HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mike-cardwell

13,507 karmajoined 17 tahun yang lalu


  ```

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA512
  
  Last Updated: 2025-May-26
  
  Director Engineering @ https://redsift.com/
  
  Blog:     https://www.grepular.com/blog/
  Code:     https://gitlab.com/grepular
  Docker:   https://hub.docker.com/u/grepular
  LinkedIn: https://www.linkedin.com/in/mikecardwell
  
  Email:    mike.cardwell([-at-])grepular.com
  Matrix:   @grepular:matrix.org
  Mastodon: @[email protected]
  BlueSky:  https://bsky.app/profile/grepular.com
  
  Websites:
    - https://www.emailprivacytester.com
    - https://www.parsemail.org
  
  Public PGP Key: https://www.grepular.com/1801A332.txt
  
  Tips:
  
    Paypal:  https://www.paypal.me/grepular
    Bitcoin: bitcoin:1PQLtWnjUi1itHLG6QCQeHM3Nxua8pRsq1
    Monero:  xmr:44zg8QFZza5cMBWcEF4VqsU5panam7tMhfB6fFdzWbDpBcaVy7feqQXKD92smbYGy3C7KPA6d7Q6UWY8f11noJLWUrVKJAK
    Zcash:   zcash:zcAN9ij9YZ7Cc9HMqCfcjpusELTTKQWutgjSRH9Dxx5E4DLTKTxRye5FgFs7vDPn1edSoBNFvLPTxn7byjgwQaMVJeJ64kQ
  -----BEGIN PGP SIGNATURE-----
  
  iQEzBAEBCgAdFiEEWazVMy7edA17fJTj0V47FkDmu60FAmg0Z4MACgkQ0V47FkDm
  u62HMQf/Zbd4YtnvkHDlmAReYHYfRhq9SfBhuNsoRGPbIUwBjbIFqLDMoDI6yLaR
  fxwjneeUnBCiqldfxJsY2YQwYXC4/26vOraItxz1SNWZWkaIaYezRQMZqSI5geyx
  XnSbB1sImI/h2KTmWMgsFjosRXy2cKZbO24/wi3pGlC6yhE7ZdfO0Zy6xBAFMD8+
  mfZcLgcRrXeAOfIox4qKv7xEkxsk8MZpBC+/dqRoIatFqNFMvINeL+7Nkw9IPIfn
  u0yyBJNNpZo8xWSc9/WCigCOlQ+M2toUHKu7dl7egY2Z1t/5dF6nJDuN7RmsWgGI
  HHhO5j1hVZIANs4xzHF0YZD16wGyOw==
  =dcyi
  -----END PGP SIGNATURE-----

  ```
mike-cardwell.at.hn

Submissions

Show HN: Sanitising Email

grepular.com
1 points·by mike-cardwell·21 hari yang lalu·0 comments

Auth Proxy Injection for LLMs

grepular.com
3 points·by mike-cardwell·2 bulan yang lalu·0 comments

Website Testing on Steroids

grepular.com
2 points·by mike-cardwell·4 bulan yang lalu·0 comments

Apple's "Protect Mail Activity" Doesn't Work

grepular.com
5 points·by mike-cardwell·6 bulan yang lalu·1 comments

Ending Production of Home Assistant Yellow

home-assistant.io
5 points·by mike-cardwell·9 bulan yang lalu·1 comments

SaferNode

gitlab.com
2 points·by mike-cardwell·10 bulan yang lalu·1 comments

comments

mike-cardwell
·12 hari yang lalu·discuss
That timeline was exactly my experience with Apple here - https://www.grepular.com/Apples_Protect_Mail_Activity_Doesnt...

They don't seem to know or care what is going on with their own email systems.
mike-cardwell
·20 hari yang lalu·discuss
The text is added to get around bayesian filters. The spammer doesn't want the text to be displayed to the end user though typically.
mike-cardwell
·bulan lalu·discuss
I spend a lot of time telling Opus 4.8 to search for security bugs in the code it wrote, and it spends a lot of time finding them, and then fixing them. Fable wont let me fix the security issues that Opus 4.8 created.
mike-cardwell
·bulan lalu·discuss
https://gitlab.com/grepular/calendiff - Point it at a .ics URL and it monitors for calendar changes and emails you about them.

https://gitlab.com/grepular/foxcage - Runs Firefox inside podman to isolate it from the host. Has some interesting features that I wanted and nothing else gave me.

https://gitlab.com/grepular/claude-sandbox - Yet another Claude sandbox. Runs it inside podman again. Has a pretty powerful proxy system for securing your credentials.

Currently working on a tool for sanitising email. Will be blogging it up at https://www.grepular.com/blog/ when it's ready for others to use. Does things like applying policies to html/svg/calendar/vcard parts to whitelist or blacklist tags/attributes/css/url schemas, clean URLs, fetch remote content at delivery time and attaching to the email to prevent tracking, pgp and smime auto encryption/decryption and a million other features.
mike-cardwell
·bulan lalu·discuss
I don't use X. You can tell him if you want.
mike-cardwell
·bulan lalu·discuss
That wouldn't be better guidance. That would be additional guidance. I'm sure Google also never let anybody set up [email protected]
mike-cardwell
·bulan lalu·discuss
I wasn't able to sign up for [email protected], but I was able to get [email protected]. You should be careful about what standard email addresses you allow people to take. I recommend you take abuse@ back from me and you should really have a strong denylist. I just asked an LLM for a list of things you should be blocking and it came back with the following. The cert validation ones seem particularly important:

RFC 2142 mailbox names (the core list):

postmaster@ — required by RFC 5321; mail systems expect it to always work abuse@ — for reporting spam/misuse hostmaster@ — DNS issues webmaster@ — website issues noc@ — network operations security@ — security/vulnerability reports info@, marketing@, sales@, support@ — business functions

TLS/certificate validation addresses (RFC 8552 / CA-Browser Forum):

admin@, administrator@ ssladmin@, ssladministrator@, sysadmin@ These can be used to validate domain control and issue certificates, so handing them to a random user is a real security risk.

