Sam Newman's site, a Consultant at ThoughtWorks

Posts from the ‘Blogging’ category

I always had this blog to write, not to run a blog. I’ve written less and less over the last couple of years and part of this is down to the overhead of maintaining wordpress. My plan is to switch to a clean, hosted solution – and Tumblr is looking like what I want. I plan to migrate everything over ASAP, but ASAP is proving to be not quite as soon as I’d like.

The migration plan is looking like this:

  1. Setup to point to my Tumblr blog
  2. Start posting there, not here
  3. Write a script to export my posts from here to Tumblr.
  4. Write a script to export my comments from here to Disqus.
  5. Setup permanent redirects from the old posts to the new home at Tumblr.

I’ve been neglecting things here at Magpiebrain Towers since my move to San Francisco. Blame the sunshine, a demanding new client, or just a relapse of extreme apathy. Whatever the cause, it seems that my inattention has been rewarded.

Simon sent me an email the other day, wondering where the blog had gone. I brought up Firefox and checked – “No, the site is still there” I said. But it wasn’t as far as Google search was confirmed.

Redirection based on Referer

It turned out that via Google search, when you clicked on links for Magpiebrain then you were redirected to a suspected malware site called ‘’. I immediately blamed Google. Luckily, calmer heads prevailed, and someone far more knowledgeable than me pointed me at these interesting results:

$ curl -I
HTTP/1.1 200 OK
Date: Thu, 29 May 2008 18:00:52 GMT
Server: Apache
Vary: Accept-Encoding
X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff
Served-By: TextDrive
Content-Type: text/html; charset=UTF-8
$ curl -I -H "Referer:"
HTTP/1.1 302 Found
Date: Thu, 29 May 2008 18:00:57 GMT
Server: Apache
Vary: Accept-Encoding
X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff
Served-By: TextDrive
Content-Type: text/html; charset=UTF-8

So, it seems that if google is the referer, then the browser is redirected to some shitty spam site.

Cunning barstweards.

Lax WordPress Upkeep to blame?

When I found out that it was my site that was to blame, I immediately started poking around. I checked my .htaccess file – thankfully this was clear. Next, I disabled all the plugins in WordPress, but still the redirect worked. Finally, I moved index.php out of the way – thereby stopping wordpress from being invoked – and surely enough the redirection stopped. So WordPress was to blame.

However, my inaction in writing posts for the site has also extended to not actually keeping WordPress up to date. So my first course of action was to upgrade from 2.3.3. to 2.5.1. The upgrade process was seemless as always, but the referer hack remained.


A recent thread over at helped me find the solution. By poking around in wp_options and removing a row with an option_name of rss_f541b3abd05e7962fcab37737f40fad8 the problem went away. Right now it isn’t clear which exploit was used, or how many sites were affected, but the thread I found was pretty recent which implies this may be a new issue.

Insidious Hack

This really is quite a good use of what appears to be a WordPress exploit. The only way in which this hack becomes apparent is if you check your analytics frequently (which I don’t – my ego is already big enough without stoking it by looking at hits) or if so perform a google search for your own content, which happens rarely. What is in it for the hackers is harder to see, other than driving traffic to a bogus search engine that pushes prescription drugs.

Yes, it’s another “I upgraded my blog and aint I great” post only this time it’s in the form of thanks to a couple of different parties.

First off, I decided to upgrade the blog to Movable Type 3.2. On a Sunday evening. Right before bed. After a migrane. Without backing up the database. Note to everyone out there: do not hire me as your sys admin. Net Result? One mildly screwed install. The (apparently slicker) upgrade process hung tring to upgrade MT::Log without giving me any helpful information. Luckily some kind soul came to be rescue, and as a result you get to see a useful post like this.

Next up I installed a copy of Douglas Bowman’s photo gallery templates. The excellent documentation made installing the templates a breeze – and the result is fantastic. Anyone that can make my pictures look good deserves a medal – and the least you can offer him is a small donation for such stirling work.

Since I lost the use of the subscribe to post plugin (for reasons known only to the Perl gods) I’ve wanted to add some other way for people to stay tuned to changes made to interesting posts – especially to see if replies are made to comments they’ve left. The obvious solution was staring me in the face – RSS feeds for each post. Using phil ringnalda’s similar template, I’ve updated the template to RSS 2.0, added a full HTML version of the post itself, and using MTSimpleComments include both trackbacks and comments. So now if you see a post that interests you, you can subscribe and get updated when the post changes, or someone leaves a comment or trackback.

