On 05/20/2013 08:48 PM, Tom Metro wrote:
> Steven M Jones wrote:
>> For home I use SA, Spamhaus' Zen RBL, and a greylisting milter with
>> sendmail as the underlying MTA. Works pretty darned well.
>
> I imagine that the already small population of geeky people who ran mail
> servers for personal use has gotten even smaller.
True enough - many I know who did have dropped to just a mailbox
integrated with their mobile device, or have parked their domain at
Google. I would have expected more BBLISA subscribers to be so inclined,
as an opportunity to maintain their skills and do a little
experimentation outside of the office. But then, I suppose most places
are using Exchange, an appliance, or a hosted solution, and perhaps this
specialty isn't even relevant to most sysadmins any more.

> One remaining use case for self-hosting is privacy. Any time you
> outsource your data to the cloud, you're relying on people you don't
> know to implement security, and resist social engineering exploits.
> Plus, recent court cases have suggested that in some cases the
> government can consider mail stored in the cloud as abandoned if it has
> been read and is more than 90 days old, and thereby access it without a
> warrant or notice.

If the government wants it, you must assume they already have it. The
folks at the Associated Press might have a few recent thoughts to share
on such matters...

No, it's the question of commercial exploitation that stands out in my
mind. Have you watched the online ads follow you from website to
website, when you aren't using any tracking countermeasures? Anything
that can be gleaned from the contents of your email or the patterns of
activity it reflects is just more grist for the ad targeting and user
profiling mill.

No real complaints about Google on that score, really - at least they
tell you what they're going to do with whatever data you store with
them. Facebook seems more insidious to me, since they just talk about
having you come play with your friends online. Well, always remember:
If you aren't the customer, you're the product.

> Obviously the challenge is determining who a client is, with IP address,
> as guided by SPF, being the likely choice. Though what about clients
> that don't use SPF?
>
> The very type of senders you'll want to receive mail from, like large
> banks, are notoriously bad at making use of "new" tech, like SPF. (They
> even have a tendency to outsource their mail to 3rd parties that send it
> using the provider's servers and domains. Great way to train your
> customers to ignore important signs that a message might be a phishing
> attempt.)

Well, funny you should mention that. One of the reasons I run my own
servers is to be able to fiddle with email authentication.

But in line with your first theme, the largest mailbox providers -
Microsoft/Hotmail, AOL, GMail, Yahoo - are in fact trying to lead the
way. Have a look at DMARC.org, and note that all of these providers have
implemented DMARC. And some of the largest banks are doing so from the
sender side, as well as eBay/Paypal and LinkedIn.

DMARC allows the domain owner to coordinate with the mail receiver and
leverage SPF and/or DKIM in order to block messages trying to use the
domain owner's domain without authorization. There can be issues around
third party senders, but they aren't really that hard to resolve.

The fact is that the best and/or largest of these services have come up
to speed and will try to educate their customers if anybody there is
willing to listen. I wouldn't suggest things are great, but they are
improving.

--S.

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
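Added illustration, not part of the list message above and not code from DMARC.org: a small model of the receiver-side DMARC evaluation the reply refers to, where a message passes only if SPF or DKIM passes and the authenticated domain aligns (strictly or relaxed) with the RFC5322.From domain, and the published policy (p=) decides what happens otherwise. DNS lookups are replaced by an in-memory table of constructed `_dmarc` records, the organizational-domain rule is a two-label simplification of the Public Suffix List, and all sample messages and domain names are constructed. The third-party-sender cases show why the reply calls those issues resolvable: a relaxed policy accepts an aligned subdomain, while a strict policy needs the third party to authenticate as the exact From domain.

```python
"""Model of DMARC (RFC 7489) alignment and policy evaluation.

Added example for this thread, not the list's or DMARC.org's code. DNS is
replaced by DMARC_RECORDS (constructed); organizational_domain() is a
two-label simplification of the Public Suffix List rule (assumption).
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the _dmarc.<from-domain> TXT lookups a receiver
# would perform. Keys are From domains, values are the published records.
DMARC_RECORDS: Dict[str, str] = {
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bank.example",
    "shop.example": "v=DMARC1; p=quarantine; pct=100",  # relaxed alignment (default)
    "noreply.example": "v=DMARC1; p=none",              # monitor only
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Last two labels; a real receiver consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class Message:
    from_domain: str            # RFC5322.From domain shown to the user
    spf_result: str             # "pass" / "fail" / "none"
    spf_domain: Optional[str]   # RFC5321.MailFrom domain that SPF checked
    dkim_result: str            # "pass" / "fail" / "none"
    dkim_domain: Optional[str]  # d= tag of the DKIM signature


def evaluate_dmarc(msg: Message, records: Dict[str, str] = DMARC_RECORDS) -> Dict[str, str]:
    """Return the DMARC result and the disposition the receiver should apply."""
    record = records.get(msg.from_domain.lower())
    if record is None:
        return {"dmarc": "none", "disposition": "deliver", "reason": "no policy published"}
    policy = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, policy["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM")}
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "deliver")
    return {"dmarc": "fail", "disposition": disposition,
            "reason": "no aligned authenticated identifier; p=" + policy["p"]}


if __name__ == "__main__":
    samples = [  # all constructed
        Message("bank.example", "pass", "bank.example", "pass", "bank.example"),
        Message("bank.example", "pass", "mailer.example", "none", None),         # unauthorized use of the From domain
        Message("bank.example", "pass", "bounce.bank.example", "none", None),    # third party, strict policy
        Message("shop.example", "pass", "bounce.shop.example", "none", None),    # third party, relaxed policy
        Message("noreply.example", "fail", None, "fail", None),                  # p=none: report, still deliver
    ]
    for m in samples:
        print(m.from_domain, evaluate_dmarc(m))
```

Under the strict bank policy the third-party bounce subdomain fails and the message is rejected, whereas the same arrangement passes for the shop domain's relaxed policy; the usual remedy for the strict case is to have the third party DKIM-sign with d= set to the exact From domain.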
