Account security and password strength

July 3, 2016 19 Comments

In the recent past, some high profile companies have had user account details stolen by criminals. In some cases these details have been made public. Many people use the same usernames and passwords across different services, which means that their other accounts may also be at risk.

Use a Strong Password

Runbox has not had a data breach. However, if you use one of the affected services and have used the same login with Runbox then your Runbox account could also be at risk.

We would suggest you update your Runbox password if you feel it might be necessary. What would have been a strong password a few years ago, might not be strong now. This is because criminals have an increasing ability to try large numbers of known passwords against accounts.

For useful tips about choosing strong passwords we recommend our Account Security help page. It is easier than you might think to create good passwords that are easy to remember.

Two-Factor Authentication

To improve account security further, Runbox will be launching two-factor authentication (2FA) in the near future.

With 2FA turned on you will need to provide both your username, password, and an additional piece of information to access Runbox and your account settings. And if you choose to use IMAP, POP, or SMTP, you will be given strong passwords to use.

In the meantime, if you have any questions about account security, please contact us at Runbox Support.

Continue Reading →

CalDAV calendar in beta testing

June 8, 2016 20 Comments

We’re happy to announce that our new CalDAV service is now in open beta testing.

With CalDAV you can store your calendars on Runbox’ servers using calendar apps on your computer or smart phone. This is the first step towards a full-fledged Runbox Calendar service, as we are planning to develop an integrated web interface as well.

Please remember that this is a beta phase and that the service might be less consistent than our standard services. We therefore recommend that you back up your calendar data before and while testing it.

Setting up Runbox CalDAV

To try Runbox CalDAV in your Calendar client, just set up a new account with your Runbox username and password and https://dav.runbox.com/ as Server Address.

Note: If you are using your own domain with Runbox, the correct username format is you@nulldomainyouown.com.

  • Apple Calendar users: Setup should be straight forward after selecting Add Account… > Add CalDAV Account… from the menu.
  • Outlook users: To extend Outlook with CalDAV functionality you can try the Outlook CalDav Synchronizer plugin.
  • Thunderbird users: For Thunderbird Lightning setup instructions, please see this comment.

PS: In case you are wondering what CalDAV stands for it’s Calendar Distributed Authoring and Versioning, and it’s the established standard for storing and accessing calendar information on the Internet.

Continue Reading →

Support Requests & Account Security

May 16, 2016 Leave a comment

At Runbox we are very pleased to be able to offer personalized support to our customers, and we do this 7 days/week, every week of the year.

If you need to contact Runbox Support, we would advise you to read our help page on Contacting Runbox Support. In particular we would like to draw your attention to the sections regarding how we will use information to identify you as the account holder.

It is very important that we protect your privacy and security of your account, and there are elements of that process that require you to keep account information up to date so that we can ensure we are talking to the correct person.

The most commonly used piece of information we use to identify you when you can’t contact us from your Runbox account is your alternative email address, and it is very important that you keep this up to date. Being unable to verify you as the account holder is very frustrating for customers and also for us as we can’t offer you the support you are expecting.

We realize there are some customers who prefer their Runbox account not be linked to other email accounts or methods of communication, but this does limit the support we can offer in those cases. We will always try to help as best we can, but ultimately we would rather deny access to an account than to provide that access to the wrong person.

If you have any questions about this, please contact Runbox Support  🙂

Continue Reading →

Hardened web server security

March 31, 2016 5 Comments

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

Continue Reading →

TLS Upgraded for Incoming Email

February 12, 2016 3 Comments

Today we have upgraded the TLS (Transport Layer Security) of our incoming email servers to support version 1.2, which is the most recent. This means that when email is sent to Runbox from other services, the highest level of encryption will be used if the other service supports it.

This also means that all communication between your email program and Runbox now uses TLS 1.2 (if supported by your email program).

 

Continue Reading →

Spam filter upgrades and policies

January 24, 2016 Leave a comment

New Spam Filter Servers

As part of our ongoing fight against spam, Runbox has recently deployed a new cluster of spam filter servers and made a few changes to how we deal with spam.

We now block a lot more spam by rejecting connections from servers that are known to send spam. Most of these connections are from virus infected computers, and it is relatively easy to identify these machines via their IP addresses.

Another change we’ve made is to upgrade SpamAssassin so that it performs more extensive checks of incoming mail.

This is the first among several steps we are taking to clear your Inbox of spam, and we will post more news about this in the near future.