Anyway, here is the template – if you don’t have MTSimpleComments you’ll have to replace it with standard Movable Type tags:


    <title>: </title>

    Copyright  by the authors
    Movable Type



        <title>Trackback from <a>"></a></title>


        <title>Comment: </title>



SpamLookup’s DNSBL Configuration

I was about to roll me sleeves up and get busy with mod_security this weekend with a view to further tackling my trackback spam issues, but luckily (for my Apache install if nothing else) Movable Type hacker extraordinaire Brad Choate has released SpamLookup to save me the effort. Where Jay Allen’s well-known MT Blacklist plugin uses centralized URL filters to block spam, SpamLookup concentrates instead on looking at where the trackbacks/comments come from. First among its arsenal of spam fighting techniques is the ability to talk to DNS-based blackhole lists such as the default Blitzed list and the Blog Spam Blocklist. These services publish a regularly updated list of IP addresses – in the case of blitzed and the blog spam blacklist, these IP addresses are known open relays which spammers love to use to cover their tracks.

SpamLookup also checks incoming trackbacks to make sure that the originating IP address matches the weblog the ping is supposedly coming from – it even goes so far as to allow blocking or moderation depending on how close a match there is between the IP address of the trackback and the weblog. Throw in blocking or moderation based on the number of URL’s in the comment, word lists, pass-phrases and support for TypeKey and you have a variety of powerful features.

SpamLookup - Test Form.jpg

The build-in test client

To round the whole package off, Brad has thrown in the excellent test feature. Once you’ve configured SpamLookup (although the defaults are probably good enough for most), you can use the test to see how SpamLookup reacts to a variety of trackbacks and comments. Some default test cases are provided, or you can roll your own – with the sheer number of configurations possible being able to test your individual setup is very important.

SpamLookup - UI Features.jpg

It’s spam prevention features aside, I’d still consider using SpamLookup because of a simple UI feature. When looking at either comment or trackback views, you can select all those entries which have ben moderated. After a wave of trackback spam, I can often have several moderated trackbacks (thanks to MT Approval) to remove – the ability to select all of them with a click of a button is greatly appreciated.

I’ve put an additional anti-spam measure in – comment preview is now forced. I’m having probems with the preview comment template right now (it looks very rough and ready) but I’ll put it right soon.

Once again comments seemed to be missfiring, which I only found out thanks to a helpful soul out there (thanks Shane!). This stumped me a bit, as I’d assumed the problems I was having was down to MT-Blacklist not working with my ISP’s Perl install. The other odd thing was that I was still recieving comment spam (which thanks to MT Moderate was not reaching the actual site). A quick poke around showed that I’d fooloshly left mt-comments.cgi in place, which was obviously how the spammers were getting in.

That left the blame at the door of sub-to-com.cgi, the subscribe to comments plguin I’ve been using for a while now. Backing that out seems to of fixed the problem. Now I need to find some time to see if both MT Blacklist and sub-to-comments was to blame, or if MT Blacklist was blamless after all…

A quick post those people reading this site via JavaBlogs. You might like to know that you’ll no longer be receiving my “ links)”: links spliced in with my feed. If you still want to get them, you’ll need to subscribe to my “FeedBurner feed(magpiebrain – summary posts with links spliced in, RSS 2.0)”: All available feed-types are listed on my “feeds page(magpiebrain – available RSS feeds)”:, or are available via the normal “auto-discovery techniques(”:

Updated: Fixed some typos and the table formatting

Jumping belatedly onto one of the recent blogging bandwagons (by now looking quite unsafe, with peeling paint and all those credible bloggers long since having abandoned…well, wagon) I thought I’d have a look at the browsers people use to view the site in the wake of the release of Firefox 1.0.

Lets look at Analog’s results:

Continue reading…

A friend of mine pointed out that under “RSS Bandit”:, links to my posts are broken. I took a look, and it seems as though it is using the @@ element from my RSS 2.0 feed as a link, rather than the more usual @@. My @@’s are fairly standard (in an MT sense), and look a little like this:


Thinking that RSS Bandit was misusing this value, I thought I’d do a little research.
Continue reading…

I’m not sure how I missed this (although I suspect a recent spring clean of my subscribed feeds is to blame) but I managed to miss the announcement that both “NetNewsWire(NetNewsWire and Bloglines)”: and “FeedDemon(FeedDemon 1.5 Beta 1 with Bloglines Integration)”: are to integrate with “Bloglines”: I wasn’t wowed by the original “announcement”: of the Bloglines web services API – I just saw it as an obvious move to enable the development of notifier tools and the like, as well as reducing bandwidth usage, but I certainly welcome the move of commercial rich-client aggregators to use Bloglines to enable synchronisation across multiple machines.
Continue reading…