Pobox Blog

Mailstore went down. What happened?

2012-12-13T15:03:00.001-05:00

What is happening now? (last updated 4 January 1:45 PM EST)

At this time, all Mailstore problems are considered fixed. New hardware has been deployed, and approximately 75% of users have been migrated. Additional hardware is still being deployed for the remaining 25% of users. Onsite and offsite backups are both working properly, and new, faster hardware is expected shortly for onsite backups.

If maintaining the highest degree of access to your new mail is critical, please leave your forwarding address in place for now. The new hardware is still being upgraded, and short downtimes will be scheduled for migrated users in the coming weeks. More details will be announced as it becomes available. We do not expect these downtimes to exceed 1 hour, so if an outage of that duration is acceptable to you, you may feel free to remove your backup forwarding at any time.

Due to the nature of this outage (and the cleanup efforts it requires), a credit for 6 months of service has been added to all Mailstore accounts. We are truly, deeply sorry for the inconvenience we know this is causing all of you, and we're particularly mortified that you have lost any mail as the result of a failure on our part. We appreciate the patience (and kindness) you've shown, and hope we can re-earn your esteem as your email provider.

Overview of the Outage

Mailstore was down from 13 December 12:46 PM EST (-0400 GMT) until 14 December 8:13 AM EST, due to a hardware failure. Much to our horror and dismay, some fraction of mail destined for Mailstore accounts also bounced at approximately 6 PM, with the errors "Relay access denied" or "mail for mailstore.pobox.com loops back to myself". If your account was among those who had bounced mail, you will receive an email telling you who sent you the mail and when.

As of 14 December 8:45 PM EST, all backlogged mail has been delivered. A tiny fraction of accounts (24) had corrupted indexes, that prevented them from logging in. As of 15 December 10:00 AM EST, all 24 had rebuilt indexes, and all their mail delivered. If you believe you are still missing mail or cannot log in, please contact us to report it.

The message showing any bounced mail went out 13 December around midnight EST. If you had added a forwarding address by then, you have already received the message. If you did not have a forwarding address, that message may still be in the backlog of mail to be delivered. If you did not bounce any mail, you did not receive a message.

All the original updates are included below, for your reference.

Report from the system administration staff

Obviously, this is an incredibly horrible, extended outage, and we can only give you an explanation, not by any means an excuse. And the explanation, in short, is, we got caught with our pants down. We have been doing behind-the-scenes work on Mailstore for the past few months. As noted in several of the comments below, Mailstore is both a single point of failure, and one of the harder services to fix quickly, because of the massive amount of data it involves. So, even something as simple as "add more storage" can become challenging when that requires moving to new hardware instead of adding more drives to existing hardware.

The ongoing projects for Mailstore over the last several months have been: switch the backend processing software (from Cyrus to Dovecot, for additional features and more stability), add a new storage device (which we did, and has been problematic from the get-go), get a replacement storage device for the new storage device (which has not yet been delivered), have a hot onsite backup, and a cold offsite backup. But doing anything involving copying, moving or reorganizing Mailstore requires downtime, which we have been trying to minimize. (I know, and see where it got us?) So, we have been proceeding slowly, migrating accounts individually, and basically holding off on important things to avoid either slowing down your mail access or incurring extended downtimes.

As the performance of the current (quite new!) Mailstore hardware has degraded, and with the replacement not yet on site, we pushed forward to deal with the problem by planning a brief downtime to fail over some services onto less loaded parts of the system. That was going to happen tonight. This put us in a race with the hardware: we had to get to our maintenance window before it failed, because it was clear the planned means of failover ("Plan B") would not work. Mailstore's current workload would utterly overwhelm the failovers.

Unfortunately, we lost the race. This morning, a series of cascading failures, some seemingly entirely unrelated to the existing problems, including the complete corruption of our backup storage device, brought down the Mailstore service in such a catastrophic way that "Plan C" and "Plan D" for recovery were out of the question. We had to cobble together something from parts of plan E through K, and the result was what you'd expect: a number of false starts and unforeseen problems.

We counted on things staying the way they were, at least for a little while, rather than insisting on a downtime much earlier on to prep for this kind of catastrophe. And, for that, all we can say is how sorry we are. We are hoping to be back online very soon, and will continue making updates until we are.

What can I do to get my mail?

We recommend adding another forwarding address right away by clicking the "Edit" button to the right of "Your Mailstore Inbox" in the Delivered To column. Get more detailed instructions on adding a forwarding address.

If you've only used your Mailstore Inbox and aren't sure what a forwarding address is, a forwarding address is an email address at another ISP or provider. We take mail sent to your Pobox address, and forward it there. As long as you leave your Mailstore Inbox as one of your other addresses that we deliver to, the mail that we forwarded will also be delivered to Mailstore.

How can I get updates?

We're tweeting updates on the situation as we get them. You can view them on the web at http://www.twitter.com/pobox (or status.pobox.com), or follow us on twitter @pobox.

What happened?

We had been seeing slowness and errors throughout the day. We had planned an outage for late this evening. But, the problems were growing, and we thought that the problem could be resolved quickly by resetting the storage cluster. We were mistaken.

After we powered down the equipment, it did not come back up. We have been in touch with the vendor; they currently believe either the power supply backplane or the motherboard needs to be replaced. We are now working on bringing up the backup hardware.

Bringing up the backup hardware takes a while because there is so much data on Mailstore that needs to be kept in sync. Unfortunately, this process is somewhat opaque, so it's hard for us to tell how long it's going to take to finish.

Why is it taking so long to bring up the backup hardware?

The backup hardware is underpowered, and we were aware of this. Replacement hardware has been on order, but hasn't yet come in. Unfortunately, this is simply a case of really crappy timing.

What is NOT affected?

Basically, anything besides accessing your mail stored on Mailstore (whether you use your email program, webmail.pobox.com or atmail.pobox.com). Forwarding, sending mail via SMTP, spam processing (and viewing via the website), and all other website functions should be unaffected.

Update @ 6:26 PM: A number of messages bounced.

As we are bringing boxes up, there was an error. The IP address for mailstore was picked up by the firewall. The firewall, not being configured to accept mail, bounced approximately 8,000 messages. If your mail was among those messages, we will get as much information to you as possible about any lost message.

I have nothing to say about this, other than I absolutely share the sickening feeling you may be getting. We pride ourselves on never bouncing or otherwise losing legitimate mail. I don't even know what to say, except this is the kind of day we have nightmares about.

Update 14 December @ 2:40 AM EST - What is going on?

We are waiting on the remaining slow, clearly degraded hardware to finish making the data available. Once it is up, it will still be slow. This weekend, we will be doing everything we can to get off this degraded hardware, once and for all.

In answer to the question, "how did this go so badly wrong?", I can only say that the most horrific words in the English language are: "the backups are completely corrupted." Rest assured that there will be a complete analysis done of all the myriad ways our existing solutions failed us, in addition to work on the already-planned upgrades.

