When I got to the counter, I was met by a friendly enough Free guy (let’s call him A.) who told me it was no problem, I just needed my Free login and password and we’d be on our way. Cool! Adhering to password Best Practice, I store all my credentials in Lastpass, so I just had to login into Lastpass to get my stuff and go.

Now, being also mindful that having one big repo of passwords is valuable and high-risk, I have 2FA on this account with a Yubikey, so I can’t access it from e.g. my phone.

I didn’t have my laptop on me, but my fiancé did, so we tried to use hers to access Lastpass, tethered to her phone. Being secure and all, Lastpass realised this attempt came from a “new location” and asked me to confirm it was me by sending a code by email. Email which I couldn’t access from my phone, because, hey, SIM card’s broken.

Now thankfully, I keep my email password separate from Lastpass and do remember it, so I could just log into Gmail on the laptop and get that code!

But email is also a very valuable target, the backdoor to your systems used by password recovery mechanisms, so I have 2FA there as well! Instead of my Yubikey, I use Google Authenticator to provide TOTP (more factors, more good, right?). TOTP which sadly failed mysteriously — I realised later on that removing the battery to take the SIM card out had reset the date and time to factory settings, which breaks the Time in Time-based One-Time Password.

Thankfully, at this point A. took pity of me and told me he shouldn’t, but he could let me use the employee wifi to get the email from my phone (already authenticated = no 2FA), which could get the lastpass code, which could get the Free credentials. Success! My random 30-chars password was finally here.

When seeing the password, A. went a bit blank. “Oh… You’ve changed it”, he said – well yes, why? Because this password needs to be entered through a clunky touch-based interface on the kiosk. Five minutes and three tries later, and my new SIM card was finally here.

Next time, I’ll do it online.

Once you reach the quota, the DB is placed in read-only mode, although SQL `DELETE` commands do go through correctly, as we’ll see later.

So my first instinct was to see what was wrong, by going into the PhpMyAdmin that OVH gives to each shared DB owner. It confirmed that the database was too big, mainly because of two tables: the main culprit at 9MB was wp_comments, the comments on this blog, and the second one at 5MB was its related sibling wp_commentmeta. The root cause being, of course, spam: all these comments were properly intercepted and classified as spam by Akismet, but as long as I didn’t purge them, they were still taking valuable disk space.

So I thought I could just delete the comments that Akismet marked as spam (as that info is available directly in the table) and go on with my day, but unfortunately no – the deletion went through, but the table was still marked as being 9MB, including about 7MB of “overhead“. How do we reclaim this overhead? By running OPTIMIZE TABLE… Which we cannot do as we’re in read-only mode.

At this point, I took a dump of the database, and deleted it through the OVH admin interface, recreated a new database and reimported that dump: solved! The new DB clocked at about 14MB, enough for the foreseeable future.

Lesson learned: clean your spam.

(PS: in the few days that passed between the db clean and me writing this article, I got another 355 spam comments. Yay.)

The whole scheme was bad, but my colleague added “and they also use that strange padding scheme – because the plaintext length needs to be a multiple of 8 bytes, at the end of every message, they put seven “Bell” characters!”.

The bell character? That’s odd. I mean, it’s in ASCII, and not usually part of any plaintext, so it’s probably safe to use as padding, but… Wait a second – padding with strange characters, all the same? That rings a bell!

And indeed it does – it’s PKCS#7!

PKCS#7 is meant to pad a message until it reaches the next block boundary, to use with block ciphers. It works by appending n characters of ASCII value 0xn, and of course the ASCII codepoint of the bell character is 0x07!

“Oh, that explains a lot. Now I won’t have to add blank spaces until it reaches (x mod 8) + 1 bytes and pad with bell characters”, my colleague said. I guess that’s the danger when you’re given a bad scheme to implement: it’s harder to realise when they actually do something right.

(Hat’s up to the Matasano crypto challenges: despite doing only level 1 and 2 if the memory serves –it was a while back–, they’re super useful for these sort of cryptography basics.)

