Archive for August, 2007


Email address hijacking

August 29, 2007

I get the occasional hijacking of my domain name with some fake string in front of it and most of the auto responses from the spam filters come back to *my* Spam Quarantine folder. After being a bit paranoid about my system being compromised, I was told by a system administrator that it wasn’t me, it was someone/machine out there in the wild who thought my domain name would be a good one to attach ‘xcsewagtsyqhgv’ to and send off messages about body part enhancements for body parts I don’t even have. <sigh>

I’ve now learned to live with it and just delete those messages, and I no longer get paranoid.

However, others do, as evidenced by a discussion thread this past week on the Lone Writers list. Probably one of the clearest explanations of this was posted today by Lou Quillio. With his permission, here’s his response to the person whose Gmail account appeared to have been hijacked:

**********

In general there’s (almost certainly) not a problem, so you don’t need a solution. You just need information.

The phenomenon you describe is called “backscatter” or “outscatter”. It’s caused by mailer-daemons (you might say “email servers”) sending auto-responses when they identify spam. Spam is also called UBE, or unsolicited bulk email.

Here’s what happens:

A piece of spam is sent — to someone you don’t even know — with one of your email addresses as the ‘From:’ address. That *doesn’t* mean it was sent through your account or someone has stolen your login credentials. The ‘From:’ header in an email message is an arbitrary string, chosen by the sender. It isn’t authoritative in the slightest.

The piece of spam is received by the addressee’s mailer-daemon (pronounced “demon”), it’s identified as UBE, and blocked. The addressee never sees it.

Now the mailer-daemon has a decision to make. The matter can end there. Or, the mailer-daemon _could_ send an automated message to the ‘From:’ address, warning about possible UBE. That’s backscatter.

How useful are these auto-responses? Not very. Any knowledgeable sysop is aware that the ‘From:’ address is probably not the real sender.

But many send them anyway, and word them jarringly: “Considered Unsolicited Bulk Email FROM YOU”, etc. Uhh-huh. Why assume that, bub? Are you living in some innocent 1999 time warp?

Anyhow, this auto-response arrives at your GMail account and guess what? GMail marks it as spam. Because it is. Backscatter is spam. It’s unsolicited by you, the recipient, and sent in bulk.

Still with me? Spam sent + auto-response to somebody there’s no reason to assume sent it = more spam. Backscatter spam.

So there’s no _technical_ problem, just a network effect. Is there a _social_ problem? That, too, depends on how much information you and your peeps have, how well you understand what’s happening.

First concern: the spam sent under your name to Aunt Edna (or more likely to an utter stranger). What will Edna think of me?! Nothing. She didn’t even get it. Her mailserver blocked it. That’s why you got the auto-response.

Second concern: whomever (or whatever) warned you about sending spam apparently thinks you’re a bad girl. You don’t want _anybody_ thinking that. Relax. It was a machine, a rather dumb one.

Here are the take-aways:

  1. Never trust a ‘From:’ address alone. You can’t. You never could. So forget that.
  2. Ignore backscatter if you use GMail, Yahoo! Mail, or one of the other big services. If there’s a problem, it’s theirs. And there’s probably not a problem.
  3. Ignore backscatter if you *know* your desktop email client isn’t compromised. Past experience has made Windows users paranoid. Updated Windows installs aren’t nearly as vulnerable. It remains a best practice *not* to use Internet Explorer nor Outlook Express. They were the egregious point of failure – and, however improved, are vulnerable by design and ubiquity.
  4. Don’t fly into a tizzy and start spamming your peeps and your lists in shame. Windows trained this into you. You’ll have to train yourself out, and the first step to recovery is staying calm.
  5. Never, ever retrieve or send email over an insecure connection. GMail won’t let you, cuz Google’s not dumb. Whenever you’re setting-up an account, connect with SSL/TLS. POP3, IMAP, SMTP … no matter. Always choose the SSL option and avoid providers who don’t offer one. Your email account’s username and password can’t be filched if they’re never sent over an insecure wire.
  6. Send plain text email, and read messages as plain text regardless how they were sent. Why did the Trojans admit the horse? Because it was fancy. You don’t need fancy. You’re a writer, not a formatter, and it’s your words that matter.

All that stuff about firewalls and virus scanners and changing passwords all the time … yeah, sure, that’s fine. But none of it’s related to your recent fear — which concerns a network effect and is cured with knowledge.

***********

Thanks Lou!

Update (2 May, 2008): PC World just published an article on this backscatter problem too.
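
For anyone who runs their own domain and wants to check rather than guess, the sketch below sorts an incoming auto-response into "bounce for mail I really sent" or backscatter. It is an added example, not part of Lou's post or this blog; the sample message, the example.* domains and the `sent_ids` log of outgoing Message-IDs are constructed assumptions.

```python
import email
from email import policy

# Constructed sample: a filter notice for spam that forged our domain.
SAMPLE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: xcsewagtsyqhgv@example.org
Subject: Considered UNSOLICITED BULK EMAIL from you
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message was blocked as unsolicited bulk email.
--b1
Content-Type: text/rfc822-headers

From: xcsewagtsyqhgv@example.org
Message-ID: <forged-0001@bulk.example.com>
--b1--
"""

def is_auto_response(msg):
    """Machine-generated reply: bounce, DSN or spam-filter notice."""
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"  # RFC 5321
    auto = str(msg.get("Auto-Submitted") or "no").lower() != "no"  # RFC 3834
    return null_sender or auto or msg.get_content_type() == "multipart/report"

def original_message_id(msg):
    """Message-ID of the mail being complained about, if a copy is attached."""
    for part in msg.walk():
        if part is msg:
            continue
        if part.get_content_type() == "text/rfc822-headers":
            part = email.message_from_string(part.get_content(), policy=policy.default)
        if part.get("Message-ID"):
            return str(part["Message-ID"]).strip()
    return None

def classify(raw, sent_ids):
    """sent_ids: Message-IDs our own outgoing mail log recorded (assumed)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_auto_response(msg):
        return "not-auto-response"
    # No attached original, or one we never sent, cannot be tied to us.
    return "genuine-bounce" if original_message_id(msg) in sent_ids else "backscatter"
```

A notice classified as backscatter refers to a message your systems never produced, which is the situation described above.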


Handy software development references

August 27, 2007

I *love* being a member of the Lone Writers Special Interest Group of the Society for Technical Communication (STC). Someone always has something neat to contribute, and in amongst all the helpful suggestions and discussions, there are the occasional gems of reference material… like these shared by one of the members last week:

I’ve put them here to share, but also so I have a central place where I can refer to them again (yes, I know I could use Del.icio.us, but I don’t—it’s just another place I’d have to remember to look for my ‘stuff’!)


One way to document a confusing user interface

August 27, 2007

Someone on one of my technical writing lists posted a link to an unofficial user guide for a piece of software used to report building maintenance issues at the University of Pennsylvania. From reading this guide, it is clear that this software is far from user friendly. Called “The Legend of FacilityFocus”, this underground guide for students is written as though logging a maintenance issue is part of a role-playing game. For example:

This [software] provides wonderful new functions for automation and integration and tracking — but from the point of view of a College House resident trying to get a light-switch fixed or a sink unclogged, the … web interface is not exactly user-friendly.

In fact, you can win only if you know which screens to visit in which order, which fields to fill out and which to ignore, which secret codes to use, and so on.

… [later] OK, you might think that since you want to request work, you should click “Work Request”. But DON’T! That will lead you off into a series of twisty little passages, all alike, where you’ll be eaten by goblins.

Go on, read it – it only takes a couple of minutes.


Annual Report sense – finally!

August 23, 2007

I received some mail today from Telstra, the Australian telecommunications giant. I have shares in them (which I really should get rid of… they’ve never done well). In amongst all the puffery about how good they are was a slip of paper that was a welcome relief. To quote from it:

“Recent amendments to the Corporations Act allow companies to provide their annual reports to shareholders on the Internet rather than by hard copy. … commencing from the 2007 Annual Report we will no longer mail you a hard copy unless you specifically ask us to do so.”

At last! Some sense. An opt-in clause versus an opt-out one, and a massive saving for companies in not having to get these glossy tomes printed and mailed out. An even better saving for those shareholders who receive these missives because it’s required by law but who just throw them out without doing more than skim them (if that).

I only own a few small parcels of shares in a couple of companies, but it still bothers me to get these 100+ page documents every year. They all try and outdo each other every year in the glossiness, paper stock, fancy wancy bindings etc. So I’m very pleased that the lawmakers have seen fit to enter the 21st century and allow alternative corporate reporting mechanisms.

Of course, elements of the printing industry that have survived only because of this cash cow may be squealing in pain right now. But I’d suspect many ‘Mum and Dad’ shareholders may be cheering these changes.


Sore ears and neck

August 17, 2007

Earlier this week I was on a 90 minute phone call to Brisbane. Man! Holding the phone handset to your ear for that long really makes your ear sore and you get a crick in your neck! And you can’t type effectively (yes, I needed to type – the other person and I were discussing the development team’s Wiki and I needed to make changes there and then). If I’d realised the call would be that long, I would’ve used Skype.

Roll on to today… I get a reminder that there’s a 2+ hour meeting/conference call on Monday, so I decide to bite the bullet and purchase some SkypeIn credits. I already use Skype-to-Skype for computer phone calls, and SkypeOut for calls from my computer to landlines. SkypeIn allows landlines to call a standard phone number which comes to me on my computer. I get a real phone number for whatever country and area code I want, and all I have to do is be online to receive the calls. The big advantage is that I can use my headset, thus freeing up my head and so solving the neck pain and the purple ear problem, and freeing up my hands to do stuff on the computer at the same time.

What should’ve been easy to set up was thwarted by Skype’s pretty big ‘outage’ over the last 24 hours or so. It’s hit all the IT media, and even though Skype has kept people up-to-date, it’s caused a lot of people who rely on Skype to become pretty angry. So much so that it appears they’ve closed off the facility to comment on their blog.

It hasn’t affected me too much as I only just signed up for SkypeIn today. But it has meant that I can’t effectively test how well it works as the people I’ve asked to test the new number haven’t been able to get through as Skype is constantly connecting and reconnecting. However, they have been able to leave a voicemail and I’ve been able to set that up with my own message, and I’ve been able to set up call forwarding to my mobile phone – and that works!

Hopefully it will be fixed on Monday when I have the 2 hour conference call, otherwise it’s back to a sore neck and ear…

I do wonder about the people who rely on technology like Skype for EVERYTHING. Hello people! It’s technology over the internet. There are SO many ways it can fail. Relying on it for all your business calls etc. is a little stupid, in my not so humble opinion.

Update 21 August: Skype is now back to normal. Here’s their explanation, and an interpretation of that explanation forwarded to me by a good friend.


Crying over your work

August 16, 2007

A fellow technical writer, editor, and all-round great person wrote this to me in an email today, and all I could think of was “How true!”. Thanks Suzanne for making me laugh.

I’m writing text for a website that deals with death. Whenever I research it I find a really sad eulogy somewhere that makes me cry. Not many writing jobs make me cry. Lots of editing jobs do …


Get rich slowly…

August 14, 2007

Two months ago, I set up an Amazon Store with technical writing books I recommend. Since then I’ve added other personal recommendations of books, DVDs, produce, appliances, etc. to the store. It was never meant to be a ‘get rich quick’ scheme… in fact, I just wanted it to be a reference source for other technical writers out there. If I made a few dollars in the process, that would be a bonus.

Well, the “bonus” after 2 months is $10.01 from seven sales. Amazon don’t send me a cheque (they don’t do PayPal…) until my ‘referral fees’ reach $100. So I could be waiting a *long* time.