Email Verification

I’m the owner of a Gmail address that bears my name, in the form first.last@gmail.com.

Many others who share my name have addresses that are slight variations of mine, e.g. first.last2@gmail.com, first3.last@gmail.com, or even first.p.last@gmail.com. You get the idea.

Often when these people sign up at websites, they mistype their email address—and accidentally enter mine.

On account creation, modern websites send a verification email to the registered address, containing a link that the user must click before they can use the service. This verification loop confirms that the person actually owns the email address they entered. You’ve probably experienced this yourself.

If I’ve directed you to this article, it’s likely because your company does not verify email addresses, such that I’m currently experiencing one or more of the following problems:

  • I’m receiving notifications, alerts, user-related communications (often containing personal data), and I’ve been unable to stop them because either:
    • Your communications don’t have an unsubscribe link, or
    • There is an unsubscribe link, but it requires logging in to confirm
  • Your service doesn’t allow me to reset the account password simply by knowing the email address, i.e. it requires me to provide some user-specific information I wouldn’t know.

In other words, I am stuck, have wasted time that I shouldn’t have wasted, and need your help.

But just as importantly, I need you to get the message to whoever in your company is responsible for the website, insisting that they add email address verification to the account creation process, to prevent this from happening in the future.

Thank you.

Decommissioning old email addresses with FastMail

The first business email address I used, [email protected], now almost twenty years old, is the source of 95% of the spam I receive. I no longer use this address, and would simply like to kill it, but every now and then the arrival of an important message reminds me that decommissioning it could result in missing something important.

Our company uses FastMail for email hosting, and the account has several domains aliased, including makalumedia.com. Chatting with FastMail support, I discovered that I could use their advanced “Sieve” support to effectively kill the address without the risk of missing important emails.

Here’s how I did it:

  1. In Mail.app, I created a smart folder that collected all mail addressed to [email protected] during the past 10 years (and which is not in my junk mail folder). This is the starting point of my list of “known senders” from whom I’ll continue to receive mails.
  2. I exported this smart folder to a mailbox file on my Desktop.
  3. I then used the Mac app “eMail Extractor” to parse a list of all email addresses found in that file.
  4. I then used BBEdit to clean up the list, leaving me with only a single copy of unique {domain}.{tld} entries.
  5. I then created the following Sieve rule in my account at FastMail

This sieve triggers on any mail received at my old makalumedia.com addresses. It then checks whether the sender is in my list of known senders (which in my real sieve is much longer than the above). If the sender is not in that list, it rejects the mail with a message telling the sender to contact me through my blog to get my current contact information.
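The rule itself did not survive on this page, so here is an added example, written for this article and not the author's actual FastMail rule, of a Sieve filter that does what the paragraph above describes: match mail addressed to the retired makalumedia.com domain, compare the sender's domain against a known-senders list, and reject everything else with a pointer to the blog. The three list entries are placeholders standing in for the real, much longer list.

```sieve
# Added example (not the author's actual rule, which is not reproduced on
# this page). Rejects mail sent to any address at the retired domain unless
# the sender's domain is on a known-senders list. The list entries below
# are placeholders for the real, much longer list.
require ["reject"];

# Trigger only on mail addressed (To or Cc) to the retired makalumedia.com domain.
if address :domain :is ["to", "cc"] "makalumedia.com" {

    # The known-senders list holds bare {domain}.{tld} entries, so compare
    # only the domain part of the From address. :is needs an exact match;
    # a subdomain such as mail.example.com would need its own entry
    # (or an address :domain :matches "from" "*.example.com" test).
    if not address :domain :is "from" [
        "example.com",
        "example.org",
        "example.net"
    ] {
        reject "This address has been retired. Please contact me through my blog to obtain my current contact information.";
    }
    # Mail from a listed domain falls through to Sieve's implicit keep.
}
```

Two caveats a practitioner would want. First, the `address` test reads the To and Cc headers, so a message delivered to the old alias only via Bcc or a mailing list would not match; where the provider supports the Sieve `envelope` extension (FastMail does), `envelope :domain :is "to" "makalumedia.com"` tests the SMTP recipient instead. Second, the From header is trivially forgeable, so any spammer using a listed domain still gets through, which is exactly the leakage the next paragraph describes and why pruning the list over time matters.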

Since setting this up a few days ago, my spam has been reduced by probably 90%. The few that have gotten through were from senders on my known-senders list, and so I went and removed them from the list. So over time, my known-senders list will get cleaned of the few spammers who were present in the original list.

All in all, I’ve been super happy with Fastmail. Their service is well-designed, technically solid, and provides just enough geeky flexibility to do advanced stuff like the above. Well worth the money!

Support Authentication

When I sign up for an online service, I like to use an email address that’s unique to that service, i.e. something like [email protected]. Email for my-special-domain.com is then configured to forward all incoming mail to my personal email address.

This allows me to do two things:

  1. Know which services sell my address on to third-parties. (If I start getting spam on this domain, I can figure out where it came from.)
  2. Kill any address for which incoming mail gets out of hand

This works fine, except for one problem, and a problem that shouldn’t exist:

Often when emailing [email protected], I’ll get a reply back indicating that—for “security” purposes—I must email support from the address associated with my account at the service.

What’s the problem with that? The problem is that the “from” address of my support enquiry provides absolutely no authentication or security at all, since email headers are dead easy to forge.

Therefore, if a service wants to authenticate support conversations, there’s only one way to do it, and that is to provide an internal messaging system accessible only once a user authenticates into the service’s website. (Most financial institutions have this, since getting user authentication right is particularly important to them.)

I decided to post this to my blog, in order to have something I can conveniently point to in the future, when trying to convince these services that they’re misguided and causing unnecessary inconvenience to users who prefer to use throw-away addresses on their accounts.

1Password for Teams and Families incompatible with VPNs

One of the services for which I’ve truly been happy to pay is 1Password for Families, which allows my wife and me to centrally manage information vaults that are shared among ourselves, and among our kids, across all our Mac and iOS devices.

Some time ago, I wrote about how I secure our home network with a VPN. After doing that, we began having to frequently respond to CAPTCHAs when accessing any website that uses the CloudFlare security platform, as CloudFlare (understandably) doesn’t trust the IP addresses of the Private Internet Access VPN service that we use. This is an annoyance, but certainly something we can live with.

Unfortunately, however, I recently discovered that all of our 1Password applications (iOS and Mac) have stopped syncing their data with 1Password’s servers. And to make matters worse, the apps don’t provide any feedback to the user that synchronization has failed! It was only after removing a Families account from one of the devices, and trying to add it back did I finally see a “No response from server” error.

My experience with CloudFlare-managed websites immediately led me to suspect that 1Password had their client API sitting behind CloudFlare, and an email to 1Password support confirmed this:

After reviewing the situation with his colleagues at 1Password, however, he then followed up to say that, sorry, but it looks like their service is just incompatible with Private Internet Access:

Right now, because so few users are affected by this, 1Password’s response is just: “Sorry, you can’t use our service if you’re going to use a VPN.” This seems short-sighted for the following reasons:

  1. The problem doesn’t only affect users on Private Internet Access IP addresses. It affects users on any IP address that CloudFlare distrusts. Currently that’s at least PIA users, and almost certainly includes other popular VPN providers. But over time, one can certainly expect that set of IP addresses to expand.
  2. More fundamentally, when accessing a website, CloudFlare provides a means by which a legitimate user on a distrusted IP address can successfully get through—by responding to a CAPTCHA. In other words, there’s a model in place by CloudFlare that anticipates false positives. If you’re going to put your software API in front of CloudFlare, as 1Password has done, then you must also engineer a model and user experience that accounts for false positives. (Perhaps CloudFlare offers a mechanism to surface a CAPTCHA-like challenge to the human user of an app that’s getting trapped on its API by CloudFlare.)

Hopefully, the team at 1Password will reconsider the situation, and find a solution.

How to protect your home network with a VPN router

In this article, I describe how I added security to my home network by installing a router that directs all internet traffic through an encrypted VPN connection. The adventure includes my experience with the FlashRouters company, the Tomato router firmware software, an OpenVPN connection to the Cloak network, the Linksys E2500 router and the Netgear Nighthawk R7000 router.


Reflections on my first few weeks of listening to podcasts

A few weeks ago, and way late to the game, I started listening to podcasts. Of the several I’ve heard so far, the ones I enjoyed have included Horace Dediu’s “The Critical Path”, Benedict Evans’s “Cubed”, Gabe Weatherhead and Erik Hess’s “Technical Difficulties” and Shawn Blanc’s “The Weekly Briefly”. The ones I’ve disliked have included John Gruber’s “The Talk Show” and Marco Arment’s “Accidental Tech”.

I wanted to take a moment to reflect on why I liked some and disliked others. This is mostly for my own benefit, since going through this exercise will likely reveal my motivations for listening to podcasts in the first place.

Calling Gmail technical support (yet another scam story)

My livelihood and many of my hobbies revolve around technology. This past week, after witnessing an unfortunate series of technology problems affecting my Mom, I’ve been reflecting on how I take for granted as commonly understood so many technological concepts that, in reality, are not commonly understood at all.
