Re: [AFMUG] mail servers

2023-03-12 Thread Steve Jones
When we migrated our on prem server to a hosting service we didn't want to
have every customer have to reset their passwords (it's easier to walk
grandma ethel through changing a server name than changing a password), so we
sniffed port 25 for a long time collecting usernames and passwords (our box
didn't store them in plain text).
It was hard to not eyeball more than just the usernames and passwords. I
ended up doing a filter to take away the temptations.

We were going to do a port 25 block to clean up our IP reputation, but when
we sniffed again there was still a crazy amount of email still on port 25
and it wasn't worth the hassle at the time since there are so many users
that just don't want to get with the times or used antiquated servers (like
mail.com and sherweb in regard to dkim) and use secure transports

On Sun, Mar 12, 2023 at 3:20 PM Chuck McCown via AF  wrote:

> Back in the day, just sniffing the ethernet would get you all the email
> flying around your company.  Was kinda fun.
> I know one guy that would purposely jam another’s outgoing email.
>
> Once he detected who it was from he would just turn on transmit.  This was
> on a CSMA/CD coaxial network.
>
> *From:* Forrest Christian (List Account)
> *Sent:* Sunday, March 12, 2023 2:01 PM
> *To:* AnimalFarm Microwave Users Group
> *Subject:* Re: [AFMUG] mail servers
>
> Internet email isn't anonymous,  never was.  Even in the early days.
> There has always been a multitude of ways to track email back to the origin
> server.  And there has been a multitude of ways to obfuscate but not hide
> that origin.
>
> Any anonymity you may have is based on the origin server either not
> knowing or not being willing to disclose that information.  Every email
> received generally will be able to be tracked back to the origin server,
> with the caveat that sometimes the owner of the origin server will be
> unable to be determined since any random person can spin up a server, send
> mail,  and drop off the planet.
>
> Note that spf and dmarc don't validate the user.   They only validate that
> the email originated from servers known to send mail for a given domain and
> provide some cryptographic assurance of that fact. It's a way for
> legitimate companies to ensure that email that appears to come from them
> actually comes from them and for companies like google to be able to reject
> what appear to be emails with spoofed sender information.
>
>
>
> On Sun, Mar 12, 2023, 3:17 PM Jan-GAMs  wrote:
>
>> Because 45 years ago my company was connected to the rest of itself via
>> the arpanet and they promised us on a stack of bibles that those who used
>> the email system would always remain anonymous.  Of course, then later they
>> published a 5,000 page phone book with all our emails associated with our
>> work addresses for over 50,000 employees.  I printed it out and put it in a
>> 3-ring binder and put it in the computer room where the other users could
>> use it.  Back then we had these machines called an Alto and each user had
>> this big plastic cartridge with a huge disk in it.  If I recall, this
>> generated a lawsuit, because they promised us that no-one would ever know
>> our email address associated with our work phone, work address, etc... .
>> It wasn't true then and it still isn't true.  But that can't make it, the
>> promise, unsaid.
>> On 3/12/23 09:47, Steve Jones wrote:
>>
>> wtf, where did you get that email was designed for anonymity?
>>
>> This is getting to some Qanon level right here
>>
>> On Sun, Mar 12, 2023 at 11:40 AM Jan-GAMs  wrote:
>>
>>> good question Forrest.  mail.com provides several hundred domains to
>>> choose from and use and easily works with thunderbird as well as most other
>>> email reader applications.  Plus it's free.  All Google is doing is
>>> monopolizing email.  Email was originally designed to be used by arpanet to
>>> be free/open/anonymous and to still be functional even after a global war.
>>> Using spf/dkim removes the anonymous.  I don't think that's right.  I also
>>> think that since you have just shown me how easy it is to send fake mail,
>>> it also seems it could be about as easy to add a fake spf/dkim into it with
>>> a little more python scripting.  End result is now google knows exactly who
>>> you are and who you're sending to and the spam filters are broken because
>>> now we'll have verified spam mail.
>>>
>>> Who are you?  Who do you know?  What is the content?  Where is your
>>> privacy?
>>>
>>> Problems with the ease of Telnetting spoof mail: I do not know anyone
>>> who has their very own homemade mail server, plus, I do not know anyone who
>>> has actually built and setup successfully a homebrew DIY email server.  I
>>> do know lots of people who have tried to do so, including myself.  It's way
>>> easier to buy it as a service and then it gets expensive.  Another problem
>>> is most of the free email servers won't allow users to send more than 10
>>> emails at a time and you have to wait up to 

Re: [AFMUG] mail servers

2023-03-12 Thread Mike Hammett
"The cloud is the future" 


It certainly isn't. It's largely a fad that already has people removing the 
wool from their eyes and moving on. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Darin Steffl"  
To: "AnimalFarm Microwave Users Group"  
Sent: Saturday, March 11, 2023 6:43:59 PM 
Subject: Re: [AFMUG] mail servers 


Jan, 


Most of the links you shared aren't of Google being hacked, but people being 
scammed/phished. Tricking a user into sharing their login info means the user 
was scammed, not that google was hacked. ONE link you shared says less than 24 
gmails in Iran were hacked somehow. None of your links share that google has 
had a massive data breach at any time. That's not to say it can't/won't happen 
but there's been no big hacks at Google as far as I can remember. 


I stand by my claim that you're being paranoid. I promise you that mail.com or 
hosting your own email is far less secure and more easily hacked than Google 
is. Do you have thousands of engineers working to keep your data secure? That 
answer is NO. I am not delusional enough to think that hosting my own Linux 
server for email will be more secure than Google. There's no way I can outsmart 
hackers, keep updated on hourly or daily updates and patches, etc. Nor do I 
want to do that when I can outsource to a company that does it much better than 
I do. 


I don't host a single server for our WISP in 11 years in business and I won't 
be starting today. The cloud is the future and keeps me hands off on servers 
and software. If there's a problem, it's someone else's job to fix it and my 
only job is to report the issue. What if I'm on vacation and I had one or more 
servers that failed? Now that's my job to fix things while I'm supposed to be 
off the clock. I don't need that kind of stress in my life so I refuse to host 
any servers that are mission critical to my business. The only thing resembling 
a server would be our Preseem appliance but we have backup OSPF routes around 
it in case that fails. 


