Punchcards buttons and switches.
Sent from my iPhone On Mar 12, 2023, at 8:55 AM, Bill Prince <part15...@gmail.com> wrote:
CLI rules. part15sbs{at}gmail{dot}com I can insert a spoofed email using only telnet to port 25 on a mail server in about 30 seconds not counting the time it takes to type the message itself. Basically you telnet to port 25, issue four commands (HELO, MAIL FROM, RCPT TO, DATA), and then type the message itself.
Spoofing email in an automated way only takes some basic python skills. Like I could teach anyone with a bit of computer experience how to do it in about an hour or so. This python script can run on anything that runs python, which is pretty much any general purpose computing device.
So it is ridiculously cheap and easy to spoof email.
The reason it is so easy is that email by itself has zero authentication of origin and an open, plaintext, protocol.
The purpose of spf/dkim/dmarc is to add a level of authentication information to at least be able to reject some spoofed emails.
What that Google bounce says is that there is something in the mail.com email which doesn't match the spf/dmarc/dkim records. I'm not 100٪ sure but it seems to not be happy with the linuxmail.org domain being inside the email record.
How are the mail.com emails being generated? Are they through a web server client on mail.com? If not, where? And are the emails from a mail.com address or are you just using mail.com to relay mail from another domain?
I can't recall ever using telnet for anything recent, it's
ancient, doesn't work with anything much in todays world. How
would this be useful in sending email?
On 3/11/23 21:36, Steve Jones wrote:
telnet is fancy expensive equipment needed to spoof
email? Ive never paid for telnet
You see, that's exactly where we part ways. Engulf and
Devour was the villain corporation in the Silent Movie by
Mel Brooks. Every time I saw that movie, I couldn't help
but think of Microsoft and Google slicing up the planet
for themselves. Gives me diarrhea just thinking about
those two companies.
You have to have some pretty fancy expensive equipment
just to spoof email, so why bother? It's not the little
folk who are doing the spoofing. So when they get all us
little folk passing on all our secrets of our little
lives. Then the spoofers will start using fake SPF/DKIM
and then we're right back to as much or more SPAM as
ever. Problem will be worse than ever.
On 3/11/23 18:07, Darin Steffl wrote:
I was curious so found that Gmail started
requiring emails sent to personal Gmail to have SPF or
DKIM enabled or emails would be rejected or sent to
spam. Good for them to drag the bad email hosts along
for the ride in preventing spam.
These prevention measures are
ridiculously easy to implement so I don't have any
patience for email hosts who don't set them up. If you
can't handle simple tasks, outsource things to the big
boys.
Do you use any Microsoft products? If you use
Windows and care about data security then you've
already failed. I find Microsoft the most
deplorable, but I'm only one guy. I have to pick
my battles. I refuse to use Microsoft (anything)
but we use Gmail at work and it's more or less
flawless. We have had some people report they
can't reach us but the resolution is always what
has already been mentioned here. Google made
DKIM/SPF mandatory I want to say just a few months
ago but many of the smaller mail providers do not
have it set up yet.
Jan,
Most of the links you shared aren't of
Google being hacked, but people being
scammed/phished. Tricking a user into
sharing their login info means the user
was scammed, not that google was hacked.
ONE link you shared says less than 24
gmails in Iran were hacked somehow. None
of your links share that google has had a
massive data breach at any time. That's
not to say it can't/won't happen but
there's been no big hacks at Google as far
as I can remember.
I stand by my claim that you're being
paranoid. I promise you that mail.com or
hosting your own email is far less secure
and more easily hacked than Google is. Do
you have thousands of engineers working to
keep your data secure? That answer is NO.
I am not delusional enough to think that
hosting my own Linux server for email will
be more secure than Google. There's no way
I can outsmart hackers, keep updated on
hourly or daily updates and patches, etc.
Nor do I want to do that when I can
outsource to a company that does it much
better than I do.
I don't host a single server for our
WISP in 11 years in business and I won't
be starting today. The cloud is the future
and keeps me hands off on servers and
software. If there's a problem, it's
someone else's job to fix it and my only
job is to report the issue. What if I'm on
vacation and I had one or more servers
that failed? Now that's my job to fix
things while I'm supposed to be off the
clock. I don't need that kind of stress in
my life so I refuse to host any servers
that are mission critical to my business.
The only thing resembling a server would
be our Preseem appliance but we have
backup OSPF routes around it in case that
fails.
