login security

[gecko]

Hello,

I was setting up an alternative sender address the other day and -due to a typo- entered a wrong email address. Can the owner of that address -to which obviously a confirmation link was sent now- use that link to gain unauthorised access to my mailbox?

BTW, listing *all* logins *and all* failed login attempts with timestamp and IP of the last week or two, including those via IMAP and POP, would greatly improve traceability of whatever is going on with one's account. I have noticed that such a list has already been implemented in the account settings section, but doesn't seem to be in operation yet.

Cheers and regards,
gecko

[David]

I don't use Runbox gecko but while you wait for a reply, I would (if it were me) at least change my password.

[gecko]

David,

Thanks for the hint. Good point, even though I added the correct alternative sender address now and it seems that when you click the link that you're sent, you have to enter your ID and password to make it take effect.

However, it would be great if an RB rep could officially dispel my worries .

Thanks,
gecko

[Geir]

gecko,

The confirmation link is only used to verify the owner of the alternative address. To access your Runbox account you always have to log in with your username and password. So no need to worry!

Also, we have added a list of the last Webmail logins under Account, as you have noticed. We have extended it today with IP to domain lookups, and we plan to add failed logins too.

- Geir

[gecko]

Geir,

Thanks for the reply. Just as a suggestion: showing POP/IMAP access in that list would be nice as well. It would be even nicer if one could enable/disable POP/IMAP access in my account control panel, ie only allowing HTTP if they're disabled.

Regards,
gecko

[tomhab]

Geir:

For some reason it only occasionally logs my log in attempts. I normally log in using the following because it's quicker loading etc:
https://secure.runbox.com/mail

which forwards to
https://secure.runbox.com/login.ttml...x.com:443/mail

But then logging in doesn't create an entry in that table you mentioned.

[gecko]

The login history works for me in that it does list all logins. However, once the DNS lookup is performed, the timestamp changes (maybe to GMT?).

One more thing -- just to mention it and meant as something to ponder about: If a malicious person succeeded in breaking into your account and intentionally performed five futile attempts thereafter, no one would notice it as the login history would only show the five failed login attempts... One would probably have to list all (failed) logins of the last week or two to prevent that from happening.

Anyway, I do admit that this issue probably doesn't have top priority.

Regards,
gecko

[laverton]

Quote:

Originally Posted by gecko

The login history works for me in that it does list all logins. However, once the DNS lookup is performed, the timestamp changes (maybe to GMT?).

That was because the timestamp-field was set to auto-update, so that when the location is updated the timestamp is also updated. Problem fixed!

[gecko]

Hi,

I just noticed that logging in from secure.runbox.com does not create a login history entry but doing so from beta.runbox.com does. Anyone else who observed this behaviour?

Does the login history also cover logins through POP/IMAP?

Regards,
gecko

[kservik]

The system only records Webmail logins. Other types of attacks is monitored by our sysadmins.

Kim

[gecko]

Quote:

Originally Posted by gecko

Hi,

I just noticed that logging in from secure.runbox.com does not create a login history entry but doing so from beta.runbox.com does. Anyone else who observed this behaviour?

Does the login history also cover logins through POP/IMAP?

Regards,
gecko

Hi,

Today I noticed once more that only logging in from secure.runbox.com creates an entry in the login history in the account section whereas doing so from secure.runbox.com does not create an entry. IMO this renders the login history rather unreliable.

Regards,
gecko