And the bottom of the issue was the 6000 spam emails sitting in the inbox, making the server crash at startup.

They’re now deleted, and everything is back up and happy. I’m currently thinking about different monitoring options, but given it’s all email-based, no solution that I know of seem overly practical to me. Any idea would be appreciated. :)

Spam like this is usually obvious. Thankfully, some spammers go out of their ways to create engaging messages to fool your filters, both automated (like Akismet, who dutifully collected all the ones exposed in this post) and human. I’ve been collecting the best of breed (I know, I live a very sheltered life), such as…

The Ones Sucking Up

Aaaah, the day-to-day of spam. “Magnificent”, nothing less!

“Famous”! Money! Girls! Bling! Bring it on!

“Amazing”, yay! Although I hope you realized you are trying to advertise train horns on a tech blog. Train horns.

The Confused Identities

Why thank you, Sabine — I mean Dave. Hmm, wait.

The Sarcastic

The colors on this post are amazing? Are you on drugs?

Ah, yes. Writing about SICP almost got me killed by M.I.T.’s own Secret Service. As a matter of fact, I’m hiding in Kazakhstan right now.

(On a serious note, I emailed Hal Abelson about a typo in the online version of SICP and received a very nice answer by him personally the very next day — hats off to you, sir!)

The Keyword Bingo

Gotta unlock ’em all!

The Compliment That Wasn’t

This starts well… Grow, trendy, extremely amazing, attractive… Yeah, classical spam. But at closer look, this is actually a poorly translated troll insinuating that my post is unworthy. Darn!

The Cringe-Worthy

It is very telling whether you consider “incite full” or the concept of high-waist shorts to be the worst part of this spam. I can’t really pick, they’re both frightening.

The Big-In-Japan

A slight variation on plain sucking up is doing so in different languages.

Google translating that last one gives:

Hello interesting post, I liked a lot, maybe we could become blog palls:) lol!
Aside from the jokes call me Navid and look like you publish on the Internet although the theme of my room … this is very different.
I study the pages on poker free bonus without risking your cash … …
Greatly enjoyed what I saw written on this second visit
I shall return:)
Ps: I have a bad Portuguese

Thumbs up for the politeness and the disclaimer at the end. That’s top quality spam. Not so much to say for the reading skills though, because I don’t remember discussing online poker strategies together with ncurses.

The Philosopher

Wow! That turns out to be an (unsourced) citation of the late John Enoch Powell, a conservative English MP who’s also quoted as saying “reading one’s diary is like returning to one’s own vomit”, which may or may not be a more appropriate metaphor for blogs. And spam. Oh well.

The Prescient

Apart from the fact that they fscked up the URL bbtag — HOW DO THEY KNOW ABOUT MY SECRET PASSION!?

–

–

–

–

–

pity the lolcat, by tizzie on flickr

What were your best ones?

No matter if it’s a major version change or just a small bump (let’s say… 3.0.4 to 3.0.5, uh?), I always end up downloading the whole thing and updating it manually because the update page stops responding and plainly goes blank.

Instructions for update are here, by the way. And after the steps to update, they include that little snippet of wisdom:

Consider rewarding yourself with a blog post about the update, reading that book or article you’ve been putting off, or simply sitting back for a few moments and letting the world pass you by.

How could anyone be angry at WordPress after that?

Tunalysis development is doing good, as sporadic as it may be. The next step is to rework/refine the algorithm giving rankings, in order to achieve better results. I’ll try to include the “Last Played Date” in the mix, and maybe also use the Date Added.

More good news: no need to install gems by yourself anymore, everything’s included by Bundler.

Tunalysis’s on GitHub!

First, a word of warning: Amazon IPs generally aren’t highly considered, spam-wise. Meaning that even if you take all the precautionary steps, your emails might end up in spam folders. If email is business-critical for you, you might want to consider other options: host your mail server somewhere else? Use something like SendGrid?

This said, let’s dive in!

