// ==UserScript==
// @name Redirect from mobile wiki to desktop
// @namespace http://tampermonkey.net/
// @version 0.1
// @description try to take over the world!
// @author You
// @match https://*.m.wikipedia.org/*
// @grant none
// @run-at document-start
// ==/UserScript==
window.location.hostname=window.location.hostname.split(".")[0]+".wikipedia.org";
Years back I used to run a similar service (dudmail) which I eventually shutdown due to the time sink (and the unbelievable pain of trying to handle unicode in a million different languages correctly)
I was definitely a lot younger and naive back then and whilst I had intended it as mostly a way to avoid site registration email spam, until reading that wiki link I had never really thought of the potential for abuse.
I'd have to go back and look but I'm pretty sure it was running on OVH towards towards the end as well.
I will admit that after the RIAA/youtube-dl story I felt that it confirmed my belief that it was a mistake for anyone to host anything on US based servers. This takedown with complete lack of transparency from a French provider (OVH) really proves me wrong.
Unless this is some extreme security situation/investigation where it was being used for communication between groups I can't really see this holding up in a European Court?
As an aside Guerrila Mail/ Shark Lasers was my go to service for that kind of 'subscribe this' throw-away email. Anybody has recommendations for alternatives?
France has a strong and growing body of anti-terrorist legislation, and I believe that some of it prevents providers from discussing some law enforcement notices (I believe that the same also exists in the US, hence some companies disclosing that they have NOT received any such requests. So when they stop saying that, you know what's up).
As other commentators have stated, OVH have datacenters in multiple jurisdictions. For example the US and European services are distinct entities and while product offerings are similar there are some specific differences. Also worth noting that while they use support teams across continents, the teams rarely have much context of what's happening in the other continents (has been as issue in the past for my teams).
It is unclear which entity was providing the service to Guerrilla Mail.
If I need a new service, I look at the list of temporary email services supported by the Bloody Vikings Firefox extension [1]. There are quite a few there.
The IPs are probably registered to their Montreal office but indeed, the data centre is in Beauharnois. Think they introduced their services there ~5 years ago.
Since the domain is using an ARIN IP it seems a decent bet that's where they were hosted.
Without knowing the inside story, it seems like an overreaction for OVH to take down an entire service based on law enforcement requests, unless there's more to the story, which there probably is.
FWIW, DNSimple was blocked by an entire country because we adhere to our local laws in the US and we didn't take down a site that was illegal in their country. This is the Internet we have today.
I don't know your use-case, or what your purpose for the throwaways are, but my solution is a domain I only use for email where *@mydomain.tld is redirected to something I read.
So when I register for hackernews I would likely just register hackernews@mydomain.tld, and if their data is ever leaked, or they sell it, I know who did it, or can block that email.
It's obviously not anonymous if that's your use-case, but it solves my issues of not wanting one email registered everywhere and eventually getting spam, and having accountability per service.
I do something similar, except that I add entries to the MTA configuration to do the redirects, rather than use a wildcard. That requires positive action (adding the entry), and I don't have to worry about spammers bugging me by just sending stuff to random addresses. If I start getting spammed (and it HAS happened) I can revoke the address by just removing the redirect.
Amusingly, spam is still getting sent to some of these addresses that I revoked years ago, only to get bounced. I guess it's too much work for spammers to clean the deadwood out of their lists, especially since that inflates the number of addresses they can sell. The good thing is that these addresses are excellent spam traps for fail2ban.
> I will admit that after the RIAA/youtube-dl story I felt that it confirmed my belief that it was a mistake for anyone to host anything on US based servers. This takedown with complete lack of transparency from a French provider (OVH) really proves me wrong.
There is a huge difference between these two cases. Most hosting providers in the world are not going to challenge law enforcement in their jurisdiction and will just cooperate. That's what OVH did, as everyone should have expected.
But at the same time most hosting providers in the world will oppose overreach of copyright trolls. That's what Github didn't do.
Still, if you need some minimal resilience it's never enough to rely on a single hosting provider from a single jurisdiction. Multiple different providers in different countries for frontend servers with some primitive DNS failover can easily solve this and similar problems.
I thought the issue with doing that kind of thing is that they can easily go after the colo provider as well. "xxx is in your building, please pull the plug or you're liable also" is pretty convincing. Or am I mistaken?
Sure but then the solution is that you go and pick up the servers and move them somewhere else, instead of suddenly finding yourself with absolutely nothing and no way out.
Until you are served with a court order to preserve evidence for forensic inspection and then you are stuck with a powered off pile of hardware while you wait for the forensic analyst to show up and make bit level copies of everything; or you are served with a temporary restraining order/preliminary injunction forbidding you from reconnecting the hardware at all until the case is decided.
A better approach is to have a reverse proxy in a difference account/hosting provider. That way the take-down is of the proxy which should be minimal config and no data.
