[HN Gopher] The Perils of an .xyz Domain
___________________________________________________________________
The Perils of an .xyz Domain
Author : ghempton
Score : 268 points
Date : 2021-09-16 17:11 UTC (5 hours ago)
(HTM) web link (www.spotvirtual.com)
(TXT) w3m dump (www.spotvirtual.com)
| legrande wrote:
| Well .COM has had its day.
|
| There (was?) even a semi-parody site called Domains For the Rest
| of Us[0] that generates .COM domains that you can use for side
| projects (or startups?).
|
| [0] https://news.ycombinator.com/item?id=24538758
|
| The new gTLDs are a godsend since all the domain hacks have been
| largely exhausted. E.G: `del.icio.us`.
|
| I like the new avalanche of gTLDs since it reduces domain
| squatting, domain hacks, and stops people snapping up short .COMs
| as if they were some digital gold to be mined.
|
| Not to mention the hassle of having a really obscure ccTLD like
| .SO and having to battle to get that domain back if it was seized
| by pirates, yarr
| reidjs wrote:
| I read a series of blog posts about a guy who would essentially
| work backwards from a domain name to start a business. E.g. he
| would buy things like 'weehawkenjobboard.com' then SEO a job
| listing service for people/businesses in Weehawken NJ. I
| thought it was a pretty clever strategy.
| fotta wrote:
| Was it this[0] guy? Previously discussed on HN[1][2].
|
| [0] https://www.deepsouthventures.com
|
| [1] https://www.deepsouthventures.com/i-sell-onions-on-the-
| inter...
|
| [2] https://news.ycombinator.com/item?id=19728132
| reidjs wrote:
| That's the one
| egfx wrote:
| That's what I do too.
|
| https://news.ycombinator.com/item?id=26380124
|
| building one product at a time.
| egfx wrote:
| It's also how I code apps btw. I use this same approach for
| libraries I find on HN.
| jonny_eh wrote:
| > E.G: `del.icio.us`.
|
| Oh, you mean delicious.com?
| jitl wrote:
| These are also good reasons to avoid using .so domains. You can
| also expect mail delivery issues and blanket corporate firewall
| blocks on .so. The rising prominence of https://notion.so is
| changing the cultural situation somewhat, but very slowly.
|
| (Edit: I work at Notion)
| wlesieutre wrote:
| Notion said they were switching to .com "as soon as our
| engineering team has the bandwidth", but it's been a year so
| they might've changed their minds on disrupting the branding
|
| https://www.reddit.com/r/Notion/comments/f6x9mk/why_the_so_d...
| jitl wrote:
| I don't think we consider '.so' part of the brand.
| akvadrako wrote:
| I have been exclusively using a .so domain for about 10 years
| and never experienced any of these issues.
|
| What specific network blocks it?
| jitl wrote:
| You can see a bunch of users reporting this issue in the link
| the user above posted: https://www.reddit.com/r/Notion/commen
| ts/f6x9mk/why_the_so_d...
| akvadrako wrote:
| I don't see any mentions of who's actually blocking it,
| just some guys work and a VPN provider.
|
| There isn't any indication the blocking is worse than most
| other TLDs.
| profmonocle wrote:
| A potential issue with ccTLDs in general is they aren't subject
| to ICANN policies at all. Countries can do whatever they want
| with their TLD, ICANN's only involvement is keeping their root
| zone entries up to date.
|
| This means you're subject to the politics of whatever country's
| TLD you're using. If the country's lawmakers suddenly decide
| that their TLD should only be for use by local entities, or
| that owners of popular domains should pay more, or that certain
| types of content is banned, you have no recourse.
|
| (Not that ICANN policies always help you. Some of the new TLDs
| have contracts with ICANN that allow them to arbitrarily jack
| up prices, which they've done:
| https://domainnamewire.com/2017/03/07/yikes-death-spiral-
| new...)
| eigengrau5150 wrote:
| I associate ".xyz" domains with the alt reich. In fact, I
| consider any TLD that isn't .com, .net, .org, .edu, .gov, .mil or
| a standard international domain (like .co.uk for UK .com sites)
| illegitimate.
|
| .win can fuck right off.
| nickdothutton wrote:
| Most of these new TLDs are just the .biz of the present moment. I
| went to email whitelist a decade ago and haven't looked back.
| caitlinface wrote:
| What do you mean "email whitelist"?
| chipgap98 wrote:
| Presumably a list of TLDs or domains they will receive email
| from rather than only blocking bad domains as they come up.
| toast0 wrote:
| .biz was a new TLD, so yeah. It was part of the 2000 round of
| new TLDs. I don't think I've seen a .museum, but all of the
| others from that round give me negative vibes, although I guess
| slightly less than most of the newer new tlds.
|
| That said, I've got a 'clever' .pictures I use to share images
| and a totally appropriate .fun that has no need to have
| positive domain associations.
| unethical_ban wrote:
| Yep - used to work at a bank that _very aggressively_ blocked
| gTLD because they had a (very stupid in this case) security-first
| mindset. Despite having multiple first-class URL filter products
| that can detect reputation and site category without needing to
| bother an analyst or cause a disruption.
|
| SOCs, web filter, email filter teams and vendors all need to
| catch up to the 2010-era idea that carpet-blocking TLDs is not
| the first tool to reach for when securing a network, especially
| when you have a good URL filter in place.
| approxim8ion wrote:
| I have my personal site on an xyz domain because it's the only
| thing I could justify spending on. I don't intend to earn from
| it, it's just a static site, and it's significantly cheaper than
| anything else. I'll probably stick with it.
| js4ever wrote:
| Yes this TLD is cursed because of it's low price it has been used
| by all spammers and hackers on earth
| waiseristy wrote:
| The XYZ TLD is a hotbed for spam due to it's very low fee's for
| purchase / renewal. The registrar was, at one point, selling
| massive blocks of xyz domains to foreign squatters and spam
| artists for quick cash. No wonder it's become blacklisted by
| email/cell providers.
|
| Can anyone try `abc.xyz`? and see if that fails to send? It would
| be very typical for our corporate overlords to be omitted from
| our spam censorship filters.
