Working out karmic issues in WordPress

“Spam Karma” that is.

I’ve set up a couple of WordPress blogs over the last year or so. Some (unlike, say, this one) have become quite popular. Especially with comment and trackback spam.

Tried Dr. Dave’s Spam Karma 2 for awhile. SK2 comes with a host of modularized spam countermeasures. The good Doctor calculates a spam “karma” per module for each inbound comment. Comments with good karma pass through to enlightenment and… the dashboard. Those with outstanding karmic issues find themselves in purgatory to await ultimate review.

SK2 worked quite well for us, though there was the occasional false positive. And periodically reviewing hundreds of messages in comment purgatory was getting to be troublesome.

Recently however I’ve come across two plugins that seem to completely eliminate spam: WP Hashcash and Simple Trackback Validation.

Hashcash uses a JavaScript proof of work countermeasure to test that a browser, not a robot, is visiting one’s site. (Robots don’t run JavaScript.) STV uses two simple checks to confirm the validity of incoming trackback links.

Since implementing these two plugins last month, spam has gone from hundreds per day, to zero. What’s more, no missed comments.

All due respect to the good Doctor, but enough of karma. I’ve finally seen the light.

Sign of the Times

Right now I’m huddled against the rain in a tent somewhere in rural New York state, working on the damn blog.  Ever-expanding wireless networks and ultra-portable laptops with eight plus hours of battery life make this possible.

It’s either a sign of the times.

Or further proof that I need to seek professional help.


Ugh. Nobody seems to know what this thing is, though it seems to be some kind of PHP worm roving the internet looking for phpMyAdmin exploits. It appears to have been around since 2005 and searches for an exploit in the phpMyAuth class of older phpMyAdmin distributions.

I’ve seen it knock one of my servers on three seperate occasions; this from the first:

[05/Jul/2007:20:26:42 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 280 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /main.php HTTP/1.0" 404 268 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 285 "-" "pmafind"

Interesting that it looks for specific versions of PHP. And odd that it announces itself by specifying a user-agent. (“Hi, worm here. Please let me in. Got a bit of infesting to do.”)

Deadmoo has a good, recent-ish post about it, though mostly Google just returns random posts and stats pages listing the pmafind referer. Where do these things come from?

mootools madness

mootools is a spectacular little JavaScript framework, but the “tricks of the trade” you need to know to get anything done with it on a timely basis can be a bit maddening. Here are three examples:

  1. The API seems to change randomly, drastically, and constantly. In v1.00 we could getElementsByClassName(), but seemingly no more in v1.11. Looking ahead at subversion, lots of API changes seem to be coming down the pipe.
  2. When using the Accordion, don’t make the mistake of downloading the automatically selected dependencies from the mootools download builder and expect it to work. The Accordion demo illustrates how to use accordions with “domready”, for which you will also need Window.DomReady as well as Element.Selectors and it’s dependencies. (To complicate matters, Element.Selectors seems to have become a stand-alone Selectors class.)
  3. When testing in IE, make sure you have a doctype declared. eg:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">

    If not, the accordion will not collapse properly, leaving lower panels filled with vast tracts of dead space, and you with a rising stress level, and even less hair, and all because you can’t, for the freaking life of you, figure out what is different between your freaking code, and the virtually identical freaking stuff on the freaking mootools site and in the end it turns out it’s just a freaking missing freaking doctype.

    (I guess IE won’t fork over DOM support unless once declares the doctype.)

So, overall, great little JavaScript framework. But.. Freaky.

Keeping the Change

Bank of America is one of a few Bank Borgs (resistance is futile; your wealth will be assimilated) that continues to swallow up local banks across the US. I opened up my current account twenty plus years ago when the local branch was a BayBank. Since the nineties it has merged with Bank of Boston into BankBoston, which was then acquired by Fleet which has since been absorbed by Bank of America. Whew.

I’d always liked the Fleet incarnation best because the logo vaguely resembles an austere-ish-looking eagle spot-checking for underarm odor. So you get an idea of the weighty consideration I apply when electing institutions to steward my financial house. Or my financial motorhome, such as it were.

About a year or so back, BofA announced a new program called “Keep the Change”. Subscribers to Keep the Change automatically have sub-dollar remainders transfered to their savings account every time they use a BofA checking account debit card for purchases. So, for example, if someone buys a sandwich for $4.50, the remaining $0.50 gets transferred into a linked savings account.

I remember asking a bank representative one day why BofA was doing this. “Because we think it’s nice”, he said. Yeah, okay. I’m sure that’s how the board meeting in New York went. Suited executives sitting around talking in low voices about how nice this will be for account holders. “It will make them smile.. and think happy thoughts about unicorns and butterflies and rainbows.” Yes, BofA wants us to be happy.

Anyway, I chalked this up as a clever marketing ploy to get people using their BofA debit cards instead of cash. Makes sense.

Out of curiosity, however, I recently stopped to check the interest rate on the saving account into which I was having money trickled. I figured it would be about two percent or so. Sure enough, there was a two. 0.2%! I did a triple-take. Less than a quarter of a percent!

