This is wild to me. Tested it out myself and I couldn't send an SMS with a spot.xyz link to/from Google Voice <-> T-Mobile. And no "failed delivery" notice either, just a silent failure. And yet I still get so many texts that are obviously spam or phishing attempts.
Doing so silently and without a valid and case-specific reason should not be legally allowed.
Edit: Added "street/town" to analogy, and "case-specific" before reason
https://www.fiercewireless.com/wireless/sms-mms-deemed-infor...
I mean, going back to the postal service - even the weekly pile of "here, throw this away for me." dead trees we receive (in the US) is mildly irritating. Imagine THAT x 1000!
I'm grateful for the silent block in this case. I mean, my social security number is being canceled, I'm about to be arrested by the IRS, the FBI found a suspicious package with my personal information in it and my car warranty (didn't know I had one) is up for renewal. And that's just this morning. What more can I stand? One of these days I'll press 1 out of desperation...
Also I hate govt/big-corp censorship as much as the next person, but none of this seems remotely political or ideological. And consider the alternative.
The net-neutral solution is for ISPs/telecoms to not spam-block, but rather have spam-blocking be an optional, additional, layer that the consumer can choose at will, or not have at all. But the problem with that solution is that it requires the consumer to do extra work to obtain spam protection, and the consumer would not be protected by default. It also means extra work by all parties delivering spam messages. Unless spam ceases or things otherwise change, I think the clunky solution we currently have is fine for the most part.
USPS has a monopoly on first-class mail in the US and a Congressional mandate to deliver to every address.
They are used by large corporations too. The Alphabet domain is abc.xyz. Science Corp's is science.xyz.
The only workaround I found is to not include http://, just use the bare domain.
Personally, I find this behavior of my SMS provider reprehensible.
Cut and pasted the list and the message wouldn't send.
Narrowed it down to one. Typed just the bare domain. Wouldn't go through. (It was something incredibly benign like n17.org)
Couldn't find a history on that domain name for why it would have been filtered.
At least messenger responded with 'couldn't send message' but still no clue as to why... and it took me sending each domain name individually until I found the one that was failing the entire message.
It looks like T-Mobile looks for ".xyz" within the SMS and will silently drop the SMS (though it will claim it is delivered). ".xxyz" works, "..xyz" or ".xyzz" does not. "xyz" works, so does ".xy".
I thought SMS didn’t have delivery receipts?
They basically only accept pre-approved providers. If you have your own domain and infrastructure you have to petition them to whitelist you. Totally insane.
If you can read German, this guy who runs a shop decided to block all t-online emails himself since they basically run email out of specification. https://blog.rolandmoriz.de/2020/09/21/t-online-blockiert-ma...
(1st biggest spam channel being email, which surprise/surprise - Twilio also dominates via SendGrid)
Is it possible for a spammer to generate >$75 per 10,000 people spammed? I've no idea where the SMS spams I've got link to (not about to find out) but they are so obviously spam.
We use SMS for communicating with users and would be happy to pay a lot more per text to escape the 'positive ROI for spammers' territory.
I'd be happy to do that for important emails too!
This is my new mini-favorite thing. It feels a bit like a redux of "Shirt without stripes" (https://news.ycombinator.com/item?id=22925087)...
My domain is almost marked as spam solely on TLD grounds. What's the point of a TLD if it isn't a first-party domain on the internet?
SpamAssassin Score: -0.599
Message is NOT marked as spam
Points breakdown:
  -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust
       [***.***.***.*** listed in list.dnswl.org]
   0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
       [URIs: ***.xyz]
  -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
       [***.***.***.*** listed in wl.mailspike.net]
   0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
   2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
       [URI: ***.xyz (xyz)]
   0.0 HTML_MESSAGE BODY: HTML included in message
   0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
  -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
  -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
   2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
   0.5 FROM_SUSPICIOUS_NTLD From abused NTLD
   0.0 TVD_SPACE_RATIO No description available.
Unfortunately for the people with legitimate uses, for email admins it's just a really easy (and arguably necessary) shortcut to block a ton of spam.
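To put numbers on the SpamAssassin report posted above, here is an added example (not part of the thread and not SpamAssassin code) that parses the rule lines and attributes the score to the TLD rules versus the DNSWL whitelist credit. The 5.0 threshold is SpamAssassin's default `required_score` and is an assumption here, since the poster's setting is not shown; treating every rule whose name contains "TLD" as TLD-based is also this example's own choice.

```python
import re

# Rule lines copied from the report posted above; addresses and the
# domain were already masked by the poster. Detail lines in [brackets]
# carry no score and are skipped by the parser.
REPORT = """\
-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust
     [***.***.***.*** listed in list.dnswl.org]
 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
-0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
     [URI: ***.xyz (xyz)]
 0.0 HTML_MESSAGE BODY: HTML included in message
 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD
 0.0 TVD_SPACE_RATIO No description available.
"""

# A rule line is "<score> <RULE_NAME> <description>".
ROW = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")
REQUIRED_SCORE = 5.0  # assumption: SpamAssassin default, not the poster's config


def parse_report(text):
    """Return [(score, rule_name)] for every rule line in the report."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((float(m.group(1)), m.group(2)))
    return rows


def attribute(rows, required=REQUIRED_SCORE):
    """Split the total into TLD-rule points and the DNSWL whitelist credit."""
    total = sum(score for score, _ in rows)
    tld = sum(score for score, name in rows if "TLD" in name)
    dnswl = sum(score for score, name in rows if name.startswith("RCVD_IN_DNSWL"))
    without_whitelist = total - dnswl
    return {
        "total": round(total, 3),
        "tld_points": round(tld, 3),
        "whitelist_credit": round(dnswl, 3),
        "score_without_whitelist": round(without_whitelist, 3),
        "score_without_tld_rules": round(total - tld, 3),
        "spam_as_scored": total >= required,
        "spam_without_whitelist": without_whitelist >= required,
    }


if __name__ == "__main__":
    for key, value in attribute(parse_report(REPORT)).items():
        print(f"{key:26} {value}")
```

The three TLD rules add 4.5 points on their own; with the -5.0 DNSWL credit removed, the same message would score 4.4 against the assumed 5.0 threshold.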
It was pretty cool that I managed to buy a bunch of domains like <my last name>.<new-tld>, but to be honest I really don't see myself using my .blackfriday domain for anything. For that matter, I think that (somewhat ironically) `my-last-name.email` would not be taken very seriously for a primary email address.
I use a `.app` domain for my personal email, which has its issues, but if I owned a business, there is no way on earth that I would be using anything but .com.
Well, there's about a 1 in 7 chance that it would be the perfect domain to host your obituary. I'm sure you could make a smart watch app which detects when/whether to make the site publicly visible.
(I apologise if this dark humour offends anyone.)
I'm not sure how they could possibly enforce that, but in the purely technical sense, are you technically breaking rules?
Yet I gave up on it for the same reasons mentioned in the article: It has a terrible reputation and seems to randomly be blocked here and there.
their customers are on discord, twitter, telegram and wechat so email delivery is not a factor
the entire sites and revenue drivers are entirely client side (with the "servers" being the smart contract methods stored on the nearest blockchain nodes, this has only one initial upload cost but functions similarly to lambda functions except the users pay for the computations), when the domain is down or blocked, the user can interact directly with the nearest node hosting the website's associated smart contracts, if they are interested enough
this is working really well for a lot of organizations, and it has been this way for several years now
makes lean SaaS services even leaner, and allows them to grow even faster - as long as their customer base is already a crypto native. I haven't seen any organization succeed if they have to sell their customer on some crypto browser extension.
And, yes, a lot of the new web3 projects use alternative tlds because they're cheap and catchy. They also tend to use food-related nouns as project/coin names because branding is hard and a lot of them haven't been used by companies in the past.
Then I immediately got it. The amount of spam emails from .xyz .click .faith .top is huge. And for every email that comes from them, we have to run a spam scanner, which isn't cheap. So we have to score those TLDs more sensitively.
https://www.spamhaus.org/statistics/tlds/ can give some insight about spam rate by tld.
---
Translation: We used .xyz for spamming, of course .xyz is associated with spam.
No big issues so far except for the HR department of a potential new gig which can painlessly mail me@mydomain.xyz about job interviews BUT never get my replies back.
I don't know who to blame more in this mess:
- Me for playing smartass instead of using a @gmail.com because they impose the rules so everybody complies with them (maybe my reluctance to encourage this broken system explains my recklessness)
- The IT department of this organization that probably didn't want to deal with modern standards and/or reasonable spam filtering and set up a blunt rule for new TLDs (I mean come on it was a REPLY to a mail ADDRESSED to this specific mailbox)
- The broken system that keeps on inventing arbitrary new rules that everyone must implement to keep getting accepted by "the big players". (For instance I already had to change hosting two years ago because apparently you are also responsible for bad neighbors)
Guess I'll just have to be brave and migrate to a more classical TLD and set up redirects to ease transition. But it's pretty annoying to start over with crap like that because some dudes in "the big players" teams decided to ban a whole TLD just because it's "easier".
This is a great example of a Collective Action problem. Everyone would be better off if we could break the gmail domination of email policy, but as an individual you will have zero effect on gmail's dominance and only suffer the pain of not being a part of the system.
The responsible answer should be IRL legal actions against real spammers because they'll always adapt to new arbitrary protocol rules faster than legitimate users, it's their job!
Even from an environmental standpoint I get tired of user-shaming articles about why you should delete your email for the planet. Maybe as engineers our duty is somewhat to propose a new version of the mail protocol that doesn't allow this much crap to fly around in the first place. Current solutions seem to revolve around the concept of "everybody should duck and cover if anything is suspicious" thus blocking some legitimate messages that no sane human would reject should they be in charge instead of a basic AI.
PS: I'm not suggesting by any means that you should punish any human being with manual moderation.
PS:PS: Maybe an NGO whitelist system is a solution, I'm just fearful about which entity will end up with such power. But actually domain filtering is already kind of an implicit unpredictable non shared whitelist built on top of ICANN register... So here we are already...
I got in a painfully stupid argument with a middle-aged IT admin “we don’t want our employees installing apps”
It’s not an app, you don’t install it, it’s a “WebApp”, it’s just a freaking fancy website whose domain ends in .app - lol, this was like three years ago and just thinking about it is getting me heated
If they think that any domain that ends in .app is for installing apps, their mind is gonna be blown about some of the sites on .net and .org domains...
I have a .dev domain now and everything seems to be running smoothly, plus it's +20% cheaper.
New generic TLDs have the disadvantage of being recently unleashed. There are no venerable sites on XYZ, or its siblings. Much of what's registered there, and that word was "much" and not "all", is absolutely unworthy crap. And for those who are faced with defending either their own or their customers, clients, users, employees, or other stakeholders' security and time, wholesale blocking of the entire TLD solves a lot of problems with very little downside cost.
The obvious response is "but there's a lot of crap on legacy TLDs as well". Yes, there is, but there are also valued, venerable, and essential domains, and blocking all of them is not a viable option. (Though the prospect of whitelisting is becoming increasingly attractive.)
I've known people who are, on the one hand, Internet freedom advocates of decades-long standing --- before most people reading this were born. Who wholesale block access by all China ASNs to their webservers --- because all they see from such networks is malicious traffic. Again: effect-to-effort ratio here is high.
No, it's not "fair". Yes, there's collateral damage. But you're absolutely fighting not merely human nature but all of control theory in trying to combat this.
Register on XYZ and you'll be increasingly fighting a common practice of default-deny, whitelist-by-request. For every user you're trying to reach.
And you should ask yourself if it's really worth it.
XYZ, meantime, are mining and arbitraging short-term cashflow for long-term reputation at the specific expense of its legitimate customers. Those with the least bit of sense will abandon the registrar, leading to an ever-accelerating reputational death spiral.
Can anyone try `abc.xyz`? and see if that fails to send? It would be very typical for our corporate overlords to be omitted from our spam censorship filters.
>Ironically, Google Voice also has the same behavior with abc.xyz.
There (was?) even a semi-parody site called Domains For the Rest of Us[0] that generates .COM domains that you can use for side projects (or startups?).
[0] https://news.ycombinator.com/item?id=24538758
The new gTLDs are a godsend since all the domain hacks have been largely exhausted. E.G: `del.icio.us`.
I like the new avalanche of gTLDs since it reduces domain squatting, domain hacks, and stops people snapping up short .COMs as if they were some digital gold to be mined.
Not to mention the hassle of having a really obscure ccTLD like .SO and having to battle to get that domain back if it was seized by pirates, yarr
[0] https://www.deepsouthventures.com
[1] https://www.deepsouthventures.com/i-sell-onions-on-the-inter...
https://news.ycombinator.com/item?id=26380124
building one product at a time.
It's dead, Jim.
Oh, you mean delicious.com?
Luckily, they could still book me in but at a different time slot...
I had a .xyz domain. I thought it was easier, the domain was short to type.
I was completely wrong. I asked a few non-technical friends. They said they would never use my site because of the .xyz, it felt like a spam site. I redid the site on .net with a longer domain name - much better results.
I know this is common knowledge, but it still really creeps me out that companies can track this.
Unfortunately, this oftentimes leads to direct phone calls along the lines of, "Hey taftster, did you get my email? It shows that you haven't opened it yet."
This side-effect is also very annoying.
Roll your eyes all you want, but get the dotcom.
- no DKIM/DMARC verification headers that make sense, just a default ~all
- wonders why emails are classified as spam
Well, yeah. Maybe use an email spam rating tool next time, like mail tester [1]?
However, your (correct) evaluation of their weird DKIM/DMARC/MX values notwithstanding, I currently have 10/10 totally perfect score from mail-tester.com and gmail marks my email to my wife as spam.
As in, a 15 year history of my email address having multiple conversations per day to her email address and some of my emails (which are responses to her emails) get marked as spam by gmail.
I think I am going to sue google.
(Edit: I work at Notion)
This means you're subject to the politics of whatever country's TLD you're using. If the country's lawmakers suddenly decide that their TLD should only be for use by local entities, or that owners of popular domains should pay more, or that certain types of content are banned, you have no recourse.
(Not that ICANN policies always help you. Some of the new TLDs have contracts with ICANN that allow them to arbitrarily jack up prices, which they've done: https://domainnamewire.com/2017/03/07/yikes-death-spiral-new...)
What specific network blocks it?
https://www.reddit.com/r/Notion/comments/f6x9mk/why_the_so_d...
I get that the people here want more control over their devices, but to be fair, anyone posting here is at the extreme end of the tech spectrum when compared to your average phone user. Those phone users want someone else to help them. It's why I have SpamAssassin cranked super tight on the mail server that my parents use. They would rather miss a few legit emails and texts than get flooded with spam.
The .co.cc discussion was here on HN https://news.ycombinator.com/item?id=2733352
Not surprising at all to me, who has used the Internet for over two decades --- to be honest, all these new and unusual TLDs, whenever they show up in search results, are almost entirely sites filled with SEO spam and similarly useless content. It's nearly an instinct to ignore them at this point.
(As for the company, it's too bad virtualspot.com and virtual-spot.com were already taken; spotvirtual.com looks weird, but at least doesn't have the negative connotations of an even weirder TLD.)
I suspect I'm either lucky, or something.
Sometimes I send reminders from my xyz domain to my corporate email accounts (which tend to have a rather aggressive filtering) and everything seems to work fine.
SOCs, web filter, email filter teams and vendors all need to catch up to the 2010-era idea that carpet-blocking TLDs is not the first tool to reach for when securing a network, especially when you have a good URL filter in place.
* “Do you mean ‘biz’” on web forms
* other forms just refusing to validate unless I disable the client-side validation
* other systems ostensibly accepting it and just never sending me anything, because it fails to validate silently in their backend
* having to put whatever I am trying to get done on hold for a few minutes when I need to read it to a human, because they’ve “never heard that one before”
That said, I've got a 'clever' .pictures I use to share images and a totally appropriate .fun that has no need to have positive domain associations.
Google prefers to crawl and index .xyz sites over other domain endings. But they won’t rank them well in the index.
Now this is just for incoming email. I still allow web browsing and links to these domains through various systems and outgoing mail to those domains works.
The incoming mail though, I just can't allow it. It's just pure spam at ridiculous levels.
If I was owner of the .xyz TLD domain, I would be very concerned to kick out spammers because it kills the value of the .xyz TLD.
I've always felt conflicted about this. I generally support moving everything to HTTPS, and requiring it for new TLDs isn't a terrible idea because there's no chance of breaking anything legacy.[1]
On the other hand, Google owns the TLD, controls the HSTS preload list, controls the most popular browser. The idea that an entire TLD could be added to the HSTS preload list was a completely unilateral decision by Google. It makes me uneasy.
[1] ...unless you were using the domain internally assuming it would never be added to the root zone, which bit some people when they did this with .dev
> Bootstrapped with <3 by @qecez.
> Our goal is to help makers find an awesome home for their project and not to help you flip. We reserve the right to refuse, or cancel membership to anyone without explanation.
Nice, so only you're allowed to flip your parked domains.
Why are people afraid to use the real term for this?
It's called censorship.
Your provider is silently censoring your text messages. In peacetime. You can't expect it to improve when that's no longer the case.
In much the same way, propaganda is just advertising with negative connotations, and a cult is just a religion with negative connotations. Calling all advertising propaganda or all religious people cultists is not likely to win people to your cause.
So, in short, no one is afraid to call something censorship, I think they are just waiting for the right time. When it is applicable.
Let's say, so many people have set up a similar rule that the email provider offers a quick way of adding that very rule. Is that censorship?
Let's say, so many people use that "quick way" that the email provider turns it on by default. Is that censorship?
0: https://en.wikipedia.org/wiki/Short_Message_service_center
Like, without a censor actually redacting things or controlling the conversation, can it really be called censorship?
Even as a free speech advocate, it's hard to see a problem with this.
You'll also find that calling this "censorship" as if it has to do with government action, or that it has to do with the content of the specific site, is ludicrous.
This is incompetence, not malice.