Our billing system is Azotel and they
have hosted it in the cloud for us since
we started 11 years ago. Total downtime in
11 years is under 1 hour. Not every cloud
service is that reliable. They handle the
multiple backups and securing of the
servers too. Slack, for example, has
probably had 12 hours of downtime or
subpar performance in the 5 years we've
used it but it still was an issue I didn't
have to fix myself.
I like dmarc since you get
to dictate the strictness and get
reports on your overall deliverability
Jan,
I don't recall any
hacks or data breaches to Google
at all. I've seen plenty of other
platforms with breaches like
t-mobile but Google is pretty
secure. I think you're acting a
little paranoid in protecting your
phone number. I can pay some
online service and get your home
address, phone numbers, and social
security number if I wanted to.
This information that you think is
very secure is almost public
knowledge for a fee.
As others have said,
DKIM/SPF are industry standards,
not Google, and they're pretty old
at this point. DMARC is newer, to
me at least, in the last several
years so not every platform gives
much weight to this but DKIM and
SPF is a must nowadays for any
email provider.
DKIM/SPF/DFMARC aren't
"made-up standards" from Google.
I don't see how you come
to the conclusion that my
paid for mail service is
supposed to have recently
imposed made-up standards
from google that comply
only with google as some
sort of long-standing
standard. It's a recent
standard imposed by
google. And I'm never
going to willingly give
google my phone number so
that when they get hacked
again the hackers will
have my email and my phone
number. Why don't I just
broadcast on some public
website my social security
number too? Yeah, tiktok
or twitter, give them my
phone number, ssi, home
address, all my emails
along with my real name.
Because when you give
google your phone number,
they now have exactly who
you are and access to all
your private info. How
many times in the last
couple years has google
been hacked? Constantly!
I am not going to freely
give this shit to them.
Well, I'm wrong, you're
right. When I bought the
phone, google forced me
into an email address as
part of using the phone.
I never use that email and
I refuse to login to
anything using that
email. Other than that I
don't know how to tell
them to sit on a sharp
stick and twirl.
On 3/10/23 12:02, Steve
Jones wrote:
if you had
followed your email
providers instructions,
you wouldnt have created
your own problems.
spam is floating
score based.
bulk/public/free/spamhost
email providers have
high scores to start.
proper spf loweres it,
lack of dkim raises
it, lack of dmarc
raises it, content cn
raise it, all the IPs
in the mail chain can
raise it.
Thats why youre
responsible for doing
your part to increase
your deliverability.
If you were sending a
business
correspondence you
might go as far as
sending it certified
mail, becaus eyou want
deliverability. But if
you didnt go that far,
you wouldnt put the
correspondence in an
envelope that looks
like dish network
advertising because it
would be discarded as
junk mail, you wouldnt
put it an odd shaped
envelope that can get
stuck in the sorting
machines, you wouldnt
put phrase like "sperm
burglar" on the
exterior, youd put it
in a business class
envelope with windows
and clearly visible
address marking, a
proper return address,
etc.
Weve been managing
deliverability with
these types of methods
since before emails.
and even that changed
over time.
So, since
grnacres doesn't
have dkim or dmarc
records, they
should be getting
bounced like the mail.com records too. I don't have any
control over the
mail servers. I
rent the service
"easymail" along
with the domain
name from
easydns. You
know, it sounds to
me more like
google is a
terrorist
organization
stamping on the
competition just
because they can
get away with it.
They make shit up,
and terrorize
those whom they
want to force into
compliance with
their made-up
bullshit. Next
they're going to
be asking for
money
Where is the
anti-trust people
when you need
them?
On 3/10/23
10:55, Steve Jones
wrote:
grnacres.net doesnt have dkim nor a dmarc
record. Thats
bad domain
deliverability
practice,
nothing to do
with the
mailhost perse,
but if mail.com
doesnt support
dkim, its a
trash mail host
like sherweb.
