Really love the modern support experience of no-response, trial-and-error, until suddenly, if you're lucky, the void on other end magically solves the problem. Confidence-inspiring stuff
It occurs to me that I make fun of sovereign citizen types, but in tech we have our own set of rituals for getting large organizations to do what we want. While those people are still boneheads, maybe I should be more empathetic about their motivations and why they think that this time it might work.
People like to make fun of sovereign citizen types who think the law is magic spells, and if you only say the right words you have to be let off the hook or not pay taxes or whatever.
The thing is though that that notion is absolutly right. The law is like fucking magic.
what else could explain the fact that misspeaking even one word of the incantation will cause the magical shield of +5 "rights against self incrimination" to fizzle (or perhaps missfire and summon a canine companion) when being attacked by pigs?
the joke, if folks dont get the reference to an oldish story, is that you do actually in real life need to be be very specific and clear to cops in order to "invoke" your fifth amendment rights. https://www.washingtonpost.com/news/true-crime/wp/2017/11/02...
Which is incredibly stupid, but is just one example of the many ways in which law is so weird and unintuitive that its super easy for the uneducated to assume there are tons of weird eldrich legal phrases that if only spoken in the right place and time will conjure legal protection. Of course we who know better know that those eldrich legal phrases need to be spoken by a trained wizard (lawyer) with enough mana (money, time) at their disposal.
When the accepted interpretation of the US constitution allows for civil asset forfeiture or indefinite detention lawyers have no rights scoffing at magical ideas. The whole thing is Harry Potter nonsense.
Law is a fundamentally hard problem at scale, especially with a federated system that has bug fixed 725 years (post-Magna Carta) of edge cases.
If you think the second system effect is bad on a 20 year old system, try doing it for centuries of evolutionary system that started with 2-3 million users and has been forked.
I do agree that we are in an unfortunate place where we do have spells and incantations that must be recited but... that's such BS. This ruling was pure BS and a common speaker would clearly understand the intent of the defendent's request.
The US government can just revoke the rights of its own citizens if it wants. That's literally what stuff like the Patriot act was designed to do. The US government gives itself the right to steal from its own citizens via "civil forfeiture". The US government spies on its citizens 24/7.
The whole point of the right to own and bear arms is to guarantee the ability of citizens to defend themselves from and even fight the government should it turn into some corrupt, tyrannical and ultimately unconstitutional police state. The ultimate check and balance is the threat of violence.
Without that ability, all this "rights" nonsense is just magical thinking. No one has any rights that they cannot personally defend. No one enjoys any rights in 2023, they enjoy the government's mercy.
> It occurs to me that I make fun of sovereign citizen types, but in tech we have our own set of rituals for getting large organizations to do what we want.
I run a small transactional email provider (https://mailpace.com), our IPs are very rarely added to blocklists- but we are very strict on what we allow through our service, and surprisingly we’ve had no long term delivery issues with any of the big providers.
So thanks to the federated/decentralized design of email, is totally possible to be part of the network without any special privileges.
We are sending millions of emails every day though, which is quite different to sending a couple hundred personal emails a week. If you’re running this on a cloud host, expect to be blocked by default. However if you can find a small vps provider you’ll have better luck on sending yourself.
Right. When I changed my vps to another hoster, I totally forgot how much trouble it was to get a good reputation in the beginning.
But it was really not that much work again. Just unfortunate, because one big Mail provider just discarded instead of rejecting my mails. After this was settled, everything works quite nice again. Important to me is keeping spf, dkim, dmarc and now also mts up to date. See mail-checker.com e.g.
I still wonder though, why some big mail providers do not do dkim/dmarc? I happen to realize this when I started to fight spam and gave incoming mails without dkim/dmarc a high spam score.
One time, mail-tester.com found that my paid personal email hoster had moved my SMTP server to a new IP address without updating the anti-spam sender mechanisms. (You had one job, people.) When email is how you keep in touch with a lot of friends, and occasionally make new consulting contacts, that's relatively costly.
We host in a datacenter and sending from their IPv4 or our own /24 IPv4 block has no issue. We also have the volume to keep things going as well to build up the reputation.
(Unrelated to the OP - but I've been so frustrated by this for so long that it's worth the [flagged])
A product like this is exactly what I've been looking for with pretty great pricing.
The one thing that this (and most providers) are missing is making email easy to test. I'm about to launch a product where email is critical, and there's no way to send an example email (with a non-test email address) to your service and see that you receive it, without it being sent to the To address.
Better yet, the few providers that do support it charge as if it were a real email, when none of the delivery costs exist on their end (there are infrastructure costs, sure, but there is none of the reputation risk nor need for clean IPs, the reason people use transactional services like these in the first place).
Outlook/Hotmail blocks DigitalOcean. After half a dozens attempts over the years to delist my IP, and following all the best practices (dedicated fixed IP, SPF, DKIM, DMARC, FCrDNS, zero spam, TLS, etc.) I gave up.
Eventually, most people realize that their Outlook/Hotmail email service is defective because they're not receiving emails, and they migrate to another email service.
> Eventually, most people realize that their Outlook/Hotmail email service is defective because they're not receiving emails, and the move to something else.
Or people realise that DO's current anti-abuse is very insufficient and will move to something else.
Outlook/Hotmail is the only service that's blocking my emails.
I've been with DigitalOcean for 10 years. Beforehand it was just a matter of filling a form and waiting 24 hours to get the IP whitelisted. A few years ago, Microsoft started refusing whitelisting IPs.
DigitalOcean on the other hand started blocking SMTP by default for new customers since June/2022 [1], and thus significantly reduced the amount of spam coming out of their network. That said, they're still not doing enough to stop spam from their network, and they're still a source of spam [2].
I can cryptographically prove the identity of the server (and thus its reputation), and there's no justified reason to block mails based only on the network's IP address, while ignoring all the other factors.
I have a personal mail server and I too had no choice but to blacklist DO.
They generate a lot of phishing emails (rather than conventional spam). I used to diligently report it to their abuse contact, but they don't seem to care or do anything about it in the slightest.
> most people realize that their Outlook/Hotmail email service is defective
This is exactly what I've begun telling people and warning friends and family members about. I run my own email... well I run my own ISP at this point and we have our own dedicated block of IPv6 addresses but still rely on IPv4 addresses from our cloud providers and I've started to grow frustrated by the lack of movement by the incumbent email providers that I've started just straight up telling people don't expect any email delivery from me if you're using any provider that still lacks proper IPv6 on their SMTP servers.
It's no longer my problem and I will happily tell people that their email provider is defective and that they need to find a new host. If that is too much for them, to bad so sad not my problem. I did everything I could do. At some point you have to stop trying to work around "Big Cloud" and their nonsense.
Microsoft blocking a mail server and DO being blocked aren't necessarily the same thing.
I service a number of MS accounts (hosted domain and O/H/live.com) and they block mail from small servers I manage - and from (non-major) online services I work with. There are forums frequent that send verification mails to MS addys that never arrive.
Past that: My last time blocking mail server attacks from DO IPs is today. It's always today and has been years and years. Not just DO. OVH, Psychz and a at least doz more attack with that consistency.
[edit: Post below mentions DO SMTP changes in 2022. DO is still attacky but less attacky is possible. Not sure.]
And not that far behind, Amazon. Amazon is a lot harder because unlike the above, I regularly get legit traffic from them.
I've had decent deliverability to some of my Outlook addresses from my Digital Ocean droplets for about a decade. Low volume (a dozen or so a week?), only to a few dozen addresses. I had poor deliverability until I updated the Reverse DNS to match my sending hostname. Since then, I have not had a single email get filtered.
Or folks will check where their spam comes from. At least 2-3 years ago digital ocean was a ridiculously major source of spam. I've no interest in investigating why, but there is a near zero chance they were following anything like "all the best practices".
