The trouble with text-only email
The announcement that the text-only option would be removed was made (on the mozilla-governance list) by Michele Warther in late September. It quickly became clear that the community viewed this idea with a bit of skepticism, leading Warther to explain the reasoning behind the change:
The spam-ridden nature of the Internet forces anybody receiving email to be somewhat selective about what is allowed through. Only the most obscure and privately held email accounts can be exposed to an unfiltered mail stream without driving the owner insane. Much of the filtering applied is content-based, but much of it, especially at certain large web-based email providers, also takes into account the "reputation" of the sending site.
Some aspects of email reputation are straightforward. An IP address that is observed to be the source of volumes of spam will quickly find its way onto various online blacklists. When an IPv6 address is involved, the resulting block can cover a significant part of the address space, causing considerable collateral damage; this is why LWN's server is configured to send email via IPv4 whenever possible. IP addresses known to be used for residential Internet access are often penalized — if they are allowed to originate mail at all. Anybody who maintains their own email system can attest that reputation scoring also seems to have a significant random factor.
One metric that some sites evidently use is email sent to accounts that are known to be inactive, which is seen as a sign of a spammy originator. This, seemingly, is where Mozilla has run into trouble. One way to avoid this problem is to track which recipients are actually reading their email; any recipient who doesn't look at any messages for a period of time can then be unsubscribed. Then, in theory, email providers can see that the emails from a given source are actually of interest and refrain from putting up obstacles in their path.
The problem, of course, is that this tracking requires the "feedback loops"
mentioned in Warther's message. These loops tend to take the form of
tracking images that are fetched from a server belonging to the sender.
The privacy implications of this kind of tracking are obvious: not
everybody wants email senders to know when their mail was read and where
the reader was at the time. Requiring this sort of disclosure would seem
to run afoul of Mozilla Manifesto #4: "Individuals’ security and
privacy on the Internet are fundamental and must not be treated as
optional.
" But the alternative, Warther said, is an ongoing series
of delivery problems for Mozilla's email in general.
There are other problems with tracking images and related mechanisms, starting with the fact that people who are paying attention tend to disable the loading of such images. Your editor recently received a complaint from a financial company that its emails were not being read; those emails were indeed read, they just weren't allowed to phone home and report that fact. Chances are good that this kind of blocking will increase in the future; not everybody wants to be a part of an unrequested "feedback loop".
In this particular case, it would seem that an acceptable compromise has been found, and the text-only option will remain. But, once a year, those subscribers will get a message asking them to click on a link to confirm their continued interest in remaining on the list. That should allow Mozilla to prune its inactive readers — a useful activity even without the reputation issues — without the need for involuntary tracking.
The fact that even principled organizations like Mozilla feel
the need to
employ tracking says something discouraging about the state of email,
though, not that there was really any need for more evidence that the email
system is broken. As the reputational checks become harder to pass, more
users will be forced to use one of a small number of huge webmail providers
(which have no trouble with "feedback loops")
just to get their work done. Every kernel merge window features one or
more developers having trouble getting their pull requests through to Linus
Torvalds's Gmail account, for example. It's not clear what the solution to
the email problem is, but the need is obvious.
Posted Oct 12, 2017 15:53 UTC (Thu)
by pabs (subscriber, #43278)
[Link] (15 responses)
Posted Oct 12, 2017 16:03 UTC (Thu)
by dbaker (guest, #89236)
[Link] (13 responses)
This is even harder for mail client's that have to rely on a third-party rendering engine for HTML mail, since they don't necessarily have the hooks into the renderer to tell it not to load remote content.
Posted Oct 12, 2017 16:20 UTC (Thu)
by rjek (subscriber, #94501)
[Link] (1 responses)
Posted Oct 15, 2017 20:23 UTC (Sun)
by rahvin (guest, #16953)
[Link]
Although privacy is mentioned lets not forget it's possible to put javascript into an HTML email and most email readers just pipe the HTML code straight into one of the browsers for display. Now you have a script from god knows where running by default in whatever browser code the email reader uses (which is explorer for Outlook on windows) if you are using HTML email. Because of this I consider HTML emails to be a security threat.
Posted Oct 12, 2017 17:18 UTC (Thu)
by david.a.wheeler (subscriber, #72896)
[Link] (4 responses)
I don't load elements from remote servers by default, and practically never have problems with desirable email. In my experience, email that's broken without remote loading is practically always spam.
> This is even harder for mail client's that have to rely on a third-party rendering engine for HTML mail, since they don't necessarily have the hooks into the renderer to tell it not to load remote content.
At least some third parties DO support this functionality.
Posted Oct 14, 2017 16:39 UTC (Sat)
by rbrito (guest, #66188)
[Link] (3 responses)
The code is here: https://github.com/rbrito/scripts/blob/master/drop-altern...
Posted Oct 15, 2017 14:54 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link] (2 responses)
Posted Oct 15, 2017 21:11 UTC (Sun)
by klempner (subscriber, #69940)
[Link] (1 responses)
For a while I used a mail client configuration which fell back to rendering html emails through links, but would prefer a plain text alternative which would usually be better than the output of this hack.
Posted Oct 16, 2017 14:43 UTC (Mon)
by mstone_ (subscriber, #66309)
[Link]
Posted Oct 12, 2017 20:44 UTC (Thu)
by david.a.wheeler (subscriber, #72896)
[Link]
There are discouragements to using HTML email in the US government, because of their security risks. There really aren't many upsides to using them either.
The Department of Homeland Security (DHS)'s "Enhanced Analysis of GRIZZLY STEPPE Activity" (February 10, 2017) reminds organizations to disable HTML in email. Here's the text:
The US DoD bars the use of HTML email in heightened alerts.
