Email Required (digital exclusion of people without email)

Mail servers no longer simply accept RFC-compliant email. Thanks to Google, Microsoft, and Spamhaus, when you are forced to send an email you are forced through a series of arbitrary hurdles and obsticles imposed by the recipient. Every hurdle is an attack on your personal freedom and autonomy. It’s an attack on your control over what info you disclose to who.

This guide is for a few (perhaps rare) circumstances:

• You are expected to send an email to a person or org, e.g. per a legal obligation, but you would rather not give in to email-pushers who at the same time impose hurdles on email acceptance (network non-neutrality).
• You have missed a deadline to send an email and need a good excuse for missing the deadline.
• You are going to send a snail mail to an org for whatever reason. If you are taking the time to send them a letter anyway, might as well nitpick their mail server and add a log showing a refusal by their overly defensive mail server, just to drive the point that email cannot be relied on under their configuration. Gov agencies and various orgs are unplugging their fax machines with reckless disregard because they do not know their email shit stinks.

Email has become so enshitified by corporate assholes (Google and Microsoft) that it’s generally easy to be refused and to collect a server log showing a denial. You simply stand up a mail server on a residential network and configure it to directly connect to the recipient’s mail server. This is the default config, in fact.

Some uncommon mail servers still accept connections from residential IP spaces, so merely running your own server does not cover all bases. You can go a step further and configure the mail server to connect over Tor. It still does not guarantee refusal but it substantially increases the chances of refusal.

The onionmx project is stale but still relevant. A failure log looks like this:

to=<foo@some.org>, relay=none, delay=126, delays=0.09/0.11/126/0, dsn=4.4.1, status=deferred (connect to some.org[1.1.99.99]:25: Connection refused)

If you don’t want to risk sending a bluff email that risks getting accepted, simply do an MX lookup using dig:

dig @"${dnssvr}" -t mx -q "$domain" +noclass +nocomments +nostats +short +tcp +nosearch

then telnet to port 25 of the MX server. First try direct from your residential IP. If you can connect then try the same again over Tor. This will give a quick idea of whether the connection is allowed.

The reason email has become an exclusive and unreliable piece of shit is ultimately because there are too many conformists who are okay with Microsoft and Google controlling how email works -- denying RFC-compliant transactions to force more senders into corporate dependency. Push back is needed. Anyone who objects to MS and Google dictating terms has a duty of civil disobedience.

In most cases, when you are objectionably forced to supply an email address, the solution is to walk and take your business elsewhere. But what about the cases where you are trapped because you are forced (e.g. by law) into an interaction that demands an email address?

We need a fix. One idea is to designate a few universally shared email addresses for everyone to use:

1. something like nobodyhome@righttobeanalog.org, which simply rejects all connections. The rejection message from the mail server would be a lengthy canned response that mansplains to the sender: “You unreasonably demanded an email address from someone who objects under GDPR Art.18 to that kind of processing. Please note we kept a copy of your attempt and will serve as witness to the data subject’s express Art.18-protected objection.” (edit: would also be useful to detect the sending server’s ownership, and if MS or Google add an extra blurb about objections to surveillance advertising)
2. something like blindverify@digitalrights.org, which accepts the message just to the extent necessary to see the body of the message and visit all the URLs therein, in case someone is filling out a required field on a form that will lead to a confirmation procedure. Then after visiting the links it perhaps does a rejection comparable to message too large refusals, ideally in a way that avoids backscatter if possible. Maybe withhold the final ACK after the last packet is read.
3. blindverify-blackhole@righttobeoffline.org: same as blindverify but instead of signalling an error it accepts delivery, followed by an auto-response (comparable to a vacation responder) telling the sender that the msg was blackholed.

Of course whatever address gets designated will end up on lists and will be specifically refused by some forced-email pushers, but we could do the cat and mouse game with dynamic addressing a bit and in the very least have a solution that at least works for the less forceful less motivated forced email pushers.

Other solutions?

(update)
4. (Spamgourmet tweak) SG gives us a way to forward just the first X msgs and blackhole the rest. It would be useful to forward only the 1st msg (for verfiication) but instead of blackholing the subsequent messages, refuse them.

Snags identified with blind-verify approaches:

1. The verification URL could lead to further interaction beyond simply visiting the link, which would leave the procedure incomplete.
2. The verification email could have contradictory links; e.g. “click here to verify” and “click here to delete your account”, which would create a possible race condition and unexpected results.

I wanted to talk to someone at a law firm in a big office building. Accessing the building required badging in. I said to the security staff I wanted to visit a law firm in that building. They said I must register on a touchpad. The form required my name, phone number, and email address, which had red asterisks -- required fields and grayed out button until they were filled. I entered bogus info and got a visitor badge.

Got an email from a bank saying my account has been put in a restricted state because they have been unable to reach me. Their emails reach me fine. They rarely send paper mail but when they do I can see that they have the correct address on file.

Then I looked closer at their email, examined the HTML, and found that they insert a tracker pixel in their messages. So if I were to use a graphical mail client with default configs, they would surreptitiously get a signal telling them my IP (thus whereabouts) and time of day every time I open my email from them. I use a text client so the tracker pixels get ignored.

Would a bank conclude from lack of tracker pixels signals that they are not reaching a customer, and then lock down their account?

I’m not going to call them and ask.. fuck them for interrupting my day and making me dance. I don’t lick boots like that. I just wonder if anyone else who does not trigger tracker pixels has encountered this situation.

An insurance agent who I called on the phone for a quote demanded my email address. I resisted, said he could have my fax number instead. He said the form he is filling out in order to get me a quote will not move forward without an email address. I got the impression this was not a requirement of the agent but rather the underwriting company, which means no matter which agent sells me the policy it’s impossible to get insurance from that underwriter without an email address. I would be denied insurance with this underwriter had I not supplied an email address in a phone conversation. They assume if you have access to a phone line, you have email.

So I gave him a disposable. This is still not an okay solution. The quote he sent by email traversed Microsoft servers and contained sensitive information without encryption. It doesn’t matter that MS did not get my real email address considering they still got lots of personal info about me from the quote.

It’s also interesting to note that mortgage lenders require borrowers to always have homeowner’s insurance. So I will dream about pulling this activist move: drop the insurance after securing a mortgage, tell the bank “I cannot get insurance because I don’t have an email address”. Insurance companies tend to refuse to sell policies to someone who is not the beneficiary of the policy, so the bank would not be able to insure the home on their side. I would just love to see that shitshow play out. If anyone wants to drop their homeowners insurance for any reason, this might be your best defense for doing so.

Funnily enough, the insurer offers a “paperless discount”, which means they actually have a paper-sending service for those who are not paperless. Yet everyone must have an email address before they even get a quote.