Topic: Review: mailbox.org e-mail; pseudonymous friendly, antispam, €1/mo. (pay in BTC)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
nullius
March 11, 2018, 10:37:03 PM
Merited by slaman29 (1)
 #1

This review is neither solicited, nor compensated.  I have no affiliation with mailbox.org, other than as a happy customer.



It is no secret that I use mailbox.org:  Their mailer hostnames are in the MX and related records for nym.zone, plus in the headers of all mail received from me (including by publicly archived mailing lists).

Although mailbox.org is popular on some other “crypto” forums, the only discussion I could find here is a German thread from 2015.  Thus, I wish to tell Bitcoin Forum users of my experience with this service.  Rather than writing a wall of prose, I will reduce the major points to three separate bulleted lists:  Positive, Neutral, and Negative.

Note:  mailbox.org offers a plethora of features, most of which are unused and untested by me.  I can only review their core service:  E-mail, sent from/downloaded to my own localhost.

TL;DR:  Overall, highly recommended for pseudonymous users who want reliable service and strong anti-spam for €1/month, payable in Bitcoin.



Positives:

  • Friendly to anonymous/pseudonymous customers.  They explicitly state that “anonymous registration at mailbox.org is absolutely possible”.  The only information they ask at signup is a name—which they explicitly hint that they cannot verify—plus a country for VAT reporting purposes (also unverifiable), and a language for the Web app user interface.
  • Excellent anti-spam protection.  The company which provides this service, Heinlein Support GmbH, does antispam as their bread and butter.  I have been freely spreading my address nullius@nym.zone around the Web and on mailing lists, with no attempt to obfuscate it.  I receive very little spam; and whatever spam I have recently received seems to be targeted to Bitcoin Forum users (ICO spam).
  • Anti-spam system properly rejects with SMTP 5xx.  No junk folder to silently eat false-positive messages!  (I think they may (?) have recently added a “junk folder” option; but if so, it is optional and opt-in.  Avoid.)
  • .onion site, kqiafglit242fygz.onion, for access to POP, IMAP, and XMPP services—albeit not for the Web interface, which is necessary to control account settings and payment.  They also run their own Tor exit, which can be pinned; I myself don’t do this.  Their Tor information page discusses both their exit and their .onion.
  • Reliable service.  In my time as a customer thus far, I have never seen the service go down, or show any other signs of unreliability.
  • Located in Berlin, Germany, without connection to the Land of the Free NSL.  Servers physically located in Berlin.  Subject to German data protection laws.  Clear Data Privacy Statement.
  • Well-established company.  mailbox.org was started in 2013; but the people running it have been providing some form of network services since 1989 (!).  The providing company has existed since 1992.  In an era fraught with flaky startups, I feel more comfortable knowing that my e-mail will not likely disappear due to dumb hipster “founder” kids either flaking out, or getting “acqui-hired” by Google.
  • TLS certificates verifiable through DANE.  (Untested by me, since DANE does not work through Tor; I’d need to make a special effort.)
  • Network-level communications privacy between servers can help lessen the exposure of metadata (not protected by PGP) to network observers.  To this end, mailbox.org attempts to use TLS for all incoming and outgoing SMTP sessions with other MXes.  They also provide an option through which you may refuse all mail not sent over TLS; however, this can cause you to be unable to communicate with people who use incompetently managed mailservers.

    All mailbox users also have a special alias which can only receive mail via SMTP over TLS; mine is <nullius@secure.mailbox.org>.  If you want to test whether your mailserver can do outgoing TLS properly, try sending me a “hello” at that address, and see if it gets rejected!
  • Use your own domain.  No extra charge.  If you set up a domain with a catch-all alias, you can download mail, filter on envelope-recording headers, and inject it into your own local mail system.
  • Reasonable prices.  For those who download and delete mail, unless you need lots of aliases for domains, it should never be necessary to buy more than the €1/month service level with a 2 GB mail quota.  Webmail users who need more space (or those who use the “Office” features I have not tested) have many other service options, all of which seem cost-effective for the resources provided.
  • Paid service.  Yes, that’s a positive.  So-called “free” e-mail never is:  If you’re not the (paying) customer, then you are the product.  I am a mailbox.org customer.
  • Payable in Bitcoin (but see negative below: Bitpay).
  • 30-day free trial.

Neutral characteristics:

  • Webmail “Guard” PGP features.  I myself do not use this, and have not tested it.  I think that overall, against real-world threats, it looks about as trustworthy as Protonmail; yet it has the significant advantage that unlike Protonmail, you can use it to communicate with all PGP users in the world, not only local users of the same service.  I think that this is a good “medium security” solution for people who need userfriendly webmail.  I would recommend that paid Protonmail users switch, and save some money:  For 5GB of quota, mailbox.org costs €2.50/month, whereas Protonmail costs €5/month (€4/month if paid annually).  Those who need or desire high security MUST always use private keys which never in any way leave their own hardware.  This German-language discussion seems savvy.

    Side note:  I myself would prefer to correspond with security experts who use their own keys on their own hardware.  However, knowing one’s correspondent is integral to opsec; and I know that I can only assess the expertise of a correspondent by evaluating the human element.  I would rather suggest that n00bs use mailbox.org Guard from their malware-infested PCs than try to tell them how to manage PGP private keys on the same computers from which their bitcoins get stolen.

Negatives:

  • Last-minute addition:  Bitpay is currently broken in a way which will effectually prohibit Tor users.
  • Bitpay.  #NO2X, “WE WILL NEVER FORGET.”  I don’t totally boycott all Bitpay services; but a service must be truly excellent for me to endure grinding my teeth whilst sending precious bitcoins to a Bitpay address.  @mailbox.org, please consider setting up your own node!
  • Even for POP/IMAP users, the Web interface must be used for account settings and payment purposes; and the Web interface requires Javascript, lots of Javascript.  Besides being unfriendly to people who disable Javascript for security reasons, the gobs of Javascript are slow to download over Tor.
  • Google CAPTCHA required (only) at signup.  (They actually apologize for this on the signup page.)
  • “Guard” PGP features (untested/unused by me) require some level of trust in mailbox.org.  As said above, I think overall their setup looks about as safe as Protonmail.  With Protonmail, the server could perform a targeted attack by providing Javascript which phones home the decrypted private key; with mailbox.org Guard, the server decrypts the private key, and could keep it that way if desired.  Really, what’s the substantive difference?



I will update this review if/as necessary from further experience with mailbox.org.

Version history:

2018-03-11:  Initial post.

This thread is self-moderated for reason that due to experience with spam and trolls, I self-moderate all threads started by me unless there be a good reason to do otherwise.
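
An added illustration (not part of nullius's post, and not mailbox.org code) of two points from the review above: TLS between mail servers, and filtering downloaded catch-all mail on envelope-recording headers. It reads the alias a message was addressed to and checks whether the sending MX used TLS on the hop into the provider; the `Delivered-To` header name, the `.provider.example` hostnames and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string

# "with" keywords meaning the hop was TLS-protected (RFC 3848, RFC 6531).
TLS_WITH = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def inbound_hop(msg, provider_suffix):
    """Top-most hop handed from an outside host to the provider. Anything
    below it was supplied by the sender and is ignored as untrusted."""
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(strip_comments(value))
        if m:
            frm, by, proto = (g.rstrip(";").lower() for g in m.groups())
            if by.endswith(provider_suffix) and not frm.endswith(provider_suffix):
                return frm, proto.upper()
    return None

def classify(raw, provider_suffix, rcpt_header="Delivered-To"):
    """Report the catch-all alias, the sending MX and whether it used TLS."""
    msg = message_from_string(raw)
    hop = inbound_hop(msg, provider_suffix)
    rcpt = (msg.get(rcpt_header) or "").strip().lower()
    return {"alias": rcpt.split("@", 1)[0] if rcpt else None,
            "sender_mx": hop[0] if hop else None,
            "tls": hop is not None and hop[1] in TLS_WITH}

# Constructed samples (reserved example domains, not real traffic).
OVER_TLS = """\
Delivered-To: shop@alias.example
Received: from mx1.provider.example by store.provider.example with LMTPS id A1
Received: from out.shop.example (out.shop.example [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx1.provider.example (Postfix) with ESMTPS id B2; Mon, 12 Mar 2018 09:00:00 +0100
"""
PLAINTEXT = """\
Delivered-To: forum@alias.example
Received: from relay.bulk.example (relay.bulk.example [203.0.113.7])
    by mx1.provider.example (Postfix) with ESMTP id C3; Mon, 12 Mar 2018 10:00:00 +0100
Received: from inside.bulk.example by mx1.provider.example with ESMTPS id FAKE
"""
```

In the second sample the lower `Received` line claims `ESMTPS`, but it sits below the provider's own boundary header, so the message is still reported as having arrived without TLS.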

nullius
March 11, 2018, 10:37:46 PM
 #2

(reserved for meta-information, if any)

Blue Tyrant
March 12, 2018, 06:46:16 AM
 #3

Quote
Located in Berlin, Germany, without connection to the Land of the Free NSL.  Servers physically located in Berlin.  Subject to German data protection laws.  Clear Data Privacy Statement.

Regarding this point, isn't Germany a part of the infamous Fourteen Eyes (details well summarized by Privacy Tools)?

Quote
The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other’s citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third party countries can and do spy on each other.

The part in bold being the German part. Not to mention there have been plans from the German side to align themselves with the five eyes, as per a suitably cited Wikipedia article.

Quote
Germany is reportedly interested in moving closer to the inner circle: an internal GCHQ document from 2009 said that the “Germans were a little grumpy at not being invited to join the 9-Eyes group." Germany may even wish to join Five Eyes

And to quote another article

Quote
According to summit participants, the German chancellor seemed far more interested in the "Five Eyes" alliance among the US, the UK, Australia, New Zealand and Canada. The top-level allies within this exclusive group, which began in 1946 as a pact between London and Washington, have agreed not to spy on one another, but instead to share information and resources. In Brussels, Cameron stressed to his fellow leaders how many terrorist attacks had been prevented by successful intelligence work.

Merkel, meanwhile, stated: "Unlike David, we are unfortunately not part of this group." According to the New York Times, Germany has sought membership in the "Five Eyes" alliance for years, but has been turned down due to opposition, including from the Obama administration. But this could now change, the paper speculates.


So there's a high chance that Germany may soon change their stance on the issue of privacy, especially now that the leadership of the US has changed from the Obama administration, which rejected their plea, to a new one.

slaman29
March 12, 2018, 09:26:20 AM
 #4

Very interesting article nullius, thanks. I think the one Negative bit is just too much to overcome at the moment (BitPay). The issue with wanting a good service, especially one so important as a pseudonymous email, isn't with the price but with the ease of maintaining it. BitPay is impossible for me to use (and I want to avoid it anyway).

The secondary issue, but also important: how can we be secure in the knowledge that the email service won't just disappear? I got really upset when Sigaint went down and it was doing so well!