This is from DO's own site based on a quick search:
"I am being BOMBARDED, and I mean BOMBARDED with spam from Digital Ocean over 5 spams a day all from the same bunch of domains, all hosted on DigitalOcean and coming from your IPs.
In the last 2 weeks I’ve emailed your abuse mailbox 20+ times and filled in the contact abuse form 10+ times.
NOTHING is being done about it. My next plan of action is to keep posting here until Digital Ocean takes action.
Do you even have an abuse team? are they doing any work at all? I can provide 30 more samples if needed."
Absolutely pathetic - all major providers should blackhole email from DO.
Note that this contrasts to AWS. I was on AWS from flat network days (where folks were running scans internally etc. AWS respond with a ticket usually to abuse reports and then usually a bit later a note that things have been taken care of.
How does AWS which is FAR larger in IP address space than DO have so much LESS spam coming from their IP address space? Perhaps because they pay a tiny bit of attention to the issue.
This probably isn’t directly helpful or relevant advice, but I don’t see a good reason to spend double on DigitalOcean droplets compared to what you get with Hetzner Cloud.
I had this problem for years. I would get the block lifted and it would return in short order. I surmise it’s because my mail server runs on a VPS and other users on my subnet are not well behaved (actually I know this for a fact).
I solved the problem by paying for a next hop SMTPS server as an upstream smarthost for non-local mails. That means my mails come from a subnet that fronts TONS of other servers/domains. That makes it a bigger headache for MS to block.
Sad but there you go. I do not use the external service for inbound. Inbound mails come direct to my server per the MX.
Wow, Outlook actually tells you they blocked you? My email (custom gmail domain btw) just ends up in the Spam folder of outlook clients with no notification at all.
That's a different issue. You're usually not notified of spam designations, but bounces (where the mail server completely refuses to accept your email) do usually receive a notification. If you're designated as both (for example if you keep sending email that bounces) you'll get blackholed and wont receive any bounce notification either.
When I used to self-host my emails, GMail would "accept" mails then drop them. Microsoft was kind enough to tell me they dropped them but getting out of the blacklists was a pain.
An advantage of landing in spam is that the user still has a choice and is in control. Rejecting outright is a "lalalala I can't hear youu!!" type of stupid situation that only big providers can get away with, without the users realizing their bigcorp is the one with delivery issues
Conversely, if you as the sender get a bounce at least you know something went wrong and can try a different way to contact the other person (different email, telephone, text message...) Bouncing is the traditional approach, and the original ethos was "bounce, or defer, or deliver, but don't ever accidentally or deliberately just drop an email on the floor".
It depends whether you think of "the user" as the sender or the re cover -- as a (human) sender I'd rather get a bounce than be silently ignored in a spam folder, but as a receiver I prefer the grey-area emails to be accept-but-spamfolder, not bounced...
As a user, I'm thankful I don't need to sift through hundreds of spam emails a day to find potential false positives. Because that's what you're advocating. You'd apparently like everyone to have a terrible email experience for the sake of your own personal comfort and preference (self hosting your emails).
Besides, for something truly important, the people or organisations who need to reach me know how to do so other than via email (phone, chat, postal mail...).
This. Microsoft, Google, et al. aren't doing anything worthy of criticism here; it's the spammers who ruin email for the rest of us who should be facing the music.
Another useful tool is https://www.learndmarc.com/ -- I found the presentation very helpful when I was finally getting on the DMARC train a while back.
I self host. Over the years, I've had both situations with outlook. I've tried many things.
As it happens, I noticed my mails have gone through just fine in the last months, at least to companies using Microsoft services without me doing anything specific, after I threw the towel with Outlook. I did switch VPS providers almost a year ago, though to a provider that I expect to be more filtered (ovh).
I guess my question is can you please fix your braindead blacklisting?
Several times per year—I can practically guarantee it’ll happen sometime in December, and indeed had to deal with this just five days ago—I end up with a bunch of users whose email notifications stop working because Microsoft have started blocking the entire netrange where my server lives. I don’t have control over other Linode customers, guys! I even wrote extra code to stop sending mail to addresses that start bouncing specifically to avoid blacklisting, so after MS finally processes a blacklist mitigation request, someone also has to go in and re-enable those accounts.
SPF, DKIM, DMARC are all configured; I’ve sent from the same IP address for about a decade; I’ve not once received an email abuse report; mail volume is low (most days, volume does not reach the minimum threshold for SNDS to report data[0]). I’ve never had any other mail provider blacklist my server. SNDS always says everything is OK as I am S3150s. What is even the purpose of SNDS at this point when it lies about what is going on?
[0] P.S. The janky SNDS calendar widget resets the month to the current month every time you click on a date, even if the date being viewed is in a previous month. I don’t have any hope that anyone will ever touch SNDS code again since it was clearly designed in the early 2000s and the copyright on the site is now ten years old, but this is a pretty silly bug.
My guess is that the effectiveness issue isn’t actually due to SNDS and is probably related to sender reputation having famously high false positive rates. I read a paper a while back which introduced a different algorithm with tighter bounds on regret, I didn’t really understand it tbh, but I can implement it behind a flight and run a data study to see if it works better. The problem is that most graph based stuff doesn’t scale super well because of something-something complexity classes. I think the lady who architected it 5 years ago didn’t do a great job and there’s a bunch of arbitrary config stuff which was put as a placeholder and then became enshrined in stone… but the guy maintaining it rn is really smart so I’ll have him review my half-assed PR when he’s back next week (and idk how long it’ll take to finish the other half of it, shit never ships around here).
About the calendar widget thing… man am I glad I our team doesn’t own that. No one ever touches legacy stuff cause they’re afraid it’ll break or no one will update but the trick is to file it as an accessibility bug since that gets someone to actually prioritize it since it shows up in reports that the execs read. But dude good luck getting that off the backlog, the one engineer we have who is good at UX stuff (i.e, can code with both quality and velocity instead of just one) has her hands full as is.
Whatever the problem is, all I know is that last year Linode said they tried and failed to get Microsoft to actually fix the problem[0], apparently despite assurances and multiple requests for a root cause analysis. Everyone else seems to have figured out how to not be overrun by spam and also not block entire netranges, so I’d say it is well past time for Microsoft to figure out how to do that too.
Asking infrastructure providers to police email content is a very invasive thing to want. I don't think I agree with that.
Realistically, what can they do here? Make servers unaffordable to discourage abuse? Give most servers "Internet*" access where some ports are missing?
But that's how the world works right now: every provider has acceptable use policy, and not just for emails. Not necessarily because they care, but because they are beholden to an AUP, from their upstream or peers. Which makes it viral: if they won't hold AUP, they'd get cut off, and there's very little use in an internet service provider without connectivity.
> Give most servers "Internet*" access where some ports are missing?
Disallow SMTP traffic unless an account has a certain reputation or verified identity related to it?
I mean, they don't have to do that, and I would agree the government shouldn't force it to happen. But if someone is constantly causing you problems you shouldn't be required to deal with their shit. If you don't want to behave, expect consequences from everyone else in society.
If every time my friends invited me over I brought over another random person that smears feces all over the walls and pees in the corner I probably won't get invited over very often. Linode (and other cheap VPS hosts) are that person constantly enabling abusive people and subjecting them to others.
Personally inviting someone to your party? Surely the analogy to linode is something like an apartment building owner. You wouldn't ban your established friend just because you keep having problems with nearby tenants.
Oh man I think around 2 years ago there was a 3x spike in Europe outbound spam and the fraud team had to disable like 200k+ tenants from some shady cloud VPS. We didn’t have a long term plan for the abuse back then besides playing whack-a-mole, and if we have one now, I haven’t heard of it.