| teddyh wrote:
| If I ever start a super-secret club, I now know what the domain
| name TLD should be. Nobody would be able to spread the secret!
| hermitdev wrote:
| Personally, I'd go for some non-printable characters. But,
| maybe I'm just nostalgic for when starting a directory name
| with ALT+255 rendered the directory inaccessible to Windows
| 9x...
| lgats wrote:
| most popular ".xyz" domains (ranked by # of DNS queries) all
| appear to be spam, https://domain.glass/whois/xyz
| soco wrote:
| It's sometimes difficult to believe how much misguided logic is
| put into input validation. Addresses which must have a street and
| a number, middle names not allowed, valid postal codes not
| recognized or auto-filling the wrong town, arbitrary maximum
| length for street names, and I could go on. We programmers (or we
| product managers?) invest way too much time in nonsense.
| ev1 wrote:
| I really hate this. I've seen separate input fields for street
| number and street name. Meanwhile you have vendors with street
| addresses like "Vodafone House, The Connection, Newbury RG14
| 2FN"
| 10GBps wrote:
| I run email servers and I get such a massive amount of spam on
| "vanity" TLD's that I just block them outright. I don't
| automatically block them all but any that start sending serious
| levels of spam get blocked. Which is most of them and that block
| covers the whole TLD. It's just too much work to try anything
| else.
|
| Now this is just for incoming email. I still allow web browsing
| and links to these domains through various systems and outgoing
| mail to those domains works.
|
| The incoming mail though, I just can't allow it. It's just pure
| spam at ridiculous levels.
| tombert wrote:
| I was pretty excited when ICANN opened up a bunch of new domain
| extensions, but it does sometimes feel like "all these extensions
| are great if you don't plan on using them".
|
| It was pretty cool that I managed to buy a bunch of domains like
| <my last name>.<new-tld>, but to be honest I really don't see
| myself using my .blackfriday domain for anything. For that
| matter, I think that (somewhat ironically) `my-last-name.email`
| would not be taken very seriously for a primary email address.
|
| I use a `.app` domain for my personal email, which has its
| issues, but if I owned a business, there is no way on earth that
| I would be using anything but .com.
| rileyphone wrote:
| I use `.art` and have had no problems thus far.
| weinzierl wrote:
| I secured _< my last name>.name_ many years ago. Must have been
| early 2000's ( _.name_ is around for a long time). It wasn 't
| exactly cheap and it is not one of the super cheap domains now.
| The registry seemed to have a relatively strict policy
| regarding who can own a _.name_ (not sure if still true, haven
| 't checked again since like 2002). So, the best preconditions
| to keep their space clean, it seemed...
|
| Yet I gave up on it for the same reasons mentioned in the
| article: It has a terrible reputation and seems to randomly be
| blocked here and there.
| vmception wrote:
| crypto space is making use of the new ICANN approved TLDs
| pretty rapidly
|
| their customers are on discord, twitter, telegram and wechat so
| email delivery is not a factor
|
| the entire sites and revenue drivers are entirely client side
| (with the "servers" being the smart contract methods stored on
| the nearest blockchain nodes, this has only one initial upload
| cost but functions similarly to lambda functions except the
| users pay for the computations), when the domain is down or
| blocked, the user can interact directly with the nearest node
| hosting the website's associated smart contracts, if they are
| interested enough
|
| this is working really well for a lot of organizations, and it
| has been this way for several years now
|
| makes lean SaaS services even leaner, and allows them to grow
| even faster - as long as their customer base is already a
| crypto native. I haven't seen any organization succeed if they
| have to sell their customer on some crypto browser extension.
| hcurtiss wrote:
| I had .email for a while. Many shopping sites wouldn't actually
| let you use the address, presumably given some filter assuming
| that "email" was a fake address. Because my name ends with
| "ss", I switched over to .es, which conveniently is a country
| TLD (Spain). That's worked very well, though occasionally I'll
| get spam in Spanish, which cracks me up.
| tombert wrote:
| That's a clever workaround, though doesn't the .es TLD
| requires some kind of tie to Spain?
|
| I'm not sure how they could possibly enforce that, but in the
| purely technical sense, are you technically breaking rules?
| greenshackle2 wrote:
| No. Not all ccTLD's have restrictions. .es is open to
| anyone.
| bink wrote:
| I wonder how well these new TLDs work for custom email if you
| use them with Google Workspaces / Google Apps for Domains or
| another reputable email hosting service. I've been using a
| custom domain (though a .net) for decades now and since I
| moved to Google Apps years ago I haven't had an issue being
| seen as spam.
| hcurtiss wrote:
| I use Fastmail. Delivery has been fine. My only challenge
| with .email was that some services wouldn't take the
| address as a valid email address.
| vel0city wrote:
| I use the free email provided with the domain hosting I got
| with a domain on one of these gTLDs. The only real issue I
| get are places that think the gTLD isn't a valid email
| domain, ensuring I always have to fall back to a more
| traditional email provider for some places.
|
| Otherwise, deliverability-wise I haven't really experienced
| any issues. My mail is regularly delivered to the big email
| providers.
| humanistbot wrote:
| > One surprising side effect of having a .xyz domain is that the
| mere inclusion of .xyz inside of a text message will result in a
| silent delivery failure for many providers.
|
| This is wild to me. Tested it out myself and I couldn't send an
| SMS with a spot.xyz link to/from Google Voice <-> T-Mobile. And
| no "failed delivery" notice either, just a silent failure. And
| yet I still get so many texts that are obviously spam or phishing
| attempts.
| iconjack wrote:
| It was wild to me too. I have an .xyz domain, which seemed
| appropriate for a non-commercial math site. I'd try to send
| links of math experiments to friends and colleagues via SMS, so
| they could tell me if they worked right on their phones or not.
| Can't tell you how much confusion and frustration it caused
| that the links were simply not being delivered, though all the
| conversation around the links went through just fine. No error
| was reported on either end. A year or so ago, I did a lot of
| searching trying to find some explanation of this bizarre
| behavior, but found literally nothing. It's nice to know I'm
| not crazy, at least. Is there a published list of what domains
| are not allowed to go through?