Update 14 December @ 7:40 AM EST

As this failure stretches on and on, we are working on alternative plans. Right now, we are setting up a new device, to give you access to the mail that has already come in. However, as seems to often be the case, as you start working on alternatives, the originals near completion. We hope to have a more definitive report in about 30 minutes.

Update 14 December @ 8:20 AM EST

The storage restore that had been running for the last 12+ hours has finally completed. Mailstore access has been restored. It will be slow, and you may still get the password requests we were seeing yesterday will almost certainly still happen. We will keep you appraised of future steps as we solidify the plans for them.

New feature: push notifications from email filters

2012-11-08T12:53:00.003-05:00

We've just added a new feature for Pobox Plus and Mailstore accounts, "push notification on filter match". The push notification sends a short message to your smart phone, that shows the sender and subject of the matching message. Here's an example of what you'd see:

All push notifications require an app to receive that notification. For now, we're offering integration with Prowl. If you use an alternate app to receive push notifications from third party services, let us know, and we can see about adding integration!

Most email filters stop processing as soon as they match a filter. For push notifications, we made them work like subject tagging. So, if a push filter matches, it will notify you, but continue checking your other filters in case you want to redirect or CC it to another person.

In order to keep an overly-aggressive filter from going off all the time, push notifications are limited to one every 5 minutes. You will need the Prowl app (again, if you're using another service like Pushover or Notify My Android, please let us know) to receive push notifications. Check out our help page on setting up push, and start receiving notifications today!

Get more from Pobox with personal domains!

2012-10-22T10:52:00.000-04:00

We're pleased to announce a great change for people who use or want to use personal domains (MyPobox) with their accounts. Effective immediately, we're eliminating the charge for additional addresses (the addresses formerly known as aliases). While the number of addresses you can have at Pobox domains is still capped, we've greatly expanded the number of addresses you can specify at your own domain.

The new limits on incoming Pobox addresses, by account type, are:

Pobox Basic: 20 addresses (3 at Pobox domains)
Pobox Plus:   40 addresses (6 at Pobox domains)
Mailstore:    100 addresses (6 at Pobox domains)

The price for using AllMail, which allows you to accept mail sent to any not-specifically-assigned address at your domain, has been reduced to $10 (from $30).

This change also means that we will now be tracking mail volume limits. Virtually all of our accounts are well under even the smallest of the volume limits. However, if your account is not, you will be contacted via email. (Just interested in how much mail you've been receiving? Check our new Statistics page to see how much mail you receive daily, monthly and yearly.) The volume limits, averaged monthly, are:

Pobox Basic: 1,000 messages a day
Pobox Plus:   2,000 messages a day
Mailstore:      4,000 messages a day

Why did the Pobox address charge exist for so long? In the past, the alias charge was a stand-in for email volume. Our billing system was written LONG in the past, and didn't have a way to track metering information. As you may know, we've been transitioning to a new billing system over the last few months, and this is one of the changes that the transition has enabled.

What happens if you exceed the volume limits? We will never bounce mail for exceeding volume limits. If you are one of the fewer than 30 accounts whose current usage exceeds the limit for their existing account type, you will receive an email within the next two days informing you, and asking you to upgrade to the account type whose volume you are currently using. Should your usage remain at that level, we will automatically upgrade you to the appropriate account type.

What if I've already paid for additional addresses or AllMail? Good news! You'll see your account expiration date automatically extend as a result. You'll receive an email in the next two days telling you about what's changed on your account.

Does this mean I can invite 19 friends to share my account with me? No. A single account is still designed for, and intended to be used by, a single person. While some Pobox Plus and Mailstore account holders use delivery groups to redirect a small amount of mail to another person (I, for example, have addresses we give to my daughter's school, doctor's office, etc. that send copies to my Inbox and my husband's account), the increase in addresses available to an account does not mean they are "shareable."

What if I'm already using more addresses at Pobox domains than my account type permits? Accounts already using between 3 and 9 Pobox-domain addresses (which have always been capped at a maximum of 9 per account) will keep those addresses, at no charge. Many of you are among our oldest account holders -- thank you for your many years of support, and continuing to choose Pobox as your email solution!

Are you changing the limits on forwarding addresses? No. No address can forward to more than 5 addresses; no account may have more forwarding addresses than incoming addresses. Please note that messages that are forwarded to multiple destinations have those messages count multiple times towards their volume limit. So, if you get 10 pieces of mail forwarded, but you forward to 5 destinations, that counts as 50 messages.

Is there a limit on the number of domains I can have on my account? Accounts are still capped at a maximum of 100 addresses. Since every domain must have at least one address, 100 domains is the cap.

Is there a limit on the number of Pobox accounts that can use my domain? You may share your domain with as many other Pobox customers as you like. You may also add as many accounts as you like to your billing group.

We hope you'll find this change a great reason to move or add a personal domain to your Pobox account. As always, if you have any questions about this change, please let us know.

When it comes to spam, less is more.

2012-09-20T10:10:00.001-04:00

One of the biggest complaints we get about spam is that there's too much of it to review. Today, we're announcing a simple change to our default display settings, that we hope will drastically reduce this problem for those of you whose anti-spam level is set to Standard.

While the Pobox Spam section and emailed reports can be customized for your preferred views, the vast majority of you use the defaults we provide. To reflect how we use the Spam section, and how we think it can be most useful to you, we've changed the defaults. Effective today, we're switching the default view we provide from Held Messages to our Quick Check view. If you were previously set to go directly to Held Messages on the web, or if your emailed report sent all held messages, you will now see the Quick Check view instead.

The Quick Check view removes messages caught by our 3 most effective filters. How effective are they? For our two most accurate filters, customers review more than 10,000 messages they caught to release just one message. For the third, you review more than 2,000. Of the messages released, header reviews indicate the vast majority are actually spam or suspected phishing, which customers choose to release to themselves for their own purposes.

These 3 highly accurate filters catch more than 88% of the spam we handle each day. In house, Pobox staffers nearly always choose to use Aggressive filtering, because it bounces messages flagged by these filters, and drastically reduces the amount of mail to review. Reviewing thousands of pieces of spam for the extremely unlikely possibility that one legitimate piece of mail might be there is simply not effective. Not only do you waste all that time reviewing spam, but it ends up burying mail caught by our less accurate filters. Reviewing messages that have a 1 in 400 chance that they are legitimate makes much more sense than wading through messages whose chances are 1 in 10,000 (or much, much less.)

Please note: this change has not modified what we catch for you (your anti-spam level) in any way. It only changes the default setting of what we are asking you to review. If your view was set, on the web or via email, to Bounced or For Review, your settings have not been changed. If your anti-spam level is Aggressive, this change will not alter your view. Aggressive bounces these extremely accurate filters, so they are already part of your Bounced view, not your Held view.

For some of you, part of the peace of mind that Pobox provides is knowing that you can easily check all the mail we've blocked for your account. If you would prefer to continue reviewing all spam we hold for your account, just switch the view we send back to Held Messages. (If you want to try the new view out for a few days first, the "Emailed Reports Settings" button at the bottom of every report takes you to the settings for the view included in your report.) To switch the default view when reviewing messages on the web, just select "Held Messages" in the top right corner under Spam Views.