Dumb question, but wtf is the solution even? I’m confused about what you expect us to do. I haven’t thought about the problem much so I might be missing some obvious Pareto improvement.
You didn’t make any mistakes encoding, I just screwed up my decoding, it happens :D
Thanks for clarifying, ok, hmm… that seems hard to do if you can check the IP block by using a subnet mask but the specific IP isn’t resolved until later in mailflow. It might not actually work like that in… ProtocolFilterHub? I always get this mixed up, wait… I think this might be something that we are already working on. And have been working on for a while, wow. Looks hairy. It’s stuck since the guy working on it transferred to another team, and no one picked it up, but some PM noticed before I did and put it up for vote in semester planning. Always creepy to see engineers get referred to as “resources”.
Linode respond swiftly to abuse reports[0], block outgoing SMTP by default, and prevent so many people from even registering for services that it is the #1 question people ask on their IRC channel. What more should they do? What is “enough”?
90% of the spam that I receive from a DMARC-validated sender comes from Google; should every Gmail user be punished because Google aren’t “doing enough”?
[0] Linode twice threatened to shut off services within 24 hours due to some vigilante scanning the internet with a broken virus scanner and automatically sending reports: https://virtuallyfun.com/2014/04/23/dumbass-of-the-year-awar... (n.b. this is not my site)
> Linode respond swiftly to abuse reports[0], block outgoing SMTP by default
One instance of them supposedly responding quickly to an email abuse report isn't showing they're consistently responsive to abuse reports. I don't know if they are or are not. I don't even know that this blog post even refers to Linode, they're not mentioned once.
And its not true they always block outgoing SMTP by default. Loads of old accounts do not have SMTP blocked. New accounts since 2019 sometimes have it blocked, but given the last few times I've made an account and didn't have any blocks it doesn't seem that often. Maybe I just got lucky though.
And don't get me wrong here, I'm not intentionally singling out Linode here. There's loads of cheap VPS providers that enable this kind of abuse. They're not necessarily better or worse in this regard to many others.
> 90% of the spam that I receive from a DMARC-validated sender comes from Google; should every Gmail user be punished because Google aren’t “doing enough”?
Yes. Just like those telephone companies originating most of the spam phone calls should get disconnected. If they're going to enable abusers, they should get cut off.
Here is the issue that most ESPs are facing.. Every 5-6 months something is being enabled or not from Outlook's side which affects either IPs or the domain name of the sender and messages land in Junk folder or in quarantine zone.
Now, I do know that the IPs might be affected by complaints or spamtraps, or maybe the client sent something suspicious, but trust me most ESPs don't allow those messages to be sent. Also, when the IPs appear GREEN in SNDS, and SPF/ DKIM and DMARC are a part of DNS authentication and headers appear like this: CAT:HSPM;SFS:(13230031)(4636009)(451199024)(7596003)(356005)(7636003)(86362001)(450100002)(8676002)(1096003)(14286002)(34206002)(5660300002)(336012)(26005)(42186006)(9686003)(33656002)(83380400001)(7846003)(33964004)(564344004);DIR:INB;
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
You are expecting that quarantine zone is the last place to find a legit message.
For obvious reasons I won't share more details, but I bet that from time to time someone is messing with spam filters that can easily result in false positive and angry senders.
In any case, especially when we raised tickets to Outlook, at least please inform your team not to reply like robots. If they will share with us the exact reason why a message landed in junk folder that would really help us. If it is the content, we will change it. If it is related with the sender, we will block the sender. If those are complaints, we will block senders and check their subscription sources, but at least we need something especially when SNDS shows Green IP, 0 spamtraps, 0 complaints.
Thank you for reading this.
Yo I’m not even gonna apologize about this, it would be so wack if we didn’t do that:
a) if a mail sever looks like it’s gonna send spam, then you gotta block it. I personally have philosophical hang ups about this, like it’d be wrong to sentence someone to prison for crimes they didn’t commit just because a system added up some points and made a prediction with high confidence, but in real life, you absolutely need to be proactive.
b) there is literally no way to do this that wont immediately get abused. Trust me we’ve tried. We make it nearly impossible to get unlocked on purpose because if it was easy, then it’d be like 1 innocent person using it and 99 attackers due to the adversarial incentive structures.
Now ofc there’s more nuance here, we really do want to get it wrong less often, and you do pay us so it’s not fair to blame it all on the bad guys, so I’m grateful for the feedback but I think you should give me even more detailed feedback since there’s not much I can do except give a vague high level explanation unless you help me by being specific.
Do you somehow track the amount of false positives these predictions generate? How do you tune the prediction to not generate too many false positives?
> but in real life, you absolutely need to be proactive
Why is Microsoft the only provider who needs to do such proactive blocking? Why don't you need to do that for email addresses associated with Office 365?
> I think you should give me even more detailed feedback since there’s not much I can do except give a vague high level explanation unless you help me by being specific.
My story is very much the same as for everybody else having the same trouble, including the person whose blog post sparked this discussion: A root server for personal use located in the data center of a mid-sized hoster, running a mail server as part of its duties. In my case the whole mail setup runs on IP-addresses separate from everything else. Mail volume to Microsoft would probably be on average 1-2 emails per month. No issues whatsoever getting emails delivered to other mail providers, only to Microsoft. This whole setup is in place since several years.
> Why is Microsoft the only provider who needs to do such proactive blocking? Why don't you need to do that for email addresses associated with Office 365?
The way you implement this, low-volume senders (nerdy individuals or small projects that can't use SES/Mailgun/… for GDPR reasons), even if they manage to get off the list once (olcsupport.office.com, escalate), never get the chance to build up reputation in the long term (I'd have to contact olcsupport again in a few months and that's just not sustainable for a small-time postmaster).
I get it, you're afraid that some VPS from a cheap cloud provider suddenly floods the inboxes of thousands of Outlook.com customers. I realize that a fresh IP that sends dozens of emails out of the blue has to be blacklisted.
But why don't you allow my VPS to send, say, 16 emails a day to Outlook.com inboxes? And if ⅛ of the recipients report junk, I get blacklisted. But if all 16 recipients are happy, my IP can now send 16+16=32 emails/day for the next few months (as long as the non-ISP hostname matches; otherwise, it might be a new VPS customer), and so on.
This way, your customers are happy (I don't think spammers rent/hack a fresh VPS in order to send 16 emails, and I don't think they are very good at building up IP reputation), and I'm happy (my personal VPS can send a few emails to my Outlook.com contacts every few weeks/months, and my project VPS can gradually build up and maintain the reputation it needs).
I'm obviously being naive about that approach, but I don't remember having trouble reaching Gmail inboxes or those of local providers, and at least for Gmail, I know that they have pretty effective spam filtering too, so I reckon that they use some approach like the one I described.
For a side project, I have just given up contacting olcsupport and instruct Postfix to send through our @outlook.com address instead, but that is a wobbly workaround at best. For personal email, I now relay through SMTP2GO because GDPR doesn't matter that much, but it makes me sad to have that gaping hole (called Outlook.com) in my decentralized email fantasy, after having spent so much time researching, configuring, diagnosing.
> I'm obviously being naive about that approach, but I don't remember having trouble reaching Gmail inboxes or those of local providers, and at least for Gmail
There are plenty of those who do have such issues with Gmail.
The simple reason behind all this is that spammers also have near endless patience. If it takes sending 15 emails per day per IP, they'll do it. If it's a criteria you can figure out as a legitimate user, the spammer can as well. They'll "subtract one" and bypass it.
So the end result is that there's intentional fog over the methods. Just things you can try and get right and maybe that's sufficient. Eventually the good side tends to prevail, with some effort. Other than that it's one of the hardest problems out there with insane weight on both sides.
