Messages getting marked as spam when you send from your own domain name using Gmail?

We recently heard from a couple of customers who set up Gmail to “Send mail as” a different email address at their custom domain name many years ago, and who are now having problems sending mail to people who use for their mail service (the messages were wrongly being flagged as spam at Outlook).

If this happens to you, it’s because the way Gmail used to set this up doesn’t interact well with modern email providers. The way they send these messages makes it look like a “spam forgery” to providers like that check for DKIM and SPF.

You can easily solve this by deleting the address in Gmail, then re-adding it. (If you’re one of our customers, the “Using Gmail to send messages” section of this page on our website shows the settings to use at Gmail.) Google will then set it up in a better way that works with modern email providers.

Read the rest of this entry »

Extortion scams that claim to have hacked your account

We’ve seen a few reports recently of customers receiving messages that begin something like this:

I’m going to cut to the chase. I am aware [redacted] is your pass word. More to the point, I know your secret and I’ve evidence of your secret. You don’t know me personally and no one paid me to examine you.

Or like this:

You may not know me and you are probably wondering why you are getting this e mail, right? I’m a hacker who cracked your email and devices a few months ago. Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.

The message then goes on to demand money (usually in the form of a Bitcoin ransom) in order to not reveal your “secret”.

These are a scam; you should ignore them. The mail is sent in bulk by spammers to millions of people, just like any other spam, and they know nothing about you beyond your email address and possibly a password they stole from another site. Our filters block most of these (we’re blocking more than a dozen per day per account, on average), but unfortunately no filter can block all spam messages, and the spammers are constantly changing them to get around the blocking.

You can find more information on sites like Sophos and Krebs on Security.

Read the rest of this entry »

Outlook error 0x800CCC13 and Windows 10

We’ve had reports of an error message like this in Outlook when using Windows 10:

error (0x800CCC13): Cannot connect to the network. Verify your network connection or modem.

If this happens to you, it’s because of a problem with Windows 10, not with Outlook or our servers. According to the Microsoft page about it, updating Windows 10 should fix it. If it doesn’t, they suggest using a “workaround” to repair corrupted files on your computer.

PHP 7.0.0 and 5.6.16

The PHP developers recently released PHP version 7.0.0, as well as an update to the 5.6 series, version 5.6.16. We’ve upgraded PHP on our servers as a result.

The official release of PHP 7 means we’ll start encouraging customers to use it (as long as they use modern scripts like current versions of WordPress). It’s almost twice as fast as old versions of PHP. Yes, really: Twice as fast. We’re using it ourselves on this blog.

If you’d like your WordPress or other PHP-based site to seem snappier, or be able to handle twice as many visitors per second, you can easily do so:

  1. Login to our My Account control panel
  2. Click PHP Settings
  3. Click PHP 7.0 series
  4. Click Save Settings

Then test your site to make sure it works properly. If it does: Great, you’ve just made your site much faster! If it doesn’t, it’s probably because you’re using older scripts that haven’t yet been updated, and you can simply set PHP back to an earlier version for now. We recommend that you always use the latest version that works properly with your scripts.

As always, if you have any trouble, don’t hesitate to contact us.

Disabling SSLv3 and TLS 1.0

If you use an SSL certificate on a site you host with us, we now offer more control over the SSL/TLS protocol versions your site uses.

Old protocol versions, including SSL version 3 (“SSLv3”) and TLS version 1.0, are no longer considered secure. You can now disable these to improve security, at the expense of preventing some older, less-secure browsers from making SSL or TLS connections. Some credit card companies are starting to require that SSLv3 and TLS 1.0 both be disabled.

Read the rest of this entry »

WordPress 3.0.2 update (and mod_security rule)

If you use WordPress blog software on your site, be sure to upgrade to WordPress 3.0.2 as soon as possible. The upgrade contains an important security fix for a vulnerability that allows any WordPress “author” to become an “administrator”.

Although all WordPress users should upgrade right away, we’ve added security rules to our servers to protect our Web hosting customers who haven’t yet upgraded. Other people may find the rules useful if they use mod_security on Apache Web servers. The rest of this post contains more technical details.

Read the rest of this entry »

Avoiding problems with missing images in WordPress

WordPress installations handle missing image files very inefficiently by default, running the entire WordPress script to build a custom “404 Page Not Found” page rather than simply letting Apache return an immediate default “404” response. Running the WordPress script when not necessary is a huge waste of processor time. For example, WordPress might be able to only process 8 requests per second for a missing image when WordPress generates a custom “404” page, but Apache can return process over 1,000 raw “404” responses per second. If your Web site contains references to missing files, this default WordPress behavior can be driving up your CPU usage unnecessarily. We’ve seen poorly-configured Web sites spend a significant portion of their CPU time processing missing images.

Read the rest of this entry »

Even better performance from WP Super Cache

In a previous post, we talked about how increasing the WP Super Cache “Expire time” from 1 hour to 48 hours can help the performance of WordPress blogs.

Here’s another tip that can help dramatically: Remove “bot”, “ia_archive”, “slurp”, “crawl”, “spider” and “Yandex” from the Rejected User Agents box in the WP Super Cache plugin settings. (In most cases, this will leave the box completely empty.)

Read the rest of this entry »

Protect your WordPress login

Update: This post is outdated. We now offer SSL certificates for free to all customers, and recommend that you make your entire WordPress blog use SSL (rather than just making the dashboard SSL using the FORCE_SSL_ADMIN trick described below).

Do you login to your WordPress blog securely? Are your username and password encrypted so that “hackers” can’t steal them and then break into your blog? (Probably not!)

By default, each WordPress blog is configured to send the login username and password as plain (unencrypted) text. If a hacker can see what you are sending during your login, they can easily steal your username and password. This can happen if you have a virus installed on your computer. It can also happen if your computer is virus-free but connects via WiFi. If your main computer uses a wireless connection, or if you or other users of your blog ever login with their laptops — blogging from a coffee shop, anyone? — remember that these connections can be insecure, and could be susceptible to revealing your password.

You can protect your blog by installing an “SSL certificate” and configuring WordPress to require secure logins. Your browser will then encrypt your username and password so that no one can intercept them.

Read the rest of this entry »

WordPress security thoughts

In the last few days, there’s been a lot of talk on the Internet about the security of WordPress blog software.

Several shared hosting companies apparently allow customers to view the text of other customer’s files by default, and that allows malicious customers to discover the database password of another site (from the “wp-config.php” file) and alter the site.

Read the rest of this entry »