Security and privacy are strong points of Thexyz, an email service from Canada founded in 2007. What are the challenges, what differentiates Thexyz, and what can a regular email user do to be safe when checking emails? Read our interview with Perry Toone, founder of Thexyz, to learn more.
Please present Thexyz to our audience
Thexyz is in its 16th year now. It started mostly just doing email for people but has now transformed into providing domain registrations and websites as well. We have two website offerings, Hosted Weebly and Managed WordPress. We use cPanel for our hosting control panel; it’s got a setup with usage-based billing now, so it’s affordable and fair to people. We’ve got some exciting plans for this year of 2022, as we scale our operation. We have a lot more customers now, so it’s just sort of keeping the ship steering and afloat.
What changed since the company started and what were its main challenges?
The challenges that I deal with are mostly related to anti-abuse and DDoS-related incidents. Last year, in particular, we had a big one, and a number of mail providers around the world such as Protonmail, Runbox, Tutanota were also targeted with a note from a group called “Cursed Patriarch”. They demanded Bitcoin; otherwise, they’d DDoS-attack us. They did a little one on a Sunday evening. I was making dinner and a lot of emails were coming through on my phone, and failover things started kicking in.
Then, I saw a failover server was knocked offline and Thexyz got knocked offline very few times, and this was one of them, for 14 minutes or so. It was a very high-level DDoS attack. We had to enable all sorts of protections for it. We don’t pay Bitcoin to criminals, so we weather these storms.
I think it’s important for these mail providers to have solidarity and not pay these fees. Around 5 years ago there was a story about Protonmail paying a ransom after 7 consistent days of attack because their service was really suffering. After that, the attack just increased for 3 more days, so it shows that paying these ransoms is not advisable and does not really help.
Thexyz focuses on privacy and security as the main selling points. Why do you think big, famous email services don’t focus as much on security and protection? Does it have something to do with them wanting to sell the users’ data?
Yes. There’s this voluntary data sharing with Big Tech that makes it hard to be marketed as a privacy service when you are openly sharing data with third parties. I think privacy and security are very important and it’s part of our fundamental human rights.
It’s a challenge, though, to offer a service like this because it’s a balance between convenience, ease of use, and security. Especially with email, a very old technology in the internet world, it is inherently insecure. Making it secure introduces some challenges and makes things a bit more complicated to use. We are often talking to customers and finding that “happy balance”.
What can the average person do to protect themselves while using their email?
Two-factor authentication (2FA) helps secure your login. Last week, Microsoft discovered a new phishing attack in which attackers could get access to accounts that did not have 2FA enabled.
A lot of these attacks can be mitigated or prevented just by doing best practices. I believe it’s better to use an app rather than an SMS message to do 2FA. I think it’s a great step to securing your online identities.
I am also a big fan of aliases for online services. Suppose there’s an email you’ve had for 10 years that was used to sign up for different sites. If one of those sites’ databases gets hacked, your email address can be made available for purchase or download on the dark web together with your password and maybe your date of birth.
Hackers use this information to try to log into other accounts or build a profile on you to try to take your identity. It’s all tied to that email address; it’s your online identity. LinkedIn is a good example: it has been compromised several times, so I have a special alias (an email address) for this service. LinkedIn also sells your email address to anybody that wants to spam you. I have a special alias, so I collect LinkedIn’s spam and can tell when the company sold my information.
What are the biggest threats today for an email account owner?
I’d say phishing has increased a lot as well as the sophistication of the attacks. Just don’t click on any links and nothing will happen through your lack of action to an email. Just doing nothing is always my advice to people who are unsure.
There was one particular email I saw recently where things were more engineered, targeted towards leaders of a company. They may even send a legitimate email beforehand to see how they write emails, see the signature, and how they craft emails. All these details can be matched in a phishing email.
This company was targeted with one of them, and they could see in the email that the previous correspondents were they, so they trusted it, and it was asking for payment in the order of hundreds of thousands of dollars. They nearly did it, but they decided to ask for help to certify if it was legitimate and fortunately did not send it.
What are Thexyz’s plans for the near future?
Many people know Thexyz for the email, so a lot of our plans revolve around it. We’ll give people a lot more choices to use different email systems and make it easy for them to switch.
We do a lot of email migrations, and sometimes people are not even customers of Thexyz; they’ll come to us for help moving their mail from one system to another. These days, a lot of our clients have switched to the Google Workspace and Office 365 email systems, so we’re starting to offer them as well and give customers the choice of remaining a customer while changing their email to a different provider of their preference.