| schleck8 wrote:
| > which seemed appropriate for a non-commercial math site
|
| They are used by large cooperations too. The Alphabet domain
| is abc.xyz. Science Corp's is science.xyz.
| mhh__ wrote:
| I didn't know about abc.xyz, that's a really nice URL
| samspenc wrote:
| Quite likely only investors in Google / Alphabet stock
| know that site and have it bookmarked because that's
| where Alphabet publishes its quarterly earnings. I also
| guess for the same reason, it only gets significant
| traffic once a quarter during earnings season.
| blendergeek wrote:
| I have this same problem with "obscure" .net domains. My text
| messages are silently dropped.
|
| The only work around I found is to not include http://, just
| use the bare domain.
|
| Personally, I find this behavior of my SMS provider
| reprehensible.
| idiotsecant wrote:
| Is it reprehensible only when it impacts you or is it still
| reprehensible when it's blocking hundreds of spam messages a
| day you might otherwise be receiving?
| epse wrote:
| Surely there are better ways to reduce spam than blocking
| entire TLDs? I also think it's the silent, unfixable nature
| that annoys most people. Email spam goes into your spam
| box, where you can still access it. You can mark email as
| not being spam. No such luck here
| pletsch wrote:
| Email providers absolutely block email, its the edge
| cases that make your spam folder.
| thaumasiotes wrote:
| > its the edge cases that make your spam folder.
|
| Well, from their perspective. Not from any reasonable
| perspective; I have a few obviously-spam emails in my
| gmail spam folder right now, but I've had plenty of
| problems with gmail refusing to deliver completely
| legitimate email to me.
| pasc1878 wrote:
| If there was no filtering how many spammessages would you
| receive?
|
| I suspect any more than you see
| techrat wrote:
| I ran into this recently even on Facebook Messenger. A friend
| of mine was hunting for a short domain name and I had a list
| of some three character .net and .org domains I recently had
| found that were available.
|
| Cut and pasted the list and the message wouldn't send.
|
| Narrowed it down to one. Typed just the bare domain. Wouldn't
| go through. (It was something incredibly benign like n17.org)
|
| Couldn't find a history on that domain name for why it would
| have been filtered.
|
| At least messenger responded with 'couldn't send message' but
| still no clue as to why... and it took me sending each domain
| name individually until I found the one that was failing the
| entire message.
| Symbiote wrote:
| If it was N26, that's a European bank so I could see
| similar domains being used in phishing scms.
| aaaaaaaaaaab wrote:
| >and it took me sending each domain name individually until
| I found the one that was failing the entire message.
|
| A true hacker would have used binary search ;)
| [deleted]
| sytelus wrote:
| I am pretty sure this is not intentional. Somewhere some
| classifier in Google has overfitted onto .xyz. They will
| probably fix that some day so this will not be true forever
| either.
| Thaxll wrote:
| You wonder why there is any filtering on sms ...
| Spivak wrote:
| Because spam really is that rampant. There aren't that many
| communication systems with a small search domain of user ids
| where anyone can send and receive messages from anyone by
| default.
| Thaxll wrote:
| Makes sense, but then they just blacklist entire TLD, it's
| a bit weird.
| maxwell wrote:
| Why not impose costs instead of filtering?
| indymike wrote:
| They do.
| kop316 wrote:
| ...whoa, yeah same here. tried "test spot.xyz" then "test
| spot.com" T-mobile <-> T-Mobile. "test spot.xyz" did not send.
| Even weirder, I got a confirmmation that it was delivered.
|
| It looks like T-Mobile looks for ".xyz" within the SMS and will
| silent drop the SMS (though it will claim it is delivered).
| ".xxyz" works, "..xyz" or ".xyzz" does not. "xyz" works, so
| does ".xy".
| DaiPlusPlus wrote:
| > though it will claim it is delivered
|
| I thought SMS didn't have delivery receipts?
| kop316 wrote:
| They certainly do. In Chatty:
| https://source.puri.sm/Librem5/chatty/-/merge_requests/786
| . Some carriers even charge for the service (!!):
| https://source.puri.sm/Librem5/chatty/-/issues/434
|
| MMS has delivery reports too (I implimented support for it
| myself for mainline Linux Phones). It even has read
| reports, but no carrier seems to honor using it (which is
| why I didn't bother to impliment it).
|
| I'm not sure if Android/iOS gives the user an option for it
| (which may be the source of confusion).
| frosted-flakes wrote:
| There is an option to enable delivery receipts on Android
| (Google and Samsung). I believe it is disabled by
| default.
| kop316 wrote:
| Read reciepts or delivery reports?
|
| I'm not sure if SMS supports read reciepts, but I didn't
| think so. The MMS standard allows for read receipts
| ("MAY" not "SHALL"), I was unable to get it working, and
| I suspect it's due to no carrier support.
|
| I was unable to get read receipts working at all, and I
| suspect it's because the carrier doesn't impliment it.
| frosted-flakes wrote:
| Delivery receipts, I've edited my comment. I've never
| been able to get read receipts to work. If I enable it,
| sometimes I will receive an actual text message that
| "123-456-7890 has read your message", instead of just
| marking the message as read.
| kop316 wrote:
| Ahh, fair enough, thanks!
| pope_meat wrote:
| Use signal. If you're encrypting your message, they can't
| filter your message out.
| kop316 wrote:
| Respectfully, I do use signal, my family, my boss, most of
| my friends, etc. do not, they use SMS.
|
| Also, Telegram seems to be much better supported on the
| Pinephone as of now, so that is what I generally prefer.
| foofoo4u wrote:
| A lot of systems block anything by default that isn't standard.
| For example, if you happen to own a domain to serve as your
| email that doesn't end in .com, .edu, .gov, then many systems
| will instantly invalidate you saying you don't have a valid
| email when in reality you do. A lot of companies or programmers
| don't seem to realize that its 2021 where we have hundreds of
| domain extensions to choose from.
| devoutsalsa wrote:
| I had a .ninja domain for a while, and I had to contact a
| certain DNS provide to add support for that TLD. They were
| very responsive, but I still had to ask.
