Email Address Validation In Web Apps
If you’ve ever signed up for some sort of web-based application, you’ve likely been asked to supply your email address. Often, the email address isn’t used for anything more than sending you information on specials or sales or whatever. But in more and more cases, the email address you supply is used as a way to reset the password for your account on the web application. And in both these cases, if the web application doesn’t verify your email address (by sending you an email first) you should make darn sure that you enter in the correct email address. If you don’t believe me, read on.
Regardless of how the email address is to be used, a validation of some kind should be required before the user can continue and/or the email address is used. It’s a win/win situation for both sides; the user wants to ensure that their account on the web app is safe and that they can reset their password if required, and the web app owner wants to ensure that they aren’t sending email to someone who doesn’t want it. That said, I’m sure most users get annoyed when they are forced to wait for some sort of validation email to arrive. Yes, I agree it’s a pain, but you’ll be much happier than the guy who signed up for an Expedia.com account and used my google email address as his contact email (in his defence, his first and last name are the same as mine).
It started on November 4, 2005 when I received confirmation of a trip to the Turks and Caicos booked via Expedia.com. The itinerary detailed the trip times, flight numbers and passengers. But it wasn’t my expedia.com account (I don’t have one) and I certainly didn’t book the trip to the Turks. In the interest of being a good citizen, I tracked down a support email address for expedia.com and sent them a nice note explaining that this user had obviously entered in the wrong email address. The reply from Expedia.com came six weeks (yes, SIX weeks) later, and they had this to say:
Please accept our apologies regarding the misunderstanding with your account. It seems that the account holder may have entered an incorrect e-mail address, which is why you have been receiving confirmation e-mails from Expedia. You may keep getting more emails from Expedia.com in the future and it may take a while until they change it. Meanwhile, we ask for your patience in this matter.
I figured that meant that they would contact the customer and let the customer know that the wrong email address had been entered. It would then be up to the customer to change the email address. Okay, seemed fine. Except that emails from expedia.com continued to arrive telling me about various specials they were having… for another two months. And when another travel itinerary arrived yesterday, I decided enough was enough.
So I went to the expedia.com website and went to the sign in page. Lucky for me, Expedia.com has a link that allows me to reset my password and even sends the login account number to the email address they have on file. And mere moments later an email had arrived from expedia.com with my account number and a link that allowed me to reset his password. So I logged in and changed his email options so no more special offers or other similar information emails would be sent to me. But then curiosity got the best of me and I continued to peruse his account. I now know his phone numbers (he lives in New Jersey), the address of his emergency contact (also lives in NJ and has the same last name), and the name and phone number of his travel companion. This is where it gets interesting; the two trips he’s taken so far have been short trips to resort-type destinations on odd dates and it’s been with a woman who lives in Connecticut. Seems a bit suspicious to me and you’d think he’d be a bit more careful with that kind of information.
In any case, the story ends here. As of this afternoon, his account password is still the same as what I changed it to yesterday and I suspect that it will remain until such time as this other Douglas plans another trip. But the important thing here is to remember that when a web application imposes some constraints on you, whether it’s the length of your password or the need to have a number in your password or email validation, it’s very likely that the web application designers are doing it for your own good and not to annoy you.
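As an added example (not Expedia’s code or anything from this blog), here is the gate the story argues for: an address is recorded as unverified at sign-up, becomes trusted only when the address holder presents the one-time token mailed to it, and password-reset mail is refused for any address that never passed that step. The account store, token lifetime and outbox are assumed stand-ins.

```python
import hashlib
import secrets
import time

# Added example, not Expedia's or the blog's code: an account store that only trusts an
# email address once its holder has proved control of it. Shapes below are hypothetical.
VERIFY_TTL = 24 * 3600  # seconds a verification token stays valid (assumed policy)

class Accounts:
    def __init__(self, now=time.time):
        self.now = now
        self.accounts = {}   # account_id -> {"email", "verified"}
        self.pending = {}    # account_id -> (sha256(token), expires_at)
        self.outbox = []     # (to_address, message) pairs that would be emailed

    def register(self, account_id, email):
        """Record the address as unverified and issue a one-time verification token."""
        self.accounts[account_id] = {"email": email, "verified": False}
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked table must not let anyone complete verification.
        self.pending[account_id] = (hashlib.sha256(token.encode()).hexdigest(),
                                    self.now() + VERIFY_TTL)
        self.outbox.append((email, f"verify:{token}"))
        return token  # returned so the caller can hand it to the mailer (or a test)

    def verify(self, account_id, token):
        """Mark the address verified iff the token matches and has not expired."""
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if self.now() > expires_at or not secrets.compare_digest(digest, presented):
            return False
        del self.pending[account_id]           # one-time use: no replay
        self.accounts[account_id]["verified"] = True
        return True

    def request_password_reset(self, account_id):
        """Send reset mail only to a verified address; otherwise send nothing."""
        acct = self.accounts.get(account_id)
        if acct is None or not acct["verified"]:
            return False
        self.outbox.append((acct["email"], f"reset:{secrets.token_urlsafe(32)}"))
        return True
```

With this in place, a customer who mistypes someone else’s address never gets a reset link delivered to that stranger; the worst outcome is one unanswered verification mail.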
How To Lose Five Hours
Wanna lose five hours of your life? If so, it’s easy. Simply fire up Enemy Territory and get into the zone. I’ve now done that several times over the past couple months. I’m not entirely sure how I feel about that, either. On one hand, I love playing the game and totally get right into things. While I do end up XP hogging a bit and try to move up the promotion chain, I also try to ensure I play an appropriate soldier ‘type’ that is needed based on the map being played. But on the other hand, as I write this close to bedtime, I feel like I’ve wasted some good programming hours. Perhaps I should simply be happy that I’m in a position to think about things like this.
As a side note, although I’d love to say that playing Enemy Territory is wasted flying time, flying as a hobby costs far too much money to do whenever there’s free time to be had.
Disneyland Trip - prep
Tomorrow, Ali and I are heading to LAX to spend three days at Disneyland. The best part, aside from actually visiting Disneyland again (I went a long time ago as a kid), is that Ali has _NO_ idea that we’re going. At this point all she knows is that tomorrow morning she needs a suitcase full of clothes. Here’s hoping it’ll all work out. It’s a surprise for her birthday so it should be fine.
I booked everything months and months ago and it’s taken all my energy to keep it all a secret. And not just from Alison but from everyone, since who knows who Ali might talk to who might give it away, either on purpose or by accident.
I’m going to set up a personal blog site on Ali’s website so once I do, I’ll be getting her to blog her perspective of the trip.
KDE 3.5.1
I just noticed that KDE 3.5.1 was released this morning. As per normal, Gentoo is a little behind given that the stable version in the portage tree is 3.4.3. I feel like a bit of a broken record since this is a repetitive story; I’ve been running KDE 3.5.0 on Gentoo since it was released with no issues. And as per normal, I will be building KDE 3.5.1 and expect few, if any, issues to pop up.
Update: I’ve been running 3.5.1 now for a week with no issues; if you run Gentoo and you’ve been waiting, I see no real need to wait. So start building.
Good things come to those who hack
I read this article about a hacker who ran a zombie network that he claimed contained as many as 100,000 computers. Now caught, the potential exists for this 20-year-old to spend four to six years in jail. While I realize that a need exists for the prison system, I wish that it wasn’t the case. More often than not I think people end up worse coming out of jail than they were going in. However, in this case, considering last week’s struggle with zombie-network-based referrer spam, I find myself giggling with glee and hope for nothing but the ’worst’ in jail for this guy. Perhaps that makes me a bad person, but then again, I always believe that 99.9% of the time, you ’get’ what you deserve. [You read into the italicized words as you see fit].
Dell NBD Service
I bought my Dell Latitude C840 notebook a little over three years ago and I was smart enough to get next business day service for it for a four year period. While I haven’t used the service all that much, I’ve used it enough that I feel it was worth the extra cost. Today I had my fans replaced for the third time. Normally I would think that this is perhaps a quality issue but when you consider that my fans are running almost all the time, I don’t feel that the quality is poor. They are little fans and they probably run 2500 hours or more a year. In any case, I called Dell on Friday and on Monday morning I had a contract tech from Dell replacing my fans. And when my BIOS clock was failing, they had a new motherboard for me the next day too. Compare that with warranty service where you take the laptop back to the point of purchase or, worse, mail it back for depot service. When you rely on your notebook to do your job, suddenly the extra $300 for three more years of coverage doesn’t seem so bad, does it?
When at work, I have my notebook docked and because of a poor design, the docking station somewhat blocks the flow of hot air pushed out of the laptop by the fans. As such, my notebook tends to run a bit hotter when docked, and at least one of the fans is running throughout the day. Interestingly enough, the Dell BIOS doesn’t have the fans come on until the temperature reaches the mid sixties, which to me, seems awfully high. But luckily enough there is a nice set of utilities for Linux that allow me to monitor the temperature and fan speeds and thus keep the temperature much lower. I used to do that manually until I discovered an even cooler plugin for GKrellM called i8krellm that monitors the temperatures and automatically turns on the fans as appropriate when certain temperature levels are reached. That ultimately means that my fans last longer since they only come on when needed and more importantly it means a longer overall life for my notebook.
And for the past year I’ve been considering a new Dell notebook. But at this point I can’t see it happening. My C840 is a 2 GHz Pentium 4 M. But after the C840 was discontinued and they moved onto the D-series, they dropped the CPU speeds down to 1.x GHz on Latitude notebooks and it’s only recently that they brought out the D840 which finally has a CPU speed that rivals my three year old notebook. I guess most business customers (Latitude is mostly geared for business) don’t need high speed for compiling (and playing Enemy Territory) like I do.
Referrer Spam - Followup
I thought I’d follow up my referrer spam entries with some details on the results of my efforts. As of this afternoon, instead of the blog server being bombarded with referrer spam hits, only 1.3% of the hits are referrer spam that are getting past my new redirection setup using Apache’s mod_rewrite module. Apache (the web server) is still getting the same amount of hits from those zombie networks but thanks to mod_rewrite, the resulting bad referrer page is only 854 bytes in size and doesn’t hit the blog application whatsoever. This means less traffic for sure, but more importantly, it means less strain on Roller (the blog application) and as a result less strain on the database used by Roller. And when spam sneaks past Apache, 99% of that gets blocked by Roller, which returns a 403 error if there’s no referring link back to this blog. And when I see those in the Apache logs, I adjust the Apache configuration.
So how did I accomplish this successful referrer spam blocking? As I mentioned, I’m using Apache’s mod_rewrite module and started with a config file I got from Dave Child’s blog. You can see that file over on Dave Child’s blog or, if you want something more recent, you can grab the most recent referrer spam blocker file that I’m using.
Quake 4
I tried the Quake 4 demo, conveniently available for Linux, earlier this week using my poor Dell Latitude C840, with a 2.0 GHz Pentium 4, 768MB of RAM and a 64MB NVidia GeForce4 Go. Unfortunately, the game was barely playable, even at the lowest resolution and with various special effects turned off. Of course, even had the game been playable, I’m not sure I’d be all that interested in playing it like that. When you play any game associated with id Software you want to do so at high resolution with all the bells and whistles. Otherwise, you’re missing all the reasons to play the game in the first place.
So, I guess Quake 4 will have to wait until I get around to dropping some cash on a new home machine. And given that my laptop is under warranty for another year still, I can’t see it happening anytime soon.
Referrer Spam - Day 3
In the continuing saga of Douglas vs. the blog referrer spam, I think I can finally say that while the war continues, the initial battle is over. And the war is more of an Internet war, being fought by system administrators around the globe. In any case, for now I have given up trying to stop the referrers at the firewall level, though I have some ideas that I may pursue in my spare time. Until those ideas get implemented, I’ve settled on an Apache-based solution, in addition to the Roller changes mentioned yesterday.
Thanks to some Google searches, I landed on Dave Child’s page on blocking referrer spam using Apache’s mod_rewrite. You can see the details on Dave’s site and I’ve taken his list and updated and modified it. If anyone wants my list, I will be updating it regularly and would be more than happy to share.
To see the way it works, simply go to an ’Airplane Fetish’ page that I set up. Apache doesn’t look at the page contents but instead looks at the referring URL, which in this case will be sent along by the browser. Apache will catch the “-fetish” in the referring URL and instead forward you to a friendly page explaining what just happened and giving you a few options. I did this on the off chance that my rules catch something that isn’t really referrer spam, such as the link above which is clearly just a page written by a guy who loves airplanes.
If you have referrers turned off in your web browser, you won’t see anything, but then again I’m not trying to stop that. A typical referrer spam looks like this in the logs:
216.203.40.167 - - [18/Jan/2006:14:48:41 -0700] "GET /roller/page/downey?catname=/Games HTTP/1.1" 200 854 "http://www.some-bad-domain.com/keyword1/keyword2/etc/keyword-N.html
The bad guys are trying to get their domain, www.some-bad-domain.com, to show up in my referrer list with the hopes that either someone viewing the page will click on the link or that when Google slurps up the contents of the page, it will see the link to some-bad-domain.com and increase that domain’s rank in their search results.
The irony of this whole thing? We don’t ever have referrer lists on our blogs. Nice.
Referrer Spam Continues
I spent some time today adding IPs to the block list on the blog server’s firewall. Fun times. As fast as I could add one IP, another two would show up. I finally gave up and started looking at other options. The mod_evasive Apache module didn’t work because the referrer spamming program is smart enough to not hit the site from the same IP within 30 or more seconds. I’ve started looking at other options at the Apache level.
I’ve also enabled a few features on the blog server that should help, but only after the referrer spam has reached the blog application, which can cause unnecessary drain on resources. The first of these options is that referring URLs containing various keywords are ignored and an error page is returned. This shouldn’t be an issue for any regular readers who read the Zymeta-based blogs via an RSS reader or a bookmark. The second option I enabled is Roller’s Linkback extraction, which means that if the referring URL doesn’t actually contain a link to the page being requested, an error page is returned. The downside to this second option in particular is that accessing a page will be slower.
Regular readers shouldn’t notice much in the way of difference but if anyone encounters any problems, please let me know. Oh, and if any zombie network owners are going to be in Calgary anytime soon, let me know ‘cause my shotgun has a few words to say to you.
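As an added example (not the blog’s mod_rewrite rules or Roller’s own code), this puts the two checks from these referrer spam entries side by side: the keyword match on the referring URL that Apache applies in the “Day 3” entry, and the linkback check Roller applies as described here, run over constructed log lines in the same shape as the one quoted above. The blog host name, keyword list (apart from “-fetish”, which is from the entry) and the page fetcher are assumed stand-ins.

```python
import re
from urllib.parse import urlsplit

# Added example, not the blog's mod_rewrite list or Roller's code. Keyword list and host are
# constructed stand-ins; only "-fetish" comes from the blog entry.
SITE_HOST = "blog.example.org"
SPAM_KEYWORDS = ["-fetish", "casino"]
LOG_RE = re.compile(  # Apache combined log format, user agent optional
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)"(?: "(?P<agent>[^"]*)")?')

def parse_line(line):
    """Split one log line into named fields; None if it is not in the expected shape."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_matches_keyword(referer):
    """mod_rewrite-style check: a listed keyword anywhere in the referring URL."""
    return any(k in referer.lower() for k in SPAM_KEYWORDS)

def has_linkback(referer_html, requested_path):
    """Roller-style linkback extraction: does the referring page link to the requested page?"""
    wanted = requested_path.split("?")[0]
    for href in re.findall(r'href=["\']([^"\']+)', referer_html, flags=re.I):
        u = urlsplit(href)
        if u.netloc.lower() == SITE_HOST and u.path == wanted:
            return True
    return False

def classify(line, fetch):
    """Return 'pass', 'keyword' (Apache answers with the small redirect page) or
    'no-linkback' (Roller answers 403). fetch(url) returns the referring page's HTML or None."""
    rec = parse_line(line)
    if rec is None:
        return "unparsed"
    ref = rec["referer"]
    if ref in ("", "-") or urlsplit(ref).netloc.lower() == SITE_HOST:
        return "pass"              # browser sent no referrer, or it is an internal link
    if referer_matches_keyword(ref):
        return "keyword"
    body = fetch(ref)
    if body is None or not has_linkback(body, rec["path"]):
        return "no-linkback"
    return "pass"

# Constructed sample lines in the shape of the entry's log line, user agent appended.
SAMPLE_LOG = [
    '216.203.40.167 - - [18/Jan/2006:14:48:41 -0700] "GET /roller/page/downey?catname=/Games HTTP/1.1" 200 854 "http://www.some-bad-domain.com/keyword1/keyword-fetish.html" "Mozilla/4.0"',
    '10.0.0.7 - - [18/Jan/2006:14:52:30 -0700] "GET /roller/page/downey HTTP/1.1" 200 12000 "http://friend.example/links.html" "Mozilla/5.0"',
]
FAKE_PAGES = {"http://friend.example/links.html":  # constructed stand-in for fetching the referrer
              '<a href="http://blog.example.org/roller/page/downey">Doug</a>'}
```

Running `classify(line, FAKE_PAGES.get)` over the samples sends the first line down the Apache keyword path and lets the second through, because the friend’s page really links back; a referrer whose page cannot be fetched or carries no link back is the case Roller turns into a 403.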