keep the old Courier-based IMAP service running for the time being, and will decide upon on a new retirement date in the future.

Why should I switch to the new IMAP service?

The new IMAP service provides a faster and more reliable way of accessing your mail, and also fixes a number of issues that were reported with some email apps when using the old service.

Because we need to focus increasingly on the new service, starting in January 2016 we will recommend you switch to the new service instead of providing technical support for the old IMAP service. We will of course help you switch to the new service whenever you choose to do so.

NOTE: If you are using POP you don’t need to do anything. If you’re not sure whether you’re using IMAP or POP, please contact Runbox Support.

How do I make the switch?

Setting up your account as a fresh set up usually works best, but if you just wish to change your settings without setting up your account from the start, then we have instructions for our recommended email clients that show you how to do this.

The documentation for our recommended email programs was updated a while ago to show the new server details. If you are using IMAP and keep all of your mail on our servers, you can set up your account again from the start using the details in those instructions.

• Basic Email Client Server Settings
• Instructions for Setting Up Recommended Email Clients (fresh install)
• Instructions for Changing Settings to Use the New IMAP Service

If you have any questions regarding switching to the new IMAP service, please contact Runbox Support.