Email address hijacking

I get the occasional hijacking of my domain name with some fake string in front of it and most of the auto responses from the spam filters come back to *my* Spam Quarantine folder. After being a bit paranoid about my system being compromised, I was told by a system administrator that it wasn’t me, it was someone/machine out there in the wild who thought my domain name would be a good one to attach ‘xcsewagtsyqhgv’ to and send off messages about body part enhancements for body parts I don’t even have. <sigh>

I’ve now learned to live with it and just delete those messages, and I no longer get paranoid.

However, others do, as evidenced by a discussion thread this past week on the Lone Writers list. Probably one of the clearest explanations of this was posted today by Lou Quillio. With his permission, here’s his response to the person whose Gmail account appeared to have been hijacked:

**********

In general there’s (almost certainly) not a problem, so you don’t need a solution. You just need information.

The phenomenon you describe is called “backscatter” or “outscatter”. It’s caused by mailer-daemons (you might say “email servers”) sending auto-responses when they identify spam. Spam is also called UBE, or unsolicited bulk email.

Here’s what happens:

A piece of spam is sent — to someone you don’t even know — with one of your email addresses as the ‘From:’ address. That *doesn’t** mean it was sent through your account or someone has stolen your login credentials. The ‘From:’ header in an email message is an arbitrary string, chosen by the sender. It isn’t authoritative in the slightest.

The piece of spam is received by the addressee’s mailer-daemon (pronounced “demon”), it’s identified as UBE, and blocked. The addressee never sees it.

Now the mailer-daemon has a decision to make. The matter can end there. Or, the mailer-daemon _could_ send an automated message to the ‘From:’ address, warning about possible UBE. That’s backscatter.

How useful are these auto-responses? Not very. Any knowledgeable sysop is aware that the ‘From:’ address is probably not the real sender.

But many send them anyway, and word them jarringly: “Considered Unsolicited Bulk Email FROM YOU”, etc. Uhh-huh. Why assume that, bub? Are you living in some innocent 1999 time warp?

Anyhow, this auto-response arrives at your GMail account and guess what? GMail marks it as spam. Because it is. Backscatter is spam. It’s unsolicited by you, the recipient, and sent in bulk.

Still with me? Spam sent + auto-response to somebody there’s no reason to assume sent it = more spam. Backscatter spam.

So there’s no _technical_ problem, just a network effect. Is there a _social_ problem? That, too, depends on how much information you and your peeps have, how well you understand what’s happening.

First concern: the spam sent under your name to Aunt Edna (or more likely to an utter stranger). What will Edna think of me?! Nothing. She didn’t even get it. Her mailserver blocked it. That’s why you got the auto-response.

Second concern: whomever (or whatever) warned you about sending spam apparently thinks you’re a bad girl. You don’t want _anybody_ thinking that. Relax. It was a machine, a rather dumb one.

Here are the take-aways:

1. Never trust a ‘From:’ address alone. You can’t. You never could. So forget that.
2. Ignore backscatter if you use GMail, Yahoo! Mail, or one of the other big services. If there’s a problem, it’s theirs. And there’s probably not a problem.
3. Ignore backscatter if you *know* your desktop email client isn’t compromised. Past experience has made Windows users paranoid. Updated Windows installs aren’t nearly as vulnerable. It remains a best practice *not* to use Internet Explorer nor Outlook Express. They were the egregious point of failure– and, however improved, are vulnerable by design and ubiquity.
4. Don’t fly into a tizzy and start spamming your peeps and your lists in shame. Windows trained this into you. You’ll have to train yourself out, and the first step to recovery is staying calm.
5. Never, ever retrieve or send email over an insecure connection. GMail won’t let you, cuz Google’s not dumb. Whenever you’re setting-up an account, connect with SSL/TLS. POP3, IMAP, SMTP … no matter. Always choose the SSL option and avoid providers who don’t offer one. Your email account’s username and password can’t be filched if they’re never sent over an insecure wire.
6. Send plain text email, and read messages as plain text regardless how they were sent. Why did the the Trojans admit the horse? Because it was fancy. You don’t need fancy. You’re a writer, not a formatter, and it’s your words that matter.

All that stuff about firewalls and virus scanners and changing passwords all the time … yeah, sure, that’s fine. But none of it’s related to your recent fear — which concerns a network effect and is cured with knowledge.

