Need help deciding whether to switch to SG

General discussion re sg.

Need help deciding whether to switch to SG

Postby vertigo » Wed Sep 05, 2018 5:42 pm

I've been happily using email aliases for years now, but I've recently been having major issues with 33mail, the service I've been using, which is causing me to not receive emails. The problem is, I don't just use aliases for signups and other short-term uses; I use them permanently. I used one signing up for this site years ago, I use ones for online magazine subscriptions, online and B&M stores, PayPal, pretty much everything. So not getting emails to them is a real issue. I've looked at SG on and off for years, but never did anything, partly because 33mail was working fine and partly because I don't like the available domains (since I use aliases for real email as well as disposable, I want a "normal" sounding domain that's also easy to tell someone, so I don't have to spell it out to them every time). I've also looked on and off at buying my own domain to use, but I haven't been able to find one I like that's available, plus I'm not even sure how that all works.

In order for a service to work this way, it needs to be able to default to allow infinite messages to aliases, as it would be far too much work to manually set each one as trusted. I know there have been posts before about this, and apparently this is just not something SG is going to do, apparently due to the fact it's meant more for disposable emails that mostly get "eaten" vs a relay for all email, and I understand that, as you need to keep bandwidth in check. But I wonder if you'd be willing to do paid accounts that allow this, even if it's not actually set up. I wouldn't mind sending a check or something in order for my account to be tweaked to allow this. Another option would be to set up my own service with the source code on a service like DigitalOcean, but I have no idea how to do that, and even if I could figure it out I'd be worried about the security of it since I don't really know anything about managing that sort of thing. Which brings me to another question: how secure is this service (i.e. the server)?

As far as using my own domain, how would using SG with it differ from just using the domain on its own? Either way, I'm giving out the domain name, which opens it up to spam. With SG that's limited by only allowing emails sent to watchwords and such, and blocking aliases as needed, so I'm guessing this type of thing isn't possible with your own domain? Other than the obvious of being able to choose my domain name for my email addresses, are there any other benefits, or any additional risks, to using my own domain vs a SG one?
vertigo
 
Posts: 5
Joined: Mon Jun 13, 2016 10:58 pm

Re: Need help deciding whether to switch to SG

Postby josh » Wed Sep 05, 2018 9:43 pm

I'll try to respond

spamgourmet has been operating continuously for about 18 years, and we have no plans of shutting down. We have had some downtime - normally due to hardware failures. When mixups occur, this can sometimes stop email delivery for as long as a few days. These events rarely prevent delivery (i.e., the messages get delivered in a flurry when the service comes back up, but a few days of delay can make them essentially useless, of course). These events are fairly uncommon, and we often go for several years at a time with no real downtime.

We are indeed pretty stubborn on our functionality limitations, and have refused payments for additional functionality.

There's no real support organization, and it would would cost way more to set one up and maintain it than we believe we could receive from the paid subscribers. Personally, I think this policy is one of the main reasons we have lasted so long -- without the complexity and demands of an ongoing business with paid employees, we've been able to avoid investors and other possible sources of pressure to change the service in ways that would deviate from its original intent (or to shut it down or sell it or bring in new management, etc.)

That said - we're human, and sooner or later, we're going to have to hand off control to someone or something else, simply because of aging/mortality issues. At that point, I hope the new crew will continue to provide the service as it has been, but I will have no control over it.

I'm happy with our approach to security on the server system - we have a sensible configuration, we don't run services that we're not using, and we stay current on security updates for the software we are using. But we are not formally audited or evaluated by any third party. As I'm sure you know, no service can claim perfect security, and certainly we don't.

Btw, we don't really have any password structure requirements for our users -- I've always had my doubts about how useful those really are (and recently my suspicion has received some validation). Needless to say, if a user uses a weak or re-used/compromised password, there's nothing to stop an attacker from logging in and taking over the account. Some reviewers would probably reduce our security rating because we don't require you to use capitals and lower case and numbers and punctuation, etc., but if you're concerned with security, I'm sure you would use a good password (and I highly recommend using a password manager). On the back side, we use good one way encryption to store password hashes, and over the years we have made changes to keep it current, as older techniques became unacceptably weak.