Similar question as my sibling comments. I have rented a server with a static IP address for over ten years now. Nobody else has used this IP during this time. Yet, every few months I have to beg Microsoft to unblock the IP. In the beginning I could do this on my own, but something changed a few years ago and now I have to beg my ISP (netcup) instead to contact Microsoft on behalf of me to temporarily whitelist the domain. Then wait another 2-3 months and do the same dance again.
Why? Why can Microsoft not learn that an IP has been healthy and spam-free for 10+ years and only bother me when there is actual spam is being sent?
Aww man, not joking this actually breaks my heart, something about the way you wrote it makes it sink in how much we’ve failed you. I’m angry at how much of your time we’ve wasted and this experience is completely unacceptable.
…I think this is just a systemic issue beyond my ability to comprehend, let alone solve, and— I hope I’m wrong about this but honestly when I look ahead it seems the future is only going to get worse for people like you. Which I wish I could phrase in a way that was more kind and respectful, it’s not what anyone wants, these unthinking scars inflicted on email as a medium.
But what I can do is make sure that it’s not worse for you, specifically. If I was perfect I’d attack this rot at its core, but I’m not, so I’ll just solve the problem in front of me even though I know it doesn’t scale and hope God forgives me. Get in touch with me directly and I’ll figure out how to make sure you don’t have to jump through those hurdles again.
Exact same situation as the person you're replying to, except ~5y instead of 10 and I gave up trying getting unblocked after at one point even the mandated reply to an automatic follow-up e-mail a few steps down the line of the appeal-chain got blocked. That behavior was consistent over multiple weeks of retrying. It was truly kafkaesque but I resorted to just not being able to email Outlook/MS recipients. Getting an outreach from someone who wants to get in touch and not being able to reply is the most frustrating. So many people probably believe I ghost them.
Outgoing email volume is a handful a week, zero automation ever, and I must have spent dozens if not in the low hundreds of hours over the years on e-mail deliverability to Microsoft alone until finally giving up. Not comparable to anywhere/anyone else.
Just to say, behind every single false-positive is a story like mine and TonyTrapp. Missing out on a group tour with the local club. An old lost friend or family member not being able to get back in touch. Missed recruitment opportunities. A lawyer not receiving a time-sensitive follow-up.
But why do you consider this good practice? It's (unnecessarily?) frustrating for senders and poses a legal risk for recipients (the sender has the logs to prove that they sent the invoice, while the recipient doesn't have any record).
Again, not the person you replied to. But some feedback mechanisms take time (so action has to be taken after a 2xx reply) and some indicators are just very very very accurate that leaving them in even just Spam is a way bigger risk. Users have a terrible tendency to dig out malware from Spam folders.
This was not the cause in my case (no attachments, no URLs, just plain text, as far as I can remember). I know how to send email (ask mail-tester.com).
Regardless, there are always better options than silently discarding the whole email: delete attachments, erase everything that looks like a URL, even erase the whole message body, but please tell the recipient that you accepted an email and from whom.
Why doesn't whitelisting an address ensure one receives messages from it, the address has never sent spam, sends at most a couple of emails a day. But I couldn't receive emails from it, there was no notification or information despite the address being on my whitelist?
Huh? This shouldn’t be possible in principle? Don’t quote me on that though, I wish I’d paid more attention to my notes but they’re a mess and haven’t kept up with newer changes, if they were accurate at all in the first place. I’d submit an escalation so support can look into it.
Eg. Known bad domains, known bad IP addresses, incorrectly setup DKIM / SPF, no reverse DNS, non-matching reverse DNS, and that's before even looking at content to determine whether spam.
For privacy and compliance reasons (read: “oh boy wouldn’t wanna get sued, eh?” reasons) we actually don’t snoop into the message body much. Hooray, good job on not doing the maximally big brother thing for once, MS!
My hot take is that this prolly won’t last because every org descends to doing a creepy level of data collection eventually so I have a textbook on privacy preserving ML downloaded for when we join the “surveillance but we found a way to make it technically legal” squad. We haven’t done that yet though.
I was trying to ask generically because Microsoft deals with a universe-sized quantity of email traffic in comparison to my self-hosted barely used domains.
By tiers (which may be the wrong word, maybe just 'layers'), only relating to my setup, I mean things like:
- Tier 1: Spamhaus DROP and eDROP lists are outright blocked
- Tier 2: IP addresses that have illegitimately connected to my mail server ports are outright blocked (port scans, invalid login attempts, etc. - I manually check some of these against abuseipdb.com to determine their validity)
- Tier 3: IP addresses that have scanned non-open ports on my systems are outright blocked from connecting to my mail server ports
Just running these rules for a couple of months has dropped unwanted connections to my mail server ports a heavy percentage. One theory being that if you can block known-bad and highly-likely-bad connections, then actual spam detection (through email content review) is minimised to a certain degree.
I actually want to implement additional anti-spam IP address block lists and just haven't gotten around to it yet, but the above does a good enough job for my essentially unknown domains (as I said, a universe of difference to what Microsoft has to deal with)
- Tier 4: Black-box spam detection built-in to the all-in-one mail server solution I use (I don't know how it works, I don't know how to edit the 'rules' or even if I can).
'Tiers' I would expect Microsoft to have would be:
- Their own lists of known-bad IP addresses / ranges / ASNs
- Reverse DNS lookup validation
- DKIM checks
- SPF checks
- More protocol level 'things' beyond the understanding of a simple network admin such as myself.
- Weighting the results of all of the above to determine some kind of 'spam likelihood' score.
All of this is before reviewing the content of the actual message.
What's the best way to quickly get MS to trust a server/domain?
Does MS ignore IP reputation in cases where the domain has a good reputation?
How would you go about getting a new domain and an IP address from a public cloud provider working consistently?
I've had issues with outlook when it comes to new domains and IPs, but after some time it works. I do however usually have more email than a personal server so what's the best way - if such a thing exists - for a personal server that has much lower volume of mail to be trusted?
Hmm, oh wow, occasionally I’m reminded that if I flipped sides to run phishing campaigns I’d be totally unstoppable.
There isn’t a quick way, by design. You need to wait a minimum period and meet some predicates, and the organized scammers already know what the period is via empirical testing but I’m not comfortable disclosing details of those predicates for disorganized scammers to use. More so because I’d definitely get into trouble for it than due to any belief in security via obscurity. Cushy job makes you risk averse.
Since I can’t share any of the tricks, some general advice— the main thing that matters is a long track record of good behavior. You can end up in a vicious cycle where you fight the system when it punishes you and then it doubles down on the beatings— this is bizarre and kafkaesque and happens all the time. What you want is for there to be two-way communication, if it’s unbalanced with traffic being broadcast but no one engaging with it, that’s going to be cracked down on sooner than if recipients reply.
I don’t. I have slept in the daytime ever since covid and actually got a move to the east coast approved as a health accommodation after I started routinely missing important afternoon meetings due to my incurable insomnia (mornings are easy when you stay up all night). I still struggle with it, especially since it’s not a consistent offset to my circadian rhythm. There’s data I’ve collected but it’s hard to fit a simple function to it— it’s not like I’m on a 26 hour schedule either. This isn’t due to trauma or addiction, my brain is just an outlier in many dimensions and this is one of them.
My penis enlargement pill newsletter isn't showing up in my customers' inboxes. I could have been a penis-enlargement millionare if it wasn't for your stupid spam filter. What to do?
After many years of regularly getting blocked by Hotmail and outlook.com, I just decided to reject every incoming email from Hotmail and Outlook with an error message explaining the situation. If they don't allow me to respond to emails sent by their customers, why would I allow them to send me emails in the first place?
I run my own mail servers and hotmail and other Microsoft-based email services regularly blocks my mail by source IP on the various domains I run.