Search in the spam section also checks every section and every view, and always has.

We believe this small change will dramatically reduce the amount of spam you have to review, without impacting the accuracy of your results in any way. We welcome your continued feedback on any way we can make Pobox better and easier for you to use. Let us know if you think this has helped!

Updated (9/24/12): Text has been modified to clarify that this change modifies the display for people whose anti-spam level is set to Standard. Users using Aggressive or higher will not see a change.

Pobox Best Practices: Update your password.

2012-07-12T11:57:00.000-04:00

There have been a lot of changes going on at Pobox in the last few months! Some are apparent immediately, but others, you can't see. Today, one of those invisible changes is in place... but we need your help to see the benefit.

As times change, so do the best practices for common tasks like password management. We've made a big update today, to bring our policies in line with those best practices. We've updated our encryption algorithm to use bcrypt, and to extend the length of both they key and the unique salt we use to encrypt your passwords. We've dramatically increased the maximum password length, up to 500 characters. We've removed most of our restrictions on what special characters you can use. We've also made it easier for us to switch to newer, stronger encryption methods as they become available.

To take advantage of all these new changes, you need to log into the website and update your password. Even if you use the same password again, you'll get the benefit of our strengthened encryption standards. But, to entice you to choose something longer and harder to guess, we've added a tool to the website to tell you, in time, how long it would take for a computer to guess your password.

As you've probably noticed from previous blog posts, we think account security is incredibly important. And because so many websites send your password reset requests to your email, the security of your email account is especially important. Please take a few moments to update your password today.

A New Look for Pobox Services

2012-06-19T15:31:00.000-04:00

A few months ago, we debuted a new front page at Pobox. Now, those changes have filtered into the Services pages! All the same services are there, but we hope you'll find these changes make the site much easier to use. If you notice an issue or see a problem, please let us know (with a screen shot, if you can — what you're seeing may not be what we're seeing.)

Services

The Services page provides more information we think you need at a glance. We added color-coded labels to subtly highlight the services you're using, and ones available to your account that you may not be aware of. As more and more of you interact with us on Twitter, we've expanded the block to show the 3 most recent tweets, and give a little more context to questions that may come up there. (As always, if you need us to look at your account, please email us at pobox@pobox.com ‐ we won't ask for account information over Twitter, and it's not always apparent from your twitter handles what account you're referring to.)

Personal domains are a much more common part of Pobox accounts, so they get their own spot on the Services page now. The spam slider has been moved off the Services page, and onto a page with the by-country blacklists. Most of you update your spam settings fairly infrequently, and we hope placing them with the country blacklists will encourage more of you to try them out!

Mobile/Tablet

The new pages use a fluid grid layout, which means the pages adjust for comfortable viewing on many different monitor sizes. For those of you who use the website on your smart phone, tablet, or any other small screen, this should mean much less shrinking, growing and panning as you try to move around the site. Page sections should flow under each other to accommodate smaller sizes. To reduce scrolling on smaller screens, most instructional text has been moved to the right of the screen. So, if you need more context for a specific page, look for explanatory text under the form.

In the same vein, the Spam section will now adjust the columns displayed with our best guess for what you need at the screen size you're using. You can always use the Edit Columns option to add back columns you wish to see and pan right, as necessary.

Users

If you own or administer multiple accounts, you'll find our new Users tab very handy. When you're editing your own account, it shows Users, for a quick jump to the account dashboard. If you're editing another user, it shows you the name (or email address, if there's no name on the account) of the user you're editing.

Spam Section

The Spam section has been adjusted to make page navigation easier. "Mark this Page Reviewed" has been renamed to the more straightforward "Release Checked + Delete Others" (of course, if the message was bounced, the sender will be mark trusted instead — there is nothing to release). That button has been moved under the checkboxes, making it easier to scroll down the page, then click the button as necessary. The "Release" link has been removed, and replaced with a second button, "Release Checked Only", so you can release multiple messages without deleting more easily.We've also added keyboard navigation — you can tab through the checkboxes, click return to submit the page, or keep tabbing over to the page number and use the right or up buttons to move to the next page.

Trusted Senders

The Trusted Senders page has been completely revamped, to make viewing and editing easier. They are now displayed in a table, where you can view a list of your trusted senders with:

name
email address
when the sender was added
how it was added: sending mail, releasing a message, imported, or added individually on the Trusted Sender page

If you use it, you can also view "Type" to show whether a trusted sender entry is a server/network entry. (Because it's rarely used, that column is hidden by default.)

Each entry has a checkbox, which means you can mark multiple addresses for deleting at once. To edit an entry, just click the name or email address, and edit in place. The table layout means you can sort the Trusted Sender table to view addresses that have been added recently, if you marked a sender trusted when releasing something that ended up being spam. Overall, the changes should make it much faster to look at and edit your Trusted Senders.

Refer A Friend

We've noticed that more and more of you recommend us to your friends on social media websites. (Thanks — it's really nice to see what it is you say about us!) So, we've added links for Facebook, Twitter and Google+ to the Refer A Friend page. They give a customized link that lets us know your friend heard about us from you.

We hope you like the new changes. As with any site modification, there can be errors or interactions we just didn't see on our test computers. Again, if you notice an issue or see a problem, please let us know! Screen shots of what you're seeing are doubly appreciated.

Diary, Datebook, Ledger: Email is your Historical Record.

2011-11-10T12:58:00.000-05:00

I was helping my mother clean out the office of my great-aunt, who recently passed away. After spending the afternoon tackling three filing cabinets of old bank statements, receipts and ledgers, we were expecting more of the same from the fourth cabinet. Instead, we were astonished to find her personal letters, spanning more than 60 years. Even more incredibly, she had typed all her correspondence using carbon paper, so both her letters and their responses were included.

My mother spent many months poring over those letters. Both the revelations of family history, and the minutiae of how her aunt had spent the days fascinated her. She said she wished she had been a more diligent letter-writer -- that some historical record had been formed of her years besides photographs.

At that moment, and during many others over the years, I was happy I started archiving my email in 1995. I reflect from time to time on what kind of record those archives are forming. The personal correspondence varies from brief "want to grab dinner?"s to multi-page ramblings; notices of births and photos and links to sites and pages that have long since been shut down.

In recent years, it's also become a chronicle of many more details. As more services, online and off, send email confirmations, patterns emerge -- what I buy, where I travel, my interests, the wisdom of the day. I get emails about restaurant reservations, clothing purchases, newsletters chronicling milestones for my baby. Imagine finding a cache of papers detailing how they thought babies should be raised at the turn of the century, how much your ancestors spent on items from the Sears Roebuck catalog (surely the Amazon.com of their day) or the restaurants they dined at.

Will anyone ever go back through these archives? I don't know. (I might end up deleting years of the most cringe-worthy material if I did.) The immediacy of a box of paper, versus files on a hard drive, is certainly undeniable. On the other hand, it's far easier to search email!