Prerequisites

I assume you have the following:

• A domain name, with control over the DNS records
• An EC2 account

Pick an AMI

Let’s start by creating an EC2 instance. I began with the vanilla AWS Linux micro instance, which seem to be somehow Fedora-based, and it was a pain. Now do yourself a favor and pick a Debian-based OS. It will make things much more easier.

Eric Hammond and Canonical themselves provides Debian and Ubuntu AMIs, which are a great first step. You can even bypass the whole Postfix config by using one of these AMIs.

Assign an elastic IP to the instance you launched. We will need it for the DNS setup.

Configure Postfix

Now’s the time to be very lazy and just redirect you to Ivar Abrahamsen‘s excellent howto on setting up Postfix. Actually, most of what I’m writing right now can be found on his howto, but let’s not stop at technicalities.

Configure your DNS

The most important step in having your email properly delivered is in your DNS configuration.

The first step is to define an A record for your Amazon Elastic IP, for example mail.mydomain.com. This will be used to set up a reverse DNS on your web server, so that other SMTP servers know that you’re not a spam relay.

Then add an MX record to the address you just defined, for example mail.mydomain.com. Now each SMTP server sending mail to mydomain.com will contact mail.domain.com, which in turn points to your EC2 instance. Awesome!

The next step is to modify your SPF record. I’ll let you work out the details with the spec and Ivar’s howto, and as an example here is the SPF record for remaildr:

remaildr.com.        1800    IN    TXT    "v=spf1 mx ip4:50.16.218.96 include:mx.ovh.com ~all"

This SPF allows MX servers and the IP address 50.16.218.96 (i.e. the EC2 instance) to send mail for remaildr.com. Only “MX” should be enough, no need for the IP in particular ? Well, I thought so, but it didn’t work so I added the IP address. Now it works. If anyone has an idea why, I’m all ears.

The include:mx.ovh.com is automatically added by OVH themselves and is not a problem in our case.

You can use the dig command to check if your DNS settings are properly set. For example, the SPF field was retrieved with a:

$ dig remaildr.com in txt

As a bonus, you might be interested in setting up DKIM (cryptographic email signing), a half of which takes place in your DNS. I’ll once again refer you to Ivan’s howto because it’s that good.

Tell Amazon you’ll be sending emails

By default, Amazon limits the amount of email you can send from an instance. You can ask them to remove that limitation very easily though, through that page.

This form also allows you to set up the reverse DNS I was telling you about. Go on, do it! Amazon usually answers to this form within 1-2 days.

Done!

That’s it!

Do you end up in spam folders? Try the test at AllAboutSpam, and check if everything’s alright. It covers about any issue your server might have.

“Hardware”

Remaildr is hosted on an Amazon EC2 micro instance, benefiting of the free tier offer. Apart from the static IP that will probably end up costing me something, remaildr should be about free.

— Edit: as of may, remaildr is now hosted on a VPS at OVH. The EBS volume of my EC2 instance blew up on me, and with the free tier coming to end, EC2 would be too costly.

Network

The remaildr.com domain is registered at OVH, because of the low price and the flexibility they allow on DNS. I added an A record for mail.remaildr.com pointing to 50.16.218.96 —the AWS elastic IP—, then modified the MX record for remaildr.com to point to mail.remaildr.com. That way, every email sent to any_address@remaildr.com will be sent to the right mail server. Having an A record also allows reverse DNS on the mail server, often used to flag spam.

Other DNS modifications included the SPF record, which allows the mail server to actually send emails in behalf of remaildr.com, and a TXT record for DKIM — cryptographically signing outgoing emails.

OVH provides a free 1MB web storage for each domain name subscription, which is more than enough to host the remaildr.com website, weighing about 30KB.

The mail server

The email server at OVH is a run-of-the-mill Debian Squeeze. It runs a Postfix server, configured to forward a few specific email addresses (for example abuse, postmaster and info) to my account, and let everything else go to a catch-all account called remind.