Our billing system is Azotel and they have hosted it in the cloud for us since 
we started 11 years ago. Total downtime in 11 years is under 1 hour. Not every 
cloud service is that reliable. They handle the multiple backups and securing 
of the servers too. Slack, for example, has probably had 12 hours of downtime 
or subpar performance in the 5 years we've used it but it still was an issue I 
didn't have to fix myself. 


On Sat, Mar 11, 2023 at 2:31 PM Steve Jones < thatoneguyst...@gmail.com > 
wrote: 



I like dmarc since you get to dictate the strictness and get reports on your 
overall deliverability 


On Fri, Mar 10, 2023 at 7:44 PM Darin Steffl < darin.ste...@mnwifi.com > wrote: 



Jan, 


I don't recall any hacks or data breaches to Google at all. I've seen plenty of 
other platforms with breaches like t-mobile but Google is pretty secure. I 
think you're acting a little paranoid in protecting your phone number. I can 
pay some online service and get your home address, phone numbers, and social 
security number if I wanted to. This information that you think is very secure 
is almost public knowledge for a fee. 


As others have said, DKIM/SPF are industry standards, not Google, and they're 
pretty old at this point. DMARC is newer, to me at least, in the last several 
years so not every platform gives much weight to this but DKIM and SPF is a 
must nowadays for any email provider. 


On Fri, Mar 10, 2023, 4:03 PM Josh Baird < joshba...@gmail.com > wrote: 



DKIM/SPF/DMARC aren't "made-up standards" from Google. 


On Fri, Mar 10, 2023 at 4:31 PM Jan-GAMs < j.vank...@grnacres.net > wrote: 




I don't see how you come to the conclusion that my paid for mail service is 
supposed to have recently imposed made-up standards from google that comply 
only with google as some sort of long-standing standard. It's a recent standard 
imposed by google. And I'm never going to willingly give google my phone number 
so that when they get hacked again the hackers will have my email and my phone 
number. Why don't I just broadcast on some public website my social security 
number too? Yeah, tiktok or twitter, give them my phone number, ssi, home 
address, all my emails along with my real name. Because when you give google 
your phone number, they now have exactly who you are and access to all your 
private info. How many times in the last couple years has google been hacked? 
Constantly! I am not going to freely give this shit to them. 
Well, I'm wrong, you're right. When I bought the phone, google forced me into 
an email address as part of using the phone. I never use that email and I 
refuse to login to anything using that email. Other than that I don't know how 
to tell them to sit on a sharp stick and twirl. 

On 3/10/23 12:02, Steve Jones wrote: 



if you had followed your email provider's instructions, you wouldn't 

Re: [AFMUG] mail servers

2023-03-12 Thread Mike Hammett
"I can assure you Gmail doesn't block emails that are..." 


I can assure you that they do. Scale is hard. The Mailops mailing list has a 
lot of traffic regarding the big mail providers epically failing at mail 
constantly. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Darin Steffl"  
To: "AnimalFarm Microwave Users Group"  
Sent: Friday, March 10, 2023 11:57:00 AM 
Subject: Re: [AFMUG] mail servers 


I've never heard of mail.com but I can assure you Gmail doesn't block emails 
that are legitimate and follow proper SPF and DKIM configurations. 


I receive all emails from people I'm expecting to receive. The only ones that 
end up in spam seem to "host" their own email and don't follow best practices 
for outgoing emails. 


On Fri, Mar 10, 2023, 11:33 AM Steve Jones < thatoneguyst...@gmail.com > wrote: 



i got your spam emails this morning 




On Fri, Mar 10, 2023 at 11:04 AM < dmmoff...@gmail.com > wrote: 






Apparently nobody on gmail has noticed 



From: AF < af-boun...@af.afmug.com > On Behalf Of Jan-GAMs 
Sent: Friday, March 10, 2023 10:32 AM 
To: af@af.afmug.com 
Subject: Re: [AFMUG] mail servers 

All mail.com users cannot send you email. How many others are blocked as well? 
Oblivion, must be sweet. 

On 3/9/23 20:14, Darin Steffl wrote: 



Gmail is the best. Been using them for our business since 2012. Virtually no 
issues at all aside from a handful of short outages over the last 11 years. 



It's hands off, costs very little, and I've NEVER needed to contact them for 
support. We also use Google drive and their version of office apps in the 
cloud. We don't store any files locally at all. All business docs are at Google 
and they're safe there and they handle the backups. 



I don't see any advantage to hosting local email on your own server. It's not 
worth your time. My time is worth $550/hr roughly when looking at net profit so 
spending even one hour a year trying to manage or fix my own email server would 
cost me more than what I pay Google. 



We're grandfathered in and think we get 10 free users for gsuite and I pay to 
upgrade storage to 100gb on 2-3 users so we pay less than $60 a year to Google 
for everything. Dirt cheap and great peace of mind. 



This is relating to our internal business use. For customer email, we never 
offered it and never will. Just recommend a free Gmail account and go live your 
best life not having to support email. 



On Thu, Mar 9, 2023, 8:47 PM Steve Jones < thatoneguyst...@gmail.com > wrote: 



O365 handles SMTP relay for scanners and such really well, we just dealt with 
it a bunch. authenticated IP. I don't scan to a flatbed because the Edsel was 
before my time :-) 









On Thu, Mar 9, 2023 at 1:03 PM Chuck McCown via AF < af@af.afmug.com > wrote: 








I prefer to have it in house for the 10-20 email addresses it serves for 
employees and other business email addresses. It is free that way and we don’t 
have to worry about anything else. But for some reason the server hangs and 
needs to get rebooted, usually about the same time each day. 



Google got difficult, especially for email chains and other things so we 
stopped using them some time ago. For example, our scanner stopped being able 
to send emails due to something gmail did. 






