Archive for April, 2011

How to block requests by referrer using .htaccess

There may be times you want to stop visitors from reaching your site by following a link on another site. This is called blocking the “referrer”; the same technique is used to prevent image hot-linking.

A “referrer” is another site that links to yours. When a user follows a link there, the browser sends the URL of the linking page in the HTTP Referer header (the header name is misspelled in the standard itself), and the linking site is the referrer. In a basic referrer block, you name the domains (referrers) that may not send you traffic, and Apache tests the header against your list on every request.

For example, the following rules return 403 Forbidden to any request whose Referer names the blocked domain: visitors who arrive by clicking a link there, and any of your pages or images that the other site embeds (iframes, images, etc.).

RewriteEngine On
# Next line may be required, uncomment it if you're having trouble
# Options +FollowSymlinks
# Anchor the pattern so it matches only the blocked domain and its subdomains,
# not lookalikes; example.com is a placeholder for the domain you want to block
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?example\.com(/|$) [NC]
RewriteRule .* - [F]

Note that this does not stop someone from simply typing your address into their browser, and it does not stop requests that carry no Referer at all (bookmarks, privacy settings, proxies or browsers that strip the header), nor a hot-linker who fetches your image server-side and serves their own copy. It specifically stops traffic that arrives from that other domain, so treat it as a nuisance filter rather than an access control.

If you only want to stop image hot-linking, block just the image file types rather than all traffic. The main change is the RewriteRule line. You have two choices: forbid the images outright, or serve an image that says you don't allow hot-linking.

Option 1: Forbid the request

# \. matches a literal dot (an unescaped dot matches any character); NC also catches .JPG and .PNG
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F,NC]

Option 2: Rewrite to a notice image. Besides changing the RewriteRule, add one more RewriteCond that keeps the notice image itself out of the rule; without it the rewrite would match its own output and loop. The path /nohotlink.png is a placeholder for your own image.

RewriteCond %{REQUEST_URI} !/nohotlink\.png$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /nohotlink.png [L,NC]

Feel free to adapt this to your needs.
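The rules above stand or fall on how mod_rewrite matches the Referer and the request path, so here is an added example (my own, not code from the original post) that models that matching in Python. mod_rewrite runs a PCRE search, so a pattern matches anywhere in the value unless you anchor it with ^ and $, and [NC] makes it case-insensitive; a request with no Referer is tested as the empty string. The block contrasts an unanchored domain pattern with the anchored one used above, the unescaped and escaped image patterns, and shows the empty-Referer case. example.com stands in for the blocked domain and the request paths are constructed.

```python
"""Model of the Referer and URI matching the .htaccess rules above rely on.

Added example, not code from the original post.  example.com stands in for the
domain you want to block; the request paths are constructed for illustration.
"""
import re


def rewrite_match(value, pattern, nc=False):
    """True if `pattern` matches `value` the way RewriteCond/RewriteRule test it:
    a PCRE *search* (unanchored unless the pattern says ^/$), case-insensitive
    only with [NC].  A missing Referer header is tested as the empty string."""
    return re.search(pattern, value or "", re.IGNORECASE if nc else 0) is not None


# Referer patterns: the naive one also hits lookalike hosts; the anchored one does not.
NAIVE_REFERER = r"example\.com"
ANCHORED_REFERER = r"^https?://([^/]+\.)?example\.com(/|$)"

# Image patterns: the unescaped dot in the page's original rule matches any character.
UNESCAPED_IMAGE = r".*.(jpe?g|gif|bmp|png)$"
ESCAPED_IMAGE = r".*\.(jpe?g|gif|bmp|png)$"


def hotlink_forbidden(referer, request_uri):
    """Option 1 from the post, corrected form: 403 when the Referer names the
    blocked domain AND the request is for an image.  Both tests must hold, so a
    request with no Referer at all is never blocked by this rule."""
    return (rewrite_match(referer, ANCHORED_REFERER, nc=True)
            and rewrite_match(request_uri, ESCAPED_IMAGE, nc=True))


if __name__ == "__main__":
    # Unanchored: blocks hosts that merely contain the string.
    print(rewrite_match("http://example.com.attacker.test/", NAIVE_REFERER, nc=True))     # True
    print(rewrite_match("http://example.com.attacker.test/", ANCHORED_REFERER, nc=True))  # False
    # Unescaped dot: a path with no extension at all still "matches".
    print(rewrite_match("/download/thumbnailpng", UNESCAPED_IMAGE))                       # True
    print(hotlink_forbidden("", "/img/a.png"))                                            # False
```

The over-matching of the unanchored pattern is only a nuisance for a block list, but if you invert the condition with ! to allow only your own domain, the same mistake lets a host such as yourdomain.com.attacker.test hot-link freely, which is why the anchored form is worth the extra characters.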

Questions, comments, or feedback? Got another method that you think is better, or am I missing something? Please feel free to share it in the comments below. Thank you!


Day two with Ubuntu Unity: Mixed impressions

It’s day two with Ubuntu Natty, and while I’m impressed, I’m also somewhat annoyed. The sum of the changes that came down in 11.04 has me asking “Why?” Here’s a list of some of the pros and cons I’ve seen so far in Ubuntu Natty with Unity:

Pros:

  • The Unity Launcher has ‘keep in launcher’, which can be good for apps that you want 1-click access to.
  • It seems that Unity has a great deal of respect for screen space: moving all the menu bars to a single location, making the notification area smaller, and auto-hiding the Unity launcher all help you get the last bit out of your screen real estate.
  • Holding the Windows key shows keyboard shortcuts for the items in the launcher, allowing hot-key access to them.

Cons:

  • Navigation can be cumbersome. Things are not where you expect them to be, and in some cases, are simply not there anymore.
  • The context-sensitive menu bar puts menus out-of-reach on larger monitors, and potentially on multi-monitor setups.
  • Navigation seems less intuitive than Gnome 2.
  • Any 1-click ‘view desktop’ / minimize all windows functionality is gone.
  • Adding too many items to the launcher can cause it to scroll.
  • There’s no way, that I can see right now, to edit the “shortcuts” that appear in the ‘dash’.
  • Some programs do not iconify to the launcher correctly.

I’m also seeing a handful of mixed bugs in Synaptic Package Manager, Empathy, and the Unity launcher itself.

The release of Ubuntu with Unity and Firefox 4 (which causes regressions in several websites) leads me to the opinion that this is perhaps the most drastic change with the most negative user-facing experience that I’ve seen to-date with Ubuntu. I’m confident that the Ubuntu developers will work quickly to resolve these issues, but I think a lot of these issues should have been fixed prior to release.

As an alternative, the GNOME interface is still available. If you want to use the GNOME interface, you have to make a settings change at the log in screen. After selecting your user name, and before entering your password, change “Ubuntu” to “Ubuntu Classic” using the session changer at the bottom of the screen.

Also, Windows users just got Firefox 4.0.1 which includes a lot of security fixes. While some of them are Windows-specific, Firefox 4.0.1 is still not yet available for Ubuntu Natty. This is something I think should be made available as quickly as possible. UPDATE: To Ubuntu’s credit, Firefox 4.0.1 came down today via update manager. :)

These are a few of the issues and annoyances I’m having with the Unity interface. Do you have any to share?


Quick list of useful SPF DNS records

Sender Policy Framework (SPF) is a DNS record that declares which hosts are allowed to send mail with a given domain as the envelope sender (the MAIL FROM / Return-Path address). A receiving mail server looks the record up, compares the connecting IP against it, and gets a result it can use to reject or flag spoofed and spam mail. The record lists which domains, mail servers, and IP addresses are authorized to send mail for the domain, and what result to return for everything else.

SPF is published as a DNS TXT record on the domain that appears after the @ sign in the sender's address. A subdomain is not covered by its parent's record, so a subdomain that sends mail needs a record of its own.

I’m not going to cover every possible SPF setup, simply the ones I use most often and the rationale behind them. You can check the documentation links below my examples if you want to build more elaborate or specific SPF records.

In the examples below, substitute your web server's IPv4 address after ip4: in dotted-quad form with no space (192.0.2.10 is used here as a placeholder from the documentation address range). You can also specify a CIDR range, such as ip4:192.0.2.0/24. Note that the mechanism name is the lowercase ip4, not IP.

Allow the domain's own A record, its listed mail exchangers (MX), and one specific IP; soft-fail all others (messages that return SOFTFAIL are accepted but tagged). This is the recommended configuration for most dedicated/VPS web server environments: you send and receive mail at your domain, and software on your web server may send mail as you, but no other mail server will. Users of shared hosting environments will probably want to ask their hosting provider for the recommended SPF record to use.

v=spf1 a mx ip4:192.0.2.10 ~all

Include Google's SPF record if you use Google Apps for your domain's mail. Add include:_spf.google.com (the include Google documents for Google Apps); the rationale is the same as above, except that Google's servers deliver your email and software on your web server may also send mail as you.

v=spf1 a mx ip4:192.0.2.10 include:_spf.google.com ~all

Fail all mail. Use this only if the domain sends no mail at all, for example a parked domain or a domain that is never used in email. Because no legitimate mail can be affected, this is the one case where a hard fail is safe to publish from the start.

v=spf1 -all

In all the examples above except the last, I use soft-fail (~all) rather than fail (-all). A mistake or misconfiguration in the record should not get your mail rejected outright: a soft-fail result is recorded in the message headers and may count toward a spam score, but it is the receiving server that decides what to do with it. You can also specify neutral (?all), which says nothing either way about unlisted senders. Once you have confirmed that every host that sends as you is listed, tightening to -all is what actually stops spoofing.
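As an added example (my own, not part of the original post), here is a small SPF evaluator in Python that walks a record term by term the way a receiving server does, against a constructed in-memory DNS table instead of live DNS. It supports the mechanisms used on this page (a, mx, ip4, include, all) with all four qualifiers, and checks the three records above with 192.0.2.10 standing in for the server IP, plus a parked domain with -all and a record that includes itself. The point it adds to the text: the same unlisted sending IP yields softfail, fail, or pass depending on the record, a domain with no record yields none rather than fail, and an include loop ends in permerror at the 10-lookup limit instead of running forever. All domain names and addresses are constructed (RFC 5737 documentation ranges); the _spf.google.com record is a stand-in, not Google's real one.

```python
"""Evaluate SPF records against a sending IP, using an in-memory DNS table.

Added example, not code from the original post.  All names and addresses are
constructed: example.com / example.net / parked.example / loop.example and the
documentation ranges 192.0.2.0/24 and 198.51.100.0/24.  The _spf.google.com
record is a stand-in, not Google's real record.
"""
import ipaddress

DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx ip4:192.0.2.10 ~all"],
    ("example.com", "A"): ["192.0.2.1"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("example.net", "TXT"): ["v=spf1 a mx ip4:192.0.2.10 include:_spf.google.com ~all"],
    ("example.net", "A"): ["192.0.2.2"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.26"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("parked.example", "TXT"): ["v=spf1 -all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # limit on DNS-querying mechanisms (a, mx, include) per check


class PermError(Exception):
    """Record is malformed, unsupported, or exceeds the lookup limit."""


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def _spend(budget):
    """Charge one DNS-querying mechanism against the shared lookup budget."""
    budget[0] -= 1
    if budget[0] < 0:
        raise PermError("too many DNS lookups")


def _a_records(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def check_spf(domain, client_ip, budget=None):
    """Return pass, fail, softfail, neutral, none or permerror for client_ip sending as domain."""
    ip = ipaddress.ip_address(client_ip)
    budget = [MAX_LOOKUPS] if budget is None else budget  # shared across includes
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records is an error, not "either one"
    try:
        for term in records[0].split()[1:]:
            qual = "+"  # mechanisms default to pass when they match
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                matched = True
            elif mech == "ip4":
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                _spend(budget)
                matched = ip in _a_records(arg or domain)
            elif mech == "mx":
                _spend(budget)
                matched = any(ip in _a_records(mx) for mx in lookup(arg or domain, "MX"))
            elif mech == "include":
                _spend(budget)
                inner = check_spf(arg, client_ip, budget)
                if inner in ("none", "permerror"):
                    raise PermError(f"include:{arg} -> {inner}")
                matched = inner == "pass"  # only pass matches; softfail/fail inside an include do not
            else:
                raise PermError(f"unsupported term {term}")
            if matched:
                return QUALIFIERS[qual]
    except PermError:
        return "permerror"
    return "neutral"  # nothing matched and no "all" term: the default result


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.10"), ("example.com", "198.51.100.5"),
                    ("example.net", "198.51.100.5"), ("parked.example", "192.0.2.10"),
                    ("nospf.example", "192.0.2.10"), ("loop.example", "192.0.2.10")]:
        print(f"{dom:16} {ip:14} -> {check_spf(dom, ip)}")
```

Two things worth noticing in the output: an include only contributes a match when the included record returns pass, so a ~all inside Google's record does not soft-fail your mail on its own, and a missing record gives none, which receivers treat much like neutral. That is why publishing -all on a domain that sends no mail is strictly better than publishing nothing.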

Here’s an example email header from Gmail which includes the SPF record’s lookup result. I’ve edited the email address and IP, of course.

Received-SPF: pass ( domain of designates IP as permitted sender) client-ip=IP;
Authentication-Results:; spf=pass ( domain of designates IP as permitted sender)

By this example, you can see the SPF record matched and was passed.

SPF records are a good tool for several reasons. They let receiving mail servers check that a message claiming your domain came from a host you authorized, which helps keep your mail out of recipients' spam folders, and they make it harder for others to spoof your domain in email, which could cause serious trouble.

Keep in mind what SPF does not do. The record itself does not decide whether mail is accepted; it only yields a result (pass, softfail, fail, and so on), and the receiving server applies its own policy to that result. It also checks only the envelope sender (the MAIL FROM / Return-Path address), not the From: line the recipient sees, so a message can pass SPF and still display a forged From: address.

Questions, comments, or feedback about the above SPF records or how they’ve been explained? Please share your thoughts in the comments below! Thank you.


Update on changes to Google Apps

Just a bit ago I received this email from Google Apps:


We recently announced upcoming changes to the maximum number of users for Google Apps. We want to let you know that, as a current customer, the changes will not affect you.

As of May 10, any organization that signs up for a new account will be required to use the paid Google Apps for Business product in order to create more than 10 users. We honor our commitment to all existing customers and will allow you to add more than 10 users to your account for (domain) at no additional charge, based on the limit in place when you joined us.


The Google Apps Team

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Apps account.

Google Inc. | 1600 Amphitheatre Parkway | Mountain View, CA 94043

© 2011 Google Inc. Google and the Google logo are registered trademarks of Google Inc.

Before this change, Google Apps users were able to create up to 50 users on the free level of service. Now Google is cutting that back to 10. The paid service runs $50 per user account per year. It’s a good thing Google is letting current customers keep their account limit, because otherwise having to pay out up to $2,000 a year for their Google Apps accounts would certainly have some people looking for alternatives.

That said, if you were thinking about signing up for Google Apps, you may want to do it now, before the new account limit kicks in. You can sign up here.

Feel free to share your thoughts on the changes to Google Apps accounts in the comments below!


Ubuntu Natty Release

Today is the day that Ubuntu Natty released. While I haven’t yet done my upgrade, I’d like to hear thoughts from anyone who has.

Love it? Hate it? Run into an issue? I’d like to hear your thoughts on it. Please share them in the comments below! Thank you!


PGP/GPG Keys in Ubuntu Gnome the easy way – Part 2

In part 1, I explained how to generate and manage your encryption keys in GNOME. Now I’ll explain how to use your keys to easily sign and encrypt your email. I’m only going to address doing this in Evolution (the default email client in GNOME). You can access the Evolution email account settings by going to System > Preferences > Email settings [Natty/Unity: System Settings > Email], and I’ll assume that Evolution is already set up for your email account.

Integration into Evolution is painlessly simple: You just need the Key ID of your key.

Go to System > Preferences > Passwords and Encryption Keys and look in the column under Key ID. The Key ID is hexadecimal, so it only uses the characters 0-9 and A-F. The 8-character short ID shown there is not unique (two different keys can share it), so if you have more than one key, open Properties and compare the full fingerprint to be sure you are picking the right one.

Once you have the Key ID, start Evolution and go to Edit > Preferences > Mail Accounts and click your mail account and click edit. Then, go to the Security tab and enter your Key ID in the PGP/GPG Key ID field.

That’s it. Now whenever you compose a message, you’ll see the PGP options which allow you to sign and/or encrypt your email messages, and in the reading pane you will see the status of signed/encrypted messages sent to you. The same Security tab also has checkboxes to always sign outgoing messages and to always encrypt to yourself; turn the second one on, or the encrypted messages in your Sent folder will be unreadable to you.

Questions, comments, and feedback to this are welcome, as always.


PGP/GPG Keys in Ubuntu Gnome the easy way

For the security-minded, or anyone who simply wants to be able to exchange secure, encrypted email quickly and easily, GNOME offers a really user-friendly way to generate and manage PGP/GPG keys. This program is located at System > Preferences > Passwords and Encryption Keys. [Natty/Unity: System Settings > Passwords and Encryption Keys]

You can make a new key by going to File > New… > PGP Key. This guide explains some of the basic key management functions in this application.

Fill in the name, email, and an optional comment. PGP relies on a web of trust, so etiquette says you should use your common legal name (shortened versions are fine) and your primary email address (unless you have a reason to do otherwise). If you frequently go by a nickname, enter that in the comment field.

If you’re interested in the advanced options, you can change them by dropping down “Advanced Key Options.” I’m not going to go too much in to what the various options are, but here’s a quick run-down:

Encryption Type: RSA is generally considered the stronger and overall better choice than DSA, and it is GnuPG’s default. Choose “sign only” if you’re creating a signing key rather than an encryption key, and only select that option if you know what you’re doing.

Key Strength (bits): The higher the number, the stronger the key, but key generation and every signing and decryption operation take longer. The default of 2048 bits is the usual choice.

Expiration Date: Set this if you want your key to expire at a predefined date/time, or set it to never expire. An expired key can still decrypt messages that were encrypted to it, and you can extend the expiration of your own key later from Properties, but nobody will encrypt new messages to it once it has expired.

After choosing your options, you’ll be prompted to enter your key pass phrase. DO NOT FORGET IT! Your key will be completely unusable (and you will be unable to revoke it) if you forget the pass phrase. By the same token, avoid making it too easy or guessable. It is also worth generating a revocation certificate right away, while you still know the pass phrase (from a terminal: gpg --gen-revoke with your Key ID), and keeping it somewhere safe, so you can retire the key later even if the pass phrase or the private key is lost.

Next, the key will be generated. This could take a while depending on the key size and the speed of your computer.

Once your key is generated, your public keyring and private keyring will be stored in ~/.gnupg. NEVER distribute your private keyring (secring.gpg): it holds the private half of the key, the part that decrypts and signs.

Next, some more exploration through the Passwords and Encryption Keys application.

Right-clicking on a key gives you the following options, which I’ll explain briefly.

Properties: Here is where you can change your passphrase, add a photo, view your key’s fingerprint, and edit the expiration date and trust level.

Export: This is where you can export your public key for distribution to others (this is the portion of the key that you DO share). By selecting export, you will export an “ASCII-armored” file that can be pasted in email, etc.

Copy: Similar to export, Copy copies your “ASCII-armored” public key to the clipboard, which makes it easier to paste into an email, a web page, etc.

Delete: This deletes the key. Make sure this is what you want to do!

Sign Key: This is a core part of the key-sharing portion of PGP/GPG. It “signs” the key using your own key, applying your signature to it and stating explicitly that you trust the key to some degree. Before you sign, verify the key’s fingerprint with its owner over a channel you trust (in person or by phone, not just the same email the key arrived in); your signature tells everyone else that you checked the key really belongs to that person. Once you’ve signed the key, export it and send it back to the originator so they can distribute it with your signature attached.

So how do you sign a friend’s key?

First, have them export it and send it to you. Next, drag-and-drop the file into the Passwords and Encryption Keys window. It will appear under the Other Keys tab. Once the key has appeared, just right-click on it and click ‘Sign…’ Follow the prompts. Don’t forget to export the key and return it to the sender after you’ve signed it! Work this process in reverse for getting a friend to sign your key. Drag/drop the updated keys back into your key manager to add the new signatures. To verify signatures are present, double-click on the key and look at the Names and Signatures tab.

That’s a quick run-down of the key management functions.

Questions, comments, and feedback about key management are welcome and appreciated. Note that key management may be different in the Unity interface, which is shipped with Ubuntu Natty.


Reenable the key sequence to kill the X server in Ubuntu

This was written more specifically for Ubuntu Maverick and previous, though Natty is just around the corner.

Previous Ubuntu versions, by default, had the key sequence CTRL-ALT-BKSP (Control-Alt-Backspace) enabled as a way to kill the X server in case a full-screen program froze beyond recovery. This key combination was turned off in Lucid, but it can be re-enabled. Keep in mind that it kills every program in the graphical session, so any unsaved work is lost.

To re-enable, go to:

System > Preferences > Keyboard > Layout > Options [Natty/Unity: System Settings > Keyboard]

Drop down “Key sequence to kill the X server” and check the box next to Control + Alt + Backspace

That’s it! The key sequence is now re-enabled.

Questions, comments, and feedback are appreciated, as always.



Ubuntu Natty Beta

We’re just a couple of days down the road from the official Ubuntu Natty release. While I haven’t yet tried the beta (I had a really bad experience a few versions back — a lot broke), I’d like to hear thoughts from anyone who has.

Love it? Hate it? Run into an issue? I’d like to hear your thoughts on it. Please share them in the comments below! Thank you!


Invalid email addresses removed from comment subscriptions

Since I added the feature of subscribing to comments, I’ve noticed a large volume of people subscribing to posts without commenting. Tonight I went through the list and validated email addresses. About 210 email addresses failed validation and were removed. Some mail exchangers refused the connection and those subscriptions were given the benefit-of-the-doubt and left as-is.

I have also switched to a double opt-in method to help prevent subscription spamming. Users will receive a link in their email they will need to click on to confirm the subscription.

I have done this in an effort to prevent subscription abuse.

If you somehow notice that your subscription to an article has been removed, I apologize. Please feel free to sign up again. If you are getting email subscriptions, and are having trouble unsubscribing, please let me know and I’ll take care of it as quickly as I am able.

Questions, comments, and/or feedback are appreciated. Thank you.
