It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
avatar
kohlrak: -
avatar
sanscript: When I mentioned about the anonymous telnetting p25 in post nr 14, I was speaking generally and was originally answering rtcvb32, not to you. Only about the lack of encryption, but I'm stopping there now, as this is fruitless and getting staled ;-)
Ah, sorry. My mistake. I thought you were addressing something i needed to address (considering that's the exact problem the spam email was trying to pull off: making it look like i had sent the email, when the receiving server should have done a simple check to see if it actually received it from an ip tied to kohlrak.sytes.net [to be fair, i don't do that check, mainly because i'm paranoid at getting account confirmation emails, and it seems no one can properly configure an email server, not even Spyderco]). I figured if you had a legit claim, it would've been something i needed to address.

The encryption issue isn't a problem the way the server's set up, either. The way email works, you have to assume that nothing private is being sent that you aren't hand encrypting yourself, for reasons i stated above.
avatar
kohlrak: Eh, if it became common practice, the pubkey would be available to the spammers the same avenue the email address is, which wouldn't solve anything. Sure, it'd solve the crap we're seeing now, but not for long. If the key is done privately, why not just give out the email privately as well? I've seen people have success with whitelisting email addresses, as well, and spam rarely comes from a known source (does happen, but much less common).
Yes and no. I was also thinking there'd be signing/encrypting between email servers, so say something comes from @Yahoo.com, but didn't go through their API/webpages, it wouldn't be signed, thus it could be rejected immediately even if you used the public key for who you were sending it to.

So there'd be 3 layers probably.

1) encrypted to who it is sent to
2) signed by the sender
3) signed by the server that it's legit

If there's additional ones i am not sure. Regardless it would also provide more privacy as you could do encrypting/decrypting locally rather than the server and the server could only sign between servers for verification, thus anything they get/save would be private.
avatar
kohlrak: Eh, if it became common practice, the pubkey would be available to the spammers the same avenue the email address is, which wouldn't solve anything. Sure, it'd solve the crap we're seeing now, but not for long. If the key is done privately, why not just give out the email privately as well? I've seen people have success with whitelisting email addresses, as well, and spam rarely comes from a known source (does happen, but much less common).
avatar
rtcvb32: Yes and no. I was also thinking there'd be signing/encrypting between email servers, so say something comes from @Yahoo.com, but didn't go through their API/webpages, it wouldn't be signed, thus it could be rejected immediately even if you used the public key for who you were sending it to.

So there'd be 3 layers probably.

1) encrypted to who it is sent to
2) signed by the sender
3) signed by the server that it's legit

If there's additional ones i am not sure. Regardless it would also provide more privacy as you could do encrypting/decrypting locally rather than the server and the server could only sign between servers for verification, thus anything they get/save would be private.
Well, the problem with this is the ying-yang i'm dealing with from my end. See, my emails are mostly rejected, so i have to bounce off of Google, and even that's rarely enough. Whitelisting email providers easily gets like 99% of spam (at least, the spam i'm getting). My current email filter setup goes through my whitelist, and anything in my whitelist goes to the main inbox. Then it goes through the usual SPAM filters, that look for keywords (like "nigeria" or "prince") or known addresses, but it's very, very light. Next, it scans for links: most people who email me don't need to give me links, so anything with a link is probably spam or something else, which goes to a "filtered" folder that I have. Anything that passes all that, goes to the same place as the whitelisted emails. Very, very little gets passed that that is spam, and most emails that I do want that don't pass the smell test land in the filtered folder. This bounced email landed in the main inbox, and it was important that it did: i need to check to make sure I didn't actually send it.

The problem is, and this is why i like my filtering method, is that I also like freedom of speech, and especially freedom to compete. The whole reason i started hosting my own, instead of using google, is that when i first started using the net, everyone and their brother has a Freewebs account. See, it was the cool thing at the time to have your own website. Well, on more than one occasion, freewebs "got a virus" and files were lost, webpages fell apart, etc. I learned my lesson: you can't fully rely and depend on someone else. Say, instead of my totally rad Star Trek Starfleet Command III screensaver, that was an important email about ransom of a family member, or perhaps (and more likely) a job offer, or maybe it was an actual hot babe (and back then people did use email, and a few of my exes actually did contact me via email) i had my eye on (not the ones you don't know). What opportunities might i miss if i am not getting all my emails or if my emails are getting "deleted" or "lost" because of a "virus"? But, on the flip side, because of spam emails, real opportunities get drowned out, and also, my email server gets blocked because it doesn't pass smell tests.

So what's the solution? If you block everything, you won't get important emails. I actually had a problem with my current setup (since comcast blocked SMTP, thus people not reading the MX records are also getting blocked which doesn't make me happy), so i got no-ip to redirect emails in. Bigger problem: no-ip was doing anti-spam tests that was causing emails to get blocked. I actually had an important email trying to come through that got blocked: an email from Spyderco, since their email servers, like how things really are in the real world, weren't configured properly (probably still aren't). After contacting no-ip with my theory, they made a special exception for emails coming to me, and i started getting emails that i was supposed to be getting but otherwise wasn't. Sure, you could blame spyderco and others for not properly setting things up, but, truth is, their products are of a unique quality and price ratio that fit my own needs, I couldn't exactly afford to have that particular attitude with them.

Centralized authorities (google, facebook, government, etc) come with that "dataloss" risk (to be fair, it's come down alot) as well as privacy risks and freedom of speech and information (aka censorship) risks. But without it, you have to deal with the anarchy. I took the far less popular option, and the option that takes the most effort: anarchy. Frankly, i'm happy with it, and it stays within the spirit of the internet.
avatar
kohlrak: *snip*
Why not just get yourself a VPS for like $15 a year and run your own server? You'll be away from the Comcast port block, you wouldn't have to route via a third party service like no-ip, and you would have complete control over your anti-spam solution.

Even a webhosting account usually provides email accounts. I;d stay away from the big ones like gator and godaddy as they;re frequently blocked and/or they're going to nickle and dime you.

I have a personal VPS for my own domains. Be happy to send you the link via a pm if you want to review it.

The downside of running your own VPS is you have to pay attention to it. Stuff like updates isn;t done for you. That's half the fun though. :)
Post edited May 19, 2018 by drmike
avatar
kohlrak: *snip*
avatar
drmike: Why not just get yourself a VPS for like $15 a year and run your own server? You'll be away from the Comcast port block, you wouldn't have to route via a third party service like no-ip, and you would have complete control over your anti-spam solution.

Even a webhosting account usually provides email accounts. I;d stay away from the big ones like gator and godaddy as they;re frequently blocked and/or they're going to nickle and dime you.

I have a personal VPS for my own domains. Be happy to send you the link via a pm if you want to review it.

The downside of running your own VPS is you have to pay attention to it. Stuff like updates isn;t done for you. That's half the fun though. :)
It's the "V" of the VPS that makes a big deal. Remember the initial problem that i was trying to solve. The only reliable solution to the problem is to cut as many other parties out of as much of the process as much as you can. Naturally, it comes with the port blocking problems and the like, but that's what I get for choosing a solution that's less popular. I believe that if more people took my decision, we could hold companies like comcast to task for port blocking. Basically, comcast provides my internet, no-ip provides my domain and port unblocking, basically. At the end of the day, these guys are not really doing much for me, which i can then turn around and relax and enjoy the setup that i created, instead of having to constantly worry about being censored, bandwidth quota, having to appeal to some terms of service, dealing with, loosing my files due to someone mishandling something (since i'm the one who would be at fault for loosing my stuff, at this point).