From: Steve Jones 

Sent: Thursday, March 9, 2023 11:24 AM 

To: AnimalFarm Microwave Users Group 

Subject: Re: [AFMUG] mail servers 




How much is your time worth? The free internal server is costing you this. We 
are still using rackspace for subscriber mail and our office emails since it's 
the same domain and a pita to set up split routing for the mail. The cost of our 
mail is covered by the folks who have dropped service but wanted to keep their 
email, we actually make a tidy profit to cover any administrative stuff. 



for my business I use google. 6 bucks a month per user. The way I look at it is 
if I'm not making 6 bucks per guy a month I have bigger problems than my email. 
I'm a nerd, 20 years ago dicking around with email servers would have been a 
blast. but now it's like maintaining a battery powered inverter just so I can 
still use my corded drill. I can, it will work, it's not that complicated, but 
it's nonetheless a dumb waste of time. 



dealing with hosting email servers is a total waste of any resources unless 
you're monetizing it. too large an attack vector 




On Thu, Mar 9, 2023 at 10:18 AM Chuck McCown via AF < af@af.afmug.com > wrote: 







It is only for our own company email. No customers on it. 










From: Tyson Burris 

Sent: Thursday, March 9, 2023 7:37 AM 

To: AnimalFarm Microwave Users Group 

Subject: Re: [AFMUG] mail servers 




Surgemail is exactly what I used. Seemed to be a good product. 

Tyson Burris, President 
Internet Communications Inc. 
739 Commerce Dr. 
Franklin, IN 46131 

Office # 317-738-0320 
Cell/Direct # 317-412-1540 
Online: 

Re: [AFMUG] mail servers

2023-03-12 Thread Robert Andrews

Who remembers a famous USENET author that had:

A host is a host from coast to coast

(what was the next line?)

As part of their signature..  Not the copycats, but the original...



On 3/12/23 13:13, Chuck McCown via AF wrote:
Back in the day, just sniffing the ethernet would get you all the email 
flying around your company.  Was kinda fun.

I know one guy that would purposely jam another’s outgoing email.
Once he detected who it was from he would just turn on transmit.  This 
was on a CSMA/CD coaxial network.

*From:* Forrest Christian (List Account)
*Sent:* Sunday, March 12, 2023 2:01 PM
*To:* AnimalFarm Microwave Users Group
*Subject:* Re: [AFMUG] mail servers
Internet email isn't anonymous,  never was.  Even in the early days.   
There has always been a multitude of ways to track email back to the 
origin server.  And there has been a multitude of ways to obfuscate but 
not hide that origin.
Any anonymity you may have is based on the origin server either not 
knowing or not being willing to disclose that information.  Every email 
received generally will be able to be tracked back to the origin 
server,  with the caveat that sometimes the owner of the origin server 
will be unable to be determined since any random person can spin up a 
server, send mail,  and drop off the planet.
Note that spf and dmarc don't validate the user.   They only validate 
that the email originated from servers known to send mail for a given 
domain and provide some cryptographic assurance of that fact. It's a way 
for legitimate companies to ensure that email that appears to come from 
them actually comes from them and for companies like google to be able 
to reject what appear to be emails with spoofed sender information.



On Sun, Mar 12, 2023, 3:17 PM Jan-GAMs  wrote:

Because 45 years ago my company was connected to the rest of itself
via the arpanet and they promised us on a stack of bibles that those
who used the email system would always remain anonymous.  Of course,
then later they published a 5,000 page phone book with all our
emails associated with our work addresses for over 50,000
employees.  I printed it out and put it in a 3-ring binder and put
it in the computer room where the other users could use it.  Back
then we had these machines called an Alto and each user had this big
plastic cartridge with a huge disk in it.  If I recall, this
generated a lawsuit, because they promised us that no-one would ever
know our email address associated with our work phone, work address,
etc... .  It wasn't true then and it still isn't true.  But that
can't make it, the promise, unsaid.

On 3/12/23 09:47, Steve Jones wrote:

wtf, where did you get that email was designed for anonymity?
This is getting to some Qanon level right here
On Sun, Mar 12, 2023 at 11:40 AM Jan-GAMs wrote:

good question Forrest. mail.com  provides
several hundred domains to choose from and use and easily
works with thunderbird as well as most other email reader
applications.  Plus it's free.  All Google is doing is
monopolizing email.  Email was originally designed to be used
by arpanet to be free/open/anonymous and to still be
functional even after a global war.  Using spf/dkim removes
the anonymous.  I don't think that's right.  I also think that
since you have just shown me how easy it is to send fake mail,
it also seems it could be about as easy to add a fake spf/dkim
into it with a little more python scripting.  End result is
now google knows exactly who you are and who you're sending to
and the spam filters are broken because now we'll have
verified spam mail.

Who are you?  Who do you know?  What is the content? Where is
your privacy?

Problems with the ease of Telnetting spoof mail: I do not know
anyone who has their very own homemade mail server, plus, I do
not know anyone who has actually built and setup successfully
a homebrew DIY email server.  I do know lots of people who
have tried to do so, including myself.  It's way easier to buy
it as a service and then it gets expensive.  Another problem
is most of the free email servers won't allow users to send
more than 10 emails at a time and you have to wait up to an
hour before you can send 10 more.  That's why I tried to build
my own, just so I could send customers the monthly billing
automatically.  I even hired a programmer who said he had done
it before, he failed.

On 3/12/23 07:32, Forrest Christian (List Account) wrote:

I can insert a spoofed email using only telnet to port 25 on
a mail server in about 30 seconds not counting the time it
takes to type the message itself. Basically you telnet to
port 25, issue four commands (HELO, 

Re: [AFMUG] mail servers

2023-03-12 Thread Robert Andrews
The original Usenet email had the actual path to a major server (ATT, 
UCB, UCSB, etc... ) in the beginning of every email address, pretty hard 
not to know the path of the users back then...


On 3/12/23 13:01, Forrest Christian (List Account) wrote:
Internet email isn't anonymous,  never was.  Even in the early days.  
  There has always been a multitude of ways to track email back to the 
origin server.  And there has been a multitude of ways to obfuscate but 
not hide that origin.