Posted Oct 12, 2017 21:39 UTC (Thu)
by davidstrauss (guest, #85867)
[Link]
Posted Oct 13, 2017 8:39 UTC (Fri)
by NAR (subscriber, #1313)
[Link] (3 responses)
Posted Oct 17, 2017 2:13 UTC (Tue)
by Mithrandir (guest, #3031)
[Link] (2 responses)
Posted Oct 17, 2017 5:53 UTC (Tue)
by johill (subscriber, #25196)
[Link] (1 responses)
Posted Oct 17, 2017 11:11 UTC (Tue)
by mathstuf (subscriber, #69389)
[Link]
Posted Oct 12, 2017 18:40 UTC (Thu)
by jhoblitt (subscriber, #77733)
[Link]
Posted Oct 12, 2017 17:21 UTC (Thu)
by alvieboy (guest, #51617)
[Link] (8 responses)
Posted Oct 13, 2017 5:22 UTC (Fri)
by eru (subscriber, #2753)
[Link] (7 responses)
Posted Oct 13, 2017 5:58 UTC (Fri)
by dd9jn (✭ supporter ✭, #4459)
[Link] (6 responses)
Posted Oct 13, 2017 6:49 UTC (Fri)
by eru (subscriber, #2753)
[Link] (5 responses)
Posted Oct 13, 2017 12:23 UTC (Fri)
by hkario (subscriber, #94864)
[Link] (4 responses)
it definitely won't happen with such attitude
> too much historical baggage.
SSLv2 and SSLv3 got deprecated without too much crying and gnashing of teeth, I think we can make software recognise and default to encoding quarter of a century old...
Posted Oct 13, 2017 18:44 UTC (Fri)
by tialaramex (subscriber, #21167)
[Link] (3 responses)
It is much, much harder to deprecate anything from MXs. That's why we have all this "opportunistic encryption" stuff for SMTP. GMail is actually an excellent example. On the _web_ side Gmail simply refuses access to archaic clients that can't reasonable modern security. But when delivering mail from a GMail user over SMTP, if Google finds you can't speak any secure protocols it shrugs and delivers insecurely.
Posted Oct 14, 2017 16:10 UTC (Sat)
by joib (subscriber, #8541)
[Link] (1 responses)
I don't think they accept anything over smtp. At least I had to go to the gmail settings page and explicitly disable some security setting in order to be able to use git send-email via my gmail account.
Posted Oct 14, 2017 21:39 UTC (Sat)
by tialaramex (subscriber, #21167)
[Link]
Posted Oct 15, 2017 16:46 UTC (Sun)
by dkg (subscriber, #55359)
[Link]
The administrators of the recipient domain can actually tell google (and other providers) not to fall back to cleartext delivery using a protocol called MTA-STS (or at least to report such a problem so that it can be diagnosed). If your e-mail provider doesn't do that, you should encourage them to do so.
You can test this for the domain you're interested in with the following commands:
Posted Oct 12, 2017 18:26 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link] (4 responses)
So HTML readers _won't_ get the link? No doubt there are subscribers who receive e-mails in HTML format but configure their clients not to load external resources; will they be automatically unsubscribed without prior notice?
Posted Oct 12, 2017 19:55 UTC (Thu)
by tome (subscriber, #3171)
[Link] (3 responses)
Posted Oct 12, 2017 20:14 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link] (2 responses)
But do you normally get your mailing-list emails in HTML format, or are you a text-only subscriber? If they're sending these notices to everyone they're unable to track then all is well, but (AIUI) the article implied that only text-only subscribers would get the links.
Posted Oct 12, 2017 20:49 UTC (Thu)
by tome (subscriber, #3171)
[Link] (1 responses)
Posted Oct 13, 2017 14:32 UTC (Fri)
by madscientist (subscriber, #16861)
[Link]
In that situation people reading HTML mail with images loaded would never get pinged, but it can't reasonably be called preferential treatment.
Posted Oct 12, 2017 18:59 UTC (Thu)
by jkingweb (subscriber, #113039)
[Link]
Posted Oct 12, 2017 19:42 UTC (Thu)
by ernstp (guest, #13694)
[Link] (12 responses)
Posted Oct 12, 2017 20:54 UTC (Thu)
by pbonzini (subscriber, #60935)
[Link] (9 responses)
While my surname is pretty uncommon, this account's username is just our first names strung together, so it is not unlikely that someone else has a very similar email address. In fact, it is surprising how much crap I get that is destined to others who, presumably, used the wrong domain. O_o
This address has only ever been given by me to the electric, gas and phone companies; yet, through the years, it has also been included in several mailing lists, including a parents list at a public school 400 km from here and a marketing list at Diners Club, whose messages are clearly destined to current owners of a Diners credit card.
Given this story, and the abundance of NameNumber@gmail.com addresses, I am not surprised that 1) companies want to know if you read their messages; 2) enough people get subscribed to mailing lists by mistake, and report it as spam, to throw a wrench in the filters' classification algorithms.
Posted Oct 12, 2017 23:13 UTC (Thu)
by josh (subscriber, #17465)
[Link] (8 responses)
You don't get subscribed to mailing lists "by mistake", and reporting it as spam is completely correct. If the kind of account you have gets subscribed to a mailing list, that mailing list is a spam source and should be blacklisted.
Posted Oct 13, 2017 8:14 UTC (Fri)
by mpr22 (subscriber, #60784)
[Link] (7 responses)
Working in a contact centre, I get to field angry telephone calls from people whose public transport discount smartcards are weeks late because they didn't receive the email that we sent to the wrong address they entered and which tells them "sorry, your application has problem XYZ, please log on and fix it". Given that the site asks them to enter their email address twice to guard against typos before allowing them to get anywhere near the ordering interface, I can confidently assure you that humans can't be relied on to type their email addresses correctly even when asked to type them twice for confirmation. So while you're right to say "report as spam", I regret to say you're wrong about "you don't get subscribed by mistake".
