Host content on Android with reverse SSH port forwarding in Serverauditor

EDIT: JuiceSSH has fixed the keyboard issue on Samsung devices running Android 5+!

I’m back to using JuiceSSH since their app is more reliable to me (creating port forwards often failed in ServerAuditor and I could never figure out why, but they always work in JuiceSSH). I’m leaving this post here in case anyone wants to use ServerAuditor and needs these instructions.

ORIGINAL POST:

When it comes to SSH clients on Android devices, I was a fan of JuiceSSH until I began using the Note 5 and started having issues with the keyboard.

The short version is that JuiceSSH has a popup keyboard with ctrl/tab/arrows etc. that shows up when you tap the screen. I like it. But on the Note 5, that popup keyboard often/randomly shows up underneath (think Photoshop layers) the regular keyboard, which means you can’t see both at the same time, so it requires more keypresses to do a ctrl-x, for example (hide the main keyboard, hit ctrl, bring up the keyboard, hit x, then hide the keyboard again to see the output, which now shows up under the keyboard as well). You can tell the JuiceSSH popup keyboard to appear at the top of the screen, but then the popup keys are very far from the main keyboard, and worse, sometimes the popup keyboard shows up under the status bar (again, think Photoshop layers), so you can’t touch the top row of buttons. Also, none of this fixes the issue that the terminal drops under the keyboard so you often can’t tell what you’re typing. (I’ve emailed JuiceSSH about this; I will update if I get a reply, as I am still a fan – and paid user of – JuiceSSH.) It’s probably a Samsung issue unique to their setup (maybe multi-window?) or maybe relating to screen resolution, but I did try another keyboard and still had the same problem.

So I found Serverauditor in the Play Store. It has many of the same features in the paid (annual subscription) offering, including encrypted credentials/identities, a popup keyboard that works on the Note 5 (and is customizable!), and some great mappings for volume keys and single / double finger swipes. Down-arrowing through a long document in nano is almost a pleasure now with a double-finger down swipe (it’s mapped to PageDn). So I’m happy with it.

But there’s one piece missing from Serverauditor’s UI that JuiceSSH does correctly. I occasionally like to run services like web servers on my phone. Using KSWEB or Bit Server, for example, it’s possible to run a local LAMP (well, lighttpd or nginx at least) stack on your phone for a quick demo. With a reverse SSH tunnel you can offer up a port on an Internet-facing VPS that tunnels to your Android device despite whatever NAT your provider is using. Kind of cool, but it requires a little trick to get working in Serverauditor.

Recent increase in spam from SPF authorized domains

Recently I’ve noticed a huge increase in spam from domains that are SPF authorized. They’re shilling everything from mesothelioma attorneys to home stairlifts.

After looking at the headers of a few messages I noticed something common to all of them that you can use to filter them out in Postfix (or any mail server, really):

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=138.99.217.231; helo=candixnigeria.caldwelleducation.com; envelope-from=patrickgraves-first.last=mydomain.com@candixnigeria.caldwelleducation.com; receiver=first.last@domain.com

See where it says “patrickgraves-first.last=mydomain.com@…”? The “first.last=mydomain.com” part was actually my email address (not on this server, in case you’re wondering why I’ve removed it). So I set up a rule in Postfix’ header_checks:

/envelope-from.*-first\.last=domain\.com@/ REJECT Permanently blocked for spamming.

Replace first\.last=domain\.com with whatever format your email address is (might just be something=domain\.com for example), restart postfix, and enjoy the NOQUEUEs.

RowPro 4.0 “No Trees” Mod


Update: This mod is no longer needed as current versions of RowPro offer the no-trees option with 3D graphics in the system settings menu.

This is a mod for RowPro Version 4 to allow live water mode with no trees (not available from the program options). From my testing so far this mod provides an increase in frames-per-second (fps) performance, most notably if your video card is able to handle standard 3D mode but not Live Water mode.

Do I need this?

Update: No, you don’t; see the “no trees” option in graphics system settings in RowPro.

If you turn on “All Scenery (Live Water)” and your graphics are jittery and unusable, or your frame rate (FPS) is much lower than 60 (like 15), then you might want to try this mod. For my older RowPro system this works really well; if you have a recent graphics card and a powerful PC then you may not need this.

Who’s Who spam

UPDATE August 2016:

Obviously non-US email senders/subjects may use UTF-8 encoding, so there’s a risk here. Personally this doesn’t affect my server or business, so the rule below was doing well for me. However, legitimate mail services (looking at you, Paperless Post) are sending emails with UTF-8 encoding on the subject line.

I scanned my mail logs and since I’ve set up greylisting and a few additional RBLs, I haven’t seen any UTF-8 spam in a while, so I’m going to turn this rule off and see how things go. It was fun while it lasted, but at this point I think the rule is too draconian even for US-only email systems.


ORIGINAL POST:

Getting lots of Who’s Who spam? They have a new trick; they are sending messages with UTF-8 encoding, which you can’t see unless you go into the server and really look at the mail or if you look at the subject field in the message headers.

In much the same way as we blocked Rick’s “I am a china based imaging” spam, we use a similar rule in Postfix’ header_checks to block messages with a UTF-8 subject line:

/^Subject: .*\?utf-8\?B\?.*/ REJECT Please do not use UTF-8 encoding to send mail here.

This will prevent them from getting through. Nobody else I know with legit mail uses UTF-8 encoded subject lines, so hopefully good riddance until they find the next thing to use.

Didn’t get a password reset email from the Franchise Tax Board?

So you clicked the “lost password” link on the California Franchise Tax Board web site and didn’t get the email you were supposed to get with a temporary password?

Here’s why. From the mail log of the receiving mail system (mine):

Jun 15 22:47:53 dallas postfix/smtpd[14986]: NOQUEUE: reject: RCPT from smtp.ftb.ca.gov[168.240.17.20]: 550 5.7.1 : Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=no_reply@ftb.ca.gov;ip=168.240.17.20;r=NOBODY@REDACTED.com; from= to= proto=ESMTP helo=

Looks like the Franchise Tax Board has an outdated SPF record. Servers configured to reject mail with an incorrect SPF record will do just that – reject the mail from the FTB. Either write to their IT department and ask them to update their SPF record to reflect the IP address or range they are actually sending mail from (good luck with that), or have them send the password to an email account that doesn’t check SPF records (or at least won’t fail them). You can choose that at the bottom of the page where you enter the answers to your security questions.

imap.gmail.com is not responding

Did you start getting this message out of the blue from an iOS device like an iPhone that was working fine just a few hours ago, and you haven’t made any changes?

Before you use the nuclear option of removing and re-creating the account, try this suggestion from faridbe on the Apple Support Forums. Sign into gmail using a web browser. Go to settings, POP/IMAP, then disable IMAP, save changes, then enable IMAP, save changes again.

Then try accessing mail on your device again – perhaps it will work.

Testing postfix header_checks with postmap -q

This post makes some assumptions, for example that you use Postfix, Ubuntu, and regexp format for your header_checks, etc. but I find that testing new rules isn’t all that well documented and I always forget how to do this.

Testing header checks with postmap -q:

For a single line:

postmap -q "From: my spammer" regexp:/etc/postfix/header_checks

If you match a “REJECT” line you should get “REJECT” as a response. If you get nothing, your rule isn’t working. You can make the switch -vq (has to be in that order) to get verbose logging, but I don’t find that really helpful. It either works or it doesn’t and you’re not going to get any special regexp help from postmap.

If you’ve saved spam message headers to a file (ex: /tmp/spam.txt), do this:

postmap -q - regexp:/etc/postfix/header_checks < /tmp/spam.txt

That second dash is important or it won't work.
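For checking rules away from the mail server, here is an added example (not from the original posts) that approximates a regexp: lookup in Python against the two header_checks rules quoted on this page. The sample headers are constructed, and Python's re module stands in for Postfix's POSIX regexp engine, which is an assumption that holds for these two patterns.

```python
import re

# The two header_checks rules from this page, in Postfix regexp-table syntax.
RULES = r"""
/envelope-from.*-first\.last=domain\.com@/ REJECT Permanently blocked for spamming.
/^Subject: .*\?utf-8\?B\?.*/ REJECT Please do not use UTF-8 encoding to send mail here.
"""
# Constructed headers (not real mail). The first one is folded over two lines.
SAMPLE = (
    "Received-SPF: Pass (sender SPF authorized) identity=mailfrom;\n"
    "\tenvelope-from=bob-first.last=domain.com@bulk.example\n"
    "Subject: =?UTF-8?B?SGVsbG8=?=\n"
    "Subject: =?utf-8?Q?Hello_there?=\n"
    "Subject: Quarterly report\n"
)
RULE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([imx]*)\s+(.+)$")

def load_rules(text):
    """Parse '/pattern/flags action' lines; blank and # comment lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            pattern, flags, action = m.groups()
            # Postfix matches case-insensitively by default; an 'i' flag toggles that off.
            rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules

def unfold(raw):
    """Join folded continuation lines so each logical header is one lookup key."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers

def check(rules, header):
    """Return the action of the first matching rule, or None (first match wins)."""
    return next((action for rx, action in rules if rx.search(header)), None)

def report(raw, rules_text=RULES):
    rules = load_rules(rules_text)
    return [(h, check(rules, h)) for h in unfold(raw)]

if __name__ == "__main__":
    for header, action in report(SAMPLE):
        print(f"{action or 'no match'} <- {header[:60]}")
```

The Subject rule rejects every base64 ("B") encoded subject regardless of sender and does not match the quoted-printable ("Q") form, which is worth knowing before enabling it.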

Can’t access \\readyshare

Can’t access \\readyshare through a UNC path but able to ping the IP address? Try this. Log into the router web based admin interface, scroll down to “UPnP” under advanced, and turn UPnP on. The router will say “please wait” (or something like that) for a minute or two. Then try accessing \\readyshare again. Worked for me after nothing else did.

SoftException in Application.cpp:574: Could not execute script – HostGator

Do you have a HostGator shared account and you’re seeing Internal Server Errors intermittently on otherwise-working code?

I have a couple of domains at HostGator (not this domain). One of them experienced this issue for several days. Randomly, loading any page on the site would generate “Internal Server Error” and the message in this post subject line in the error logs.

Nobody at HostGator could help me. I sat on live chat for over an hour with a tech. During that chat session the site went down 3 times and they couldn’t tell me what was going on. I heard something about process limits, but traffic was zero (except for me, trying to load a page, and I wasn’t doing it 25 times). I asked to be moved to another node; they said they couldn’t do that. I have been so spoiled by ServInt and Linode! The problem disappeared on the first domain and hasn’t happened since.

This morning HostGator migrated another of my managed domains to a new host node. This required an IP address change, so I wonder if they changed datacenters. Right after the migration I’ve started having this error on this new domain.

If you’ve experienced this and have any information or just want to add a “me too!”, please comment. These are not errors in my code, because my code works most of the time on their server. There is nothing unusual in the access logs.

Android App Permissions

When installing Android apps, look closely at the permissions they are asking for. For example, OpenSignal wants to read my text/MMS messages, my call log, and my contacts. Why do they need that information? I’ve asked them; I don’t expect to get a reply, or at least a reasonable one. Probably something about “to improve service and the customer experience” or some similar line. No thanks.

Edit: here is their answer.

http://opensignal.com/blog/2012/11/29/new-permissions-in-version-1-99-and-how-to-check-whether-an-app-is-malicious/

Well written, and makes sense, but I still fundamentally disagree with an app billed to “find the best signal in your area” being morphed into something that tracks data usage. In the context in which OpenSignal is marketed by its own tag line – as a signal tracking tool – it has no business doing anything with SMS/MMS and contact information. The app should be repackaged as a signal and data tracking tool to better manage user expectations, or the new app should be split out so the user can reasonably expect to grant those permissions based on what the software is expected to do. Now it is all-or-nothing, and should the app developer change their mind about what they will do with the information they can collect, there is nothing users can do. They can uninstall the app, but once the data is collected and sent back to the developer, it is no longer in the user’s control.