Any anonymity you may have is based on the origin server either not 
knowing or not being willing to disclose that information.  Every email 
received generally will be able to be tracked back to the origin 
server,  with the caveat that sometimes the owner of the origin server 
will be unable to be determined since any random person can spin up a 
server, send mail,  and drop off the planet.


Note that spf and dmarc don't validate the user.   They only validate 
that the email originated from servers known to send mail for a given 
domain and provide some cryptographic assurance of that fact. It's a way 
for legitimate companies to ensure that email that appears to come from 
them actually comes from them and for companies like google to be able 
to reject what appear to be emails with spoofed sender information.




On Sun, Mar 12, 2023, 3:17 PM Jan-GAMs wrote:


Because 45 years ago my company was connected to the rest of itself
via the arpanet and they promised us on a stack of bibles that those
who used the email system would always remain anonymous.  Of course,
then later they published a 5,000 page phone book with all our
emails associated with our work addresses for over 50,000
employees.  I printed it out and put it in a 3-ring binder and put
it in the computer room where the other users could use it.  Back
then we had these machines called an Alto and each user had this big
plastic cartridge with a huge disk in it.  If I recall, this
generated a lawsuit, because they promised us that no-one would ever
know our email address associated with our work phone, work address,
etc... .  It wasn't true then and it still isn't true.  But that
can't make it, the promise, unsaid.

On 3/12/23 09:47, Steve Jones wrote:

wtf, where did you get that email was designed for anonymity?

This is getting to some Qanon level right here

On Sun, Mar 12, 2023 at 11:40 AM Jan-GAMs <j.vank...@grnacres.net> wrote:

good question Forrest. mail.com  provides
several hundred domains to choose from and use and easily
works with thunderbird as well as most other email reader
applications.  Plus it's free.  All Google is doing is
monopolizing email.  Email was originally designed to be used
by arpanet to be free/open/anonymous and to still be
functional even after a global war.  Using spf/dkim removes
the anonymous.  I don't think that's right.  I also think that
since you have just shown me how easy it is to send fake mail,
it also seems it could be about as easy to add a fake spf/dkim
into it with a little more python scripting.  End result is
now google knows exactly who you are and who you're sending to
and the spam filters are broken because now we'll have
verified spam mail.

Who are you?  Who do you know?  What is the content? Where is
your privacy?

Problems with the ease of Telnetting spoof mail: I do not know
anyone who has their very own homemade mail server, plus, I do
not know anyone who has actually built and setup successfully
a homebrew DIY email server.  I do know lots of people who
have tried to do so, including myself. It's way easier to buy
it as a service and then it gets expensive.  Another problem
is most of the free email servers won't allow users to send
more than 10 emails at a time and you have to wait up to an
hour before you can send 10 more.  That's why I tried to build
my own, just so I could send customers the monthly billing
automatically. I even hired a programmer who said he had done
it before, he failed.

On 3/12/23 07:32, Forrest Christian (List Account) wrote:

I can insert a spoofed email using only telnet to port 25 on
a mail server in about 30 seconds not counting the time it
takes to type the message itself. Basically you telnet to
port 25, issue four commands (HELO, MAIL FROM, RCPT TO,
DATA), and then type the message itself.

Spoofing email in an automated way only takes some basic
python skills.   Like I could teach anyone with a bit of
computer experience how to do it in about an hour or so. 
This python script can run on anything that runs python,
which is pretty much any 

Re: [AFMUG] mail servers

2023-03-12 Thread Mike Hammett
Proxmox Mail Gateway and Zimbra. Kick your feet up and move on with life. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Chuck McCown via AF"  
To: af@af.afmug.com 
Cc: "Chuck McCown"  
Sent: Wednesday, March 8, 2023 5:05:45 PM 
Subject: [AFMUG] mail servers 




We are having trouble with mailcow. Anything better out there? It hangs all the 
time these days. 

-- 
AF mailing list 
AF@af.afmug.com 
http://af.afmug.com/mailman/listinfo/af_af.afmug.com 



Re: [AFMUG] mail servers

2023-03-12 Thread Chuck McCown via AF
Back in the day, just sniffing the ethernet would get you all the email flying 
around your company.  Was kinda fun.  
I know one guy that would purposely jam another’s outgoing email.  

Once he detected who it was from he would just turn on transmit.  This was on a 
CSMA/CD coaxial network.  

From: Forrest Christian (List Account) 
Sent: Sunday, March 12, 2023 2:01 PM
To: AnimalFarm Microwave Users Group 
Subject: Re: [AFMUG] mail servers

Internet email isn't anonymous,  never was.  Even in the early days.   There 
has always been a multitude of ways to track email back to the origin server.  
And there has been a multitude of ways to obfuscate but not hide that origin. 

Any anonymity you may have is based on the origin server either not knowing or 
not being willing to disclose that information.  Every email received generally 
will be able to be tracked back to the origin server,  with the caveat that 
sometimes the owner of the origin server will be unable to be determined since 
any random person can spin up a server, send mail,  and drop off the planet. 

Note that spf and dmarc don't validate the user.   They only validate that the 
email originated from servers known to send mail for a given domain and provide 
some cryptographic assurance of that fact. It's a way for legitimate companies 
to ensure that email that appears to come from them actually comes from them 
and for companies like google to be able to reject what appear to be emails 
with spoofed sender information. 





On Sun, Mar 12, 2023, 3:17 PM Jan-GAMs  wrote:

  Because 45 years ago my company was connected to the rest of itself via the 
arpanet and they promised us on a stack of bibles that those who used the email 
system would always remain anonymous.  Of course, then later they published a 
5,000 page phone book with all our emails associated with our work addresses 
for over 50,000 employees.  I printed it out and put it in a 3-ring binder and 
put it in the computer room where the other users could use it.  Back then we 
had these machines called an Alto and each user had this big plastic cartridge 
with a huge disk in it.  If I recall, this generated a lawsuit, because they 
promised us that no-one would ever know our email address associated with our 
work phone, work address, etc... .  It wasn't true then and it still isn't 
true.  But that can't make it, the promise, unsaid.


