Archive for June, 2007

The Simplest Personal Email Spam Solution EVER!

Monday, June 25th, 2007

I have the simplest personal email spam solution in the world. I use Apple’s Address Book and, in it, I keep all the email addresses I ever want to get mail from. In Apple’s Mail program, I simply tell it that email from an address in my address book is exempt from being treated as junk mail. Then I set up a Mail rule that says if the sender is not in my address book, the message should be moved to the Junk Mail folder.

Voila. This system is flawless. You will never be able to send me loads of spam that go anywhere but my spam box, and I hardly ever look in there.

Naturally, there is a caveat to using this technique, but I actually consider it to be an advantage. By necessity, this technique keeps me pro-active about getting people’s contact information when I meet them (and want to talk again). If I don’t get that person’s email address, I’ll probably never see that person’s email unless I’m looking out for it. Nine times out of ten, however, that’s what I want to have happen anyway.

So this solves the problem of unwanted mail. However, what if I want to let people contact me that I don’t know ahead of time or have previously whitelisted? Well, in that case I rely on an out-of-band communication, such as an introduction from a friend, leaving a comment on my blog(s), or some other method such as an instant message to let me know that there is someone who wants to talk to me.

My contact information is so available (in so many places), and so many IM services are now equipped with store-and-forward messaging, that there really is no reason for email to be the first time I hear from someone. Even better, if I’m contacted over Google Talk (as an example), I automatically have an email address for that person.

Voila. Simplest. Spam. Filter. Ever.

A Better Expect Subversion Post-Commit Hook

Thursday, June 21st, 2007

In a previous post I wrote a small expect script to update a remote web server’s deployed code on a new commit to a Subversion repository using Expect and Subversion’s post-commit hooks. That first script was extraordinarily basic, so I’ve been wanting to add some sanity and error checking to it for a while. I finally got around to it today.

This improved version of the post-commit hook does the same thing as the last one (that is, it logs into your web server over SSH with the given user and password, and yes, I’m aware of the scariness of embedding a password in such a way, so you should really set up SSH to use public keys for authentication for this), except now it also produces useful output.

Here’s the same script as before, but improved:

#!/usr/bin/expect -f

#
# AUTHOR: Meitar Moscovitz 
# DATE  : Thu Jun 21 16:32:42 EDT 2007
#

set HOST my.web.server
set USER someuser
set PASS xxx

# the working copy we're going to update
set WC /path/to/working/copy

# the path to the svn executable on the remote web server
set SVNBIN /usr/local/bin/svn

# our network is slow, set a long timeout
set timeout 30

##### DO NOT EDIT PAST THIS LINE! #####

# POST-COMMIT HOOK
#
# The post-commit hook is invoked after a commit.  Subversion runs
# this hook by invoking a program (script, executable, binary, etc.)
# named 'post-commit' (this file) with the
# following ordered arguments:
#
#   [1] REPOS-PATH   (the path to this repository)
#   [2] REV          (the number of the revision just committed)
#
# Note that Subversion does not provide this program with an environment
# of any kind. That means this program lacks a current working directory,
# a home directory, a $PATH, and so on.

set REPOS [lindex $argv 0]
set REV [lindex $argv 1]

# Define error codes
set E_NO_SSH     1 ;# can't find a usable SSH on our system
set E_NO_CONNECT 2 ;# failure to connect to remote server (timed out)
set E_WRONG_PASS 3 ;# password provided does not work
set E_UNKNOWN   25 ;# unexpected failure

# find the SSH binary on our system
if {[file executable /usr/bin/ssh]} {
	set SSHBIN /usr/bin/ssh
} elseif {[file executable /usr/local/bin/ssh]} {
	set SSHBIN /usr/local/bin/ssh
} else {
	send_error "Can't find a usable SSH on this system.\n"
	exit $E_NO_SSH
}

spawn $SSHBIN $USER@$HOST $SVNBIN update $WC

expect {
    "continue connecting (yes/no)? " { send "yes\r"; exp_continue; }
    -nocase "password:" { send "$PASS\r"; }
    timeout {
        send_error "\nWe have timed out after $timeout seconds while trying to connect to $HOST!\n";
        exit $E_NO_CONNECT;
    }
}

expect {
	-nocase "password:" { ;# if we are asked for the password again, then we have provided the wrong password
		send_error "\nCan not log in to $HOST because the password provided for user $USER has been rejected.\n";
		exit $E_WRONG_PASS;
	}
	-re "revision (\[0-9]+)." {
		if {$REV == $expect_out(1,string)} {
			send_user "\nSuccessfully updated $WC on $HOST to revision $REV.\n"
		} else {
			send_user "\nUpdated repository to revision $expect_out(1,string), but svn reports that we are at revision number $REV.\n"
			send_error "CAUTION: Repository updated to revision $expect_out(1,string), but committed revision $REV.\n"
		}
	}
	default {
		send_error "An unexpected error has occurred. The process at spawn ID $spawn_id has produced the following output:\n"
		send_error $expect_out(buffer)
		exit $E_UNKNOWN
	}
}
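The public-key setup recommended above, as an added example that is not the author's script: the same hook in plain sh, with no embedded password and no automatic "yes" to an unknown host key. The key path, the `REMOTE_USER` name, the return codes 4 and 25 and the `authorized_keys_entry` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: key-based variant of the post-commit hook (not the author's script).
: "${PATH:=/usr/bin:/bin}"; export PATH   # Subversion runs hooks without an environment

HOST=my.web.server
REMOTE_USER=someuser
WC=/path/to/working/copy
SVNBIN=/usr/local/bin/svn
SSHBIN=/usr/bin/ssh
KEY=/path/to/deploy_key    # hypothetical: passphrase-less key used only by this hook

# Print the authorized_keys line to install on the web server for public key $1.
# command= pins the key to the one update command; the rest disables forwarding and ptys.
authorized_keys_entry() {
    printf 'command="%s update %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$SVNBIN" "$WC" "$1"
}

# post_commit REPOS REV: update the remote working copy and confirm the revision.
# Returns 0 on success, 2 if ssh/svn failed, 25 on unparseable output, 4 on mismatch.
post_commit() {
    rev=$2
    # BatchMode=yes: never prompt, fail instead. StrictHostKeyChecking=yes: refuse
    # unknown or changed host keys rather than accepting them automatically.
    out=$("$SSHBIN" -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=30 "$REMOTE_USER@$HOST" "$SVNBIN" update "$WC" 2>&1) || {
        echo "Update of $WC on $HOST failed: $out" >&2
        return 2
    }
    got=$(printf '%s\n' "$out" | sed -n 's/.*revision \([0-9][0-9]*\)\..*/\1/p' | tail -n 1)
    [ -n "$got" ] || { echo "Unexpected output from $HOST: $out" >&2; return 25; }
    if [ "$got" -ne "$rev" ]; then
        echo "CAUTION: $WC is at revision $got, but committed revision $rev." >&2
        return 4
    fi
    echo "Successfully updated $WC on $HOST to revision $rev."
}

# Run as a hook only when Subversion passes REPOS-PATH and REV.
if [ "$#" -ge 2 ]; then post_commit "$1" "$2"; fi
```

Because of StrictHostKeyChecking=yes, the account that runs the hook must already have the web server's host key in its known_hosts file.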

Why Be Generous

Tuesday, June 12th, 2007

Something from tonight that I said that I want to remember:

The thing about being strong is that being strong means not getting what you want or what you need and yet being okay anyway. When I was young and, of course, even these days, I don’t always get what I want or need. I can do it, but I don’t like it. When I was young, my father would regularly tell me to be generous. The thing about being generous is that it makes it easier to be strong. That’s what my father was trying to teach me, I think. That’s really a very smart thing to teach a child.

Antsy Crossposting

Monday, June 11th, 2007

Bah. It is beautiful outside but I can’t remember how to smile at the weather.

My crappy ISP (named after a cartoon character) has been spotty all week, frustrating my attempts to be productive except in the case of playing with nmap. So I find myself playing with the WordPress to LiveJournal crossposter instead. This amuses me because now my posts from this blog will be posted to LiveJournal which will be fetched back to my LiveJournal mini-blog, and which will also appear on Facebook. That’s what you get for unleashing content syndication on a restless boy.

Mostly, though, I want to shake this icky feeling and playing with technology can kill a lot of time.

The Little Lost Computer

Thursday, June 7th, 2007

One of my favorite Bash.org quotes goes something like this:

“I lost my computer.”

“Can you ping it?”

“No, I mean I lost my computer. It responds to ping, I just can’t find it in my room.”

I had the opposite experience today while at work. Sometimes I like to access my home machine over SSH to check local mail or grab a file I was working on, but when I tried to do that this morning, my computer wouldn’t respond. The other day my (crappy) ISP experienced a service outage in my area and I bet that when the service was restored my modem was served a different IP address from my segment’s DHCP server. Now, since I use a dynamic DNS service to map my IP address to a host name (so that I don’t have to remember its sometimes-changing IP address), the IP address in DNS for my machine was wrong.

There I was at work, wanting to connect to my home network, but the host name no longer resolved properly. I had lost my computer somewhere out on the Internet. I wanted to find it again, but how?

Well, I knew a few choice things about my network:

  • I run an SSH server on a certain port. For the sake of example, let’s say it’s the standard 22.
  • I run a Web server on a certain port. Again, let’s say that happens to be 80, the default.
  • My router does respond to WAN-side ICMP echo requests (“ping”s).
  • Every other port is being stealthed by my router.

So using this information, I can accurately describe what a network fingerprint of my computer might look like. Now, where could it be? This was a job for Nmap, the network mapping (and network security analysis) tool. That sounds really fancy but it’s actually not. In fact, it’s basically just good old ping on steroids.

Firstly, to find the IP address that was still in the DNS system, I needed to run

host my.old.hostname

My first guess was to simply check the logical address space around my old IP address. So assuming an old IP address of 66.65.51.145 (I don’t actually remember the old one anymore), I could simply check the surrounding IP addresses:

nmap -sS -p 22,80 66.65.51.0-255

This command runs a pretty standard SYN scan directed at ports 22 and 80 at all the IP addresses between 66.65.51.0 and 66.65.51.255. However, it first sends a single standard ping to the target IP address to see if it is up and will only commence the SYN scan if the target replies to the ping. What am I looking for? Well, I’m looking for a machine that answers with both scanned ports open, like this:

Interesting ports on some-machine (66.65.51.34):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Indeed, this found a few machines, so I next tested the SSH server to see if it was even an appropriate match. SSH servers output a plain-text string identifying their version and optionally their OS before encrypted communications begin:

telnet 66.65.51.56 22
Trying 66.65.51.56...
Connected to cpe-66-65-51-56.nyc.res.rr.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.9p1

Naturally, one of those few machines was me. :)
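The version banner only names the SSH software, so several machines can share it; the server's host key is what identifies one particular machine. As an added example (not from the original post), the filter below picks hosts with both ports open out of nmap's grepable (`-oG`) output and then matches a host key you already trust against `ssh-keyscan`-style lines. The sample scan lines and key strings are constructed, not real results.

```shell
#!/bin/sh
# candidates PORTS: read nmap grepable (-oG) output on stdin and print each IP
# address on which every port in the comma-separated list PORTS is open.
candidates() {
    awk -v want="$1" '
        BEGIN { n = split(want, port, ",") }
        /Ports:/ {
            ok = 1
            for (i = 1; i <= n; i++)
                if ($0 !~ ("[ \t,]" port[i] "/open/tcp/")) ok = 0
            if (ok) print $2
        }'
}

# match_host_key TYPE KEY: read ssh-keyscan style lines ("host type base64key")
# on stdin; print the host whose key equals the trusted one, fail if none does.
match_host_key() {
    awk -v t="$1" -v k="$2" '$2 == t && $3 == k { print $1; hit = 1 }
                             END { exit !hit }'
}

# Constructed sample of grepable scan output (not real scan results).
sample_scan() {
    cat <<'EOF'
Host: 66.65.51.34 (some-machine)	Status: Up
Host: 66.65.51.34 (some-machine)	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 66.65.51.40 ()	Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http///
Host: 66.65.51.56 (cpe-66-65-51-56.nyc.res.rr.com)	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 66.65.51.77 ()	Ports: 22/open/tcp//ssh///, 80/closed/tcp//http///
EOF
}

# Constructed sample of key-scan output; the key strings are placeholders.
sample_keyscan() {
    cat <<'EOF'
66.65.51.34 ssh-rsa AAAAB3CONSTRUCTEDKEYONE
66.65.51.56 ssh-rsa AAAAB3CONSTRUCTEDKEYTWO
EOF
}

sample_scan | candidates 22,80
sample_keyscan | match_host_key ssh-rsa AAAAB3CONSTRUCTEDKEYTWO
```

The trusted key is the one already recorded for the home machine in your own known_hosts file.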