New sonic.net webmail application

[mary]

The above measure is with the preview pane collapsed. With it showing, its own 'white space' bars further reduce the usable area.

[kgc]

The above measure is with the preview pane collapsed. With it showing, its own 'white space' bars further reduce the usable area.

Mary, improved performance on small screens is one of the things that we're working on right now. The internal test version has some improvements already in place and works without horizontal scroll bars in screens as small as 1024x768 - we're currently working on reclaiming as much slack space as possible to get more on the screen at a time. Hopefully we'll be able to push this out to the public beta soon.

[tikvah]

My friend who is over right now and uses Sonic says please keep Squirrel Mail. It works cross platform (phone, iPad, and computer) and does everything it is supposed to. She's tried the new beta one and says it's awful. She has a lot of folders and it only lets you see 8 at a time, not scroll through the list. And the functionality to deal with subfolders is lacking.

Cyndi

[kgc]

Cyndi, could you ask your friend what os/browser she is using and if she knows what screen resolution she is using or if she is using enlarged fonts? At 1024x768 I'm able to see 17 folders listed and the scroll bar is available on the side to see the rest. Also, can you clarify what is lacking in the functionality dealing with subfolders?

[scott]

On Sunday Apr 14, 2013 at 3:12 pm I submitted a long Reply to this "Official" Thread
that was started by Kelsey Cummings, the Sonic.net System Architect requesting user
feedback regarding the new Beta RoundCube WebMail. . .

To my surprise, so far, NO-ONE has replied to it directly or commented on it in any
related threads NOR has there been ANY response privately or in the forums by anyone
from Sonic.

I've read your post in question, and we do very much appreciate the feedback. It was constructive, and you clearly spent some time on the post -- again, very much appreciated, and we thank you for the post.

I think what may have happened is that some noise occurred in the forum just after your very clear signal, which decreased the signal-to-noise ratio. That isn't your fault, to be sure, and that isn't an excuse for not responding to your message. (But it is an explanation.)

Kelsey, have you read the post in question? It is good feedback.

[kfroiland]

i love the new app. SO much better!!!!!!
However i noticed one hiccup.I was cleaning up my inbox. I tried using the "move" feature and it didnt work several times. fyi

[nliten]

WebMail Configuration Change REQUEST to enhance user privacy and security.

When sending Email via the Sonic hosted WebMail interfaces two of the informational "X-" Headers that
are added cannot be configured by the Sonic User. These two Email Headers expose potentially sensitive
and exploitable data related to that Sonic User.

Email Headers can and often are easily, even routinely harvested by various BOTS, Viruses, Malware,
etc., as email traverses and/or gets cached on servers, client systems, various networks or while
it is being routed over the Internet. The harvested Email Headers and/or the entire email can then be
used/stored/sold/shared for often unsavory purposes by spammers, scammers, hackers, identity thieves,
unscrupulous businesses, various rouge agents/agencies and other individuals or groups that do not
generally have the best interests of Sonic.net or the respective Sonic customer/User in mind.

The incredible usefulness of the Header details to those that use them for unsavory purposes is quite
amazing. A few of the countless possible or typical uses are; to assist with user tracking and the
building of linked user profiles for targeted marketing, for spamming and related uses, for the
gathering of data which is then used for more advanced/sophisticated attacks against individuals or
businesses via phishing or social engineering based scams, etc.

Normally the "X-" Headers are intended to be used only for "informational" purposes and aren't
typically required for actual email routing. However, the specific headers of concern mentioned below
are generally used to aid Admins with email system troubleshooting and also to help track email
system abuse and to find the source of that abuse.

Fortunately Sonic is a sophisticated ISP and likely does not need to rely on the presence of the
below listed Headers at all or at least NOT in an un-encrypted "clear text" format for the
purposes of troubleshooting and abuse tracking. Sonic can accomplish these goals with various
existing network, router and server logs and other tools available to them along with existing
email Headers like the "Message-ID".


The Email "X-" Headers of concern that are added by WebMail to outgoing email and which the Sonic User
currently cannot, configure, modify or delete, are those...