Posted Oct 13, 2017 8:35 UTC (Fri)
by gevaerts (subscriber, #21521)
[Link] (4 responses)
Posted Oct 13, 2017 22:20 UTC (Fri)
by pbonzini (subscriber, #60935)
[Link] (1 responses)
Posted Oct 15, 2017 18:26 UTC (Sun)
by matthias (subscriber, #94967)
[Link]
Posted Oct 19, 2017 9:51 UTC (Thu)
by rmv (guest, #48328)
[Link] (1 responses)
I'm on the mailing list of two US schools, a Texas Obgyn clinic, two US based banks, an Indian pharmaceutical sales organisation, a German home furnishings company and a Washington based VW dealership, a food delivery service in Mumbai and a matrimonial service in Kerala. Amongst others.
Being based in northern Europe, I'm pretty sure I didn't at any point sign up for any of those on a whim and then forget about it. These are all from organisations who've received an application from a genuine client and have taken absolutely no steps to corroborate the email address before using it.
If there's an unsubscribe link, I use it. If there's not, or I receive another email after using the unsubscribe link, it gets reported as spam.
The banks were the most persistent as they have enough reputation that reporting them as spam has little effect and the only way to unsubscribe was for the account holder to change their mail preferences and as I wasn't the account holder they couldn't do anything.
Posted Oct 20, 2017 3:54 UTC (Fri)
by mrshiny (guest, #4266)
[Link]
Posted Oct 22, 2017 10:41 UTC (Sun)
by gezza (subscriber, #40700)
[Link] (1 responses)
Posted Oct 26, 2017 15:14 UTC (Thu)
by itvirta (guest, #49997)
[Link]
I seem to remember that Paypal used scripts to prevent copy-pasting, at least when changing
Posted Oct 26, 2017 8:45 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
NOPE. That is not standard.
My email domain is owned by my brother, and he has configured his provider to silently dump unrecognised users.
When I managed a domain ages ago, I configured that to dump all unrecognised users into a single account, used pretty much to just "scan and dump" (when spam volumes were low enough :-)
Cheers,
Posted Oct 26, 2017 8:57 UTC (Thu)
by yaneti (subscriber, #641)
[Link]
Its understandable for situations where mail is accepted on machines that don't have the resources to scan for backscatter spam.
Posted Oct 12, 2017 19:51 UTC (Thu)
by marduk (subscriber, #3831)
[Link] (3 responses)
Might Mozilla do something similar with mailing lists? Every so often (month, year?) they could mail each subscriber a unique link and give them a number of days to renew their subscription. If the user doesn't go to the link to confirm their subscription within the time frame then they are automatically unsubscribed from the list. I don't think most people would have a problem with that.
Posted Oct 12, 2017 20:36 UTC (Thu)
by karkhaz (subscriber, #99844)
[Link]
Posted Oct 13, 2017 0:32 UTC (Fri)
by linuxrocks123 (subscriber, #34648)
[Link] (1 responses)
Hence I switched to YDNS. I suggest others do also.
Posted Oct 13, 2017 11:47 UTC (Fri)
by imphil (subscriber, #62487)
[Link]
Posted Oct 12, 2017 21:07 UTC (Thu)
by frostsnow (subscriber, #114957)
[Link] (1 responses)
Posted Nov 5, 2017 21:54 UTC (Sun)
by pboddie (guest, #50784)
[Link]
What the sender wants in such cases is for the mail client to pull down all those resources dynamically, thus getting the message under any payload size restrictions and also giving them the ability of seeing when you read the mail, plus what you clicked on since the images will also be hyperlinked. This lets them hypothesize/fantasize about all sorts of "insights" they might get your habits without actually having to ask you anything, although you can be sure that these organisations also like to pester you to fill out stupid questionnaires.
As for losing faith in the Web/HTML community, it wouldn't surprise me if this apparent tracking requirement weren't also part of some similar "insight"-mining process where someone at a higher management level in Mozilla is agonizing about "what our users want" while continuing to ignore all feedback that doesn't reinforce their existing notions on the topic.
Posted Oct 12, 2017 21:45 UTC (Thu)
by debacle (subscriber, #7114)
[Link] (7 responses)
Anyway, who cares? Those who prefer text (like us mutt users) can just ignore the HTML attachment.
Posted Oct 13, 2017 1:38 UTC (Fri)
by Tara_Li (guest, #26706)
[Link] (3 responses)
Posted Oct 13, 2017 8:55 UTC (Fri)
by karkhaz (subscriber, #99844)
[Link]
This is also convenient because once you know which senders are guaranteed to send HTML-only mail, you can write a procmail rule or the like to put them straight into the maildir. (I use a hosted email with Kolab Now, so I set the rule up server-side instead). If you're paying per-gigabyte for email storage and are worried about the size of HTML email, you can even have a cronjob that moves emails out of the maildir (deleting them from the server) and into local storage somewhere, perhaps adding it to a git repo or whatever.
Double bonus: if you get a lot of HTML email from one sender, and the emails are in a fairly fixed format, then you can parse the information you need out of that email and not bother reading the email at all. For example, whenever I get a delivery to my postbox, I get an email telling me so, with tracking pixels etc. But the email also contains a QR code as an attachment that I need to open my postbox for that delivery. So again, cronjob to find new mails from the post company, save all the QR codes, upload them to a URL on my web site, and I then browse to my website when I visit the post room---no need to even open the email. That's only worthwhile if you enough email from one sender to make it worth writing a custom parsing script for them, but (a) it's nerdy and (b) by doing this for the most prolific senders, I significantly reduce the time that I need to spend dealing with content-free email.
Posted Oct 14, 2017 21:47 UTC (Sat)
by debacle (subscriber, #7114)
[Link]
Posted Oct 16, 2017 21:36 UTC (Mon)
by juliank (guest, #45896)
[Link]
Posted Oct 15, 2017 12:07 UTC (Sun)
by gdt (subscriber, #6284)
[Link] (2 responses)
Posted Oct 15, 2017 12:49 UTC (Sun)
by NAR (subscriber, #1313)
[Link]
And there's no need for HTML to represent non-ASCII characters.