| krono wrote:
| Blocking of messages/emails and blanket email
| server/domain/extension blacklisting is the same as a postal
| service not delivering mail to or from a particular
| entity/street/town.
|
| Doing so silently and without a valid and case-specific reason
| should not be legally allowed.
|
| Edit: Added "street/town" to analogy, and "case-specific"
| before reason
| thayne wrote:
| It's actually worse than that. It isn't blocked because of
| the sender or recipient, but because of the _content_. That
| would be like the postal service reading your mail and
| deciding that because of an address in the text of a letter,
| it shouldn 't be delivered.
| gtldexplosion wrote:
| What about MetaMask, popular crypto wallet with a Chrome
| extension. The extension blocks viewing of "blacklisted"
| websites IN YOUR BROWSER... and the blacklist is entirely
| community-led. So a competitor can just easily add your
| website to the list. Example: metalmark.xyz
|
| Try to visit it with the MetaMask browser extension added to
| your browser. They won't let you. Someone decided to block a
| small business, and for what? There's no evidence involved.
| Incredibly short-sighted of MetaMask to add this & randomly
| accept edits to the blacklist from the community without peer
| review.
|
| https://github.com/MetaMask/eth-phishing-detect
| SllX wrote:
| In effect, sure, but in implementation these aren't
| comparable. Postal services usually come with monopolies and
| mandates that ISPs, telecoms and email servers usually don't.
|
| USPS has a monopoly on first-class mail in the US and a
| Congressional mandate to deliver to every address.
| xenocyon wrote:
| As a consumer, I can see both sides of this. On the one hand,
| I like energetic spam blocking without fear of legal
| liability, even if there are occasionally a few false
| positives. On the other, I do not want ISPs/telecoms to be
| the arbiters of traffic (net neutrality).
|
| The net-neutral solution is for ISPs/telecoms to not spam-
| block, but rather have spam-blocking be an optional,
| additional, layer that the consumer can choose at will, or
| not have at all. But the problem with that solution is that
| it requires the consumer to do extra work to obtain spam
| protection, and the consumer would not be protected by
| default. It also means extra work by all parties delivering
| spam messages. Unless spam ceases or things otherwise change,
| I think the clunky solution we currently have is fine for the
| most part.
| maxwell wrote:
| The FCC classified SMS/MMS as unregulated, filterable
| "information services" rather than regulated
| "telecommunications services".
|
| https://www.fiercewireless.com/wireless/sms-mms-deemed-
| infor...
| krono wrote:
| They should really update the "Mission and strategy"
| chapter on their Wikipedia page [1]. In particular the part
| about "Protecting Consumers & Public Safety" seems horribly
| outdated!
|
| I will have to look up how this works in the EU and here in
| The Netherlands. Something to do for the weekend.
|
| [1] https://en.wikipedia.org/wiki/Federal_Communications_Co
| mmiss...
| duskwuff wrote:
| You'd be getting an unbelievable amount of SMS spam if
| carriers weren't allowed to block messages. There's a _lot_
| of bad actors out there.
| seph-reed wrote:
| So put it in a spam folder.
|
| If I had a spam texts folder that showed me everything I
| was being blocked from, I'd both appreciate it and not feel
| this massive breach of trust that things being sent to me
| are being completely ignored by a third party system.
|
| The system that does this is absolutely primed for
| censorship, and we have no way to know it's not being used.
| duskwuff wrote:
| > So put it in a spam folder.
|
| 1) Neither the SMS protocol nor any phone I've ever seen
| has any mechanism to file messages in "folders".
|
| 2) Processing SMS messages and delivering them to
| subscribers has a cost. Doing so for high-volume junk
| messages would place a significant burden on carriers.
|
| 3) Most carriers used to charge subscribers for receiving
| SMS messages. Some still do! Charging subscribers to
| receive spam SMS messages would be, quite rightly, called
| out as inappropriate.
| seph-reed wrote:
| Then put it behind a config setting.
|
| Or let me view it through some other means.
|
| I'm not opposed to spam filtration as a user default, but
| doing so silently without any indication of what is being
| filtered or ability to verify it is working is not
| acceptable for such a vital messaging system.
| tsimionescu wrote:
| I would add 4) feature phones and SIM cards have
| extremely low SMS storage capacities, around 100 or so
| max.
| gsich wrote:
| 1 and 2: true (to a degree, phones sort messages by
| sender which is a folder), but if a SMS already reached
| the provider they have the data. No need to send spam to
| the client. Instead display the SMS on some webinterface
| the customer can access. Or email it.
| dietr1ch wrote:
| I wonder if that's why he mentions "without a valid
| reason".
| ceejayoz wrote:
| "We get a lot of spam from those" would fall well within
| a vaguely defined "valid reason", I'd think.
|
| (Most of my SMS spam comes from .info domains.)
| reginold wrote:
| I just saw this in another thread but: "label, not remove"
| is a better philosophy. I want to receive every message
| addressed to me.
|
| Enable me to be the judge and get out of the way.
| throwaway09223 wrote:
| No, I'd just be filtering it client-side -- which is the
| only way it should work in the first place.
|
| Providers should be legally prohibited from intercepting
| and dropping messages.
| aquark wrote:
| We've run into this issue with replies to texts that the
| user sent first.
|
| Telecom spam filtering seems to be a ridiculously primitive
| and wide net. I can't imagine a valid use case for dropping
| a text sent to a number when that number just sent you a
| text a few seconds before.
|
| I don't understand why SMS spam has such a big issue with
| false positives compared to email spam when emails are
| practically free to send but SMS is much more costly.
|
| (Yes, I know there are a lot of false positives on email
| too ... but we run into false positive SMS spam issues a
| lot even though it feels like it should be a much simpler
| problem to solve).
| skrtskrt wrote:
| Seconded, having worked in this space I can assure everyone
| that there are multiple orders of magnitude more
| (attempted) spam SMS than legitimate SMS.
| silisili wrote:
| I believe that, completely. But keyword silently blocking
| is an objectively bad approach. Tell the sender it failed
| if you're so keen to do so. Or tag it with a big
| POTENTIAL SPAM at the beginning of the message and send
| it. Or literally any of the dozens of smarter ways of
| content filtering than (if .xyz in y).