Setting up another reverse proxy in the event of a take-down should be minimal effort.
It then becomes a game of whack a mole if anybody wants to take down a service. I assume this is how The Pirate Bay stayed up for so long.
>>> Unless this is some extreme security situation/investigation where it was being used for communication between groups I can't really see this holding up in a European Court?
I feel the need to point out that each EU country has its own judiciary system and laws. There isn't such a thing as an European court. There's are laws/agreements set at the European level that are supposed to trickle down to each country and the process is fairly complicated and messy.
It's a very strong misconception from US readers to think that there is an Europe court, like there is a supreme court or something in the US.
> The European Court of Justice (ECJ, French: Cour de Justice européenne), formally just the Court of Justice, is the supreme court of the European Union in matters of European Union law. As a part of the Court of Justice of the European Union, it is tasked with interpreting EU law and ensuring its equal application across all EU member states under Article 263 of the Treaty of the Functioning of the European Union (TFEU).
The EJC is there to handle discrepancies between EU regulations and nations (not fully/correctly) implementing them.
So this is not a general supreme court. Cases which don't run in local law conflicting EU regulations can't end up there.
EU regulations don't cover everything and do often have large margins of interpretation. They are generally not laws but regulations about making laws.
So there is a good chance your case will never have a chance to end up there even if it continues to escalate.
Edit: also the ECJ does work different in the results they produce then you think, e.g. they can rule that a certain court action/law/etc. is in beach if regulations and anull it to some degree, but that didn't mean they can e.g. force gurillamail to be rehosted. At most they could "annul" a france court discussion that the takedown for given reasons was legal. Which seems similar but is a massive difference as they then could argue that the takedown was still legal due to other reasons and still win (or just delay it further).
This view is not accurate. There is at least the European Court of Justice[1], and there are directives[2], which are laws written and enacted by the European Union, without any national act being necessary. Of course, the Court of Justice (sadly) doesn't have a European Constitution to rule on, but it does overturn national laws sometimes.
The siblings are half-right; there is the ECJ, and a lot of law is harmonised, but far from everything. But it has nowhere near the political significance of the USSC. And both are appeal courts, so you have to exhaust your country's system first and be granted leave to appeal.
I don't really see there being much of a case to answer, although it may be possible to get the alleged secret law enforcement request. OVH terms of service will undoubtedly allow them to terminate your account for any reason.
European Courts are the ultimate court of appeal in the EU. In this instance I'd say the European Court of Human Rights would absolutely find shutting down these servers as a violation of the European Convention on Human Rights.
European Court of Human Rights is also not exclusive to European Union, other countries signed the convention as well and ratified at least parts of it. There appeals can reach ECHR and its rulings have to be enforced locally.
Actually, a hosting company challenging the police in jurisdiction where ECHR is ratified would go exactly there once it exhausts options in local courts. But not a customer of a hosting company challenging the decision of a hosting company.
.. on what basis? (a) you've not checked whether the OVH user agreement allows this kind of termination, which it almost certainly does, and (b) we don't know any of the underlying facts about the alleged police letter.
A court action might bring some facts to light, but it's unlikely to reinstate the service.
This is only my personal opinion but considering how weak the European cloud market is compared to the US one, it wouldn't surprise me if European cloud providers would bend to police requests because they are already in a vulnerable position.
The US is a toxic jurisdiction as far as any technology is concerned. They were the ones to give us the wonderful gifts of forever Disney copyright and the DMCA.
Can someone explain why a throw-away email service such as Guerrilla Mail has to go offline as a result of law enforcement?
I understand that shady people are doing a lot of shady things with such services, but when equally shady people (criminals, terrorists, pedophiles, etc.) use platforms like Facebook or WhatsApp to commit extremely serious crimes nobody is taking Facebook or WhatsApp offline.
For one, Facebook is its own hosting provider. Not only do they have their own servers, they have their own datacenters and networks. There's quite literally no one to take them offline like that.
It is common that large companies split into subsidiaries dedicated to handle one or a couple of tasks. I wouldn't be surprised if the FB hosting was handled by a separate company owned by FB. Regardless - if there is a request to take something offline, then it should be followed. It is unacceptable that we have two tier legal system. One, very strict for small players, and essentially no rules for the big boys.
It regularly happens, eg. China blocks Google, Brazil sometimes blocks WhatsApp.
It depends very much on who does the requesting, and how much pushback there will/would be, and how it will be dealt with. (In China, the pushback doesn't really matter, in Brazil it still does.)
It is selective application of the law. It is easy to shut down a small company without army of lawyers and infinite resources. If you don't have broad shoulders, then you need to accept that you have to follow the law. Law does not apply to large companies.
Probably lack of oversight, that is, the US law enforcement systems do not have access to the information shared.