  On 3/12/23 09:47, Steve Jones wrote:

wtf, where did you get that email was designed for anonymity? 

This is getting to some Qanon level right here

On Sun, Mar 12, 2023 at 11:40 AM Jan-GAMs  wrote:

  good question Forrest.  mail.com provides several hundred domains to 
choose from and use and easily works with thunderbird as well as most other 
email reader applications.  Plus it's free.  All Google is doing is 
monopolizing email.  Email was originally designed to be used by arpanet to be 
free/open/anonymous and to still be functional even after a global war.  Using 
spf/dkim removes the anonymous.  I don't think that's right.  I also think that 
since you have just shown me how easy it is to send fake mail, it also seems it 
could be about as easy to add a fake spf/dkim into it with a little more python 
scripting.  End result is now google knows exactly who you are and who you're 
sending to and the spam filters are broken because now we'll have verified spam 
mail.  


  Who are you?  Who do you know?  What is the content?  Where is your 
privacy?


  Problems with the ease of Telnetting spoof mail: I do not know anyone who 
has their very own homemade mail server, plus, I do not know anyone who has 
actually built and setup successfully a homebrew DIY email server.  I do know 
lots of people who have tried to do so, including myself.  It's way easier to 
buy it as a service and then it gets expensive.  Another problem is most of the 
free email servers won't allow users to send more than 10 emails at a time and 
you have to wait up to an hour before you can send 10 more.  That's why I tried 
to build my own, just so I could send customers the monthly billing 
automatically.  I even hired a programmer who said he had done it before, he 
failed.  


  On 3/12/23 07:32, Forrest Christian (List Account) wrote:

I can insert a spoofed email using only telnet to port 25 on a mail 
server in about 30 seconds not counting the time it takes to type the message 
itself. Basically you telnet to port 25, issue four commands (HELO, MAIL FROM, 
RCPT TO, DATA), and then type the message itself.  

Spoofing email in an automated way only takes some basic python skills. 
  Like I could teach anyone with a bit of computer experience how to do it in 
about an hour or so.  This python script can run on anything that runs python, 
which is pretty much any general purpose computing device.

So it is ridiculously cheap and easy to spoof email. 

The reason it is so easy is that email by itself has 

Re: [AFMUG] mail servers

2023-03-12 Thread Forrest Christian (List Account)
Internet email isn't anonymous,  never was.  Even in the early days.
 There has always been a multitude of ways to track email back to the
origin server.  And there has been a multitude of ways to obfuscate but not
hide that origin.

Any anonymity you may have is based on the origin server either not knowing
or not being willing to disclose that information.  Every email received
generally will be able to be tracked back to the origin server,  with the
caveat that sometimes the owner of the origin server will be unable to be
determined since any random person can spin up a server, send mail,  and
drop off the planet.

Note that spf and dmarc don't validate the user.   They only validate that
the email originated from servers known to send mail for a given domain and
provide some cryptographic assurance of that fact. It's a way for
legitimate companies to ensure that email that appears to come from them
actually comes from them and for companies like google to be able to reject
what appear to be emails with spoofed sender information.



On Sun, Mar 12, 2023, 3:17 PM Jan-GAMs  wrote:

> Because 45 years ago my company was connected to the rest of itself via
> the arpanet and they promised us on a stack of bibles that those who used
> the email system would always remain anonymous.  Of course, then later they
> published a 5,000 page phone book with all our emails associated with our
> work addresses for over 50,000 employees.  I printed it out and put it in a
> 3-ring binder and put it in the computer room where the other users could
> use it.  Back then we had these machines called an Alto and each user had
> this big plastic cartridge with a huge disk in it.  If I recall, this
> generated a lawsuit, because they promised us that no-one would ever know
> our email address associated with our work phone, work address, etc... .
> It wasn't true then and it still isn't true.  But that can't make it, the
> promise, unsaid.
> On 3/12/23 09:47, Steve Jones wrote:
>
> wtf, where did you get that email was designed for anonymity?
>
> This is getting to some Qanon level right here
>
> On Sun, Mar 12, 2023 at 11:40 AM Jan-GAMs  wrote:
>
>> good question Forrest.  mail.com provides several hundred domains to
>> choose from and use and easily works with thunderbird as well as most other
>> email reader applications.  Plus it's free.  All Google is doing is
>> monopolizing email.  Email was originally designed to be used by arpanet to
>> be free/open/anonymous and to still be functional even after a global war.
>> Using spf/dkim removes the anonymous.  I don't think that's right.  I also
>> think that since you have just shown me how easy it is to send fake mail,
>> it also seems it could be about as easy to add a fake spf/dkim into it with
>> a little more python scripting.  End result is now google knows exactly who
>> you are and who you're sending to and the spam filters are broken because
>> now we'll have verified spam mail.
>>
>> Who are you?  Who do you know?  What is the content?  Where is your
>> privacy?
>>
>> Problems with the ease of Telnetting spoof mail: I do not know anyone who
>> has their very own homemade mail server, plus, I do not know anyone who has
>> actually built and setup successfully a homebrew DIY email server.  I do
>> know lots of people who have tried to do so, including myself.  It's way
>> easier to buy it as a service and then it gets expensive.  Another problem
>> is most of the free email servers won't allow users to send more than 10
>> emails at a time and you have to wait up to an hour before you can send 10
>> more.  That's why I tried to build my own, just so I could send customers
>> the monthly billing automatically.  I even hired a programmer who said he
>> had done it before, he failed.
>> On 3/12/23 07:32, Forrest Christian (List Account) wrote:
>>
>> I can insert a spoofed email using only telnet to port 25 on a mail
>> server in about 30 seconds not counting the time it takes to type the
>> message itself. Basically you telnet to port 25, issue four commands (HELO,
>> MAIL FROM, RCPT TO, DATA), and then type the message itself.
>>
>> Spoofing email in an automated way only takes some basic python skills.
>>  Like I could teach anyone with a bit of computer experience how to do it
>> in about an hour or so.  This python script can run on anything that runs
>> python, which is pretty much any general purpose computing device.
>>
>> So it is ridiculously cheap and easy to spoof email.
>>
>> The reason it is so easy is that email by itself has zero authentication
>> of origin and an open, plaintext, protocol.
>>
>> The purpose of spf/dkim/dmarc is to add a level of authentication
>> information to at least be able to reject some spoofed emails.
>>
>> What that Google bounce says is that there is something in the mail.com
>> email which doesn't match the spf/dmarc/dkim records.  I'm not 100% sure
>> but it seems to not be happy with the linuxmail.org domain being inside
>> 

Re: [AFMUG] mail servers

2023-03-12 Thread Darin Steffl
You can't spoof SPF or DKIM unless you also have access to a domain's dns
records.