Do you keep your old email? Do you expect anyone besides you will ever read it?

If you don't keep an archive of your mail, but you wish you did, check out Mailstore Archive.

What to do if you get hacked.

2011-07-26T17:16:00.003-04:00

A friend of mine had her Hotmail account hacked today. A message went out to everyone in her address book, telling them she had been mugged in London, and could they possibly help her get back to the states? Needless to say, she was safe and sound in New York. However, scams that prey on your personal contacts are incredibly effective for quick scams. So, what can you do if your email account is compromised by scammers or hackers?

1. I can't overstate enough the importance of good, single use passwords for your email account. Keeping people out of your account will always be the best way to protect yourself.

2. Assume you won't have access to your primary email account. The first thing the scammers did was change the password on her account, so she couldn't log in. She had a second account set up, so she could still access her email, and tell people that she was ok. As a Pobox customer, you can always send mail out through us. You can also forward mail to more than one account. And, of course, if your forwarding address is compromised, you can always log in to your Pobox account and change where we send it (or keep it with us by upgrading to a Mailstore account.)

3. Make sure you have a copy of your contacts on your computer. Especially if you use a webmail provider as your primary email account, you may have many addresses that only appear in your online address book. Keeping an up-to-date copy on your computer means you can tell as many people as possible that everything is OK. (Find out how to export your contacts from Gmail, Yahoo! Mail and Hotmail.)

4. Set up security questions for all email accounts that are open. The scammers in my friend's case used her old Hotmail account, which was still active, even though Gmail is her primary email address now. She has still not been able to get back into the account, because she did not have secondary verification information set up. Update your Pobox security question.

5. Shut down your old accounts. An account you don't log into is the one you won't notice getting compromised, until someone calls you from out of the blue to tell you you're spamming them.

What should you do if you get an email from one of your contacts, asking you to send them money in a hurry? The best and easiest way to verify that they're ok is, as AT&T used to say, "reach out and touch someone." Pick up the phone and call; until voice replicators become common, someone's voice will be the hardest thing for a scammer to fake.

Getting hacked can happen to the best of us. Open wireless networks, getting online in a cafe, using an open terminal to print out a boarding pass from your hotel -- there are many, many ways a malicious user could get access to your password. Taking some simple steps now can help take the pain out of recovery if something should happen in the future.

Introducing Mailstore Archive!

2011-07-07T11:19:00.001-04:00

We're pleased to announce a new feature for Mailstore accounts today -- Mailstore Archive! Archive offers two new options, in addition to the standard delivery to your Inbox:

Inbox + Archive: to have your mail to go to both your Mailstore Inbox, and to your Archives folders
Archive Only: Don't send messages to your Inbox, just store them in your Archives folders

Archives can be separated on daily or monthly basis. We've been testing them in-house, so I'll tell you how we've been using them by way of example.

I read all my mail on Mailstore. I'm using Inbox + Archive, and storing my archived mail in monthly folders. Now, when I read my email in my Inbox, I only move messages that I need to be able to find quickly by topic into folders, and delete other messages as I deal with them or respond to them, and use my Archives folders as my stored copy.

Otto uses his Mailstore account as a secondary backup account. He reads his mail at one of his forwarding addresses, and uses his Mailstore account in case his forwarding address is unavailable. He uses Archive Only, and stores mail in daily folders, so he can quickly look at messages from the last day or two only.

Tim prefers managing his mail manually. After testing Archives, he switched back to Inbox Only, so his mail just goes to his Inbox, and he moves it to folders as he likes.

The standard behavior for all Mailstore accounts is Inbox Only right now, but we hope you'll check out the Archive options. If you turn on Inbox + Archives, we'll begin putting all mail that comes to your Mailstore into Archives folders. If you use Archives Only and you also use email filters to direct messages into specific folders, messages that are not assigned to another folder will go into the Archives folders.

If you have any questions about the new Mailstore Archive feature, or need any assistance, please let us know!

All About Email: How to Read Message Headers

2011-06-17T14:24:00.001-04:00

When we at Pobox Customer Service get a question about a particular message, one of the first things we usually ask is, "Can you send us the full headers of the message?" The full headers are a treasure trove of information, reflecting (nearly) everything that happened to the message from the time it was sent to the time you received it.

This week, we've rolled out a new Help section, How to Read Email Headers, to provide a map of sorts, so you can mine that treasure trove yourself. From the very basic question of "What are email headers?" to the super-advanced problem debugging of how to use email headers to figure out why you're getting two copies of messages, there's information at every level. Please check it out. If you have other questions about email headers you'd like to see featured there, just let us know!

Accounts get hacked. Don't let yours be next!

2011-06-07T13:58:00.000-04:00

Last week, I notified you about a policy change to our SMTP relay. We got a fair number of questions about it, so let me clarify why we made the change. Over the last few months, we have seen more than 30 paid, active-for-many-years accounts compromised and used to send spam.

At least once a month, a major web service announces that their email database has been hacked. (Most recently has been Sony; Gawker Media, which includes Gizmodo and Lifehacker; and Fox TV.) Analysts estimate that 20% to 35% of people use the same password for nearly every website. If you use the same password for your Pobox account for other accounts on the Internet, you have an excellent chance of your account being used to send spam at some point in the near future.

So, what should you do? Go change your Pobox password now. While you're at it, go change the passwords for any other email accounts you still have open. (Yes, that means the old Hotmail account you never closed down, too. Haven't you gotten apologies from your Facebook friends yet about the spam they've sent out?)

Make sure you use different passwords, or this post will be up again in another 6 months. But how are you supposed to remember different passwords for all the different sites out there? Like you, I do not have an endless memory for passwords, so I use 1Password. Prefer to go for a non-software solution? Here are some suggestions for alternate methods of generating site-specific passwords.

I know I harp on the topic of password security a lot. But it's a big, bad Internet out there, and there are a lot of folks who are interested in using your good name to spread viruses and botnets, sell Viagra, and scam your friends. Keeping your password safe is more than just good for you. It's good for everyone whose email address you have, from the person who last corresponded with you in 1996, to your boss, mother, and best friend.

Spam and Security: Changes to Pobox Outbound Mail

2011-05-27T15:18:00.003-04:00

You can use Pobox to send your mail, by setting up your email program to send messages through smtp.pobox.com. If you use smtp.pobox.com, I wanted to make you aware of a recent change.

When you run an email service, you are constantly doing battle against spam. There's the spam that people try to send to Pobox accounts. And then, there's the spam people try to send FROM Pobox accounts.

The Pobox SMTP server has always filtered mail from trial accounts, as spammers and phishers love to try to take advantage of the reputations of legitimate email providers. Of late, though, we've seen an increased number of active, paid Pobox accounts being abused by spammers. (So you don't worry, "increased" here means from a couple a year, to a handful a month. Hardly a rash.) Whether it's caused by a virus getting installed on their computer or a phisher stealing their password, a compromised account can quickly send enough spam to cause a problem.