Whatsapp may not be secure and the NSA and co may be listening in. I don't believe their end-to-end encryption claim has to be accurate. And it may be end-to-end encrypted but the NSA has a master key to said encryption.
Given how there's services like Encrochat, I believe the dodgy side of society is aware of Whatsapp not being secure and are avoiding it.
WhatsApp and Facebook are tied to real identities (phone numbers, names, etc.) so while law enforcement may not know what is said they know who said it. So if they compromise one end of a conversation they can probably find all the other participants. Guerrilla Mail on the other hand did not allow for that.
For the comparison, Facebook/WhatsApp would fully cooperate with the police, if an account is identified to be some sort of fraud/terrorism/drugs, they will communicate the known identity of the user with last known IP and any information they have (under warrant).
OVH cannot do that, they only rent physical servers, they have no information about the software or the user. If the police comes knocking, the only thing that can be done is to shutdown or seize the servers.
The police must have something against some users of guerilla mail (not a surprise given the nature of the service), they probably went against the servers because they couldn't get a reply or any action from guerilla mail. I checked and found no contact information and no ownership information on their website.
LE does in fact follow the link and use the contacts there 99.999% of the time. The site has been running fine on OVH for nearly 5 years without problem.
They can contact the server user so that the user can hand out that info information.
Any law enforcement should contact guerillamail not the hardware hoster.
Only if gurillamail itself is classified as a criminal organization or similar should OVH be contacted for takedown. Even then gurillamail still should be informed about the exact legal court order which caused that so that they can take appropriate actions.
The fact that they are taken down supposedly because of the law enforcement but no reason is given is SUPER fishy and smell like non law compliment overreach.ail
"Can someone explain why a throw-away email service such as Guerrilla Mail has to go offline as a result of law enforcement?"
It doesn't. Guerrilla Mail could very easily (and relatively cheaply) house their own infrastructure (a single 1U server ?) in their own rack and self provide their hosting.
The takedown notices would go to them. Subpoenas would go to them. They would be served and have great leeway in deciding how to respond and what information to share.
Further, placing the entire operation inside a corporate entity would insulate the owners and allow them to slow down the entire legal/notice/response process.
You do not have to rely on intermediary providers to publish your website.
If a site asks a mail, enter random-6-characters@pokemail.net , in 30 seconds, go to guerrillamail.com and enter the same random 6 characters for the verification link, if any.
I've been using mailinator.com for years - they have an almost identical service (they don't allow you to send mail, though)
Another helpful use case: Some annoying sites ask you to create an account before you can browse them, but there's a faster way: Click on a 'lost password' link, and enter <website name>@mailinator.com as your email - chances are, someone else has already used mailinator to create an account, and you can re-use theirs :-)
many websites do not accept the @mailinator.com email addresses. And Mailinator used to have a ton of alternate domains, nowadays I do not see those. what happened ?
Most people in HN use Disposable Email Address services like Guerrilla Mail almost on a daily basis to avoid companies spamming us or even worse: sell our email as PII.
But bad actors also use these services to anonymize themselves and not only abuse of legit services, but commit fraudulent activities like extortion, porn revenge, identity theft... and also terrorism.
I don’t know why OVH shuts down this service, but knowing in first person how laxe OVH rules are compared to other providers, it must be a serious thing. Probably they found out they could break the law (GDPR?) seriously keeping Guerrilla Mail as a customer.
I cannot agree more from the usage point of view.
But we have to think how others see them: The difference is about the “business model” of DEA and Freemail providers. It’s easy to justify in a court that the purpose of a Freemail service is to offer email service to individuals and that’s why they ask for PII and acceptance of a ToS.
Most of DEA don’t ask for PII to register (if any register at all) and the TOS if exists is against GDPR.
In Europe, SIM cards (prepaid or not) must have an owner, so PII is mandatory when buying one.
About anonymous letters. Do you know why the snail Mail in some European countries is “Royal Mail”? Because in the past the worst crime in a Kingdom was against the King/Queen. Anonymous mailing could cost you your life because it was a crime against the Royal Crown.
Good joke about Germany being privacy-conscious. From what I've read about state-of-the-art in Germany it is the most draconian state in EU (now when Britain has left).
Getting addresses at the big email providers anonymously is not easy. They ask for a mobile number if your IP isn't reputable enough (e.g. they're a Tor exit node).
In some countries anonymous e-mail is illegal. If your IP comes from such country, Google will _always_ ask for phone number on that account without option to refuse. Otherwise they will ask you after completing a registration (there is a delay to let you get hooked on, but Google still asks eventually). Some IP addresses are whitelisted — if you already have a "trusted" Google account, attached to that IP, or if Google recognizes your address as "corporate" or if you are an American and live in "liberal" state or... Basically, there are pockets of world, where Google does not ask it's existing accounts for phone numbers. But those pockets are shrinking and eventually you will be expected to cough up your phone. Unless you have already given Google your phone (e.g. by owning an Android device), which may create false impression, that you didn't need to.
