Category: Email Security

  • Thunderbird Mail Connection to Server Timed Out

    Using Thunderbird Mail and getting the “Connection to Server Timed Out” message.

    In this instance, the server was changed and although it was meant to be identical to the old server, Thunderbird had trouble connecting.

    The user's account on a cPanel server was migrated to a new cPanel server and everything was OK, including access to webmail, but the Mozilla Thunderbird client was getting this “Connection to Server Timed Out” message.

    The resolution was in the Thunderbird settings for the account.

    Right-click the Mail account in Thunderbird and select Settings.

    On the Settings screen select Edit SMTP server.

    Check that the port is 465 (Secure SMTP) and select SSL/TLS for the Connection Security.

    The assumption here is that your Server name and Username/email address are correct.

    Then select OK.

    Next, set up the Incoming email. While still in the Account Settings panel select Server Settings.

    Check and set the Port to 993 for a secure IMAP connection and the Connection Security field to SSL/TLS.

    The new settings are automatically saved; there is no ‘Save’ button to push.

    Finally test the connection by asking to Subscribe and confirm that you have all the folders available from the server.

    If all is good you should have a list of subscribed folders appear pretty much instantly.

    In this instance the Server settings were using STARTTLS and insecure port numbers, which is where the connection to the new server was failing.

    I do not mention POP settings as we use IMAP exclusively. This ensures that all email history that might be needed by the client is available to any device or via webmail.

  • Creating SPF Records for your Domain

    The creation of a Sender Policy Framework (SPF) Record is something that is managed by the person or team that manages your Domain Name Service.

    The creation of an SPF record is a relatively simple process.

    Generally a domain name is hosted by a service provider like WrenMaxwell and it will be accessed via a control panel or interface that allows for the creation, editing or deletion of domain records.

    An SPF record is simply a text or TXT record within the domain. This is an example of a basic SPF record.

    Example SPF record

    In this example the domain is wrenmaxwell.com.au (note the trailing full stop in the record as the termination of the domain).

    The TTL or Time To Live provides the duration in seconds before this record should be checked again.

    IN TXT is the record type (cPanel / WHM management always shows the IN while other interfaces may not).

    The record content is enclosed in quote marks (for cPanel / WHM this is standard; other interfaces may hide the quotes or add the quotes in the background).

    What is in the SPF Record?

    The example includes 3 settings:

    v=spf1 is the version of SPF that is being used. Currently there is only SPF version 1, so spf1 is standard.

    +a says to accept the A record for the domain while +mx says accept the MX record for the domain.

    -all says to fail All Other servers sending email using this domain name.

    SPF Record Syntax

    After the version instruction the rest of the record consists of mechanisms and qualifiers.

    When an SPF record is queried, the receiving server checks the IP address of the sending server against the SPF record for the sending domain. If a mechanism matches the IP address then the qualifier for that mechanism is used to determine what action should be taken in relation to the specific email that is being processed.

    Mechanisms are always processed from left to right with each mechanism tested until a match is found. Once a match is found the query is stopped and the qualifier used to return the action or response to the receiving server.

    SPF Record Qualifiers

    The qualifiers are the symbols:

    Qualifier  Recommendation  Comment
    “-”        Fail            Fail tells the receiving server that the sending server is not allowed to send for this domain
    “+”        Pass            Pass tells the receiving server that the sending server is allowed to send for this domain
    “~”        SoftFail        SoftFail tells the receiving server that the sending server may be accepted but is not yet specified
    “?”        Neutral         Neutral tells the receiving server that nothing is specified about this server
    Table of SPF Qualifier symbols

    There are a few other results that come from the evaluation of an SPF record but the above cover the main ones.

    SPF Record Mechanisms

    There are a number of mechanisms that are more commonly used and some that are not.

    Mechanism  Explanation
    A or a     All the A records for the domain are tested. If the client IP is found among them, this mechanism matches.
    MX or mx   All the MX records for the domain are tested. If the client IP is found among them, this mechanism matches.
    IP4        Check a specific host IP address of IP version 4
    IP6        Check a specific host IP address of IP version 6
    include    include:{some.other.domain} checks the SPF record of the hosting or remote domain
    all        Refers to any other server (all other servers); this mechanism will always match
    Table of SPF Mechanisms

    MX stands for Mail eXchanger, meaning a server or host that will manage email for the domain.

    IP4 and IP6 refer to the type of IP address that is in use. A common error is to see IPv4 or IPv6 where the editor of the SPF record has inadvertently included the ‘v’ for version of the IP address, which is a common format in other forms of documentation of IP addresses but is invalid for SPF records.

    The include mechanism caters for larger configurations where there may be clustered servers or regular changes to mail server hosts, and the service provider, like Google Gmail or Microsoft Mail, can manage their servers within a domain structure that is linked from the client (your) domain SPF record.

    The all mechanism should always be the last entry in an SPF record so that any other mechanisms are evaluated before this ‘catch-all’ mechanism is checked.

    For a full list of all SPF Mechanisms and other parameters refer to the openspf.org page on SPF Record Syntax.

    SPF Record Qualifiers and Mechanism Examples

    Using the wrenmaxwell.com.au SPF record as an example:

    SPF Record Example Settings

    The version instruction, v=spf1, is standard.

    The +a says check the A records for the domain “wrenmaxwell.com.au” and if the assigned host ip address matches then ‘+’ accept it.

    The +mx says check the MX records for the domain “wrenmaxwell.com.au” and if the assigned host IP address matches then ‘+’ accept it.

    The -all says if the sending server is any other server then “-” fail the server and do not accept the email message as it is not an authorised server.
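    As an added example (not part of the original post), here is a small Python evaluator that walks a record left to right exactly as the Syntax and Qualifier sections above describe, stopping at the first matching mechanism and returning its qualifier. DNS lookups are replaced by a constructed in-memory table (the addresses and the example.net / broken.example records are invented for the demo), and a lint function flags the two mistakes the post calls out: ‘ipv4’ instead of ‘ip4’, and an ‘all’ that is not the last mechanism.

```python
import ipaddress

# Constructed stand-in for DNS. Addresses and the example.net / broken.example
# records are invented for this demo; only the wrenmaxwell.com.au record text
# ("v=spf1 +a +mx -all") comes from the post.
DNS = {
    "wrenmaxwell.com.au": {
        "TXT": ["v=spf1 +a +mx -all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.wrenmaxwell.com.au"],
    },
    "mail.wrenmaxwell.com.au": {"A": ["203.0.113.20"]},
    "example.net": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 include:wrenmaxwell.com.au ~all"],
    },
    "broken.example": {"TXT": ["v=spf1 ipv4:198.51.100.1 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """The single TXT record starting with v=spf1, or None if absent/ambiguous."""
    recs = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def ip_in(client, hosts):
    return any(client == ipaddress.ip_address(h) for h in hosts)


def check_host(ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Mechanisms are tested left to right; the first match decides the result via
    its qualifier (default '+'). An unknown mechanism (e.g. 'ipv4') is a permerror.
    Simplification: an include matches only when the included record returns pass.
    """
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the v=spf1 version instruction
        qual = "+"
        if term[:1] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name, target = name.lower(), arg or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip_in(client, lookup(target, "A"))
        elif name == "mx":
            matched = any(ip_in(client, lookup(mx, "A")) for mx in lookup(target, "MX"))
        elif name in ("ip4", "ip6"):
            try:
                matched = client in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no 'all' present


def lint(record):
    """Flag the two record-writing mistakes described in the post."""
    problems = []
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        problems.append("missing v=spf1 version instruction")
    mechs = [t.lstrip("+-~?").partition(":")[0].lower() for t in terms[1:]]
    for m in mechs:
        if m in ("ipv4", "ipv6"):
            problems.append(f"'{m}' is not valid, use '{m.replace('v', '')}'")
    if "all" in mechs and mechs[-1] != "all":
        problems.append("'all' should be the last mechanism")
    return problems


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "wrenmaxwell.com.au"), ("192.0.2.1", "wrenmaxwell.com.au"),
                    ("203.0.113.20", "example.net"), ("192.0.2.1", "broken.example")]:
        print(f"{ip:>14} for {dom:<20} -> {check_host(ip, dom)}")
    print(lint("v=spf1 ipv4:198.51.100.1 -all +mx"))
```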

    SPF References

    Configuring Microsoft Office 365 SPF Records https://technet.microsoft.com/en-au/library/dn789058(v=exchg.150).aspx

    Scott Kitterman’s site at https://www.kitterman.com/spf/validate.html is a very useful set of tools.

    Summary

    Configuring a basic SPF record is not difficult if you are comfortable with managing your own DNS. If your email configuration is more complex than a single server or source of email, then there are many options that may be required to have a fully working SPF configuration. WrenMaxwell has been managing DNS systems for over 20 years and can assist you with your DNS support. Contact us any time for a free consultation.

    This post was first published in our HelpDesk Knowledgebase at https://help.wrenmaxwell.com.au/index.php?/Knowledgebase/Article/View/27/0/Creating-SPF-Records-for-your-Domain on 26th July 2016. The information is still valid with this update 12th July 2022.

  • Updating Logins with Microsoft Authenticator

    Over the last week I have had a number of issues with authentication, and particularly with ensuring that we have all our clients using MFA for Microsoft, which led to the title of this post, “Updating Logins with Microsoft Authenticator”.

    Standard Microsoft Login Screen prompt.

    In my role as a client-facing systems administrator I have a lot of Microsoft accounts for various testing scenarios and administration functions. Using Microsoft Authenticator on my mobile as a primary 2-factor/multi-factor (2FA or MFA) tool is an obvious solution.

    During a session of checking documentation and validating account access I had a need to update a number of logins. As a result of logging into Microsoft around 20 times I have found that the quickest and easiest method to check or update any of the account information is with this link https://mysignins.microsoft.com/.

    Standard Microsoft Password screen prompt.

    What happens with that link? First up, it redirects to a https://login.microsoftonline.com/ OAuth2 URL and prompts for your login email or phone number.

    Enter an email address and select Next.

    Then enter your existing strong (long) passphrase. Yes, passphrase rather than password. I wrote a post on that topic many years ago and have updated it recently.

    After selecting Sign In the MFA login screen is shown, assuming you already had MFA configured. In my case I was unable to access some of these accounts via Authenticator due to swapping phones and having another phone break-down in the last 6 months, but I digress.

    Selecting either the Authenticator or, in this case, the alternative method “Can’t use authenticator now” provides a second confirmation of my identity.

    Using an alternative method assumes that you had originally configured other options like an email address or a phone number that can receive text messages.

    The “Don’t ask again for 180 days” option is not guaranteed. I have not confirmed it, but I am sure it is just a cookie in the browser and if you use different browsers for various tasks then the 180 days only applies on that computer or device and only for that web browser. Use another device or another web browser and you will be prompted again, potentially just 5 minutes later!

    So now that we are logged in, we are automatically re-routed back to the URL we started with, https://mysignins.microsoft.com, which looks like this with multiple panels and options.

    Microsoft https://mysignins.microsoft.com overview screenshot

    I’ll leave most of the options for another post as the one I needed to use today was the Security Info section.

    Microsoft https://mysignins.microsoft.com security info screenshot

    From here the process is fairly straightforward. Select + Add sign-in method, then add a new phone, Authenticator App, or email address for multi-factor authentication. Select the Default sign-in method, which I have set as Microsoft Authenticator. It's generally quick and simple, while an email takes a bit longer and requires copy/paste of a code or similar.

    Removal of an old authentication method, like my now-dead iPhone 4, is as simple as hitting the Delete option.

    Another useful screen is the Organizations panel which helps when you have more than one organization that you deal with.

    Microsoft https://mysignins.microsoft.com organisations screenshot

    The only obvious thought here is that the Home organisation may change for some people, and I am not sure what happens if you leave an organisation but have it as your Home. I will look at that another day.

  • Delete and Add Back iPhone Mail Exchange Account

    A pictorial guide on how to Delete and Add Back an iPhone Mail Exchange Account.

    Why? Because you may stop being able to access your email. If your iPhone, on an iOS later than v14, is still using an Exchange account with Exchange ActiveSync (EAS) as the authentication method, then losing access is possible now and probable in October 2022 due to changes with authentication. Modern Authentication is going to be required. If your account on your iPhone was created ages ago and your iOS is being kept up to date, it is not automatically revising the authentication method. That will only happen with the deletion and add back (recreation) process.

    It is an easy process and with all the Office365 / Outlook data stored in the Microsoft servers, there should be no data loss, unless you have something outside the box configured on your phone.

    Note that this only applies to the Apple Mail client on the iPhone. If you are using Outlook on the iPhone, then this solution is not for you.

    Start in the iPhone Settings screen: Mail -> Accounts.

    Apple iPhone Add Delete Exchange Account Screenshot 1

    Then select the account that uses EAS.

    Apple iPhone Add Delete Exchange Account Screenshot 2

    Then delete that account.

    Apple iPhone Add Delete Exchange Account Screenshot 3

    Now start a fresh Add Account selection.

    Apple iPhone Add Delete Exchange Account Screenshot 4

    Select the Exchange account type.

    Apple iPhone Add Delete Exchange Account Screenshot 5

    Enter your email account details and update the ‘Exchange’ description to something more meaningful.

    Apple iPhone Add Delete Exchange Account Screenshot 6

    Select Next and then the Sign-In option to access the account.

    Apple iPhone Add Delete Exchange Account Screenshot 7

    Select the options to Sync from Microsoft Office and select Save.

    Apple iPhone Add Delete Exchange Account Screenshot 8

    The account should now display in your accounts list.

    Apple iPhone Add Delete Exchange Account Screenshot 9

    Finally check your email and allow it some time to sync if you have a lot of mail.

    Apple iPhone Add Delete Exchange Account Screenshot 10

    This should not take any more than 5 minutes to complete, even allowing for a slow internet connection. The end result will be that you are on Modern Authentication for Microsoft using the Apple Mail client on an iPhone with iOS 12 or later, and preferably iOS 15+.

  • ClamAV Archive.Test.Agent2-9953724-0 False Positive

    Like many others we rely on multiple AntiVirus tools and one of them is the ubiquitous ClamAV on our Linux hosting servers. Earlier today we started being hammered with ClamAV notices of viruses being identified. Some research later and we are confident the ClamAV Archive.Test.Agent2-9953724-0 is a False Positive.

    (quarantined to /home/quarantine/cxsuser/client-account/backup_2022-06-25-0330_Clientaccount_f4f78444ae93-themes.zip.1656132445_1) ClamAV detected virus = [Archive.Test.Agent2-9953724-0]

    Various internet sources confirmed that ClamAV had indeed released an updated signature file which included a ‘Test’ signature, namely ‘Archive.Test.Agent2-9953724-0’. A subsequent update, released within 24 hours, addressed the false positive and, hopefully, prevents any future signature file from containing Test signatures.

    # /usr/local/cpanel/3rdparty/bin/freshclam
    
    ClamAV update process started at Sat Jun 25 15:09:55 2022
    daily database available for update (local version: 26582, remote version: 26583)
    Current database is 1 version behind.
    Downloading database patch # 26583...
    Testing database: '/usr/local/cpanel/3rdparty/share/clamav/tmp.73d24b3a72/clamav-52f6105711bb0d74294d4d1c535e77c0.tmp-daily.cld' ...
    Database test passed.
    daily.cld updated (version: 26583, sigs: 1987677, f-level: 90, builder: cmarczewski)
    main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
    bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

  • Should I publish an email address on my website?

    “Should I publish an email address on my website?”

    NO! Never, Never, Never, Ever publish an email address.

    Spam email is a constant issue for anyone managing email.

    Any action that reduces the chances of spam or scam email getting to your account is a good thing.

    Spam Email

    To address the question we need to understand what spam email represents. It is about the impact it can have on you and your business.

    Spam mail in this context includes all the Unsolicited and Untrusted email that exists on a daily basis.

    Types of spam email include those selling the latest sex, diet, or hair growth/removal treatments (these used to be called ‘snake-oil’), along with the more dangerous malware, ransomware, and virus-laden emails.

    All of these are a risk to your email and your time at a minimum. Accidentally clicking a scam email can be extremely costly.

    “..in 2021… …average total cost of recovery from a ransomware attack… ..increased to $2,340,000 per incident.”

    https://australiancybersecuritymagazine.com.au/average-ransomware-recovery-cost-in-apj-increases-from-us1-16-million-to-us2-34-million/

    If those ‘big numbers’ are too big and you think you are too small or not worth targeting, you are wrong.

    Scamming and phishing emails are looking for your identity and your banking or credit card details. Even smaller amounts, in the hundreds or a few thousand dollars, are their target, along with the ability to get your identity and take out a large loan in your name.

    Even for smaller businesses or personal accounts the risk exists. Imagine losing all your data on your computer. Imagine your identity being stolen. There are potential risks in every email you receive, even from senders that you recognise.

    Spam accounts for 14.5 billion messages globally per day.

    https://www.spamlaws.com/spam-stats.html

    Spam email is a risk to you and your business. It consumes a mountain of resources in dealing with it.

    “Publish My Email Address, it is Important”

    It is a fallacy to say “It's important that this email address is highly visible as this is how customers will contact us”. Use a contact form.

    Customers that are using the website will use whatever means provided to contact the business. Provide them with a contact form and they will use that method.

    Is there a method for the email address to be visible only to humans? No. Scammers use scripts that read the code of a webpage and not what a human viewer reads.

    Using example [at] your-business [dot] domain is often suggested as an option for a human to read and mentally convert the [at] and [dot], but the email harvesting scripts include code to recognise these options and convert them to a usable email address.

    Other methods include time-consuming JavaScript coding, making JPG images, or other coding solutions.

    Do not waste the time and effort doing that. A contact form removes the need completely.

    Use a Contact Form

    A contact form is quicker, easier, safer.

    There are lots and lots of scripts, templates, and tools to create and manage Contact Forms.

    WrenMaxwell provides WordPress website hosting and utilises WordPress Contact Form Plugins.

    Your designer can add a simple Contact Us page in minutes and replace any email address with a simple ‘Click to Contact Us’ link to that new page and its contact form.

    In terms of designer time and cost, it should be minimal and part of their standard process.

    For analytics of your customer contact through your website a Contact Form provides a tracking process that does not exist if using just a published email address. This is a topic relating to CRM and how to analyse the success of your website.

    Conclusion

    “Should I publish an email address on my website?”

    Never publish an email address. Always use a Contact Form plugin or script.

    A Contact Form, along with additional website security and server-based security measures will reduce the amount of spam or scam emails that get to your inbox.

    Need help with your WordPress website?

    WrenMaxwell provides WordPress support and secure hosting.

  • Webmail vs Email Client Security

    There is a big difference between Webmail and Email Client Security.

    The underlying issue is that if you have an email account with an email service provider you probably have a webmail interface available even if you do not use it. Even on-premise private servers can provide a webmail service.

    Meanwhile, many, many email users have a desktop or device based email client or software that they use to connect to the email account, and they ignore the webmail interface.

    The problem is that if the webmail access is compromised a scammer can do a lot of stuff there that will not appear in the desktop email software. Essentially, it is a back-door to your email account.

    Do Not Ignore Webmail

    If you are getting some weird emails or missing emails you should be getting it may be that your

    Webmail Account has been hacked!

    A big scary headline, but it is more frequent than you might think or hope.

    This article stems from a recent examination of a series of scam / phishing emails that were sent to a WrenMaxwell client.

    The emails appeared to be correct, from the right people, and containing a lot of legitimate information, except that they asked for the recipient to update the bank account details for the payment.

    Here is some information which applies to all emails you receive, and while the specifics relate to Bigpond email account holders, this could equally apply to any webmail based server, as the process is very similar on all webmail.

    Some rules to consider are included as well, here is the first one.

    Rule #1. Never accept a request to change the bank account details for your outbound payments unless you have verified it in person or on a call with the business or individual concerned. For good measure do not use phone numbers that are provided in the same email, they are probably altered as well.

    Ok, so the background on this is that the client received an email from another client of WrenMaxwell and between them had a phone call to confirm the bank account change. This was very fortunate as the email had been compromised.

    I’d note here that if you receive an email asking for you to change to an AMP bank account, it should be an automatic alarm for you. These emails included 2 different AMP bank accounts. I have tried to report them to AMP, but frankly, they are not interested in knowing that their accounts are being used for scamming. But I digress.

    Overview of a Webmail Scam

    Let's get back on track. What's the technical summary?

    1. Bigpond accounts are compromised for access via webmail, i.e. the password is identified through a brute force attack, most likely using a dictionary of passwords. There is history that lends itself to this. Yes, 3 Bigpond accounts were involved in this specific case, and I will assume a lot more are also hacked or at risk of being so.
    2. Each account has the feature to create folders to store email. Adding a folder in webmail will not necessarily display the folder in the desktop mail client. This means it will effectively be a hidden folder for the scammer to use.
    3. As well, each account has a setting option under Settings->Mail->Organise Inbox to allow for server-based rules to be configured. The hacked accounts all have rules added by the scammer to divert any inbound email with the words ‘invoice’ or ‘statement’ from the inbox to the folder created in the previous step. The end user of the account is generally oblivious to this activity as their client software, like Outlook on the desktop, does not see the rules, and may not show the folder. So the user does not know.
    4. The scammer reviews inbound email until they find an invoice or statement email from a legit sender, like a supplier or someone the user is ordering from. The scammer copies the email information in its entirety, loads it up in another hacked account, modifies the content so that the sender name is spoofed to look like the legit sender, and changes the content to add the ‘Please update our bank account details to BNO Bank xxxxx-1234565’ etc.
    5. If the user is not suspicious, they will add the new bank account details for payment of the expected invoice and send the money. Final step, the scammer drains the illicit account in some way, moving the money so that it cannot be reclaimed. Job done.

    Understanding a Webmail Scam Step by Step

    Ok, so there are a number of steps, but there is nothing really complex here. Let's look at each of the steps in turn.

    Step 1. Webmail Password Compromise

    Bigpond email is of course part of Telstra, Australia’s largest communications service provider. Love ’em or hate ’em, that’s a fact. The issue is that they have been around for a long-long time and if you look back in time, there are millions of email accounts that have been registered with them.

    How many are still current, I do not know, but I’ll use the highly technical measure of umpteen. Now with all those accounts, there will be many that have very weak passwords. This is a literal gold-mine for scammers. If they can, with various techniques, attack enough accounts, for long enough they will gain access.

    Bigpond webmail settings option

    An added bonus for the scammer is that for many years the Bigpond account passwords were restricted to a maximum of 8 characters and only alpha-numerics, no symbols. This makes for very weak passwords.

    On top of that, many users have done ‘set and forget’ with the account, on the basis that as long as Outlook, or their preferred email software, connects then it's all good.

    There are also many Bigpond email accounts that exist because an account is included and created for every customer with a Bigpond modem or internet connection. However many of these accounts are never used as the customer has a work or other email service that does not rely on Bigpond. These accounts are the ones that will never be checked and can be used by scammers for years undetected.

    Rule #2. Change your password, regularly. Use a Passphrase and not just a password. You will need to update the password in Outlook or on your phone / device after making the change in webmail.

    The use of multiple accounts that have been compromised, helps to hide the source of the compromise. I think it might also help using a Bigpond account to send the scammy email to another Bigpond account as any external email filter is bypassed. Not sure on that one, just guessing.

    Step 2. Are You Missing Emails You Should Receive?

    With the account password compromised, the scammer can now access the account and create a folder or folder-structure to manage incoming emails for their needs.

    They can add a folder in the webmail Folders section. In this instance, the scammer created a ‘Stored Items’ as a folder and ‘Creative’ as a sub-folder, confident that the user would not notice it.

    The Creative folder looks so innocent!

    The goal for the scammer is to redirect emails from the inbox to these obscured folders so that they can review and learn about the emails the user would normally receive. With the account readily accessible they can check in at any time to see what emails have been received, what's in ‘their’ folder, and what looks good for scam material.

    Rule #3. Regularly review your email folders and subscribe to all IMAP folders so that you can see what is on the server and not just the folders on your device.
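    As an added example (not from the post), here is a Python check for Rules #3 and #4 that compares what the server reports with what the client shows: it parses IMAP LIST and LSUB responses and reports folders that are not in the owner's own baseline, and folders that exist on the server but are not subscribed, which is exactly how a ‘Stored Items/Creative’ folder stays out of sight. The responses below are constructed for the demo; the audit_live function (not run here) applies the same checks to a real mailbox over IMAPS on port 993 using only the standard imaplib calls.

```python
import re

# Constructed IMAP responses, as a server would answer LIST "" "*" and LSUB "" "*";
# not captured from a real account. The 'Stored Items/Creative' folder mirrors
# the hidden folder described in the post.
LIST_RESPONSE = [
    r'(\HasNoChildren) "/" "INBOX"',
    r'(\HasNoChildren) "/" "Sent"',
    r'(\HasNoChildren) "/" "Drafts"',
    r'(\HasNoChildren) "/" "Trash"',
    r'(\HasChildren) "/" "Stored Items"',
    r'(\HasNoChildren) "/" "Stored Items/Creative"',
]
LSUB_RESPONSE = LIST_RESPONSE[:4]   # only the four folders the client subscribed to

# Baseline: the folders the account owner knows they created.
KNOWN_FOLDERS = {"INBOX", "Sent", "Drafts", "Trash"}

# One LIST/LSUB line: (flags) "delimiter" name   (name may be quoted or bare)
LIST_RE = re.compile(
    r'^\((?P<flags>[^)]*)\)\s+(?P<delim>"."|NIL)\s+(?P<name>"(?:[^"\\]|\\.)*"|\S+)$'
)


def parse_list_line(line):
    """Parse a single LIST/LSUB response line into its flags and folder name."""
    m = LIST_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised LIST response: {line!r}")
    name = m.group("name")
    if name.startswith('"'):            # unquote and unescape \" and \\
        name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return {"flags": m.group("flags").split(), "name": name}


def folder_names(lines):
    return [parse_list_line(l)["name"] for l in lines]


def unexpected_folders(list_lines, known):
    """Folders on the server that are not in the owner's baseline (Rule #4)."""
    return [n for n in folder_names(list_lines) if n not in known]


def hidden_folders(list_lines, lsub_lines):
    """Folders that exist on the server but are not subscribed, so a client that
    shows only subscribed folders never displays them (Rule #3)."""
    subscribed = set(folder_names(lsub_lines))
    return [n for n in folder_names(list_lines) if n not in subscribed]


def audit_live(host, user, password, known):
    """Run the same two checks against a real mailbox over IMAPS (port 993).
    Not executed in this demo; host/user/password are whatever you use in webmail."""
    import imaplib
    with imaplib.IMAP4_SSL(host, 993) as conn:
        conn.login(user, password)
        _, listed = conn.list()
        _, subscribed = conn.lsub()
    listed = [l.decode() for l in listed if isinstance(l, bytes)]
    subscribed = [l.decode() for l in subscribed if isinstance(l, bytes)]
    return unexpected_folders(listed, known), hidden_folders(listed, subscribed)


if __name__ == "__main__":
    print("not in baseline:", unexpected_folders(LIST_RESPONSE, KNOWN_FOLDERS))
    print("not subscribed: ", hidden_folders(LIST_RESPONSE, LSUB_RESPONSE))
```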

    Step 3. Email Rules On the Server

    Server-based rules are only visible if the user logs into the webmail account. They do not appear in desktop or device email software, and the affected emails are processed on the server before they can be processed by the desktop or device software.

    Using the “Organise Inbox” option to set up rules to manage the email that may provide the scammer with relevant information is also too easy. Bigpond call it “Organise Inbox” while others may refer to “Mail Rules” or similar.

    Bigpond Email Rules Panel
    This is a Bigpond Email Rules Panel with a few un-named rules. Each tick mark is another rule.

    Using a desktop client like Outlook means that webmail is rarely used, so the scammer has it all to themselves. Even if the user does drop by and have a look, the scammer does not give the rules names, so they just show as a blank list and may well be ignored.

    Selecting any of the rows with a tick symbol and selecting Edit will show the content of the Inbox Rule. Which will look something like this with no name, but Active ticked. If the Subject line of an incoming email contains the letters ‘Inv’ then the email will be caught and stored in the ‘My Folders -> Stored Items – Creative’ folder.

    You should also check Email Forwarders or Mail Forwarding options as these can be configured to automatically send copies of your legitimate email to a scammer so they can identify other potential attack points.

    Rule #4. Regularly login to your Webmail and review all the settings. Look for folders you did not create and automation rules that could be signs of scamming activity.

    Step 4. Webmail Access by Scammer

    The scammer can then drop by any time to check what incoming emails have been caught and potentially exploit the factual content to create a new email which they send from another hacked account to the user with the request for new bank account details wrapped in content that is otherwise accurate.

    These emails look legitimate because they are based on a legitimate email with all the same information with some minor exceptions:

    • The email sender address shows as the legitimate sender's address but it's actually from another account
    • The phone numbers may be changed to redirect your calls to the scammer
    • The links in the email may redirect your web browser to a scamming website which looks correct but is not
    • Requests to change the bank account might be added to the email content

    At this point you could receive a compromised email and could be sending money to the wrong bank account. Refer to Rule #1.

    Step 5. Scamming or Phishing Emails

    Hopefully Step 5 never occurs as you are monitoring what goes on.

    But just some quick pointers on spotting scammy emails. These are general ideas and not specific to the instance above which was all about social engineering with ‘change the bank account’.

    With most systems you can use the right-click on your mouse to ‘inspect’ website links and email links to view the hidden actual address behind the text. If the right-click information is different to the text presented in the email, it is most likely a scam.

    When checking website links always look for the first ‘/’ character after the https:// bit and read backwards from there to check for the actual server host and domain name. e.g. https://www.wrenmaxwell.com.au/ is the domain for WrenMaxwell, ‘wrenmaxwell.com.au’, while the host or server name is ‘www’. What some scammers will try to do may look like this:

    https://unrelated.website.com/www.wrenmaxwell.com.au/faked-website/address

    Which kind of looks ok, except that everything to the right of the first ‘/’ is faked and managed on the scammer's server at https://unrelated.website.com/. Be wary of hotlinks in emails. A website link like the above says that the owner of https://unrelated.website.com has had their site compromised with a phishing site. Stay away.
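    The two checks described above, the right-click comparison of visible text against the real target and the ‘read back from the first slash’ host check, as an added Python example that is not part of the original post. The trusted domain name and the link texts are assumptions for the demo; the fake URL is the one from the post.

```python
from urllib.parse import urlsplit


def link_host(url):
    """The real host of a link: the text between '://' and the first '/'.
    urlsplit().hostname also strips any 'user@' prefix and port, so a link
    written as https://trusted.example@attacker.example/ reports attacker.example."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def belongs_to(host, domain):
    """True when host is the domain itself or a host inside it
    (www.wrenmaxwell.com.au is inside wrenmaxwell.com.au, but
    wrenmaxwell.com.au.evil.example is not)."""
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def check_link(display_text, href, trusted_domain):
    """Return ('ok' | 'suspicious', reason) for a link as it appears in an email.

    First check: if the visible text is itself a URL, its host must equal the
    real target's host. Second check: the real host must sit within the domain
    you expect the sender to use."""
    target = link_host(href)
    if target is None:
        return "suspicious", "target is not an http(s) URL or has no host"
    shown = link_host(display_text) if "://" in display_text else None
    if shown is not None and shown != target:
        return "suspicious", f"text shows host {shown} but the link goes to {target}"
    if not belongs_to(target, trusted_domain):
        return "suspicious", f"host {target} is not within {trusted_domain}"
    return "ok", f"host {target} is within {trusted_domain}"


if __name__ == "__main__":
    fake = "https://unrelated.website.com/www.wrenmaxwell.com.au/faked-website/address"
    print(check_link("https://www.wrenmaxwell.com.au/", fake, "wrenmaxwell.com.au"))
    print(check_link("Our website", "https://www.wrenmaxwell.com.au/", "wrenmaxwell.com.au"))
```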

    The same thing with attached files in the emails. .PDF documents may look innocent and the subject line of Overdue Invoice may imply you need to open the PDF to see who and what you owe, but the file can include malware that will get into your system and create havoc with your data in many different ways.

    How can you tell if the sender's email is correct? You need to check the email source content or email headers for valid information. This may require some technical knowledge of your email system and where to look for that information. There are too many options that are beyond the scope of this post. If you have concerns and need some help contact the team at WrenMaxwell.

    Rule #5. One final general rule. Never send an email with both user account details and the password in an email. Always separate the user name and password via different systems. Email username and SMS/TXT the password, or make an old-fashioned phone call to the recipient to provide the password verbally. At the same time, be sure you are providing access only to someone you know and have trusted for some time.

    Webmail Security Review and Cleaning

    The clean up and testing of security on the client systems took about a day. Tracing the emails within the relevant Bigpond accounts, and reporting same to Bigpond, got a very good, quick and thorough response from Bigpond security, thanks to Scott.

    A key issue is the hacking of the account occurred with minimal visibility for the client. It was only after the emails had been compromised the issue was identified. Given that the scammer could read ALL the email in the account, the next steps include updating passwords for any other system that was referenced in the emails. The issue being that emails commonly contain user account and password details which could be easily viewed and copied.

    Webmail Security Checklist

    The primary purpose of this post was to document the check points to monitor webmail. Having covered a lot of peripheral topics, here are the core items you should check:

    1. If you have an email account, anywhere, then it most likely provides a webmail interface that you can access from any web browser.
    2. Login to that webmail interface on a regular basis just to check the settings. Put it in your diary; it should only take 5 minutes each time.
    3. Change your email Passphrase on a regular basis and do not use simple passwords.
    4. Check All the setting options for anything that you have not specifically created. Folders, Rules, Forwarders in particular.
    5. Remember that settings in the webmail are not directly visible in Outlook or your desktop/device email software.

    I hope this helps someone to avoid an email scam and make their webmail a safer and more secure system.

    If you would like some help with understanding or fixing a security issue with your system feel free to contact WrenMaxwell Support at any time.