Michael J. Radwin's blog

Either We Kill Click Fraud or Click Fraud is Going to Kill the Online Ad Business

We got a little bit of good press today. See JackMyers Media Business Report: "Either We Kill Click Fraud or Click Fraud is Going to Kill the Online Ad Business." Anchor Intelligence Launches ClearMark.

I've been at Anchor Intelligence (formerly Fraudwall Technologies) for a little over a year now. Writing code to fight the bad guys is good fun.

Changing default Yahoo! language from English to Spanish

My cousin is spending quite a bit of time in South America, and he wants to change his Yahoo! Mail account to display user interface elements in Spanish instead of English. He asked me for help, and sure enough, there was nothing useful at the Yahoo! Mail Help site. I tried it out on my account, and these are the steps I had to go through to get it to work:

1. When you go to Yahoo! Mail, at the top of the screen next to the Yahoo! logo, you'll see a link that says "My Account". Click that link.

2. The next page says "Review My Account Information" and it has a section entitled "Member Information", right below the Name/Yahoo ID, Yahoo Mail Address/Password section. Click the "Edit" link to the right of the "Member Information" to go to the next page.

3. This page should say "Edit Member Information for: johnsmith" at the top. The third section says "General Preferences". It says "Preferred Content: Yahoo! U.S.". Click the "Yahoo! U.S." link.

4. On this page, find the "New Setting" pull-down menu and pick the choice you want ("Yahoo! U.S. in Spanish" or "Yahoo Argentina" or whatever). Click the "Finished" button.

5. Accept the new terms of service (which should be displayed in Spanish) by clicking the "Accepto" button.

6. Click the "Terminado" button to complete everything and go back to Yahoo Mail. It should be displayed in Spanish now.
   

It's good that you're able to do this (I imagine that some webmail sites won't let you change your language preference at all after registering) but it shouldn't be this hard.

Sorry for wasting your time. I'm just new with java.

Date: Thu, 08 Sep 2005 17:58:38 -0500
From: Richard ... <...@hotmail.com>
To: michael@radwin.org
Subject: Java.io and java.util

I know you don't know who I am, but I'm trying to get help with Textpad. I'm
trying to use java.io and java.util and can't seem to get it to work. Are
those classes that need to be in the same folder or what. Sorry for wasting
your time. I'm just new with java.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Photography & the Where 2.0 Conference

I'm at the O'Reilly Where 2.0 conference in San Francisco today and tomorrow. The conference is really interesting; Udi demo'd the A9 Maps product (which they finished at 2am last night) and we also got to see a splashy marketing-oriented preview of Microsoft's Virtual Earth poduct.

As a recent Flickr subscriber, I was intrigued by the use of Flickr to host Where 2.0 conference photos. It's a great way for the official conference photographer to post his pictures online, but other people can also publish their own images there, too. Kinda like a shared blog, or a visual messageboard, or something.

Adding EXIF data to Treo 650 cameraphone pics

I just got a Flickr Pro account and I've been uploading my digital photos. My Treo 650 doesn't stick EXIF data in the JPEG images it captures, so Flickr assumes that the "posted on" date is the same as the "taken on" date.

The file attributes of the Photo_MMDDYY_NNN.jpg files accurately reflect what time the picture was taken, so here's a short Perl script to embed that data into the EXIF part of each file:

#!/usr/local/bin/perl -w                                                        

use strict;
use POSIX ();

foreach my $file (@ARGV) {
    my $mtime = (stat($file))[9];
    my $ts = POSIX::strftime("%Y:%m:%d %T", localtime($mtime));

    system("exiftool", "-P", "-DateTimeOriginal=$ts", 
           "-Make=PALMONE", "-Model=Treo 650", $file);
}

exit(0);

I tried using the jhead tool to do this, but it won't create an EXIF header if one doesn't already exist. The Image::ExifTool perl module had the functionality I needed.

There's certainly a way to use the Image::ExifTool perl module directly, but it was easier to just shellout to the command-line utility.

Battleground, MN

I just watched the 8-minute web video of Battleground Minnesota. It's a Get Out the Vote documentary aimed at young voters which aired on public television last fall.

We didn't know why Gabriel had been so delinquent in updating his blog last year. We figured he was working on some other project. Now we know he was busy directing a rather cool documentary and inspiring Drew Barrymore to do the same.

If you like the video, vote for it at INdTV.

Or buy the video of the 30-minute version for $14 plus shipping & handling.

Perl or PHP modules for XLIFF?

Do you know of any good Perl or PHP modules for parsing XLIFF?

I've gotten a couple of emails from folks asking about making a French version of my Jewish Calendar Tools website. They've volunteered to do all of the translation work themselves if I send them a file to be translated.

Most of the site uses Perl CGI.pm, although parts of it are written in PHP.