[None of what I just said is true for the BBS that your'e reading now, which is a completely separate system in a separate unrelated hosting provider, using third party PHP bulletin board software that may be incredibly secure, but I don't know - so definitely use a different password here.]

If you use your own domain with spamgourmet, it gets added to the list of locally managed domains, but not published. Strictly, any spamgourmet user would be able to use it the same way they do the published addresses, but practically they don't, because they don't know it's there (and in fact, using it is not in their interest, because you can withdraw it at any time and manage it somewhere else, and then their email messages would go to that place instead of spamgourmet).
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Re: Need help deciding whether to switch to SG

Postby vertigo » Thu Sep 06, 2018 3:26 am

Thanks for the detailed reply. I didn't have any concerns about the service going away, as it's been around for years with no sign of that changing. I assume you thought I was concerned about it due to my comment regarding 33mail, but the issue there isn't technical, it's the fact they're blocking mail (a bit of a long story), which obviously makes me mad and removes any and all trust I've built up in them. So the bottom line is, I need a new solution, but there are very few options, and apparently no real good ones. SG seems to have the potential to be really good, which is why I've kept returning to look at it over the years, but it apparently just won't work for my needs.

As for using my own domain, I'd actually read that in another thread a day or two ago, so I was aware of that facet of it. I'm just curious how it differs from using a SG domain, e.g. if using my own domain couldn't I essentially do the same thing? I was under the impression you can set it to anything@domain.com will all go to the same email, which would allow me to do aliases that way. It seems the only capabilities that would be missing would be the ability to block an alias, which could be handled by a simple filter in the email to send it straight to trash, and watchwords, which based on my usage of aliases has been shown to be unnecessary. I realize I'm asking questions outside the scope of SG, but I'm hoping that, based on the nature of this forum, you or someone else will be able to give me advice to help me figure out a solution.

And speaking of the forum, not sure if it's just me, but it keeps logging me out (other sites do this to, so it might be something on my end) and, more strangely, the login session doesn't seem to propagate properly in the browser. For example, I went to a topic to post, had to login, then hit back to go back to the topic, but it showed me as being logged out again, even if I refreshed the page, which is definitely not normal behavior. I would only be logged in if I stayed "forward" of the login page. And even after logging in, opening this topic in another tab I had to login again in order to reply, so the login doesn't seem to transfer across tabs properly either. And I don't have first-party isolation (FPI) enabled or anything else like that. This is the only site I've noticed this with.
vertigo
 
Posts: 5
Joined: Mon Jun 13, 2016 10:58 pm

Re: Need help deciding whether to switch to SG

Postby josh » Sun Sep 16, 2018 11:00 am

I'm not sure what's going on with the bbs login issue. I haven't seen that before.

You can do quite a bit by managing your own domain and email server if you're willing to spend some time and consideration setting it up.

One snag for doing it yourself easily these days is that most internet service providers effectively block you from running a mail server on your machine at home - that is, they block the TCP/IP ports normally used by mail servers. This has probably helped reduce spam quite a bit by preventing compromised home machines from turning into spammy mail servers (without their owners even knowing), but it has the collateral effect of making it really difficult for someone who actually wants to set one up for themselves.

Another side effect of the spam wars is that practically speaking, once you get past the port issue (by maybe leasing a server outside your ISP or getting an account somewhere that supports mail management at the user account level), you'll find that it's much easier to receive email than to send it, because of all the security measures in place that are going to be suspicious by default of your server.

If I was doing it these days, I would probably set up and manage the receiving end of the mail on a subscription unix account somewhere, but rely on a service provider for the sending side.

If you're set up that way with all the mail for your domain getting directed to the same catch-all address, you can send all the messages to a script that you write and do whatever you want with them - you could even come up with a scheme to add words and numbers at the beginning of addresses and use those to make decisions about whether to forward or delete the messages. If that works well, you could start letting other people use it as well - haha
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 20 guests

cron