Latest WordPress Updates

WordPress — admin @ 11:50 am

Although a new version of WordPress, 3.0.1, is available, we are delaying its introduction until the dust settles. We expect to remain with WordPress 2.9.2 for the near term.

A number of plugins have once again been updated:

  • Akismet – Version 2.4.0
  • Connections – Version 0.7.0.4
  • Contact Form 7 – Version 2.3.1
  • eShop for Wordpress – Version 5.6.3
  • Exploit Scanner – Version 0.97.2
  • Fast and Secure Contact Form – Version 2.9.1
  • Google Doc Embedder – Version 1.9.6
  • GRAND Flash Album Gallery – Version 0.51
  • WP-EasyArchives – Version 2.0
  • wp-forecast – Version 3.1
  • WP-PageNavi – Version 2.73
  • wp-weather – Version 0.3.9
  • WP e-Commerce Plugin – Version 3.7.6.9
  • WP Events Calendar – Version 6.7.5
  • WP Google Weather – Version 0.5

Enjoy.

The Trouble with SPF and email

Over the last couple of weeks it seems that some email servers are strictly enforcing the rejection of email when a domain’s email address header does not have a matching SPF record. The problem is further compounded since very few ISPs actually allow you to utilize your domain’s email server (SMTP) directly if they are not hosting your domain.

While most ISPs pass through the sender’s email address (user@yourdomain.com), the actual email header contains the address of your ISP’s SMTP service.

Microsoft was the first to begin enforcing this proposed standard a couple of years ago. The SPF proposal has yet to receive endorsement and it is not an approved standard. The proper way to handle this situation is embodied in the approach taken by Qmail and the Open Source community. Qmail does not reject email on this basis although you can patch it to do so. SpamAssassin will add a small penalty to an email’s total score but this is usually not enough to cause an email to be flagged and rejected.

The problem is further compounded when openspf.org posts a seriously misleading statement of error regarding the cause. Their recommendation is to contact your email administrator with a recommendation that the postmaster fix the email server’s configuration.

Nothing could be further from the truth. It is the email recipient’s email server that is rejecting the email. It is highly unlikely that your postmaster has any control at all of the recipient’s email server, unless they run email service for both parties.

Secondly, the fix has nothing to do with an email server. The SPF record is part of your domain service records that are served up by a DNS server, not an email server.

Of course, just try explaining that to an irate customer.

The fix is to add an SPF record to your domain records, which is accomplished by contacting your domain registrar.

The biggest problem I see with this issue, besides not being totally convinced that this is a solution that can or will reduce SPAM, is that the arbitrary enforcement of this proposed standard violates one of the fundamental tenets of computer science.

DO NOT CREATE CONTENTION WHEN NONE EXISTS!

The enforcement of this proposed standard creates contention on multiple levels, the most important of which is customer satisfaction. Customers get angry. False impressions of SPAM are created. And your customer’s customers get angry.

I would hope that openspf.org would get its act together. They are giving out a lot of black eyes and I am none too happy about it.

I fully expect to field more customer complaints when their ISP arbitrarily changes the address of their SMTP server, which happens quite frequently. If SPF is to be useful, then ISPs will need to develop a way to relay requests from their customers to their customer’s email server so that the proper email headers can be generated.

Otherwise, SPF is just a waste of time and effort.
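
The failure described in this post, as an added example that is not part of the original post: a minimal shell evaluation of an SPF record against the address of the relay that delivers the mail. The records and addresses are constructed placeholders from documentation ranges, and only `ip4:` mechanisms and the final `all` are evaluated.

```shell
#!/bin/sh
# Added example, not from the original post. Evaluates only ip4: mechanisms
# and the final "all"; include:, a, mx and macros need DNS and are skipped.
# Records and addresses are constructed (documentation ranges).

ip_to_int() {   # A.B.C.D -> 32-bit integer on stdout
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_cidr() {     # in_cidr IP NET[/LEN]: status 0 when IP is inside the network
    net=${2%/*}; len=32
    case $2 in */*) len=${2#*/} ;; esac
    drop=$(( 32 - len ))
    [ $(( $(ip_to_int "$1") >> drop )) -eq $(( $(ip_to_int "$net") >> drop )) ]
}

# spf_check CONNECTING_IP "RECORD": prints pass, fail, softfail or neutral.
# Runs in a subshell so that "set -f" does not leak to the caller.
spf_check() (
    set -f      # keep "?all" from being expanded as a filename pattern
    for term in $2; do
        case $term in
            ip4:*)    if in_cidr "$1" "${term#ip4:}"; then echo pass; exit 0; fi ;;
            -all)     echo fail; exit 0 ;;
            "~all")   echo softfail; exit 0 ;;
            "?all")   echo neutral; exit 0 ;;
            all|+all) echo pass; exit 0 ;;
        esac
    done
    echo neutral    # nothing matched and the record has no "all"
)

# Constructed records for a placeholder domain whose own server is 192.0.2.10.
OWN_SERVER_ONLY="v=spf1 ip4:192.0.2.10 -all"
WITH_ISP_RELAY="v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

echo "via ISP relay, original record:  $(spf_check 198.51.100.25 "$OWN_SERVER_ONLY")"
echo "via ISP relay, relay authorised: $(spf_check 198.51.100.25 "$WITH_ISP_RELAY")"
echo "ISP moves relay to 203.0.113.7:  $(spf_check 203.0.113.7 "$WITH_ISP_RELAY")"
```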

Facebook password reset themed malware campaign in the wild

Email — admin @ 6:57 pm

Facebook is warning its users about an ongoing BredoLab malware-serving campaign using the well-known “Facebook Password Reset Confirmation Customer Support” social engineering theme.

More details on the campaign can be found at ZDNet.

WordPress Plugin Upgrades February 21, 2010

Admin, WordPress — admin @ 1:02 pm

We processed another batch of plugin upgrades for WordPress. The following plugins were upgraded:

  • All in One SEO Pack – Version 1.6.10.1
  • Clean-Contact – Version 1.3.3
  • eShop for Wordpress – Version 4.3.2
  • Fast and Secure Contact Form – Version 2.0.1
  • GRAND Flash Album Gallery – Version 0.39pl3
  • Page Tree – Version 2.6
  • Platinum SEO Pack – Version 1.3.2
  • Wordpress Download Monitor – Version 3.3.3.5
  • WordPress Exploit Scanner – Version 0.95
  • WP-EMail – Version 2.51
  • wp-forecast – Version 2.9
  • WP-PageNavi – Version 2.61
  • WP-SpamFree – Version 2.1.1.2
  • wp-weather – Version 0.3.8
  • WP Google Weather – Version 0.4
  • YAK for WordPress – Version 2.0.7

Enjoy!

WordPress Plugin Upgrades February 5, 2010

We have processed another batch of WordPress plugin upgrades including:

  • Clean-Contact – Version 1.3.2
  • Collapsing Pages – Version 0.5.3
  • Connections – Version 0.6.2.1
  • Contact Form 7 – Version 2.1.1
  • eShop for Wordpress – Version 4.3.1
  • Fast and Secure Contact Form – Version 2.0
  • GRAND Flash Album Gallery – Version 0.39pl2
  • Page Tree – Version 2.5
  • QuickShop – Version 2.2.1
  • Wordpress Download Monitor – Version 3.3.3.3
  • WordPress Exploit Scanner – Version 0.94
  • wp-forecast – Version 2.7
  • WP-SpamFree – Version 2.1.1.1
  • wp-weather – Version 0.3.7
  • YAK for WordPress – Version 2.0.6

Please enjoy.

OpenSSL Security Update Problems

Yesterday we received and applied a new security update, openssl-0.9.8l_2, designed to address “man in the middle” attacks, which allow attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL.

As part of the upgrade, the shared object libssl.so.5 was deleted and replaced by libssl.so.7. Unfortunately this caused a number of services that depended on libssl.so.5 to fail. Services that were disrupted included email services, the restarting of apache2, and other services that make use of SSL or TLS connections.

Fortunately this problem was fixed by rebuilding all applications that depend on OpenSSL so that they pick up the new shared object. These applications include:

  • Apache2
  • Qmail
  • SpamAssassin
  • ClamAV
  • Curl
  • gnome-vfs
  • gnutls
  • neon28
  • nmap
  • ntp
  • openldap-client
  • p5-Crypt-OpenSSL-Bignum
  • p5-Crypt-OpenSSL-RSA
  • p5-Crypt-OpenSSL-Random
  • p5-Crypt-SSLeay
  • p5-Net-SSLeay
  • php5-curl
  • php5-ftp
  • php5-imap
  • php5-openssl
  • proftpd
  • soup
  • subversion
  • squirrelmail
  • wget

We believe we have identified and rebuilt all applications impacted and we are continuing to monitor the situation to identify other possible failures.

UPDATE: 01/16/2009

We have completed a sweep of all shared objects using ldd. This process identified a few more rebuilds (not listed above) to some packages not in general production use. The upgrade of OpenSSL is now complete.
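
One way to script the ldd sweep described above, as an added example rather than the commands actually used for this upgrade. The library name `libssl.so.5` comes from the post; the sample ldd output and the directories in the usage comment are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The soname libssl.so.5 is taken
# from the post; sample output and directory names are constructed.

# stale_links SONAME: read ldd output on stdin and print the dependency lines
# that name SONAME or that the loader could not resolve ("not found").
stale_links() {
    awk -v so="$1" 'index($0, so) || /=> not found/ { sub(/^[ \t]+/, ""); print }'
}

# sweep SONAME DIR...: run ldd over executables and shared objects under each
# DIR and list every file that still needs a rebuild. ldd may invoke the
# loader on the file, so point this only at trusted system directories.
sweep() {
    so=$1; shift
    find "$@" -type f \( -perm -100 -o -name '*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        hits=$(ldd "$f" 2>/dev/null | stale_links "$so")
        if [ -n "$hits" ]; then
            printf '%s\n' "$f"
            printf '%s\n' "$hits" | sed 's/^/    /'
        fi
    done
}

# Constructed ldd output for a binary built before the upgrade.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/sbin/httpd:
    libssl.so.5 => not found (0x0)
    libz.so.5 => /lib/libz.so.5 (0x2813e000)
    libc.so.7 => /lib/libc.so.7 (0x28297000)
EOF
}

sample_ldd_output | stale_links libssl.so.5   # demo on the constructed sample
# Real sweep (directories are an assumption):
#   sweep libssl.so.5 /usr/local/bin /usr/local/sbin /usr/local/lib
```

A file is reported both when the old library is missing and when it still resolves to a leftover copy, since either case means the binary was not rebuilt against the new shared object.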

WordPress 2.9.1 Upgrade

Admin, WordPress — admin @ 9:15 am

WordPress was upgraded to the latest version this morning. We did skip the 2.9 upgrade due to some reported problems. The upgrade requires a database upgrade when logging in as admin. I have logged into all of our WordPress sites and run the database upgrade procedure.

I have detected no immediate problems with any of our WordPress installations. If you find a problem, please let me know.

WordPress Plugin Upgrades December 28, 2009

A number of WordPress plugin authors have released new releases just in time for the New Year! The following plugins have been upgraded:

  • Akismet – Version 2.2.7
  • All in One SEO Pack – Version 1.6.10
  • Google XML Sitemaps – Version 3.2.2
  • GRAND Flash Album Gallery – Version 0.39
  • Theme Switcher – Version 1.0
  • WordPress Exploit Scanner – Version 0.93
  • wp-forecast – Version 2.6
  • WP Shopping Cart – Version 3.7.5.3
  • Yet Another PhotoBlog – Version 1.9.24

We have delayed installing the latest WordPress 2.9 release until we have verified that WordPress 2.9.1 has fixed some of the problems found in WordPress 2.9.

Copyright © 1994 - 2010 Gossamer Web Design Lake Tahoe
Gossamer Computer Services, LLC
(530) 583-7989
135 Alpine Meadows Road, #22
PO Box 3433
Olympic Valley, CA 96146