The way I see it, I have a few options:

1. GNU gettext message catalogues. Easy interface with CPAN Locale::gettext module and PHP gettext extension.
2. Hack something together myself. Send the nice French people an Excel spreadsheet of all of the strings on the site and have them send it back to me. Export to CSV file, then import into whatever format I want (probably BerkleyDB or maybe some custom XML format). Repeat the exercise for a future Hebrew version.
3. Use XLIFF (XML Localisation Interchange File Format), which is a hip new standard and happens to be what ICU (International Components for Unicode) uses for its message catalogue format.

Option #1 has been around for a long time, but has its warts. Option #2 is what I would've done back when I wanted to write everything myself. But I want to learn more about ICU anyways, so I figured XLIFF would be the right place to go.

I expected to find a Locale::XLIFF module on CPAN or a Translation_XLIFF package on PEAR, and was surprised when my searches turned up 0 results.

Cygwin vs. UWIN

I got an email last week from AT&T Labs saying that UWIN 4.0 had been released.

I must've signed up for the uwin-announce mailing list a long time ago, because there hasn't been a message sent to that list in over four years. Last I remember, UWIN 2.2 was hot off the presses during the summer of 2000.

Does anyone actually use UWIN anymore? At one point, you had to pick between UWIN, the MKS Toolkit, and Cygwin. They were all brand new technologies, and all competing for mindshare. But it seems to me that Cygwin has developed the largest community over the years. It's what I still use on my Windows laptop.

Someday I'll be like all of the other cool kids and have a Mac laptop. Then I won't care about things like Cygwin or UWIN.

A new spin on Yellow Pages

A9 launched a beta of Yellow Pages this evening. They've got the same DHTML interactive map that Yahoo has, but differentiating feature is an image of every business listed.

For example, one of my favorite LA restaurants is Real Food Daily. Apparently they acquired these images by driving trucks with digital cameras and GPS around 10 major US metros. [Read more...]

Frequent Flyer

I got the following error message while trying to change an itinerary on the Southwest website:

southwest.com

What happened? This trip requires 35664 award coupons, but you only have 1 in the reservation. What you need to do: Go back to the previous page and modify your selection. Reference Number: 300067 Occurred:  12/21/04 10:40:38

Dead or Alive?

A side-effect of distributed editorial responsibility:

McWireless

Ariella and I are at McCafe on El Camino Real in Palo Alto. She's preparing materials for a lecture she's giving this week, and I'm writing annual performance reviews for my team. If you buy a coffee drink (I got an Americano for $1.45) you get a free hour of wireless internet access. 802.11b/g network is provided by WayPort.

According to the Bandwidth Place's Speed Test, I'm getting 316 kilobits/second. Not bad.

I am pleasantly surprised to report that the coffee is pretty good, too. And their baristas don't seem to have the same angst that I expereience so frequently at Starbucks. And they even bring the coffee directly to your table!

I'm not thrilled about giving my business to McDonald's (they have a bad track record for being vegetarian-friendly) but I just can't complain about this place. Their Chipotle mexican fast food chain is also quite good.

Open HTTP redirectors

There has been much discussion about open e-mail relays, but very little about open HTTP redirectors. An open redirector is hosted by foo.com, but will unintentionally send you to bar.com. This can have interesting effects on PageRank or can trick users into clicking on something that isn't what it seems.

After many months of abuse by spammers, the rd.yahoo.com redirect server is now closed.

Yahoo! has used a redirect server for a long time for tracking clicks from one Yahoo! website to another.

http://rd.yahoo.com/example/?http://travel.yahoo.com/

Last year, spammers started using rd.yahoo.com in email messages to trick unsuspecting users into thinking that they were clicking on a Yahoo! website. They started sending out emails with links that looked like this:

http://rd.yahoo.com/example/?http://204.92.99.152/

Users saw the yahoo.com domain name and figured it must be some official Yahoo! site, not realizing that the server would redirect to another IP address. So we started blocking those types of URLs (easy to do since we'd never use a dotted-quad for anything legit). So the spammers switched to something a little more clever:

http://finance.yahoo.com:80@204.92.99.152/

The trick here was a misuse of the clear-text "username:password@server" authentication feature. It made it look like you were accessing a yahoo.com URL, but in fact were going somewhere else. These were particularly insidious, since they didn't even go through our redirect servers, so there was nothing we could do to block them. Microsoft got rid of the problem for us with an update to Internet Explorer 5 and 6 that simply disabled the feature altogether. Mozilla followed suit by displaying a warning dialog box when this type of URL is used:

You are about to log into the site "204.92.99.152" with the username "finance.yahoo.com," but the website does not require authentication. This may be an attempt to trick you.

Is "204.92.99.152" the site you want to visit?

So the spammers went back to abusing Yahoo!, but this time with actual hostnames:

http://rd.yahoo.com/example/?http://www.online-casino.com/

This not only tricks email users, but when used on the web can (in theory) also influence PageRank-type algorithms.

