Monday, September 11, 2023

Today in E-mail Hegemony

Jamie Zawinski (Mastodon):

People keep telling me how email is a great federation success story.


Here’s the current top ten from the last ~2 years since our post-lockdown re-opening[…]

Gmail and Yahoo are dominant, and there is still a large number of AOL users in his audience, which likely skews more technical.

Also, my spell checker thingy won’t let you hit “Purchase” with an invalid TLD, and yet, I have 56 orders from gmail.con. There is no .con TLD yet, I checked, though I would not have placed bets on that. So how did those get through? JavaScript turned off? Nope. Every one of them was via Apple Pay, which does not do the typo check as Apple tells us the email directly.

It looks like Apple Pay lets you enter an e-mail address that’s different from the one used by your Apple ID, and Apple doesn’t verify it.

Update (2023-10-10): I saw first-hand, as people upgraded to SpamSieve 3, that many people have entered e-mail addresses into Apple Pay that are defunct or were never valid in the first place.
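As an added example (not code from Zawinski's store or from this blog), here is a Python version of the kind of check he describes: reject an address whose TLD is not on a known list, and suggest the domain the customer probably meant. The TLD set and the common-domain list are constructed stand-ins; a real deployment would load the current IANA root zone list.

```python
import re
from difflib import get_close_matches

# Constructed stand-in for the IANA root zone list (assumption: a real
# deployment loads the full, current list instead of this short set).
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "io", "me"}

# Constructed list of high-volume mail domains used for typo suggestions.
COMMON_DOMAINS = ["gmail.com", "yahoo.com", "aol.com", "icloud.com",
                  "hotmail.com", "outlook.com"]

LOCAL_PART = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")


def check_address(addr):
    """Return {'ok': bool, 'reason': str, 'suggestion': str or None}.

    'suggestion' is filled in when the domain is a near-miss of a common
    mail domain (gmail.con -> gmail.com), whether or not the TLD is valid.
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        return {"ok": False, "reason": "must contain exactly one @", "suggestion": None}
    local, domain = addr.split("@")
    domain = domain.lower().rstrip(".")
    if not local or not LOCAL_PART.match(local):
        return {"ok": False, "reason": "invalid local part", "suggestion": None}
    labels = domain.split(".")
    if len(labels) < 2 or any(not lbl or len(lbl) > 63 for lbl in labels):
        return {"ok": False, "reason": "malformed domain", "suggestion": None}

    # Near-miss detection: roughly one character off from a well-known domain.
    suggestion = None
    close = get_close_matches(domain, COMMON_DOMAINS, n=1, cutoff=0.85)
    if close and close[0] != domain:
        suggestion = local + "@" + close[0]

    tld = labels[-1]
    if tld not in KNOWN_TLDS:
        return {"ok": False, "reason": "unknown TLD ." + tld, "suggestion": suggestion}
    return {"ok": True, "reason": "", "suggestion": suggestion}
```

As the post notes, a check on the order form only covers the form path; an address handed over by Apple Pay bypasses it, so the same check belongs server-side before the address is trusted.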

6 Comments

Speaking of checking e-mail address validity, I'm honestly shocked after all these years I have yet to realize any problems with the fact my "real" e-mail address (at least the one my provider thinks is real) has literally never been used by anyone but myself. This is to protect it from spam. 100% of the e-mail addresses on my domain that I use are actually aliases that redirect to my real address, including the one I give just to friends and family for personal use. Then there are tons of additional aliases named for various businesses, e.g. bizname@mydomain{dot}net. If I get spam to one of those aliases, (1) I can simply kill that alias without having to give a new address everywhere else, and (2) I know which business to ream out for selling my information. Yes, this has happened at least twice. And yes, both of them tried to deny selling my (alias) e-mail address which had literally never been typed/used anywhere other than their web site. Sure, it's a small hassle to set up a new alias when needed, but cPanel offers a nifty iOS app that lets me take care of it pretty quickly. But my original point was: I'm truly curious how much longer I can get away with sending messages with my e-mail apps configured with my default alias instead of the real address. On the other hand, when the day comes that e-mail apps *must* be configured with a real working address, that's probably also the day that spam will radically reduce. It occurs to me I'm pretty much doing exactly the same thing spammers do, but their purpose is malicious and my purpose is combating the malice.

@Lee I don’t think what you’re doing (and I have done similar) is in any danger. This is not really the same as what spammers do, since they wouldn’t be SPF-verified for your domain (unless your credentials are stolen).

gmail is definitely trying to de-federate email. And they use the spammers as a hammer to do it.

I have a domain name for my extended family, and run an email server for them, and it's becoming harder and harder to do. Because of Google, I've had to add SPF for the domain name, which is a nightmare as they all use different servers to send their email, so they won't be able to send email from a local server while traveling for example, and if they change providers they'll have to let me know, and that is aside from the fact that SPF breaks mail servers resending your email as well. So basically, to placate Google, I have to break other normal email services. Which is fine with Google, because they want it all broken unless you're using gmail.

Andrew Abernathy

I take advantage of Apple Pay's ability to provide arbitrary email addresses, and I wish it were much easier. I do something like what Lee describes, except it seems they create explicit aliases whereas mine are implicit via a catch-all domain. I can still block an address if desired, and this lets me track where my address is being passed around (or stolen), though I admit to having given the wrong address on a few occasions, which prevents me from being 100% certain about who is at fault if one of the addresses gets abused. (Mail could make this much nicer if it knew about my catch-all domain, so when I replied to an email that was addressed to my catch-all, the From could be automatically set up to match. Similarly, it would be super helpful if it were easy to type in an email address for an Apple Pay transaction, but also it verified that it was either a real address, or from a catch-all domain that I'd told Apple Pay about.)

An extra frustration I often run into is when a web site asks for my email address, then when I try to check out with Apple Pay, they've requested an email address with the Apple Pay transaction as well, so I still have to go through the edit rigamarole. GoFundMe is an example which springs to mind.

Well, yes. And? If, instead of whimpering plaintively about this situation, we actually helped folks change it for the better, we'd not find ourselves in this malaise. Just getting people to own their own domains (as suggested by others here) is a really excellent start; solving deliverability issues both comes with the territory of running a mail server and gets easier with hoster diversity (DIY and paid plans). Honestly, we really must get away from this appalling fatalism. It's bad for the soul and completely unnecessary.

Speaking for myself, I find the biggest obstacle is convenience because you have to generate an address before use (harder than it seems when you're talking to someone in person or on the phone). Also, PayPal will give you away no matter what you do, and using your email address as an identifier on social/messaging systems is basically impossible unless you're willing to risk alienating people when you inevitably disable your address. That's actually the primary reason I use my freemail addresses, ironically.

@Peter Running your own SMTP server is really difficult these days, I hear. But if you’re going to outsource that, what is the benefit of using a local server that’s tied to the provider? I’ve been using Amazon SES, which looks to the mail client like a regular SMTP server and is easy to add to your domain’s SPF record. Amazon is highly available and cheap, but there are also some other smaller providers that offer this.
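The SPF behaviour discussed in the comments above (a listed family server passes, a forwarder or hotel network softfails, a relay such as SES passes once its range is pulled in via include) can be traced with this added minimal SPF evaluator. It is not code from the page or from any SPF library; it uses a constructed in-memory table in place of DNS TXT lookups, documentation IP ranges, and models only the ip4, include and all mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no network access).
# family.example lists one home server and delegates to a relay's record.
DNS_TXT = {
    "family.example": "v=spf1 ip4:203.0.113.10 include:relay.example ~all",
    "relay.example":  "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `sender_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep, in the spirit of the RFC 7208 limit).
    """
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":                  # host or CIDR range
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":              # recurse into the other domain
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue                         # a, mx, exists etc. not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched
```

The softfail case is exactly the forwarding problem Peter raises: a forwarder or a family member's hotel-network server is not in the record, so the message arrives with the domain in From but an unlisted source IP.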