OVH added to personal shitlist of companies never to go near.
Edit: downvotes from OVH I suspect. It's perfectly rational if you read the comments about the abuse team being mostly useless. It's best to judge a company at the point something goes wrong and how it's handled not when it's going right. This is badly handled.
We need to have more information to conclude anything. Servers hosting Guerrilla Mail might have been seized for an investigation for example and OVH might have very little choice but to comply.
I'm not saying it's great, but the story might have been the same if it was another provider. On the other hand, the location of the server might have a bigger impact as it changes which laws applies.
Your comment didn't get downvoted because people disagree or are shilling for OVH, but because it doesn't contribute anything to the conversation. Comments like this tend to get downvoted regardless of sentiment, which I'm surprised you haven't realized yet given your karma. This includes meta-commenting on comment voting.
i had a vps with ovh before and i am building a new service to launch soon and ovh was on top of my list...so i guess they can fuck the right off. vote with your wallet, as always.
I use GuerrillaMail regularly. This is a security tool. There is an absolute need for easy anonymous throwaway email addresses. Hopefully, this will be resolved quickly. Tell us how to help!
It takes like 30 seconds to register a GMail address. I understand it's a bit less convenient, but how often do you need a throwaway email with zero prior use?
Pretty much every website requires you to enter an email address to create an account. If you don't trust the site or don't think you are going to use it for more than a trial then if you use your real email address you risk getting spam either through database leaks, because they have signed you up to a bunch of newsletters or because after signing up for a thousand different sites you get privacy policy updates every week.
This is correct. I strongly recommend registering a random, throwaway domain and running your own mailserver.
Creating an entry in /etc/mail/aliases is just as fast as the interface on the throwaway email sites and you have much more control over the resulting inbound mail.
Way back in the day when I worked for some server rental place, we had an AUP and all of that, but an internal policy: if the cops came knocking about your stuff, we were gonna shut it all down.
Basic reason is that the effort involved in such an account cost us more money than we made in dealing with it. Easier to just cut the relationship.
Maybe they should look at hosting at 1984.is instead, as they seem to have a more robust policy in place regarding take downs:
"Unwavering loyalty to our customers and their fundamental rights is a core value of 1984, hence the name to remind us of what can happen if we fall asleep on our watch. We state that 1984 as a company and its officers will always go the extra mile to protect our customers' civil rights, including the freedom of expression, the freedom of the press, the right to anonymity and privacy. 1984 will always do everything within its legal power to inform our customers of any inquiries from any authorities, lawyers or courts into the customer's affairs that we may become aware of. It is essential that the jurisdiction that the company operates in is Iceland, where the IMMI legislation is forthcoming, making Iceland a haven for freedom of the press and freedom of expression in general." [1]
My bet is guerilla mail was pursued for fraud/terrorism/drug charges, it's not a stretch to guess how an anonymous email service is used by some users.
Looking at guerilla mail, there is no way to contact them and no information about who runs the service. It's a shady company with no legal information as far as anyone can tell. (nothing in the about us or the terms or service pages).
If the police wanted to investigate some users/mails, they would have to get a warrant to OVH to figure out who to contact in the first place (who runs that thing?). It's a fair guess that OVH receiving anything of that sort would shutdown the account immediately.
It's also possible that the police would purposefully shutdown the service and/or seize the servers but rather unlikely. Either way, all the roads lead to the site being dead.
Nowhere on the website it says that it's an anonymous email service provider - it was an anti-spam email solution first and foremost. In fact, the email sending feature prominently warned the user that their IP address would be included in the headers of the email sent. (The sending feature was not for anonymous email, but for the rare chance that a user needed to send an email from there or reply. Guerrilla Mail is mostly used for receiving)
of course - create any website open to the public where they can message each other, and there will always be some abuse. It's unavoidable.
But what can you do? You can't police the messages for every potential form of abuse. (I've only ran an automated spam filter to make sure that the service is never used for blatant spam. I've also blanket-blocked some domains whenever I noticed a pattern in any abuse reports, and finally recipients were able to easily do a permanent block themselves). In any case, running a messaging service even more difficult if you're a small guy and not Facebook or Google.
I thought you allowed to send messages to guerilla addresses only, but you allow to send messages to the rest of the world? If you intend it only for replies, maybe check that inbox has a message that passed DKIM verification, aged no more than 4 days.
You're being naive thinking you can run an open spam service with no consequences. Maybe you don't care about abuse but the hosting does and will act on the recurring complaints.
Seriously, cut the ability to reply to emails and that should be fine.
There's no use case to send replies for an anti-spam. Never seen a registration process that required to reply to complete the registration.
