The Advisory Boar
My mother called to tell me that people were complaining that mail sent
to her address at one of my domains (menon-sen.com) was bouncing. Here's
an excerpt from the bounce message she sent me:
DNS Error: 27622840 DNS type 'mx' lookup of menon-sen.com responded
with code SERVFAIL
I thought it was just a temporary DNS failure, but just for completeness
I tried to look up the MX for the domain, and got a SERVFAIL response. I
checked WHOIS for the domain and was horrified to find this:
Name Server: FAILED-WHOIS-VERIFICATION.NAMECHEAP.COM
Name Server: VERIFY-CONTACT-DETAILS.NAMECHEAP.COM
In a near-panic (because this meant email to one of my work addresses
was also being bounced), I checked a bunch of stuff: No, the whois
details for the domain were not incorrect (nor had they been changed
recently). No, Namecheap had not sent me any whois verification mail
about the domain. No, Namecheap had not sent me any notification that it
was going to suspend the domain. No, the Namecheap admin page didn't say
anything about the domain having been suspended.
I couldn't find any relevant articles in the support knowledgebase, so I
opened an emergency ticket with Namecheap support. They responded in an
hour, and helped to resolve the problem immediately. They did admit that
I didn't receive a notification because of an error on their part:
We have double-checked contact details on the domain in question and
registrant details appeared to be missing on the domain due to a
one-time glitch at our end. That is the reason you have not received
verification email. Please accept our most genuine apologies for the
inconvenience caused you.
I have always found Namecheap support to be responsive and helpful. I do
appreciate their candour and the prompt response in this case as well,
but I am deeply shaken that their system has no controls in place to
prevent a domain from being suspended without any sort of notification
(especially since they were sending me notifications about other domains
registered under the same account in the same time period).
I don't know when exactly the domain was suspended. I have actually lost
mail because of this incident—and at least one of them was an important
response to some mail I sent. But thanks to my mother's correspondents,
I think the problem was discovered before very long. I cannot afford to
worry about this happening for my other domains that are up for renewal
in the near future. If the same thing had happened to toroid.org, it
would have been catastrophic.
I have been a happy customer of Namecheap for more than five years, and
recommended it to any number of friends during that time. Along with
(which is much more expensive), it's by far the best of the dozen or so
registrars I've used over the past two decades. I have no idea where to
move my domains, but I'll start keeping an eye out for an alternative.
Update, moments after writing the above: my friend Steve points
out that there's something to be said for having a vendor who admits to
their errors honestly; and only a pattern of errors rather than a single
incident would justify moving my domains away to an unknown registrar.
A few days from now, I hope to be able to properly appreciate Steve's
wisdom in this matter. Meanwhile, I'm saved from precipitous actions by
the fact that I haven't the faintest idea where to migrate anyway.
Before we installed a towel rail in the bathroom, we kept clean clothes
on an old newspaper on the washbasin counter while bathing. It kept the
clothes dry and kept me entertained while brushing my teeth for several
months (I would unfold and refold it differently every few days when the
top stories began to seem familiar).
“Pollution report malicious, incorrect: Javadekar”
dated June 7, 2016 quoted the reaction of the Union Minister for
Environment, Prakash Javadekar, to a paper that was widely reported
with headlines like
“Life expectancy in Delhi has
reduced by six years because of air pollution, reveals study”.
Here's a clipping:
The original paper, “Premature mortality in India due to PM2.5 and ozone
exposure”, written by scientists at
and published in Geophysical Research Letters, was not
immediately available for download. The Minister's scathing indictment
shows that he is only too aware of
the threat posed by Elsevier journals.
Of course, this is hardly the first attempt to maliciously target India
with overblown pollution reports:
Volcanic activity in modern-day India, not an asteroid, may have killed
the dinosaurs, according to a new study.
Tens of thousands of years of lava flow from the Deccan Traps, a
volcanic region near Mumbai in present-day India, may have spewed
poisonous levels of sulfur and carbon dioxide into the atmosphere and
caused the mass extinction through the resulting global warming and
ocean acidification, the research suggests.
Barely a month after his astute recognition of this pattern, however,
a cabinet reshuffle
saw Prakash Javadekar reassigned to the Ministry of Human Resources and
“Javadekar does a U-turn after questioning pollution study”.)
A little over a month ago, our Glorious Leader eliminated corruption,
black money, terrorism, and poor people in one bold and innovative move
by declaring most of the currency in circulation to not be legal tender.
We are fortunate that we can get by without much cash in hand. We eat
mostly what we grow, or is grown nearby in the village, and what few
additional expenses we have (e.g., milk) have so far been met by the
ten- and twenty-rupee notes we had collected to save time by paying
exact tolls on the highway.
Our one visit to the nearest bank yielded a two-thousand rupee note and
a bag of coins each—the most the branch could spare per person, given
that they've received no cash for several days.
In Delhi, Ammu is not so lucky. Her landlord demands the rent in cash,
and in exam season, she has had to stand in queue for several hours at
an ATM to withdraw a quarter of her rent (which is the maximum one can
withdraw in a day). Strangely, the vegetable and fruit sellers in her
locality do not accept digital payments yet.
I was looking forward to hearing what the Supreme Court of India had to
say about demonetisation, but they haven't said much, because they're
busy with matters of real importance to the nation, like how
often the national anthem should be played and how straight one should
stand to properly demonstrate one's “constitutional patriotism”.
I wanted to buy a jacket from Decathlon, so I went to create an account
on their site, which involved wading through as convoluted and boring a
because it's just in a textarea on the account creation page.)
Most of the terms were unremarkable (obnoxious and officious, but still
unremarkable), until I encountered this gem about halfway down.
«11. The Buyers shall be responsible to up keeping the providing
information relating to the products proposed to be sold by Us. In
this connection, The Buyers undertake that all such information
shall be secured in all respects. The Buyers shall not defame the
attributes of such products or services so as to mislead other
Buyers in any manner.»
I created an account anyway (and the jacket is rather nice), but I
didn't want to be responsible for “up keeping” information relating to
the products they sell. So I wrote to their customer support to ask what
this ridiculous verbiage was supposed to mean. Much to my surprise, they
not only responded to my mail, but actually asked their lawyers for a
I had a word with our legal department and they mentioned that the
clause means if a customer has an issue with or an opinion about a
product, they contact us first for us to help them with their issue and
not post it on social networking sites or the media.
Not being a fan of idiotic and underhand (and poorly-written, to boot)
attempts to restrict what one's customers can and cannot say, I tried to
delete my account. The terms of service said I could delete my account
at any time, but I could find no way to do so on the web site. So I
asked Decathlon to delete my account.
First they said they had deleted my account. I could still log in, so I
wrote back to ask them to delete it again. Then they said that I had
registered two accounts (which I had not; I had just changed my name to
"ABC" in my profile), and asked me to send them a list of addresses I
had used (which I did—one address). Then they stopped answering my mail.
Eight weeks later, I can still log in to my account.
Technically, I don't think this post violates their terms of service,
because I did contact them for help first. But they do have a
stern profanity policy, so here's a little something to help the account
suspension process along: What the fuck, Decathlon? You're a bunch of
Update (2016-12-13): The account still works, but the “you may
delete your account at any time” clause has been removed from the terms
of use at some point. Of course, the vital “responsible to up keeping
the providing information” clause is still there.
An article about
reminded me of a problem I investigated last year when Hassath couldn't
send mail when connected through her phone's mobile hotspot.
My first response to any network problems is to run tcpdump, and I saw
the following EHLO response from my own SMTP server.
250-AUTH PLAIN CRAM-MD5
Vodafone is transparently proxying outgoing SMTP traffic and replacing
STARTTLS in the EHLO response with XXXXXXXA, so that the client doesn't
try to negotiate TLS. If you issue STARTTLS anyway—which no normal SMTP
client would, but openssl's s_client can do—the TLS negotiation fails.
So it's not just a downgrade attack, it's actively sabotaging TLS
This was the case in mid-2014, and it's still the case at the time of
writing. I wonder how many terabytes of email logs they have collected
in the meantime, how they are stored, and who is reading them.
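As an added example (not code from the original post), this Python sketch parses an EHLO reply and fails closed when STARTTLS is absent or has been overwritten in place, as with the XXXXXXXA keyword described above. The sample replies, the hostname mail.example.org and the masking heuristic are constructed assumptions; only the AUTH line and the XXXXXXXA keyword come from the post.

```python
import re

# Constructed sample EHLO replies (not captured traffic); the hostname is a placeholder.
CLEAN = """250-mail.example.org
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN CRAM-MD5
250 8BITMIME"""
# The same reply after the keyword was overwritten in place, as the post describes.
TAMPERED = CLEAN.replace("STARTTLS", "XXXXXXXA")
# A server that never offered TLS at all.
NO_TLS = CLEAN.replace("250-STARTTLS\n", "")


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    lines = reply.splitlines()
    caps = {}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line.rstrip())
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # '-' marks a continuation line; only the final line uses a space.
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if i == 0:
            continue  # first line carries the server's domain, not a capability
        words = m.group(2).split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def classify(reply):
    """Return (verdict, may_send_auth) for an EHLO reply."""
    caps = parse_ehlo(reply)
    # Heuristic (assumption): a keyword the same length as STARTTLS made
    # mostly of 'X' suggests the original keyword was overwritten in transit.
    masked = any(len(k) == len("STARTTLS") and re.fullmatch(r"X{6,}[A-Z0-9]*", k)
                 for k in caps)
    if "STARTTLS" in caps:
        verdict = "offered"
    elif masked:
        verdict = "masked"
    else:
        verdict = "absent"
    # Fail closed: credentials are only sent on a session that can be upgraded.
    return verdict, verdict == "offered"
```

A "masked" verdict is worth logging separately from "absent", since it points at something on the path rather than at the server's own configuration.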
While I was tethered to my phone, I did a bit more testing. Vodafone
India doesn't seem to mess with HTTPS connections, and IMAP connections
are not downgraded either (i.e., the server's STARTTLS advertisement is
not modified, and the TLS negotiation succeeds). Nor did it inject any
Update (2017-10-01): I
happened to read a 2014 post by Steve Atkins titled
STARTTLS and misplaced outrage,
which says this is a "very, very, very well known" problem with the
configuration of a PIX firewall feature named "MailGuard". He writes:
The most likely scenario, by far, is that the mailserver operator is
behind a PIX, and has it configured like that. As port forwarding is
specific to the interface that traffic comes in on, it’s quite possible
that it’s only misconfigured for traffic coming over some networks.
Drastically less likely is that there was a PIX installed – backwards –
on the cellular providers network.
Somewhat less likely still is that they’re simply lying about what
they’re seeing. But those are the only three options.
In this case, I'm the operator of the mail server in question, and I
know there is no PIX involved anywhere, and I know I'm not simply lying
either. I also know that the problem happens only on Vodafone's network,
so—unlikely as it may be—maybe there's a PIX installed backwards on the
Today's The Hindu—not for the first time—had an extra front page
devoted to an advertisement from IIPM, complete with gushing top-half
copy masquerading as news reporting. Over the past year or so, Arindam
Chaudhuri's snake-oil salesman grin has been a frequent visitor to the
back page of The Hindu, and many an innocent exclamation mark has been
sacrificed to extol the virtues of IIPM. I can't even begin to imagine
the amount of money that must change hands for this kind of coverage.
I'm not sure if it's more depressing that IIPM has accumulated such vast
quantities of money by selling snake-oil, or that The Hindu is happy to
soak it up and print acres of whatever drivel is sent its way.
(For those who are wondering, IIPM is the
Indian Institute of Planning and Management,
an unaccredited business school that is in the habit of
anyone who points out that their advertisements are full of lies.)
An application I've been working on sends random challenge tokens by SMS
to confirm certain user actions. My client had an account with
Way2SMS already, so I used their
simple HTTP API to send out the tokens. Later, we discovered that
messages to some networks were delayed by fifteen minutes or more, and
we decided to find a backup provider. I relayed a friend's
recommendation of Air2Web to my
client, and they signed up for the starter package.
They got our account set up quickly, and I sent myself a message through
their HTTP API (which, like Way2SMS, was just a URL which took the phone
number and message as query parameters). The message never arrived, so I
wrote to "aircare" to complain. They replied promptly that my number was
on the Do-not-call registry, so they would
not deliver messages to it.
This morning, I got an email (and SMS) alert from Airtel:
Dear Airtel Customer,
You have consumed 100% of your high speed data transfer limit of 10000
MB. Now you will be getting a revised speed till the end of this bill
cycle (as per the bill plan subscribed by you) and the speed will be
back to normal at the beginning of the new bill cycle. You are still
on an unlimited plan and all your data transfer remains free.
Airtel was forced to institute a
Fair Usage Policy
for "unlimited" data transfer plans, because
A very small number
of customers use an excessive amount of the network bandwidth, to the
extent that it can impair the experience of others. But
…needless to mention, the usage levels set are very generous such
that most customers will not be affected. And remember, they're
only defining a "fair usage level", not a "limit".
I humbly apologise to everyone whose "experience" I unfairly impaired by
downloading 10GB at 512Kbit/s in one month. The strain on the Airtel
network must have been enormous.
But wait, there's more! The email goes on to say:
However, if you need a higher speed, you can visit www.airtel.in/sod
and subscribe to speed on demand - a service from Airtel where you
can increase your browsing speed by paying a nominal charge.
Oh good, I should have known a nominal charge could fix everything. I
feel so… unlimited now.
(P.S. airtel.in/sod says "Unexpected error" when you try to sign up.)
Ramit's police complaint (made by way of some suitable boffin) resulted
in the police going to the station the next day and arresting two people
expanding their cellphone collection by the same means as before. They
may not be the same people whom Ramit met, but the indications are that
at least ten people are involved and—as we suspected—this is something
that has been going on for a while.
I wonder if the earlier victims complained to the police. It's hard to
believe that none of them did; so perhaps their complaints arrived too
low down the police hierarchy to prompt any serious action.
But I hope the cops find every one of the robbers now.
Ramit was robbed of his mobile phone by four armed men on two scooters
with no license plates at 0730 this morning, while waiting outside the
New Ashok Nagar Metro station for me to pick him up on our way to the
Okhla Bird Sanctuary. When he handed over his phone, they immediately
discarded the SIM (which he recovered), and left. Fortunately, Ramit
was not hurt.
We drove to the Police Chowki nearby, but there were no policemen there.
Some hours later, we returned to the Metro station and spoke to the CISF
personnel in charge of security. They said they would have tried to help
if we had reported the crime immediately, but that they were responsible
for security only inside the station premises. The CISF superintendent
told us to file a complaint at the Yamuna Bank police station, and also
said there had been other thefts in the area recently, but the Delhi
Police personnel deputed to patrol the outside of the station never
turned up as scheduled.
I submitted a report of the incident as feedback on the Delhi Metro web
site, and also called them up and spoke to a Ms. Rita Kumar at the DMRC
to report the robbery. She promised to "forward" the information I gave
her, for whatever that is worth, but again said that incidents outside
the station were solely the problem of the Delhi Police.
Aside: the Metro station in question is (like many others) an elevated
structure built around a platform. The road passes under it, and Ramit
was waiting there on the sidewalk in front of a pillar with a "Station
Entry" sign on it. While it may technically be outside the premises of
the station, it seems somewhat irresponsible for the DMRC to wash its
hands of security directly underneath the station, barely thirty metres
from the entrance.
Despite his traumatic morning, Ramit (who says he has been mugged before
in Nairobi) wanted to stick to our plan, and we had a nice bird-watching
session at Okhla and Khadar. Notable sightings include the first Citrine
Wagtail of the black-backed calcarata race this season, close-up
views of Black-breasted Weavers, four Ferruginous Pochards, and a number
of White-tailed Stonechats, Striated Babblers, and Graceful Prinias. I
also relished the opportunity to study various species of grasses in