Tag Archives: Alternative Browser Alliance

The Spammers, The!

I recently noticed that the mail server was experiencing 4 times the typical number of SMTP connections. It didn’t seem to be under any stress, though, not as far as server load went. So I watched the log file trail, and saw a bunch of messages coming in to nonexistent users with the pattern, FirstnameLastname@alternativebrowseralliance.com.

My first thought was that someone was running a dictionary attack against the domain, trying many different addresses to see which might be valid. Then I noticed that they seemed to be coming from <> — in other words, they were bounce notices.

Great. A Joe Job.

I enabled a catch-all temporarily. That did cause the server to slow down, as it was now actually processing the quadruple load instead of kicking back 3/4 of it with a “User unknown” error. (I hadn’t thought to disable spam scanning on the domain first.) In the 30 seconds before I turned it off again, it picked up 25 non-delivery notices. And those are just the ones that got past the spam filter.

As it turned out, they were just random junk. Some spammer had picked the domain and was using it to forge random From: addresses, and we were getting the bounces. In the old days they made up the whole address, but it’s easy to check whether a domain exists. So now they pick some real domain and make up a fake address. That’s harder to detect unless the domain in question uses some sort of verification system like SPF or DKIM.

So it wasn’t a Joe Job: no one was trying to besmirch the site’s reputation. It still meant extra traffic to the mail server, though.

This problem is called backscatter, and it exists for two reasons:

  1. The sender address on an email message is easy to forge, like writing a fake address on an envelope.
  2. Many mail systems will accept a message first, then process it. If it then decides to reject it, it can’t respond to the actual sender, only to the one listed in the message—and in the case of spam, it’s usually forged (see #1).

I don’t send any mail using the domain. The only reason it even has mail pointed anywhere is so that I can receive mail sent to the webmaster for the Alternative Browser Alliance. I suppose I could set up a -all (no servers are authorized) SPF record, and hope some recipients decide not to send bounces. But I’m not sure how much it would actually accomplish.

Anyway, the two lessons to take away from this are:

  • Reject messages to bad recipients in the initial SMTP transaction. It’ll protect your server from backscatter (and dictionary attacks), because you won’t have to queue and process all the extra junk.
  • Don’t generate bounce messages after the fact based on something as easily forged as the supposed sender. Otherwise, you’ll be contributing to backscatter.

Survived a Mild Slashdotting

This server weathered its first Slashdotting last Friday, or at least the first I’ve noticed. But then, it was a mild one compared to some reports I’ve seen.

While writing up my commentary on IE dropping WGA last Thursday, I realized that the original story was perfect for Slashdot. It had Microsoft, anti-piracy methods with privacy concerns, Internet Explorer and browser marketshare. So I looked to see if the IE team’s post was on the Firehose already, didn’t see it, and wrote up a quick submission. I also realized that I had an opportunity to plug the Alternative Browser Alliance in the text of the submission—something that I hadn’t been able to do on previous stories I’d submitted. (This is my 6th Slashdot submission to be accepted.)

So I submitted it Thursday evening, got a couple of dozen hits from the Firehose, and it got accepted around 11:30 pm, local time. I took precautions in case the traffic spilled over onto the blog, like turning on WP-Cache and disabling a few plugins, then went to bed. Continue reading

Will Internet Explorer 7 finally put IE6 to rest?

Internet Explorer.Microsoft’s Internet Explorer Team reports on a new IE installer release. They’ve changed a couple of defaults, updated their tutorials… and dropped the requirement for Windows Genuine Advantage validation:

Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we’re updating the IE7 installation experience to make it available as broadly as possible to all Windows users. With today’s “Installation and Availability Update,” Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users.

As much as I prefer alternatives like Firefox and Opera, I’ve been frustrated at the relatively slow uptake of IE7. It’s just insane that 6 years after its release, we’re still stuck designing for IE6 as the world’s most-used browser.

So who’s still running IE6?

  1. People running older versions of Windows that can’t run IE7, and who haven’t switched to something else. (This is a pretty small percentage, judging by OS stats.)
  2. People who don’t know how to upgrade to IE7, or why they should.
  3. People who actually want to stay with IE6 (whether for technical reasons or just stubbornness)
  4. People who would be happy to upgrade to IE7, except they can’t/won’t run WGA (on principle, or because it’s broken on their system, or because their OS is pirated).

I don’t know how big each group is, but Microsoft seems to think it’s worth going after #4.

It’ll be interesting to see whether there’s a jump in IE7’s marketshare relative to IE6. Maybe we’ll reach that next milestone sooner than I expected.

Firefox and IE Users: Time to Upgrade

Are you still using Firefox 1.5 or Internet Explorer 6? If so, it’s time to start seriously thinking about an upgrade.

Firefox.Firefox 1.5 reached the end of its life today. That means that security and other fixes will only be available for Firefox 2 and later. Firefox 2 will run on all the same systems as the version you have right now, plus it gives you enhancements like spell check, phishing protection, and improvements to the features you already use.

Internet Explorer.Internet Explorer 6 is outmoded. It has limited support for the languages that make up the web (particularly CSS), and often disagrees with every other browser out there, forcing developers to write complicated code so that it will work on IE6. If you’re running Windows XP, you can upgrade to Internet Explorer 7. If you’re running an older version of Windows, you can benefit by switching to an alternative browser such as Firefox
or Opera. Whether you switch or upgrade, I highly recommend moving away from Internet Explorer 6.

Update: Mozilla has extended Firefox 1.5 support through mid-May.

Firefox too mainstream for Alternative Browser Alliance

Alternative Browser Alliance - New LogoI’ve been thinking about this for a while, but it’s time to refocus the Alternative Browser Alliance. Mozilla’s Asa Dotzler has referred to Firefox and Internet Explorer as the “mainstream browsers” for more than a year now, and it looks like that’s become true.

The web is no longer an IE monopoly. It’s become an IE/Firefox oligopoly. Firefox is no longer an alternative web browser. It’s sold out, its ads are everywhere, and it even allows people to build Firefox-only code.

So, starting today (April 1, 2007), the Alternative Browser Alliance will no longer promote Firefox.

So what will replace it? I thought about Opera, but most of its install base is on cell phones and PDAs, and we all know the mobile web browser is dead, right? Safari? Well, it turns out that WebKit is shutting down.

So the site will be putting its weight behind iCab. It’s as alternative as they come, and it’s guaranteed to remain that way (since it won’t run on Vista).

Update: Yes, it’s an April Fools joke.