My Project Flexamail

[Serapth]

Im taking a moment here to shill my own product! That said, im sure it will be useful to many of you.

In a nutshell, Flexamail allows you to do all kinds of web related tasks using your email. Using your email you can surf, use twitter and facebook and as many people here so love to do, you can host pictures as easy as attaching them to an email and sending it out.

So for example, lets say you have a sweet image of Daniel Sedin photoshopped to look like Justin Beiber that you just need to share with the forum, its simple. Just send an email to imagehost@flexamail.com, attach the picture to the email and click send. Seconds later you will get an email with a link you can use to post here. If you want, you can later log into Flexamail.com and see how many times it was downloaded and from where. Using the same basic premise, you can share any kind of file or even copy protect them.

Also of use to those of us at work or school and cant surf the web, what are you going to do... work? Good god no! Flexamail can help you here too. Just email www@flexamail.com ( or pdf@flexamail.com if your prefer a PDF results ) with the subject set to the site ( ie forum.calgarypuck.com ) and click send. Seconds later you will get the webpage back as an email. Since its email, firewalls don't effect it. There is also support for Twitter and Facebook access if thats your thing.

When you sign up you get a complete list of all commands it uses.


Anyways, if it sounds useful to you check it out and let me know what you think. I hope you find it cool and useful.

EDIT: Oh yeah, you have to sign up before anything will work. Don't worry its free and we don't share your email with anyone.

[Pinner]

Sounds pretty cool, make sure this thread gets a bump Mon. morning so more people see this.

[ricosuave]

It does look useful, but FYI - corporate IT departments dont take kindly to users trying to bypass the system.

[Serapth]

Quote:

Originally Posted by Pinner

Sounds pretty cool, make sure this thread gets a bump Mon. morning so more people see this.

True enough, probably bad timing eh?

Quote:

Originally Posted by ricosuave

It does look useful, but FYI - corporate IT departments dont take kindly to users trying to bypass the system.

This is true, but on the other hand is a hundred fold better than most other systems. For example, if you installed a VPN on a work machine, you could get fired on the spot, or any other system that could compromise security. Also, if you are allowed access to personal email, you are probably ok in terms of your companies corporate policies. That said, let common sense be your guide!

To be honest, I should probably be targeting corporate IT departments. People accessing Twitter and Facebook at work aren't really the problem, people *LIVING* on Facebook or Twitter are. By being "yet another email", its not really all that intrusive.

[Rathji]

Quote:

Originally Posted by ricosuave

It does look useful, but FYI - corporate IT departments dont take kindly to users trying to bypass the system.

That was my first thought reading this post. We don't have a lot of controls at work but if I found someone bypassing one of them in this way I would be choked.

[sclitheroe]

Quote:

Originally Posted by Rathji

That was my first thought reading this post. We don't have a lot of controls at work but if I found someone bypassing one of them in this way I would be choked.

Lol.

I wish all my users used something like this to bypass our AUP. Not only is it easier to filter at the mail proxy than the firewall, I also have a complete log of their activities on the SMTP server AND their outbox

[sclitheroe]

Thinking more about this, it has tremendous potential. I love the idea of finding a Flexamail user at the office and using the service to deliver goatse.cx to them over and over again until they have to spam filter their own email.

Would also be a nice way of airing out office grievances via someone ELSE's twitter account

[Rathji]

Quote:

Originally Posted by sclitheroe

Lol.

I wish all my users used something like this to bypass our AUP. Not only is it easier to filter at the mail proxy than the firewall, I also have a complete log of their activities on the SMTP server AND their outbox

Very good point, not sure why that didn't register right away.

I think my biggest problem with it might be because this is actually easy enough for anyone to use, even my average user who is a 40-50 year old social worker who can hardly use a mouse let alone figure out a way to bypass our limited enforcement measures.

Edit: The more I think about it, the reason that is so simple is really good from the OP's perspective and he should be commended for that. Of course that doesn't change the fact that it is going on my MXLogic deny list on Tuesday morning.

[Winsor_Pilates]

Love the picture hosting service. I hate that everytime I want to post a picture on here, I have to upload it some file hosting service first which seems like a painful internet process in todays getitdonequick times.

[sclitheroe]

Quote:

Originally Posted by Winsor_Pilates

Love the picture hosting service. I hate that everytime I want to post a picture on here, I have to upload it some file hosting service first which seems like a painful internet process in todays getitdonequick times.

Dropbox...copy the file to the Public folder, right click file and Choose "copy public link"...done

[sclitheroe]

So I took a look and signed up just for poop and giggles.

Brutal - there's no way to specify which SMTP hosts this thing should accept email from me from. So it looks like once I know someone is a Flexmail user, I can spam like crazy by spoofing my SMTP from: address.

Second, once you've created an account, there's no way to delete your account. Nice.


Edit: Those are honest opinions/feelings. I'm not ripping on Serapth - the thing is labelled as a beta and must be treated as such. But man, you've got to find a way to make it easy for users to manage what "locations" (that would be which IP's to your app) they can send commands from. Otherwise this thing is a giant data sieve/DOS bot/Tojan distribution thingy just waiting to happen.

[Rathji]

Quote:

Originally Posted by sclitheroe

Dropbox...copy the file to the Public folder, right click file and Choose "copy public link"...done

haha beat me to it.

https://www.dropbox.com/referrals/NTIzMTEyNzk 3 gigs to start, and 250mb as incentives for inviting people (this is why the link is a referral link). If you do sign up via that link, you also get an extra 250mb.