As such, we have recently changed the policies for mail sent through smtp.pobox.com. All outbound messages are now being checked by Cloudmark, which looks for "signatures" (URLs, phone numbers, email addresses, domain names, unique phrases, etc.) found in messages that have already been reported to them as spam. Accounts that have several messages flagged by Cloudmark in a day have their SMTP privileges automatically suspended.

This change is for your protection, as well as the protection of all customers who send mail from the SMTP server. Even a small number of spam complaints can adversely affect our ability to get the messages you send delivered to your correspondents' Inbox. And the accounts actually compromised by spammers could see their email address's reputation severely maligned.

However, Cloudmark, like all spam filters, is never 100% accurate. If you send a couple of messages misidentified as spam, your account shouldn't be affected. But, if more than a handful of your messages are misidentified as spam, you may see your SMTP privileges temporarily suspended. You'll be notified via email, and copy of the message will be sent to Pobox Customer Service for their review, and we will reinstate accounts that have been incorrectly deactivated. But, feel free to email us if you think the situation warrants an explanation.

Because this change can cause your SMTP privileges to get suspended, I will take this opportunity to remind you that the SMTP server is never to be used to send bulk messages. If you are CCing enough people, even a single message identified as spam is sufficient to get your SMTP privileges suspended. If you have a CC list that you regularly send mail (and it's more than a few people), we strongly encourage you to set up a mailing list.

Email Etiquette: on the Subject: of (no subject)

2011-05-06T16:43:00.000-04:00

In November, Facebook announced Messages, their email-that's-not-email. They specifically touted how it didn't have subjects, CCs or any of the other overhead or required bits of email -- just you, the name of your correspondent, and what you want to say. Yet, when I was surveying the staff for new blog topics, Mark offered this idea:

How about this? The fastest way to get me to ignore your message is to send me an email with no subject... or even worse, Subject: (no subject)!

I can see both sides of the issue. On the one hand, I've sat there with a fully written message, agonizing over a subject line, or just wanted to send someone a link, and ended up with the "I thought you'd find this interesting" subject. On the other, I've gotten an email with no subject, and had a moment of worry about whether I was about to open a virus or spam message.

I also do customer support for our email marketing service, Listbox.com. In email marketing, you would never send a message without a subject. Your subject line is your tiny billboard, your hook, your teaser to get people to open your message. In the same vein, when following up with Mark, he clarified that what he really meant was he would never open a message from a stranger without a Subject. But those are precisely the Subjects that are most difficult to write! If I could convey my entire thought in a line, I would just tweet at you, not email.

I spend a lot of time writing for other people -- email, IM, texting, with customers, business associates, family and friends. You learn to read the cues that other people are sending, and adjust appropriately. But when you send messages out into the void, there's no history to draw on... hence the sweaty-palmed subject agonizing.

How do you feel about Subject: headers? Are you grateful to Facebook for freeing you from their tyranny? Are they a critical part of the email experience for you? Or are you perfectly ok with getting an occasional Subject: (no subject)?

Spam and Security: What the Epsilon breach means for you

2011-04-07T15:37:00.001-04:00

Last week, I started getting notices from websites I use (Tivo, Target, one of my credit card providers) saying, "Our email provider has been compromised. Your email address may have been stolen." Epsilon, one of the largest providers of online marketing services, including email marketing, had been hacked. See a list of more affected brands.

All the emails were quick to say, "No account information has been stolen! They don't have your password!" So, you might be inclined to just delete them without a second thought. But this should actually give you a reason to worry -- about spear phishing. Some of the tips we generally give you about avoiding phishers, like look for personalized information, is exactly what has been compromised. So, if you get an email "from" your bank, that looks just like all their other messages, and addresses you by name -- it still might not be safe.

So, what should you do? The best advice I can give you comes from the X-Files: Trust no one.

The information you want to be most cautious about protecting, your passwords, is something you might not even think about giving out. For many of us, it's second nature to click on a link in email, then fill in our username and password at the page it takes us to. That's exactly what scammers count on.

What will protect you?

Typing in the URL of the website in your web browser. (Yes, you can use a bookmark, too.) In fact, if you always do this.... I won't guarantee that you never give up your private information, but you've gone a long, long way towards avoiding it. The way phishing works is by tricking you with visuals -- making the email and the web page they direct you to look like one you trust, when it's actually one the scammers control. If you don't click the links in their emails, you're off the hook!

Can you ever click a link in an email safely? Maybe. There are lots of links that direct you to pages (help pages, product pages) that aren't asking you for login information. But, remember, target.com, target2.com and target3.com could have totally different owners, so just because the URL of the page you're at looks almost right doesn't mean it's legitimate. And once you've visited a page or two, if they ask you for login information, you may not think about how you've gotten there.

Never email your account password, credit card or bank information. That's right. Never. No legitimate organization should ever ask you for your password. If they need to ask you about your credit card or bank information, the most they should ever do is provide card type and last 4 digits, and ask you to confirm it. If you need to make a payment, type in the URL of the site, and go to their pay page. They don't have a pay page? They should be able to accept a payment via PayPal. Still no? Then you're not dealing with a legitimate business.

What doesn't help?

Pages that know your username/email address. This is the big fallout from this security breach! Now, the parties who hacked the Epsilon database know that you are a customer of TD Ameritrade, Chase Bank, Citibank, [insert your financial institution here] AND they know what email address you use to log in. So, just because some piece of uniquely identifiable information is in the page doesn't mean that it's legitimate.

Looking for the "lock" icon in your browser. A lock icon on your web browser just indicates that the page is sending its information securely. Scammers can use encrypted traffic just as easily as a legitimate site, and a lock in NO way indicates that you're dealing with a legitimate business.

Pages that "look right". Scammers can, and do, replicate every element of a web page trying to fool you into thinking you're on a legitimate site. Logos, graphics, banners, fave icons.... none of these are indicators that the page you're on is associated with the business you're looking for.

A Valentine from Pobox Customer Service

2011-02-14T16:37:00.000-05:00

After last week's post about spreading love with email, Pobox's own Kate Marstin was inspired by someone she really loves -- you!

Dear Poboxers,

Valentine's Day seems like the best time to tell you all what I've been thinking. I've been keeping my true feelings to myself. I think that I might love you, customers.

When I first got this job many years ago, you intimidated me. Being part of the public face of Pobox was nerve wracking. I was never sure where I stood with you.

I still remember the first day I thought I could do this long-term. I had been down all day after a rather mean message came in from a customer, after I had worked very hard on her problem. I remember thinking, "perhaps, I'm not cut out to do this job." Then, she wrote back to tell me that one of my solutions had worked after all! She also apologized for her other message and thanked me. A couple of days later, a card arrived at the office -- via postal mail. She had written again to thank me. I saved that card as a reminder to myself to never give up on your problems.

When I was working every day, I felt a thrill when I'd help you with an issue that was difficult to track down and resolve. I'd notice happily when you sent a thank you email and tell my family about it later.