| honkdaddy wrote:
| Very interesting. I definitely get phishing SMS messages
| from time to time, but I didn't realize these were some
| of the very few which actually made it through. Any idea
| how these bad actors are able to send out these massive
| batches of spam SMS? My naiive guess would be bulk
| purchasing disposable SIMs but I imagine it's more
| sophisticated?
| Scoundreller wrote:
| If you're in Canada, and send an SMS containing the string
| "special message" to or from a Telus customer (or one of their
| sub-brands), it will be silently dropped. Telus is one of the
| big3 telecoms here.
| drampelt wrote:
| I just tried on Koodo which is part of Telus, no issues
| sending/receiving
| exikyut wrote:
| > _Ironically, Google Voice also has the same behavior with
| abc.xyz._
|
| This is my new mini-favorite thing. It feels a bit like a redux
| of "Shirt without stripes"
| (https://news.ycombinator.com/item?id=22925087)...
| tiffanyh wrote:
| I wish the Telco's did MORE filtering given the huge amount of
| SMS spam I get since Twilio has turned this channel into a
| positive ROI for spammers.
|
| (1st biggest spam channel being email, which surprise/surprise
| - Twilio also dominates via SendGrid)
| aquark wrote:
| I have no knowledge of the ROI involved here, but would love
| to understand this: Twilio is 0.75c to send a text.
|
| Is it possible for a spammer to generate >$75 per 10,000
| people spammed? I've no idea were the SMS spams I've got link
| to (not about to find out) but they are so obviously spam.
|
| We use SMS for communicating with users and would be happy to
| more a lot more per text to escape the 'positive ROI for
| spammers' territory.
|
| I'd be happy to do that for important emails too!
| mmerlin wrote:
| Probably decent ROI which is why it keeps on happening!
|
| They just need one person in each 10k spammed on average,
| to click the phishing url asking them to pay a fake bill
| and then charge them $328 instead of the $3.28 displayed o
| the page.
|
| I received (and reported to their scam Dept) a phishing SMS
| yesterday pretending to be from Australia Post asking for
| $3.28 to release a delivery package I'm waiting for, which
| is most people in Australia nowadays with the current
| slowdown in mail delivery speed.
|
| I am only guessing that the $3.28 phishing purchase would
| have attempted a $328 charge on my card... but that would
| be wildly profitable if the input costs per successful
| fraud were under $100...
| mcny wrote:
| One of the places I worked as a contractor recently, I could
| not get to abc.xyz on the work network. I tried some more xyz
| websites and none worked.
| petercooper wrote:
| Related thing from the past.. Gmail once had a bug(?) where if
| you sent any email containing a URL with the domain starting
| "0x", it would go straight to spam. I imagine it was a rule
| hard coded to block the use of hexadecimal long IP URLs, but it
| also picked regular domains starting 0x. It was fixed a few
| years ago.
| ArchOversight wrote:
| I own a domain starting with 0x and I spent a lot of time
| talking to people I knew at Google to get that one fixed
| because my mail would not be delivered.
| sneak wrote:
| > _One surprising side effect of having a .xyz domain is that the
| mere inclusion of .xyz inside of a text message will result in a
| silent delivery failure for many providers._
|
| Why are people afraid to use the real term for this?
|
| It's called censorship.
|
| Your provider is silently censoring your text messages. In
| peacetime. You can't expect it to improve when that's no longer
| the case.
| blowski wrote:
| Let's say I have a rule to block emails that mention "bitcoin"
| from arriving in my inbox. Is that censorship?
|
| Let's say, so many people have set up a similar rule that the
| email provider offers a quick way of adding that very rule. Is
| that censorship?
|
| Let's say, so many people use that "quick way" that the email
| provider turns it on by default. Is that censorship?
| Lammy wrote:
| Yeah, of course. How would it be possible to have censorship
| at all if "so many" people didn't tolerate it?
| mindslight wrote:
| No, No, Yes. "Censorship" comes from the word "censor" - an
| intermediary who controls speech. Programmers need to stop
| assuming that every situation is scale- and convenience-
| invariant.
| blowski wrote:
| If the email provider says "Would you like us to add a set
| of rules people tend to add?", is that censorship?
|
| There's a very fuzzy line somewhere, on one side of which a
| provider is helping users get what they want, and on the
| other is blocking content they don't want users to receive.
| I'm exploring where that line is.
|
| While you have a right to send emails to me, I have a right
| to sign up for a service that automatically blocks emails I
| don't want to receive. The line is crossed when that
| service starts blocking emails I would like to receive. I'd
| say there is a pretty competitive market of email
| providers, and the rules are reasonably transparent about
| what's being blocked. Thus, it seems that "censorship" is a
| rather strong accusation here.
| mindslight wrote:
| I would say the line has to do with how
| informed/empowered the user is about the initial content,
| ongoing changes, and their ability to make their own
| modifications.
|
| The original comment was about text messages, of which
| there is certainly not a competitive market (the Ma Bell
| T-1000 has reassembled itself into only 3 remaining
| pieces), users were surprised at the behavior, and there
| doesn't seem to be a straightforward way to opt out of
| stupid rules like blocking whole TLDs. So it's a far way
| from being able to say that such blocking represents the
| will of the user.
| blowski wrote:
| What if users don't want to be informed, or make their
| own modifications? What if they just want a click a
| button and not receive junk mail, albeit also not
| receiving the occasional non-junk email because it had an
| unusual address.
|
| I'd guess there are far more users like that, which is
| precisely why there are no major email providers offering
| the kind of service you talk about.
|
| As always comes up in these conversations, while you have
| a right to speak, users have a right not to listen, and
| to use tools to help accomplish that.
| teddyh wrote:
| > _Programmers need to stop assuming that every situation
| is scale- and convenience-invariant._
|
| I've seen it termed the "All _N_ s are equally likely"
| fallacy. I.e. when programmers write code, they know that
| they should write different code for when _N_ is 0, for
| when _N_ is 1, but as soon as it goes higher, most
| programmers tend to write code which is optimized for
| _arbitrary_ values of _N_ , even though in actual practice
| _N_ might almost always be, say, at most 10. This often
| leads to inefficient and overcomplicated code, where a
| simpler algorithm might be faster most of the time while
| still able to correctly, if more slowly, deal with non-
| typical values of _N_.