Cant blame
recipient mail
servers when the
root issue is
the sending
server isnt
current. Its
like getting
pissed that
somebody
doesnt get
communications
you sent out by
telegraph
X-Received: by 2002:a17:906:b0d9:b0:8af:3519:ea1 with SMTP id bk25-20020a170906b0d900b008af35190ea1mr29983208ejb.57.1678462982507;
Fri, 10 Mar 2023 07:43:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1678462982; cv=none;
d=google.com; s=arc-20160816;
b=bJKHFyjF+9UzBXciF4y3cYBJwrgmwap9OQ3AsQpf2nOFXGkTbLP4C0qHnlLFHXPcA5
TAdqmLZYourjPpwIUaAuOjrJO9npBlDZRwv5N/S7xI4iPV2aly79cft4VRXOcfmk7CA0
n0mVQfby5GZR1DD+W1UzAdSHRUH51Nn/V7ounZGXel07tvWfVO8Oso9xga3lPfnUACNp
TcgZPJSw+qZN7TBryDh9Wu1NFoyTBlKOGbgmQ/kCB0sSolGD+JqNOny+m40Pwdqh40ZD
jfEM9U9v6Wc6ORTM1FaDpf5Lp9kw8+8gZwnpXwXqFX4mb8gxYt+hZCPJm+kDipw/lDr3
bhLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:subject:from:content-language:to
:user-agent:mime-version:date:message-id;
bh=IehNk68dy6Xm43VADrOc3Wts/VQhOY9VIh8QjaijTk8=;
b=NyqdCYZBzsrNlw9g7CPu4CfeQy64PQOMwX8TEIFWlUxO7XScd6qJ5xAmPDrypL8w2e
/h4c7ONmrtQsk65hcKCBSJxq4sztWtnPNbv9HZ2VBdC6R/JGcUovOQ5syUTVRAaGoGyg
6quG7biEF/Sud2xX/FBh1gMx50IFKJnscAlxCqvWnWzI5C01HgPhIT9hVh3Plz2YjWHQ
hgdmHROdvAdaX6uEl3nz7l4ojOhValcTQDuIakI9ydlRN2QZT12hL1OWX71MpeoGvVMA
jmEKbqXHlTu8rWPYvmL0M3Nx0V+oWCnCINPPYL1Pxu0Ob575PZS4DBo1hQE7tozljWxT
avNg==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of j.vank...@grnacres.net designates 64.68.200.34 as permitted sender) smtp.mailfrom=j.vank...@grnacres.net
Return-Path: <j.vank...@grnacres.net>
Received: from mailout.easymail.ca (mailout.easymail.ca. [64.68.200.34])
by mx.google.com with ESMTPS id p5-20020a1709066a8500b008d490a104b2si49101ejr.523.2023.03.10.07.43.02
for <thatoneguyst...@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 10 Mar 2023 07:43:02 -0800 (PST)
Received-SPF: pass (google.com: domain of j.vank...@grnacres.net designates 64.68.200.34 as permitted sender) client-ip=64.68.200.34;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of j.vank...@grnacres.net designates 64.68.200.34 as permitted sender) smtp.mailfrom=j.vank...@grnacres.net
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 738E268D1A for <thatoneguyst...@gmail.com>; Fri, 10 Mar 2023 15:43:01 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at emo09-pco.easydns.vpn
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo09-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id csxoJG_y5IgL for <thatoneguyst...@gmail.com>; Fri, 10 Mar 2023 15:43:01 +0000 (UTC)
Received: from [192.168.2.100] (047-224-130-187.res.spectrum.com [47.224.130.187]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 03E3A68C4C for <thatoneguyst...@gmail.com>; Fri, 10 Mar 2023 15:43:00 +0000 (UTC)
Message-ID: <7b07154d-8e71-69fc-f76a-bcfb5ec52...@grnacres.net>
Date: Fri, 10 Mar 2023 07:42:59 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
To: thatoneguyst...@gmail.com
Content-Language: en-US
From: Jan-GAMs <j.vank...@grnacres.net>
Subject: hellody
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
nope,
this gmail
account is
standard free
account.
Im
probably
special cause
all my
communications
get routed
through the
FBI servers
for my online
antics
it was a
test. Only
the ones
addressed to
you went
through. The
others tested,
bounced. Your
address is
different
somehow. You
mentioned your
gmail is a
paid-for
account, the
others that
bounced were
the free-gmail
type accounts
one gets by
logging into
google. The
emails were
sent from mail.com and from my own business accounts.
The business
ones went
through and
the mail.com
ones bounced
except for the
one sent to
you. I picked
4 gmail
addresses and
sent them
out, all of
the ones sent
from the mail.com
got bounced
except yours.
What makes you
so special?
On
3/10/23 09:14,
Steve Jones
wrote:
i
got your spam
emails this
morning
Apparently
nobody on
gmail has
noticed
All mail.com
users cannot
send you
email. How
many other's
are blocked as
well?
Oblivion, must
be sweet.
On
3/9/23 20:14,
Darin Steffl
wrote:
Gmail
is the best.