Tip: The google postmaster tool can show you the reputation of your domain and how much of your outbound emails are going to spam. That shall give you an idea how well it's abused. https://www.gmail.com/postmaster/
It wasn't shutdown for spam, and the service is not a spam service but an ant-spam service.
The service has been sending out emails since about 2013. It only lets out a limited number of emails, and there's an anti abuse policy in place. The IP address always has a good reputation with Google and Microsoft, I am well aware of all the feedback loops.
Any service of any importance should be run on hardware you own.
There should be nothing even slightly surprising about this. OVH is a shitty company that will let anyone do anything they want until enough complaints are made. They don't communicate.
Guerrilla Mail should colocate some servers and/or find a company that is small enough to have humans with whom they can actually communicate.
I host my temp mail https://getnada.com service @ OVH for the last 6-7 years and I hope they don't shut me down like that, They do from time to time send takedown requests to phishing attempts and other criminal activity which we take down ASAP but usually their response team is doing a good job.
I've been hosting the site on OVH since 2016. The site hasn't changed much during this time, and I've been quite happy with their services until now.
A little bit about Guerrilla Mail: It its' first and foremost, an anti-spam solution. Nowhere on the website it says that's an "anonymous email" provider. In fact, the email sending feature prominently warned the user that their IP address would be included in the headers of the email sent. (The sending feature was not for anonymous email, but for the rare chance that a user needed to send an email from there or reply. Guerrilla Mail is mostly used for receiving)
The timeline for the suspension went like this:
On October 12th, I received what seemed like a canned message from the OVHCloud Abuse team, saying that my server was (quote) "used for a fraudulent activity" and threatening termination within 48 hours.
There was no further details about the nature of the "fraudulent activity". I've replied to the message asking to give more details.
On October 16, I've received a reply, but still no details about the specific case. They mentioned that, their quote: "the problem here is clearly, that your service is too easy to use for fraudulent and illegal activities. ", further threatening to shut down the service within 7 days "if the situation does not improve". They also suggested a list of measures that the site should take.
I've replied informing that most of measures that they suggested were already taken, plus some other measures including an anti-abuse policy that has worked well over the years.
On October 19, I received a reply, this time hinting that I should pay them for an additional service, their quote "Maybe you see an option in using a service which lets you customize the Whois-Record, so your contact details can be mentioned for abuse instead of ours.".
I've started to deeply consider such a service, but before I would take it up, I wanted to get more info about the alleged law enforcement requests they receive, that are never forwarded, so I've asked them for more information about these once again.
On November 2nd, I received a reply, but still no details about the specific case, or the rate of such requests, questions that I've asked previously were ignored. Again, they were offering the additional service, their quote "change of infra to have your own abuse contact in registry info".
At this stage I was ready to buy whatever they were offering. I've replied to the email with only two sentences "Is there someone I can speak with directly on your team?
Let's do a 30 minute call and reach an understanding."
On November 4th, I received a reply notifying that the server has been suspended.
Btw, if there's anyone at OVH that wants to look at the issue, it is WTLXFRCVSG.85a1
your server seems reachable through a ping.
If I understand well the situation it seems that they suggest you to acquiert your own IP address to have your own @abuse contact. I think a lot of guys report your ip to @abuse (managed by OVH, not you) about spam that why OVH react.
Yes, I was under the impression that this is what they meant. It would have been great to be able to to chat so that I could learn more about how much this would cost, but as outlined above, they decided to end the conversation.
You're right, currently the server is sitting in "rescue mode" and under OVH's instructions, I'm not allowed to swap it back to the normal hard disk boot. That's ok, I can still mount the disks manually via SSH and move everything out. So at least that's some good news - the server hasn't been seized.
The hosting bill has been paid up until December, so I'll will be looking to get a partial refund hopefully.
Anyways, gotta roll with the punches I guess. Thanks for your comment.
119 comments
[ 3.1 ms ] story [ 163 ms ] threadhttps://en.wikipedia.org/wiki/Guerrilla_Mail
I was definitely a lot younger and naive back then and whilst I had intended it as mostly a way to avoid site registration email spam, until reading that wiki link I had never really thought of the potential for abuse.
I'd have to go back and look but I'm pretty sure it was running on OVH towards towards the end as well.
Unless this is some extreme security situation/investigation where it was being used for communication between groups I can't really see this holding up in a European Court?
As an aside Guerrila Mail/ Shark Lasers was my go to service for that kind of 'subscribe this' throw-away email. Anybody has recommendations for alternatives?
France has a strong and growing body of anti-terrorist legislation, and I believe that some of it prevents providers from discussing some law enforcement notices (I believe that the same also exists in the US, hence some companies disclosing that they have NOT received any such requests. So when they stop saying that, you know what's up).
It is unclear which entity was providing the service to Guerrilla Mail.