On Sun, Mar 12, 2023, 2:17 PM Jan-GAMs  wrote:

> Because 45 years ago my company was connected to the rest of itself via
> the arpanet and they promised us on a stack of bibles that those who used
> the email system would always remain anonymous.  Of course, then later they
> published a 5,000 page phone book with all our emails associated with our
> work addresses for over 50,000 employees.  I printed it out and put it in a
> 3-ring binder and put it in the computer room where the other users could
> use it.  Back then we had these machines called an Alto and each user had
> this big plastic cartridge with a huge disk in it.  If I recall, this
> generated a lawsuit, because they promised us that no-one would ever know
> our email address associated with our work phone, work address, etc... .
> It wasn't true then and it still isn't true.  But that can't make it, the
> promise, unsaid.
> On 3/12/23 09:47, Steve Jones wrote:
>
> wtf, where did you get that email was designed for anonymity?
>
> This is getting to some Qanon level right here
>
> On Sun, Mar 12, 2023 at 11:40 AM Jan-GAMs  wrote:
>
>> good question Forrest.  mail.com provides several hundred domains to
>> choose from and use and easily works with thunderbird as well as most other
>> email reader applications.  Plus it's free.  All Google is doing is
>> monopolizing email.  Email was originally designed to be used by arpanet to
>> be free/open/anonymous and to still be functional even after a global war.
>> Using spf/dkim removes the anonymous.  I don't think that's right.  I also
>> think that since you have just shown me how easy it is to send fake mail,
>> it also seems it could be about as easy to add a fake spf/dkim into it with
>> a little more python scripting.  End result is now google knows exactly who
>> you are and who you're sending to and the spam filters are broken because
>> now we'll have verified spam mail.
>>
>> Who are you?  Who do you know?  What is the content?  Where is your
>> privacy?
>>
>> Problems with the ease of Telnetting spoof mail: I do not know anyone who
>> has their very own homemade mail server, plus, I do not know anyone who has
>> actually built and setup successfully a homebrew DIY email server.  I do
>> know lots of people who have tried to do so, including myself.  It's way
>> easier to buy it as a service and then it gets expensive.  Another problem
>> is most of the free email servers won't allow users to send more than 10
>> emails at a time and you have to wait up to an hour before you can send 10
>> more.  That's why I tried to build my own, just so I could send customers
>> the monthly billing automatically.  I even hired a programmer who said he
>> had done it before, he failed.
>> On 3/12/23 07:32, Forrest Christian (List Account) wrote:
>>
>> I can insert a spoofed email using only telnet to port 25 on a mail
>> server in about 30 seconds not counting the time it takes to type the
>> message itself. Basically you telnet to port 25, issue four commands (HELO,
>> MAIL FROM, RCPT TO, DATA), and then type the message itself.
>>
>> Spoofing email in an automated way only takes some basic python skills.
>>  Like I could teach anyone with a bit of computer experience how to do it
>> in about an hour or so.  This python script can run on anything that runs
>> python, which is pretty much any general purpose computing device.
>>
>> So it is ridiculously cheap and easy to spoof email.
>>
>> The reason it is so easy is that email by itself has zero authentication
>> of origin and an open, plaintext, protocol.
>>
>> The purpose of spf/dkim/dmarc is to add a level of authentication
>> information to at least be able to reject some spoofed emails.
>>
>> What that Google bounce says is that there is something in the mail.com
>> email which doesn't match the spf/dmarc/dkim records.  I'm not 100% sure
>> but it seems to not be happy with the linuxmail.org domain being inside
>> the email record.
>>
>> How are the mail.com emails being generated?  Are they through a web
>> server client on mail.com?  If not, where?  And are the emails from a
>> mail.com address or are you just using mail.com to relay mail from
>> another domain?
>>
>>
>>
>> On Sun, Mar 12, 2023, 1:20 AM Jan-GAMs  wrote:
>>
>>> I can't recall ever using telnet for anything recent, it's ancient,
>>> doesn't work with anything much in todays world.  How would this be useful
>>> in sending email?
>>> On 3/11/23 21:36, Steve Jones wrote:
>>>
>>> telnet is fancy expensive equipment needed to spoof email? Ive never
>>> paid for telnet
>>>
>>> On Sat, Mar 11, 2023 at 10:48 PM Jan-GAMs 
>>> wrote:
>>>
>>>> You see, that's exactly where we part ways.  Engulf and Devour was the
>>>> villain corporation in the Silent Movie by Mel Brooks.  Every time I saw
>>>> that movie, I couldn't help but think of Microsoft and Google slicing up
>>>> the planet for themselves.  Gives me 

Re: [AFMUG] mail servers

2023-03-12 Thread Forrest Christian (List Account)
I've run, successfully,  my own email server.  It isn't that hard.  Had to
in the early days.   Pain in the ass to maintain  and manage,  yes. Pain to
get running,  not so much.   It's a big enough pain to run on an ongoing
basis that I choose to pay someone else to do it nowadays.

As far as anonymous email goes. It isn't a big impact in that anyone can
register their own domain with privacy enabled or otherwise identity
hidden.

It's difficult to spoof dkim in particular because you have to sign each
email with the private key which has the Public key registered in DNS.   So
you send an email, and your email server has to sign it with the correct
key for the origin domain. That way you know the email originated from a
trusted server for the domain.   That's the real point of dkim...  ensuring
the email origin matches the header information.   It isn't about removing
privacy, it's about preventing someone from pretending to be a domain which
they aren't.