| wongarsu wrote:
| It's spam protection. Which I guess is a form of censorship,
| especially in a medium like SMS that has no built-in way to
| mark something as spam and still deliver it.
| burnished wrote:
| I'd argue its not censorship. If I don't pick up your call
| because I don't recognize the number, or my phone is on
| silent, is that censorship? Lacking an agenda or a message
| I'd hesitate to call anything censorship.
|
| Like, without a censor actually redacting things or
| controlling the conversation, can it really be called
| censorship?
| marcosdumay wrote:
| It's not censorship if one of the peers on the conversation
| do it. It's certainly censorship if a monopolistic or
| oligopolistic platform does it. And there's a lot of middle
| ground where things get hard,
| burnished wrote:
| >>It's certainly censorship if a monopolistic or
| oligopolistic platform does it
|
| this seems like a good point, I'll have to think on it.
| For this particular situation I'm having a hard time
| seeing the argument on the basis that .xyz domains are
| cheap and get used for lots of attacks as stated in the
| article, so is it censorship or defense?
|
| I think the question at the heart of my disagreement
| would be "what speech is being censored?", I don't see a
| compelling answer so I have a hard time seeing it as
| censorship at all.
| marcosdumay wrote:
| It would get deep into the grey area if Google users had
| any capacity of enabling the communications with those
| sites. As of today, Google is the one in control of the
| communications, and dictate who can reach anybody over
| most of the internet. They just don't have a policy of
| empowering their users to decide who they want to talk
| to.
|
| What speech is being censored is harder to discover. They
| are blocking people from communication without any
| feedback, and it would take a large effort to reach them
| and discover who they are. Certainly most of what is
| blocked is spam, but that's true for whatever block you
| implement today, unless you spend an unreasonable amount
| of resources targeting it into non-spam.
| burnished wrote:
| OK, I think we are probably pretty close in agreement. I
| still don't think censorship is the appropriate word here
| but also want to be clear that is what I am disagreeing
| about, not any of the larger issues.
| burnished wrote:
| Censorship is part of an agenda. This is not censorship, and
| you calling that waters the phrase down. If I have a poorly
| constructed email filter, is that censorship? I wouldn't say
| so, and this example is more in line with that than with any
| active censorship.
|
| So, in short, no one is afraid to call something censorship, I
| think they are just waiting for the right time. When it is
| applicable.
| sneak wrote:
| Hiding spam from users is an agenda, so therefore my usage
| complies with your definition.
| burnished wrote:
| Do you think that furthered the conversation, or are you
| trying to score points? Or perhaps my meaning was unclear?
| LeifCarrotson wrote:
| Censorship has strong connotations of authoritarian regimes
| with political motivations. When they're doing it in peacetime
| with (I believe) a genuine goal to benefit the user by removing
| spam messages or by making abbreviated URLs like 'spot.xyz'
| clickable (even if that parser is broken, written by someone
| who only expected .com/.net/.org), it's just called parsing.
|
| In much the same way, propaganda is just advertising with
| negative connotations, and a cult is just a religion with
| negative connotations. Calling all advertising propaganda or
| all religious people cultists is not likely to win people to
| your cause.
| unethical_ban wrote:
| You'll find I agree that the concept of silently spam filtering
| on TLD of a link is something that pisses me off.
|
| You'll also find that calling this "censorship" as if it has to
| do with government action, or that it has to do with the
| content of the specific site, is ludicrous.
|
| This is incompetence, not malice.
| teddyh wrote:
| Censorship is far from not limited to government action. I
| see this misconception a lot, and I believe it comes from
| Americans misinterpreting their first amendment.
| RyJones wrote:
| perhaps it's a parsing error, like the bug yesterday about
| usernames may not end in MIME types? SMSC[0] is re-implemented
| many times.
|
| 0: https://en.wikipedia.org/wiki/Short_Message_service_center
| duskwuff wrote:
| Given the context, it's absolutely a spam thing. When the
| .XYZ gTLD launched, registrars were incentivized to discount
| it aggressively, sometimes as low as $1 for the first year.
| Spammers loved this.
| ThrowawayR2 wrote:
| Censorship would be intentionally preventing people from seeing
| something that they want to see. Here, the main intent is to
| prevent spam and nobody wants to see spam.
|
| Even as a free speech advocate, it's hard to see a problem with
| this.
| sneak wrote:
| False positives mean that they are censoring things that
| aren't spam, as illustrated in TFA.
| lopis wrote:
| Spam protection is very hard, so xyz was sacrificed because
| most of it was spam. Filtering out viagra pills junk mail from
| your inbox is also censorship.
| imwillofficial wrote:
| Email is such a steaming pile of shit these days. I can't wait
| till everyone moves off of it.
| gspr wrote:
| Maybe, but there's no other asynchronous, federated, widely
| deployed, open-standards competitor. Not by a million km.
| [deleted]
| mtm7 wrote:
| Has anyone noticed any of this with .dev domains?
| EduardoBautista wrote:
| I haven't noticed any issues. An advantage of .dev is that it
| belongs to Google, so I am sure it that will work smoothly for
| the most part.
| readflaggedcomm wrote:
| Alphabet also owns abc.xyz, but the author observes that
| Google Voice seems to censor it.
| CydeWeys wrote:
| But .xyz does not belong to Google, and the contamination
| is coming from all the other bad .xyz domains that Google
| has no control over.
| bwship wrote:
| We thought we were being smart when we bought a .io domain. Can't
| tell you how many times we told people the site was foo.io, and
| they would say, ok got it. "foo.io.com".
| dhosek wrote:
| Wikipedia has a blanket ban on .xyz domains unless specifically
| whitelisted. I'll likely move finl.xyz to some other tld
| eventually.
| fegu wrote:
| I wonder about how the .wtf TLD compares.
