The Tutanota Bluff

I've read around that the people at Tutanota (the email provider that promises not to spy on you, because it gets others to do it for it) are screaming about being blocked by AT&T. And my take is not of the "since you're a bad guy, they are right to ban you" kind, but rather "since you're a bad guy, they are right to protect their users from you".

So first we need to understand why the Tutanota people are bad. You will have heard of the "false sense of security", that is, the phenomenon that leads you to think you are safe while in reality you are in danger. And a false sense of security does nothing but lead you into danger more often.

Here, Tutanota does exactly that.

How does it do it?

They say "hey, we don't spy on you. Your email is all encrypted, and blah blah blah, and we are open source (there would be something to say about that too), and therefore if you use us your email will NOT be read by anyone".

This would be true if everyone had an account on Tutanota: if A and B both have an account on Tutanota, the messages do in fact stay on Tutanota's servers. So, GRANTED that they can't spy on you, the messages would be safe.

But the problem is that A and B are often not both on Tutanota. And so far, you say, that is their own problem: if you are stupid enough to go to a provider that spies on you, it's your fault.

Almost right. Because Tutanota pushes you toward a provider that spies on you. How? By implementing blocklists that in practice let through ONLY the biggest spying companies on the planet.

[Image: SMTP delivery log, captioned "The Tutanota Bluff"]

Tutanota is a German company, which runs its services in Germany. The address of the SMTP server used here was in the cloud of Hetzner, another German company.

The log above was made by sending the email from a German server in the Hetzner cloud (so one under the same privacy legislation as Tutanota, the legislation Tutanota uses as a "guarantee" of privacy)

[Image: second SMTP delivery log, captioned "The Tutanota Bluff"]

and it shows you one thing: Tutanota is blacklisting practically everyone, except the usual Gmail, etc.

Not even other German clouds (which would be just as "privacy-friendly" under the same constitution, GDPR, etc. etc. etc.) are acceptable. If you want to talk to a Tutanota user and you care about privacy, either open an account on Tutanota or use a mail provider that spies on you.

In practice, if we look at the set of blocklists that Tutanota uses, we find that:

  • All residential and mobile IPs are banned. In practice, if you are the Snowden of the situation, you cannot keep your SMTP server on a Raspberry Pi at home, or on your laptop connected to the wifi of an airport. No. You have to go through Gmail, or connect directly to their web interface, which tracks your computer as usual.
  • Almost all clouds are banned. So if you are an uncomfortable journalist or a whistleblower, you can't simply open an SMTP server somewhere, use it to send your emails (maybe via an SSH tunnel, so that they seem to come from localhost), and then close it.
  • Many corporate mail servers are banned. Among the banned are banks, energy companies, and more. Moral of the story: if you are a whistleblower and want to reveal their wrongdoings, you have to go through Gmail, Outlook and the others.

This is the cunning of the new "privacy" providers: data theft is evolving. It is evolving by creating honeypots. In practice, some e-mail providers present themselves as "privacy saviors", but then cleverly exploit techniques their users know nothing about to get around the problem.

Of course, the Tutanota user feels safe. He will therefore start corresponding with everyone from Tutanota; a pity that this forces everyone else to have an email address with a provider that spies on you. But you will say: hey, you can always open an account on Tutanota and talk Tutanota-to-Tutanota.


And here it turns out that AT&T blocks Tutanota, exposing the bluff. Exposing the bluff means this: if the only way to communicate with a Tutanota account is to have an account on Tutanota, then a rogue state that wants to block everything only needs to block a single DNS record. And we are lucky, because in the end AT&T only blocked that server: what if it had been spying on the traffic instead?

And above all, what if the outage is due instead to a clumsy attempt to spy on the traffic, if not to an espionage system that just needs a little time to get up to speed?

The answer is that we don't know, since the only SAFE way to use Tutanota is to go through the Tutanota web interface and write to another Tutanota user who does the same: the alternative is to go through a mail provider that spies on you, the only kind authorized to send and receive email from Tutanota.

As I have already written, I am a great lover of the decentralization of the Internet, which was born precisely for that, but what I see here is simply a blacklisting policy that requires the centralization of email, that is, the big public blacklists.

Now the whiners will come and explain to me that spam exists. But to fight spam you don't need to ban residential IPs, nor do you need big blacklists, which everyone uses and yet your SPAM folder is still full of crap.

Blocking spam is much, much, much easier. You can do it with OpenSMTPD using a single configuration line.

[Image: OpenSMTPD configuration line, captioned "The Tutanota Bluff"]

The last two parameters, "tls-require" and "verify", together form a terrible pair for spammers. First of all they force the server to accept mail only over an encrypted connection. But the second, "verify", forces the sender to present a valid certificate (which today can also be obtained for free, using Let's Encrypt).

The fact is that providing a valid certificate for every SMTP server is practically impossible for spammers. In theory they could do it, but the cost would be excessive. And in fact, they never do. Result: even though my server is visible and gets probed by bots, I receive no spam.

Similar configurations can be made on Postfix and other servers, and are more than enough to keep "suspicious" SMTP servers out of circulation. A serious person who wants to self-host on a residential IP, however, only needs a (free) dynamic DNS and an ACME client to get a certificate. The spammer cannot, because both dynamic DNS and ACME servers have rate limits, so the spammer could create only very few certificates and very few DNS records, too few to work.
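As an added example, not the configuration from the post (the post's own line was in a screenshot that is not reproduced here), this is an smtpd.conf fragment for OpenSMTPD that applies the two keywords the post describes, "tls-require" and "verify", on the listening socket. The hostname mail.example.org, the certificate and key paths, and the interface name are placeholders to be replaced with your own.

```conf
# OpenSMTPD smtpd.conf fragment (added example, not the post's own line).
# "mail.example.org", the file paths and the interface are placeholders.

# Server certificate and private key presented during the STARTTLS handshake.
pki mail.example.org cert "/etc/ssl/mail.example.org.crt"
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"

# tls-require : refuse any session that does not issue STARTTLS before
#               sending anything else, so plaintext delivery is impossible.
# verify      : additionally require the connecting client to present a
#               certificate that validates; a peer without one is rejected
#               before it can hand over a message.
# "egress" is the OpenBSD interface group for the default route; on Linux
# use the interface name (e.g. eth0) instead.
listen on egress port 25 tls-require verify pki mail.example.org
```

Note what "verify" trades away: every peer that does not present a validating client certificate is refused, including legitimate mail servers that were never set up to send one. That is exactly the trade-off the post accepts, since a serious self-hoster can obtain such a certificate through an ACME client, and it is worth checking your own logs for rejected legitimate senders after turning it on.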

So no: spam is not an excuse.

In my opinion Tutanota is one of those "new generation" data theft services: these services do not read the mail themselves; they push, on a statistical basis, the people who use email to rely on other providers that spy, by blacklisting the SMTP servers that might actually be FREE.

In fact, data theft has evolved: we went from a situation where they said "give me your data in exchange for the free service" to the day they say "here's my free service, and I won't take your data: simply, my friends will take it, since I force you to deal with them".

An email service that aims to protect privacy should today do the opposite: blacklist the email providers that spy, so as to DISCOURAGE others from using them, and encourage small SMTP servers, the self-hosted ones, those in the clouds, those at domestic users.

That is, they should push decentralization.

But coincidentally, they use blacklists that do just the opposite.