1) Added by the (new, beta) Sonic RoundCube WebMail Client:

X-Sender: [email protected] ([email protected]) <-- Actual Sonic User Account E-mail

Received: from myStaticRDNS.mydomain.com ([xxx.xxx.xxx.xxx]) <-- Actual Sonic User: RDNS and IP
by webmail-beta.sonic.net
with HTTP (HTTP/1.1 POST); Fri, 12 Apr 2013 09:09:09 -0700


2) Added by the (current) Sonic AtMail WebMail Clients:

X-Atmail-Account: [email protected] <-- Actual Sonic User Account E-mail

X-Origin: xxx.xxx.xxx.xxx <-- Actual Sonic User IP


The other E-mail Headers ("From" and "Reply-To") and the associated "Email Name" only list info
taken from the selected "Alias" profile which was previously configured by the Sonic User.

An Alias email address is often or at least can be used and then discarded when/if it is or gets
compromised by Spammers but, unfortunately the primary Sonic account email address can't be easily
changed and is vulnerable to becoming a permanent SPAM target. Alias email addresses are also
useful to help a user track down which companies or individuals are helping spammers to target them.

There are many other reasons why a user and/or business may choose to use a private Domain
and/or Sonic based "Alias" Email addresses. Theses include among others, privacy, email handling
efficiency, etc. The presence of the above listed "X-" Headers in an un-encrypted form may serve
to undermine or compromise these goals.


I'd like to request that Sonic alter the WebMail Configurations to provide Sonic Users with
an additional layer of Security/Privacy and SPAM Harvesting protection by either removing the
above listed "X-" Headers from outbound email OR, at the very least, encrypting the data!

Possible Solution that could be considered for RoundCube WebMail...
The RoundCube WebMail software should make the above tasks very easy...

1) In the RoundCube Main Configuration File, "main.inc.php" that should be located in the
etc/ directory on the server box(s) running RoundCube add/change the following option:

Code: Select all

$rcmail_config['http_received_header_encrypt'] = true;

This will encrypt the IP/RDNS related info in the "http_received_header", "Received" Header.
This setting of "true" will then cause the following plug-in to encrypt the data of the "X-Sender" Header.

2) Add the following FREE RoundCube Plug-in and activate it on the RoundCube Server(s)...
I've attached the plug-in for your convenience

log_sender-1.0.tar.gz

Plug-in for RoundCube

(510 Bytes) Downloaded 4241 times

or, you can download it yourself at:
http://code.google.com/p/roundcube-plug ... 1.0.tar.gz
This plug-in ENCRYPTS the "X-Sender" Header on outgoing Email when the "http_received_header",
"Received" Header is also encrypted.

Alternatively you may choose to configure RoundCube to NOT add the optional
"http_received_header", "Received" Header at all, by setting...

Code: Select all

$rcmail_config['http_received_header'] = false;

You could also choose to modify the plug-in script to always use an empty string as the
data for the "X-Sender" Header, regardless of any "encryption" setting and/or the presence
of the "http_received_header", "Received" Header.


Possible Solution for AtMail WebMail...
Probably irrelevant at this point if Sonic continues to follow through with the recently
announced plan to completely shut down AtMail WebMail on 4/22/2013 or at sometime in the
near future.

[tikvah]

Kelsey, I just sent your query to her in email. I can tell you the computer is a Macbook Pro and I think she's running Snow Leopard, but it might be Leopard or Lion. The iPad will have whatever the OS for that is and the phone is some generic smartphone. She might have said similar to an Android but I don't remember for sure. Whenever I've seen her computers/devices, the fonts have all looked normal.

Cyndi

[thulsa_doom]

When sending Email via the Sonic hosted WebMail interfaces two of the informational "X-" Headers that
are added cannot be configured by the Sonic User. These two Email Headers expose potentially sensitive
and exploitable data related to that Sonic User.

Yeah, we put that in when we started seeing compromised user accounts spewing spam with no reliable indication of which account was breached. Wundermail doesn't currently do this.

[kgc]

@nliten - we've discussed this at some length and what you see is the result of those conversations.

The synthetic Received header amounts to the same thing added by our outbound SMTP servers when mail is sent through them. All major webmail providers except for gmail (as far as I'm aware) also generate this synthetic header. This has the distinct advantage that the receiving server is able to process the received headers to the original source for use in spam filtering and affords webmail users no more or no less anonymity than users that choose to use their own clients.

The plugin that you've pointed out encrypts this header but that results in a positive score in SpamAssassin due to it having an unparsable received header.

On the other hand, the data in the X-Sender could be encrypted, we'd just need to write/modify a plugin to do it.