Randy Calvert

Happy Independence Day to the IPS team! I hope you have a great holiday break!

You don’t have to create the email address. Sendgrid can send as ANYTHING you want. If you don’t create the address however, users won’t be able to reply to the email and have it go anywhere that you see the response. On this site, IPB uses the outgoing address noreply@invisionpower.com to help encourage/remind people that if they reply to an email notification that it won’t be seen. There is no right or wrong answer… it just depends on how you want your community to operate. On my site, emails are sent from moderators@yourdomain.com… or you could do something like community@ or notify@.

DMARC is not a real issue. In fact, Invision does not have DMARC enabled either and their mail delivers fine. If someone fills out a Contact form on your site (and you're configured to send that message as email instead of routing to a support request in Commerce app), that is an OUTBOUND from your site via Sendgrid to wherever you have your have your emails pointed to. If it's pointed to an email address that is on your domain (like webmaster@domain.com), Sendgrid does a MX lookup on the domain and receives Google's MX and sends there. It does not come back to your forum. IPB does not have a concept of importing emails into your forum. (The Commerce app can fetch support tickets via POP3, but that's the only sort of way of getting email into IPB.). You can't send an email for example and have it post a topic or reply to a topic. Think of it this way... let's say you have the domain "yourdomain.com". On IPB you send email as coming from "webmaster@yourdomain.com". With Sendgrid setup, any email sent comes from webmaster@yourdomain.com. But you also have webmaster@yourdomain.com setup in Google.... you can send AND receive email from webmaster@yourdomain.com. That means if someone replies to the email sent from IPB, the reply will end up in your Gmail because it's the INBOUND MX record for your domain. Sendgrid = Outbound email only Google = Inbound AND outbound Sendgrid sends mail on your behalf. It cannot receive anything. There is no way to have email come INBOUND into your forum. It's "exit only".

Holidays (especially 4 day weekends) have been a super common attack time for my financial services customers for over a year. We actually have betting pools for what customer and what time! Attackers know when organizations are likely to be running on a skeleton crew and try to take advantage of it unfortunately.

And here it is… a Saturday afternoon on a holiday weekend. Attackers love to ruin weekend plans! This is a fantastic confirmation of value!

When running 8.1, run the compatibility script. It’s possible the 8.1 install was updated but is missing a required module. Not saying that is absolutely the reason, but it’s a possibility.

Incoming mail is controlled by MX records in DNS. For example, IPS also uses Google for receiving email: admin@localhost ~ % dig invisioncommunity.com MX ; <<>> DiG 9.10.6 <<>> invisioncommunity.com MX ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3130 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;invisioncommunity.com. IN MX ;; ANSWER SECTION: invisioncommunity.com. 300 IN MX 5 alt1.aspmx.l.google.com. invisioncommunity.com. 300 IN MX 5 alt2.aspmx.l.google.com. invisioncommunity.com. 300 IN MX 1 aspmx.l.google.com. invisioncommunity.com. 300 IN MX 10 aspmx2.googlemail.com. invisioncommunity.com. 300 IN MX 10 aspmx3.googlemail.com. That routes inbound email to Google's various servers. Now... for OUTBOUND email, you have to list both Google and Sendgrid in SPF/DKIMM. In looking at the Invision SPF record, you see: v=spf1 mx include:servers.mcsv.net include:_spf.google.com include:sendgrid.net include:mail.zendesk.com include:helpscoutemail.com -all Each service provider needs to be included with an "include:" statement. For DKIM records, you need to publish both Google and SendGrid's record via DNS as they instruct. And yes, you can have multiple DKIM records. https://powerdmarc.com/multiple-dkim-records-on-email-domain/#:~:text=To publish multiple DKIM records,concatenated into your previous records. When you say email from your server is blocked, I assume it's Sendgrid that is sending that email. Look up the email in the Sendgrid console and see what it says for the message. Why is the other mail server rejecting it? If it's a configuration with SPF/DKIM, it should say that. It might also simply be that you're using Sendgrid's shared IPs and they are being blacklisted. (In that case, you would need a dedicated sending IP from them.)

A 503 error can happen for many reasons. For example, if your host upgraded PHP on the server but did not include a required module that is used by IPS, it could trigger that error. It simply means when the request was made, the server is not able to handle the request. https://blog.airbrake.io/blog/http-errors/503-service-unavailable But this type of error is not a software level error.... as you can see from above its server based.

Do you have a custom domain specified in the storage method settings?

Blocking what? Mail from sendgrid, mail from your personal email on the domain? If it’s the mail sent through Sendgrid look at the logs in Sendgrid to see why. If you are using a Sendgrid shared IP, it could just be a reputation issue. You may need a dedicated IP. I quit using Sendgrid after roughly 20 percent of mail could not be delivered to Hotmail and Comcast users because Sendgrid’s IP addresses were being rejected by them.

You might look at Google translate. https://www.dummies.com/article/technology/notable-websites/google/how-to-install-google-translates-website-translator-plugin-145074/

You might want to post that in the feedback forum as it will not be seen later in the sea of support issues. 🙂

Marc and Olivia do a good job with making the migration go pretty well. They've got it down to a science!!

That's a question to pose to Google forums. I personally switched to the recommended GA4 code to prevent potential dataloss. It took all of a few minutes to update.

Do we get to pick?!

ACP - System - Site Features - Integrations - Google Analytics

Did some votes get removed? With certain other areas like reputation… hiding or deleting content does not remove points. I’m wondering if something similar is happening here where some votes might have been removed or changed.

I swear I checked this. Sigh… I need a drink. Maybe two! Now I’m off to slink in the corner.

If you have suggestions for improvement, they should be posted in the feedback forum. Otherwise it’s lost in a sea of support topics. 🙂

If they got in via wordpress, in theory moving to the cloud should be fix the problem. If the problem was the Wordpress SSO AND if you moved it to the cloud, you might have problems. But given I have not seen similar issues for the plugin itself, my guess would be it was Wordpress itself that was the initial compromise vector. Moving to cloud should be good.

Moving to cloud would remove any infected files because they don’t use the original raw files provided by you. They want the source files to get to the uploads folder and the folder with third party resources in it. The main IPB core files with source code are not used. So in a majority of the cases it should fix it. But for example if your theme was edited, that might be carried over too. It depends on exactly what is injecting the bad code. That’s why it’s hard to give you a simple yes/no answer. It depends on what is actually the root cause of your problem. But if it’s on the cloud and having issues still, they should be able to help isolate where it’s happening. (For example having you switch to a default theme to see if it fixes problem.)

It's always good to be safe! 😄

Yes via FTP and overwrite anything. All the current images and data would be safe. The data is in the database and user uploaded images would not be in the files downloaded from the client area. You're replacing IPB core system files, not the user generated ones.

Are you using a proxy, firewall, or a cdn or something else in front of the server?

If you maintain control of DNS, the biggest problem will be dealing with the domain apex. domain.com (the apex) cannot be a CNAME according to RFC standards. www.domain.com (or any subdomain) can be. If you control DNS, it’s not easy to point the apex to IPS as they use load balancers to distribute load to multiple servers. You could create a redirect on your current VPS to take domain.com and issue a redirect to www.domain.com or use cloudflare simply to have a rule to direct domain.com to www.domain.com. For most people, this is too much work and headache so it’s easier to have IPS manage DNS so they can handle all of the changes themselves. They can map the apex through AWS since they also manage the load balancer. I have both cloud and self hosted like you are proposing and it works just fine!