Posted Oct 26, 2017 8:49 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Oct 12, 2017 22:44 UTC (Thu)
by dskoll (subscriber, #1630)
[Link] (19 responses)
we have seen an increase in greylisting/blacklisting as a direct result of our text only emails
I don't believe that. It sounds like complete nonsense to me. And I work in the anti-spam industry.
Greylisting is independent of the message content, so it cannot possibly penalize text/plain any more than text/html. And I challenge Mozilla to prove that plain-text emails are a causal factor in getting them blacklisted.
Total claptrap IMO.
Posted Oct 12, 2017 23:28 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link] (10 responses)
Sending email that people don't like results in getting labelled "spam". A fraction (but not an insignificant one) of email users mark any email they didn't expect "spam". Even the fact that they've _specifically asked to receive this email_ is something they pay no heed to in adding this label, if on Monday they think to themselves "Oh, I love puppies, I want to read all about puppies" yes, yes please, sign me up to the Puppy Lover mailing list, that doesn't prevent them on Tuesday receiving an email "Dear Puppy Lover, thanks for signing up to read about puppies" and thinking "Ugh, not this" and pressing the Spam button.
If you're big, the receiving side will put up with this anyway, they'll have to accept that yes, 1% (or whatever) of all Puppy Lover emails are labelled spam and (possibly while rolling their eyes) tell customers they're working hard to eliminate spam and thanks for clicking that "Spam" button religiously.
[ This happens for other categories too. The usual thing to do with reports of "phishing" is to thank the customer for being on their guard and re-assure them you take phishing seriously. It's not important whether the email they forwarded is actually a phishing scam, or an advert your agency sent to them, or just a routine email about say, confirmation of delivery of an order they just literally made, just tell them thanks for being such a clever customer who definitely isn't an idiot that doesn't know what "phishing" is. ]
But if you're a bit smaller, what happens is you get blocked as "too spammy" where that turns out to mean "Users are incompetent but we can't be bothered to do anything about that, so instead we're throwing your email in the garbage, too bad".
I know about this because although my employer owns a huge commercial "email marketing" company which falls into that "big" category I run a service for them which mostly doesn't use that company to send email, it sends only actionable alerts to customers who've usually either paid for the privilege of getting these alerts or signed up as part of some sort of premium package (e.g. they have a Platinum payment card and this service was one of the "freebies"), and nevertheless a non-trivial fraction of the alerts are marked as "Spam" by the recipient. Using the commercial "marketing" company (ie people who actually send spam for a living) gets the mail through.
Personally I would suggest we ask the same sites that offer them this "Spam" button to collect and publish lists of these people's email addresses so we can avoid "harassing" them altogether by refusing to let them sign up for anything ever again. It's not really important to me whether they learn anything from the experience, we're all better off regardless.
Posted Oct 13, 2017 11:44 UTC (Fri)
by dskoll (subscriber, #1630)
[Link]
Yes, that's all common knowledge, but has nothing to do with greylisting nor with text/plain mail being especially penalized.
Posted Oct 13, 2017 15:27 UTC (Fri)
by nybble41 (subscriber, #55106)
[Link] (8 responses)
To be perfectly frank, I would probably consider that spam as well, unless there was a simple and obvious way to opt out of this "freebie" up front. If you're signing up specifically to receive the e-mails that's one thing, but if it's just bundled with some other service (so you might want that service but not the e-mails) then that isn't substantially different from any other source of unsolicited e-mail. If I recognized the source and there was an "unsubscribe" link I would probably use it, but in the absence of such a link—or if it didn't take effect promptly, by the end of the next business day at the latest—I would have no qualms about reporting the e-mails as spam. If the source isn't recognized, of course, then one must assume that any links could be an attempt at phishing, so that isn't an option.
If a company doesn't want me to consider their message spam: 1) Don't send anything without asking first. I don't care whether it's opt-in or opt-out as long as the option is clearly presented. (One-time "welcome" e-mails can be an exception, as can critical security messages on the order of "your account has been compromised".) 2) Provide an option to disable e-mails separate from other services, if any. If you send different categories of e-mails, e.g. relevant account notifications and general product updates, provide separate settings for each type. 3) Provide a functional "unsubscribe" link. "Please allow up to two weeks for the change to take effect" is not good enough. Unsubscribing should be an automated process. Click the link, maybe click another button to confirm that's what you want, and receive no further e-mails—allowing for ones already in transit, of course.
Posted Oct 13, 2017 19:04 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link] (4 responses)
I would agree with essentially everything here, except that I would not consider "opt-out" OK. Users should have to specifically request everything except essential communication like receipts, shipping notices, bills, and security alerts. It can be as simple as including a check box, but if that's the way you do it the box should default to not checked. Users should have to take active steps before they start receiving email. The only time a user should have to take any step to stop receiving email is when they've previously taken an active step to receive it and they've changed their mind.
Posted Oct 13, 2017 19:43 UTC (Fri)
by karkhaz (subscriber, #99844)
[Link] (3 responses)
This doesn't stop plenty of companies (presumably based in the US) from not complying with EU regulations though, I assume somebody would have to take them to court in the EU to enforce that they offer their user to opt-in to email.
Posted Oct 14, 2017 10:44 UTC (Sat)
by Jonno (subscriber, #49613)
[Link] (2 responses)
Well, only sort of. While a customer *technically* needs to opt-in before you can spam them, it is perfectly legal to make opt-in the default choice.
(Both a checked-by-default "I want to subscribe" checkbox and an unchecked-by-default "I don't want to subscribe" checkbox is fine, but only providing an after-the-fact "click here to unsubscribe" link is not).
