Is email secure?

I met with an IT friend of mine and we had a discussion about security and email. I have been recommending that everyone uses SSL or TLS to connect to their server when they are reading or writing emails. 

Using SSL or TLS secures your connection to your server and ensures that your login details cannot be compromised by a third party. Email programs that do not use SSL or TLS send the login details in plain text. If these were intercepted by a third party, the password could be read, and a potential spammer could use your SMTP (sending email) server to send out lots of spam messages, or read your mail and access your account.

Once your email has reached your sending server, it may then be handled in plain text across the internet over multiple hops (Mail Relays) to the destination server, because that connection is generally not encrypted.

There are several systems out there, and they all need to play nicely together, but the bottom line is that we should, in the worst case, consider all email to be insecure, even though we may be applying best practices at the send and receive server ends of the system.


Have I been Pwned?

No, that was not a typo. There is a website that has access to data breach information. It is not clear whether it lists all data breaches in the public domain, or a select few of them. The website asks you to enter an email address; it will then check through the information it holds and respond if a match is found.

I tried one of mine and it returned several results indicating that my email address and an associated password to access an online account are in public circulation. It also shows if your email address is in spam lists.

I have seen two sets of results on data breaches. One indicated that your email address exists in a list somewhere that is in circulation (typically a junk mailing list). You cannot do anything about this. The other case tells you the website, and that your email AND a password are in circulation. In the latter case you should be concerned about it if you were previously unaware.


News Round Up for June 2018

GDPR preparation and support have taken up a lot of my time over the past month. If anyone needs help let me know. I have upgraded around 12% of the sites I am looking after, some people have done it themselves. Looking around generally there seems to be a very wide interpretation of what is needed on a site in terms of privacy statements.

What many do not seem to realise is that it is more about your internal processes and getting those in shape to meet the requirements of GDPR and any privacy statement you publish. It is not simply a case of updating and publishing a Privacy Statement, especially if you have not carried out a Privacy Impact Assessment, or documented your processes in alignment with your policy.

There still seems to be a lot of small organisations that have not done anything yet.

Technical Support Enquiries

I have now reached over 200 support tickets raised with the hosting company in a little over a year. There are a few things worth noting. I am not sure whether they are wholly new; the hosting company are getting better and keeping people informed, but there were a few surprises for me over the past 4 weeks.

Some of these are important if you manage the control panel interface, and set up email accounts. If your email is with an external provider they will not be relevant to you.

1). All web interfaces to email boxes now have the ability for the email owner to set or reset their password. Caution though, poor passwords should be discouraged. But it means that once an email account has been set up the user can change their password to one of their own choosing.

2). Out of Office (Responder) is also now available to all users through the web interface for email. Because an out of office responder works from the server, the way to reach it is through https://stackmail.com, or through the control panel. The user interface is very simple. The last thing anyone needs to do before they go on vacation is go into their webmail, locate Settings and look for Responder. Add a subject line, add some content, add a forwarder (or forwarders) to redirect any email that comes in. As soon as it is saved it becomes active within 30 minutes and will remain active until it is turned off. So as soon as anyone returns from their extended absence, they should go back in and turn it off first before they do anything else.

3). All new email accounts are defaulted to send only 50 emails a day for the first week. After the first week they revert to 200/hr. I was unaware of this. The reason is to stop people abusing the system and sending junk mails on new accounts. It is possible to override this. If you need it overridden tell me what the email address is and I will raise a support ticket on it and get the restriction cleared.

Something off the wall

Apart from technology, I have two other passions, one is photography, the other is music. I know that many of you hold fundraising events with bands, so I am offering you a band for your event. Obviously the venue would need to be a reasonable distance away, and none of us are full time musicians, but the offer is there if you are interested. Below is a video sequence with clips from 12 rock numbers the band Over Time debuted at a recent event in my local village.  I am playing bass and as my wife told me inappropriately dressed as an Australian Sheep Farmer, and not a rock musician at all.  Anyway we are open to gigging opportunities if anyone is interested.

Put your cursor over the image below and click on the play button. Do note however if you are in a quiet office it is loud, and it is rock music!

It is also available in full HD if you go to here (15 minutes)

The full 1hr set is also available here if you want to skip through.

Adobe Stock Images

If you have any promotions going on and need some stock images for your website I have a surplus at the moment, so let me know. I can provide a couple for free if you need them.

There are millions to choose from, and they can make the difference between an amateur and professional promotion. Drop me a line if you want one, let me know the reference number for it. You can view the available images by going to here: https://stock.adobe.com/uk/ (opens in a new window). You can put your search terms into the box and it will return related images.

