I was a law student who got sick of legal practice, and found my passion for programming through luck. I actually wrote a reflective blog piece on my journey recently if anyone is interested - https://medium.com/@fabianterh/celebrating-1-year-as-a-softw...
(It's not paywalled and I don't earn a single cent, so I hope this isn't against the rules)
Quarantine is really, really boring, and I wanted to count down to my last day with a way to visualize my progress. I didn't need event names, background images, or fancy functionality. I just wanted something stupidly easy to use that counted down with a visual progress indicator.
I couldn't find any website that had what I wanted, so I built my own.
No, you're not misunderstanding. I guess I made that statement with the implicit trust of AWS so I didn't think to qualify it.
You're absolutely right that if AWS is a bad actor it has access to all the information, but I'm working on the assumption that it's more profitable to AWS to be a good actor than bad.
> No, you're not misunderstanding. I guess I made that statement with the implicit trust of AWS so I didn't think to qualify it.
But that doesn't change that you are trusting a third party?! I mean, if that were to count as "you don't have to trust a third party", then anything does. Use gmail, so you don't have to trust a third party (except for the implicitly trusted Google)! Use Facebook, so you don't have to trust a third party (except for the implicitly trusted Facebook)!
There is nothing necessarily wrong with trusting any one of those. But then you don't get to claim "no trust in third parties required!"
> You're absolutely right that if AWS is a bad actor it has access to all the information, but I'm working on the assumption that it's more profitable to AWS to be a good actor than bad.
Well, for one, see above. But also: is it? Is it really more profitable to keep your data safe than to give the NSA access and in return get some of the good government contracts, say? Plus, trust isn't just about them not screwing you over intentionally, it's also about incompetence.
I'm working on the assumption that they have a contract with the CIA for hundreds of millions, and likely wouldn't get caught skirting the rules if it suits them - or can buy their way out if they did.
The trust reason is theoretical - in practice, I would trust most decently large services especially for unimportant marketing emails (main use case).
My primary motivation in doing this was to learn to use AWS and Serverless framework and also because I really enjoy working on pet projects :)
Could you explain why email isn't trusted? It's encrypted (vs SMS) so I'd imagine it's a far more secure way of communicating sensitive information (e.g. bank statements or one time passwords).
No worries, thanks for the feedback (I appreciate all feedback whether positive or negative).
A catch-all email address is actually less complex to build and test, but there are a couple of reasons I chose to use this approach:
1. It seems that in the workflow you described, there is some work to be done in setting up an inbox filter/black-holing the email address too. In a way, my workflow simply shifts this work to the start?
2. I don't think it's laborious because I don't really need new email addresses that often. It's also really easy to generate a new email address imo - no logins or portals required, just email generate@mydomain.com and you get a reply with an email address within seconds.
3. You're welcome to fork it and tweak it for personal use too if you want! :) I'd love that.
1. I don't really think your workflow shifts any work over the catch-all workflow, it simply adds another step. In my workflow I essentially already have that alias you create in your first step. Then, if that alias gets abused, both systems require shutting off that alias.
2. Yeah, that's definitely just a different usage pattern. I'm one of those folks that enjoys testing out different onboarding workflows, etc, so I'm constantly signing up for services, etc.
3. I'm quite happy with the alias approach, but best of luck with the project :)
Thanks for linking! I would have linked directly to the blog post but I believe it's against the rules of Show HN, so I chose to include a link in the readme instead!
Yeah and seems like the big providers don't like self-hosted emails. I know someone who runs a hosting company using cPanel and his clients' emails go to spam a bunch even though not spammy emails, his answer is to just pay extra for Google Apps and that running an email server is too complicated. Not sure how true that is... For my own future projects I plan to run everything in containers, Node, etc so not PHP/MySQL so still need to host the email somewhere, kinda hate the idea of paying a third party and wonder how they would handle shared inboxes (like piping email to a script like you can with a cPanel server). Probably other email solutions though to look into though but haven't looked into it too much yet but kinda hate how we have to rely on large providers it seems for email.
Then sounds like people running WordPress or support help desk scripts with contact forms forwarding to their Gmail, etc is a problem too... Those services think your server is the source of spam.
But maybe it's worth paying for a third party email server for your staff and also a service with APIs for programmable sending/receiving since you don't want emails to customers like password resets, receipts, etc going to spam. I noticed even when I mark someone's emails as not spam they keep going to spam, I don't check my spam daily but sometimes they have to send me an IM to let me know they emailed them...
I feel like might be forced paying though instead of self handling email. Kinda feels like giving the mafia some extortion money for protection though in a way. Plus email is a bit broken in the first place, open and all is great but opens itself up to abuse to spammers and scammers.
Hosting company cPanel servers are a bit of a special case though. I've run these before and once customers start installing WordPress it can be a matter of hours before a bad plugin gets turned into a spam bot. It's at a point where blocking port 25 outbound is a responsibility imo.
WordPress contact forms are routinely abused - I regularly see forms where you enter a victim as "my address" and then it helpfully copies the message to the spam recipient. There's always a web designer who wants it this way for UX reasons, even when I've shown how it's abused.
Yep, contact forms in WordPress but even non WordPress sites too. Then of course if you got a plugin to detect brute forces, seems like WordPress sites get a ton of them! Probably because you can detect if a site runs WordPress or not, so bots use that.
Sounds like the only solution to contact form spam might be rate limiting and/or captchas but even bots can bypass captchas too unless you use one like Google reCaptcha maybe but sucks your system has to rely on third party services then.
Oh wow, I was under the assumption that Google Apps (now called G-Suite but I always remember it as the original) kinda gave you a guarantee if sending to other Gmail people and probably other big providers like Microsoft, Yahoo, etc would trust Google more too.
I'm far from shipping from what I'm working on though, but before going live want to get email set up for the main company website and product website for me and future staff, then want to be able to send emails for notifications, password resets, etc and then also have scripts receive and parse emails for replies to put into a database for the support portal part of the product domain but getting ahead of myself. Not sure if the product site would have users to people or just be all scripted sending/receiving while the main site is mostly emails hosted for humans.
I think one strategy would just run a mail server and have a script download the emails to the database and delete them, since I doubt many solutions support more of a webhook type setup.
Yeah, this is an issue I'm planning to work on. The reason I chose to release it before supporting attachments is that for my use case for receiving marketing emails (this project is primarily for my personal use, rather than as public software), there are almost never attachments.