Common automated/system senders people impersonate or that cause confusion:

noreply@, no-reply@, donotreply@ mailer-daemon@ — bounce messages (RFC 5321 sender) root@, daemon@, bin@, sys@ — Unix-style system accounts null@, devnull@

Brand/trust-sensitive ones worth blocking too:

billing@, accounts@, payments@ help@, contact@, service@ legal@, privacy@, dmca@ register@, registration@, signup@ The service's own name (e.g. [brand]@, team@, staff@, official@)

[edit] Re the TLS issue. You should set up a CAA DNS record and also check on crt.sh later to see if anybody managed to get a cert for rootshell.is if you didn't lock down the validation addresses
mike-cardwell
·bulan lalu·discuss
You declare HSTS preload, but you are not in the preload list. You can not be added to the preload list at https://hstspreload.org/ because www.rootshell.is exists but has an invalid certificate.

Your MX TLS configuration supports various anon ciphers. These should be disabled.

Your DANE is broken. Try any of a number of freely available online validators.
mike-cardwell
·bulan lalu·discuss
Weirdly, if I click Load Images, all I get is a load more CSP errors and the image fetches don't happen.
mike-cardwell
·bulan lalu·discuss
You defeated https://www.emailprivacytester.com straight off. Which is more than most new email services. You seem to be relying on CSP entirely for this, but it works.
mike-cardwell
·bulan lalu·discuss
Targetted automated spam, most likely written by an LLM you say. By any chance do you see the text "agentmail" anywhere in the headers/body of that email?
mike-cardwell
·bulan lalu·discuss
Working 14 hours a day isn't normal. From an IT person who works 8 hours a day.
mike-cardwell
·2 bulan yang lalu·discuss
This reads like you just made up a workaround without reading the proposed law or without looking at the reality of the situation in other countries that it has been implemented. Your suggested workaround doesn't work.
mike-cardwell
·2 bulan yang lalu·discuss
Are you unaware that scalpers are set up to hoover up as many tickets as possible before an actual person that wants to visit the event can get one? Because it seems like you are?
mike-cardwell
·2 bulan yang lalu·discuss
The "market price" you're talking about, is set by how many scalpers are creating scarcity. If the number of scalpers is 0, then the "market price" is different. It becomes the price that both the vendor is willing to sell for, and the event visitor is willing to buy for. Which is a more desirable "market price" to achieve.

The only thing scalpers make possible, is pricing out people that the vendor wanted to sell tickets to.
mike-cardwell
·2 bulan yang lalu·discuss
Re "sent via AgentMail" - that's good to hear, but I hope it's not the entire planned text, as "AgentMail" will mean nothing to most people that receive an email from your service. It wont indicate that the email was composed by an AI rather than a person, which is the information that needs to get across.
mike-cardwell
·2 bulan yang lalu·discuss
I received this email the other day:

  From: Kushal <[email protected]>
  Date: Mon, 18 May 2026 05:03:11 +0000

  Saw your question on the Agent Vault thread about websocket-frame auth
  (Home Assistant) and the worry about the model reflecting the bearer
  token back into its own context.

  chrome-relay's answer is structurally different: the credential never
  enters the agent's context because the agent never touches it — the HA
  session lives in your real Chrome (cookies, WS handshake and all), and
  the agent drives the tab over CDP, only ever seeing the rendered page.
  URL: https://chrome-relay.kushalsm.com/

  For your HA + agent setup today, are you keeping the session alive in a
  browser the agent attaches to, or doing the WS auth on the agent side
  and managing the token-in-context risk yourself?

  Kushal
Read to me like an LLM had written it. It references something I said in a HN comment, but it was clearly just an excuse to spamvertise their product.

I looked at the headers and it contained a List-Unsubscribe header pointing to https://api.agentmail.to

So basically somebody wrote a bot to scrape HN for comments related to some software they wanted to push and send targetted spam. agentmail.to is a Ycombinator funded email service for LLMs which can be, and is, used to send targetted spam and impersonate people. They could mostly solve this problem by adding a block of text to every email expaining an "AI" wrote it. They'd lose customers doing that though of course. I reported this abuse but haven't (and don't expect to) received a response.

I don't even get the point anyway. You can get Claude using an SMTP or IMAP server in seconds.
mike-cardwell
·2 bulan yang lalu·discuss
> Why should anything be done?

Because there is demand for it. A lot of people like going to live music and theatre events and scalpers make it more difficult and more expensive for them.

Why shouldn't anything be done? Because capitalism is God?
mike-cardwell
·2 bulan yang lalu·discuss
In the UK they're making it illegal to resell tickets for more than the original cost. That should deal with the majority of the problem.
mike-cardwell
·2 bulan yang lalu·discuss
Perhaps he's moribund