Posted Oct 18, 2017 11:01 UTC (Wed)
by hkario (subscriber, #94864)
[Link] (1 responses)
definitely much easier than reading T&C of any website
Posted Oct 19, 2017 9:29 UTC (Thu)
by rmv (guest, #48328)
[Link]
Posted Oct 13, 2017 19:10 UTC (Fri)
by tialaramex (subscriber, #21167)
[Link]
I'm sure a tremendous number of people who have such a benefit available to them never sign up, just as when insurers hand over tens of thousands of codes to victims of a data breach that entitle the recipient to a free account almost none of those are ever used. Since the alerts are based on finding their data, if they haven't told us any data they don't get any alerts. But those who do are still depressingly likely to label the actual alerts spam.
In some cases the company white labelling the service asks for non-alert emails, those all go out through that "marketing" service I talked about, and doubtless any number of sensible customers label _those_ as spam, which has no effect because they're a big successful marketing company.
Posted Oct 19, 2017 7:44 UTC (Thu)
by nim-nim (subscriber, #34454)
[Link] (1 responses)
If this scum was not systematically using deceptive practices they could complain users are tagging legitimate messages as spam. As it is the tagging reflects what the customer actually wants, not what he's been tricked into.
Posted Oct 19, 2017 15:50 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link]
Such messages would not be "one-time welcome mails", as they are neither one-time nor plausibly intended to welcome a new user. The fact that they reset their system has no bearing whatsoever on whether the messages are spam.
> Or use one-message mailings, you can unsubscribe all your want, you've already received the only message associated with the mailing and the next one will use another list
The problem here is that the recipient never signed up for those one-message lists in the first place. "Don't send anything without asking first." If you're sending mail to people who didn't sign up, whether it's one message or a hundred, you're spamming.
Posted Oct 13, 2017 1:07 UTC (Fri)
by wahern (subscriber, #37304)
[Link] (1 responses)
Most implementations temporarily reject receipt before DATA, but there's nothing inherent in this approach. (See https://tools.ietf.org/html/rfc6647#section-2.5) You might want to process the message so you can apply whitelisting rules, including DKIM exemptions. Too many people disable greylisting because of the delay. If you can hasten delivery of desirable e-mail, fewer companies will disable greylisting.
Maybe it's not common because of weird bugs in Exchange that break redelivery if you reject on EOM. But IME the reason it's not more common is because the server-side frameworks weren't performant enough to handle many late rejections. In particular, it's difficult to design (and keep other engineers from breaking!) a filtering engine that supports inline, streaming processing with the equivalent of "redirect to /dev/null and reject with 451" short-circuiting. Most engines seem to quickly degenerate to slurping in the entire message body into a string in someone's favorite scripting language, which will never scale if you're not rejecting most messages upfront.
Posted Oct 13, 2017 11:43 UTC (Fri)
by dskoll (subscriber, #1630)
[Link]
Yes, our implementation actually does greylist post-DATA and has various mitigations to reduce greylist delay. But it still doesn't distinguish between text/plain and text/html
Posted Oct 13, 2017 4:38 UTC (Fri)
by fratti (guest, #105722)
[Link] (3 responses)
I feel like someone at the top completely misunderstands Mozilla's mission.
Posted Oct 16, 2017 8:33 UTC (Mon)
by jezuch (subscriber, #52988)
[Link]
Posted Oct 22, 2017 10:57 UTC (Sun)
by gezza (subscriber, #40700)
[Link] (1 responses)
Posted Oct 27, 2017 4:38 UTC (Fri)
by Mook (subscriber, #71173)
[Link]
Posted Oct 13, 2017 5:14 UTC (Fri)
by rsidd (subscriber, #2582)
[Link]
I don't read it as saying plain text mail is flagged as spam!
Posted Oct 13, 2017 20:59 UTC (Fri)
by Sesse (subscriber, #53779)
[Link]
Nothing is saying you can't greylist by sending 4xx on the DATA command (after seeing the content and deeming it dubious).
Posted Oct 12, 2017 22:48 UTC (Thu)
by dskoll (subscriber, #1630)
[Link]
Second point: Yes, some people will use honeypot addresses to trap spammers. But I find it incredibly difficult to believe that anyone would use an email account as a honeypot that was formerly an active, legitimate account that actually signed up for a mailing list.
The practice of sending a "Click here if you still want to subscribe" link periodically is all that's necessary to prune the list of people who don't read it.
Posted Oct 13, 2017 0:01 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link]
This says a lot more about contemporary internet mentality than anything. They want to present this as a way of making life easier for people, but it's as much about their own convenience as their users. People have worked so hard to destroy privacy that it's easier for a company to achieve their goal by ignoring their users' privacy than by protecting it, and even organizations that are nominally interested in privacy will often ignore it when privacy is even a minor inconvenience to their goals.
Posted Oct 13, 2017 2:31 UTC (Fri)
by fredex (subscriber, #11727)
[Link] (1 responses)
Posted Oct 13, 2017 7:27 UTC (Fri)
by FLHerne (guest, #105373)
[Link]
Posted Oct 13, 2017 4:03 UTC (Fri)
by marcH (subscriber, #57642)
[Link] (16 responses)
At least for the very specific case of *one-way newsletters* the solution is obvious: any "pull" system (RSS, read-only NNTP,...) is better. It's very simple really: "don't call us, we'll call you" and *poof*, all problems like spam, filtering, subscription, etc. are gone instantly.
Some would argue that the same "pull" superiority applies to any non-private communication, but... let's not go there https://lwn.net/Articles/702177/ :-)
Posted Oct 13, 2017 5:01 UTC (Fri)
by neilbrown (subscriber, #359)
[Link] (15 responses)
Yes, if only we had a 'pull' system as good as email..
I experimented with using rss2email to read lwn comments in my mail reader a while back.