| ISL wrote:
| Whoa. I use an xyz domain daily. This thread is eye-opening.
| Here's the reply from a SpamAssassin validator.
|
| My domain is almost marked as spam solely on TLD grounds. What's
| the point of a TLD if it isn't a first-party domain on the
| internet? SpamAssassin Score: -0.599
| Message is NOT marked as spam Points breakdown: -5.0
| RCVD_IN_DNSWL_HI RBL: Sender listed at
| https://www.dnswl.org/, high
| trust [***.***.***.*** listed
| in list.dnswl.org] 0.0 URIBL_BLOCKED
| ADMINISTRATOR NOTICE: The query to URIBL was
| blocked. See
| http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
| for more information. [URIs:
| ***.xyz] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average
| reputation (+2)
| [***.***.***.*** listed in wl.mailspike.net] 0.0
| SPF_HELO_NONE SPF: HELO does not publish an SPF Record
| 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
| [URI: ***.xyz (xyz)] 0.0 HTML_MESSAGE BODY: HTML
| included in message 0.1 DKIM_SIGNED Message has
| a DKIM or DK signature, not necessarily
| valid -0.1 DKIM_VALID_AU Message has a valid DKIM
| or DK signature from author's
| domain -0.1 DKIM_VALID Message has at least one
| valid DKIM or DK signature 2.0 FROM_SUSPICIOUS_NTLD_FP
| From abused NTLD 0.5 FROM_SUSPICIOUS_NTLD From abused
| NTLD 0.0 TVD_SPACE_RATIO No description available.
| jordemort wrote:
| I have a .haus domain for personal use. I can send and receive
| email just fine, but I do run into a lot of apps that do some
| sort of misguided "validation" on the email address and reject
| .haus as an invalid domain. One retailer lets me use the .haus
| email address as a login, but once I log in and try to make a
| payment it requires me to enter a different "valid" email address
| to send the receipt to. It's very irritating.
| tombert wrote:
| I have similar issues with my two main emails, which end with
| `.app` and `.sexy`. Both of these work fine, but validation
| will fail a lot of time (particularly for `.sexy`, but even for
| `.app`), forcing me to defer back to an unwieldy .com that I
| own.
| dangrossman wrote:
| I've been using a .info domain for email for, I don't know,
| 15-20 years. Maybe 3-4 times in those decades I've run into a
| service that won't let me sign up with my "invalid email". And
| once, I was locked out of my smart garage door opener app
| because a new version decided my already-registered email was
| now invalid for logins. Customer support kept telling me to
| just reset my password, but even the password reset form
| decided my email was invalid. A few months later, another new
| version of the app decided my email was valid again.
| invokestatic wrote:
| I have a .co domain that gets rejected occasionally as well.
| Highly regret that domain choice since people often mistake it
| for .com.
| abdusco wrote:
| I had a .co domain, and it was a pain to spell it out to
| people. "It's like .com, but without m" and people usually
| got confused, or thought it was a typo and "fixed" it as
| .com.
|
| I have a .dev domain now and everything seems to be running
| smoothly, plus it's +20% cheaper.
| ChrisArchitect wrote:
| tough story for a company and I know there's a ton of shady TLDs
| out there now but this will change rapidly I think - it used to
| be a .com world but as we all know .io etc has changed rapidly in
| last 5 years. Lately due to lack of .coms I get the feeling a lot
| of the other TLDs like .shop, .whatever are being used more and
| more for random sites for startups, projects etc, so I'm sure as
| they become more accepted in tech systems like SMS (weird about
| the filtering) and servers etc.
| kiwih wrote:
| Oh. As someone with a blog on a .xyz, this is disappointing news
| (but extremely good to know). Guess I should look at migrating...
| type0 wrote:
| Why are .net domain names relatively unpopular? New technology
| sites often use .io and .dev even when there are a lot of
| available .net names.
| bink wrote:
| .net and .org were the original .xyz. Back in the late 90s and
| early 2000s they were seen as less reputable for businesses. I
| think they still carry some of that tarnish.
| jer0me wrote:
| .org domains actually have some credibility as there's this
| misconception that you need to be a non-profit to register
| one, like how you have to be a accredited university to
| register a .edu domain or a government entity to register a
| .gov domain. .net domains however have a bad reputation
| regardless for some reason.
| kureikain wrote:
| Before I get into email business(I run my own email forwarding
| service[0]), I don't understand why provider block those domains.
|
| Then I immediately got it. The amount of spam emails from .xyz
| .click .faith .top is huge. And with every email comes from them,
| we have to run spam scanner, which isn't cheap. So we have to
| score those TLDs more sensitive.
|
| https://www.spamhaus.org/statistics/tlds/ can give some insight
| about spam rate by tld.
|
| ---
|
| [0] https://mailwip.com
| GuB-42 wrote:
| > We should have known better from the beginning as we
| previously founded Outreach.io, the leading sales engagement
| platform, making us no strangers to email deliverability. In
| the early days of Outreach, we had utilized some short .xyz
| domains to use for shortened links in emails sent on behalf of
| our customers.
|
| Translation: We used .xyz for spamming, of course .xyz is
| associated with spam.
| ifreund wrote:
| From that spamhaus link .xyz has a lower bad percentage (4.4%)
| than .com (5.1%) and .net (10.5%).
| dredmorbius wrote:
| What are its positives?
| sneak wrote:
| Seems like an easy solution is to simply start spamming from
| .coms like we had to back in my day.
| dredmorbius wrote:
| The reality of Internet filtering and firewalls, and a rule
| generalisable to _any_ attempt at control and autonomy, is that
| the effect-to-effort ratio matters. The principle of a small
| effort with a large result is behind the architecture of every
| switch, gate, door, valve, or dam.
|
| New generic TLDs have the disadvantage of being recently
| unleashed. There are no venerable sites on XYZ, or its siblings.
| Much of what's registered there, and that word was "much" and not
| "all", _is_ absolutely unworthy crap. And for those who are faced
| with defending either their own or their customers, clients,
| users, employees, or other stakeholder 's security and time,
| wholesale blocking of the entire TLD solves _a lot_ of problems
| with very little downside cost.
