Skip Navigation

InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)C

conorab

@ conorab @lemmy.conorab.com

Posts
14
Comments
174
Joined
2 yr. ago

  • Turning the Tables: How to Make Spammers Reveal Their Own IP Address

    Jump

  • The idea of having them send an e-mail to an address containing their IP is clever, however you need to authenticate that the person who sent the e-mail is either somebody who queried your site, or somebody that got the address from somebody who queried your site or else you could just figure out how to generate that base64 yourself and impersonate somebody else’s IP address which could have catastrophic results if you then fed these IPs into something like a block list and suddenly you’ve blocked Microsoft/Office 365. To be fair, I doubt anybody is going to try and reverse engineer one person’s code to then figure out how to impersonate who sent spam, but if this became a widely distributed program you could just pull off Github then it would be more concerning.

    A couple ways to solve this:

    1. Sign the information before encoding it in Base64 so you can verify it came from your site and wasn’t just spoofed. This has the upside of being stateless since you don’t need to keep a record of every e-mail you’ve generated but comes with the disadvantage of spending CPU time signing the text which could be exploited as a DDoS.
    2. Spit out a random e-mail address and record which e-mail address was given to each IP. Presumably you wouldn’t hold on to this list forever since IPs change owners frequently and so an IP that was malicious 1 month ago could be used by a completely different person now and so you can trim this list down once a month to avoid wasting disk space. You’d probably also want to keep some amount of these requests in memory (maybe 10Mb or so) to avoid ruining your IOPS.

    All this said, I think your time is better spent with the using unique e-mail aliases as the author suggested but with 2 changes: 1) use aliases which are not guessable to prevent somebody from making it look like somebody else was hacked (e.g. me+googlecom@ gets compromised, but the spammer catches on and sends from me+microsoftcom@ instead to throw off the scent) and 2) don’t use me+chickenjockey@, use chickenjockey@ or else the spammer can just strip “+chickenjockey” from the address to get the real e-mail address.

  • Mozilla Thunderbird Challenges Gmail With Its Own Email Service

    Jump

  • Eh it depends. I’m fortunate enough to be in a good IP block so I don’t get my e-mails dropped purely on that. It’s been a good learning experience and I’ve leaned on my own server a number of times for troubleshooting at work since I can see the whole mail flow. The only problem I have is the free Outlook/Hotmail will not accept my e-mails. Everybody else seems fine. All that said, I don’t host anybody else’s e-mail so I haven’t had any spam come out of my IP, and I would never in a million years host e-mail for a customer.

  • Mozilla Thunderbird Challenges Gmail With Its Own Email Service

    Jump

  • The spam filtering is painful. I kinda work around it by giving a unique e-mail for everything and of one starts getting spammed I just rid of that e-mail. Tends to give you advance warning of data breaches too since you’ll start seeing the spam come in before the announcement.

  • Mozilla Thunderbird Challenges Gmail With Its Own Email Service

    Jump

  • It’s a colocated server. I provided the physical server and they put it into a rack in a datacenter with power and networking (static IP).

  • Mozilla Thunderbird Challenges Gmail With Its Own Email Service

    Jump

  • If this works out it might be a nice place to migrate to away from my self-hosted e-mail provided they eventually let you bring your own domain. Just sucks that e-mail is essentially the most secure thing you need to have since compromising that can compromise every account attached to the e-mail. That’s a lot of trust you need to instill in your e-mail host.

  • Windows 11 is closing a loophole that let you skip making a Microsoft account

    Jump

  • This forced account shit is infuriating. I’d see students with computers that cannot get to government-provided education sites because they are forced to sign up with a Microsoft account to use their PC, which forced them to setup a child account because of their age and therefore be under a parent account, which means the child account can only use Edge and can only go to whitelisted websites, which blocks some government education sites unless the parent account allows it through which they can’t until the student goes home.

  • Whistleblower Alleges Meta Was Ready to Censor Content for Chinese Government

    Jump

  • I’m curious if this was going to apply to content on non-Chinese Facebook. Another part of the article referring to hiring a “chief editor” explicitly says that the editor part would apply to the Chinese version only, but at the same time, Facebook removed content posted by a person in New York from Facebook at the request of the Chinese government, so it could go either way.

    If somebody is decrying the state of free speech in their podcast, show or in the campaign trail you can be pretty confident it’s an empty platitude. That said, you probably won’t find many examples of people willing to defend free speech or any civil liberties the moment their freedom is on the line. That’s not Zuck though. He’s just full of it.

  • NSW government rejects almost all interim recommendations on drug policy from summit. Concedes on 12 month trial of pill testing at festivals.

    Jump

  • You could just walk over to the testing tent and ask questions for curiosity’s sake. DanceWize for example have charts (from memory) showing the absolute no-gos for mixing (mix this and this and you WILL die) so if you head over to a pill testing tent just to ask curious questions you’ll probably feel suspicious anyway and cops might take interest and “randomly” search you. No pretending to do a crime needed.

  • What's your favourite it's all in the gameplay game?

    Jump

  • Garry’s Mod…. what a rabbit hole that was…

  • Help me harden my home server

    Jump

  • Last time they’ll ever do that! Pass the buck of hosting web-facing Plex servers onto somebody else.

  • WordPress bans WP Engine from sponsoring user groups • The Register

    Jump

  • PatchLess

  • What kind of hosting service will allow this?

    Jump

  • Adding to this: doesn’t CAD usually want 3D acceleration? I would definitely try running the CAD software with the same VM configuration you plan to use in your Proxmox VPS first before progressing to make sure it (a works at all and b) is responsive enough. You could even try nesting Proxmox in Proxmox to emulate the kind of performance you’d had on a VPS.

  • Looking for selfhosted inventory management wit SSO

    Jump

  • SnipeIT just cares about serial numbers, models and manufacturers (you can just use a serial number in the asset tag section) for assets and I think consumables drop a bunch of those requirements. You might be able to put groceries under consumables? I’m less familiar with consumables in SnipeIT to be honest.

  • Looking for selfhosted inventory management wit SSO

    Jump

  • SnipeIT is really good and supports SSO including via LDAP.

  • Why self host a password manager?

    Jump

  • They don’t need to be interested though. You could conceivably dump all the password you collect in an attack and just start trying them automatically like you would any other breach. Find a bunch of bank accounts and your chances you getting away with millions are high. Not to mention: a breach like this means changing all your saved passwords to re-secure them which is a multi-day affair.

  • Why self host a password manager?

    Jump

  • Self-hosting removes the risk of somebody compromising Bitwarden’s servers and adding malicious javascript to send off your master password to a bad actor instead of just processing it locally like it’s designed to.

  • Anyone running ZFS?

    Jump

  • I don’t think ZFS can do anything for you if you have bad memory other than help in diagnosing. I’ve had two machines running ZFS where they had memory go bad and every disk in the pool showed data corruption errors for that write and so the data was unrecoverable. Memory was later confirmed to be the problem with a Memtest run.

  • GnuPG / GPG how create an EdDSA key !? [ SOLVED ]

    Jump

  • What distro and version of that distro are you using? Did you install gpg from the repository or elsewhere? What version of gpg are you running?

  • A Place for Data Scientists

    Jump