I took a bit closer look at your email bounce.

Is your wife's email @mail.com or @linuxmail.org?

If it's @mail.com, you may want to check the envelope sender settings in
the email client.

What appears to be happening here is Google is getting a message which
seems to be from @linuxmail.org but can't verify that the source IP is
correct.  However the origin IP is correct for @mail.com, so if your wife's
email is @mail.com, this might be as simple as fixing the envelope sender
in the client.   If that isn't it,  then you may want to verify your
outbound mail server setting.

If this is via a web client, then mail.com needs to fix their email
settings.   They're sending this mail into Google with @linuxmail.org
addresses which don't have any spf and dkim records,  and worse,
linuxmail.org is listed in numerous spam blackhole lists.

On Sun, Mar 12, 2023, 12:40 PM Jan-GAMs  wrote:

> good question Forrest.  mail.com provides several hundred domains to
> choose from and use and easily works with thunderbird as well as most other
> email reader applications.  Plus it's free.  All Google is doing is
> monopolizing email.  Email was originally designed to be used by arpanet to
> be free/open/anonymous and to still be functional even after a global war.
> Using spf/dkim removes the anonymous.  I don't think that's right.  I also
> think that since you have just shown me how easy it is to send fake mail,
> it also seems it could be about as easy to add a fake spf/dkim into it with
> a little more python scripting.  End result is now google knows exactly who
> you are and who you're sending to and the spam filters are broken because
> now we'll have verified spam mail.
>
> Who are you?  Who do you know?  What is the content?  Where is your
> privacy?
>
> Problems with the ease of Telnetting spoof mail: I do not know anyone who
> has their very own homemade mail server, plus, I do not know anyone who has
> actually built and setup successfully a homebrew DIY email server.  I do
> know lots of people who have tried to do so, including myself.  It's way
> easier to buy it as a service and then it gets expensive.  Another problem
> is most of the free email servers won't allow users to send more than 10
> emails at a time and you have to wait up to an hour before you can send 10
> more.  That's why I tried to build my own, just so I could send customers
> the monthly billing automatically.  I even hired a programmer who said he
> had done it before, he failed.
> On 3/12/23 07:32, Forrest Christian (List Account) wrote:
>
> I can insert a spoofed email using only telnet to port 25 on a mail server
> in about 30 seconds not counting the time it takes to type the message
> itself. Basically you telnet to port 25, issue four commands (HELO, MAIL
> FROM, RCPT TO, DATA), and then type the message itself.
>
> Spoofing email in an automated way only takes some basic python skills.
>  Like I could teach anyone with a bit of computer experience how to do it
> in about an hour or so.  This python script can run on anything that runs
> python, which is pretty much any general purpose computing device.
>
> So it is ridiculously cheap and easy to spoof email.
>
> The reason it is so easy is that email by itself has zero authentication
> of origin and an open, plaintext, protocol.
>
> The purpose of spf/dkim/dmarc is to add a level of authentication
> information to at least be able to reject some spoofed emails.
>
> What that Google bounce says is that there is something in the mail.com
> email which doesn't match the spf/dmarc/dkim records.  I'm not 100% sure
> but it seems to not be happy with the linuxmail.org domain being inside
> the email record.
>
> How are the mail.com emails being generated?  Are they through a web
> server client on mail.com?  If not, where?  And are the emails from a
> mail.com address or are you just using mail.com to relay mail from
> another domain?
>
>
>
> On Sun, Mar 12, 2023, 1:20 AM Jan-GAMs  wrote:
>
>> I can't recall ever using telnet for 

Re: [AFMUG] mail servers

2023-03-12 Thread Chuck McCown via AF
Punchcards buttons and switches.

Sent from my iPhone

On Mar 12, 2023, at 8:55 AM, Bill Prince  wrote:

CLI rules.

--
bp
part15sbs{at}gmail{dot}com

On Sun, Mar 12, 2023 at 7:34 AM Forrest Christian (List Account)  wrote:

I can insert a spoofed email using only telnet to port 25 on a mail server in about 30 seconds not counting the time it takes to type the message itself. Basically you telnet to port 25, issue four commands (HELO, MAIL FROM, RCPT TO, DATA), and then type the message itself.

Spoofing email in an automated way only takes some basic python skills.   Like I could teach anyone with a bit of computer experience how to do it in about an hour or so.  This python script can run on anything that runs python, which is pretty much any general purpose computing device.

So it is ridiculously cheap and easy to spoof email.

The reason it is so easy is that email by itself has zero authentication of origin and an open, plaintext, protocol.

The purpose of spf/dkim/dmarc is to add a level of authentication information to at least be able to reject some spoofed emails.

What that Google bounce says is that there is something in the mail.com email which doesn't match the spf/dmarc/dkim records.  I'm not 100% sure but it seems to not be happy with the linuxmail.org domain being inside the email record.

How are the mail.com emails being generated?  Are they through a web server client on mail.com?  If not, where?  And are the emails from a mail.com address or are you just using mail.com to relay mail from another domain?

On Sun, Mar 12, 2023, 1:20 AM Jan-GAMs  wrote:

I can't recall ever using telnet for anything recent, it's ancient, doesn't work with anything much in todays world.  How would this be useful in sending email?

On 3/11/23 21:36, Steve Jones wrote:

telnet is fancy expensive equipment needed to spoof email? Ive never paid for telnet

On Sat, Mar 11, 2023 at 10:48 PM Jan-GAMs  wrote:

You see, that's exactly where we part ways.  Engulf and Devour was the villain corporation in the Silent Movie by Mel Brooks.  Every time I saw that movie, I couldn't help but think of Microsoft and Google slicing up the planet for themselves.  Gives me diarrhea just thinking about those two companies.

You have to have some pretty fancy expensive equipment just to spoof email, so why bother?  It's not the little folk who are doing the spoofing.  So when they get all us little folk passing on all our secrets of our little lives.  Then the spoofers will start using fake SPF/DKIM and then we're right back to as much or more SPAM as ever.  Problem will be worse than ever.