|
| The obvious response is "but there's a lot of crap on legacy TLDs
| as well". Yes, there is, but there are _also_ valued, venerable,
| and essential domains, and blocking all of them is not a viable
| option. (Though the prospect of whitelisting is becoming
| increasingly attractive.)
|
| I've known people who are, on the one hand, Internet freedom
| advocates of decades-long standing --- before most people reading
| this were born. Who wholesale block access by all China ASNs to
| their webservers --- because all they see from such networks is
| malicious traffic. Again: effect-to-effort ratio here is high.
|
| No, it's not "fair". Yes, there's collateral damage. But you're
| absolutely fighting not merely human nature but all of control
| theory in trying to combat this.
|
| Register on XYZ and you'll be increasingly fighting a common
| practice of default-deny, whitelist-by-request. For every user
| you're trying to reach.
|
| And you should ask yourself if it's really worth it.
|
| XYZ, meantime, are mining and arbiraging short-term cashflow for
| long-term reputation at the specific expense of its legitimate
| customers. Those with the least bit of sense will abandon the
| registrar, leading to an ever-accelerating reputational death
| spiral.
| [deleted]
| Dig1t wrote:
| > initial email open rates rose from 70% to 86%
|
| I know this is common knowledge, but it still really creeps me
| out that companies can track this.
| taftster wrote:
| Disable auto-image loading, and it will cut down the ability
| for companies to do this.
|
| Unfortunately, this often times leads to direct phone calls
| along the lines of, "Hey taftster, did you get my email? It
| shows that you haven't opened it yet."
|
| This side-effect is also very annoying.
| DaiPlusPlus wrote:
| Who gives companies their personal phone number?
| sodality2 wrote:
| Perhaps this is from a nosy colleague who has enabled read
| receipts. I learned this the hard way when I "didn't see"
| an email I had in fact opened.
| techsupporter wrote:
| I get unenrolled from electronic statements from Capital
| One and a local credit union if I go 12 months without
| "opening" an e-mail from them. I do open and read their
| e-mails but since I don't have image loading enabled, they
| don't know that so they "helpfully" start sending me paper
| bills again, and stop sending me the e-mails to say that
| the bills are ready. It's incredibly annoying.
| plumeria wrote:
| What about .app domains?
| maxwell wrote:
| The .app TLD is owned by Google, requires HTTPS, and I haven't
| run into any issues in practice. Whereas my corporate VPN
| blocks all .xyz domains.
| profmonocle wrote:
| > requires HTTPS
|
| I've always felt conflicted about this. I generally support
| moving everything to HTTPS, and requiring it for new TLDs
| isn't a terrible idea because there's no chance of breaking
| anything legacy.[1]
|
| On the other hand, Google owns the TLD, controls the HSTS
| preload list, controls the most popular browser. The idea
| that an entire TLD could be added to the HSTS preload list
| was a completely unilateral decision by Google. It makes me
| uneasy.
|
| [1] ...unless you were using the domain internally assuming
| it would never be added to the root zone, which bit some
| people when they did this with .dev
| jonny_eh wrote:
| Ya, these issues seem to be on a case-by-case basis. If the
| owner of a TLD is careless, it can get a bad rap and become
| useless.
| Twisell wrote:
| Got a nice .xyz domain mainly for mail with SPF,DKIM correctly
| set up and tested against multiple validators.
|
| No big issues so far except for the HR department of a potential
| new gig which can painlessly mail me@mydomain.xyz about job
| interviews BUT never get my replies back.
|
| I don't who to blame more in this mess:
|
| - Me for playing smartass instead of using a @gmail.com because
| they impose the rules so everybody comply to them (maybe my
| reluctance to encourage this broken system explain my
| recklessness)
|
| - The IT department of this organization that probably didn't
| what to deal with modern standard and/or reasonable spam
| filtering and set up a blunt rule for new TLD (I mean come on it
| was a REPLY to a mail ADRESSED to this specific mailbox)
|
| - The broken system that keep on inventing arbitrary new rules
| that everyone must implement to keep getting accepted by "the big
| players". (For instance I already had to change hosting two years
| ago because apparently you are also responsible for bad
| neighbors)
|
| Guess i'll just have to be brave and migrate to a more classical
| TLD and set up redirects to ease transition. But it's pretty
| annoying to start over with crap like that because some dudes in
| "the big players" teams decided to ban a whole TLD just because
| it's "easier".
| cortesoft wrote:
| > (maybe my reluctance to encourage this broken system explain
| my recklessness)
|
| This is a great example of a Collective Action problem.
| Everyone would be better off if we could break the gmail
| domination of email policy, but as an individual you will have
| zero effect on gmail's dominance and only suffer the pain of
| not being a part of the system.
| slavik81 wrote:
| It is rather disappointing. I run my personal blog and email on
| .xyz because it's great for graphics puns. Hotmail and gmail will
| accept my messages, but corporate email servers often seem to
| blackhole me.
| davefp wrote:
| Funnily enough, I've found that the .email TLD is often rejected
| as an invalid domain when I'm filling out my email address
| online.
| qecez wrote:
| Just get the dotcom. [0,1]
|
| [0] http://www.paulgraham.com/name.html
|
| [1] https://zlipa.com
| NackerHughes wrote:
| Oh, if only it were that easy! Just get the dotcom that's
| already registered or otherwise costs PS3,995/year bro!
| jagger27 wrote:
| Gee, I wonder who made zlipa?
|
| > Bootstrapped with <3 by @qecez.
|
| > Our goal is to help makers find an awesome home for their
| project and not to help you flip. We reserve the right to
| refuse, or cancel membership to anyone without explanation.
|
| Nice, so only _you 're_ allowed to flip your parked domains.
| smalley wrote:
| Does anybody know if there's a consolidated list of domains and
| their various blacklist/deliverability issues compiled someplace?
| I for one would love to know how broad this problem is across the
| various TLDs for network filtering/email/sms/messaging etc. Seems
| like it would be a pain to maintain even as a snapshot but I
| would definitely be interested.
___________________________________________________________________
(page generated 2021-09-16 23:00 UTC)