My Spammer Friends

Spammers rationalize their behavior as simple commerce, but for most of us, they ignore the basic guidelines of polite society. Those of us that were paying attention in class learned that interrupting a conversation is boorish (as in "with tusks, crashing through the forest") and if you monopolize a conversation, you'll soon have an audience of one.

I like to engage in open conversation - but spammers believe open conversation is one-sided. If their comments were REALLY interesting, that would be good. But I REALLY have all the watches I need, and am uncertain about ordering non-prescription vi_A-gre from an international source with no return address. ("Does this have fresh goat extract?"). So I've taken steps to block them.


The spreadsheet shown above is a real-time list of unsuccessful attempts to post a message at http://www.niemannross.com/postoffice. If you go there, you can select a member of my family and send them a message. But you also have to recognize and type in two words supplied by a service called reCAPTCHA. Machines don't know how to do this, and will therefore add a line to the above spreadsheet. (Note: some computers can now recognize these visual puzzles - so you'll see the visual puzzles getting more difficult.)


Some interesting notes about the spreadsheet:



By the way - if you're not seeing the spreadsheet or links, you can view the original post at http://niemannross.com/nucleus/index.php?blogid=1&itemid=93

Ten Expensive Things You Can do to Foul up Your Developer Program

ten fowl things
It appears that my personal and private lives are crossing. I suppose it was inevitable, and some business associates made the connection long ago.


Or perhaps having thirteen chickens scratching around the side yard colors everything I write and say. (I'll have to be more aware of that. Kind of like being at a Toastmasters meeting and having some guy clink their glass every time you say "and...um.")


Or perhaps my personal and private lives were never separate. That's probably the best explanation, considering I work at home.


In this case, my personal/private lives have collaborated on the title of a presentation for the Evans Developer Relations Conference. In November, I breezily suggested a presentation for the conference, titled "Ten Expensive Things You Can do to Foul up Your Developer Program." The clever title would have been "Ten Expensive Things You Can do to Fowl up Your Developer Program" - fortunately, my "don't be cute" filter caught that one and grepped out "/fowl/foul/g." But I do wonder about the feathered part of my brain slipping in a reference.


All bird references aside, I'll be in San Jose March 15th and 16th, condensing twenty years of experience into ten points (in 45 minutes!). I've already identified fifteen topics I'd like to cover - so I'll need to trim.


What about you? You're probably a developer, or have worked with developer programs. If you were my co-presenter, what three points would you put on the slide?


If you can't leave a comment, send me mail at http://www.niemannross.com/postoffice


My presentation at MAX 2009

A recording of my presentation at MAX 2009. Find out about the many languages and tools available for both designers and developers to customize and automate Creative Suite for integration in larger workflows.

MAX 2009

I'll be speaking at MAX


XMLRPC == hacker gateway?

Over the last few months, I've experienced a series of break-ins on this website. The hackers invade the site, set up a directory full of html files with names like "nude-agnes-bruckner-pictures/inflatable-sex-doll-pics.html" and then point search engines at these html files. The html itself either looks like a google search page, or re-directs to a phishing site. In addition, they insert a bunch of links designed to push their phishing sites up in the search engine ranks. Cleaning up after them requires looking for files modified with a certain date, and new directories created.

I've been puzzling over how they are getting in - their attack isn't obvious from any of the server logs. But I did discover some interesting activity that seems to happen at about the time of the intrusion, indicating that someone is interested in finding a copy of XMLRPC available on my machine.

POST /nucleus/xmlrpc/server.php
GET //nucleus/xmlrpc/server.php
GET /nucleus//nucleus/xmlrpc/server.php
GET /nucleus/nucleus//nucleus/xmlrpc/server.php HTTP/1.1
GET //xmlrpc/server.php HTTP/1.1
GET /nucleus//xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogi%20...//xmlrpc/server.php
GET /nucleus/nucleus/xmlrpc/server.php
GET /xmlrpc/server.php
GET /nucleus/xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogid=1/xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogi%20.../xmlrpc/server.php
GET /nucleus/index.php?catid=3&blogid%20.../xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogid=1/xmlrpc/server.php
GET /nucleus/index.php?catid=3&blogid=1/xmlrpc/server.php
GET /nucleus/index.php?catid=3&blogid=1/xmlrpc/server.php

Wikipedia has an interesting write-up which describes xml-rpc as a precursor to SOAP. In any case, it appears that I've had an interpretive server available on my website since I installed Nucleus. There is also a discussion about the XML-RPC vulnerability here.

On further research, xml-rpc is used by blogging software to allow for commenting and other blog activities. That would explain why it is included with nucleus, which is what I use to run this blog. I've also noticed miscreants searching for the serendipity blog versions - see the following:

69.57.190.234 - GET /nucleus/serendipity_xmlrpc.php
69.57.190.234 - GET /serendipity_xmlrpc.php

Since then, I've removed xml-rpc from my website. If I don't repost on this topic, then that probably fixed the problem.
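
An added example (not code from the original post): a Python sketch that flags the probing pattern listed above in an access log, treating the many slash and query-string spellings as one target. It assumes Common Log Format input; the sample lines, addresses, timestamps and the `min_variants` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint names taken from the requests listed in the post.
PROBE_TARGETS = ("xmlrpc/server.php", "serendipity_xmlrpc.php")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')

def normalize(target):
    """Percent-decode, lowercase and collapse repeated slashes, so that
    //nucleus//xmlrpc/server.php and /nucleus/xmlrpc/server.php compare equal."""
    return re.sub(r"/{2,}", "/", unquote(target)).lower()

def is_probe(target):
    # The scanner also appends the endpoint to query strings, so test the end
    # of the whole request target, not only the path.
    return normalize(target).endswith(PROBE_TARGETS)

def summarize(lines, min_variants=3):
    """Map each client that tried at least min_variants distinct spellings to
    its raw variants and to the probes that got a 2xx answer on a real path."""
    seen = defaultdict(lambda: {"variants": set(), "hits": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_probe(m["target"]):
            continue
        entry = seen[m["ip"]]
        entry["variants"].add(m["target"])
        # Assumption: a 2xx on a query-string variant is index.php answering.
        if m["status"].startswith("2") and "?" not in m["target"]:
            entry["hits"].append(m["target"])
    return {ip: e for ip, e in seen.items() if len(e["variants"]) >= min_variants}

# Constructed sample lines: documentation-range addresses, invented timestamps.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2010:03:10:01 +0000] "GET //nucleus/xmlrpc/server.php HTTP/1.1" 404 210',
    '203.0.113.7 - - [01/Jan/2010:03:10:02 +0000] "GET /nucleus//nucleus/xmlrpc/server.php HTTP/1.1" 404 210',
    '203.0.113.7 - - [01/Jan/2010:03:10:03 +0000] "GET /nucleus/index.php?catid=10&blogid=1/xmlrpc/server.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2010:03:10:04 +0000] "POST /nucleus/xmlrpc/server.php HTTP/1.1" 200 312',
    '198.51.100.20 - - [01/Jan/2010:04:00:00 +0000] "GET /nucleus/serendipity_xmlrpc.php HTTP/1.1" 404 210',
    '198.51.100.20 - - [01/Jan/2010:04:00:01 +0000] "GET /serendipity_xmlrpc.php HTTP/1.1" 404 210',
    '192.0.2.44 - - [01/Jan/2010:05:00:00 +0000] "GET /nucleus/index.php?catid=3&blogid=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE).items():
        print(ip, len(e["variants"]), "variants; answered:", e["hits"])
```

A non-empty "answered" list means the endpoint is still reachable; after removing xml-rpc from the site, every probe should come back 404.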


Did you know I have a "work" blog too?

As if you're not reading enough of me, you can also catch my professional side. I blog for Adobe at http://blogs.adobe.com/notesfrommnr. Strictly developer stuff - but if you're working in the computer field - you'll find this interesting...

List of mm tags used by Mailman mailing list software

I'm setting up a template for Mailman software, and looked for a list of all the template tags. Google doesn't seem to be finding this, so I'm going to reprint the information found at this mail archive post.

These tags can be used by list owners to modify the html pages that you can edit on the General Options Page->Edit the public HTML pages and text files.

If someone knows how to post this onto the mailman wiki, please feel free to do so.

Formatting heads up - I've had to insert some spaces in the tags to keep my blog from going crazy. When you use these tags, there are NO SPACES in between the "<" and ">" brackets.


This is an Open tag used to create a link to the mailing list archives. Proper use would be...
here's a link to the mailing list archives
Typically this brackets the MM-List-Name tag
A mystery tag. Appears on the subscriber information page, but is blank in my installation. Appears to be used with
 and 

Checkbox used on the subscriber information page. Use this inside of the subscription change form. When enabled, will change the email address for all lists subscribed to on this list server.
Used on the subscriber information page to send a password to the user. Looks like it needs to be part of an anchor. Use it like this...

Forgotten Your Password? Click this button to have your password emailed to your membership address. 


Appears to be the public name of this list, identical to the above - but I may be mistaken
Used in the email address change box to change name
The name of the server hosting the list
The terse phrase identifying this list as entered on the General Options Page
The introductory description as entered on the general options page
The public name of this list as entered in General Options
 
Produces a box with a listing of all supported languages
A message to list subscribers telling them to expect a confirmation email
Used on subscriber information page. Creates a logout button. Be sure to enclose it with form start and form end tags, shown like this...

A preset footer that includes the list name, a mailto link to the owner, email address, a link to the administrative interface, and a list of all the public lists on your server
Used in the subscriber information update form. Enter a new email address. Use
to confirm the address. Probably not optional, but I didn't check.
Number of subscribers who are reading the digest
Total number of subscribers
Number of people on this list getting all emails (non-digest subscribers)

	
A pre-formatted form that allows subscribers to log in and edit their options. It appears that the text is probably included in the administrator template, and is out of reach to list owners.
Email address of the owner of the list
Number of days the system will remember a request for subscription changes. Option on main page - "Discard held messages older than this number of days. Use 0 for no automatic discarding."
Email address for posting contributions
Used on the subscriber information page. Produces "email, first name last name"
"Once a month, your password will be emailed to you as a reminder."
Email address to send subscribe/unsubscribe/administrivia requests
If you marked the archives as private in the privacy options, then this tag will include the following text: "(The current archive is only available to the list members.)"

	
	    
This sets up a form that allows registered subscribers to review the list of other registered subscribers
Starts the subscription form. Use the following tags inside this form:
  • Subscriber's email address
  • < mm-fullname-box>
    Subscriber's full name
  • < MM-New-Password-Box>
    mild security password
  • < MM-Confirm-Password>
    Confirm the above password
  • < MM-list-langs>
    Choose a language
  • < mm-digest-question-start>
    < MM-Undigest-Radio-Button>
    < MM-Digest-Radio-Button>
    < mm-digest-question-end>
    This sets up two radio buttons that allow the subscriber to choose their digest mode. Insert explanatory text in between the radio button tags
  • < MM-Subscribe-Button >
    The subscribe button you'll need to add to this form
  • Don't forget to close with
    < MM-form-end >
    at the end of your form

  • Provides the results from the subscription form
    Used on the subscriber information page. Not sure what it does - something having to do with a forgotten password.
    Used on the subscriber information page. Generates a checkbox and an unsubscribe button.

Colored by Kuler

You'll notice that this blog changes color each time you visit. I've been experimenting with the Kuler Website and have set up a php script that randomly chooses a color scheme, and then assigns color to the various objects in the CSS.

Here's the php code that drives it...

First - here's the function that sorts the hex color values from lightest to darkest. It does this by breaking the hex string into its RGB components, then sorting on the sum of the three values. Therefore, #FFFFFF will be lighter than #000000
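	// usort() callback: compares two "RRGGBB" strings by the sum of their
	// R, G and B components (negative when $aValue has the smaller sum).
	function hexColorCmp($aValue,$bValue) {
		// Cast to string so SimpleXMLElement values are accepted too
		$aValueSplit = str_split((string) $aValue, 2);
		$aValueSum = hexdec($aValueSplit[0]) + hexdec($aValueSplit[1]) + hexdec($aValueSplit[2]);
		$bValueSplit = str_split((string) $bValue, 2);
		$bValueSum = hexdec($bValueSplit[0]) + hexdec($bValueSplit[1]) + hexdec($bValueSplit[2]);
		return $aValueSum - $bValueSum;
		}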
This is the function that gets the rss feed from kuler, converts it to xml, then grabs the color data and theme information.
	// Uses $this, so it belongs in the class that holds these properties.
	function init() {
		do {
			// Retry until the random theme ID matches an existing theme
			$thisThemeID = rand(11,16065);
			$kulerURL = 'http://kuler.adobe.com/kuler/API/rss/search.cfm?searchQuery=themeID:' . $thisThemeID;
			// Third argument TRUE: $kulerURL is a URL to fetch, not XML text
			$kulerRoot = new SimpleXMLElement($kulerURL, 0, TRUE);
			} while ($kulerRoot->channel->recordCount == "0") ;
		$kulerItem = $kulerRoot->channel->item->children('http://kuler.adobe.com/kuler/API/rss/');
		$this->previewKulerURL = $kulerItem->themeItem->themeImage;
		$this->nameKuler = $kulerItem->themeItem->themeTitle;
		$this->themeURL = 'http://kuler.adobe.com/#themeID/' . $thisThemeID;
		foreach ($kulerItem->themeItem->themeSwatches->swatch as $swatchValues) {
			// Store plain strings rather than SimpleXMLElement objects
			$this->swatchHexValues[] = (string) $swatchValues->swatchHexColor ;
			//echo $swatchValues->swatchHexColor;
			}
		usort ($this->swatchHexValues,array($this, "hexColorCmp"));

		// Fill missing swatches (themes with fewer than five colors) with a
		// six-digit fallback; the original 16777216 gave seven digits for $i = 0
		for ($i=0;$i<5;$i++) {
		   if (empty($this->swatchHexValues[$i])) $this->swatchHexValues[$i] = sprintf('%06X', (int) (0xFFFFFF/($i+1)));
		   }
	 }

$swatchHexValues[] is then used to assign colors.

Sometimes it looks good - sometimes not. My algorithm for choosing foreground vs background color is pretty simplistic.

XML, php, XML_Serializer and SimpleXML

I just finished up a project that required exporting XML from a mySQL database, using php as the driving language. I approached this several different ways, and found a few things that you'll maybe find useful.

First I tried writing XML by hand. Not that hard - but messy, and requires a lot of notes to make sure you are closing everything you open.

Second, I tried the pear package called "XML_Serializer" ( http://pear.php.net/package/XML_Serializer ). At first, this looked promising - but then I realized that it wouldn't allow me to create multiple nested groups.