Hmmm. It would seem to me then that Keep the Change, in addition to encouraging use of digital cash, is potentially even more effective at obscuring how the Bank Borg are paying all of diddly-squat to use my money. I keep the change, they keep the interest. Clever indeed.

I’ve since asked around the net for banking recommendations. Both ING Direct and HSBC Direct (with no extra-bank transfer fees) come highly recommended. Savings interest rates bordering five percent plus. That’s more like it.

Now if one of them would just get a good logo.

Rules of thumb for creating HTML emails (in Japanese)

This always turns out to be much more difficult than it should be. Part of the problem is that there are many, many more email clients out there in common use than there are web browsers. And all of these email clients either use their own subset of HTML or, in the case of webmail, special filters that attempt to convert HTML-ized messages into a “sanitized” format.

Here’s some basic rules of thumb to follow:

  • Drop the doctype and head section.
  • Keep it simple. No fancy table nesting.
  • However, do use tables for positioning, rather than CSS.
  • If using CSS, keep it inline, or better yet avoid CSS altogether and use tags to apply style. (Pretend that it’s 1998 and stylesheets don’t exist.)
  • Avoid background images.
  • Call images from the server; don’t attach.
  • Don’t link to documents secured by SSL.
  • Use images as links if you want them to stand out in a color other than blue.
  • Encode Japanese in JIS (iso-2022) for widest email client support.
  • Before you hit that send button, test, check, test and check again, and.. Pray.

Unlike a correction to a web page, you can’t do a quick edit and “take back” what you just put out there. And because you’re pushing information at people rather than allowing them to pull it on their own terms, if the information is not relevant and easy to see, some folks could even become a bit angry. Or potentially very.. very… angry. Expect a call or two. Hoo boy.

For more information, Xavier Frennette has a terrific blog post outlining the types of CSS support in various webmail clients. The folks at Campaign Monitor have followed up with an increadibly thorough chart of all the popular clients. Definitely worth a look.

Finally, consider marketing webmail service. I am. More and more of these are popping up; for a small fee you can offload much of this heavy design lifting to them.

Passive FTP on IIS6

Lately I find myself wading through a lot of IIS-related issues and the IIS6 FTP server has been driving me crazy.

I’ve never really worked with IIS before. Given Microsoft’s bent to make things as simple as possible, I’m surprised at the amount of time I have to spend figuring out basic configuration issues. The various Microsoft GUIs contain no way to set a passive FTP port range, or even a range of ports in Windows Firewall for that matter.

I’d originally assumed that I could just add the FTP server .exe to the list of exceptions in the firewall Exceptions tab: This way any ports that the server opened would be automagically accepted by Windows. From the running services it appears that Inetinfo.exe is the FTP server, or at least encapsulates an FTP service along with other services. An article here tells me that adding Inetinfo.exe to the list of exceptions would be rather naughty, so I have resorted to the tedious, manual means of configuring and opening passive FTP ports. I wonder if there’s a real FTP server binary somewhere in there that I could make an exception.

Anyway, the manual process in a nutshell…

  1. Set some passive ports in the IIS Metabase:
    C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5000-5010"
    (note that you cannot explicitly tell IIS to use active or passive.. it wants to figure that out for itself based on the available ports and what the ftp client is requesting)
  2. Open same ports in Windows Firewall:
  3. Restart IIS:
  4. Go back to doing more productive things.

Unless you have a lot of people FTPing in and out of your server, ten or so open ports should work.

Thanks to New Age Digital for their straightforward article on this. Some may also want to read the Slacksite article, the definitive explanation of Active/Passive FTP.


For as long as I can remember it’s been a royal pain in the butt to log into a Linuxy server from a Windows box and get work done in Japanese. Tera Term, with fairly good multiple-encoding support, was fine back in the days when password authentication was still thought to be secure and most of us associated ssh with testy librarians.

I recently had high hopes for a reincarnation of Tera Term as UTF-8 Tera Term Pro with TTSH2. Though there seems to be a lot of activity, I could never get key-based authentication to work and had to go back to a rather clumsy, hacked version of PuTTY.

I’d downloaded Poderosa some time back but never really played around with it; for the most part I thought it was tabbed, scalable Cygwin. Recently, however, I noticed it’s nifty little encoding pulldown.



Rather than just launching Cygwin I tried out it’s SSH key wizard, maneuvered a login, broke the window into three or four tabs and then split them again vertically, horizontally, and wow.. this thing is really easy to use.

What’s really amazing is that the Poderosa project seems to be sponsored by the Japanese government. Brilliant, as this is a hugely powerful tool for Japanese engineers; many of whom suffer post-traumatic multiple encoding disorder. (“Ok, so if I cat this text through recode maybe I can see what’s going on here, as long as the hankaku doesn’t mojibake..”)

That said, I’d really love to know which section of the government they convinced to cough up funds, and how on Earth they presented it. Someone higher up must be a Linux engineer.

sudo sanity

How to have to punch in your password only once per day (or less):