If I need a new service, I look at the list of temporary email services supported by the Bloody Vikings Firefox extension [1]. There are quite a few there.
[1]: https://addons.mozilla.org/en-US/firefox/addon/bloody-viking...
Unlike others I've tried before, they seem to have a fairly large amount of domains in rotation, making them difficult to block as a website admin.
[1] https://goo.gl/maps/g31VwjMtvr7GwCsf8
https://www.ovh.com/ca/en/discover/canada.xml
The IPs are probably registered to their Montreal office but indeed, the data centre is in Beauharnois. Think they introduced their services there ~5 years ago.
Since the domain is using an ARIN IP it seems a decent bet that's where they were hosted.
FWIW, DNSimple was blocked by an entire country because we adhere to our local laws in the US and we didn't take down a site that was illegal in their country. This is the Internet we have today.
So when I register for hackernews I would likely just register hackernews@mydomain.tld, and if their data is ever leaked, or they sell it, I know who did it, or can block that email.
It's obviously not anonymous if that's your use-case, but it solves my issues of not wanting one email registered everywhere and eventually getting spam, and having accountability per service.
Amusingly, spam is still getting sent to some of these addresses that I revoked years ago, only to get bounced. I guess it's too much work for spammers to clean the deadwood out of their lists, especially since that inflates the number of addresses they can sell. The good thing is that these addresses are excellent spam traps for fail2ban.
There is a huge difference between these two cases. Most hosting providers in the world are not going to challenge law enforcement in their jurisdiction and will just cooperate. That's what OVH did, as everyone should have expected.
But at the same time most hosting providers in the world will oppose overreach of copyright trolls. That's what Github didn't do.
Still, if you need some minimal resilience it's never enough to rely on a single hosting provider from a single jurisdiction. Multiple different providers in different countries for frontend servers with some primitive DNS failover can easily solve this and similar problems.
Or don't use a "hosting provider" at all.
A full rack at he.net with 15a of power is USD $350/mo[1] - and that's probably not a super competitive rate. You can probably do better elsewhere.
Now you are the host. The notices go to you.
I don't know why we have this collective amnesia about what it takes to run a simple website.
[1] At their Fremont, CA HQ building.
Setting up another reverse proxy in the event of a take-down should be minimal effort.
It then becomes a game of whack a mole if anybody wants to take down a service. I assume this is how The Pirate Bay stayed up for so long.
Downside is doubling bandwidth costs.
I feel the need to point out that each EU country has its own judiciary system and laws. There isn't such a thing as an European court. There's are laws/agreements set at the European level that are supposed to trickle down to each country and the process is fairly complicated and messy.
It's a very strong misconception from US readers to think that there is an Europe court, like there is a supreme court or something in the US.
https://en.m.wikipedia.org/wiki/European_Court_of_Justice
> The European Court of Justice (ECJ, French: Cour de Justice européenne), formally just the Court of Justice, is the supreme court of the European Union in matters of European Union law. As a part of the Court of Justice of the European Union, it is tasked with interpreting EU law and ensuring its equal application across all EU member states under Article 263 of the Treaty of the Functioning of the European Union (TFEU).
So this is not a general supreme court. Cases which don't run in local law conflicting EU regulations can't end up there.
EU regulations don't cover everything and do often have large margins of interpretation. They are generally not laws but regulations about making laws.
So there is a good chance your case will never have a chance to end up there even if it continues to escalate.
Edit: also the ECJ does work different in the results they produce then you think, e.g. they can rule that a certain court action/law/etc. is in beach if regulations and anull it to some degree, but that didn't mean they can e.g. force gurillamail to be rehosted. At most they could "annul" a france court discussion that the takedown for given reasons was legal. Which seems similar but is a massive difference as they then could argue that the takedown was still legal due to other reasons and still win (or just delay it further).
[1]: https://en.wikipedia.org/wiki/European_Court_of_Justice [2]: https://en.wikipedia.org/wiki/Regulation_(European_Union)
I don't really see there being much of a case to answer, although it may be possible to get the alleged secret law enforcement request. OVH terms of service will undoubtedly allow them to terminate your account for any reason.
You are not going there because an hosting company shutdown your mail service.
Last cases for reference: https://hudoc.echr.coe.int/eng#{%22languageisocode%22:[%22EN...}
A court action might bring some facts to light, but it's unlikely to reinstate the service.
I understand that shady people are doing a lot of shady things with such services, but when equally shady people (criminals, terrorists, pedophiles, etc.) use platforms like Facebook or WhatsApp to commit extremely serious crimes nobody is taking Facebook or WhatsApp offline.
What is the rationale behind this?
Closing Guerrilla Mail will upset us a lot but the rest of the world will ignore it. Close Whatsapp and the world will be a chaos.