I've been using the same /29 network for over 15 years now. There's no nearby adjacent networks that are on any blacklists.
I monitor blacklists on a regular basis.
No marketing. The domains I run are strictly personal and projects. I monitor volume and all kinds of stuff. I know there's nothing like spam or any kind of marketing going outbound.
It's astonishing how honest Microsoft is when I send them an email telling them to unblock. They literally just admit that they never had reason to block the domain/IP and they unlist it for a few years and then it goes back on their list.
It's become apparent that they blacklist by default.
Fortunately I only run into the occasional idiot who uses Hotmail or live.com.
GMail is the worst for email blocking resolutions. They don't have an effective feedback loop built into their system. So when a user does block you, no one is told about it, to be fixed. Therefore lowering your reputation with them over time.
How can we as ESPs respond to them appropriately with removal of these people who don't want our emails anymore, if we don't know who the user is?
If there are any GMAIL service team members here, I would LOVE to know why a feedback loop was never implemented like the other providers.
Maybe ask yourself why some users end up blocking you altogether. Surely you didn't start sending them newsletters or the like without being completely certain that they wanted to receive them, and you provide a simple, prominent and reliable way to unsubscribe if/when they change their mind, right?
There's a block-by-default setup for new email servers. You have to go through the reputation-building process which is not at all clear nor is it always guaranteed to work.
Yes, it "works" for most people, but it also has the effect of entrenching the incumbent large email providers and preventing more independent providers from cropping up.
The current method is very lazy and collectively punishes a lot of innocent email providers for the crimes of the abusers.
> How can we as ESPs respond to them appropriately with removal of these people who don't want our emails anymore, if we don't know who the user is?
1. Don't send spam
2. ???
3. Profit!
Literally _all_ email that I've blocked has been from companies where I uncheck the box "send spam to me" and the company sends it anyway, or where the company thinks "oh this guy bought stuff from us, we can now send our daily/weekly/fuckly marketing spam!" or "we got your email from whatever shady place, and now we're sending you our information because you're in our industry" or stupid shit like that.
Gmail does not have a "block everything from this domain feature". I would love to block whole domains from my gmail account. Alas, I run my own email server to achieve it.
Running a mail server should be something anyone can do. And while this is cool, there are so many other problems to do it. It's the price we pay of letting big tech companies control so much of the virtual infrastructure: big tech has commoditized the internet so much into a platform for consumerism that it becomes a valuable target for spam.
In my opinion, the internet would be much better if none of the big players ever entered it, including Google, Facebook, Yahoo, etc, and it would allow for many more decentralized and valuable commons like email.
The main benefit of Gmail and other big providers is the anti-spam, anti-scam, "Google knows best" approach works really well.
When I last helped manage a mail server for a small business (late 2000's) SPAM was an absolute mess. You can really see why Azure etc has consumed on-premise Exchange.
The massive downside is they are the deciders of who gets through their gates, and if you're on their shitlist, goodluck.
> The main benefit of Gmail and other big providers is the anti-spam, anti-scam, "Google knows best" approach works really well.
We've been spammed and scammed into thinking this is true. Sadly, Gmail is actually worse than competitors and especially worse than running your own email server.
Safety and security is the best argument for monopolization and decreased freedom in general. It will always be a tradeoff. Fortunately a majority is typically more than happy with being fully patronized. The problem really starts if you are start being banned from infrastructure: e.g. see banking apps and 'safety net'. We are seeing the begining of a really dystopian world if regulators do not step in.
I would also propose ease of use as a solution to our problems that the wolf in sheep's clothing took care of for us.
We basically handed over how we communicate to make it easier (Emails, Team Communication such as Slack/Teams, etc), essential internet infrastructure (Cloudflare, Amazon etc), banking, etc because it was easier..
My worst nightmare is somehow being locked out of my accounts, the only means is either emailing the CEO directly, posting on HN until it's hopefully solved or just moving to the country, and eat a lot of peaches.
The problem with "more than happy" is that their happiness is measured in terms of chosing the local maximum of least bad. Moreover, that local maxima slowly changs over time to be worse and worse, so that people's happiness becomes a temporary sense of relief at having chosen the least bad option, which in the course of decades makes for a curtailing of freedoms that is far from true contentment.
- the infamous "spam solutions" webpage that was a snarky attempt at "educating" people about fixing spam was created around February 2004 which was 2 months before Gmail service was introduced: https://craphound.com/spamsolutions.txt
Other "small" areas of the internet are also universally hit with spam abuse:
- blogs that allowed "readers' comments and feedback" got inundated with spam and the blog owners added CAPTCHAS or disabled comments completely.
- small web forums like vBulletin and phpBB forums got hit with spam and admins put in "email signup and valid email verification link" workflows.
The existence of a big player like Gmail that was introduced in 2004 is not the reason for "so much spam".
Spam volume is always a problem on any communication network where the cost to create new identities is $0 and the cost to send messages is near $0.00. An extreme example of the opposite situation is Bloomberg Terminals chat system not having a spam problem. Why? Because it costs $25000 a year subscription to use. Bloomberg did recently "unbundle" their chat system for a lower price but the point is that the friction for new accounts is still high enough to deter spam abuse.
The basic fact of the matter is that >99% of people will never be interested in hosting their own e-mail server, and that's okay.
This means we need organizations to host e-mail for people. In a capitalist system, that means companies, and it leads to consolidation and monopolization. So far, governments have been seemingly uninterested in going after the large e-mail providers for anticompetitive practices; maybe that should change. But as long as those anticompetitive practices only really affect individual hobbyists who wanna host their own e-mail, while business interests are unaffected, I don't see this changing.
I don't think it just affects hobbyists. It allows affects people who want to use smaller email servers, or even people who WOULD use smaller email servers simply because larger ones did not exist.
I think the government SHOULD go after consolidation such as Google, and that traditional anti-trust law is insufficient to combat the dangers of large tech companies.
This is precisely because traditional anti-trust laws only look after large PROPORTIONS. In today's modern economy, due to its size, we have a danger that we've never seen before: large ABSOLUTE size, which was never a problem in history as it is today.
Therefore, we need new laws that go after absolute size, as well as large proportions (traditional anti-trust).
I am a big fan of free markets, but the trend towards consolidation, at least in activities that profit from efficiencies of scale, is unmistakable, to the degree that it often kills the market unless prevented.
You probably cannot "consolidate" a market of book authors and musical bands, because quality of artistic expression does not scale with money. But the market of publishers and recording companies is quite consolidated, because money buys more efficiency there.
> But the market of publishers and recording companies is quite consolidated, because money buys more efficiency there.
Not quite. Publishing/recording depends on specific laws (intellectual property) to disable the competitive-market mechanisms. For example, copyright being extended to 95 years, but there are many other mechanisms surrounding copyrights that have enabled the current monopolies in publishing/recording.
That is true, but an unbridled capitalistic system that has relatively weak controls for protection of the commens DOES lead to such things frequently. I am not against capitalism, but against the form of capitalism we have today, which is focused on arbitrary and endless growth with relatively little controls to prevent pathologies like Google.
> big tech has commoditized the internet so much into a platform for consumerism that it becomes a valuable target for spam.
What? Spam existed long before the big tech was around (admittedly the first Spam was probably from DEC, but before 'big internet tech' existed anyway) - it grew because of the amount of people/consumers on the internet. And credit where credits due: getting rid of spam was very time consuming until Google came out with one of the first effective filters.
> the internet would be much better if none of the big players ever entered it, including Google, Facebook, Yahoo, etc,
How this could have been possible? Like there must have been some outside regulations in the late 90s/early 2000s. Maybe as an effect of the dotcom bubble?
Also it’s a good theory but doesn’t fit the capitalist
picture at all.
