Working with Mailgun Bounce Lists

Manipulate Mailgun Bounce Lists: Show, Add, and Delete Email Addresses. All from the terminal.

I recently came across a situation where a client reached their disk usage limit. As a result, they were unable to receive emails. This went unnoticed for a couple of days (I didn’t manage the server at the time, I do now).

This client has a couple different WordPress sites with several employees receiving various notification emails. All their sites use Mailgun and the Mailgun WordPress plugin for sending emails. During the time they were unable to receive email, a few employee email addresses got placed on a Mailgun bounce list with a status of 550 Administrative prohibition.

For some background, here’s how Mailgun describes a bounce, as found in the Mailgun documentation:

Bounce list stores events of delivery failures due to permanent recipient mailbox errors such as non-existent mailbox. Soft bounces (for example, mailbox is full) and other failures (for example, ESP rejects an email because it thinks it is spam) are not added to the list.

Subsequent delivery attempts to an address found in a bounce list are prevented to protect your sending reputation.

I first noticed the bounce issue in the logs, like in the image below. After not being able to find a way to manage email addresses on the bounce list from the browser, I hit up Google and was pleased to find that you can interact with Mailgun bounce lists via their API.

Show Email Addresses in the Mailgun Bounce List

To list email addresses on the bounce list, do something like this on the terminal/command line, replacing key-xxx-xxx with your actual Mailgun API key:

curl -s --user 'api:key-xxx-xxx' -G https://api.mailgun.net/v3/mg.longrendev.io/bounces

You can find your Mailgun API key on the Mailgun dashboard, under API Keys. The Mailgun API will return JSON, which is a bit difficult to read in the terminal. I usually copy the output and paste it into this JSON formatter, which makes the data much easier to read, as you can see in the screenshot above.

Even as raw text, the formatted JSON is easier to read. See, here’s the returned JSON, in its original form:

Now here’s the pretty, formatted JSON as raw text:

Much easier to read, right? Those of you using REST clients like Postman will have your results automatically prettified, removing the need to use a site like the JSON formatter I typically use.

Delete an Email Address from the Mailgun Bounce List

If you’ve found an email address you’d like to remove from the Mailgun bounce list, or already know the email you want to remove, do this from a terminal and replace [email protected] with the real email address to delete. And of course, replace key-xxx-xxx with your actual Mailgun API key:

curl -s --user 'api:key-xxx-xxx' -H "Accept: application/json" -X DELETE https://api.mailgun.net/v3/mg.longrendev.io/bounces/[email protected]

Add an Email Address to the Mailgun Bounce List

Sometimes you may wish to manually add an email address to the Mailgun bounce list. This can be done very easily with the curl command below. It will add [email protected] to the Mailgun bounce list, so make sure to change that to the email you really want to add to the list.

curl -s --user 'api:key-xxx-xxx' https://api.mailgun.net/v3/mg.longrendev.io/bounces -F address='[email protected]'
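
The commands above pass the API key as a curl argument, where it ends up in shell history and is visible to other local users in the process list. The script below is an added example, not code from the original post: it hands the credentials to curl on stdin with -K -, percent-encodes the address used in the DELETE path, and formats the JSON locally instead of pasting recipient data into a website. MAILGUN_API_KEY, MAILGUN_DOMAIN and the mg_* function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): Mailgun bounce-list helpers
# that keep the API key out of argv. MAILGUN_API_KEY and MAILGUN_DOMAIN are
# assumed environment variables; the mg_* names are hypothetical.

MG_BASE="https://api.mailgun.net/v3"

# Percent-encode an ASCII string for use as a single URL path segment, so
# characters such as +, / or ? in an address cannot alter the request path.
mg_urlencode() (
  LC_ALL=C
  s=$1
  out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    s=$rest
    case "$c" in
      [a-zA-Z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
)

# Emit a curl config line carrying the credentials. printf is a shell
# builtin, so the key never appears in another process's argument list.
mg_curl_config() {
  [ -n "${MAILGUN_API_KEY:-}" ] || { echo "MAILGUN_API_KEY is not set" >&2; return 1; }
  printf 'user = "api:%s"\n' "$MAILGUN_API_KEY"
}

# Build the bounces URL; with an argument, the URL of that one address.
mg_bounce_url() {
  [ -n "${MAILGUN_DOMAIN:-}" ] || { echo "MAILGUN_DOMAIN is not set" >&2; return 1; }
  if [ -n "${1:-}" ]; then
    printf '%s/%s/bounces/%s' "$MG_BASE" "$MAILGUN_DOMAIN" "$(mg_urlencode "$1")"
  else
    printf '%s/%s/bounces' "$MG_BASE" "$MAILGUN_DOMAIN"
  fi
}

# mg_api METHOD URL [extra curl args...]; credentials arrive via "-K -".
mg_api() {
  method=$1 url=$2
  shift 2
  cfg=$(mg_curl_config) || return 1
  printf '%s\n' "$cfg" | curl -sS --fail -K - -X "$method" "$@" "$url"
}

# Show (pretty-printed locally), delete and add, mirroring the three commands.
mg_list_bounces()  { mg_api GET "$(mg_bounce_url)" | python3 -m json.tool; }
mg_delete_bounce() { mg_api DELETE "$(mg_bounce_url "$1")"; }
# --form-string sends the value literally (no @file or <file handling).
mg_add_bounce()    { mg_api POST "$(mg_bounce_url)" --form-string "address=$1"; }
```

Source the file, export the two variables once per session, then call mg_list_bounces, mg_delete_bounce ADDRESS or mg_add_bounce ADDRESS.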

What Else?

Not much concerning Mailgun bounce lists specifically. It’s possible to add multiple addresses to a bounce list at once, but that gets a little more difficult from the terminal as it requires sending JSON to the Mailgun API. Using a client like Postman would be a better option if you intend on sending much data.

The Mailgun API can be used to do all sorts of stuff, like pull stats and to create new domains. It’s a powerful API and one of my favorites to work with.

How do you prefer to send emails from your websites?


Giving Cloudbric A Try, But I Still Love Cloudflare

Going to try Cloudbric here for a while to see how exactly it compares to Cloudflare

Longren.io will be unavailable for possibly up to 48 hours. As soon as I’ve published this post, I’ll be updating my nameservers to point to Cloudbric. It almost feels like cheating on Cloudflare; they’ve been very good to me.

I’ve been using Cloudflare for quite a while, nearly since it became available to the public. I love them and all the services they provide, especially with a Pro (or Enterprise) account. Cloudflare costs money though (if you want certain added protections), and many smaller websites don’t use a lot of bandwidth and aren’t provided the protections they should receive with Cloudflare.

Cloudbric aims to solve that by providing all the features Cloudflare provides (from what I’ve been told at least) for free as long as your site doesn’t use more than 4GB of bandwidth per month. I only have a few Pro sites with Cloudflare (longren.io being one of them), but am trying to cut back on the number of online services I pay for monthly, so this makes sense on a financial level if nothing else.

I’d never heard of Cloudbric until they got in touch with me via direct message on Twitter and introduced me to their services. They appear to provide everything that Cloudflare’s Enterprise service provides. I’m glad they saw one of my tweets praising Cloudflare and decided to get in touch.

Cloudbric has been around for a while (15 years or so I believe) and I talked to one of their reps quite a bit about how what they provide is better than Cloudflare (other than the usage based cost, of course).

Here’s what he said:

1. Unlike other website protection services including Cloudflare, Cloudbric provides full-coverage website protection. Even though Web Application Firewall (WAF) and DDoS Protection features are crucial for website protection, these options cost at least $200/month from Cloudflare. Cloudflare’s free plan does not protect web application layer 3, 4, and 7, which makes it pointless.

2. Our usage-based plan, rather than options plan, allows even free users to enjoy the most comprehensive security service. There are no charges for extra add-ons or features for more security. Users can enjoy all the features for FREE up to 4GB of traffic monthly.

Here’s a handy table from the Cloudbric website showing a feature comparison with similar providers like Cloudflare, Sitelock, and Incapsula.

| FEATURES | Cloudbric | Incapsula | SiteLock | Cloudflare |
|---|---|---|---|---|
| Advanced DDoS Protection (Layer 3, 4, 7) | FREE | $299/mo | Enterprise | $200/mo |
| PCI-Certified Web Application Firewall (WAF) | FREE | $59/mo | $299/mo | $20/mo |
| Global Content Delivery Network | FREE | $19/mo | $99/mo | $20/mo |
| Web Optimization | FREE | $19/mo | $99/mo | $200/mo |
| OWASP Core Rule Set | FREE | $59/mo | $99/mo | $20/mo |
| Reputation-based Threat Protection | FREE | $59/mo | $299/mo | FREE |
| Board Spam Protection | FREE | $59/mo | X | X |
| Block Visitors by IP or country | FREE | $59/mo | X | FREE |
| Login Protection | FREE | $59/mo | X | X |
| SSL Support | FREE | $19/mo | FREE | FREE |

Figured I’d try it out on this site as it gets the most traffic out of my personal sites, and if everything’s cool, I’ll eventually be moving all clients over to Cloudbric. Just wish they had a way to import existing DNS records; some of my domain names have at least 50 sub-domains.

Longren.io subscribers will get this post via email, but longren.io could be down for up to 48 hours while stuff updates. I’ll update this post or maybe write a new one after I’ve used Cloudbric for a few days. You should at least check them out, especially if you’re using Cloudflare for a site that doesn’t get enough traffic to make it worth paying for.

I really don’t want to leave Cloudflare, but if Cloudbric stacks up, I’m afraid I’ll have to.

Update: After updating nameservers for longren.io to Cloudbric, an SSL issue was found. I went back to Cloudflare immediately, and within about an hour Cloudbric’s engineering team had a solution worked out. It sounds like they’ll be rolling the fix out on Monday June 29. So until then, longren.io will be on Cloudflare. I’ll post info about the issue in detail after Cloudbric has officially announced it or made the fix active.

Keybase.io: PGP For Beginners, With Invites

PGP for Beginners: A Simple Web Interface to PGP

Keybase.io is quite simple, basically a web interface and command line client that makes PGP more user-friendly. At the same time, it makes it easy to get someone’s public key, and know it’s the correct key.

Keybase.io allows you to encrypt, decrypt, sign, and verify messages to other keybase.io users. The Keybase.io homepage has an excellent description on the inner workings and how to make use of the command line client.

You can find me on Keybase.io at https://keybase.io/tlongren/.

I like how the purpose of the Keybase.io website, as opposed to the command line client, is described:

Keybase.io is also a Keybase client, however certain crypto actions (signing and decrypting) are limited to users who store client-encrypted copies of their private keys on the server, an optional feature we didn’t mention above.

On the website, all crypto is performed in JavaScript, in your browser. Some people have strong feelings about this, for good reason.

Keybase.io has its issues, though. Liz Denys makes very good points in her Refusing To Verify Myself post.

And back in March 2014, Evan Johnson discovered a very serious vulnerability in Keybase.io. You can read more about it, along with examples and why it was so major, in his blog post.

There’s still serious debate that’s somewhat related to Evan’s discovery. An issue on GitHub is still open while the Keybase.io folks consider their options and best course of action.

Everything has its flaws, though. So for me, Keybase.io is an easy way for me to communicate securely with those I need to do so with. I’ll likely continue using it, but need more people I communicate with frequently to be members.

Invites

I do have invites for Keybase.io. I’ll only send them to people I know. If you’re a regular here, a client of mine, or an old online friend, you qualify. Real world friends and family obviously qualify.

Just ask in the comments below.

Using Gmail SMTP Servers to Send Email From WordPress on DigitalOcean

Use Gmail SMTP Servers for Sending Emails from WordPress

After quite a bit of back and forth between sendmail, postfix, and exim, I’ve settled on using msmtp for sending emails from my servers/droplets at DigitalOcean (affiliate link).

MSMTP is very lightweight and has the ability to send emails via an existing SMTP server, like Gmail’s or Yahoo’s.

To get it working, there are a few tricks. I’ve pieced this together from this post and this post. And when on DigitalOcean, there’s an IPv6 issue that causes major delays in sending the email, which there’s a fix for at the end of this post.

1. Install msmtp

sudo apt-get install msmtp

2. Configure msmtp to use Gmail

Open up /etc/msmtprc as root: sudo nano /etc/msmtprc, and add the following, removing whatever else is there:

# Gmail/Google Apps
account        gmail
host           smtp.gmail.com
port           587
from           [email protected]
user           [email protected]
password       enter-password-here!
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

# Default account to use
account default : gmail

You’ll want to replace the user directive with a valid Gmail email address; a Gmail account or a Google Apps email address will work, too. Don’t forget to change enter-password-here! to the actual password for the Gmail account you’re using.

Save /etc/msmtprc.

3. Remove Sendmail

Run this:

sudo apt-get remove sendmail-bin

4. Setup Some Aliases

Lots of software on Linux systems calls the sendmail command. Since we’re using msmtp instead, these symlinks make the sendmail command invoke msmtp.

sudo ln -s /usr/bin/msmtp /usr/sbin/sendmail
sudo ln -s /usr/bin/msmtp /usr/bin/sendmail
sudo ln -s /usr/bin/msmtp /usr/lib/sendmail

5. Tell PHP About msmtp

First, locate your php.ini file that’s being used by Apache. It’s typically in /etc/php5/apache2/php.ini. If that’s not it, use PHP’s phpinfo() function to find the location of your php.ini file.

Find sendmail_path = in php.ini and replace it with this:

sendmail_path = "/usr/bin/msmtp -t"

Now you should be able to send mail using PHP’s mail() function, which will use the Gmail SMTP server to send emails. Add this to a PHP file and access it through your browser to see if it works:

<?php
// Send a test message through msmtp via PHP's mail() function.
if (mail("[email protected]", "A Subject Here", "Hi there,\nThis email was sent using PHP's mail function.")) {
    print "Email successfully sent";
} else {
    print "An error occurred";
}
?>

6. Disable IPv6 If You Experience Slowness

Open up /etc/gai.conf like so:

sudo nano /etc/gai.conf

Now, look for a line that looks like this: #precedence ::ffff:0:0/96 100. Uncomment that line (remove the #) and save /etc/gai.conf. An explanation of why this helps can be found in this comment at the DigitalOcean article.

All Done

That should be it. If you run into any issues please do leave a comment, I’ll do my best to help you out. I may have missed a part, so no guarantees this will work for you. It does however work wonderfully on a DigitalOcean droplet that’s running Ubuntu 14.04 with a pretty standard LAMP stack.

You should now be able to send email from WordPress on DigitalOcean.
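
The /etc/msmtprc from step 2 holds the account password in clear text, so it is worth checking how the file is stored and that TLS stays on. The script below is an added example, not part of the original post: it flags a plaintext password line, a world-readable file, and disabled TLS or certificate checks. msmtprc_audit and msmtprc_demo are hypothetical names and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag risky settings in an
# msmtp config such as /etc/msmtprc. Function names are hypothetical.

# Prints one finding per line; exit status 0 = clean, 1 = findings, 2 = error.
msmtprc_audit() (
  file=$1
  findings=0
  report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

  [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }

  # A literal `password` line keeps the SMTP secret in clear text
  # (msmtp's `passwordeval` directive fetches it from a command instead).
  if grep -Eq '^[[:space:]]*password[[:space:]]' "$file"; then
    report "plaintext-password"
    # With a secret inside, no "other" read bit should be set on the file.
    if [ -n "$(find "$file" -prune -perm -004 -print)" ]; then
      report "world-readable"
    fi
  fi

  # Credentials must only travel over TLS with certificate verification.
  if grep -Eq '^[[:space:]]*tls[[:space:]]+off' "$file" ||
     ! grep -Eq '^[[:space:]]*tls[[:space:]]+on' "$file"; then
    report "tls-not-enforced"
  fi
  if grep -Eq '^[[:space:]]*tls_certcheck[[:space:]]+off' "$file"; then
    report "certcheck-disabled"
  fi

  [ "$findings" -eq 0 ]
)

# Constructed sample mirroring the config in step 2 (placeholder values),
# written with mode 644 the way an editor run under sudo typically leaves it.
msmtprc_demo() (
  tmp=$(mktemp) || exit 2
  trap 'rm -f "$tmp"' EXIT
  cat > "$tmp" <<'EOF'
# Gmail/Google Apps
account        gmail
host           smtp.gmail.com
port           587
user           someone@example.com
password       enter-password-here!
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default : gmail
EOF
  chmod 644 "$tmp"
  msmtprc_audit "$tmp"
)
```

PHP runs msmtp as the web server user, so that user still needs read access to the file; grant it through ownership or group rather than world-readable permissions.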

Protecting Yourself When Using BitTorrent, And The New Put.io

Stop receiving copyright infringement notices from your ISP because of BitTorrent

I like BitTorrent a LOT. I’ve used it since its release around 2001 or 2002. Recently, however, it’s become more risky to download torrents from your home internet connection.

Disclaimer: I am absolutely not condoning downloading copyrighted material, of any kind. This is aimed at giving casual BitTorrent users some things to consider and nothing more.

A number of my friends have received copyright infringement notices from their ISPs for downloading a movie, music album, or any copyrighted material, for that matter. Most ISPs will terminate your service if you continue to infringe.

When you download a torrent to your computer, and you aren’t using a VPN, your IP address will be reported to the BitTorrent tracker (that’s just how BitTorrent works). Various groups (including anti-piracy groups) can gather IP addresses of people downloading any given torrent, so having your ISP-provided IP show up there could result in you receiving a copyright infringement notice.

That’s where having a VPN comes into play. If you’re connected to a VPN while downloading a torrent on your computer, the IP address of the VPN server will be reported to the BitTorrent tracker, instead of your ISP provided IP.


Protection Methods

You have a few options that offer various levels of protection, depending on how much money you want to spend, or how paranoid you are. 🙂 Three pretty simple options are detailed below. These methods aren’t guaranteed to keep you safe, but should be sufficient for most “casual” pirates. You’re still at risk using these methods, so please read the clarification on protection part at the end of this post.

Option 1. Use a VPS for a personal VPN (aka: Poor Man’s VPN)

I’ve referred to this as a poor man’s VPN in the past. Basically, get a VPS from a hosting company, like DigitalOcean (referral link). You can get a VPS from DigitalOcean for just $5/month.

Once you have the VPS, just follow the steps I outlined in my Poor Man’s VPN post and you’ll be all set.

Option 2. Get a Paid VPN

A good way to hide the IP provided by your ISP is to use a VPN. There are many paid VPN services available, like IPVanish and ExpressVPN. I know a few folks who use IPVanish and are very happy with the service.

Option 3. Use Put.io

I’ve been using Put.io for around a year now and will never go back to running a BitTorrent client on any of my machines. Put.io is a cloud-based BitTorrent client, plus much more.

Put.io was a no-brainer for me, as it’d free me of the need to download files directly to my computer. The unofficial Put.io Android app from Steven Schoen supports streaming to Chromecast, which sealed the deal for me.

That means I can stream videos straight from Put.io to my Chromecast, without the need to ever download them to my computer. I’ve often explained it to friends as a sort of personal Netflix.

Put.io also has a feature that will download your torrent immediately. If another Put.io user has already downloaded the torrent you’re downloading, the files will be copied to your account, so you never even connect to the BitTorrent tracker to download data. It’s pretty awesome.

Another benefit of Put.io is that it frees up your home internet connection bandwidth, all the downloading and seeding is done on the Put.io network. This means you’d no longer have to waste your bandwidth to seed the torrents you’ve downloaded. This is a major factor for some people, especially those who don’t have very fast upload speeds at home (like me).

There’s also a pretty active group of third-party developers who make various apps and extensions for Put.io. Steven Schoen is one such example. He’s been updating his Put.io Android client quite frequently, and recently implemented Google’s Material Design into the app. And it looks amazing.

I’m surprised that Put.io hasn’t tried to hire Steven Schoen to bring his app under the Put.io umbrella, making it an official Android client. Maybe they have, who knows.

A couple screenshots from the Put.io Android app are below.

So, which method should I use?

If you have a Chromecast and an Android device, I’d suggest using Put.io. It’s a nice all-in-one solution, and plans start at only $9.99 a month, which gets you 50GB of storage. I have yet to find a Put.io iOS client that has Chromecast support, however there are Put.io clients for iOS, just not with Chromecast support.

Even if you don’t have a Chromecast, or don’t have the ability to stream from a Put.io client to a Chromecast, you can still benefit from Put.io. After a torrent is finished downloading in Put.io, you can download the files from Put.io to your computer. Just like downloading a file from your Dropbox account using the Dropbox website.

If you want to download torrents to your computer using a more conventional BitTorrent client, like Transmission, I’d advise using a VPN. A paid VPN or the Poor Man’s VPN setup will work.

Most paid VPN services have multiple VPN servers that you can connect to, so the IP being reported to the BitTorrent tracker can be changed pretty easily, just by connecting to a different VPN server. IPVanish has plans starting at $10/month and have hundreds of servers located around the world.

If you went the Poor Man’s VPN route, changing your IP would be slightly more difficult because your VPS would likely have a static IP. But it’s still not your IP from your ISP. The BitTorrent tracker would see the IP address of your VPS instead of the IP provided by your ISP, giving you some level of protection. There’s still the possibility that a copyright holder could send a copyright infringement notice to your VPS host. Worst case there is you’d lose your VPS, which is far better than having your ISP terminate your internet service.

Just some things to take into consideration before you decide what the best solution is for you.

My Recommendation

Use Put.io.

Especially if you have an Android device and a Chromecast. Even if you don’t have a Chromecast or Android device to stream to the Chromecast, you can still download the files from Put.io to your computer.

Put.io is a bit more expensive than the other options, but is well worth it in my opinion. Put.io offers 4 plans:

  • 50GB of storage for $9.99 a month
  • 200GB of storage for $19.99 a month
  • 500GB for $29.99 a month
  • 1000GB for $49.99 a month

A Quick Poll

Do you use any method to obscure your IP from BitTorrent trackers?


Now, On To The New Put.io

A couple months ago, Put.io released a new interface to their website, which also implements aspects of Google Material Design. The new interface is still being built and tested, but can be previewed at http://soon.put.io/.

Here’s a screenshot of the new Put.io interface (it’s the featured image for this post, too).

And here’s a screenshot of the old Put.io interface, which is still the default.

The new interface is much easier to use than the old. It makes extensive use of AJAX, which makes for a much nicer user experience as far as not having to wait for a new page to load. It’s also much more visually appealing.

The new interface and the Put.io Android client from Steven Schoen look very similar to each other, providing a consistent look across the put.io website and the Android client. Not really important for functionality, but it’s nice to have a consistent look across the board for a specific service.

End

This post covered a lot of material and was written without much revising. If I’ve gotten something wrong, I’d really appreciate you letting me know.

If anyone knows of a Put.io client for iOS that supports Chromecast, please let me know! I’m an Android guy but my daughter has an iPad mini, and I’d love if she could cast from a Put.io client on her iPad to the Chromecast.

Comments are open if you have any questions or anything else to add.

Clarification on Protection

The protection methods listed aren’t foolproof, something I thought was quite obvious. All methods listed can lead to your IP address being discovered, but they all add an additional step that law enforcement must do to find your IP. Some scenarios that would result in your IP address being discovered are covered below.

Scenario 1. A law enforcement agency could demand user information from a VPN provider, which would reveal your identity if the VPN provider complied. Same deal with the Poor Man’s VPN solution. Law enforcement could request information from your VPS host, and if your VPS host complied, your identity would be revealed.

Scenario 2. A law enforcement agency could demand user info from Put.io, which would also reveal your identity, provided Put.io complies with the request. Put.io says they respect the privacy of their users, but there’s still absolutely no way to prove that they wouldn’t hand over user information if it was requested. However, I tend to trust Put.io more than most companies, simply because they’re not based in the United States and the owner is a genuinely good guy.

In both scenarios listed above, your home IP would be revealed. But why not make law enforcement jump through some hoops to get your IP? Instead of just handing it to them like you do when downloading a torrent from a public tracker without using a VPN.

If you’re uploading new movies to public trackers or are downloading massive amounts (think terabytes a month) of copyrighted material, none of the protection options I’ve outlined will offer you enough protection. Those of you who would draw the attention of anti-piracy groups who would get law enforcement involved should be able to figure out better ways to protect your identity. And that’s not something I care to cover.