It depends very much on who does the requesting, and how much pushback there will/would be, and how it will be dealt with. (In China, the pushback doesn't really matter, in Brazil it still does.)
> if there is a request to take something offline, then it should be followed.
Whatsapp may not be secure and the NSA and co may be listening in. I don't believe their end-to-end encryption claim has to be accurate. And it may be end-to-end encrypted but the NSA has a master key to said encryption.
Given how there's services like Encrochat, I believe the dodgy side of society is aware of Whatsapp not being secure and are avoiding it.
OVH cannot do that, they only rent physical servers, they have no information about the software or the user. If the police comes knocking, the only thing that can be done is to shutdown or seize the servers.
The police must have something against some users of guerilla mail (not a surprise given the nature of the service), they probably went against the servers because they couldn't get a reply or any action from guerilla mail. I checked and found no contact information and no ownership information on their website.
"Please contact us on Twitter / Facebook" is not a receivable contact information.
FYI: A website is required by (French) law to have legal mentions including the company name, address, director, company registration number...
It was hosted in Canada on space owned by a Canadian company.
Any law enforcement should contact guerillamail not the hardware hoster.
Only if gurillamail itself is classified as a criminal organization or similar should OVH be contacted for takedown. Even then gurillamail still should be informed about the exact legal court order which caused that so that they can take appropriate actions.
The fact that they are taken down supposedly because of the law enforcement but no reason is given is SUPER fishy and smell like non law compliment overreach.ail
What do you think happens when the hoster receives an official warrant to disclose who is one particular customer? They shutdown the customer.
It should be handled better. On that we can agree.
It doesn't. Guerrilla Mail could very easily (and relatively cheaply) house their own infrastructure (a single 1U server ?) in their own rack and self provide their hosting.
The takedown notices would go to them. Subpoenas would go to them. They would be served and have great leeway in deciding how to respond and what information to share.
Further, placing the entire operation inside a corporate entity would insulate the owners and allow them to slow down the entire legal/notice/response process.
You do not have to rely on intermediary providers to publish your website.
If a site asks a mail, enter random-6-characters@pokemail.net , in 30 seconds, go to guerrillamail.com and enter the same random 6 characters for the verification link, if any.
Thanks for helping me avoid spam
Another helpful use case: Some annoying sites ask you to create an account before you can browse them, but there's a faster way: Click on a 'lost password' link, and enter <website name>@mailinator.com as your email - chances are, someone else has already used mailinator to create an account, and you can re-use theirs :-)
I mean yes, but then you'd also have to shut down Gmail, live.com and all the dozens of free email hosters.
Better make prepaid SIM cards illegal too. Oh an letters can be mailed anomalously, better make that illegal too.
Some countries go further and require government ID to sign up for even stuff like social networks (South Korea)
You propose it as a ridiculous conclusion but these are things that democratically-elected governments do.
In some countries anonymous e-mail is illegal. If your IP comes from such country, Google will _always_ ask for phone number on that account without option to refuse. Otherwise they will ask you after completing a registration (there is a delay to let you get hooked on, but Google still asks eventually). Some IP addresses are whitelisted — if you already have a "trusted" Google account, attached to that IP, or if Google recognizes your address as "corporate" or if you are an American and live in "liberal" state or... Basically, there are pockets of world, where Google does not ask it's existing accounts for phone numbers. But those pockets are shrinking and eventually you will be expected to cough up your phone. Unless you have already given Google your phone (e.g. by owning an Android device), which may create false impression, that you didn't need to.
Edit: downvotes from OVH I suspect. It's perfectly rational if you read the comments about the abuse team being mostly useless. It's best to judge a company at the point something goes wrong and how it's handled not when it's going right. This is badly handled.
Please refresh the guidelines.
So far they have always forwarded requests to us, but in some cases they shut down some of our servers if we didn't respond within a few hours.
This looks like the request was directly addressed to them and they may be legally prohibited from talking about it.
Creating an entry in /etc/mail/aliases is just as fast as the interface on the throwaway email sites and you have much more control over the resulting inbound mail.
Start a Delaware corp (or Wyoming or Nevada, etc.), get a simple checking account with a debit card, and purchase a domain.
Basic reason is that the effort involved in such an account cost us more money than we made in dealing with it. Easier to just cut the relationship.
"Unwavering loyalty to our customers and their fundamental rights is a core value of 1984, hence the name to remind us of what can happen if we fall asleep on our watch. We state that 1984 as a company and its officers will always go the extra mile to protect our customers' civil rights, including the freedom of expression, the freedom of the press, the right to anonymity and privacy. 1984 will always do everything within its legal power to inform our customers of any inquiries from any authorities, lawyers or courts into the customer's affairs that we may become aware of. It is essential that the jurisdiction that the company operates in is Iceland, where the IMMI legislation is forthcoming, making Iceland a haven for freedom of the press and freedom of expression in general." [1]
[1]: https://www.1984.is/about/
Looking at guerilla mail, there is no way to contact them and no information about who runs the service. It's a shady company with no legal information as far as anyone can tell. (nothing in the about us or the terms or service pages).