We had no choice but to either maintain a whitelist (lots of server-side state to manage) or implement a digital signature algorithm. We went with the digital signature approach. So now you can safely click through to partner sites:

http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.hp.com/

But if you try to recycle the same signature with a different URL, you'll get a 403 Forbidden:

http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.online-casino.com/

Finally, rd.yahoo.com does what it's supposed to do and nothing else. Frustrated spammers out there have probably already started to abuse someone else.

http://www.google.com/url?q=http://204.92.99.152/
http://www.google.com/url?q=http://www.online-casino.com/

:-)

NFA 2.0

I had dinner with Jeske last night. Hadn't seen him in 3 years so we had a lot of catching up to do.

After doing the Never Fucking Again project he decided that he wanted to do something different.

But now he's back at it again with NFA 2.0. Or maybe that should be NFARIMITT (Never Fucking Again, Really I Mean It This Time)? I guess when you've got a great idea, you're destined to reinvent it more than once.

TNT: AIM for Emacs

TNT, an AOL Instant Messenger client for Emacs, released version 2.5 this week. I've used it on FreeBSD, Linux, and Windows 2000 and it's always worked like a charm. If you're not into the whole GUI thing, TNT is a superb alternative to Gaim.

WeatherPop 2.0

Glucose Inc. released WeatherPop 2.0 today. It's an $8 Mac OS X app (free 2-week trial) that displays the weather in the menu bar right next to your AirPort status and battery indicator.

What Will Happen When We're Always Connected?

Brown University VP of Research avd will be moderating a talk on Monday April 26, 2004 at 6pm entitled "What Will Happen When We're Always Connected?" The forum will be held at Macromedia Inc. in San Francisco, but there's also going to be a web simulcast.

Many people know Andy as co-author of the classic CG textbook Computer Graphics: Principles and Practice. I know him as the charismatic Computer Science professor who convinced me a decade ago that med school wasn't the right path for me.

PayPal fraud, part two

I mentioned last week that I received a strange payment via PayPal that appeared to be fraudulent. I rejected the payment, and then the buyer decided to send me $1.20 instead of $0.20. I accepted that payment just to see what would happen.

Sure enough, it was fraud. I got email from PayPal today confirming my suspicion.

Dear Michael Radwin,

It has come to our attention that you may be the recipient of potentially fraudulent funds. We have initiated an investigation into this event. In the meantime, we have placed a pending reversal on the funds in question until the investigation is complete. This pending reversal will show as a deduction in your available balance. In the meantime, you are free to continue transacting using your PayPal account.

Transaction Date: Mar. 8, 2004 21:03:59 PST
Transaction Amount: $1.20 USD

In the past couple of weeks I've received several of these transactions (more recently they seem be sending $1.00 instead of $0.20), and many have the distinguishing feature that the person sending the money's name is spelled out in CAPITAL LETTERS only.

KENT CORZINE
SHAWN STINGEL
MIHAIL NEHOROSHEV
DONALD BIGGS

Moreover, all of them have @yahoo.com email addresses. If you're going to try to commit fraud, you've gotta do a better job of looking like a legit user.

$0.20 PayPal fraud?

Recently I've been receiving a number of $0.20 PayPal donations via the Jewish calendar website that I maintain. I think this has got to be part of some sort of fraud.

Since PayPal charges up to $0.30 in fees, these donations don't make me any money. Luckily, I'm not losing 10 cents apiece (PayPal is generous enough to charge only a 20 cent fee on these transactions), but it's essentially a waste of my time if the donation is less than $1. I've been processing refunds manually, but I'm wondering if I need to go thru the effort to set up IPN and automatically reject them.

Would you believe an ID phishing scam like this?

I just got an identity theft lure via e-mail today:

Of course it looks completely fake (what bank would send out official email like this with so many misspellings?) yet American consumers lost $5 billion last year to ID theft [Public Enemy No. 1: Identity Theft, Wired 12.02, pp. 44-45].

There may be some good news. The latest IE 6 patch released by Microsoft this week disables the http(s)://username:password@server/resource.ext syntax in URLs. They shoulda done that years ago.

Mozilla LiveHTTPHeaders

Today (thanks to Jeremy and Rasmus) I learned about a tool that I never knew I needed but now can't live without: Mozilla LiveHTTPHeaders.

I've been debugging HTTP for years using trusty text-based tools like telnet and nc, but today a quasi-technical person stopped by my cube to ask for help with a caching problem and they really needed a GUI-based solution.

LiveHTTPHeaders lets you open up a separate window or tab to display HTTP headers in real time (while pages are being downloaded from various websites). It makes it pretty easy to see the various caching headers (like Cache-Control, Expires, and Pragma) and also follow trails of 302 redirects, Cookies, etc.

It also adds a cute Headers tab to the Page Info dialog box for information about the currently active page:

Absolutely brilliant. Probably something I'll use at least once a week.

Happy Holidays from Angrybot

You have received a special Non-denominational Winter Holiday
Greeting from Angrybot.