If I got one of your ideas implemented, I'd be glad that I had made you happy. If our technical staff turned down an idea, I'd try to go to bat for you. If they still said no, I'd be upset and sympathize. My coworkers and boss were my friends, but you were my priority. You were the ones who made it possible for me to get up every day, happy to go to work.

Even though we don't get to spend as much time together now that I'm only handling tickets on the weekend, I wanted to let you know how important you are to me. Thank you for making me happy to talk to you every day for so long. You all deserve my best support just for being customers. I made the cookies, though, because your kindness keeps you in my heart always.

Love and cheers,
Kate Marstin
Pobox Customer Service
pobox@pobox.com
http://www.pobox.com/

Kate, those cookies are incredible -- and she made enough for us to share with you! Have a valentine for Pobox Customer Service that you'd like to share? Put it in the comments. We'll pick a random customer to get a package of Kate's homemade treats. Happy Valentine's Day!

Spreading Love with Email

2011-02-03T16:13:00.006-05:00

Valentine's Day could be the official holiday of Pobox -- we've been loving email so long, we're due to send it a silver teapot. Valentine's Day isn't just about flowers, chocolates, and stuffed teddy bears, though. Why not use technology to give the Valentine's gift that can touch even the most jaded cynic, the love letter? I'll even give you a few ideas to get you started.

1. Start today, and send your sweetie "10 things I love about you" by the 14th.

2. Do you save your old email? Go back through your archives, and forward some favorite messages from your early courtship.

3. Email the lyrics to "your" song.

4. Send a picture. In the age of digital cameras and smartphones, a picture can say a thousand words, so be effusive about your love. Or, for another take on idea 2, scan in photos from your first months together, if your love goes back to the pre-digital era.

5. Ask his or her friends, via email, about your valentine's best trait. Then compile and send to your loved one.

Let's see how easy it is to write a short and sweet note, by examining one I've written on behalf of us all to something we hold dear around here.

Dear Email,

You're still our #1 main squeeze after all these years! You're there for us all day, every day, handling all the details of our lives without complaint. But you can also still send a thrill through our hearts with those 3 little words -- you've got mail.

XOXO,
Pobox

It's not just cupids and hearts, though. Email can help you handle the practical side of love, too. Pobox Plus and Mailstore users can use Delivery Groups to set up an address that forwards to both members of a couple. Lots of customers have used them to set up addresses when planning their wedding. They end up keeping them because it's awfully handy to give out one address that can reach you both, without having another mailbox to check.

How do you use email to spread love -- sweet or practical? Share it in the comments (or just let me know if you use any of my ideas for your own e-valentine!)

The Spam section: an Anatomy of a Downtime

2010-11-04T15:51:00.006-04:00

For those of you who weren't following along on Twitter, the last 2 days were a bit of a rocky road for the Spam section. At this time, virtually everything has been restored to its proper state, but for those of you who would like to know more, here's what happened.

On Tuesday, November 2nd, the primary server for individual users' spam databases (which is what feeds the Spam section of the website, and the emailed reports) suffered a partial disk failure. All our servers have redundant hardware, but a reboot was required to get everything running again, which caused an outage of about an hour.

In order to more permanently fix this problem, we scheduled a maintenance window for early morning November 4th. Unfortunately, it didn't fix the problem. In fact, it broke harder, with a partially failing disk becoming a completely failing one.

When dealing with a hardware problem that also has a software solution, you always end up asking the same question. Will it take less time to fix the hardware (even if that time is an unknown number of hours) than it would take to write a software solution?

In the case of the Spam section, we know there is really one critical feature: let you release any misidentified spam. There are other nice features -- see what we've picked up for you, let you mark messages reviewed, search, get an overall count of messages identified. But, if you can release a misidentified message, then the section is working, and if you can't, well, it's just broken.

So, after several hours of working on the hardware, we ended up saying, "ok, it's time to try a software solution." This led to the most recent 7 days of spam becoming available at approximately 1 PM EDT (approximately 12 hours after the outage began.) We wanted to make sure than any real mail you had received this morning or late yesterday was available quickly, since we still weren't sure how long it would take to fix the hardware.

As is often the case, though, once the initial crisis is resolved, the permanent fix comes shortly behind. By 2:30, the hardware problem had been resolved. By 4 PM, a full restore of all spam data had been completed. At this time, the Spam section should be its old self again, and, if you hadn't logged in to check your Spam in the last few days, you'd probably never realize anything had happened.

If you have been logging in though, you may experience a few small issues as a result of this problem.

1. Messages you marked "reviewed" or deleted between 1 and 4 PM on November 4th will have their status reset to unreviewed.
2. If you received an emailed report between 1 and 4 PM on November 4th, the "View this message on the web" link, as well as the "Mark this Report Reviewed" button will not work. (The per-message "Release" link will work, though.)

There was even an unexpected upside as a result of this problem. In order to make the spam from the last 7 days available, some changes had to be made to how incoming spam was processed. These changes significantly boosted the processing speed of incoming messages. So, we hope that this will lead to an overall reduction in the time it takes from when we catch a message, to when it appears for review on the web. It's a small change, but a welcome one if the message in question is one you're itching to release.

As always, we appreciate your patience and understanding during this outage. If you see any further issues, please let us know. If keeping up-to-date on outages is important to you, I would encourage you to keep an eye on our Twitter feed (which we have been updating throughout the day today). When the Pobox site is up, you will see our most recent tweet at the top of the Services page, but even when the site is down, our announcements are available on Twitter's website, as texts to your mobile phone, through RSS, and, of course, through the many Twitter applications out there.

New filter feature for Mailstore customers: filter to Mailbox!

2010-09-22T12:00:00.000-04:00

I'm excited to announce a new option we've just added to Email Filters: Deliver to folders! Mailstore customers can now set up filters that will immediately direct mail to specific folders in their Mailstore account.

To use it, just create a filter, specifying what we should look for in your message. Then, when choosing an action, select "Save The Message In Folder" and specify the name of the folder where it should be delivered.

This should make it easier for you to sort and categorize mail, before it hits your Inbox. For customers who access their Mailstore account from multiple email programs or devices, this means you can get consistent filtering, no matter which email program reads the message first.

Some details about how it works:

If the folder doesn't exist when the message is received, the folder will be created when the first matching message reaches Mailstore.

If you want to save the message to a sub-folder, like, Friends > Joe, just specify the folder path with dots(.) separating them, like Friends.Joe.

Special characters are not permitted in filterable folder names (even if you've already set up folders using those names.) Folder names can be numbers, letters, and dashes. Dots (.) cannot be used as part of the folder name, as that is reserved to indicate sub-folders.

We hope you enjoy this new feature! We're very excited about it (and about the changes to email filters from earlier in the year that made it possible to add, too.) If you have any questions or comments about using it, please let us know!

See something? Say something!

2010-08-04T14:15:00.006-04:00

When we make major site changes, we keep access to the old pages available, in case there's some unusual situation that causes the new pages to fail for someone. But minor changes can sometimes bite just as hard.