There was no option due to lack of upload bandwidth for individuals at their home. And CGNAT.
If there had been significant populations with sufficient upload capacity, and ipv6, then there could have been a market for network devices that operated out of people’s homes under their own control.
Not that this would have ensured that big players would not exist, but it could have technically allowed a solution to be innovated.
The other option I can think of is a federal government provided email utility using post offices for identity verification and stiff penalties for spam/malware, to create a “trusted“ network, as opposed to using opaque processes from Google/Apple/Microsoft/Meta to create a “trusted” network.
For running mail you don’t need upload bandwidth, and in my country certainly outside of mobile, CG nat isn’t a thing. Static IPs tend to cost a pound or two more a month from many ISPs but not all.
20 years ago, and of course before then in the dialup age, your ISP operated your mail, so there was plenty of competition. Free at the point of use mail which meant you weren’t locked to a single ISP so there were benefits, but the big benefit was the unlimited space that the funding of companies like google allowed for, they could muscle in and knock out competition.
Eventually isps stopped providing as demand was tiny and the cost outweighed it. Same with things like nntp servers.
I pay a couple of quid a month to Zoho to provide my mail, off my own domain. Obviously I have static ip4 and 6 addresses from my ISP, but I’m happy to outsource as long as the cost is transparent and I’m not locked in, so I do. Part of that is to fund companies which are better armed to fight against monopolistic email practices than I am on my own.
There are other suppliers I can shift to by moving my MX records and updating a couple of TXTs, but there’s no need to at the moment.
> For running mail you don’t need upload bandwidth, and in my country certainly outside of mobile, CG nat isn’t a thing. Static IPs tend to cost a pound or two more a month from many ISPs but not all.
The thing is it cannot just be mail thing, to make it economically and time wise worth it. I can pay relatively little per month and have Apple/Google/Microsoft to take care of all of my needs, from email to file syncing to photo and phone backups, with the big risk that I can get arbitrarily locked out at any given moment.
But to offset this convenience, people would need an all in one, easy to setup, plug and play device that does it all. Something like a Synology NAS, where all they have to do is answer a few prompts about their domain and at most, swap in and out HDD when and if the disks or the NAS fail.
I ran into this issue several years ago. After complaining, MS allowed me to send email to MS properties (hotmail, live.com), but continued to block my email to their Office 365 clients.
I now use AWS SES to handle mail delivery. It's free for up to 200 daily messages which is fine for me.
Is this mira of a U.S. centric problem? I selfhost my mail in Germany, have one at a smaller mail provider and never had problems.
It is also not uncommon for companies to either have a local Exchange Server or use the mail service at their hosting provider. If everything is configured correctly, delivery works fine.
Your experience may not be typical. I ran mail servers before office 365 was a thing, and I often had to get off block lists. There are stories on HN about it being worse, now that you have to request unblocking from MS and Google. Yours is the first comment that doesn't complain.
Nah, I have the same experience as the GP, and in every HN thread about email self-hosting, there are a number of comments along the lines of “I’ve been self-hosting my email for 10-20 years and never had any problems”. My SME employer also self-hosts without issues.
Experiences obviously differ, but it’s unclear where the differences stem from, apart from long-term IP reputation.
> Yours is the first comment that doesn't complain.
It is potentially more of those with problems are more likely to speak up than everyone else just posting "works fine for me" a thousand times over.
I haven't had much deliverability problems with self-hosted things. I set it up right, and I get the emails I expected to get. So there's now two of us saying "works fine for me."
I haven't ever heard of them asking money for delisting. Surprising. Considering their track record it must be serious. A bulletproof host range? Traffic from those is absolutely guilty by association as the hosts are enabling abusive behaviour.
> Traffic from those is absolutely guilty by association as the hosts are enabling abusive behaviour.
I guess if you would be barred from entering Walmart because you live on the same street as someone with 'abusive behaviour' you would be 'oh, yes, totally my fault, sorry for disturbing you'.
Side note - the privacy consent is downright aggressive. If you want to remove your consent you have to unselect 100+ checkboxes for each of the partners, whereas accepting is a simple "accept all". I bypassed using reading mode, but darn...
I think that governments should offer one free email account per citizen for life. Which you could use or not, but is there for you as a digital inbox… which are the options?
- Self hosting is a bit elitist - not for the masses.
- A paid-for option (proton, tutta,…) would be cataloged as elitist. People perceive email as free.
- A free option provided by a Corporate player will gravitate towards monopolies and lack of privacy.
- A free for life government issued, easy to recover digital point of contact where all your government interactions are pointed towards would be a great step. You could still have a separate one if you don’t trust big brother, but at least your “recovery” address would be secure for life.
Estonia has personalidentificationcode@eesti.ee and registrycode@eesti.ee, which you are supposed to set up to forward to your actual email aadress. Unfortunately these are restricted for use by governmental agencies for important official notifications (e.g. you're being conscripted, your marital status changed, something has changed in regard to a property you own). [0]
You could create a public alias of the form firstname.lastname.n@eesti.ee, but creation of those was ended in 2018 and they were shutdown in November 2023. [1]
> Unfortunately these are restricted for use by governmental agencies for important official notifications (e.g. you're being conscripted, your marital status changed, something has changed in regard to a property you own).
When your marital status changes, isn't that a notification that goes from you to the government, and not the other way around?
Your tax codes aren’t going to update the minute you say your vows. Someone needs to do that on the other side and let you know when it’s been processed.
I guess it depends if the government recognizes the marriage date that is declared, or the date that they process it (if the marriage was not in front of an official).
Divorce date can be pretty random, since it's rarely done live by a judge/official.
The marital example is something I came up with, but not actually sure if that happens as I haven't gotten married myself. But it sounds something like that would exist so you can react to someone faking your identity and registering a
fictive marriage with someone in your name.
> Remember when the US gov did that with a number? The SSN?
The problem is that the SSN is treated as a password when it should be treated as username.
Knowing first.last at gmail.com gives you nothing much, security-wise. Knowing I'm 123456789 at ssn.usps.com wouldn't be that much different, though given the limited search space, it would be an easy target for spammers. (Perhaps expanding from nine digits to something bigger (16+, see perhaps ISO/IEC 7812) would be useful, though there'd have to be a lot of work to update systems, even though they're not short of numbers.)
I was thinking more along the line of walking to your local Goverment office and validate your ID.
Many countries offer digital IDs to interact with them. And a (cumbersome vs digital but fast Vs traditional government processes) way of unlocking it. It would be just offering a email inbox linked to it.
In Spain we have an Inbox from the DMV for fines, one with the Tax authority, one with local government… these are messaging boards inboxes. The move to a single digital inbox could help streamline many government processes.
Yes, I agree. In fact I'm also Spanish and the solution felt as obvious as it would be in Spain. The reason I suggested the (US) passport analogy was to make it as relatable as possible to the American audience of HN :-)
Yeah it was so much better keeping a book of letters from creditors that you showed to any future creditor to show trustworthy-ness.
Whatever mess you think SSNs have caused by their unintended use outweighs the previous system. The simple test for that is, why do people use SSNs as it's not legally required for anything but USG interactions.
> The simple test for that is, why do people use SSNs as it's not legally required for anything but USG interactions.
Because if I want to open a bank account, rent an apartment, or get a mortgage, the other party requires me to give them my SSN, on the assumption that it is a valid unique key for tracking debt payment reliability.
It doesn’t matter that the SSN is only legally required for interactions with the US government. When housing is a human necessity, and all sources of housing require a SSN, then using a SSN is not a choice from which one can infer preferences.
Companies ask for the SSN because its so much more efficient than their previous systems.
They already did debt repayment without SSNs; it's just easier with one. The existence of fraud with a SSN doesn't mean there wasn't fraud without one; and if there was more fraud now then companies would abandon asking for SSNs.