If the police wanted to investigate some users/mails, they would have to get a warrant to OVH to figure out who to contact in the first place (who runs that thing?). It's a fair guess that OVH receiving anything of that sort would shutdown the account immediately.
It's also possible that the police would purposefully shutdown the service and/or seize the servers but rather unlikely. Either way, all the roads lead to the site being dead.
It would certainly be nice to have more information on what exactly happened.
But what can you do? You can't police the messages for every potential form of abuse. (I've only ran an automated spam filter to make sure that the service is never used for blatant spam. I've also blanket-blocked some domains whenever I noticed a pattern in any abuse reports, and finally recipients were able to easily do a permanent block themselves). In any case, running a messaging service even more difficult if you're a small guy and not Facebook or Google.
I've added more information about the details of the suspension in another post on here: https://news.ycombinator.com/item?id=24998922
Seriously, cut the ability to reply to emails and that should be fine.
There's no use case to send replies for an anti-spam. Never seen a registration process that required to reply to complete the registration.
Tip: The google postmaster tool can show you the reputation of your domain and how much of your outbound emails are going to spam. That shall give you an idea how well it's abused. https://www.gmail.com/postmaster/
The service has been sending out emails since about 2013. It only lets out a limited number of emails, and there's an anti abuse policy in place. The IP address always has a good reputation with Google and Microsoft, I am well aware of all the feedback loops.
There should be nothing even slightly surprising about this. OVH is a shitty company that will let anyone do anything they want until enough complaints are made. They don't communicate.
Guerrilla Mail should colocate some servers and/or find a company that is small enough to have humans with whom they can actually communicate.
I'm surprised that Guerrilla Mail havent at least put a temporary status web page up on their domain yet though..
I've been hosting the site on OVH since 2016. The site hasn't changed much during this time, and I've been quite happy with their services until now.
A little bit about Guerrilla Mail: It its' first and foremost, an anti-spam solution. Nowhere on the website it says that's an "anonymous email" provider. In fact, the email sending feature prominently warned the user that their IP address would be included in the headers of the email sent. (The sending feature was not for anonymous email, but for the rare chance that a user needed to send an email from there or reply. Guerrilla Mail is mostly used for receiving)
The timeline for the suspension went like this:
On October 12th, I received what seemed like a canned message from the OVHCloud Abuse team, saying that my server was (quote) "used for a fraudulent activity" and threatening termination within 48 hours.
There was no further details about the nature of the "fraudulent activity". I've replied to the message asking to give more details.
On October 16, I've received a reply, but still no details about the specific case. They mentioned that, their quote: "the problem here is clearly, that your service is too easy to use for fraudulent and illegal activities. ", further threatening to shut down the service within 7 days "if the situation does not improve". They also suggested a list of measures that the site should take.
I've replied informing that most of measures that they suggested were already taken, plus some other measures including an anti-abuse policy that has worked well over the years.
On October 19, I received a reply, this time hinting that I should pay them for an additional service, their quote "Maybe you see an option in using a service which lets you customize the Whois-Record, so your contact details can be mentioned for abuse instead of ours.".
I've started to deeply consider such a service, but before I would take it up, I wanted to get more info about the alleged law enforcement requests they receive, that are never forwarded, so I've asked them for more information about these once again.
On November 2nd, I received a reply, but still no details about the specific case, or the rate of such requests, questions that I've asked previously were ignored. Again, they were offering the additional service, their quote "change of infra to have your own abuse contact in registry info".
At this stage I was ready to buy whatever they were offering. I've replied to the email with only two sentences "Is there someone I can speak with directly on your team? Let's do a 30 minute call and reach an understanding."
On November 4th, I received a reply notifying that the server has been suspended.
Btw, if there's anyone at OVH that wants to look at the issue, it is WTLXFRCVSG.85a1
However in that type of case, OVH swap your boot to a rescue mode : https://docs.ovh.com/gb/en/dedicated/ovh-rescue/
You should be able to swap it to a normal boot mode.
You're right, currently the server is sitting in "rescue mode" and under OVH's instructions, I'm not allowed to swap it back to the normal hard disk boot. That's ok, I can still mount the disks manually via SSH and move everything out. So at least that's some good news - the server hasn't been seized.
The hosting bill has been paid up until December, so I'll will be looking to get a partial refund hopefully.
Anyways, gotta roll with the punches I guess. Thanks for your comment.
If you would like a free, temporary rsync.net account to assist in offloading or parking data just email info@rsync.net.
You can just rsync (or borg) over ssh to us.