A set of two Daemonized Ruby scripts will then do all the work:

• receivr.rb will fetch the emails in POP, compute the send date, then put the remaildr to send back into a PostgreSQL database as a Base64-encoded marshalled ruby object (akin to how DelayedJobs works as far as I understand)
• sendr.rb will read the database and send all the emails who need to be sent

Of course, the code is on GitHub.

That’s about it! Feel free to ask any questions, and I’ll answer as well as I can. :)

http://sowhatcouldigetatmcdonalds.com/

The concept

The idea for this website popped up as I was chatting with fellow students; something along the lines of “hey, wouldn’t it be cool if you had a website that’d told you, like, you know, say, for $24 you can have a bunch of big macs, 12 large fries and a sundae? hu? pretty neat, heh?”.

Their answers, mostly “hmm yeah I guess” and related lukewarm comments were not that encouraging of a feedback; so if you don’t think it’s that neat, don’t worry.

But really, as you probably noticed, the concept of the website is pretty simple. I have some money, you have a McDonalds menu: let’s make that work!

NP-completeness

Well it turned out that this problem is actually NP-complete, as in an O(n^errr okay that shit is hard) kind of complexity – XKCD sums it pretty well. To be more formal, it’s a problem that cannot be solved both fast (in polynomial time) and accurately. A long line of people attempted to maximize their bang for the buck at any restaurant (I only remembered the XKCD strip after starting to code, did I unvolontarily plagiarized it?), and it’s called the ‘knapsack problem‘ – or ‘unbounded knapsack problem’, if you really want to shine at parties.

Algorithm

The best (known) ways of solving the knapsack problem involves some heavy and interesting stuff, like dynamic programming, or even what wikipedia calls a “fully polynomial-time approximation scheme” (I didn’t even check that out, search at your own risks). Considering developing that would already take a great deal of time, I opted for a quite simpler approach, to begin with at least: my algorithm tries to stuff random McDonalds items in until there’s not enough money left. Complex algorithms? To-mah-to, to-mae-to.

Prices

Prices at McDonalds aren’t the same everywhere in the US (let alone the world), considering it’s a franchisee system. Being a truly conscientious and precise man, I decided to use the prices from someone’s picture of a McDonalds menu found randomly on Flickr (I’ll give props if I ever find the original source again).

Behind the scenes

Programming langage: Ruby

Not a lot to say here — I wanted to learn Ruby (because all the cool kids use Ruby!) so I did it in Ruby.

Framework: Sinatra

At first I wanted to use Ruby on Rails, but a bit of digging showed that Rails doesn’t really make sense for a project that small. I still plan on learning it, but Sinatra is incredible to quickly design and launch websites.

Templates: Haml & Sass

Haml and Sass are really great templating engines. Following Ruby’s approach of simplicity, minimalism and DRY, they allow you to write darn clean code that will be interpreted in HTML and CSS at runtime by Ruby (using the haml gem).

Hosting: Heroku / OVH

Heroku is hands down the simplest way to have your Sinatra app online. I would gladly repeat their sales pitch, but their website looks cooler than mine (damn pro infographists): http://heroku.com/

I also list OVH here because I registered http://sowhatcouldigetatmcdonalds.com/ through OVH’s registrar. 7€ for a year is perfect for me, and apparently even cheaper than GoDaddy.

Deployment: Git

If it’s on Heroku, it’s on Git.

I wish I used Git more during the development itself (it’s designed for source control after all), but I ended up not using it much before actually pushing the application on Heroku and GitHub.

Show me the code!

Sure! Here it is: http://github.com/Pluies/sowhatcouldigetatmcdonalds

Misc

The XHTML Transitional code generated by Haml is all neat (yay!) and passes the W3C validator (yay!) – same for the CSS (yay!). The CSS code is a little messy in my opinion though because the parens are closed inline, but I guess it’s a matter of taste.

The little bit of Javascript used to highlight the divs and generate the whole “not lovin’ it” part uses jQuery (through Google’s CDN).

—

I’ll post more about the process of getting used with all the tools in a quite-near future. In the meantime, I’m looking for any comment, criticism or advice on that project. Tell me everything!