On 3/11/23 18:07, Darin Steffl wrote:

I was curious so found that Gmail started requiring emails sent to personal Gmail to have SPF or DKIM enabled or emails would be rejected or sent to spam. Good for them to drag the bad email hosts along for the ride in preventing spam.

These prevention measures are ridiculously easy to implement so I don't have any patience for email hosts who don't set them up. If you can't handle simple tasks, outsource things to the big boys.

https://support.google.com/a/answer/174124?hl=en#:~:text=Important%3A%20Starting%20November%202022%2C%20new,to%20verify%20they're%20authenticated.

On Sat, Mar 11, 2023, 7:33 PM Matt Hopkins  wrote:

Do you use any Microsoft products? If you use Windows and care about data security then you've already failed. I find Microsoft the most deplorable, but I'm only one guy. I have to pick my battles. I refuse to use Microsoft (anything) but we use Gmail at work and it's more or less flawless. We have had some people report they can't reach us but the resolution is always what has already been mentioned here. Google made DKIM/SPF mandatory I want to say just a few months ago but many of the smaller mail providers do not


Re: [AFMUG] mail servers

2023-03-12 Thread Bill Prince
CLI rules.

--
bp
part15sbs{at}gmail{dot}com


On Sun, Mar 12, 2023 at 7:34 AM Forrest Christian (List Account) <
li...@packetflux.com> wrote:

> I can insert a spoofed email using only telnet to port 25 on a mail server
> in about 30 seconds not counting the time it takes to type the message
> itself. Basically you telnet to port 25, issue four commands (HELO, MAIL
> FROM, RCPT TO, DATA), and then type the message itself.
>
> Spoofing email in an automated way only takes some basic python skills.
>  Like I could teach anyone with a bit of computer experience how to do it
> in about an hour or so.  This python script can run on anything that runs
> python, which is pretty much any general purpose computing device.
>
> So it is ridiculously cheap and easy to spoof email.
>
> The reason it is so easy is that email by itself has zero authentication
> of origin and an open, plaintext, protocol.
>
> The purpose of spf/dkim/dmarc is to add a level of authentication
> information to at least be able to reject some spoofed emails.
>
> What that Google bounce says is that there is something in the mail.com
> email which doesn't match the spf/dmarc/dkim records.  I'm not 100% sure
> but it seems to not be happy with the linuxmail.org domain being inside
> the email record.
>
> How are the mail.com emails being generated?  Are they through a web
> server client on mail.com?  If not, where?  And are the emails from a
> mail.com address or are you just using mail.com to relay mail from
> another domain?
>
>
>
> On Sun, Mar 12, 2023, 1:20 AM Jan-GAMs  wrote:
>
>> I can't recall ever using telnet for anything recent, it's ancient,
>> doesn't work with anything much in todays world.  How would this be useful
>> in sending email?
>> On 3/11/23 21:36, Steve Jones wrote:
>>
>> telnet is fancy expensive equipment needed to spoof email? Ive never paid
>> for telnet
>>
>> On Sat, Mar 11, 2023 at 10:48 PM Jan-GAMs  wrote:
>>
>>> You see, that's exactly where we part ways.  Engulf and Devour was the
>>> villain corporation in the Silent Movie by Mel Brooks.  Every time I saw
>>> that movie, I couldn't help but think of Microsoft and Google slicing up
>>> the planet for themselves.  Gives me diarrhea just thinking about those two
>>> companies.
>>>
>>> You have to have some pretty fancy expensive equipment just to spoof
>>> email, so why bother?  It's not the little folk who are doing the
>>> spoofing.  So when they get all us little folk passing on all our secrets
>>> of our little lives.  Then the spoofers will start using fake SPF/DKIM and
>>> then we're right back to as much or more SPAM as ever.  Problem will be
>>> worse than ever.
>>> On 3/11/23 18:07, Darin Steffl wrote:
>>>
>>> I was curious so found that Gmail started requiring emails sent to
>>> personal Gmail to have SPF or DKIM enabled or emails would be rejected or
>>> sent to spam. Good for them to drag the bad email hosts along for the ride
>>> in preventing spam.
>>>
>>> These prevention measures are ridiculously easy to implement so I don't
>>> have any patience for email hosts who don't set them up. If you can't
>>> handle simple tasks, outsource things to the big boys.
>>>
>>>
>>> https://support.google.com/a/answer/174124?hl=en#:~:text=Important%3A%20Starting%20November%202022%2C%20new,to%20verify%20they're%20authenticated
>>> .
>>>
>>> On Sat, Mar 11, 2023, 7:33 PM Matt Hopkins 
>>> wrote:
>>>
>>>> Do you use any Microsoft products? If you use Windows and care about
>>>> data security then you've already failed. I find Microsoft the most
>>>> deplorable, but I'm only one guy. I have to pick my battles. I refuse to
>>>> use Microsoft (anything) but we use Gmail at work and it's more or less
>>>> flawless. We have had some people report they can't reach us but the
>>>> resolution is always what has already been mentioned here. Google made
>>>> DKIM/SPF mandatory I want to say just a few months ago but many of the
>>>> smaller mail providers do not have it set up yet.
>>>>
>>>> On Sat, Mar 11, 2023, 4:49 PM Darin Steffl 
>>>> wrote:
>>>>
>>>>> Jan,
>>>>>
>>>>> Most of the links you shared aren't of Google being hacked, but people
>>>>> being scammed/phished. Tricking a user into sharing their login info means
>>>>> the user was scammed, not that google was hacked. ONE link you shared says
>>>>> less than 24 gmails in Iran were hacked somehow. None of your links share
>>>>> that google has had a massive data breach at any time. That's not to say it
>>>>> can't/won't happen but there's been no big hacks at Google as far as I can
>>>>> remember.
>>>>>
>>>>> I stand by my claim that you're being paranoid. I promise you that
>>>>> mail.com or hosting your own email is far less secure and more easily
>>>>> hacked than Google is. Do you have thousands of engineers working to keep
>>>>> your data secure? That answer is NO. I am not delusional enough to think
>>>>> that hosting my own Linux server for email will be more secure than Google.
>>>>> There's no