Governor Arnold Schwarzenegger

On the morning of Monday, November 17th, Arnold Schwarzenegger was sworn-in as the 38th Governor of California on the west steps of the State Capitol.

My new Web Hosting ISP

I love DreamHost, my new ISP. I now have most of my domain names (hebcal.com, shtibl.com, and the rather stale utf-8.com) hosted there now.

JR convinced me to switch last month. Even though I've been absurdly busy with Rosh Hashana, Yom Kippur and Sukkot, I'm happy I initiated the switch.

For about the same price, DreamHost gives me more of what I want: more disk space, ability to manage fowarding email addresses without having to bother a sysadmin or trust myself to procmail, mod_php compiled directly into Apache, phpMyAdmin already pre-installed, etc.

Due to the complexity of the software that runs my High School Alumni Internet Directory, I haven't had the time to migrate radwin.org yet.

Front Page News

I saw this photo on the front page of Yahoo! today:

"The MTV Video Music Awards turned into a red-hot, all-girl smooch-fest last night as Madonna, Britney Spears and Christina Aguilera performed a raunchy, bump-and-grind dance routine that ended in explicit, open-mouth kisses."

I'm glad to see we still have our editorial integrity. :-)

Tribe.net: online communities redux

My friend Chris persuaded me to sign up for tribe.net, an online community/job networking website.

It's like 1999 all over again, and the web still sucks. Back then, PlanetAll promised to help you manage your contacts so you'd never need to update your address book every again; you just "linked" to someone's PlanetAll account and any changes to their contact info would propagate to your PlanetAll account. Amazon bought 'em, tried to use them as a vehicle for selling books, and then eventually shut the site down when they couldn't figure out how to make it profitable.

Then there was good ol' sixdegrees. That site was designed around the cute concept of "six degrees of separation" between any two people on the globe. You could sign up on the site, but you had to earn enough karma points (or something like that) by getting people to link to you and verify your membership in order to get any value out of the service. I don't need no stinkin' website to validate my existence.

Even my employer jumped in the online community game with Yahoo! Clubs. The site combined message boards with photo albums and member lists. I think the most popular section was the Hanson Club; the site was really just a place for 12-year-old girls to hang out and chat about their favorite bands. But after a year or so, folks got tired of having to remember to go back to the site to check for new messages. So we replaced it with Yahoo! Groups, an email-centric service, which is quite popular and still going strong. Mmmm, bop.

All quiet on the Online Community Front for a couple of years.

But now we've got the venerable Friendster, with 1.3 million users and a lot of buzz. I've seen a demo at the urging of a friend in Seattle, but right now it seems like a dating service in disguise. It claims to be much more than that ("It's a great way to meet people just to increase your social circle"), but I have my doubts. The site is free now, but they're going to start charging $8 a month; that's cheaper than other online dating services, but I lost interested in that scene several years ago.

This Spring, my friend Rachel introduced me to Meetup, an online/offline community site which helps you arrange in-person get-togethers at coffee shops or restaurants. The idea is that people in your geographic vicinity might interested in anything from stamp collecting or Howard Dean, and if only you knew about these other folks, you'd all start a club and become best friends instantaneously. All while drumming up some extra business for Starbucks. Online community meets offline community. Or something like that.

So now tribe.net shows up on the scene. Despite Chris' urging, I'm pretty hesitant to join. "Isn't this just Friendster all over again?" I ask. "I'm a married man, you know."

"No, it's not a dating service. This site has got a much bigger emphasis on professional networking," he replies. "You really oughta see for yourself." So while Ariella was studying for a Greek exam last night, I signed up and took a look around.

The site is still pretty small, but there's potentially some value. I even found a classmate of mine from BrownCS through the Brown "tribe". And a friend of a friend of Chris was hunting around for a JPS Commentary on the Torah. But the guy lives in Utah; wouldn't it be easier for him just to buy it online than for me to ship it to him so he could borrow my copy? I wonder what the value of a networking resource is (especially in the job market) when most of the contacts don't live in the my area.

Tribe.net does definitely do one thing right. Instead of using a rigid categorization scheme for things like interests or skills, it lets you enter free-form text. The software engineer in me realizes that almost every click on the website results in some full-text query (which has gotta put a burden on whatever search technology they're using), but the end-user in me likes the fact that I don't have create my profile based on someone's preconcieved notion of the universe. You'll never find choices like Egalitarian Hasidic or Conservadox on a drop-down menu.

If you're curious, drop me a line and I'll send you an email invitation to the site. For some reason I can't get a generic referrer link to post on my website. Hey, no surprise here; the web sucks.

I found the cure for hope

Avital laughed at my coffee mug yesterday at breakfast. Although familiar with the genre of "inspirational posters" from the SkyMall catalog, she had never come across the parodies of them. Obviously she had never seen Derek's cube.