Maybe we could use anonymous-POP as a pull system which supports everything the email supports.
Posted Oct 13, 2017 6:01 UTC (Fri)
by johill (subscriber, #25196)
[Link] (13 responses)
Posted Oct 14, 2017 7:00 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (12 responses)
Posted Oct 17, 2017 12:15 UTC (Tue)
by Herve5 (subscriber, #115399)
[Link] (5 responses)
I had been an intense user of NNTP, with client softwares that were able to show the discussion trees, change news servers on the fly etc.
I remember seeing my favorite discussion groups, be it philosophy or specific sharewares (do this word still exist, 'shareware'?) -my favorite groups *voluntarily* moving to Google groups...
Please tell me I am wrong, but I hardly remember even the name of my softwares -ah yes, MacSOUP on macintosh at the time... but that was when I was young...
But if of all places there is one that could resurrect it, it's LWN!
Posted Oct 17, 2017 14:45 UTC (Tue)
by sfeam (subscriber, #2841)
[Link] (1 responses)
Posted Oct 18, 2017 12:30 UTC (Wed)
by Herve5 (subscriber, #115399)
[Link]
Posted Oct 18, 2017 11:44 UTC (Wed)
by anselm (subscriber, #2796)
[Link] (2 responses)
NNTP disappeared when people figured out that it is easier to put up a web forum or blog than to get a new USENET newsgroup approved.
Posted Oct 18, 2017 12:33 UTC (Wed)
by Herve5 (subscriber, #115399)
[Link] (1 responses)
Posted Oct 18, 2017 14:57 UTC (Wed)
by anselm (subscriber, #2796)
[Link]
Easier from the POV of the forum/blog operators, not necessarily that of arbitrary users.
Posted Oct 26, 2017 6:15 UTC (Thu)
by Garak (guest, #99377)
[Link] (5 responses)
Posted Oct 26, 2017 7:02 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
Posted Oct 26, 2017 22:03 UTC (Thu)
by Garak (guest, #99377)
[Link] (3 responses)
Posted Oct 26, 2017 22:08 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
NNTP died not because ISPs are cracking down on users the moment they start a listening socket on port 119. It died because the whole NNTP infrastructure requires a lot of attention and maintenance. And nobody cares about it, since simple web forums are MORE functional for an average user.
And there actually is a fair number of self-hosted blogs/forums.
Posted Oct 26, 2017 23:49 UTC (Thu)
by rodgerd (guest, #58896)
[Link]
Posted Oct 29, 2017 3:40 UTC (Sun)
by Garak (guest, #99377)
[Link]
Posted Oct 13, 2017 16:17 UTC (Fri)
by perennialmind (guest, #45817)
[Link]
Posted Oct 13, 2017 8:59 UTC (Fri)
by mjthayer (guest, #39183)
[Link] (4 responses)
Posted Oct 13, 2017 11:47 UTC (Fri)
by dskoll (subscriber, #1630)
[Link]
I agree. I run a few mailing lists and I might look at implementing this.
Posted Oct 13, 2017 14:20 UTC (Fri)
by cesarb (subscriber, #6266)
[Link] (2 responses)
I'm not sure I like that idea much. It means that, if you miss a single email (or read it too late), your mailing list subscription can be lost.
Posted Oct 14, 2017 6:48 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (1 responses)
Posted Oct 15, 2017 19:18 UTC (Sun)
by dd9jn (✭ supporter ✭, #4459)
[Link]
Posted Oct 13, 2017 20:08 UTC (Fri)
by flussence (guest, #85566)
[Link] (3 responses)
The last correspondence I allowed Mozilla to send me was a horribly bungled unsolicited marketing newsletter from the Spread Firefox website, sent from a third party server I'd never heard of, with an invalid return address and a gibberish text/plain part which screamed “phish attempt”. As I recall there was quite a bit of outrage about that and they were every bit as deflective and dismissive back then as they are now. They need to get off their high horse.
Posted Oct 14, 2017 0:23 UTC (Sat)
by roc (subscriber, #30627)
[Link] (2 responses)
Posted Oct 14, 2017 19:23 UTC (Sat)
by flussence (guest, #85566)
[Link] (1 responses)
Posted Oct 14, 2017 19:28 UTC (Sat)
by flussence (guest, #85566)
[Link]
Posted Oct 15, 2017 21:05 UTC (Sun)
by mlinksva (guest, #38268)
[Link] (3 responses)
I don't understand. Are there some feedback loops not mentioned that text emails do not obtain but HTML emails do?
Posted Oct 16, 2017 19:25 UTC (Mon)
by eythian (subscriber, #86862)
[Link] (2 responses)
Posted Oct 19, 2017 2:35 UTC (Thu)
by mlinksva (guest, #38268)
[Link] (1 responses)
Mail services, not the sender.
I still don't understand the argument.
Posted Oct 21, 2017 16:50 UTC (Sat)
by runekock (subscriber, #50229)
[Link]
By tracking, the sender gets better at only sending to people who actually open the mail. And mail services can use that as a factor in their spam filter.
Posted Oct 19, 2017 14:11 UTC (Thu)
by mirabilos (subscriber, #84359)
[Link]
Posted Oct 19, 2017 14:23 UTC (Thu)
by kpfleming (subscriber, #23250)
[Link] (4 responses)
Posted Oct 19, 2017 14:45 UTC (Thu)
by corbet (editor, #1)
[Link] (1 responses)
Posted Oct 19, 2017 14:53 UTC (Thu)
by kpfleming (subscriber, #23250)
[Link]
Posted Oct 19, 2017 17:24 UTC (Thu)
by pizza (subscriber, #46)
[Link] (1 responses)
So unfortunately it makes sense to just block a large address subset.
(I saw something similar with IPv4 and /24s; even to this day my IDS logs show that more than one IP in a subnet is typically used at once..)
