Singpolyma

Technical Blog

Archive for the "Tech" Category

Different Kinds of Feeds

I need a feed reader that recognises different reading preferences for different feeds.

Let me back up.

There are two kinds of feeds: feeds of content (blogs) and feeds of notifications (calendars, del.icio.us popular, digg, forums). The first kind you want to read all of; even if I miss checking my feeds for a while, I still want to see what the blogs I read said. I won’t care tomorrow what was on del.icio.us popular today, because there will be 100 new items by then!

Google Reader does a great job on the first kind of feed, holding content until I read it. Firefox’s Live Bookmarks does a good job on the second kind, showing only current content. What we need is a nice interface for both.

I’ve heard the new Bloglines might… perhaps I’ll check it out.

User-Relevant Timezones

Posts and comments on your blog display in your timezone (usually). This is no good for your readers: what makes sense to them is their own timezone. Trevor Creech and I have written a WordPress plugin to fix this. Using a technique suggested by Johan Sundström and the formatDate JavaScript library by Svend Tofte, the plugin shows post and comment timestamps in the viewer’s local timezone.

Get It Now
See Plugin Home

YubNub LocationBar 0.20

I have released version 0.20 of the YubNub LocationBar Firefox Extension. This version incorporates some features and code from RubNub. The next version of this extension will likely be a merger with RubNub (of features, code, and branding alike).

How to Avoid Getting Pranketh’d, Scam’ed, or Phish’ed

This is a repost of the Pranketh avoid article.

The Problem

If Pranketh’s existence proves anything, it is that email is not the safest medium around. It has always been relatively easy to send an email that claims to come from someone it did not, much as one can write any return address on an envelope. Now that Pranketh has made this problem very obvious, how can one determine whether an email is what we call ‘spoofed’?

Some email providers and programs show warnings on messages that may be spoofed, but detecting spoofing is more art than science. A legitimate email can look spoofed (for example, if you write to Pranketh and we write back, we are actually writing from our GMail accounts, but the reply will appear to come from Pranketh, which, in reality, it did), and a spoofed email can go undetected (because the sender also forges whatever the automatic detection relies on).

Message Headers

First of all, you will want to view what we call the ‘message headers’. Some of them (From, To, Subject) are always visible; depending on your program, the rest are usually hidden. The option to view them all may be called ‘View Message Headers’, ‘All Message Headers’, ‘Original Message’ or something similar. The original article illustrates this with screenshots of several popular email programs (more were to be added over time); the menu items they show are:

GMail: Show Original
Evolution: All Message Headers
Eudora: (menu item not given)
Outlook: Options, then Headers
Outlook Express: Properties, then Headers

Now that the headers are visible, there are a few key things to check. The first is a special header that Pranketh adds to every email it sends. If this header is present, the email was sent using Pranketh (or by someone deliberately copying Pranketh’s header, which amounts to the same confession). If it is absent, that proves nothing: anyone forging mail by other means will simply leave it out, which is why the rest of this article exists. The line will usually be near the bottom of the headers and looks like this:

X-Joke: This email is not from whom it appears to be from. It was sent from pranketh.com.

What if someone is spoofing you without using Pranketh? Thankfully, there are other things you can check. Look for a Return-Path header, similar to the following:

Return-Path: <singpolyma@sunkist.dreamhost.com>

Return-Path is the envelope sender: the address the message was actually submitted under, and where bounces go. The address in it should be the same as, or closely related to, the From address (it need not match exactly; mail sent through a hosting provider, as above, or through a mailing list often carries the provider’s domain). If the two are not related at all (for example, the Return-Path above on an email that says it is from bill@microsoft.com), then the email may be spoofed (see the next section for more on that ‘may’).

Another thing to check, if you read mail in GMail’s web interface, is the ‘mailed-by’ line in the message details. It is not a header in the raw message; GMail derives it from the server that handed the message over. For an email that claims to come from a GMail address it should read:

mailed-by: gmail.com

That’s pretty simple: if it names a domain unrelated to the From address, be suspicious.

If none of the above is present, or if it all checks out, check the ‘Received’ headers. Every server that handles the message adds one at the top, so they read newest first: the topmost was added by your own provider, and the bottom-most describes where the message entered the mail system. They will look something like the following:

Received: from smarty.dreamhost.com (d06184b1.dreamhost.com [208.97.132.177])
    by spaceymail-mx3.g.dreamhost.com (Postfix) with ESMTP id 8EF98188FC7
    for <feedback@pranketh.com>; Wed, 16 May 2007 16:29:36 -0700 (PDT)
Received: from sunkist.dreamhost.com (sunkist.dreamhost.com [208.97.175.14])
    by smarty.dreamhost.com (Postfix) with ESMTP id 7E510EE2C4
    for <feedback@pranketh.com>; Wed, 16 May 2007 16:29:36 -0700 (PDT)
Received: by sunkist.dreamhost.com (Postfix, from userid 1429516)
    id 81E63402A3; Wed, 16 May 2007 16:29:36 -0700 (PDT)

Notice how every hop references dreamhost.com. That is because this email was sent from an address that lives there (actually, it was sent by Pranketh). A GMail email will show gmail.com, google.com, or googlemail.com there instead; a Hotmail email should show hotmail.com, and so on. One caveat: only the lines added by your own provider (the top ones) are trustworthy. Everything below them arrived as part of the message and could have been typed by the sender, so a forger can insert plausible-looking ‘Received’ lines of their own. The reliable question is which host handed the message to your provider, and whether that host belongs where the From address says the mail comes from.

Maybe Spoofed

Why, in the paragraphs above, did we say the email ‘may’ be spoofed? Remember, detecting spoofing is more art than science. My mailboxes all live on dreamhost.com and I send most of my email through GMail, but my email addresses are all at singpolyma.net, so by the checks above my own legitimate mail looks spoofed. How, then, can you tell the difference between mail that is ‘spoofed’ on purpose by the person who owns the address and mail that is not from who it says it is? The best way is to compare it with emails you know are really from them. If those are ‘spoofed’ in the same way, the new email is probably legitimate. If they do not normally send mail that way, or if the pattern looks very different from normal, be very suspicious.

If you are not sure an email is really from someone, write to them and ask whether they sent it. Do not simply hit Reply, though: a forged message’s reply address can point straight back at the forger. Use an address or another channel you already have for that person. That way, you can be absolutely sure.
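The checks in this article can be scripted. What follows is an added example, not part of the original article and not Pranketh’s code: it parses raw headers, pulls out the From and Return-Path domains, walks the Received chain (newest first, as in the message), checks that each hop’s ‘from’ host is the ‘by’ host of the next older hop, and finally applies the ‘maybe spoofed’ test by comparing a message’s fingerprint with one you know is genuine. Both sample messages are constructed: the first reuses the Return-Path and Received lines quoted above with a forged From (the bill@microsoft.com case), and the second stands in for the author’s legitimate singpolyma.net mail sent through GMail, with placeholder host names and a private IP address. The two-label ‘base domain’ comparison is a deliberate simplification.

```python
"""Heuristic spoofing checks over raw email headers (added example, not the article's code)."""
import email
import re
from email.utils import parseaddr

# Constructed: the article's own Return-Path/Received excerpt plus a forged From.
FORGED = """\
Return-Path: <singpolyma@sunkist.dreamhost.com>
Received: from smarty.dreamhost.com (d06184b1.dreamhost.com [208.97.132.177])
    by spaceymail-mx3.g.dreamhost.com (Postfix) with ESMTP id 8EF98188FC7
    for <feedback@pranketh.com>; Wed, 16 May 2007 16:29:36 -0700 (PDT)
Received: from sunkist.dreamhost.com (sunkist.dreamhost.com [208.97.175.14])
    by smarty.dreamhost.com (Postfix) with ESMTP id 7E510EE2C4
    for <feedback@pranketh.com>; Wed, 16 May 2007 16:29:36 -0700 (PDT)
Received: by sunkist.dreamhost.com (Postfix, from userid 1429516)
    id 81E63402A3; Wed, 16 May 2007 16:29:36 -0700 (PDT)
From: Bill Gates <bill@microsoft.com>
To: feedback@pranketh.com
Subject: Free upgrade
X-Joke: This email is not from whom it appears to be from. It was sent from pranketh.com.

Click here.
"""

# Constructed: legitimately 'spoofed' mail (singpolyma.net address, sent via GMail).
# Host name and IP are placeholders, not real Google infrastructure.
LEGIT_VIA_GMAIL = """\
Return-Path: <singpolyma@gmail.com>
Received: from relay.google.com (relay.google.com [10.0.0.1])
    by spaceymail-mx3.g.dreamhost.com (Postfix) with ESMTP id 0123456789A
    for <feedback@pranketh.com>; Thu, 17 May 2007 09:00:00 -0700 (PDT)
From: singpolyma@singpolyma.net
To: feedback@pranketh.com
Subject: hello

hi
"""

_COMMENT_RE = re.compile(r"\([^)]*\)")
_FROM_RE = re.compile(r"^from\s+([\w.-]+)", re.I)   # anchored: 'from userid' in a comment must not match
_BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)


def base_domain(host):
    """Last two labels of a host name. Crude (wrong for co.uk-style suffixes) but
    enough to decide whether two names are 'similar' in the article's sense."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_received(msg):
    """Received hops as (from_host, by_host) tuples, newest first (message order)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = _COMMENT_RE.sub("", " ".join(raw.split()))  # unfold, drop (comments)
        frm, by = _FROM_RE.search(text), _BY_RE.search(text)
        hops.append((frm.group(1) if frm else None, by.group(1) if by else None))
    return hops


def chain_links(hops):
    """Each hop's 'from' host should be the 'by' host of the next older hop.
    A break suggests a Received line written by the sender rather than a server."""
    for (frm, _), (_, older_by) in zip(hops, hops[1:]):
        if frm and older_by and frm.lower() != older_by.lower():
            return False
    return True


def analyse(raw, my_provider):
    """Run the article's checks. my_provider is your own mail host's domain:
    only Received lines stamped 'by' those hosts can be trusted."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    hops = parse_received(msg)
    oldest = hops[-1] if hops else (None, None)
    origin = oldest[0] or oldest[1]  # a 'by'-only line is a local submission on that host
    f = {
        "from_domain": from_addr.rsplit("@", 1)[1].lower() if "@" in from_addr else None,
        "return_path_domain": return_path.rsplit("@", 1)[1].lower() if "@" in return_path else None,
        "pranketh_header": msg.get("X-Joke") is not None,
        "origin_host": origin,
        "chain_links": chain_links(hops),
        "trusted_hops": sum(1 for _, by in hops if by and by.lower().endswith(my_provider)),
    }
    fd, rd = f["from_domain"], f["return_path_domain"]
    f["return_path_similar"] = bool(fd and rd and base_domain(fd) == base_domain(rd))
    f["origin_similar"] = bool(fd and origin and base_domain(fd) == base_domain(origin))
    f["suspicious"] = (f["pranketh_header"] or not f["chain_links"]
                       or not f["return_path_similar"] or not f["origin_similar"])
    return f


def same_pattern(findings, known_good):
    """The 'maybe spoofed' test: same fingerprint (origin host and Return-Path
    domain) as mail you already know is genuinely from this sender?"""
    return (bool(findings["return_path_domain"]) and bool(known_good["return_path_domain"])
            and base_domain(findings["origin_host"] or "") == base_domain(known_good["origin_host"] or "")
            and base_domain(findings["return_path_domain"]) == base_domain(known_good["return_path_domain"]))


if __name__ == "__main__":
    forged = analyse(FORGED, "dreamhost.com")
    baseline = analyse(LEGIT_VIA_GMAIL, "dreamhost.com")
    impostor = analyse(FORGED.replace("Bill Gates <bill@microsoft.com>", "singpolyma@singpolyma.net"), "dreamhost.com")
    print("forged message:", forged)
    print("baseline looks spoofed by the raw checks:", baseline["suspicious"])
    print("impostor matches known-good pattern:", same_pattern(impostor, baseline))
```

Run as shown, the forged message is flagged on every check (Pranketh header present, Return-Path and origin host both unrelated to microsoft.com), while the legitimate GMail-relayed message is also flagged by the raw checks, which is exactly the article’s point: the ‘maybe’ is resolved by `same_pattern`, which accepts mail that leaves the same fingerprint as known-good mail and rejects the impostor whose message entered the system from a different place.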

Spread the Word

A lot of people trust email every day. It is our responsibility as people who know how to detect spoofing to spread the word. Link to this article, post it on your site, email it to friends, review it, translate it, anything that you think will get the word out faster!

We only ask that you give us credit and link back to this page according to the terms of a Creative Commons Attribution-ShareAlike license.

How to Avoid Getting Pranketh’d, Scam’ed, or Phish’ed by Pranketh is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

REST Personal Message TEP

I have updated this draft and released some code.

Regular readers of my blog know that I am obsessed with one thing: decentralisation. I hate having all my eggs in one basket. IMHO, if anyone has the ultimate power, then it’s not true Web 2.0. In my recent thinking this has extended to my view of social networks such as Facebook and MySpace.

One of the most-used features of these is personal messages. These can be public (à la the Facebook wall) or private (à la a Facebook message). Here I intend to provide a TEP, which I will implement, suggesting a way to do this in a decentralised and RESTful manner.

Detecting the endpoint

I love XRDS! This format (Extensible Resource Descriptor Sequence) comes to us from the OpenID world, but it really provides a standard way to associate RESTful endpoints with a URL [example].

I think it makes most sense to have one type URL for this TEP and declare a namespace for extending XRDS to (optionally) tag endpoints with a ‘sub-type’. This could look like the following:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:dsn="http://singpolyma.net/dsn/xmlns">
  <XRD>
    <Service priority="50">
      <Type>http://singpolyma.net/dsn/pmt</Type>
      <URI>http://example.com/msg</URI>
      <dsn:msgtype>private</dsn:msgtype>
    </Service>
  </XRD>
</xrds:XRDS>

(I will create these pages in a bit.) I would propose the following dsn:msgtype values for now: private (only to you) and public (like the Facebook wall). As this is a TEP, nothing is remotely final. I’m not sure I like msgtype as the tag name, for one thing.
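To make the discovery step concrete, here is an added example (my code, not the draft’s or its implementation) that parses an XRDS document like the one above and selects the message endpoint for a requested msgtype, honouring XRDS priorities (lower number wins). The document it parses is constructed for the example: it extends the sample above with a second, public endpoint, a second URI on that service, and an unrelated OpenID service, so the filtering is visible. Accepting only http(s) endpoint URIs is this example’s own precaution, since discovery hands you a URL chosen by the other party; the draft does not specify it.

```python
"""XRDS discovery for the dsn/pmt service type (added example, not the draft's code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
DSN_NS = "http://singpolyma.net/dsn/xmlns"
PMT_TYPE = "http://singpolyma.net/dsn/pmt"

# Constructed XRDS document: the draft's sample plus a public-wall endpoint
# (with one acceptable and one unacceptable URI) and an unrelated service.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:dsn="http://singpolyma.net/dsn/xmlns">
  <XRD>
    <Service priority="50">
      <Type>http://singpolyma.net/dsn/pmt</Type>
      <URI>http://example.com/msg</URI>
      <dsn:msgtype>private</dsn:msgtype>
    </Service>
    <Service priority="10">
      <Type>http://singpolyma.net/dsn/pmt</Type>
      <URI>http://example.com/wall</URI>
      <URI>file:///tmp/wall</URI>
      <dsn:msgtype>public</dsn:msgtype>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://example.com/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def find_endpoints(xrds_text, msgtype=None):
    """Return (priority, uri, msgtype) for every dsn/pmt Service, best priority first.
    In XRDS a lower priority number is preferred; a missing priority sorts last."""
    root = ET.fromstring(xrds_text.encode("utf-8"))
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        if PMT_TYPE not in types:
            continue  # some other protocol's endpoint
        kind = svc.findtext(f"{{{DSN_NS}}}msgtype")
        kind = kind.strip() if kind else None
        if msgtype is not None and kind != msgtype:
            continue
        prio = svc.get("priority")
        prio = int(prio) if prio is not None and prio.isdigit() else float("inf")
        for uri in svc.findall(f"{{{XRD_NS}}}URI"):
            if not uri.text:
                continue
            href = uri.text.strip()
            # Precaution of this example: the other party chose this URL, so only
            # ever send messages to http(s) endpoints.
            if urlsplit(href).scheme not in ("http", "https"):
                continue
            found.append((prio, href, kind))
    found.sort(key=lambda e: (e[0], e[1]))
    return found


def best_endpoint(xrds_text, msgtype):
    """The URI to deliver a message of the given msgtype to, or None if none is advertised."""
    hits = find_endpoints(xrds_text, msgtype)
    return hits[0][1] if hits else None


if __name__ == "__main__":
    for entry in find_endpoints(SAMPLE_XRDS):
        print(entry)
    print("private ->", best_endpoint(SAMPLE_XRDS, "private"))
    print("public  ->", best_endpoint(SAMPLE_XRDS, "public"))
```

In real use the XRDS text comes from Yadis discovery on the recipient’s URL; the parsing and selection logic is the same. Note that the `file:` URI is silently dropped, so a document advertising only non-http(s) URIs yields no endpoint rather than a bad one.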

Sending Data to the Endpoint

This part is easy. For maximum compatibility with existing systems, an endpoint accepts fields sent by either GET or POST. Every field passed must be processed: the simplest endpoint takes all of the data passed via both GET and POST and writes each field name as a header with its value under or beside it in the message body. No data may be ignored (other than a value, such as a session ID, that is specific to your server and that you want stripped). Since a plain GET creates a message, anything that fetches a link (crawlers, link previews, a tricked browser) can create one too, so an endpoint should treat every delivered field as untrusted input whichever method carried it. The following fields have an obvious special meaning. If you are going to do something special with one of these values you should use the name given here, but any other data may be handled however you like as long as it is included somewhere in the message.

subject, from (contact of sending user), cc, url (of sending user), name (of sending user), body

XHTML is allowed. Because the sender is untrusted, the receiving endpoint must sanitise it before display (allow-list the tags and attributes it will render, and drop scripts, event handlers and non-http links) rather than echo it as received. Special data (such as calendar events) should be marked up with microformats where possible.

A way to contact the user back SHOULD be supplied. If either from or url is a URL, XRDS discovery can be performed on it in order to detect an endpoint for this TEP to use in replying. That discovery fetches a URL the sender chose, so restrict it to http and https.
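The receiving side of the rules above, as an added example (mine, not the draft’s own implementation): every field becomes a header rendered as escaped text, only the body is rendered as XHTML and only after an allow-list sanitiser has been run over it, the one permitted exception (server-specific fields) is dropped, and the reply-discovery URL is taken from url or from only when it is an http(s) URL. The field names in DROP_FIELDS, the tag and attribute allow-list, and the sample request are all assumptions of this example, not part of the draft.

```python
"""Receiving side of the personal-message TEP (added example, not the draft's code)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

SPECIAL_FIELDS = ("subject", "from", "cc", "url", "name", "body")  # the names the draft gives
DROP_FIELDS = {"PHPSESSID", "_csrf"}  # assumed: per-server values the draft lets you discard


class XhtmlSanitizer(HTMLParser):
    """Allow-list sanitiser for the message body. Keeps a handful of XHTML tags,
    drops script/style with their contents, drops every attribute except a few
    harmless ones, refuses non-http(s) hrefs and re-escapes all text.
    The allow-lists are assumptions of this example."""
    ALLOWED = {"p", "a", "em", "strong", "br", "ul", "ol", "li", "abbr", "span", "div"}
    ALLOWED_ATTRS = {"href", "title", "class"}
    DROP_WITH_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_WITH_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in self.ALLOWED:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS or value is None:
                continue  # onclick= and friends never get through
            if name == "href" and urlsplit(value).scheme not in ("http", "https"):
                continue  # javascript:, data:, etc.
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data))


def sanitize_xhtml(fragment):
    parser = XhtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def build_message(fields, method):
    """fields: the request parameters as a dict (GET query or POST form, merged).
    Returns the stored message: known and unknown fields alike become headers
    rendered as escaped text; only 'body' is rendered as (sanitised) XHTML."""
    headers, body = {}, ""
    for name, value in fields.items():
        if name in DROP_FIELDS:
            continue  # the one thing the draft allows an endpoint to ignore
        if name == "body":
            body = sanitize_xhtml(value)
        else:
            headers[name] = html.escape(value)
    # The draft's special fields first, everything else after; nothing is dropped.
    ordered = {k: headers[k] for k in SPECIAL_FIELDS if k in headers}
    ordered.update((k, v) for k, v in headers.items() if k not in ordered)
    return {"via": method, "headers": ordered, "body": body}


def reply_discovery_url(fields):
    """Where to run XRDS discovery for a reply: 'url', else 'from', if it is an http(s) URL.
    Production code should additionally refuse private and internal addresses."""
    for key in ("url", "from"):
        value = fields.get(key, "")
        if urlsplit(value).scheme in ("http", "https"):
            return value
    return None


# Constructed request: what a sending site might submit via GET or POST,
# including the kind of markup a hostile sender would try.
SAMPLE_REQUEST = {
    "subject": "Dinner?",
    "from": "alice@example.org",
    "url": "http://alice.example.org/",
    "name": "Alice <script>alert(1)</script>",
    "body": '<p onclick="steal()">Friday <script>alert(1)</script>'
            '<a href="javascript:steal()">here</a> &amp; <b>there</b></p>',
    "PHPSESSID": "deadbeef",
    "x-mood": "<happy>",
}

if __name__ == "__main__":
    stored = build_message(SAMPLE_REQUEST, "POST")
    for name, value in stored["headers"].items():
        print(f"{name}: {value}")
    print(stored["body"])
    print("reply via:", reply_discovery_url(SAMPLE_REQUEST))
```

Wiring this to a web framework is a matter of merging the query string and form into the `fields` dict and storing what `build_message` returns; the sanitiser and escaping are what keep an untrusted sender from running script in the recipient’s browser when the message is rendered.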

I am going to write some code to implement this both for WordPress and independently soon. I may also create a simple service targeted at adding this capability to a blogger blog (or other locked-hosting website).