***********

Thanks Lou!

Update (2 May, 2008): PC World just published an article on this backscatter problem too.

Handy software development references

I *love* being a member of the Lone Writers Special Interest Group of the Society for Technical Communication (STC). Someone always has something neat to contribute, and in amongst all the helpful suggestions and discussions, there are the occasional gems of reference material… like these shared by one of the members last week:

• The Software Development Life Cycle (PDF): An excellent 22 page summary of the various methodologies, as well as a detailed—but easy to read—description of the Waterfall methodology.
• Glossary of Software Engineering Terms (PDF): From the same company as the SLDC document above. 28 pages.

I’ve put them here to share, but also so I have a central place where I can refer to them again (yes, I know I could use Del.icio.us, but I don’t—it’s just another place I’d have to remember to look for my ‘stuff’!)

One way to document a confusing user interface

Someone on one of my technical writing lists posted a link to an unofficial user guide for a piece of software used to report building maintenance issues at the University of Pennsylvania. From reading this guide, it is clear that this software is far from user friendly. Called “The Legend of FacilityFocus“, this underground guide for students is written as though logging a maintenance issue is part of a role-playing game. For example:

This [software] provides wonderful new functions for automation and integration and tracking — but from the point of view of a College House resident trying to get a light-switch fixed or a sink unclogged, the … web interface is not exactly user-friendly.

In fact, you can win only if you know which screens to visit in which order, which fields to fill out and which to ignore, which secret codes to use, and so on.

… [later] OK, you might think that since you want to request work, you should click “Work Request”. But DON’T! That will lead you off into a series of twisty little passages, all alike, where you’ll be eaten by goblins.

Go on, read it – it only takes a couple of minutes.

Annual Report sense – finally!

I received some mail today from Telstra, the Australian telecommunications giant. I have shares in them (which I really should get rid of… they’ve never done well). In amongst all the puffery about how good they are was a slip of paper that was a welcome relief. To quote from it:

“Recent amendments to the Corporations Act allow companies to provide their annual reports to shareholders on the Internet rather than by hard copy. … commencing from the 2007 Annual Report we will no longer mail you a hard copy unless you specifically ask us to do so.”

At last! Some sense. An opt-in clause versus an opt-out one, and a massive saving for companies in not having to get these glossy tomes printed and mailed out. An even better saving for those shareholders who receive these missives because it’s required by law but who just throw them out without doing more than skim them (if that).

I only own a few small parcels of shares in a couple of companies, but it still bothers me to get these 100+ page documents every year. They all try and outdo each other every year in the glossiness, paper stock, fancy wancy bindings etc. So I’m very pleased that the lawmakers have seen fit to enter the 21st century and allow alternative corporate reporting mechanisms.

Of course, elements of the printing industry that have survived only because of this cash cow may be squealing in pain right now. But I’d suspect many ‘Mum and Dad’ shareholders may be cheering these changes.

Sore ears and neck

Earlier this week I was on a 90 minute phone call to Brisbane. Man! Holding the phone handset to your ear for that long really makes your ear sore and you get a crick in your neck! And you can’t type effectively (yes, I needed to type – the other person and I were discussing the development team’s Wiki and I needed to make changes there and then). If I’d realised the call would be that long, I would’ve used Skype.

Roll on to today… I get a reminder that there’s a 2+ hour meeting/conference call on Monday, so I decide to bite the bullet and purchase some SkypeIn credits. I already use Skype-to-Skype for computer phone calls, and SkypeOut for calls from my computer to landlines. SkypeIn allows landlines to call a standard phone number which comes to me on my computer. I get a real phone number for whatever country and area code I want, and all I have to do is be online to receive the calls. The big advantage is that I can use my headset, thus freeing up my head and so solving the neck pain and the purple ear problem, and freeing up my hands to do stuff on the computer at the same time.

What should’ve been easy to set up was thwarted by Skype’s pretty big ‘outage’ over the last 24 hours or so. It’s hit all the IT media, and even though Skype has kept people up-to-date, it’s caused a lot of people who rely on Skype to become pretty angry. So much so that it appears they’ve closed off the facility to comment on their blog.