Changes to Bulk Mailing Policy

We’ve also decided to tighten our policies on bulk mailing using Runbox’ outgoing email servers to prevent Runbox from ending up on blacklists used by other email services.

As email use continues to grow and more people around the world are online, so does the amount of email sent for marketing and promotional reasons. Often mailing lists are badly managed and people receive email they no longer want, so they mark them as spam instead of unsubscribing from them.

Meanwhile spam systems are getting smarter, and email providers create statistics from the actions of their customers. If a customer marks a message as spam (whether it is spam or not), this is recorded in a database, and it can result in those domains and server IP addresses being blocked.

Only a very small number of Runbox customers use our services for marketing and promotional messages, but this can still have an adverse affect on all Runbox customers. Therefore we have decided that Runbox can no longer be used for bulk mailing, and we are now changing our Terms of Service to reflect this.

If you are using, or are planning to use, Runbox for bulk mailings, please see our page about Bulk Mailing and contact Runbox Support.

Continue Reading →

Thank you for 2015 & status update

December 31, 2015 9 Comments

We’re about to start a new year and we’d like to take the opportunity to thank you for your business in 2015 and provide a quick status update.

We’ve spent much of the year steadily growing and improving our email services, mainly focusing on our new IMAP services and improving our server infrastructure.

Additionally, we have been developing 2FA support, working on a new spam filter, and implementing calendar services. These projects are now close to completion, and we expect them to be ready for beta testing early in the new year.

We have also had some other events worth mentioning, such as a new front page that sets Runbox apart from the crowd, a DDoS (Distributed Denial of Service) attack from a group that tried to extort USD 5000 from us but who later gave up and apologized, and being mentioned in The New York Times, Forbes, and The Washington Post as a service focusing on security and privacy.

Furthermore, we have improved our Terms of Service and Privacy Policy to better reflect how Runbox protects the privacy of our customers, and we have explained how our email services are powered by 100% certified renewable energy sources.

And, if you haven’t tried the Aero webmail theme yet, you are definitely missing out!

We plan to make next year even better than this one, so stay tuned…

Continue Reading →

New IMAP Service Migration

November 27, 2015 1 Comment

There are two main ways that people access their Runbox email. The first is our webmail service available on our website, and the other is via some kind of email program that might be on a computer, laptop, smartphone or tablet. If you use an email program, you will be using either our IMAP or POP service to download your incoming mail. IMAP and POP are ways in which email programs communicate with our servers to collect your mail.

We officially launched our new Dovecot IMAP service on mail.runbox.com in August, and we have been pleased with the number of customers who are moving across to this better IMAP service.

However, feedback we’ve received shows that some customers would like more time to make the switch. Therefore we are going to keep the old Courier-based IMAP service running for the time being, and will decide upon on a new retirement date in the future.

Why should I switch to the new IMAP service?

The new IMAP service provides a faster and more reliable way of accessing your mail, and also fixes a number of issues that were reported with some email apps when using the old service.

Because we need to focus increasingly on the new service, starting in January 2016 we will recommend you switch to the new service instead of providing technical support for the old IMAP service. We will of course help you switch to the new service whenever you choose to do so.

NOTE: If you are using POP you don’t need to do anything. If you’re not sure whether you’re using IMAP or POP, please contact Runbox Support.

How do I make the switch?

Setting up your account as a fresh set up usually works best, but if you just wish to change your settings without setting up your account from the start, then we have instructions for our recommended email clients that show you how to do this.

The documentation for our recommended email programs was updated a while ago to show the new server details. If you are using IMAP and keep all of your mail on our servers, you can set up your account again from the start using the details in those instructions.

If you have any questions regarding switching to the new IMAP service, please contact Runbox Support.

Continue Reading →

DDoS Attacks – Summary of Events

November 10, 2015 16 Comments

Between November 4-6, Runbox experienced powerful DDoS attacks by a group calling themselves “Armada Collective”. Other security oriented email services such as ProtonMail, Hushmail, and Neomailbox were also attacked, as recently reported by Forbes.

The initial threats and attacks that attempted to extort money were withdrawn by the attackers on Saturday morning, when they offered an apology.

During the attacks we were focused on coordinating with our partners, putting in place countermeasures, and providing our customers with necessary information. Since the situation was unclear and evolved quickly, we decided to not publish any details that could inform the attackers in any way.

The situation is now under control and we are publishing this summary of the events as it may help shed light on what transpired against both Runbox and the other services that were attacked.

(more…)

Continue Reading →