Back in 1999 when Yahoo! was still a relatively small company, we did a deal with Despair, Inc. In exchange for free stuff (T-shirts, mugs, posters, calendars) we gave them some free advertising in the form of a BooHoo! web portal. They came by and took some photos in our cubes of us wearing their "I found the cure for hope" T-shirts.

The photos they took got heavily Photoshopped. Compare the expression on my face in the photo at the bottom of the phony press release with the original. They turned my smile into a frown!

Strong Bad: fhqwhgads

From Yoav Schlesinger's Blog: Everybody to The Limit.

McWireless

I read today that McDonald's is doing 802.11 in the San Francisco Bay Area.

"McDonald's and Wayport Bring High-Speed Wireless Access to 75 Restaurants in the San Francisco Bay Area... McDonald's is the first quick service restaurant to offer high-speed wireless access in a major market. The new Wi-Fi service will be available at approximately 75 McDonald's restaurants around the Bay area with the first 55 going 'live' today."

See also article on News.com.

I don't care. I won't eat there because they're not vegetarian-friendly.

Absurd interactive animation of the day

Local musician Craig Taubman recently posted an amusing kosher pickle animation on his website.

If LAUNCHcast had an absurd category for music, I'd be sure to rate it 100 so I could hear the music like the Kosher Pickle song every day.

How to consume RSS safely

Excellent reading for web engineers: How to consume RSS safely.

Mark lists 10 HTML elements that must be stripped to safely display HTML from an RSS feed. He mentions stripping style attributes from RSS, but fails to mention an even more imporant set of attributes: the JavaScript event attributes.

Sure, you'll want to leave <img> tags in the RSS feed, but what about those nasty onmouseover="..." attributes?

Damned if you, damned if you don't

I had a chuckle when I read these two bullet points in the Mozilla Firebird 0.6 Known Issues release notes:

• Form auto-complete is still an unstable feature and may lead to crashes.

Followed immediately by:

• Disabling of form auto-completion is not working.

Makes me wonder why I'd ever consider using something other than the World's Most Popular Browser.

Economic cost of the support@microsoft.com virus

Those wacky virus people have done it again. The big@boss.com virus (W32.Sobig.A@mm) has mutated into the support@microsoft.com virus (W32.Sobig.B@mm).

Ariella and I were chatting about this over lunch. She suggested that if the government simply bought the rights to distribute Norton Antivirus and legislated that it be installed on all computers, we could do the economy some good. Congress would probably be a little reluctant to write a check for $8 billion (back-of-the envelope calculation: ~200 million Windows PCs times $40 a copy), but it would probably pay off over the long term. The Slammer virus alone apparently cost $1.2 billion in lost productivity. And that was just in the first 5 days alone!

Think about it. The US Postal Service checks our snail mail for Anthrax. Why shouldn't the government check our e-mail for viruses?

In the meantime, perhaps we should invest in some SYMC.

Mikel Maron: Reactive Links

A superb idea today from Yahoo! alumnus Mikel Maron:

Reactive Links. Anytime someone click-thrus on these redirect links, the service records that action... more active links could be big and red and quiet links could small and blue, or whatever you like. These links change their character depending on their usage. [Brain Off]

It reminds me of a little bit of internal visualization our data mining group did where a modified version of the Yahoo! homepage showed a click-percentage count next to each hyperlink on the page. You could pretty easily see that people were always interested in clicking on certain elements on the page (such as the word "Free") and that you could also induce users to try different Yahoo! services by occasionally highlighting one of them (by displaying them in bold or with a background color).

Changing the size of the links is another interesting visualization technique, but it can throw off the page layout so much that it becomes distracting and less helpful.

Hebrew Computing on Mac OS X

We're thinking about buying a Mac.

One of the things that has been holding us up is lack of support for Hebrew software. Until Mac OS X 10.2 was released, the operating system didn't even offer native support for Hebrew. However, we're still waiting for some important applications (such as NisusWriter) to come out with OS X native releases.

Last week I saw an email to the hebrewcomputing Y! group which listed off a list of some good Hebrew software for "real Hebrew computing" on Mac OS X.

• Mellel for word processing (full Hebrew support)
• OS X Mail app for Hebrew email
• Safari and Camino for Hebrew web browsing
• iChat and icy juice for instant messaging in Hebrew
• iCal for calendar with Hebrew support
• OS X address book with it's built in Hebrew support
• Keynote with the Hebrew template and direction services for Hebrew presentations

Now all we need are OS X editions of the Gemara and Tanach.

Investment advice

I've gotten about 5 or 6 copies of this spam message today:

Date: Mon, 5 May 2003 20:28:48 -0700
From: Administrator <Admin@CorporateKiller.com>
To: <admin@r...>
Subject: Corporate Killer COOL 

Hello!

you must invest money in http://www.corporatekiller.com/

This good!!!
Very good!

Admin of
http://www.corporatekiller.com/

After such a persuasive argument, I'd be intersted in making an investment. Corporate Killer, I've got my checkbook ready!

Another tech industry recovery indicator?

