I recently noticed that the mail server was experiencing 4 times the typical number of SMTP connections. It didn’t seem to be under any stress, though, not as far as server load went. So I watched the log file trail, and saw a bunch of messages coming in to nonexistent users with the pattern, FirstnameLastname@alternativebrowseralliance.com.

My first thought was that someone was running a dictionary attack against the domain, trying many different addresses to see which might be valid. Then I noticed that they seemed to be coming from <> — in other words, they were bounce notices.

Great. A Joe Job.

I enabled a catch-all temporarily. That did cause the server to slow down, as it was now actually processing the quadruple load instead of kicking back 3/4 of it with a “User unknown” error. (I hadn’t thought to disable spam scanning on the domain first.) In the 30 seconds before I turned it off again, it picked up 25 non-delivery notices. And those are just the ones that got past the spam filter.

As it turned out, they were just random junk. Some spammer had picked the domain and was using it to forge random From: addresses, and we were getting the bounces. In the old days they made up the whole address, but it’s easy to check whether a domain exists. So now they pick some real domain and make up a fake address. That’s harder to detect unless the domain in question uses some sort of verification system like SPF or DKIM.

So it wasn’t a Joe Job: no one was trying to besmirch the site’s reputation. It still meant extra traffic to the mail server, though.

This problem is called backscatter, and it exists for two reasons:

  1. The sender address on an email message is easy to forge, like writing a fake address on an envelope.
  2. Many mail systems will accept a message first, then process it. If it then decides to reject it, it can’t respond to the actual sender, only to the one listed in the message—and in the case of spam, it’s usually forged (see #1).

I don’t send any mail using the domain. The only reason it even has mail pointed anywhere is so that I can receive mail sent to the webmaster for the Alternative Browser Alliance. I suppose I could set up a -all (no servers are authorized) SPF record, and hope some recipients decide not to send bounces. But I’m not sure how much it would actually accomplish.

Anyway, the two lessons to take away from this are:

  • Reject messages to bad recipients in the initial SMTP transaction. It’ll protect your server from backscatter (and dictionary attacks), because you won’t have to queue and process all the extra junk.
  • Don’t generate bounce messages after the fact based on something as easily forged as the supposed sender. Otherwise, you’ll be contributing to backscatter.

This server weathered its first Slashdotting last Friday, or at least the first I’ve noticed. But then, it was a mild one compared to some reports I’ve seen.

While writing up my commentary on IE dropping WGA last Thursday, I realized that the original story was perfect for Slashdot. It had Microsoft, anti-piracy methods with privacy concerns, Internet Explorer and browser marketshare. So I looked to see if the IE team’s post was on the Firehose already, didn’t see it, and wrote up a quick submission. I also realized that I had an opportunity to plug the Alternative Browser Alliance in the text of the submission—something that I hadn’t been able to do on previous stories I’d submitted. (This is my 6th Slashdot submission to be accepted.)

So I submitted it Thursday evening, got a couple of dozen hits from the Firehose, and it got accepted around 11:30 pm, local time. I took precautions in case the traffic spilled over onto the blog, like turning on WP-Cache and disabling a few plugins, then went to bed. Continue reading

Internet Explorer.Microsoft’s Internet Explorer Team reports on a new IE installer release. They’ve changed a couple of defaults, updated their tutorials… and dropped the requirement for Windows Genuine Advantage validation:

Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we’re updating the IE7 installation experience to make it available as broadly as possible to all Windows users. With today’s “Installation and Availability Update,” Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users.

As much as I prefer alternatives like Firefox and Opera, I’ve been frustrated at the relatively slow uptake of IE7. It’s just insane that 6 years after its release, we’re still stuck designing for IE6 as the world’s most-used browser.

So who’s still running IE6?

  1. People running older versions of Windows that can’t run IE7, and who haven’t switched to something else. (This is a pretty small percentage, judging by OS stats.)
  2. People who don’t know how to upgrade to IE7, or why they should.
  3. People who actually want to stay with IE6 (whether for technical reasons or just stubbornness)
  4. People who would be happy to upgrade to IE7, except they can’t/won’t run WGA (on principle, or because it’s broken on their system, or because their OS is pirated).

I don’t know how big each group is, but Microsoft seems to think it’s worth going after #4.

It’ll be interesting to see whether there’s a jump in IE7’s marketshare relative to IE6. Maybe we’ll reach that next milestone sooner than I expected.

Alternative Browser Alliance - New LogoI’ve been thinking about this for a while, but it’s time to refocus the Alternative Browser Alliance. Mozilla’s Asa Dotzler has referred to Firefox and Internet Explorer as the “mainstream browsers” for more than a year now, and it looks like that’s become true.

The web is no longer an IE monopoly. It’s become an IE/Firefox oligopoly. Firefox is no longer an alternative web browser. It’s sold out, its ads are everywhere, and it even allows people to build Firefox-only code.

So, starting today (April 1, 2007), the Alternative Browser Alliance will no longer promote Firefox.

So what will replace it? I thought about Opera, but most of its install base is on cell phones and PDAs, and we all know the mobile web browser is dead, right? Safari? Well, it turns out that WebKit is shutting down.

So the site will be putting its weight behind iCab. It’s as alternative as they come, and it’s guaranteed to remain that way (since it won’t run on Vista).

Update: Yes, it’s an April Fools joke.

Firefox.Opera.Opera Watch posted an interview with Firefox co-founder Blake Ross yesterday, in which he talks about Firefox, Opera, and the relationship between the two. When asked about the rivalry between fans of the browsers, he says, “I think it’s ridiculous. Millions of people out there rely on us to make the Web better, not have pissing contests.” I couldn’t agree more. In fact, I launched The Alternative Browser Alliance primarily in response to that rivalry.

I found it interesting that when asked to describe Opera in three words, Ross’ response was: “Our best ally.”