Been using
them for our
business since
2012.
Virtually no
issues at all
aside from a
handful of
short outages
over the last
11 years.
It's
hands off,
costs very
little, and
I've NEVER
needed to
contact them
for support.
We also use
Google drive
and their
version of
office apps in
the cloud. We
don't store
any files
locally at
all. All
business docs
are at Google
and they're
safe there and
they handle
the backups.
I
don't see any
advantage to
hosting local
email on your
own server.
It's not worth
your time. My
time is worth
$550/hr
roughly when
looking at net
profit so
spending even
one hour a
year trying to
manage or fix
my own email
server would
cost me more
than what I
pay Google.
We're
grandfathered
in and think
we get 10 free
users for
gsuite and I
pay to upgrade
storage to
100gb on 2-3
users so we
pay less than
$60 a year to
Google for
everything.
Dirt cheap and
great peace
mind.
This
is relating to
our internal
business use.
For customer
email, we
never offered
it and never
will. Just
recommend a
free Gmail
account and go
live your best
life not
having to
support email.
O365
handles SMTP
relay for
scanners and
such really
well, we just
dealt with it
a bunch.
authenticated
IP. I
dont scan to a
flatbed
because the
Edsel was
before my time
:-)
On
Thu, Mar 9,
2023 at
1:03 PM Chuck
McCown via AF
<af@af.afmug.com> wrote:
I prefer to have it in house for the
10-20 email
addresses it
serves for
employees and
other business
email
addresses. It
is free that
way and we
don’t have to
worry about
anything
else. But for
some reason
the server
hangs and
needs to get
rebooted,
usually about
the same time
each day.
Google got difficult, especially for
email chains
and other
things so we
stopped using
them some time
ago. For
example, our
scanner
stopped being
able to send
emails due to
something
gmail did.
Sent:
Thursday,
March 9, 2023
11:24 AM
To:
AnimalFarm
Microwave
Users Group
Subject: Re:
[AFMUG] mail
servers
How much is your time worth. The free
internal
server is
costing you
this. We are
still using
rackspace for
subscriber
mail and our
office emails
since its same
domain and a
pita to set up
split routing
for the mail.
The cost of
our mail is
covered by the
folks who have
dropped
service but
wanted to keep
their email,
we actually
make a tidy
profit to
cover any
administrative
stuff.
for my business I use google. 6 bucks
a month per
user. The way
I look at it
is if im not
making 6 bucks
per guy a
month I have
bigger
problems than
my email. Im a
nerd, 20 years
ago dicking
around with
email servers
would have
been a blast.
but now its
like
maintaining a
battery
powered
inverter just
so i can still
use my corded
drill. I can,
it will work,
its not that
complicated,
but its
nonetheless a
dumb waste of
time.
dealing with hosting email servers is
a total waste
of any
resources
unless your
monetizing it.
too large an
attack vector
On Thu, Mar 9, 2023 at 10:18 AM Chuck
McCown via AF
<af@af.afmug.com> wrote:
It is only for our own company
email. No
customers on
it.
Sent:
Thursday,
March 9, 2023
7:37 AM
To:
AnimalFarm
Microwave
Users Group
Subject: Re:
[AFMUG] mail
servers
Surgemail is exactly what I used.
Seemed to be a
good product.
Tyson Burris, President
Internet Communications Inc.
739 Commerce Dr.
Franklin, IN 46131
Office #
317-738-0320
Cell/Direct #
317-412-1540
Online: www.surfici.net
![ICI]()
What can ICI do for you?
Broadband Wireless - PtP/PtMP
Solutions -
Mesh
Wifi/Hotzones
- IP Cameras -
Fiber - Towers
-
Infrastructure.
CONFIDENTIALITY
NOTICE: This
e-mail is
intended for
the
addressee
shown. It
contains
information
that is
confidential
and protected
from
disclosure.
Any review,
dissemination
or use of this
transmission
or its
contents by
unauthorized
organizations
or individuals
is strictly
prohibited.
Surgemail
you could run
1000 customers
on a raspberry
pi! Not free
though.
Extremely
granular
configuration
options.
We used Icewarp since 2004 without
issues. At
its peak we
had thousandth
of accounts on
it, but now
just a
handful.
Not free. And they went to per user
licensing so
it’s not cost
effective for
hosting
anymore, but
it’s
reasonable for
internal
email.
Get Outlook
for iOS
We are having trouble with mailcow.
Anything
better out
there. It
hangs all the
time these
days.
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
|