I wrote back in March about the fact that Yahoo! is hiring and wondered aloud if that means that the tech economy is starting to recover.

I just got an email from a headhunter looking to hire a Senior Software Engineer in Menlo Park, CA.

We are seeking an experienced software engineer to build web based applications and backend services. The ideal candidate combines expertise in object oriented software development using C++ and Perl along with a strong background in web based technologies like XML, XSLT, etc.

Hey, if headhunters are starting to make cold-calls (or cold-emails), I guess this is a good sign...

I almost fell victim to an identity-stealing scam

I got this email today, and I almost believed it. It's a typical http://user:password@hostname/ trick. In this case, the user is tricked into thinking that http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/ is a PayPal URL when in fact it's actually a website served up by http://p9.da.ru/

Here's the full source of the email message:

Return-Path: <anonymous@m1.netfirms.com>
Received: from m1.netfirms.com (m1.netfirms.com [66.48.76.114])
        by netspace.org (8.11.6/8.11.6) with SMTP id h410rTR11497
        for <webmaster@hebcal.com>; Wed, 30 Apr 2003 20:53:29 -0400
Received: (qmail 48211 invoked from network); 1 May 2003 00:53:51 -0000
Received: from unknown (@192.168.60.10)
  by m1.netfirms.com with QMQP; 1 May 2003 00:53:51 -0000
Date: 1 May 2003 00:53:51 -0000
Message-ID: <20030501005351.31268.qmail@cgi1>
To: "" <webmaster@hebcal.com>
From: "PayPal Staff" <staff@paypal.com>
Subject: PayPal System Update *Urgent Please Read*
Content-type: text/html
X-Spam-Status: No, hits=3.7 required=5.0
        tests=CTYPE_JUST_HTML,DEAR_SOMEBODY,HTTP_USERNAME_USED,NO_FEE,
              PLEASE_READ,SPAM_PHRASE_08_13
        version=2.44
X-Spam-Level: ***

<P>Dear PayPal User,</P>
<P>Today we had some trouble with one of our computer systems. While 
the trouble appears to be minor, we are not taking any chances. We decided to
take the troubled system offline and replace it with a new system. Unfortunately
this caused us to lose some member data. Please follow the link below and log
into your account to make sure your information is not affected. Account
balances have not been affected.</P>
<P>Because of the inconvenience this causes we are giving all users that
repair their missing data their next two incoming transfers for free! You will pay
no fees for your next two incoming transfers*. </P>
<P><A
href="http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/">
http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/</A></P>
<P>
Thank you for using PayPal!</P>
<P><BR>* - If fees would normally apply, you will not pay anything
for the next two incoming transfers you receive. </P>
<P>PayPal Security</P>
<P>PROTECT YOUR PASSWORD<BR>NEVER give your password to
anyone and ONLY log in at PayPal's website. If anyone asks for your
password, please follow the Security Tips instructions on the PayPal
website.<BR></P>

I don't know who has the power to do this, but p9.da.ru should be shut down ASAP.

In the meantime, I'm going to crank up the score for HTTP_USERNAME_USED in my SpamAssassin user_prefs file.

Hebcal by Voice is going away

Got this email from Tellme today:

Date: Thu,  3 Apr 2003 01:10:11 -0800 (PST)
From: Tellme Studio <developer@tellme.com>
To: michael@...
Subject: Tellme Studio program change

VoiceXML Developer,

Tellme has made many investments in VoiceXML over the past four years. 
One of these investments was in the Extensions program, with the goal 
of making VoiceXML a more utilized public standard. Now with VoiceXML 
well on its way to standardization in the W3C and with hundreds of 
thousands of VoiceXML applications in production,  it is clear that 
investment has paid off. It is time for us to retire the Extensions 
program and invest in other areas. As of Wednesday, April 9th we will 
no longer host Extensions on 1-800-555-TELL or 
http://studio.tellme.com. Developers can continue to build VoiceXML 
applications on Tellme Studio.

Thank you for your individual contribution in making VoiceXML the most 
widely-used and successful voice standard in the world.

The Tellme Development Team

Damn, that sucks.

Yet another humorous but bogus eBay auction

For sale on eBay: UN Security Council Vote On Gulf War Redux

I wonder if the Chilean government will petition eBay to pull this from the site. :-)

Protecting email addresses, part 2

I wrote on Sunday about wanting to protect email addresses in the MVHS Alumni Internet Directory. I finally found some time to code it up.

The mailto: links have been replaced with a web form that alumni can use to send a message.

Since the website doesn't require a login, it's not totally spam-proof. I do include an MD5 hash of the real email address in the form as a hidden variable, so there's some guarantee that you've at least first fetched the form from my website before hitting submit. This isn't that much for security, but it means that someone writing a robot to abuse the site would have to do some extra work (fetch the webpage first, grab the hidden field, and then submit it back with the spam message).

I'm also using the Email::Valid module to check to make sure that the return address is RFC822 compliant.