It hasn’t affected me too much as I only just signed up for SkypeIn today. But it has meant that I can’t effectively test how well it works as the people I’ve asked to test the new number haven’t been able to get through as Skype is constantly connecting and reconnecting. However, they have been able to leave a voicemail and I’ve been able to set that up with my own message, and I’ve been able to set up call forwarding to my mobile phone – and that works!

Hopefully it will be fixed on Monday when I have the 2 hour conference call, otherwise it’s back to a sore neck and ear…

I do wonder about the people who rely on technology like Skype for EVERYTHING. Hello people! It’s technology over the internet. There are SO many ways it can fail. Relying on it for all your business calls etc. is a little stupid, in my not so humble opinion.

Update 21 August: Skype is now back to normal. Here’s their explanation, and an interpretation of that explanation forwarded to me by a good friend.

Crying over your work

A fellow technical writer, editor, and all-round great person wrote this to me in an email today, and all I could think of was “How true!”. Thanks Suzanne for making me laugh.

I’m writing text for a website that deals with death. Whenever I research it I find a really sad eulogy somewhere that makes me cry. Not many writing jobs make me cry. Lots of editing jobs do …

Get rich slowly…

Two months ago, I set up an Amazon Store with technical writing books I recommend. Since then I’ve added other personal recommendations of books, DVDs, produce, appliances, etc. to the store. It was never meant to be a ‘get rich quick’ scheme… in fact, I just wanted it to be a reference source for other technical writers out there. If I made a few dollars in the process, that would be a bonus.

Well, the “bonus” after 2 months is $10.01 from seven sales. Amazon don’t send me a cheque (they don’t do PayPal…) until my ‘referral fees’ reach $100. So I could be waiting a *long* time.

Social Bookmarking in Plain English

Another excellent video from the people at CommonCraft – this time on using Del.icio.us and similar social bookmarking sites.

(http://www.youtube.com/watch?v=x66lV7GOcNU)

Great error message

I have a new title: “Wiki gardener”! It’s a term used on JSPWiki.org for those who have the responsibility of keeping a Wiki weed and bug free, and it’s what I’ve been doing the past two days with a Wiki that was set up a year or so ago but that nobody’s taken care of since then. Just like an overgrown garden…

Anyhow, while I was reading the documentation over at JSPWiki.org (yes, Virginia – technical writers *do* read other people’s work!) and testing some stuff out on the Wiki, I got an error message. Standard incomprehensible stuff followed by some possible solutions, followed by this:

And don’t worry – it’s just a computer program. Nothing really serious is probably going on: at worst you can lose a few nights sleep. It’s not like it’s the end of the world.

It made me chuckle!

“Wikiphilia”

Thanks to a link on one of my technical writing discussion lists, I came across this great article written in 2005: “Wikiphilia – The New Illness“.

Normally, I’d just skim such an article as my only real exposure to Wikis has been via Wikipedia (as a user and very occasional editor) and on the periphery of Wiki implementations in software support and development teams.

However, for my new client I am likely to be very involved in organising one team’s Wiki. From the looks of it, this Wiki was set up about a year or so ago and since then it’s become a bit of a dumping ground—’disorganised chaos’ would seem to be the best description, even though it’s an oxymoron. And it doesn’t seem as if people use it to its potential. For example, I haven’t noticed much in the way of collaborative discussion, which is what I thought this Wiki was meant to achieve.

I’m having a teleconference meeting about it on Thursday, so we’ll see what comes from that. Meantime, this article is a good read and I think it summarises very well the inherent problems with a Wiki that I’ve observed from a distance. I particularly liked these two paragraphs:

“And so the Wiki becomes a dumping ground for fragmented and incomplete files, textual sound-bites and aborted attempts to catalogue. And therein lies the second great failing of Wikis as information repositories – the absence of accessible organization and indexing. Although the basic Wiki functionality includes a simple search facility, there is little to no built in support for indexing or cross-referencing below the page level. There is no reading path made available to newcomers so that they might work from fundamental to more advanced material. Cogent explanation does not result from snippets of conversations; and exchanges of opinion need not be illustrative or informative.

Attempts to collate existing “content” into more substantial portions are easily defeated by the free-for-all editing of others, and further inhibited by the user group’s conflicting notions of the worth of the content and the best means for its explication. Just try and find something when the content, un-indexed, is constantly changing under foot.”