Category Archives: spam

WordPress vulnerabilities when allowing subscribers

I recently was twiddling bits in the WordPress Admin console and noticed that people were not allowed to register for my blog.  Now, I’m not sure why anyone would choose to register, but I didn’t see any reason to stand in their way, if they felt the need.  So, I checked the box (or unchecked it, I don’t recall), which opened up that possibility.


Well, it didn’t take long before I had a bunch of subscribers, most notably with .ru email addresses.  So, given that, I’m wondering what kind of cracking, spamming, or other exploits are exposed by WordPress.  I simply can’t imagine why else a bunch of Russians would be subscribing to my blog.


Please forgive the obvious prejudice of my question.  Perhaps my stream-of-consciousness simply speaks to the Russian mentality (albeit not in the Russian tongue).  Yet, somehow, I doubt it.


Google announces Priority Inbox, only six days too late


I’ve come to the realization that email is destroying my productivity.  It’s not a distraction; it’s destruction.  There are days that I find I’ve gotten nothing done but handling emails.  It’s a completely victim-oriented approach to time management, having your day driven by what drops into your inbox.

So I began the process of separating all the chaff from the few grains of wheat.  I’ve created a dozen or so filters (they’re really all the same filter, but Gmail limits how long a filter can be) that move all the chaff out of my Inbox and assign a label named Subscription.  These are all the occasional reads, such as InfoWorld, NetworkComputing, etc., etc., etc.  My goal has been to have an empty Inbox, other than real emails sent to me by a person.

I’ve been at this for a week or so, and just when I’ve pretty much reached my goal, I see a little red link at the top of Gmail that says “Priority Inbox.”

Google is basically using their spam filter now to decide which emails are important to you.  The introductory video says that it’s based on things like what you open and what you reply to.  And you can train it by giving emails an “important” attribute.

A lot more elegant than my brute force filters.  But a week too late!  It will be interesting to see how my filters and Gmail’s Priority Inbox co-exist.

Which reminds me…

It sure would be nice if Gmail allowed you to deactivate a filter without having to delete it.  Of course, I can always mail myself a copy.  And mark it important.  ;-)


Free trial of Maileable

For years now, I’ve been managing my email, fighting spam, and spotting phishing emails through the use of an email routing system that I developed.  The problem with today’s email system is that anyone can put email into your inbox without anything more than your email address.  Yes, you can put things like filters, whitelists, and such into the mix, but they are, in my opinion, poor substitutes for a real solution to the problem.

My email routing system has to do with putting a configurable router in between all email senders and your inbox, so that no one has free, direct access to your inbox.  The key is to give different email addresses to different email senders.  As untenable as that may sound, it works extremely well and *is* absolutely manageable.  I’ve been doing it since a trip down the Colorado River in 2003 had me panicked about missing important emails because my 10MB mailbox was going to fill up with spam.

At that time, I devised what has evolved into today’s Maileable system.  Maileable is a turn-key email routing system that anyone can use to easily route emails from different sources to different destinations including the bit bucket.  And it can’t be spoofed.

Unlike email filters that try to ascertain an email’s legitimacy based on its content and other metadata (every bit of which can be fabricated), Maileable works on the To address of an email, the one and only thing you can count on to be correct.  If it’s coming to you, you know the email address it was sent to.  And that’s the only thing you need to know with Maileable.

This is the only system that works within today’s SMTP protocol and doesn’t rely on hope.  Filters make you hope that they catch the bad stuff and let the good stuff through.  Validation systems make you hope that the people and automated systems that send you email will go through the trouble of validating themselves to get past them.  Maileable is a solid system that puts the power in the email recipient’s hands, which is a place where it has never been before with SMTP.

The Maileable beta is now available for anyone to try.

The functionality is about 95% complete, but there are a few cosmetic improvements to be made.  Things will get prettier.  New and powerful features will be forthcoming, as well.

To understand what Maileable is and how it works, read the free Getting Started guide from https://www.maileable.com/GettingStartedWithMaileable.pdf.  It will walk you through the entire process in detail with dozens of screenshots.

If you’re a Windows user, you can download the free installer from http://maileable.com/prog/maileable-installer.exe.

If you use another operating system, I’m going to have to do some more research and coding before your version is available.  It would help me to know what operating system you use, so that I can prioritize my efforts.  If you want to weigh in on this, please send an email to Maileable support with your platform preferences.

I am eager to make this system widely available, so please feel free to tell others about the free beta.  I sincerely believe this is an important tool for protecting your identity, making your email work for you, and keeping you efficient.  It has certainly been all of that and more for me.

When it comes time to pay for this service, around late June, I will be offering irresistible pricing to beta testers, so please try this out and help me confirm that it works for you.  Stay in touch if things go wrong by emailing Maileable support.  And I’d like to hear your feedback, good or bad, so that I can tweak and adjust to make this the best possible product.

What an accomplishment!

Who ever would have thought that moving a blog could be such a major endeavor?!

For about three years, I’ve been running my blog on Pebble, a Java-based web app, running in Tomcat. For some reason, though, Pebble sort of lost its mind many months ago. I’ve been unable to post, or I could post and it would then vanish. My catalina.log file is loaded with stack traces from Pebble. Sometimes they come every few seconds. You can imagine how that adds up over months.

So, temporarily, I started blogging at another site, http://urlinone.com/blog, running WordPress. And in my Pebble template, I put a big header that said my blog had moved. Ugly.

Over the last couple of months, I’ve been slowly dealing with this issue. The first problem was moving all the Pebble posts to a new instance of WordPress. Unfortunately, they have completely different URL schemes, so, even if I could move all the posts, all the links out there in the world would now point to pages that WordPress couldn’t serve. Enter Ruby.

I used Ruby to spider my own site, creating directories and HTML pages to mirror my Pebble blog. This was complicated by the fact that, as I mentioned, Pebble had lost its mind. So, many pages that should have had content actually did not. And the links were, therefore, missing, as well. So my spidering effort ended up being a multi-step process of spidering a bunch of smaller, disconnected webs, rather than one big one. I also took this opportunity to zap all the spam comments, so they didn’t end up in my legacy blog.

At last, I uploaded all these now static blog pages up to my web host, so that all the old URLs will still find a page present (albeit static). Unfortunately, I forgot to remove the “This blog has moved” header from all the static pages, so I’ll have to go back and take care of that.

Next, I had to do an export from the temporary blog at http://www.urlinone.com/blog, so that I could import it into the soon-to-be new WordPress blog for http://www.leegrey.com/hmm. That, I’m happy to say, went very smoothly. One interesting note… My first export was done before deleting all the comments that Akismet had caught. It was 237KB. Then I deleted all the spam comments and did another export. 38KB. Sheesh! If only I was as prolific as the spammers.

Now came the real fun. I had to figure out how to modify the DNS zone file for the web host where Pebble is running, so that I could essentially split my domain. I only wanted to move my blog to the other web host running WordPress. All my other subdomains and my email, FTP, SSH, and such needed to stay put. I had never tried to do anything quite this sophisticated in a zone file before, but I spent some time learning about DNS, and it turned out to be pretty easy. The key was discovering that CNAMEs are basically aliases for A records.

All I had to do was create a couple of new A records for leegrey.com. and www.leegrey.com., pointing to the IP address of the server hosting WordPress. Everything else was using a CNAME that didn’t seem to be affected by my changes. The most confusing part was the fact that there was a record identified as @, which, in this case, represented leegrey.com. I was afraid that everything was going to break when I changed that to point to the foreign web host. It seemed like moving the root of a directory tree, so that everything below it would also be moved. Fortunately, I was able to simply comment out the A record for the @, explicitly define the two new A records, and the rest stayed as is. So far, it all looks okay. My only concern is the propagation delay with DNS changes. I’m not sure if I’m seeing cached info that will break in a couple of days. I’m most worried about my MX records being hosed and my email suddenly going silent.
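A way to confirm a split like the one described above before DNS propagation reveals a mistake: an added example in Python (not the author's zone file or tooling) that parses a constructed zone for example.com, checks that the apex and www now carry A records for the blog host while the MX record and its mail server survive, and flags any CNAME sitting beside other records, the rule that makes a CNAME at @ unsafe even though a CNAME otherwise behaves like an alias for an A record. The IP addresses are RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

NEW_HOST_IP = "192.0.2.10"  # constructed: the WordPress host (RFC 5737 range)
# Constructed zone after the split: blog names move, mail and ftp stay on the old host.
ZONE_AFTER_SPLIT = """\
$ORIGIN example.com.
@ IN MX 10 mail.example.com.
; @ IN A 198.51.100.5   <- old host, commented out as the post describes
@ IN A 192.0.2.10
www IN A 192.0.2.10
mail IN A 198.51.100.5
ftp IN CNAME mail
"""

RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.+)$")

def parse_zone(text):
    """Return (origin, {fqdn: {rrtype: [rdata, ...]}}) for one-record-per-line zones."""
    origin, rrs = "", defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments, e.g. the old @ A record
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := RECORD.match(line)):
            name, rtype, rdata = m.groups()
            if name == "@":
                name = origin
            elif not name.endswith("."):
                name = f"{name}.{origin}"
            rrs[name][rtype].append(rdata.strip())
    return origin, {n: dict(t) for n, t in rrs.items()}

def check_split(origin, rrs, blog_ip):
    """Findings that would break the move or, worse, the mail that stayed behind."""
    findings = []
    for name in (origin, "www." + origin):
        if blog_ip not in rrs.get(name, {}).get("A", []):
            findings.append(f"{name}: no A record pointing at blog host {blog_ip}")
    mx = rrs.get(origin, {}).get("MX", [])
    if not mx:
        findings.append(f"{origin}: MX record missing, mail would go silent")
    for entry in mx:
        target = entry.split()[-1]
        if target.endswith(origin) and "A" not in rrs.get(target, {}):
            findings.append(f"MX target {target}: no A record in zone (a CNAME is not allowed)")
    for name, types in rrs.items():  # RFC 1034 3.6.2: a CNAME owner has no other records
        if "CNAME" in types and len(types) > 1:
            findings.append(f"{name}: CNAME next to other records, a CNAME must stand alone")
    return findings
```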

All I can say is, it was fun using Pebble for a while. And I’m so happy to be on WordPress now! It’ll be a long, long time before I change blog software again.

Can you identify the source of your spam? Can you shut it down?

It’s amazing what I can see, thanks to the use of domain-specific email addresses. I can see when one company uses another company’s mailing list. I can see when a company doesn’t honor its unsubscribe requests. I can also see when a company’s mailing list has been compromised.  Best of all, I have the power to do something about these things.

I’ve gotten at least five Nigerian scam emails from the yoursqueezepage.com mailing list in the past 24 hours. They’ve been hacked.

Since I know that, I can surgically shut down that address without having to go through extreme measures like changing my email address, so that I can keep the infected email away from the healthy stuff.  It’s a kind of quarantine that doesn’t rely on magic spam filters.  This system simply works, and I’m in total control.

You can learn more about it at http://www.phishproof.com.
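The routing idea from the Maileable post above and the per-address quarantine described here, as an added example in Python (not Maileable's code): every sender is issued its own address at a constructed domain, each message's fate is decided by the envelope recipient the MTA accepted (the RCPT TO address, which a sender cannot fake the way From or Subject can), and a compromised address is shut off on its own while the rest keep working. The domain, labels and sample message are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

class RecipientRouter:
    """Routes mail by the address it was sent to, never by its content."""

    def __init__(self, domain):
        self.domain = domain.lower()
        self.routes = {}       # label -> destination mailbox
        self.disabled = set()  # labels shut down after a leak or a hack
        self.log = []          # (label, From address) audit trail

    def issue(self, label, destination):
        """Hand one sender its own address: label@domain delivers to destination."""
        self.routes[label.lower()] = destination

    def shut_down(self, label):
        """Quarantine one address; every other issued address keeps working."""
        self.disabled.add(label.lower())

    def route(self, envelope_rcpt, raw_message):
        """Decide one message's fate from the RCPT TO address the MTA accepted.
        Headers are parsed only to record who wrote to which issued address."""
        local, _, dom = envelope_rcpt.lower().rpartition("@")
        if dom != self.domain:
            return ("reject", None)  # not addressed to our domain at all
        sender = parseaddr(message_from_string(raw_message).get("From", ""))[1]
        self.log.append((local, sender))
        if local in self.disabled:
            return ("quarantine", local)
        if local in self.routes:
            return ("deliver", self.routes[local])
        return ("drop", None)  # never-issued address: straight to the bit bucket

def senders_seen_on(router, label):
    """Who has written to one issued address: spots shared or leaked lists."""
    return sorted({s for l, s in router.log if l == label.lower()})

# Constructed walk-through: one list gets its own address, then gets compromised.
SAMPLE = ("From: News <news@list.example.net>\r\n"
          "To: newsletter-a@example.com\r\nSubject: hi\r\n\r\nbody\r\n")

def demo():
    r = RecipientRouter("example.com")
    r.issue("newsletter-a", "inbox")
    first = r.route("newsletter-a@example.com", SAMPLE)   # ("deliver", "inbox")
    r.shut_down("newsletter-a")                            # scam mail started arriving
    second = r.route("newsletter-a@example.com", SAMPLE)  # ("quarantine", "newsletter-a")
    return first, second, senders_seen_on(r, "newsletter-a")
```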

What the heck is that?!

I happened to spot this in my GMail spam folder. I’ve never seen a character like this in a browser before.  It reminds me of the old days, where individual characters could be constructed by setting each bit.

I don’t understand where my machine would get a font with such a character. I can only think of malevolent reasons for it being there. Any thoughts on how this can happen?  Is this a new virus vector?