Posted Oct 19, 2017 18:34 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
An ISP should give you a /48 network at least, not a single address from their /64.
Posted Oct 28, 2017 19:29 UTC (Sat)
by whyagaintang (guest, #97642)
[Link]
Quote from the paper:
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
Not blindly loading elements works just fine
Not blindly loading elements works just fine
Not blindly loading elements works just fine
Not blindly loading elements works just fine
Not blindly loading elements works just fine
Text-only email discouraged in US government
Organizations should ensure that they have disabled HTML from being used in emails, as well as disabling links. Everything should be forced to plain text. This will reduce the likelihood of potentially dangerous scripts or links being sent in the body of the email, and also will reduce the likelihood of a user just clicking something without thinking about it. With plain text, the user would have to go through the process of either typing in the link or copying and pasting. This additional step will allow the user an extra opportunity for thought and analysis before clicking on the link.
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
Still, this was recently published (unsure about when the original report was, though, or how serious it is): https://www.scientificamerican.com/article/the-only-safe-e-mail-is-text-only-e-mail
Alvie
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
Forcing secure SMTP with MTA-STS
dig +short -t txt _mta-sts.example.net
wget -q -O- https://mta-sts.example.net/.well-known/mta-sts.txt
Here's how that status looks for gmail itself (which is in mode: report):
0 dkg@host:~$ dig +short -t txt _mta-sts.gmail.com
"v=STSv1; id=20160707T010757;"
0 dkg@host:~$ wget -q -O- https://mta-sts.gmail.com/.well-known/mta-sts.txt
version: STSv1
mode: report
policy_id: 1503837332
mx: gmail-smtp-in.l.google.com
mx: .gmail-smtp-in.l.google.com
max_age: 86400
0 dkg@host:~$
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
If it was wrong the first time, it will be wrong the second.
The trouble with text-only email
the password (which is annoying if you're using password storage software), I can't remember if
it was for the email address too.
The trouble with text-only email
Wol
The trouble with text-only email
Otherwise its just rude and inconsiderate. Imagine if you normal postal service acted like that..
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
"the email system is broken"
"the email system is broken"
"the email system is broken"
"the email system is broken"
$ sudo apt install w3m
and then:
~/.mutt/muttrc:
auto_view text/html # view html automatically
alternative_order text/plain text/enriched text/html # save html for last
~/.mutt/mailcap:
text/html; w3m -I %{charset} -T text/html; copiousoutput;
(from: http://jasonwryan.com/blog/2012/05/12/mutt/)
"the email system is broken"
"the email system is broken"
"the email system is broken"
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
"the email system is broken"
Wol
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
about: triggering google analytics is fairly concerning.
Thanks.
I'm not the person you're replying to, and I don't have a page for this (just tried things out right now), so I'll have to go with instructions:
The trouble with text-only email
That last step loads a page off discovery.addons.mozilla.org, which appears to include Google Analytics.
The trouble with text-only email
The trouble with text-only email
Dormant accounts
The trouble with text-only email
The fact that even principled organizations like Mozilla feel the need to employ tracking says something discouraging about the state of email, though, not that there was really any need for more evidence that the email system is broken.
The trouble with text-only email
;-)
The trouble with text-only email
The trouble with text-only email
Of course these are not mutually exclusive: you can perfectly keep email on life support in parallel with another, actually working solution.
The trouble with text-only email
One problem was that all threading was lost. I thought I should get grumpy at the grumpy editor, but on looking into the details, I discovered that rss had no way to export "in-reply-to" or "references". So I had to keep my gumpyness to myself.
i.e. I connect to the pop server at lwn.net, login as guest/guest, use UIDL to list the uids of the 100 most recent comments, and collect the ones that I haven't seen....
The trouble with text-only email
The trouble with text-only email
Imagine how much more NNTP would rock if it received just 1/10th of the massive (https://lwn.net/Articles/732570/) efforts trying (and failing) to fix email's unfixable design flaws.
It shouldn't even be that much effort considering NNTP is literally email's cousin, sharing so many genes and a lot of compatibility.
(on NNTP)
And for me all of this disappeared, almost over one single year, once Google imposed logging in specificaly for each dedicated newsgroup, etc.
eternal-september.org
(on NNTP)
(on NNTP)
(but my worry also was about all those guys that voluntarily migrated to Google...
Still I find worth re-checking what is left today on NNTP!
(on NNTP)
I thought NNTP disappeared when Google bought Déjà News?
(on NNTP)
(on NNTP)
network news transfer protocol
I really don't understand why NNTP seems to get so little love.
I think I understand it. Several big factors. One big factor is the difficulty of operating an NNTP server. Sure, it's not that hard to pony up for a linode or aws vhost. But just imagine if that hurdle was removed, and instead every ISP woke up tomorrow and removed the annoying server prohibition clauses from their terms of service. If that happened, I think we'd see a rapid innovation in nntp server appliances that many home users would dabble in operating. I.e. Razpi+usbdisk+enablingarouterportforward. Now shortly after gaining more traction, we'd start to encounter and resolve NNTP's problems. Whitelists and simple reputation systems would do the trick without much work (from the perspective of a community of hundreds of reasonably adept home server operators working in traditional FOSS ways). Or cryptocurrency like solutions (I recall before bitcoin, several basic ideas of cryptocurrency were kicked around as a spam-paid-postage solution, probably in a dusty LWN/Schneier article).
The next big factor is how the kinds of idealized communications systems like this are opposed by large forces. 'Streaming' non-live content would never have been a thing if there wasn't effectively a war on S/FTP by big copyright moneyrakers. Napster should never have been a thing in a world where s/ftp and nntp exist in foss ways for everybody. But that didn't happen because the home-server persecution campaign was successful. Likewise the NSA/FBI don't like secure communication systems, which is what s/ftp+nntp would have turned into. Instead we got facebook and googleplus which NSA's PRISMs cut like a hot knife through butter. Seriously, Facebook only exists because of home server persecution IMHO. And it's a weird thing, to get away with it, they had to obfuscate it. And it seems to have worked. The original promise of the internet as a balanced truly two-way street, where everyone could easily be a web server, as well as a web browser, was more than the establishment could allow to disrupt.