You might not like SSNs but their existence has been a benefit not a detriment to the USA.
All that test confirms is that when every company requires them to do business, one can no longer accomplish anything financial without submitting an SSN to a third party. I guess one could choose to only ever be self-employed, take no loans, and use Mattress Bank.
The purpose of an LLC/Corporation (the Company) is to provide a corporate veil from the managing directors. In such situation, an SSN is not required, but most businesses will then require the Company's Tax Identification Number (TIN) which effectively provides the same identification value as an SSN. Going down that route, the Company itself can take loans and transact with both domestic and international banks.
This would probably work in a lot of European countries or places with high levels of government trust. I could see the German post office for example offering something like this and getting wide acceptance.
You’ll have a lot of distrustful Americans commenting how terrible this idea is and the government can’t be trusted. They’d rather get it from a corporation and be subjected to unlimited surveillance capitalism and manipulation.
How does anyone have trust in their government besides to provide basic services? Every single government is hellbent on mass surveillance, and the EU is currently leading the way, not the US: https://www.eff.org/deeplinks/2023/11/article-45-will-roll-b...
How does anyone have trust in their governments to provide even basic services? Not where I live.
Still, I'd prefer to try and fix it (for various levels of "fixing") than throw the baby with the bathwater. It's an imperfect system but trusting a corporation is no better.
Do you not make the distinction between government and state in your language?
The government usually provide little service, but the state do. The question whether you trust it as a single entity is a bit hard to understand. Do you mean trust that my father gets his pension? Or that my kids get a good education? Or that my neighbor who is a doctor can provide decent health care?
I probably trust some of those more and some less, depending on the circumstance. But basing trust on funding model seems intellectually .. challenging. Would I trust a university teacher more if the employer is not a state university? Would I trust a policeman more if working for a private security company?
Not likely. Trust is based on other factors, including reputation and competence.
In American English, government and state (in the sense you mean it) are synonyms.
Other countries seem to think of the government as "the current ruling party coalition members holding ministerial positions", so it would be inappropriate to refer to say, the driver's license bureau as "the government", but in the US, you'd never limit the sense of government in that way - you'd say something like "the administration" if you wanted to refer to the federal head of state and department heads, but the current federal executive, the US Congress, your local driver's license bureau, your tax assessor, your state environmental agency are all "the government" in the US.
This is something that comes to mind whenever I hear about a local government doing a monoboly-busting effort to provide internet connectivity to their city, county, etc. I know their heart's probably in the right place, but I don't want the government to have a plug in the wall of my home that serves all of my communications and media.
"Think about the children" is pretty effective in Europe. They don't require to violate privacy when they could just make a law with popular support. They are pushing for all the messaging apps to provide unencrypted data to government.[1]
Yeah, the Germans have such a great reputation when it comes to trusting government. Many aren’t old enough to remember the fun of the Stasi and the West German equivalent, the BND. And let’s not forget the Nazis with their meticulous tracking and record keeping.
I really don't understand how people think government issues services have more privacy, when in reality it is the exact opposite. It didn't even take NSA leaks to know that government privacy violations are lot more both in terms of quantity and the impact. I would never use a government email if it is tied my real self.
At least in my country I know for a fact that data which should be legally private is used by political party plans and by the police.
I don’t trust them with privacy. But I don’t trust FAANG with that either.
But I do freak out about loosing my domain name where my email is hosted, or access to an iCloud / gmail account that a lot of services are anchored about.
Two months ago LinkedIn did not like me changing my 2FA client, and locked me out for a month. I have over 5.000 contacts and was chasing a few leads to change jobs. I can tell you is cold outside. Nobody provides support. I had to leverage a friend who knew someone at LinkedIn to sort it out. I hear being locked out of Google, MS and Meta is also bad.
I have an .ac account for life that is my “last resort” recovery, but having a government provided email for secure recovery purposes would feel reassuring.
That's fine. But they NEED to ban people using their service from spam else they would dominate. That is what people don't understand.
> but having a government provided email for secure recovery purposes would feel reassuring.
It depends on the country and the region, but I have faced issues multiple times with not able to make any progress with the government. It happened in much more important cases like passport, for which if something fails on their system, you are screwed.
Nobody provides support in government services as well unless it is required by law, and I have been locked out of government services. In countries like China, you could be locked out of government service if your credit score is low. In Sweden you could be locked out of it if you don't allow unions.
A paid-for option (proton, tutta,…) would be cataloged as elitist. People perceive email as free.
The era of Pii as a commodity is coming to a close. The writing is on the wall for this.
Once that happens, free email will vanish. Poof. Gone. So will many other "free" online things.
This period of most people getting free email is really quite short historically. A decade.
(Many people used to get email addresses from their ISP, which were part of their paid plan)
I wonder what will happen when gmail goes paid. It's going to happen, and I expect so regionally (eg, not the EU zone or some such) within 5 years.
A lot of people depend upon said free email, and as much as I dislike Google, they have absolutely zero obligation to give anything away.
They've spent the last few years moving classes of accounts to paid. They've been closing down accounts which seem dormant.
Soon... a year maybe?, I think we'll see some sort of precursor change. A reduction of storage for free accounts, or number of emails you can send, or something.
> This period of most people getting free email is really quite short historically. A decade.
I do agree from a long perspective free email has been somewhat short. But I'm not sure about scoping it to just a decade. It was easy to get a Gmail account in 2004, that's close to 20 years ago. And Gmail wasn't even the first free email host, loads of people used other free email services like Yahoo (1997), Hotmail (1996), Lycos (1997), and others. 1996-2024 is 28 years, close to three decades.
How poor are people that a low cost email service is too expensive? $5 a month for Europeans or Americans would be nothing. Think how much poor people spend on stamps.
In many cases is the expectation of the service being free…
If someone told you that checking the weather app is .50 usd per query, you probably would try to find a different alternative, as you expect it to be free.
well then however they are affording a mobile phone and the monthly service, they can probably figure out how to pay $5/month for email if they don't want to use one of the free options.
People can have an older phone, given free, cast off by people buying the latest-and-greatest, and use public wifi for everything. The phone can literally be free.
> - Self hosting is a bit elitist - not for the masses.
Is it? Most people, including nomads & unhoused, seem to have smartphones these days (at risk of theft, but arguably easily replaceable). And 4/5G/PublicWifi connectivity in urban areas is so saturated.
I wonder, is it reasonable for me to want government investment and legislation (but no other state interference) into some open source server project that we can run on our phones for this? (heck, give us mesh network functionality too while you're at it).
And am I reasonable in my (left-leaning thought) that, like sexual health consumables, mobile phones should be subsidised by tax revenue, along with other necessities/'empowering tools'?
You can’t realistically host an email server on your phone, which is what is meant. For that to work, your phone would need to be able to be woken up (to handle receiving a message) by arbitrary parties on the internet at any time, which is generally considered undesirable, quite apart from the bother caused by your phone ever being offline (sender’s server will keep retrying every so often for a couple of days, sender will generally be notified of this each time—and note the problem of the sender’s phone-hosted mail server being offline too if that’s what you were doing).
> You can’t realistically host an email server on your phone, which is what is meant. For that to work, your phone would need to be able to be woken up (to handle receiving a message)...
What you have described is normal behavior for a modern wireless device.
Temporary interruptions occur regularly, a reason for which store and forward designs feature in email servers to this day.
The problem to overcome is not temporary disruption but addressing.
The modern wireless device communicates regularly in this way with one trusted, well-known, well-behaving service. That’s very different from allowing anyone in the world to ping your phone and wake it up, at any time.