Site changes are tested in IE, Firefox and Safari before they go out in public. But differences between versions and setups, and the fact that our testers reload style sheets religiously means that, sometimes, what you see is not what we see. Here's an example I got just the other day:

We removed the Login text boxes from the top of www.pobox.com. (This change was the result of changes to Internet Explorer 8's security settings, which said that page was insecure because it was loading the blog headlines.) Looks fine, right?

But the next day, questions started coming in about the login box being "missing". We thought people wanted to know where the text boxes to put in their username and password went, and we told them about the reason for the change, the security alerts in Internet Explorer, etc. After almost a week, someone sent me the following:

Ouch! That was all it took to realize that all those messages about the "missing login" were not about missing text inputs ... people couldn't see the button! (Thank you again, Debbie.) Most people told us, "I assumed you knew, and you just hadn't gotten around to fixing it."

That's why we love to ask for screen shots when people report a problem. It's amazing how many questions/debugging sessions can be short-circuited by simply seeing what you're seeing.

So, if you're seeing a persistent display problem with the site, please let us know! The grass may actually be greener on our side of the fence, and we just don't know about the issue you're seeing.

All About Spam: Phish Food for Thought

2010-07-08T18:44:00.006-04:00

All About Spam is a series of blog posts about common spammer techniques. Have a question about a type of spam that you'd like to see in a future blog post? Leave a comment, or send an email to pobox@pobox.com!

A phish is a type of spam designed to gain access your secure information, like login/password combinations, credit card numbers or Social Security numbers. Phishers use social engineering to get you to reveal this information -- rather than using computers to hack their way into the data store, they use tricks of human nature to get you to give it to them.

Unlike most spam, which is just annoying, phishing has a real threat. Though estimates of the final total vary, everyone agrees millions of dollars are lost by consumers each year due to phishing attacks. So, how can you protect yourself?

1. Question unsolicited emails. Obviously, if you go to your bank's website, and click the "Forgot password?" link, you should expect an email shortly. If you get an email from your bank (or Amazon, or any other organization) out of the blue, asking you to log in to your account, view it with a critical eye.

2. View links with suspicion. The number 1 method for phishers is a link that directs you to a page that looks legitimate, but isn't. The easiest way to get around this method? If your bank emails you and asks you to log in, type in the URL you know is good (or Google for it, if you don't know it), rather than using the link in the email.

3. Look for personalized information. This method isn't foolproof ("spear phishing" refers to more focused messages, attempting to get information from more specific groups -- which allows for more customized messages), but it's a good starting place. For instance, most banks will include your name when sending you a message, plus some portion of your account number. Transactional emails, like receipts, are also generally safe bets -- you can recognize, "is this something I ordered?"

4. Keep a close eye on details. Many phishing messages have somewhat obvious problems. Misspellings, poor grammar, bad addresses, colors that are slightly off, formatting that doesn't quite match the usual messages you see ... all of these should be tip-offs that something not quite right is afoot.

5. Never enter your financial information on an insecure web page. Credit card numbers, bank login credentials, account numbers and any other secure data should only be entered on secured web pages. Look for https:// URLS and a lock icon on your browser.

The most important thing to remember is, just because a message looks like it's from a legitimate organization, doesn't mean it is. The first phishing schemes revolved around a few large organizations -- AOL, Wells Fargo, Bank of America. It was easy to detect these as fakes, if you didn't have an account at one of these places. Using the same level of suspicion when dealing with emails from organizations where you do have an account could protect you from a very painful error.

Lock it down: Good (and bad) security questions!

2010-07-01T14:17:00.013-04:00

In order to retrieve your Pobox password, we ask you to answer (among other things) the security question you set up when you created your account. But are you using a good question? Your account is only as secure as your security question.

Pobox lets you specify the question yourself, so you don't have to use the classic "What is your mother's maiden name?" Fully 10% of Pobox customers use some variant on this question -- but research indicates it's not a very safe way to secure your account. (Neither is "What is my pet's name?", if you ever talk about or post pictures of your pet online.)

Your security question and answer can be updated at any time, so go take a look at what yours is. If you can use any question, though, how do you pick a good one?

1. The answer should be hard for someone else to find out. This is a security question, and knowing the answer to it provides access to your account. Like a good password, that means it should be hard for someone else to figure out. So, "What is my high school's mascot?" is not secure at all. "What was on the cover of my sticker book?" is much better (though using it would probably would still have let my sisters break into my account.)

2. The answer should be hard to guess. Any question where the answer is a month, a color, a day of the week, a number under 10 or basically any other limited list of answers is a bad question. "What month did I get married?" only has 12 possible answers. Same with "What color is my bedroom?" Unless you know you'll always remember the paint was called "Deep Sea Diving", guessing "blue" would only take 5 or 6 tries, max.

3. The answer shouldn't change over time. The Pobox default security question is, "What is your favorite book?" This is great for me -- my favorite book has been the same for 15 years, or as long as I've been using that as my security question! But, if your favorite book changes every few years, this might not be a good choice for you. Per question 2, "The Bible" would also be a bad answer to this question, because so many people use it. If the Bible is your favorite book, consider a different security question, or using your second favorite.

We have also had more than a few uncomfortable customer service situations over questions like, "Who is my lover?", with respondents having to go back to girlfriends 5 or 6 back to come up with the correct answer.

Another problem is that many, many customers find it difficult to answer their security question correctly. Also consider these factors when writing your question.

4. Write the question so it's easy to always give the same answer. So, "Who was my kindergarten teacher?" could be Susan Jones, Ms. Jones, or Miss Jones. "What was my kindergarten teacher's last name?" only has one answer -- Jones.

5. Give a real answer. Some customers will tell us, "Security questions aren't secure, so I just put in random letters and numbers as my answer!" That's great, if you're writing them down and keeping track of them, or using a password crypt like 1Password. But, if you just hit whatever random keys you like, and don't keep track of them, we have no way to confirm you are who you say you are. If you forget/lose your password, and need to gain access to your account, you have basically made it impossible for us to grant it to you.

So, what are some questions that are hard to find out, hard to guess, unlikely to change over time, but easy to always type the same? A good list of questions is different for everyone, but try one of these real questions on for size!


Who was your first crush? (unless the answer is "my spouse")
Who knit your baby blanket? (unless the answer is "my mom")
What was your childhood stuffed animal's name?

Another good choice is something that wouldn't mean something to someone else, but makes sense to you. So, for instance, I have a piece of furniture in my house. It's not a cabinet, it's not a table, it's not a buffet or a curio cabinet. It's something in between. So, I call it Joe. For me, "What is the furniture with a name called?" would be a good question, though you probably shouldn't use it yourself. One of the best security questions I ever saw was "Who has skinny feet?" I'm sure the person who used it could answer that question in a second, but it would be very difficult to guess if you weren't them.

Even if you're 100% positive you used an awesome security question when you created your account, go look at yours now, and make sure you know the answer. If you are using an insecure security question, change yours today. Though no one likes to believe that someone would want to crack their account, it can and does happen. Be your own best first line of defense, and make sure your security questions and passwords are strong and secure.