In other words- I Love the Network News Transfer Protocol. I fear that government sponsored propaganda campaigns effectively trolled usenet to death with racism provocation tactics (obviously I venture this far unreservedly after the recent issues with that and Russia/US/2016election). In my analysis, the way that FOSS/NNTP could have survived that onslaught was if everyone could run an nntp server at home on Network Neutrality non-discrimination terms. For a long time, the linode/aws workaround was simply too high a bar, preventing the needed critical mass of operator/developers. Even now, ethical people read the linode/aws ToS and see the bigger picture and history, and decide it's not worth the headache. The solution I see is to actually tackle the real problem of defining how Free Speech exists on the internet. By my math, it requires the ability to operate a server, and thus be able to have any kind of conversation you want with anybody, without considering whether it may cause you to be illegally violating a contractual terms of service. And at the end of the day, the unethical people don't care about that, and have all the darknet communication they want already. It's akin to the old- If you outlaw guns(home servers) then only outlaws with have guns(home servers and the communcation security advantages they enable).
$0.02...
network news transfer protocol
Nothing will happen. There are no "no-server" clauses in ISP contracts in Russia or Ukraine. Yet the density of mail and NNTP servers is not greater than in the US.
That's your opinion/analysis. My own includes perhaps more focus on the how and why earlier internet innovation came more from the U.S. than other countries. While I certainly am cogniscent of the myriad of ways the U.S. governmental system has been atrocious in recent years and not so recent decades, I do think that when it comes to the nexus Free Speech and capitalism accelerated consumer goods innovation and availability, there is some valuable difference that explains the U.S.-centric development of tech.network news transfer protocol
In Russia, there could be a full page advertisement every week in newspapers with a personal message signed by Putin telling the public how free they are to engage in Free Speech even harshly critical of his regime. But that doesn't mean I think it would be a wise idea to believe that and act on that belief. I.e. read the wikipedia page on journalist murders in Russia over the past couple decades, and various government's beliefs about those cases, and worse, U.S. policies that seemed to both see a problem there, but not discuss it much.
I really think the path of nntp server appliance innovation would be wholly different in the U.S. OTOH, one of the saving graces of my analysis is that I believe this is an opportunity for nations other than the U.S. (but probably not Russia) to outshine the U.S. in future internet communications innovation. And while as a U.S. citizen I feel bad about that, I recognize all the blood on our hands and see it as a just desert that our own corruptness may cause history to look back on this failing of ours, with a brighter view of the countries that managed not to squander the opportunity.
Just my opinion/analysis/$0.02...
network news transfer protocol
network news transfer protocol
network news transfer protocol
NNTP died not because ISPs are cracking down on users the moment they start a listening socket on port 119. It died because the whole NNTP infrastructure requires a lot of attention and maintenance. And nobody cares about it, since simple web forums are MORE functional for an average user.
I didn't say an ISP crackdown was the cause of NNTP's death. I again highlight the aspect of my analysis that you seem indifferent to. Things didn't come to where they are all at one, it was a remarkably fascinating evolution of computer network communication tool development over the last several decades. My theory is that what NNTP required to be successful was *development*, because indeed, as it was/is, the attention and maintenance requirements were/are too high for it to succeed in competition with a multitude of smaller scale web forum platforms. My theory is that if there was a FreeSpeech/NetworkNeutrality protection that allowed anyone to compete and test further development without paying a premium to aws/linode or their own ISP for 'business class' service that allows the operation of an NNTP server, then we would see the *development* increase to a point where NNTP could outcompete the myriad of alternatives that have outcompeted it in the last decade or two.
And there actually is a fair number of self-hosted blogs/forums.
At the end of the day, I see significant value in what usenet achieved for end-user experience in some important ways. An analogy would be the difference between the historical ubiquitous cable television channel line-ups, versus a different front-end app for netflix/hulu/disney/cbs/nbc/etc. We needn't explore all the nuance in this thread, but there was something pretty amazing about the breadth of channels all in one place, with users having full control over the development of the front-end. I think if users could have full control over the back-end as well, development would reach a critical mass point where NNTP could easily once again outshine the currently more popular alternatives.
And I have no particular attachment to NNTP(and I'll admit, you were right to throw SMTP alongside it) as it was or is. My attachment is to what it basically accomplished. I think there are important facets of what SMTP and NNTP accomplished, that as they fade away, would be a shame to lose. I think ordinary users with FOSS techniques could easily resolve the serious deficiencies that existed and still exist. But a big problem is that there are big money interests, Google with GMail and googlegroups, and Reddit amongst others that depend on the high bar to ordinary people being able to operate group/email back-end servers. I think that Google's Network Neutrality stance is entirely corrupted by their monetary interest in how things evolved. And I think that is having very negative effects on how things continue to evolve.
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The polite and correct way is to ask the user on the other end to refresh their opt-in status every few months.
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
Spamhaus routinely blacklists big chunks of the space, so that we were often getting nailed by a block on somebody else's address. So we finally just gave up on IPv6 delivery, which is really kind of sad.
IPv6
IPv6
The trouble with text-only email
The trouble with text-only email
The trouble with text-only email
Mail clients that block cookies by default, like Apple Mail, offer some level of protection. In these clients it’s more difficult for a tracker to track users across mailing lists, since the mail client doesn’t provide a persistent identifier. The same is true for webmail clients which proxy images, like Gmail and Yandex. Content proxying has the added benefit of preventing a tracker from being able to link the browser’s cookies to any identifiers received when an email is opened