Securing mail from your website to a mailbox

By default a WordPress installation uses a method of sending mail that does not use a mailbox to send the message and does not encrypt the message. Email cannot be confirmed to be end to end secure unless you know the receiving or sending person is using encryption and is set up correctly, but you can encrypt mail in the places where you control email so that it is encrypted from the website to the mailbox. If it is your mailbox, and you know that your mail client is set up correctly with encryption, then you have end to end security. If the website is running over SSL and the address starts with https:// (98% of them are now), then the information a user enters into a form is also encrypted. So the path from the user's browser, through your contact form, from the website to your receiving mailbox is encrypted and cannot be intercepted as plain text.

How do I make the changes

Log into your website and go to Plugins.
Search for WP Mail SMTP, locate it and install it.

Do You Send Newsletters?

New recommendations for Newsletters

Some of you are using MailPoet on your websites to generate newsletters. I have run into a lot of problems sending out my newsletter this month; I have had to send it three times. I checked through my logs and found that a very small number came out last month as well. I have been investigating what has happened. The top two entries in the image below show there is a problem because rather than a 65%+ opening rate, there is a 4% opening rate.


Google Recaptcha v1 Withdrawn

YOU ONLY NEED TO TAKE ACTION IF YOU CHECK YOUR SITE AND SEE A MESSAGE LIKE THE ONE ABOVE. IF YOU DON’T SEE THE MESSAGE YOU ARE UNAFFECTED.

It seems that Google have withdrawn the Google reCAPTCHA Version 1 function that is used on some contact forms, with effect from 31/03/2018. Please check your contact form now and see if this has happened to you. It was withdrawn yesterday. If you have this problem on your site nobody can send you a message, so it is important to resolve it quickly.

Self Help

This is what you need to do:

Log in to the site, go to Forms in the sidebar menu and select it.

This for most people will show a single form or multiple forms. Select a form and open it in the editor and check to see if the bottom most item says New reCAPTCHA.

If you have that on your form, delete it. Then save the form.

Check ALL of the forms on your site if you have more than one. Save each one.

On completion go into your site as a user would, and locate each form and send a message to confirm it is working. Check the form still makes sense as well.

This has removed the Spam Protection mechanism used in this form. So your spam count may go up as a result of making this change.  However your visitors can still send you a message.

This particular form plugin is no longer supported by the author, so we should probably find an alternative form. Check back on this site later for a solution that uses the new or an alternative Google ReCaptcha function.

If you immediately start getting hit by an increase of Spam let me know please.

Nominet Messages

The following is applicable if you have a domain ending in .co.uk, .org.uk or .uk

Nominet are the issuing authority that manage any domain names ending in .uk. In the 7 years I have been working with Charities and not for profit groups, I have needed to contact them twice, once being a difficult case where the registrant of a domain name had passed away. The organisation represented by the domain name needed to regain control. They are very helpful, but have been largely a passive organisation; there when you need them.

I had an instance this week, which was unusual and it raises a lot of questions, none of which have been answered. However I think it is worth raising to your attention because if your domain name is registered against your email address, and they contact you and you fail to respond, or miss the mail, or ignore it, then you risk your website and email being taken offline.

Webmail…..

… is not JUST webmail

I thought I would make some comments here following some conversations I have had recently with people. There may be some misunderstandings.

Multiple 10GB mail boxes

If you are using the mail accounts provided with the hosting, the mail boxes are each 10GB in size. While you can access them through this address: https://stackmail.com you can also access them through ANY device with a mail client (aka mail program).

I personally access my mail account on the following devices:

iPhone, iPad (using the native email application), Macbook using Mac mail, iMac using Mac mail, Windows 7 desktop running Outlook & Thunderbird, Windows 10 laptop running Outlook and on any of those devices I can also use a browser to get to webmail. I also run my accounts as IMAP. This means on each device, I get the same view of my mail including any special folders I have set up. This is because I am viewing mail on the server, and not locally. If I was set up as POP3 on my clients, then the server is only used as temporary storage for mail.

IP Geolocation and why it may be important

I frequently use something called IP Geolocation to find out where a user is located for forms, enquiries, or any log evidence of someone doing something to try to establish if they are who they say they are.

It does not work 100% but I would say it works in 99% of cases. The router or gateway you use that your network/computer is plugged into has an address allocated to it by your service provider (BT, Talk Talk, NTL, etc). For most of us the IP address changes from time to time and is referred to as dynamic. They do this to make sure it is hard to run your own web server from home. If and when you reset your router, when it comes back online it will likely have a new IP address. You can find out what your IP address is by clicking on this link.