Welcome, Aliencamel! Which Pobox account is right for you?

2010-05-24T16:07:00.008-04:00

Pobox offers a warm welcome to Aliencamel customers! You may have recently received an email detailing your migration options. Let me tell you a little bit more about Pobox.

All accounts include email forwarding, spam filtering, and vacation autoreplies. If you already have another place you want to read your email, then a Pobox Basic account will let you forward your aliencamel.com mail to the email address of your choice for USD$20/year.

Want to add email filters? Pobox Plus accounts include email filters that let you redirect, block, send autoreplies, send a condensed version to your mobile phone, or tag the subject of your message. Plus accounts are USD$35/year, and include all the Basic features, as well.

And if you're looking for a new home for your aliencamel.com address, Mailstore accounts support IMAP and POP for nearly all current email clients, plus webmail! It's 10GB of storage, plus all the features of Basic and Plus, for USD$50/year.

Once you've selected an account type and signed up, there are two other things you'll want to do: add your aliencamel.com address, and import your whitelists (some of you have 10,000 and counting!) You should already have your code and URL to add your aliencamel.com address -- just remember, you can't add it if you're using aliencamel.com as your forwarding address. So remove that as a forwarding address first, then use the URL to add it as an alias. To import your whitelists, just send an email to pobox@pobox.com, including your pobox or aliencamel address, and your whitelist attached as a file, and we'll import it for you!

With 15 years and counting, we hope that Pobox can be your email home for a long, long time. If you have any questions about the service, please contact Customer Support; we'd be happy to tell you more about ourselves and the best option for you!

Please don't email your credit card number!

2010-05-13T18:23:00.002-04:00

When someone is hatching a secret plan in a movie, you might see them ask, "Is this a secure line???" The average telephone call is transmitted as-is, which means, as it travels through the many lines and machines necessary to tranmit the call around the world or down the street, someone with the right equipment could listen in.

Email works the same way.

You might have the impression, given how fast email works, when you send an email that it just goes from your computer to the recipient's mailbox. In fact, even simple setups usually pass your email through 4 or more computers.

Email is like a postcard; for the most part, people aren't interested enough in what you're saying to bother looking at it. But credit card numbers are an obviously-identifiable string, making them easy to look for in a stream of content going by.

How do you prevent your credit card number from being picked up? Encryption. That's why you're never supposed to type in your password or credit card number to a web browser that doesn't show a secured lock or key. That lock indicates that your data is scrambled while in transmission; the website then has the information necessary to unscramble it on the other end.

Ok, then, why don't we just encrypt email, too? Well, it's not that simple. Companies pay a security provider for that encryption service. The security provider generates the information, and verifies that it's accurate, and provides the key to you that's necessary to scramble your data. And, over the years, the security provider has made sure that all the web browsers out there work with their service, so you never have to think about it.

For email, you would need a similar scrambling key for everyone who emails you, and you'd need to distribute your key to everyone you email. And you need a secure way to do that. And most people don't want that way to cost a lot of money. There are ways, and they work, and they've been around for a long time. They just aren't used by most people.

Think of email as a conversation you might have walking down the street. Generally, no one would bother to listen in. But if you started saying your credit card number repeatedly, well... it only takes one nasty person to cause a problem. So, please don't email your credit card number.

15 Years of Pobox: The Wired article that got it all started!

2010-04-14T15:31:00.001-04:00

Do you recognize this magazine cover?

If so, you might be one of our very first customers! The May 1995 issue of Wired magazine included the following sidebar in first page of the Scans section:

Email Trail

A new service called pobox.com offers an easy-to-remember e-mail address that you can use for the rest of your life (or the life of the company, anyway.) For example, any mail sent to mengwong@pobox.com is forwarded to pobox.com founder Meng Weng Wong's CompuServe account (71552.1674@compuserve.com). This way, if you switch online services, you don't need to message everyone you know informing them of your new e-mail address -- just e-mail your new information to pobox.com. --Mark Frauenfelder Price information: pobox@pobox.com, http://pobox.com/pobox/signup.cgi

Well, Meng's CompuServe address is long gone, but you can still email him at mengwong@pobox.com. And for those of you who took the chance that "the life of the company" was going to be a timespan that was useful to you, a very hearty thank you.

15 Years of Pobox: Memorable Customer Service Requests

2010-04-05T17:10:00.011-04:00

Not to toot my own horn, but I think Pobox Customer Service is great. I'm so proud to be able to work at a place where, by and large, we can actually help people resolve the issues they're having, not just give them canned responses or read off a script.

We think customer service is so important that virtually every staffer, no matter what job they've been hired to do, spends their first week doing email customer service. It helps new staffers get an idea of who you guys are, what you think is important, problems that people are worried about, areas of the service that need improvement, and the kinds of areas people are interested in us spending more time on.

That being said, because so many of you use your Pobox address (or URL!) for your own businesses, we get more than a few customer service questions or complaints about services we have NOTHING to do with, like the time we were asked for a refund for our guinea pigs. We've been told our kittens were insufficiently cute (I forwarded that one to the kitten cuteness complaint department), and our muesli lacks the requisite number of sultanas. We've been asked for help rescheduling people's travel plans, and for processing returns of products too varied to mention.

It's not all complaints, though! We've also gotten requests to join our band, from piano players in the Ukraine. He may have actually been looking for this band, but it did spur many a discussion about what instruments we would all play. Thankfully, Rock Band came out, and only our friends and loved ones have been subjected to the stylings of the Pobox house band.

There are many support emails that have stood the test of time, but one in particular is frequently cited in tales of Pobox CS history. I have reprinted it below.

logmeoutofthisaccountbecausesomeoneisusingmynameillegallyibelieveitis
venuswilliamsthetennisproandhergangongtheirtourstalkingmeongalveston
islandintexastheyareinvisibleasholographs,abusingassualtingmeandmywife
thatsaholographto.tiamowerythedisneystaranactorofsistertosisterthey
arethreatinghernottogetoutoftheholographtheywillkillherandmethatswhy
theyaremessingovermyemailandstealinginfothatimightgetwithinaemail
accountanytimeeventhoughihavebeenemailingthepresidentfromtimetotime
abouttheieractivityeverydayfollowingmesunupsundownevenwhileisleepstill
filmingthemselvesabusingmeandfilmingpronoabuseofandontheassualtofmy
wifealways.pleasereporttrhisimportantoftheiractivityasapthisis
importantwhereeverigetfreeemailwithinanacountstatusvenuswilliamsand
gangathreattoeveryonesystemwithintheinternetsystem.theyarerealslick,
getyourlawyersonthem.okiamtypinginrosenberglibrarygalveston,texasand
theinvisiblearewatchingmetypethisrightnowthatshowmuchathreattheyare
tomedamsomeonejusthitmewiththierfistandifeelthatpunchinvisiblepunch
thatsallisignbackuptommorrowok

So, remember, if you're on Galveston Island, beware the invisible punch!