I just got an interesting mail for 3 of my domains:

Dear site owner or webmaster of [domain],

We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://[domain]

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//[domain]

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content

If your site was compromised, it’s important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you’ve secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an “incorrect forgery alert.” We will review this request and take the appropriate actions.

Sincerely,
Google Search Quality Team

Wow. That’s interesting. Those sites are absolutely not phishing sites; one of them does not even have a form on it! Does anyone have an idea how Google’s algorithm works?

Luckily dennis-schubert.de is not on the list of the kicked out domains. The domains Google kicked out are just some kind of “private projects” nobody should take care of. But that’s still interesting…

2011 was an interesting year for all of us. We worked a lot, we learned a lot and we made mistakes. I realized there are some people who helped me in various situations and it seems to be very unusual to say “thank you” nowadays. Let’s do it.

Thanks to:

  • Markus Abrell and Sebastian Gruhler for helping me do all the Diaspora work I could not do alone. Also thanks for providing great days and funny train rides. ;-)
  • Angelo Gründler for providing a safe Swiss infrastructure and for spending a lot of time keeping it running.
  • Jonne Hass for taking over tons of work to protect at least 1% of my free time. ;-)
  • Karsten Janke for helping me design various stuff. I can recommend him for business cards, logos, websites, whatever!
  • Marius Şucan for showing me awesome art and providing his own uncensored opinion whenever I asked for it.
  • Mihai Şucan for teaching me some things about technologies and discussing them.
  • Ilya Zhitomirskiy for motivating and talking about various nerd stuff. R.I.P.
  • Daniel Grippi, Sarah Mei, Maxwell Salzberg, Raphael Sofaer and all the other Diaspora dudes for developing an open source, decentralized social network. You guys rock!

I am pretty sure there are people I forgot to put on that list. Please ping me!

Guess what would be nice? More people saying “thank you” to each other. I am going to ask the people I mentioned above to write a list like that, too. It’s your turn!

Have a nice day.

2012-01-01

Ilya Zhitomirskiy, a 22 years young hacker and co-founder of Diaspora*, died today. He was one of those always-motivated guys and he always shared his motivation with all his friends and contacts. My sincerest condolences to Ilya’s family, friends and everyone else out there.

Ilya motivated me to work at Diaspora* and he was the guy answering all my questions regarding Diaspora*’s development. We had contact on a nearly day-to-day basis – not always regarding Diaspora* and I really can say: he was just awesome. I cannot describe what I am feeling right now.

2011-11-13

Recently I worked on a little project and I wanted to control a special device remotely. I am using XMPP for my daily chats and I had in mind that XMPP is extensible, so I decided to use XMPP for that.

Unfortunately my knowledge of XMPP wasn’t that huge, so I read a lot about that protocol. I ended up reading RFCs 6120, 6121 and 6122.

I got a lot of input and I had some long telnet-sessions with my XMPP-server. ;) As I’m sure I cannot remember everything in a year, I’ll write some blogposts describing XMPP a bit.

XMPP? What is it?

XMPP is short for Extensible Messaging and Presence Protocol and that’s what it is. XMPP is a decentralized system for sending messages around the world. That’s pretty cool as you can set up your own chatting server – privacy wins. (You know, I’m one of the coders and supporters of Diaspora* – it’s decentralized, too.) All data are XML – easy to use and easy to expand.

How XMPP works

XMPP is a decentralized network. Because of that, there are server-to-server connections and server-to-client connections. I’ll only write about stuff regarding the server-to-client connections as I don’t want to write an XMPP server.

XMPP’s user names look like email-addresses: user1@example.com – in that example there is a user1 on example.com. user1 is able to connect with guys from other servers, so user1@example.com can chat with user2@foobar.com.

XMPP is able to handle multiple logins with the same user at the same time. So you could leave your PC logged in, take your smartphone to the balcony and continue chatting outside. The sessions are told apart by “resources”. A resource could be “balcony”, “android”, “pc” or whatever. You cannot use a resource multiple times per user, of course.

Imagine you are outside and chatting with your android. It would be nice if you could receive all the incoming stuff on your phone while your PC continues idling around, huh? That’s why there are priorities in XMPP. A priority is an integer between -128 and +127. The server should deliver the messages to the client with the highest priority.

A basic XML-snippet

Let’s take a look at a very basic thing – let’s send a message to a friend over XMPP:

<message type='chat' id='123abc123' to='user1@example.com'>
  <body>Hello my friend!</body>
</message>

That is awesome, huh? Let’s analyse it a bit. I think there’s no need to explain what the opening <message> does. But let’s have a look at its attributes:

  • type: In our example it’s set to chat, because we want to send a direct message to another user. Other possible values are
    • error: You’ll see this when something goes wrong. Every client should provide an error-dialog for that.
    • groupchat: A message which belongs to a groupchat. Groupchats are not supported by default, they are an extension, I’ll write about it in another post.
    • headline: Similar to chat, but that will be delivered to all available resources, ignoring the priority.
    • normal: It’s like chat, but out of the context of any conversation. The client should provide an interface which allows the user to reply to a message, but it should not log anything.
  • id: The id is used for tracking any response and/or errors in relation to the message you just sent. For <message/> and <presence/> stanzas an id is recommended, for <iq/> stanzas it’s required. An id has to be unique – usually the id gets incremented.
  • body: Strictly speaking a child element rather than an attribute; it contains the message. :)
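
The stanza and the resource/priority rules described above, as an added Python example (not code from this blog or from any XMPP server). It builds the <message/> with an incrementing id and picks which resources receive it; the Sessions class and its method names are hypothetical.

```python
import itertools
import xml.etree.ElementTree as ET

MESSAGE_TYPES = {"chat", "error", "groupchat", "headline", "normal"}
_ids = itertools.count(1)  # ids only have to be unique; a counter is the usual way

def build_message(to, body, msg_type="chat"):
    """Serialize a <message/> stanza; ElementTree escapes <, > and & in the body."""
    if msg_type not in MESSAGE_TYPES:
        raise ValueError(f"unknown message type: {msg_type}")
    attrs = {"type": msg_type, "id": f"msg{next(_ids)}", "to": to}
    msg = ET.Element("message", attrs)
    ET.SubElement(msg, "body").text = body
    return ET.tostring(msg, encoding="unicode")

class Sessions:
    """Hypothetical server-side table of one user's logged-in resources."""

    def __init__(self):
        self.priority = {}  # resource name -> priority

    def login(self, resource, priority=0):
        if resource in self.priority:
            raise ValueError(f"resource already in use: {resource}")
        if not -128 <= priority <= 127:
            raise ValueError("priority must be between -128 and +127")
        self.priority[resource] = priority

    def recipients(self, stanza):
        """Resources that get the stanza, following the rules in the text above."""
        msg = ET.fromstring(stanza)
        if not self.priority:
            return []
        if msg.get("type") == "headline":
            # headline: every available resource, priority ignored
            return sorted(self.priority)
        # otherwise: the single resource with the highest priority
        return [max(self.priority, key=self.priority.get)]

if __name__ == "__main__":
    user1 = Sessions()  # constructed sample logins
    user1.login("pc", 0)
    user1.login("android", 10)
    stanza = build_message("user1@example.com", "Hello my friend!")
    print(stanza, "->", user1.recipients(stanza))
```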

That’s enough for a little introduction. More to come soon.

As you may have noticed, I released my new blog today. One of the problems you need to solve when coding a blog is how to protect your commenting system against spam. There are a lot of different methods and I was comparing them in the last few days so I’m going to write a bit about what I learned. Let’s start…

Captcha

One of the most used ways to protect systems against spam is a captcha. You know those funny pictures with numbers and chars in it. In my opinion they are pretty much annoying. I visited sites with captchas I was unable to solve – and that’s not the way a bot-protection should work. Additionally I read about methods for spammers to avoid problems with captchas:

A lot of the captchas out there are pretty easy for bots to solve. That’s why people are trying to make captchas hard enough for bots – but then a lot of people will be unable to solve them… A second way is to find users solving the captchas for spambots. I’m not kidding, I’ve read about sites paying users for solving captchas. Ha – a pretty easy way to make money, huh?

Blocking user-agents

Some systems are trying to block special user agents to lock out bots. Well… it’s easy to change the user-agent, we all know this.

Services like akismet

I’ve read about services like akismet. You can use that service over an API – you’re going to push a comment to their server and you’ll get a “spam? yes/no!” answer. I have no clue how those systems work (I have not inspected them enough) but I kinda liked the idea.

I thought about using a system like that but after I read the documentation I decided to not do this… All systems I have found want to have stuff like the user’s IP, referral links and so on. Heh – I’m not even collecting that information…

Ask silly questions

Nope, I’m still not kidding. I was using that method in my old platform and I’m using it here, too. I realized I can lock out bots by simply asking questions like “What’s the name of the big, grey animal living in Africa?”. At least they worked for me when I asked them in German – let’s see if that works here, too.

[Update:] Ask content-related questions

MrZYX just suggested asking a content-related question (like “What’s the first mentioned method for spam protection?”) instead of random questions. This could easily be done by adding another field to the blog post to define the question. Questions of that kind should be very hard for bots to answer, as they have to read and understand the blog post itself.
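
One way the per-post question field could be checked, as an added Python example (not this blog's actual code). The Post class, its field names and accept_comment are hypothetical; the answer is normalized so that harmless differences in case, spacing or Unicode form do not lock out real readers.

```python
import unicodedata

MAX_ANSWER_LEN = 100  # assumed limit; a real answer is a word or two

def normalize(answer):
    """Fold Unicode form, case and whitespace: ' CAPTCHA ' becomes 'captcha'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())

class Post:
    """Hypothetical blog post model carrying its own anti-spam question."""

    def __init__(self, title, question, accepted_answers):
        self.title = title
        self.question = question
        # several spellings may be accepted, e.g. singular and plural
        self.accepted = {normalize(a) for a in accepted_answers}

def accept_comment(post, answer, comment):
    """Return True only if the comment has text and the answer fits the post."""
    if not comment.strip():
        return False
    if len(answer) > MAX_ANSWER_LEN:
        return False
    return normalize(answer) in post.accepted

if __name__ == "__main__":
    # constructed sample post using the question quoted in the text
    post = Post(
        "Protecting comments against spam",
        "What's the first mentioned method for spam protection?",
        ["captcha", "captchas", "a captcha"],
    )
    print(accept_comment(post, "  Captcha ", "Nice post!"))  # reader who read the post
    print(accept_comment(post, "elephant", "Buy pills"))     # answer to the wrong question
```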

I’m always thankful for other ideas. :)

2011-08-20