MBF Newsletter Mail Merge Mistake
Feb 2nd, 2010
Either someone is doing an excellent job phishing for MBF member details, or they screwed up sending out their most recent email newsletter.
The newsletter’s subject is “Your chance to win 10K worth of prizes” and it contains the following text:
Hi William,
At MBF we want to help you get the most from your health insurance.
Register to receive our updates via email today and we can help to keep you healthy and happy.
To register click here, login to myMBF and make sure you complete your contact details and update your communications preferences to email. If you’re already registered, make sure you check your details in case anything has changed since you last visited.
Two things immediately jump out at me here:
- My name isn’t William. Something has gone wrong with their mail merge and it’s put someone else’s name on my email. Embarrassing, but not fatal.
- I have all my MBF communications set to ‘post’ – all email options (that I can find) are switched off.
To complicate things further, the links are all of the form: http://p1.eservicesesp.com/cts/click?q=randomcharactershere – no doubt this is a mailing service that they’re using to track newsletter click throughs, but to a casual observer, it looks like it might be a phishing attempt.
The net result of this email is that it looks like a phishing attempt. But it’s almost certainly just a screw-up on behalf of MBF and/or the marketing agency they’ve employed to handle their bulk emails.
To make things even more painful, there’s no easy way to report the problem to MBF listed in the email (a simple “if you believe you have received this message in error, click here” link would have done the trick), or on their website. Even logged in, you don’t get an option to provide feedback over the web or via email – you have to use the phone or write them something called “a letter”.
Sending newsletters to lots of people is hard. But it’s not that hard. We’ve done it at Mammoth every week for almost eight years, sending millions of emails to hundreds of thousands of subscribers, so if you need some advice on how to do it right, maybe you should ask us.
Comments: 0 --
Advertising Tricks Using GeoIP
Jan 5th, 2010
This story does not make web advertisers look good, although it’s almost so obviously phony that it barely warrants mentioning.
I randomly clicked on an island ad on a site that I was visiting (I sometimes do this to give them a click-through and show some support).
I got sent to the URL http://www.newswebdaily.com/health/white-teeth/index1.php, which then redirects to a new URL with a few different parameters in the query string.
It’s an ad that tells the story of Becky Bell, a teacher who wanted to try a teeth-whitening product:
For a split second, I thought “wow, that’s weird – she’s in Brisbane, Queensland, just like me!” Then I decided that seemed a bit too much like a coincidence, so I activated my US-based proxy server (handy for web development and testing) and got the following page:
So, to be crystal clear – this ad changes based on the location that you are viewing the page from, presumably to give you some feeling of confidence that it was a “local gal” that benefited from this product. Clearly, Becky Bell is not from Brisbane and Dallas at the same time.
Moral of the story: beware of advertising that just so happens to have your exact city and country in it like this.
Comments: 2 --
Cumulative Moving Average in PHP
Dec 14th, 2009
My brother needed to figure out how to do a “moving average” in some code he was writing a while ago. I’d never done this before and couldn’t find any really simple code examples so ended up on Wikipedia where I found it’s actually called a cumulative moving average.
Super simple code example follows:
<?php
$numbers = array(1, 2, 3, 4);

// A simple function to calculate averages
function average($array)
{
    return (array_sum($array) / count($array));
}

/*
 * Simple function to calculate moving average with the following parameters
 * $datapoint - the most recently acquired new datapoint
 * $average - the current average
 * $count - the total number of items we're dealing with
 */
function cumulativeAverage($datapoint, $average, $count)
{
    return $average + (($datapoint - $average) / $count);
}

// First let's print the average calculated normally so we can compare to the final result
print "Normal average:\t\t".average($numbers)."\n";

// $lastav stores the most recently calculated average
$lastav = 0;

// Loop through all the numbers in the array and calculate the cumulative average each time
for ($i = 0; $i < sizeof($numbers); $i++)
{
    $lastav = cumulativeAverage($numbers[$i], $lastav, $i + 1);
}
print "Cumulative Average:\t".$lastav."\n";
?>
Comments: 1 --
FlashGet Sucks, and Should be Blocked
Nov 25th, 2009
Over on AusGamers, we run a moderately popular download service for files. We push out around, oh, 30 terabytes a month of data (this is a lot).
Our file servers work pretty hard, but we prefer the work they do be related to just reading files off disk and throwing them down the wire at users. Unfortunately sometimes they have to do other things – like deal with bad requests from really terrible download software.
In this case, FlashGet is the bad download software. It is really annoying. Here’s a few reasons why:
- If you give it a URL that 404s or 403s (ie, a URL that doesn’t exist or is forbidden), FlashGet inexplicably wants to keep retrying that URL, over and over every two seconds.
- It incorrectly identifies itself as an IE5-based browser. This is just rude at best, and flat-out lying at worst.
I have written about this earlier, but now that I’ve seen the following data from a single month of usage on our file servers, I think the time has come to do something more:

The top entry here is FlashGet, with over 16 million hits to our server. The vast majority of these hits are 403 or 404 errors from repeatedly trying to access files that are no longer there or that it no longer has access to.
At this stage the plan is to block FlashGet users. This is harder than it sounds because it is so stupid it ignores things like 403s and 404s and keeps retrying. What I am thinking we’ll do is detect FlashGet via the user-agent string and then redirect them to a different file. The file will be a little video file that explains why their download failed.
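Because the client claims to be an IE5-based browser, the retry pattern itself (the same URL re-requested every couple of seconds after a 403 or 404) is a more dependable signal than the user-agent alone. The following is an added example, not code from the original post: it scans access-log lines in Apache combined format and reports client/URL pairs stuck in such a loop. The log lines, addresses, paths and user-agent strings are constructed, and the thresholds are assumptions.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def find_retry_storms(lines, max_gap=5, min_hits=4):
    """Return {(ip, path): (run_length, user_agent)} for clients that keep
    re-requesting a URL answering 403/404, at most max_gap seconds apart."""
    streak = {}  # (ip, path) -> (time of last failure, current run length)
    worst = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        key = (m["ip"], m["path"])
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] not in ("403", "404"):
            streak.pop(key, None)  # any other response ends the run
            continue
        last, run = streak.get(key, (None, 0))
        close = last is not None and (when - last).total_seconds() <= max_gap
        run = run + 1 if close else 1
        streak[key] = (when, run)
        if run >= min_hits and run > worst.get(key, (0, ""))[0]:
            worst[key] = (run, m["ua"])
    return worst

def _line(ip, hms, path, status, ua):
    # Builds one constructed log line; not real traffic.
    return (f'{ip} - - [25/Nov/2009:{hms} +1000] "GET {path} HTTP/1.1" '
            f'{status} 0 "-" "{ua}"')

UA_A = "ExampleDownloader/1.0 (constructed)"
UA_B = "ExampleBrowser/1.0 (constructed)"
SAMPLE_LOG = [_line("203.0.113.7", f"10:00:0{s}", "/files/old.zip", 404, UA_A)
              for s in (0, 2, 4, 6, 8)] + [
    _line("198.51.100.9", "10:00:01", "/files/new.zip", 200, UA_B),
    _line("198.51.100.9", "10:00:03", "/files/gone.zip", 404, UA_B),
    _line("192.0.2.44", "10:00:00", "/files/private.zip", 403, UA_B),
    _line("192.0.2.44", "10:01:00", "/files/private.zip", 403, UA_B),
]

if __name__ == "__main__":
    for (ip, path), (hits, ua) in find_retry_storms(SAMPLE_LOG).items():
        print(f"{ip} retried {path} {hits} times in a row as {ua!r}")
```

The flagged pairs can feed whatever response is chosen, such as the redirect described above or a temporary block for that address.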
Comments: 0 --
Alltern8.com is hiring Writers & Bloggers – Spam?
Nov 19th, 2009
I’ve been getting the following email to a few email addresses:
Hi Everyone,
Alltern8 (www.alltern8.com) is gathering together a group of dedicated experts in MMO Games, LARP & Ren Faires, Tabletop and Collectible Card Games, Tabletop Wargames, PC & Console Games, Comics/Graphic Novels, Cosplay/Memorabilia, and Indie Music & Film to hire a brand new blogging and writing network! This is your chance to make your voice heard about the games you love to play and the events you love to attend.
… and so on in that manner. The subject is ‘Alltern8.com is hiring Writers & Bloggers’.
On the surface it seems like a legitimate email that I might have (inadvertently) signed up for. But I’ve never been to their site before, or heard of it. I have almost every single website sign-up email I’ve ever been sent – since 1999 – and I don’t have one from their site.
I look in the footer of the email where the unsubscribe options are, and I see this:
Alltern8.com only emails to addresses collected via its own site or one of its associated partner sites, we take SPAM seriously so please unsubscribe by replying with the subject UNSUBSCRIBE and you will no longer receive mails from us. This is the quickest way to stop getting mail via our site.
So maybe it was an associated partner site I signed up to. Possible.
But then – something happened! I got the exact same email to a QGL mailing list, which has long been targeted by actual real spammers.
Now the most likely scenario has changed. I think they’re spammers. I’ve replied to their email (for reference, always a foolish thing to do, because it can simply just highlight the fact that your email address is still active and ripe to be spammed).
It’s an interesting issue. If I was less anally retentive about emails I get and where they come from, I would have just accepted this as something I signed up for and moved on. So much spam I get these days just has a similar footer, a we’re-so-innocent routine that is rapidly becoming tiresome – “oh, you must have signed up for something with us at SOME point, how ELSE would we have gotten your email.”
I’ll be making sure that we accurately track sign-up information so when users want to know why they got a newsletter, we can say “well, you can see right here that on the 15th of May 2009, you created an account and left the ‘subscribe to newsletter’ checkbox ticked!”
edit: Shortly after posting this, someone from alltern8.com replied – check the comments for their thoughts.
Comments: 3 --
Reporting problems on web sites – the bare minimum
Nov 16th, 2009
We regularly get people asking us about issues (real and imaginary) on our websites. There are a variety of frustrating ways users can report problems with websites, including the favourite classic – “it doesn’t work”.
If you’re ever on a website and it has a problem or something isn’t working as expected, you should definitely take the time to report it. Problems often can go completely unnoticed by the development team, especially on large websites, and it’s only when they’re actually brought to someone’s attention that they are fixed.
However, if you are going to report a problem with a website, then there’s a couple of things you should try to remember to include, at an absolute bare minimum, to help the people at the other end know what you’re talking about:
1) A URL. This is the bit of text in the address bar that shows what page you are on. It looks like http://www.sitename.com/pagename/, and without it the site developers will probably have no idea what you’re talking about.
2) Some information about what you were doing at the time. Even simple things like saying what you clicked on or what you were reading can provide useful information.
3) Information about your computer, including what web browser you’re using (if you don’t know, it’s probably Internet Explorer) and what operating system you’re running.
Anything else you can add would be gravy, but including this data will greatly help anyone that is reading your request try to figure out how to help you!
Comments: 0 --
Unpacking / extracting a .rpm file
Nov 4th, 2009
I have never figured out the RPM package management system. It’s mostly because I haven’t tried hard, but it still makes me feel like a moron.
Every now and then I stumble across a package that, for whatever reason, is only distributed in .rpm form. Right now I wanted to install nano on godaddy.com’s shared hosting (because I’m also too lazy to learn vi), and the easiest way I could think of was to nab the .rpm and just rip out the nano binary.
Turns out this is really easy from a Linux shell:
# rpm2cpio [rpm filename] | cpio -idv
Another victory for laziness! It spewed out a bunch of stuff, I nabbed the nano binary, threw it on my godaddy shared hosting using wget via ssh, and now I have a fully functional and awesome editor (no matter what anyone tells you).
Comments: 1 --
LinkSys Newsletter’s One-Click Unsubscribe
Jan 22nd, 2009
I signed up for the LinkSys forums ages ago to whine about the problems with the WAG-325N series of devices.
I’m usually pretty careful when signing up for new sites to uncheck all the “send me email” boxes – I get enough email already. So I was a bit surprised this morning when I received what looked like unsolicited commercial email from LinkSys to my Gmail address: “the first issue of Linksys by Cisco e-newsletter, Connections.”
Determining the difference between actual spam and sneaky company tactics is a little tricky. Most people probably don’t care and just hit the ‘report spam’ or ‘junk’ or whatever it is in their email client. As a discriminating email nerd though I take the time to figure it out, because it’s often only a few extra seconds of reading and thinking, which I can generally justify.
In this case I decided that this probably wasn’t real spam and instead was either LinkSys being a bit lame and sending me unsolicited email because I’d signed up to their forums, or perhaps I did check the box that says “send me your stuff” – or maybe I missed something in a 400 page Terms and Conditions document that said by signing up it means they can send me email anyway.
At this point, who cares, right? I either want to keep getting the emails or I want to ditch them. My usual practice then is to just scroll immediately to the bottom of the email and look for the unsubscribe link. I saw this:

At first I just saw “managed subscriptions” and groaned internally, because that generally means it’s a multi-step process to unsubscribe – slow and painful. Then I saw the “one-click unsubscribe” link!
Being able to immediately and simply unsubscribe from email services is really, really important. This sort of link – a clearly labeled link that actually does what it says, instantly and quickly, is something that should be in the bottom of every single email you’re ever sent from a service.
Comments: 2 --
The Profile Option Facebook Is Missing
Jun 24th, 2008
I was looking at other people’s Facebook profiles and kept seeing the “Interested in” where you declare your sexuality. Sadly this isn’t one of the free-form text entry fields.
Imagine it on your profile! “Interested in: Your Mother”! It’d never get old.
Comments: 1 --
Completely Accidental Privacy Violations
Jun 16th, 2008
I have a Gmail account which is based on my real name. Since the advent of the Internet, I realised just how common my real name is around the world, which really should have come as no real surprise – but for some reason it did.
Gmail doesn’t pay attention to full stops in email addresses. That is, alicebob@gmail.com is the same address as alice.bob@gmail.com. This was reported ages ago and has been the subject of a lot of discussion, because it seemed like a bug – why would you want to get email that’s not addressed exactly to you?
At least one other person bearing my name has signed up for a Gmail account. Not an unreasonable thing for them to do. They no doubt got through the sign-up process with few problems and managed to create a Gmail account.
Or at least, they think they did. Unfortunately, they also think their email address is the same as mine (albeit with a full stop in the middle of it somewhere). Not a real drama, until they start giving that email address out to friends and family and using it for things like hotel reservations and business.
After all my time on the Internet, I’m long accustomed to getting email that I don’t want. I get literally hundreds of spams a day to my work and personal addresses that I ignore more or less completely.
However, emails like this tend to bust through my spam filter, because they’re often very similar to actual emails that I’d get myself. They’re definitely not spam, but they’re definitely emails that shouldn’t have made their way into my inbox.
I go to pains to NOT read these emails, and almost always hit reply to let the sender know (after a quick check to make sure they’re not spam that crept through) that their email was misdirected. When it’s a personal email or something from a business contact, I usually get a reply thanking me. But when it’s an automated email from a mailing list or some other non-human sending process, I’m a little bit torn about what to do.
I don’t really want to get any more emails from here, but often my only recourse from an automated email is to click a link in it that takes me to some sort of online profile, helpfully logging me in to someone else’s account. While there’s probably no real damage I could do (I’m sure, for example, that I couldn’t get my alternate namesake’s credit card details), if I was a little more malicious I could probably at least make his life a little uncomfortable or embarrassing.
Needless to say, I don’t want to do that. I just want the emails to stop. So this raises the question – can I ethically (and legally) claim some ownership of emails that are accidentally sent to an address that – while it isn’t mine per se, is still delivered to me – so that I can try to make sure the sender knows they’re sending it to the wrong person?
Case study:
My alternate namesake created a profile on an international dating site. He, no doubt, put in all sorts of personal information into this site. I could have probably gone in and messed with his profile and made him a she-male seeking furry companionship or something, but instead I went through this arduous and painful process of trying to contact the site through normal means to ask they take me off.
This process took weeks – they floundered around for a while trying to verify it, told me they’d removed me, I still got emails every few days, floundered around again, etc.
It would have been vastly easier for me to just log into the guy’s profile and delete his account. But I couldn’t do that – even though he’d used my email address to (somehow) create a profile, it wasn’t my account.
While I went through the process then, this guy just keeps signing up for services using my email address – thinking it’s his. I’m getting all sorts of stuff I don’t want. At some point, I’m just going to start deleting them, meaning they’ll go into a black hole until he finally figures it out.
I’m sure this is happening to a lot of other users. It’s crazy how much personal information I could have obtained from this guy without him even having the slightest idea about it – if I was maliciously inclined.
Obviously, you should be careful when deciding when to give someone your email address – the last thing you want is spam or more useless crap filling it up. But remember – also be careful that you’re giving it to them correctly, because it’s probably worse that your personal and private information is going to someone completely different.
David Harrison of the UK, I’m talking to you.
(Further – as a web developer-type, I find it somewhat objectionable that several sites have let this guy sign up to various emails and services without first verifying his email address.)
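One way a site can verify an address before treating it as the account owner's, shown as an added example that is not from the original post: the signup stays pending until the mailbox owner presents a signed, expiring token, so a mistyped address never activates an account or receives further mail. The `Signups` class, function names, secret and 24-hour lifetime are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

def issue_token(email, secret, now=None):
    """Return a URL-safe token binding the address to its issue time."""
    issued = int(time.time() if now is None else now)
    payload = f"{email}|{issued}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())

def confirm_token(token, secret, max_age=86400, now=None):
    """Return the confirmed address, or None if malformed, forged or expired."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # wrong number of parts or bad base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    # The signature is valid, so the payload is one this server produced.
    email, issued = payload.decode().rsplit("|", 1)
    current = time.time() if now is None else now
    if current - int(issued) > max_age:
        return None
    return email

class Signups:
    """Hypothetical signup store: pending until the mailbox owner confirms."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = set()
        self.active = set()

    def register(self, email, now=None):
        # Only the confirmation message is sent at this stage; no profile
        # link, no login session, no newsletter.
        self.pending.add(email)
        return issue_token(email, self.secret, now)

    def confirm(self, token, now=None):
        email = confirm_token(token, self.secret, now=now)
        if email is None or email not in self.pending:
            return False  # forged, expired, or already used
        self.pending.discard(email)
        self.active.add(email)
        return True
```

The confirmation link should carry only this token and never a logged-in session, so a stranger who receives it by mistake gains nothing by clicking.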
Comments: 0 --