People have often asked why the website doesn't use a password/registration model like alumni.net or classmates.com, because it would certainly do more to discourage spammers. It turns out that spam hasn't been too big of a problem for the 1500+ alumni listed on the website for the past seven years, and the complexity of passwords and registration just make life things to difficult when all you want to do is send a quick hello to someone you haven't seen in 10 or 20 years. For the time being, the trust model is working well enough.

Usenet posts from 1993

At lunch today with Mike and David, we were talking about Google and whether the Pyra acquisition would be as successful as the Deja News acquisition. Both Mike and I had read somewhere that Google had managed to get Usenet archives going way back to the beginning, and how it's become such a valuable historical resource.

So just for kicks, I went and searched Google Groups for author:mradwin@tsoft.net and found 15 posts, all from 1993.

They're all related to desktop publishing. I used to love fonts. And you can see that I was interested in intellectual property ten years ago, even though I couldn't spell.

What a trip!

Protecting email addresses for my Alumni Internet Directory

I've been publishing the Mountain View High School Alumni Internet Directory online since 1995. Think of it as an free version of classmates.com, but just for my high school.

Since a group of us started planning our 10-year reunion, I've been thinking about the website more recently. I've had RSS feeds on the site since the summer of 1999 (long before I ever heard of blogging), but I finally added the orange XML icon () today.

One of the things that has always made alumni timid about using the site is the possibility of getting spam. The fact that their email addresses are published on the web makes them good candidates for email harvester bots. I originally addressed this problem by adding a <meta name="robots" content="noindex,nofollow"> tag to the site, hoping that bots would respect that.

Later, I started using the decimal HTML entity encoder trick (listing addresses like mailto:mradwin@yahoo.com) but I'm sure spammers will catch onto that soon.

So the only thing left to do is to create a "send email to this user" form and list the addresses in the same way that Y! Groups does. The links will look to the user like mradwin@y..... but instead of being a mailto:, they'll be regular hyperlink to a /bin/mail?to=<secret base64 encoded data> form which asks for an email address and sets the Reply-To header.

The 1500+ alumni registered on the site right now would definitely benefit from this feature. Plus, after changing the email links to use the email-protect form, I'd be able to remove the robots meta tag, which would allow Google and other legit search engines index the site better, increasing visibility to the larger alumni community.

I've just gotta find the time to code the thing.

[Update: I found some time to write the code. The mailto: links have been replaced with a web form]

JR Conlin wins the Favicon contest

JR Conlin has won the radwin.org favicon contest. Congratulations, JR! You'll get your Grand Prize tomorrow at lunchtime.

JR's entry pays tribute to the orange navigation bar present throughout the site. It's a good color. Some might call it #ffcc99, but I prefer "radwin.org orange", much the way Ray Sun describes the hue of the "e" on my desktop as "Internet Explorer blue".

Postscript: my good friend Scott, who started the whole favicon contest by nagging me, now has his very own blog. Can't wait to see what he writes.

Last chance to win $5 for artistic creativity

Hurry! The radwin.org favicon contest ends in four hours and forty-five minutes. Get those last-minute entries in and win the Grand Prize.

Favicon contest ends in 27 hours

The radwin.org favicon contest, announced a week and a half ago, is almost over. Although we've already received an overwhelming number of submissions, your entry could still win. But you can only win if you submit it by 5pm tomorrow.

Don't hold back! Here is your chance to show off your artistic talent on a 16x16 canvas!

New SpamAssassin

I just upgraded from SpamAssassin 2.42 to SpamAssassin 2.44.

So far so good, but then again, not much changed in the code. I don't run spamd/spamc, so a newer ruleset is the biggest change I can see.

Favicon contest: win $5

My good friend Scott has been bugging me for about a week now to get a favicon for radwin.org.

I'm not the artist type (I still haven't gotten past page 10 of Drawing on the Right Side of the Brain by Betty Edwards), so I need some help.

Therefore, in good capitalist tradition, I'm going to contract out the work to someone else. I'm proposing a contest: if I select your favicon for the site, you'll win $5.

Contest rules:

1. Contest begins Friday, 31 January 2003 at 12:00pm PST and ends Monday, 10 February 2003 at 5:00pm PST.


2. The favicon must be generic enough to work for the entire Radwin Family website, not just for my blog.


3. Employees of Michael J. Radwin and their immediate families (parents, children, siblings, spouse) are not eligible.


4. If a Canadian wins, he or she will be required to answer a skill-testing question such as "What is 613 in binary?"


5. If the winner and I hang out in person with any regularity, they can get the $5 prize in cold, hard cash. If not, payment will be sent via PayPal.


6. Only original designs will be accepted. You can't go and submit http://www.raysun.com/favicon.ico and expect to win.


7. Void where prohibited by law.

Good luck, and may the best favicon win!

