# Yahoo Mail



## Phishfry (Jul 31, 2016)

I was looking through the recent political email leaks and had to laugh. These high level people are using web mail services like Yahoo Mail and wonder whodunnit.
I have no level of trust for webmail or POP mail in stock form. Can you imagine a national political organization. The actual threat surface involved. You would have to be at the top of your game to defend that turf. Even if clients were using open source operating systems(which I doubt).


----------



## Deleted member 9563 (Jul 31, 2016)

Not sure what the topic is here.  I love webmail and POP3. SquirrelMail rocks, and POP3 with SSL is good enough for me. I'd never use free public servers though as I consider them as a honeypot. That said, in general you would use e-mail through Tor or similar if you wanted a reasonable level of security. As for the Democratic National Convention, well that wasn't an email problem but a server problem, the way I understood it anyway. As always, security is a choice - one they didn't care to make. 

And Yahoo!? What's Verizon going to do with it?


----------



## protocelt (Jul 31, 2016)

OJ said:


> And Yahoo!? What's Verizon going to do with it?


Yahoo still has a sizable market and makes a good amount of money from their ad platform, so my guess is mainly ads.


----------



## kpa (Jul 31, 2016)

There is probably a scientific term for it but it's the effect of "they probably know their stuff, I shouldn't have to worry" -syndrome.


----------



## ronaldlees (Jul 31, 2016)

Have you read somewhere that they were _really_ using webmail?  I prefer POP (with encryption) because then I don't have to deal with webmail sites that force me to use javascript, which IMO torpedoes my security all by itself.  Plus, some of the webmail providers I'm familiar with use mixed 443/80 connections, usually in quantity. Prefer one pipe, one worry.


----------



## Remington (Jul 31, 2016)

Nice things about private email server is that firewall can be easily configured to reject any IPs from foreign countries and block all irrelevant ports to reduce hacking attempts, and all of my connections are encrypted.  I don't use easy to guess passwords.

One way to make email server more secured is to change all the standard ports to something different like imap 993 to 20993 to make it harder for hackers to find the right ports.

fail2ban is a good tool to block failed login attempts.  IP is permanently blocked after 5 failed login attempts.

DNC email server wasn't secured as Julian Assange said their servers was vulnerable for years. lol.


----------



## gkontos (Jul 31, 2016)

Unless both mail servers support TLS encryption, then the email is travelling unencrypted.


----------



## rigoletto@ (Jul 31, 2016)

So, what do you think about solutions like ProtonMail?


----------



## kpa (Jul 31, 2016)

lebarondemerde said:


> So, what do you think about solutions like ProtonMail?



That kind of service makes no huge difference as long as there are MTAs in active service that forward everything in unencrypted plaintext.


----------



## Phishfry (Jul 31, 2016)

I was speaking about the DNC hack. These quasi-governmental agencies are just as susceptible to outside influences and probably need training and protections. Yahoo mail for a high ranking political person seems a foolish IT policy.


----------



## rigoletto@ (Jul 31, 2016)

kpa said:


> That kind of service makes no huge difference as long as there are MTAs in active service that forward everything in unencrypted plaintext.



I understand MTA is the agent what actually send the mail, am I correct? I do not know too much about mail servers.

The interesting point of them (ProtonMail) is the ability to send an email encrypted when the receiver does not have (i.e) pgp keys. The sender should before (or later) give a code/password (any one) by a secure way (on hands, _courrier_, etc.) what will/was be used to encrypt the email. Then the receiver can also use the received mail to reply with a encrypted mail.


----------



## Phishfry (Jul 31, 2016)

So my point is we have a massive costly intelligence apparatus and our Presidential Election process just got hacked by our known 'enemy number one'. What exactly are they watching? Obviously not our enemies.

Meanwhile the dolts are using Yahoo mail.
Like a giant circus costing me dearly. Almost half my paycheck goes down the toilet with nothing to show for it.


----------



## Deleted member 9563 (Jul 31, 2016)

Just a note: DNC is pretty esoteric. In Canada it stands for do-not-call. For those who don't know the particular reference here, it is used in the USA to mean Democratic National Convention which is a political party organizational group there. 



Phishfry said:


> So my point is we have a massive costly intelligence apparatus and our Presidential Election process just got hacked by our known 'enemy number one'. What exactly are they watching? Obviously not our enemies.
> 
> Meanwhile the dolts are using Yahoo mail.
> Like a giant circus costing me dearly. Almost half my paycheck goes down the toilet with nothing to show for it.



I agree with you that the USA National Intelligence Agency appears to not be working for the people that hired them and, as you know, are generally considered known 'enemy number one' by those of us with an interest in security - regardless of what country we live in. Yes, you should probably complain about their efficacy. I suppose though, that since their employees are all being paid it does help to create jobs.



ronaldlees said:


> Have you read somewhere that they were _really_ using webmail?



The news seems to be referring to their email servers being hacked. So yes, I'd ask that question as well. I doubt that anybody would consider their email private if they were using Yahoo!, Google, etc., or any of those services which aren't private.



kpa said:


> There is probably a scientific term for it but it's the effect of "they probably know their stuff, I shouldn't have to worry" -syndrome.



You're on to something there. I think it is indeed misplaced trust. But perhaps even willful blindness.  I say that because if (as in this case) they were up to something nefarious and wanted to keep that from getting out, then any reasonable person would actually work at it. That is, make an effort.


----------



## Oko (Jul 31, 2016)

Remington said:


> One way to make email server more secured is to change all the standard ports to something different like imap 993 to 20993 to make it harder for hackers to find the right ports.


Don't do this kids! This is really bad security advise. While it might seems a good idea at first to use port 20993 instead of 993 and shake off 98% of benign script kiddies you just replaced a privileged port <1000 with unprivileged 1000< and made intrusion detection a hell of a lot harder. On the top of it you just told me by using non-standard port that you have something to hide. You just made yourself an interesting target for those 2% who actually know what they are doing.


----------



## Remington (Jul 31, 2016)

Oko said:


> Don't do this kids! This is really bad security advise. While it might seems a good idea at first to use port 20993 instead of 993 and shake off 98% of benign script kiddies you just replaced a privileged port <1000 with unprivileged 1000< and made intrusion detection a hell of a lot harder. On the top of it you just told me by using non-standard port that you have something to hide. You just made yourself an interesting target for those 2% who actually know what they are doing.



Relax.  It was only a suggestion and I don't use non-standard ports for my email servers.


----------