[Serapth]

Quote:

Originally Posted by sclitheroe

So I took a look and signed up just for poop and giggles.

Brutal - there's no way to specify which SMTP hosts this thing should accept email from me from. So it looks like once I know someone is a Flexmail user, I can spam like crazy by spoofing my SMTP from: address.

Second, once you've created an account, there's no way to delete your account. Nice.


Edit: Those are honest opinions/feelings. I'm not ripping on Serapth - the thing is labelled as a beta and must be treated as such. But man, you've got to find a way to make it easy for users to manage what "locations" (that would be which IP's to your app) they can send commands from. Otherwise this thing is a giant data sieve/DOS bot/Tojan distribution thingy just waiting to happen.

SMTP servers are not a static thing, especially when it comes to something like Blackberry users, where the outgoing SMTP servers are not only highly dynamic, but also obfuscated. Additionally, the vast majority of people have dynamic ip addresses at home, so locking down by IP would do very little. Finally, it is not so easy to spoof as you think, Flexamail is not completely without security. Adding an optional feature to lock down to IP could be handy for the security minded. The service has been running for about a year and has thousands of users and we have never had a reported spoofing problem. I am not saying it isn't possible, I am just saying in practicality, it has never actually happened.

As to your bot/trojan distribution comment, frankly thats just silly. Take your scenario, in order to "attack" a user, you would need to know they were a member and their email address.... and knowing that, frankly, would give you no more power than you would have if......... you knew their email.

[Serapth]

Quote:

Originally Posted by sclitheroe

Dropbox...copy the file to the Public folder, right click file and Choose "copy public link"...done

Don't get me wrong, I am a giant fan of Dropbox, but one huge fault with this scenario is, it requires Dropbox to have been installed on the machine you are using. Besides that, frankly, that really isn't all that easier, just different.

[Rathji]

Quote:

Originally Posted by Serapth

Don't get me wrong, I am a giant fan of Dropbox, but one huge fault with this scenario is, it requires Dropbox to have been installed on the machine you are using. Besides that, frankly, that really isn't all that easier, just different.

Or you could log into the dropbox website and upload the file. No harder (or easier) than sending an email. The only real difference is with dropbox the file is 'yours'. You upload it once, and if you want to keep it there, it is on every PC you install dropbox on, plus it is stored on the web. That by itself can be good, or bad, depending on your perspective and the files you are posting.

So it is the same as Dropbox in some ways, but different in those ways as well. Which is a good thing, I think.

[sclitheroe]

Quote:

Originally Posted by Serapth

As to your bot/trojan distribution comment, frankly thats just silly. Take your scenario, in order to "attack" a user, you would need to know they were a member and their email address.... and knowing that, frankly, would give you no more power than you would have if......... you knew their email.

If I knew they were a user, and they were linked to Twitter, I could tweet obfuscated URL's to their followers leading to a compromised site. And I'd pull that off without needing a login or password.

That seems fairly significant to me.

[Serapth]

Quote:

Originally Posted by sclitheroe

If I knew they were a user, and they were linked to Twitter, I could tweet obfuscated URL's to their followers leading to a compromised site. And I'd pull that off without needing a login or password.

That seems fairly significant to me.

If there was an email server dumb enough to just accept the values it was sent, sure, but in reality it's not so easy to spoof. That whole telnet to port 25 trick sure isn't going to work. Hell, Flexamail receives probably 300 emails a week with spoofed FROM addresses. Just because you send a message and claim to be X person, doesn't mean the receiving server is going to believe it.


Think about it, if email was so easily spoofed betweens domains, who would ever trust it, as one of every 3 emails sent would be from Steve Jobs or Barack Obama.

Now, emails sent within the same domain that isn't properly locked down, that is easy to spoof. But even that can be fairly easily defeated.


EDIT: Ironically, our security logs show a half dozen spoofed email attempts since 11:52 EST.

[sclitheroe]

Quote:

Originally Posted by Serapth

If there was an email server dumb enough to just accept the values it was sent, sure, but in reality it's not so easy to spoof. That whole telnet to port 25 trick sure isn't going to work. Hell, Flexamail receives probably 300 emails a week with spoofed FROM addresses. Just because you send a message and claim to be X person, doesn't mean the receiving server is going to believe it.


Think about it, if email was so easily spoofed betweens domains, who would ever trust it, as one of every 3 emails sent would be from Steve Jobs or Barack Obama.

Now, emails sent within the same domain that isn't properly locked down, that is easy to spoof. But even that can be fairly easily defeated.


EDIT: Ironically, our security logs show a half dozen spoofed email attempts since 11:52 EST.

Cool. So how do you verify that an email claiming to be from someone is actually from them? Are you using reverse DNS lookups, or some other technique?

[Serapth]

Quote:

Originally Posted by sclitheroe

Cool. So how do you verify that an email claiming to be from someone is actually from them? Are you using reverse DNS lookups, or some other technique?

My general preference is not to talk specifically about the security mechanisms built into Flexamail, especially in a world so instantly indexed by google. That whole security through obscurity is a very valid concept!

Pretty much any other technical questions I am more than willing to discuss.

[sclitheroe]

Quote:

Originally Posted by Serapth

My general preference is not to talk specifically about the security mechanisms built into Flexamail, especially in a world so instantly indexed by google. That whole security through obscurity is a very valid concept!

Pretty much any other technical questions I am more than willing to discuss.

Cool.