MovableType-2.6 release

Contrary to my pessimism yesterday about upgrading software, here's a release I'm actually interested in:

Version 2.6. Version 2.6 is right around the corner. Some new features and improvements included in this planned release [Movable Type News]

Most of it doesn't interest me too much, but I'd probably use Sanitize. I've already got an RSD file. I doubt I'll license these ramblings via Creative Commons, but I'm interested in seeing what they mean by "support". Leave it to technology to push the IP envelope.

Maybe jzawodn will upgrade from 2.21 so he can finally get TrackBack auto-discovery working.

New cartoon from Brian Frisk

Brian Frisk, creator of the We Are Robots cartoon series, has just published another cartoon entitled Off My Lawn#2: The Terrorist.

"Flag-waving is a fun, colorful pastime that's great exercise for your arms while helping to stick it to the terror organization of your choice. But sometimes it isn't enough. Thank God for Clyde. He's one of the heroic few working to make sure that in this brave new world, you're always innocent until proven different-looking."

I am still AngryBot.

big@boss.com virus update

If you search Google for big@boss.com, you'll see that I'm #2 today. And the #1 site is in German.

It's been a week and a half since I first wrote about the fact that I couldn't find any information about the big@boss.com virus, and the blog comments keep streaming in. One of them even claims that big@boss.com is an MIT conspiracy!

Maybe if the anti-virus vendors stopped calling it the W32/Sobig@MM virus they'd move higher up in the Google search results.

big@boss.com virus

I just got another email from big@boss.com which looks to me like a virus. This is the 3rd or 4th in a couple of days. So I went to both Symantec's and McAfee's anti-virus pages, and didn't turn up anything.

Then I tried a Yahoo! search for "big@boss.com virus". Nothing. For kicks, I tried a Google search for "big@boss.com virus" but that turned up no search results, either.

Google AdWords to the rescue

SoBig Virus Information big@boss.com emails may contain a virus attachment. News and Links. bcstx.com/sobig.htm Interest:

Someone bought an ad on Google to help spread the word faster than the Google search engine can index pages about the virus! That's really generous of them! They should add a PayPal donations button to their page. (No such helpful advertisements were found on the Yahoo! search results.)

Hunting around a little further, it appears that this is the W32.Sobig.A@mm virus (the subject line of Re: Movies and attachment of Document003.pif matches what I've been getting). But no mention of big@boss.com on the Symantec page. Bizarre.

Recapping the scores: Symantec 0, McAffee 0, Yahoo! 0, Overture 0. Google AdWords: 1.

Adding content previews to MT Main Index

I simply changed this:

<a
href="<$MTEntryPermalink$>"><$MTEntryTitle$></a><br />

to this:

<a
title="[<$MTEntryDate format="%x"$>] <$MTEntryExcerpt$>"
href="<$MTEntryPermalink$>"><$MTEntryTitle$></a><br />

If you've got a modern web browser, simply hover over the links and the first few words of the entry will appear in a tooltip.

Keeping my blogroll up-to-date

My blogroll (the list of RSS feeds I subscribe to, which appears in the right-hand column of my blog page) is now going to be more consistently up-to-date. Here's how I did it.

First, I set up a cronjob to fetch mySubscriptions.opml from my Radio Userland page. Next, I'm using Jeremy's opml2html.pl script to convert from OPML to a list of HTML. I've actually tweaked it slightly since I sent patches back to Jeremy to clean up some charset issues.

I went into the MovableType management UI and clicked on Templates. I clicked on the Main Index template and changed the Ouput File to index.shtml. Next, I edited the Template Body and added a <link> tag to the top of the page:

<link rel="subscriptions"
type="text/x-opml" title="Subscriptions"
href="<$MTBlogURL$>mySubscriptions.opml">

Below the Archives section on the page, I added the following:

<div class="sidetitle">
<a title="RSS channels I read in XML format"
name="blogroll" href="mySubscriptions.opml">My
Subscriptions</a>
</div>
<div class="side">
<!--#include file="mySubscriptions.html" -->
</div>

And that was it! Now my blogroll will get updated daily without me needing to edit the HTML by hand.

Top 10 Web-Design Mistakes

Jakob Nielsen's Top Ten Web-Design Mistakes of 2002:

"Every year brings new mistakes. In 2002, several of the worst mistakes in Web design related to poor email integration. The number one mistake, however, was lack of pricing information, followed by overly literal search engines."

As usual, Jakob is right on the money. Did you notice how radwin.org borrows the "trail of breadcrumbs" style navbar from useit.com? Imitation is the most sincere from of flattery.

The Metaverse for $9.99/month

The metaverse, more-or-less as described in Neal Stephenson's Snow Crash, now exists. It's called The Sims Online.

As mentioned in the Wired article, game's inventor is playing acharacter named Alan Greenspan. Maybe I could play Terry Semel?

Would you like clean underwear with your fries?

After seeing Amazon suggest purchasing clean underwear with almost every item we put in our shopping carts, Ariella and I have wondered if the Internet superstore's rec