FeedBlitz and the Heartbleed vulnerability

We’ve been asked this a few times recently, so for the record: FeedBlitz isn’t vulnerable to the Heartbleed vulnerability.

FeedBlitz doesn’t use the platforms affected, and we don’t use OpenSSL for SSL encryption on our servers.

Does that mean you shouldn’t change your password here at FeedBlitz? Not exactly. If you use the same password here that you do on an affected service then maybe you should, yes.

But ZOMG. Can we talk a little about risk here, please? Do you hand your credit card to a waiter to pay for your romantic dinner? Do you give your card number over the phone when ordering something from a local business? If you have ever done so, you’ve willingly given your payment information to a complete stranger and probably thought nothing of it.

How risky is that?

Which is not to belittle the scale of the potential risk that Heartbleed poses to the Internet’s security infrastructure. But on an individual level, you’re probably more likely to have your wallet lifted at the next major league ball game you go to.  I’m personally currently unaware of any proven cases of this vulnerability having been exploited successfully for any kind of mass compromise.

Sturm, drang and panic. A heady, volatile and newsworthy combination to feed into the 24-hour cable news cycle.

How about some facts, instead of could haves and might haves. Wouldn’t that make a pleasant change?

As a reminder, here’s the one thing hackers and phishers know: They get more mileage by phishing, spoofing and social engineering (i.e. pretending to be someone, or something you trust; or simply conning you into willingly handing over secret information).

Which segues nicely into my planned DMARC post, which I’ll probably get to on Thursday now.

Authenticating your Emails with SPF

Following up on last week’s post about Yahoo’s DMARC policy change, here’s how to authenticate mailings that (a) you send, and (b) we send on your behalf.  Before going into this, I want to make this point abundantly clear:

FeedBlitz automatically authenticates email we send; you don’t HAVE to do anything.

And for the vast majority of our clients, that’s perfect! That said, let’s say you want to authenticate email you send for your site’s domain anyway, and email we send for you as well. OK, sure, can do. In order to make that happen, you must have the ability to add a TXT record to your DNS settings, because that’s how SPF (the authentication protocol we’re going to set up) works.

Got that ability? Ok, good. Here’s what you have to do.

If you don’t have an SPF record already in place, you can simply add this as a TXT record to your domain’s DNS:

v=spf1 include:mail.feedblitz.com ~all

What this says is “hey, I’m an SPF authentication record for <my site’s domain>, anything that mail.feedblitz.com sends on my behalf is OK, anything else you should look at closely.”  This SPF entry in your DNS will authenticate email sent by FeedBlitz for your site based on your SPF records (remember, FeedBlitz’s emails already authenticate based on our SPF records, and your SPF entry won’t change that). It also invites providers to look more closely at other emails that purport to be from you. If this makes you nervous, replace “~all” with “?all” but then the SPF record doesn’t really say much of anything; it’s effectively a test entry that will, in the real world, have no effect at all.

You should therefore think about email sent by, or through, other systems on your behalf. Let’s say that you’re using Google Apps, and you send email for your site through your Google Apps account. Here is what Google help says your SPF record should be:

v=spf1 include:_spf.google.com ~all

So, to tell receiving ISPs that it’s really OK for your domain to have email sent on its behalf by both Google Apps and FeedBlitz, here’s what you should set your SPF record to be in your DNS:

v=spf1 include:_spf.google.com include:mail.feedblitz.com ~all

In other words, you simply add include:mail.feedblitz.com to any current SPF record (or the example given to you by your provider), and email we send on your behalf will authenticate using both our SPF record and yours. So for the above record, Google Apps will authenticate as well as FeedBlitz. The same approach works whatever ISP or service you use to send your site’s emails through. All you need to do is find out what you need to have for your SPF record for the system you typically send email through, and then add the include:mail.feedblitz.com text to it. Your provider should be able to help you with the record you need to add for their systems.

Now, if you research SPF, you will see that some recommend using “-all” (dash all) instead of “~all” (tilde all) at the end of the SPF record.  It’s a critically important difference, and I really don’t like that advice for bloggers and businesses without dedicated and email-savvy IT staff. You should think very hard before using the “-all” version. Here’s why.

The tilde version “~all” says “Look closely at email that doesn’t authenticate, but we’re not saying it’s definitely bad” — effectively leaving ISPs to use their best judgment to determine whether email that purports to be from you but doesn’t authenticate is spam (or not). I certainly recommend using this option, at least at first. It’s the safest way to avoid valid email from you being accidentally junked. ISPs are really pretty good at blocking junk based on things like IP reputation, content filters and other techniques. Most of the time, this is going to be A-OK.

Switching to the dash version “-all” says something very different: “Any mail that does not authenticate is definitely junk.” That’s something you should only set if you’re really, really sure that statement is true, because now you’re saying anything and everything else is absolutely spam.

How could this possibly go wrong? Well, for example, say you send an email from home via your cable provider’s email servers instead of Google Apps or FeedBlitz for your blog’s domain, assuming that is how you’ve set up your SPF record. The “-all” now says that the email you just sent is junk. As a result, it might not be accepted by your recipient’s email provider at all, and if it is, it will certainly be routed to their spam folder. The same might happen if you use a third party service, such as a shopping cart or help desk system, that sends mail on your behalf, but not using the mail systems you identify in your SPF record. Or, say you switch hosting services or email providers and forget to update the SPF record you created several years ago. All your email will be junked, thanks to that “-all”, until you fix your SPF record.

So you need to be very, very sure that email will only be sent from the domains and IP addresses that you specify in your SPF record before you switch to the “-all” version of SPF. And you need to remember to update it as you add, switch or drop online service providers.
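
The merge step and the effect of the trailing “all” qualifier described above, as an added example (not FeedBlitz’s own code). The helper names add_include and unlisted_sender_result are hypothetical, and the sketch ignores the redirect= modifier.

```python
# Added example: merge an include: mechanism into an SPF record and report
# what the trailing "all" tells receivers about mail from unlisted senders.

# Qualifier -> SPF result when only the "all" mechanism matches (RFC 7208).
QUALIFIER_RESULT = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}


def split_term(term):
    """Return (qualifier, mechanism); the qualifier defaults to '+'."""
    if term[:1] in QUALIFIER_RESULT:
        return term[0], term[1:]
    return "+", term


def add_include(record, domain="mail.feedblitz.com"):
    """Insert include:<domain> ahead of the trailing 'all' mechanism.

    With no existing record, the starting record from the post is returned.
    """
    if not record or not record.strip():
        return f"v=spf1 include:{domain} ~all"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    wanted = f"include:{domain}".lower()
    if any(split_term(t)[1].lower() == wanted for t in terms[1:]):
        return " ".join(terms)  # already authorised, nothing to change
    # SPF is evaluated left to right and stops at the first match,
    # so a term placed after "all" would never be reached.
    for i, term in enumerate(terms[1:], start=1):
        if split_term(term)[1].lower() == "all":
            terms.insert(i, f"include:{domain}")
            break
    else:
        terms.append(f"include:{domain}")  # record had no "all" term
    return " ".join(terms)


def unlisted_sender_result(record):
    """SPF result for mail from a server the record does not list."""
    for term in record.split()[1:]:
        qualifier, mechanism = split_term(term)
        if mechanism.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no "all" and nothing matched: RFC 7208 default
```

A domain may publish only one SPF TXT record (RFC 7208 treats multiple records as a permanent error), which is why the include is merged into the existing record rather than published as a second one.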

Now you know how to set up SPF for your domain. After you do this, you should ensure that emails we send on your behalf are from an address on that domain, and not a generic consumer provider, so that the authentication you set up can take effect.

The flaw with SPF, which is why it’s imperfect, is that other spammy systems might authenticate correctly for themselves (because of their own SPF records) but still spoof your address. That’s the situation DMARC addresses (and what caused all the problems with Yahoo), and I’ll cover that tomorrow.

FeedBlitz: Rewind the Week

It’s time again here at FeedBlitz to Rewind the Week, and bring you some of the tech and business news you might have missed while you were busy taking over the world (that’s what you’ve been doing, right?).

This week, headlines were dominated by tech news, and not all of it was bad. Maybe it’s best to start with the good news—well, it’s good news for Dropbox, anyway … [Read more...]

DMARC’s (Un)intended Consequences: Why Yahoo is Bouncing Your Emails

Let’s get straight to the point. Over the weekend, possibly last Friday night, Yahoo changed a key DNS (domain name system) entry. The effect was brutal: It started bouncing out every email that said it was from a yahoo address, but had not been sent by a yahoo server.

So, if your email said it was from blogger@yahoo.com but was in reality sent by a third party, such as FeedBlitz (bear in mind this is not targeting FeedBlitz specifically, and is not a blacklisting; this applies to any third party service and I’m using us as an example), then if you sent your email over the weekend, it was bounced by Yahoo.

That’s bad, and it gets worse. It was also bounced by Gmail, because they are paying attention to the DNS record Yahoo changed, called a DMARC record. Bottom line: Your emails didn’t get through, if you specified your “from” address to be a Yahoo email.

They didn’t get routed to junk or the spam folder.  They were bounced out and never accepted for delivery, if (to repeat ad nauseam) you specified your “from” address to be a Yahoo email account. [Read more...]

FeedBlitz: Rewind the Week

It’s that time again, time to rewind, and take a look at some of the stories you might have missed this week in the world of tech, business, or sometimes, even the beauty of art.

This week’s FeedBlitz: Rewind the Week touches on all three of the above, with a special ‘hat tip’ towards innovation, and how young people are using today’s latest technology (Google Glass, 3D mapping) to foster change – even if that change is just in how we see ourselves.

Let’s get started. First, nothing says Friday like a ‘tech scandal’, right? [Read more...]

Wednesday Wrap: Our Top Five Guest Bloggers of 2014 (So Far!)

Wednesday is normally our spot to feature guest bloggers, people who bring an outside voice and vision to the FeedBlitz table, and who generously share their experiences in digital marketing with our community.

Today, we wanted to do a look back at some of the best guest bloggers we featured over the first couple of months of 2014.

You might have missed one or two, and now, you’ll have a roundup of the top five, on one handy dandy cheat sheet.

Enjoy! [Read more...]

FeedBlitz: Rewind the Week

My new goal is to stop complaining about the weather.

We’re finally seeing the back end of March, and while spring came in like a lion, and pretty much went out like a lion (hey, spring, that’s not how it works!), we have April to look forward to, and are one month closer to summer.

So there. Done. No more weather talk.

On that positive note, today’s FeedBlitz: Rewind the Week manages to bring you everything you need to have a fantastic weekend: Money, media, and music.

Let’s start with the money. [Read more...]

FeedBlitz: Rewind the Week

Today’s FeedBlitz: Rewind the Week is going to be a little different. Instead of the usual roundup of top tech news of the week, we thought we’d bring you some video inspiration.

Bill Gates was recently asked by the smart folks at TED to choose his favorite TED Talks (not surprisingly, his wife Melinda’s talk made the list. Good husband!).

So, we thought we would share four fantastic TED Talks with you today – one by Bill Gates himself, and the other three chosen by Gates on his list of 13 favorites.

So, let’s start! [Read more...]

FeedBlitz: Rewind the Week

For today’s FeedBlitz: Rewind the Week, we’re going to do a little looking back, and a little looking forward.

This week saw the 25th anniversary of the World Wide Web. According to one article (of many) “On March 12, 1989, computer scientist Tim Berners-Lee proposed a type of digital information sharing at CERN that would use “linked information,” “nodes,” and “hypermedia” to form a “web.””

And if you want a real giggle, have a look at the very first web site, from 1990 (and still live today).

Anyhow, let’s get started, and take a look at some of what’s been kicking around the World Wide Web this week, that you might have missed. [Read more...]

FeedBlitz: Rewind the Week

There’s hope, there’s hope!

Not only is today Friday, which is always a pleasure to see no matter how much you love the work you do, for most of us here in the U.S. it’s Daylight Savings Time weekend!

And, after the winter we’ve had (and, let’s face it, are still having), being able to “spring ahead” this weekend will bring us an extra hour of much needed daylight – and that wonderful feeling that our elusive spring might actually, finally, be ‘in the air’.

That said, Friday also brings another edition of FeedBlitz’s Rewind the Week, where we drop a handy dandy selection of some of the best digital news from the past week into your inbox. Today we bring you – the tech edition!

So, without further ado, let’s begin. [Read more...]