As a nomad, and someone who does run a self hosted mail server for fun, I don't think that's such a good idea. As mentioned, phones can be stolen or broken or just off. Do I want to increase dependencies on phone further by it being the primary store for all my mails as well? Each platform, which is not using TOTP MFA would still depend on email OTPs and so with a broken phone one completely loses access. With TOTPs atleast I get to save a few recovery codes.
The cost of losing a phone would mean losing all that data as well. Now, one could say we could and should keep backups. Then, comes the cost of losing access to new mails while the phone is incapicitated. Then, even setting up of email server on a phone with dynamic IP is a whole can of worms in itself and let's go with the easiest solution of using a VPN. So, now we need a VPN, a backup solution and a device to quickly accept emails when the primary device is down. Aren't we just building remote mail servers now? I do have a cloud instance serving my own email but do we expect most users to handle the infra? So now for making it easier for everyone and amortizing the costs let's start offering a solution where multiple people can run email accounts in a single server. Now we have gmail and other providers.
I suppose I haven't been fully compelled by any of these replies (but I don't have anything compelling in return). Sorry, my lack of knowledge is the failure here (Dunning Kruger effect: I don't see why dynamic IPs / mac addresses / OTP / VPN / encryption are real insurmountable issues here)
Also nomadic, also in tech - And I would happily run a mail server on my phone, sacrifice thickness of phone for the extra necessary battery life, and keep a spare phone somewhere for quick restore/swap (I have a spare old android I keep in case I break my current one, which I can keep at a friend's place, an Airbnb or a subscription locker / safe.
What's the alternative being proposed though, Google et al? Or a home server (I have no home)? Or still free market, but providers are smaller businesses that are more heavily legislated and are watched over by the state to ensure our data is safe? I'm just not sure 'where' my data+computing should be, other than right next to me in my pocket (but then where do my backups go?).
Sorry for the appalling and directionless writing, it's just that everything just seems to circle back to the solution being: *'two small portable battery operated wireless devices that we have control of and the big providers do not have access to; keep one of them on our person and one in another safe place for DR purposes.'*
I think there are more effective ways for governments to intervene. There are essentially two separate issues:
1) Permanent allocation of names and numbers
2) Interoperability standards and rights allowing us to link names and numbers to service contracts.
Once these issues are regulated in a consumer/citizen friendly way (like they did with phone numbers in the UK), governments could provide some sort of default service on top of it, but in my view this is not the most important part.
A crucial difference being that the government option is publicly funded and ideally does not have an incentive to sell their users' souls in exchange for shareholder profits.
You'd still need to be able to block these addresses or at least have a reputation system for them, otherwise telemarketers would just tank their own reputation for some sales, or people would pay the homeless to sign up and let them send spam via their digital inbox.
Yeah, just like how physical mail works. Nobody ever has to deal with spam in their physical mailbox. (/s)
That just becomes marketing budget for spammers (which is to say, those for whom email is a component of a revenue stream), and a layer of cost friction for everyone else — meaning that you only really reduce the percentage of email that's actually sincere, non-"hustle"-driven communication.
I get less junk mail than junk email. The ratio of legitimate correspondence to junk seems way better as well, or do I have to take the measurement from after the spam filter?
I disagree. I don't believe that would solve spam you would just force the spammers to use much more aggressive tactics. If you introduce a fee to email you're only hurting the people who actively communicate back and forth via email as a primary method. Mailing lists anyone?
Spammers will take your $0.02 fee per email as an operational expense. Most spam is not sent by the spammers themselves from their own servers but are instead relayed through a third party who handles the delivery part on their behalf who are paid money to run these spam campaigns through their servers instead anyways so they are already paying a fee, this is just an extra cost on top of what they are already paying to do it.
How much is the cost of the third party now compared to how much it would be when there is a 2 cent per email overhead?
I had a look at legit services, Sender will let me do 30k emails at around $15/mo. If I can assume that's representative, I only need the profit multiplied by probability of a sale to beat $0.0005 to make money. If I had to beat $0.02, I would need to increase the odds, perhaps by sending only to interested parties. Or somehow drastically increase my profit margins by 40x without reducing the probability of a sale.
We would simply have far less spam with a per email fee.
> If you introduce a fee to email you're only hurting the people who actively communicate back and forth via email as a primary method. Mailing lists anyone?
So don't require a stamp for email sent from one of your contacts, or from a mailing list you're subscribed to. No reason email from everyone in the world needs to be treated equally.
With Twitter being worse than ever while also implementing the paid-for blue check, I'm no longer convinced that nominal costs solve much of anything. Maybe it's a different model (per email vs per account w/ Twitter), but I feel like scammers/phishers would pay the premium.
While extremely idealist and would never happen in practice, I think I'd rather see a provider that enforces KYC-esque requirements and is a closed iMessage-esque system. I took my phone number off my main mobile device due to spam (pretty much everyone I know has an iPhone) and have not looked back since.
If I want privacy, I'll self-host. If I don't care, I'll use the monopoly.
Hum, maybe finally a good use of a distributed, append-only database (like blockchain)?
Reputation ledger where reported spam takes a lot off (say 100 units), sending an email costs little (1 unit), and possibly a way to earn more reputation by not having particular email be reported as spam (1.1 units back after 2 weeks for every sent email).
To enter the system, you need to start with at least 1000 units.
I definitely don’t like government being involved with that. Because it would evolve into “you must use your official government provided email address for <whatever>.” And once that address gets out there, you’ll be spammed your entire life because companies and governments and credit bureaus and other potentially annoying actors would know that’s “your” email address. Hard pass.
I tried searching around to see if USPS offered hosting an email address in the same way I can have mail delivered to a physical address and I was unable to find it.
USPS provides postal mail to all citizens. All government business can be conducted through the mail. If the government provides email should they also provide phone, fax, and chat services?
Sure, although I think the utility of a communications network capable of receiving and sending documents within a country is very well proven to be a benefit to society, so any comparison to something less battle tested seems unnecessary.
It makes no sense that in the physical world, we entrust government with identity verification and transmitting correspondence, but that trust is somehow lost in the digital world.
I think the utility of a social communications network capable of receiving and sending updates within a country is a very well proven benefit to society, so any attempt to draw a line between email and social updates seems unnecessary.
Each US citizen deserves access to a public network to express their First Amendment right without moderation.
> Each US citizen deserves access to a public network to express their First Amendment right without moderation.
Sure, make access to the internet an inalienable right also, but web hosting and domains are cheap enough that that should suffice. The network is the internet, and if people want to visit your website to see what you are saying, they can.
Well, the government owned physical mail service worked pretty well for a few centuries, so... Not much?
Now, of course, you shouldn't be organizing a criminal conspiracy or in general much anti-government protests over the mail or government-downed email. But the majority of communication is quite benign, and so having a government email for the 80% use case (bills, party invites, holiday wishes, etc) would be great. You can use a separate service for your more sensitive communication.
I mean, iirc in the USA the postal service is a consitutionally mandated service. So this could be (legally) done "overnight" simply by defining electronic mail sevice as a form of postal service. Plus that would be an email service subject to the privacy protections of the USPS.
Agreed. Though to be clear, I meant legal right to privacy, not necessarily in practice. The USPS cannot legally open mail without a warrant, whereas any LEO can legally just ask google for access to your emails and google can legally just give it to them.
You can complain on the forums about how unfair life is, how incompetent companies are, fight every provider to prove your reputation until cows come home,… Or you can pay someone to handle that for you. It’s a no-brainer. The whole discussion is moot.
You pay your plumber to plumb, your builder to build, and email delivery company to deliver your emails. Trying to DYI everything is a waste of everyone’s time.
1. Visit https://olcsupport.office.com/ and submit the complaint.
2. Wait for the auto-reply, followed by the "Nothing was detected" email.
3. Reply to the latter with "Escalate" in the body.
Within a day, they hammer shit in place and the block is removed.