Fighting spam with spam
I've always found it mildly irritating when I get a response to an email message that says:
I'm protecting myself from spam. Please click the link below to complete the verification process. You have to do this only once.
When I receive one of these messages in response to email I did NOT send, it's not just irritating, it's infuriating.
It is a common technique of spammers to not only send spam to their harvested addresses, but also to use them in forged From headers. With this type of spam verification, you get to be a victim twice.
Spam filters have gotten quite good. I rarely receive spam in my inbox. Any spam filtering technique that generates unwanted mail itself should be shunned. Such techniques are just adding to the problem.
The message I received came from Spam Arrest. It not only came with the verification, but an advertisement for the service. Isn't that the very definition of spam?
I've added an email filter. All mail from spamarrest.com is automatically reported as spam. If you happen to use Spam Arrest—sorry—your mail is undeliverable here.
Peter let me know changes are in the works that will address many of my concerns. I am anxiously awaiting them.
I'm very impressed with the fact that Peter took the time to write a thoughtful reply to my post. It demonstrates that Geezeo is paying attention to its users. Companies that listen to their users deserve success.
Washington Mutual External Accounts
I recently opened an HSA at another bank. That bank is out of state. I wasn't looking forward to mailing checks to make deposits and writing checks on the HSA to reimburse myself for medical expenses. The external accounts feature makes that all unnecessary. I can transfer funds between my WaMu accounts and my HSA from the WaMu website without ever licking a stamp or signing a check.
To verify ownership of an external account, WaMu makes two small deposits of less than a dollar (then yanks them back out with a single withdrawal). When the deposits appear in your external account, you confirm the account on the WaMu website by entering those amounts.
I first saw this technique used by PayPal. Now it seems to be a standard account confirmation method.
If WaMu just offered OFX as one of the transaction download formats, I'd give them a perfect score.
Yesterday, I got an email from twitter notifying me that I have a new follower. I checked the page to discover my new follower is a complete stranger. It was apparent she was following me and others simply to drive traffic to her website. I say her, but there's a good chance the account is just a front.
Twitter is an extremely simple, interesting, and effective tool. I've really enjoyed the updates my friend Joe has been posting while in China. But like almost every simple tool on the Internet, people find ways to abuse it.
I'm not sure what the best policy is, here. Block followers you don't recognize and who don't provide any reason for following? Ignore the notice? Turn follower notices off?
A Google search for twitter etiquette will turn up literally thousands of pages of advice. I'm happy to simply not follow people whose posts annoy me. What bothers me about the new follower notices is that I really do want to know who is following me and I don't see any reasonable way to know that without being subjected to complete strangers whose motive is driving traffic to their sites.
I'll just have to see how it works out over time.
Geezeo, Mint, and Wesabe
I took some time over the weekend to experiment with the three personal finance web sites I discussed in my last entry. That changed my perceptions. Although I still have high hopes for Wesabe, I find that it currently requires the most work to use.
Mint appears to be the most useable out of the box. It did the best job of assigning useful names to the transactions I downloaded and giving me some immediately useful information.
Geezeo had support for more of my accounts than the others. My biggest complaint about Geezeo should be easy to fix on their part: all the transaction names are in UPPERCASE. Yuck!
None of the sites handled all of my accounts. I use thinkorswim for stock and options trading and was unable to add it. Mint actually had an entry for thinkorswim when I searched for it using the Add Account feature. However, after providing my thinkorswim username and password and watching the connection progress, Mint gave me the disconcerting error message:
This just isn't going to work.
I have access to three checking accounts through my bank's website: my personal checking account, my business checking account, and my daughter's checking account. Of the three, I only want my personal checking account aggregated. Only Wesabe allowed me to make that selection. Mint lets me hide the other two accounts, or mark them closed, but not until it has downloaded transactions. Geezeo let me delete accounts after the initial
Here's a short list of pros and cons as I see them:
out of the box. Once you've renamed a transaction, the name is applied to subsequent, similar transactions. However, manually assigning names to each new, unique payee is time-consuming and cumbersome.
It's worth noting that Wesabe has a very different security model from the other two sites. All three sites claim they do not store your sign on credentials for the various accounts they integrate. Mint and Geezeo don't store them—they pass them to a third party that does store them. Mint uses Yodlee and Geezeo uses CashEdge. Wesabe provides browser plug-ins that let your PC establish connections to your banks then feed the data to Wesabe—your credentials are stored on your own PC.
Since Mint and Geezeo ask for your credentials and pass them to a third party, you have to first trust Mint and Geezeo to abide by their security policy and never save or use your credentials. You also have to trust the third party providers they pass the credentials to, Yodlee and CashEdge. The security policies of all involved are disclosed and explained. I have no problem trusting them, but it does require trust.
The advantage of this approach is that it makes features like Mint's email notices possible. Mint can access your bank data even when you're not logged in. Getting notices about transactions that have cleared the bank when credit cards payments are due, without signing in, is a useful benefit.
With Wesabe's approach, you need to trust the plug-ins they provide. For the truly paranoid, and technically capable, that should be possible. It would require monitoring just what gets passed to Wesabe. I'm willing to trust their security policy and believe they aren't capturing my sign on credentials. On the other hand, I'm not sure having my credentials stored on my own system and using a plug-in is any safer than passing them on to Yodlee or CashEdge. It just seems more likely to me that some browser bug or flaw in the Wesabe plug-in might eventually be exploited, than Yodlee or CashEdge being hacked.
This is still a new application area and there's no clear winner, yet. If we could pick and choose the features of these three sites we would have a very attractive application. I'm sure we'll see a lot of progress with all three in the near future.
Personal finance management
My exploration of social networking software led me to some interesting applications for personal finance management:
These applications let you import data from bank, credit card, and other accounts and manage them in a central place. They provide help with budgeting, graphs and reports of spending, and tips and advice on spending and saving.
I haven't explored any of these applications in depth, yet, but Wesabe, initially, appeals to me most. The company seems extremely open and interactive with its customers. The CEO, Jason Knight, is available by phone seven days a week! Have a problem or concern? You can pick up the phone and talk to the CEO.
Wesabe also has an API. As a programmer, that appeals to me.
From user comments, it appears Mint may have some better graphs and reports and has a more businesslike demeanor. All three, in fact, have their particular strengths and weaknesses. Wesabe's open dialog with users leads me to believe they are likely to add missing features and incorporate feedback quickly, so I've decided to invest some time with it before pursuing the others in depth.
So, what's the social software tie in? These sites provide a variety of ways for users to interact with each other, from sharing tips and advice to comparing spending habits against averages. The social aspect is context sensitive, so, I might learn about a zero interest balance transfer option while dealing with my credit card bills.
Wesabe is on twitter, so you can keep tabs on some of the news and happenings at Wesabe by following along in twitter.
I used to meticulously enter every receipt in GnuCash. I still use it for business. But I've done little to manage my personal finances for the past 2 or 3 years outside of quick online reviews of my bank and credit card accounts, periodically. Perhaps Wesabe will help me be a bit more proactive.
Twitter, the simplest thing that works
Twitter, my most recent plunge, is conceptually the simplest and may turn out to be the most useful.
One of the tenets of good software programming is "Do the simplest thing that works." Twitter seems to epitomize that concept.
Twitter is simply a message routing system. Send a short message and Twitter rebroadcasts it to your followers. Unless you have opted out, the message is also dispatched to the public time-line.
Prefixing special commands can alter the message routing. For instance, prefixing a message with d someuser dispatches the message to someuser, only. Twitter calls it a direct message, thus the
What sets Twitter apart from IRC, email, IM, and other message dispatching systems is its simple message routing control and its ability to work across devices: web, IM, cell phone.
You receive messages from those you are following. As your family and friends join Twitter, you can follow them. When I'm at my computer, I receive Twitter messages with my instant messenger. When I'm away from the computer, I receive them as text messages on my cell phone. I don't receive cell phone messages between 10pm and 7am—I'd rather sleep. In the morning, I can check my Twitter web page to see any messages that arrived overnight.
This simple messaging framework supports some interesting applications. (Applications, here, meaning use cases rather than software products, although it does provide opportunity for those, as well.)
I'm an avid cyclist. I don't mind riding alone. In fact, I do most of my riding alone. But it's nice to have companions to ride with, sometimes. Meeting up for rides with friends can sometimes be a bit problematic.
Imagine all my cycling friends and I using Twitter. No planning necessary. Joe sends a message:
Headed for Beacon with Bobby for a couple hours.
A few minutes later, Steve says:
I think I'll try to catch Joe and Bobby at Beacon.
And Cathy says:
Mark and I are going to ride to Rockford and back.
Great! I've got 3 options: head to Beacon for a mountain bike ride with Joe, Bobby, and Steve, do a road ride with Mark and Cathy, or neither. Since Twitter is a low expectation interface, neither Joe nor Cathy is expecting a reply from me. Whether I show up or not is immaterial. They've simply notified the rest of us of their intent so we can join if we want to.
I think I'm up for a mountain bike ride:
@mtnbk1 Watch for me on Beacon, I'll head that way soon.
Joe may or may not see my message; he may already be away from his computer and he doesn't carry his cell phone when mountain biking. The mostly convention. It indicates I'm replying to Joe, using his username. The message is routed to all my followers, so Cathy knows not to expect me. If Steve sees the message, he'll be watching for me on Beacon, too.
Joe and I are training for a grueling mountain bike race in June. We do most of our training alone, but meet for a couple rides together each week. Joe's job will take him to China for a few weeks, soon, where he'll be running to keep in shape and may not have access to a bike. And he'll be 15 or 16 hours ahead of me on the other side of the globe.
Yet, keeping in touch with Twitter will help us both keep motivated to keep up with our own training. I look forward to messages from Joe, like:
8 mile run on the beach; running in sand is exhausting
And I'll be sending updates that will let Joe know I'm on track:
Finally cleaned the entire climb on Tower.
Now, I just need to get Joe, Steve, Cathy, and all my other cycling friends twitterized.
I found these articles on Twitter useful:
I discovered an ISP that allows DNS changes through a simple web form. To ensure changes are made by authorized personnel, they only accept changes from the Administrative Contact listed in the WHOIS records for the target domain.
Talk about a gaping security hole. Just find a domain with DNS hosted by this particular ISP, use the results of a WHOIS query to get the necessary credentials, and hijack the domain. Doing it from a public terminal at 5:30 PM on a Friday should minimize the chance of being noticed before the change is complete.
I discovered this flaw at work this week when I was asked to submit DNS changes for a client that moved their physical location, necessitating a switch to a different ISP.
We had a technician on-site, but he had his hands full with the hard work: wiring, bringing up systems, etc.
Initially, I submitted the changes using my own name and e-mail address, explaining in the special instructions box who I was, how they could verify the authenticity of my request, and why it wasn't practical to submit from the Administrative Contact's e-mail address: the mail server was sitting at the new location, on one of the new ISP's IP addresses, which couldn't be reached by name until these very DNS changes were
The reply to my first submission:
For security reasons, we will only accept DNS requests from the administrative contact (WHOIS Lookup) of the domain name.
After hours of tail chasing with the ISP's support department (mortals are not allowed to talk to the DNS team directly), and rather frustrated, I just filled out the web form with the unreachable contact information. An hour later, the DNS changes were active.
No e-mail message requesting a reply to authorize the change, or a link to their website to verify the authenticity of the request, was sent. The web page just generates an e-mail to the DNS team and a copy back to the submitter. The fact that the courtesy copy is undeliverable is overlooked.
The following morning, I got a call from the ISP with the account manager and a supervisor on the phone. They were ready to conference a member of the DNS team on the phone to get the DNS changes I needed made. Already done, I told them. "I walked through a gaping security hole in your system and the DNS team happily made the changes for me."
I explained the situation. Hopefully they will fix the hole. I'd hate to see our client or anyone else have their domain hijacked due to such stupid security.
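The check the ISP's form skipped, sketched as an added example (not code from this post or from the ISP): a change stays pending until a one-time token mailed to the contact address on record comes back, and an undeliverable confirmation blocks the change instead of being overlooked. The `ChangeQueue` class, the `CONTACT_OF_RECORD` table and the mail callback are hypothetical names.

```python
import hashlib
import secrets
import time

# Constructed sample data: the contact of record per domain, taken from the
# ISP's own customer database rather than from what the submitter typed.
CONTACT_OF_RECORD = {"example.com": "hostmaster@example.com"}
TOKEN_TTL = 3600  # seconds a confirmation token stays valid


class ChangeQueue:
    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail  # callable(to, body) -> True if delivered
        self.now = now
        self.pending = {}           # sha256(token) -> (domain, change, expiry)
        self.applied = []           # changes released to the DNS team

    def submit(self, domain, claimed_contact, change):
        """Queue a change; a typed-in public address proves nothing by itself."""
        owner = CONTACT_OF_RECORD.get(domain)
        if owner is None or claimed_contact.lower() != owner:
            return "rejected"
        token = secrets.token_urlsafe(32)
        if not self.send_mail(owner, f"Confirm DNS change: token={token}"):
            return "undeliverable"  # bounce: verify by phone, do not apply
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (domain, change, self.now() + TOKEN_TTL)
        return "pending"

    def confirm(self, token):
        """Release the change only if the mailed token comes back in time."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # tokens are single use
        if entry is None or self.now() > entry[2]:
            return False
        self.applied.append(entry[:2])
        return True


if __name__ == "__main__":
    outbox = []
    queue = ChangeQueue(lambda to, body: outbox.append((to, body)) or True)
    print(queue.submit("example.com", "hostmaster@example.com", "A www 203.0.113.10"))
    print(queue.applied)  # still empty: nothing is applied on submission
    print(queue.confirm(outbox[0][1].split("token=")[1]), queue.applied)
```

In the situation described above, where the contact's mail server was unreachable, `submit` returns `"undeliverable"` and the request has to be verified some other way before anyone touches the zone.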
This site is the personal weblog of Marc Mims.
Marc writes here about cycling, programming, Linux, and other items of personal interest.