Hi,
I am planning on starting an e-mail service for Finnish people (not finished), and I would like to know a few things about some security issues. I am using a version of HiveMail, which i have translated and edited to my needs.

1) Do you think there are too many security risks, that it's not worth making one?

2) Is it my responsebility to see that no illegal E-Mails are sent. And if so, how can I do this? I cannot just read all the e-mails people are sending :eek:

3) Suggestions & comments & experience?

Originally posted by Niklas:

I cannot just read all the e-mails people are sending ...
Actually you SHOULD not. ;)

Yes, so there is no way for me to make sure the sent e-mails are legal etc :P:

If you start getting hate mail from anonymous people, then start checking logs. (And AFAIK, Hivemail's log features are a bit minimal at the moment.) Make sure you email program doesn't relay messages and that spam doesn't get you on the blacklist from hell...

Also, make Hivemail require a secondary address that is verifiable...this will help.

lol, now i have a feeling i dont want to make it anymore :P

I think there are waaaay too many security problems, not to mention your IP block will eventually get blocked for spam (oh yeah, someone will eventually send spam from your servers) and you'll have to deal with that.

i better forget about it :P

I'll just set an email service for my friends with the HV license I have :P

I have run an email service similar to what you are looking to do for 6 years. We currently have over 75,000 users and zero reports of spam.

Since what you are doing is nothing more than a vanity email address, do not allow remote smtp delivery. I am unfamiliar with your setup, but on ours using Imail it was quite easy to setup. Tell them to use their isp to send mail, unless they login and use the web interface, this will stop spammers cold.

We once had a user send by using the web interface some emails that caused an issue, but what are you going to do when someone sits there and types in each address by hand? That was the only issue ever.

As for security, and this is why we went from a free service to a pay service. (this is US law I am talking about, your mileage may vary). You cannot read the emails. You have to wait until you get a complaint and then investigate. In 6 years, we have had only a few serious issues involving the police and fbi. The main issue really was how ignorant most law enforement agencies are on how email works.

But if you grow, your time will be filled with people complaining that so and so sent them an email and said they didn't like their band. So I should kick that user for expressing a negative opinion. Since I always answer every single piece of mail sent to abuse, no matter how idiotic, it did take up time. Now that people have to pay, we lose alot of the users who signup just to use it once to bug someone.

But if you stay moderately small, it is not very time consuming. Just make sure you know your software and have it streamlined to avoid problems. With 75,000 users, it is just a side site for me now and takes up less than 15 minutes a day. Most of that just to process new orders and check the logs for anything out of the ordinary (in the begining this will take you much more time, but as you learn your software you can get it down to a few minutes).

It is doable, let me know if you have any other questions.

Chet

involving police and fbi, count me out :P

But same can be said for hosting. If you hosted 75,000 customers, you are going to get court orders eventually. With 75,000 priests and nuns staying at your house, you are going to get some that get the police knocking at your door eventually.

But at a small size, you will most likely not run into the same issues. And it was fairly hard and long to get to the size we are.

Chet

Originally posted by Chet:

I have run an email service similar to what you are looking to do for 6 years. We currently have over 75,000 users and zero reports of spam.

Since what you are doing is nothing more than a vanity email address, do not allow remote smtp delivery ...
I am kind of curious here. I once ran a free web-based e-mail service that had some 3k+ users. Not that people were actually sending spam from that outsourced interface, they were simply using their "vanity addresses" (forwarding or not) as drop boxes. I eventually got TONS of complaints and decided to just shut it down in order to avooid spending more than a couple of hours a week just to delete abusers and reply to complaints.

I still would like to start some kind of e-mail forwarding or web-based service though (I do get some kewl domain names that would make good e-mail addresses). Admire your semi-automated and basically hazzle-free e-mail operation. ;)

Do you have MSN nameslave?

Originally posted by Niklas:

Do you have MSN nameslave?
D'you mean MSN Messenger? Sorry, I don't use any IM.

(Don't ask me what those "kewl" domain names are ... LOL! :D )

We charged for forwarding and while people could use pop3, we didn't make it widely known. The service grew out of a community and those in the community knew about pop3, but the stranger signing up didn't.

So with those services not known, it just wasn't friendly for the spammers. Now that we charge a small fee, we let everyone know about pop3 and forwarding. But since they pay, the drive by spammer hits aren't worth it.

The new issue we ran into was idiot scam artists signing up with fraudulent credit cards. Since one of our packages is 130 domains at one address, they would sign and then signup for paypal with as many addresses as they could. We worked with paypal and started monitoring new signups and also found a pattern to the signups to stop that.

We actually use some domains we purchased from you, instead of just the wide range of silly names, i threw in 10 3 character domains for people to use. It is nice to have a domain for almost every signup you need. Easy to block spam that way.

Chet

Originally posted by Chet:

We actually use some domains we purchased from you ...
Hmm ... ?

Thought it was you - didn't you have some crazy 5 3 character domains for $10 or $15 on WHT about 5-6 months back?

Chet

I don't think so ...

Oops my bad, that was timechange. Darn two word shmushed together names.

Chet