OUTBOUND SERVER INDEX

Home

How Authentication Works

How the authentication process works
Security and expiration considerations
Notification of changes to your settings
Failure modes to think about
The worst that can happen
Field and usage definitions
Pseudo code for how we authenticate that you can control listings for a domain

How the authentication process works

There are two ways for you to show that you are authorized to control mail server listings for a domain:

Demonstrate that you have FTP access to the website for the domain by creating a folder and file in the webroot

Demonstrate that you have FTP access to the website of a nameserver for the domain by creating a folder and file in the webroot

If you are an ISP, this gives you the ability to control the listings for large blocks of domains under your care, just by authenticating once as an admin for a nameserver.

We will give you a randomized folder name and file name, which you then create in the root of your web server. For example, if your domain is http://paler.net/, you create a folder such as http://paler.net/978012569123459/ and place a file such as 1561256152982677.html in that folder.

We will give you the contents to put in the file, including another randomized number.

When you have the file in place on your webserver, you will click a button. We will access the file and check to make sure the contents agree with the record in our database. If everything matches, you will have access to the Dashboard, which you can use to create and edit mail server listings.

More detail for each field and usage is provided below.

Security and Expiration Considerations

Limit authorization for editing listings to one workstation or a small range of trusted IPs. Obviously, you won't want to use a proxy or shared IP unless you can trust all users.
Set a reasonable expiration date based on the security of the workstation IP you have authorized. Consider these tradeoffs:
- The length of time you feel that your workstation IP won't change
- Who has physical access to your workstation, and for how long
- How often you are willing to repeat the authentication process
- Longer expiration dates allow you make changes without having to re-authenticate every time you want to make changes to your mail server IPs or add/delete domains.
- As long as you have a secure, static IP and workstation, you may wish to set the expiration date a month into the future, or whatever time period you are comfortable with.
- If you don't have a static IP and you are not confident that your workstation will remain secure over time, you can expire the authentication at any time—even immediately after you enter first listings—simply by deleting the folder you added to your webroot via FTP. You can also set the expiration date to "yesterday" to accomplish a high level of security.

Notification of Changes to Your Settings

We avoid using email in the authentication process so we can avoid sending you an email that you may not have requested or wanted. However, if you set your expiration date into the future, we recommend that you give us a notification email address. We will send you an email when/if someone alters your Outbound Index listings. Note that we may require phone verification of your preferred email address if that address is not @ the same domain. This is to prevent a malicious user from setting a spamtrap address as the notification address and then triggering a notification.

Failure Modes to Think About

Could someone get in and destroy your listings? Yes, if they can get FTP access to the root of your webserver, they could. But if they have FTP access to the root of your webserver, they could also bring your entire website down, or deface it in embarrassing ways. So it's probably a security breach you'll quickly remedy.

Another way someone could destroy your listings is if they could get control of your primary DNS server. But again, if they have control of your primary DNS, they could also destroy your ability to operate 9 ways to Sunday. Altered Outbound Index listings would be the least of your problems.

Someone could alter your listings if you don't expire the authorization, and you authorize a public proxy IP or a dynamic dialup IP, which is later used by someone else. They'd have to randomly figure out your domain name and get to this site.

Someone could alter your listings if they snuck into your office and used your computer, and you hadn't expired the authorization for your listings.

If you don't expire your authorization, and someone manages to spoof your IP, we would send you an email notification. We employ anti-spoofing checks pro-actively.

A 404 or custom File Not Found error screen could echo the file and folder name in its contents. However, it would not know the randomized number within the file contents.

The Worst That Can Happen

If your listings are maliciously altered, then incoming email servers which use the Outbound Index may handle your mail differently until you correct your listings or de-list.

Description of each field:

DOMAIN
The domain you are going to list mail servers for (once you gain access to the Dashboard)—or the nameserver domain for multiple domains that you plan to list mail servers for.

WORKSTATION IP
The IP or range of IPs you would be sitting at next time you make changes to your mail server listings.

EXPIRATION DATE
After midnight on this date, you would have to create a differently named folder and file, with different contents, in order to re-authenticate and be allowed to manage your mail server listings.

NOTIFY EMAIL ADDRESS
This is purely optional. You may leave this blank. If you are leaving your authentication open, you may wish to be notified in case someone other than yourself gets in. We will email the address you specify indicating that someone has changed the listings, and what their IP is.

FOLDER
We give you the randomized value for the folder name.

FILE
We give you the randomized value for the file name.

FILE CONTENTS
We give you the exact file contents, so you can copy/paste.