Spotify Luncy

Ever need to update your family plan address with Spotify, or simply enter incorrect information when signing up? Have no fear, they make you jump through hoops.

I tried signing up for a Spotify family plan because I wanted to get rid of Google Music, however I made a simple mistake. After signing up, they have you enter your name and address for the family account, and I accidentally put my wife’s name in there because I thought it was for an invite. I realized this was incorrect afterwards when I noticed that she wasn’t in the list of invitees, so I began searching for a way to fix this. I ran across this support page where they say that you need to contact support, implying that support can change this information.

As it turns out, that’s not the case. You’ll need to create a new account and support needs to migrate your music collection. Because, you know, why have one account when you can have two? Anyway, here’s the resulting conversation.

Spotify, you really need to fix this. Making your customers jump through hoops to do something simple like changing your address should be easy. And don’t give me the TOS BS because it says nothing about having to create a new account — and moving, together, all at the same time, is generally what families do, and you should support that without having to jump through massive hoops.

If you know of any good alternatives to Google Music and Spotify, please let me know. I still want to ditch Google Music because that was the whole point of this to begin with.

P.S. Arvin was nice about this and this is not a complaint about him. This is a complaint about Spotify’s “solution” on the matter.

Fry’s Electronics Bag Policy

Today I tried to go to the Duluth Fry’s Electronics store and was not let in because of my bag. I refused to leave my bag in the car or check it, and thus my only other option was to leave and find somewhere else to shop. I found what I needed at Micro Center, which I highly recommend over Fry’s Electronics. While they have a smaller selection of electronics parts, you won’t be treated like a criminal as soon as you walk in the door.

Update: I received a reply from John McGuffin, District Manager, indicating that the intent of their policy is not to deny people carrying bags from entering the sales floor. See the full reply below my initial email.

Continue reading “Fry’s Electronics Bag Policy”

Goodbye, Mandrill

I received the following email from Mandrill yesterday which unfortunately means that I will have to discontinue my usage of Mandrill for sending and receiving email. Specifically, I am currently using a free Mandrill account as the incoming email provider for Disposamail, and continuing my usage of Mandrill is not worth $20 per month for a paid MailChimp account. I will therefore have to revert to an older version of Disposamail which uses Haraka and update it to match the functionality of the Mandrill version.

I’ve also been wanting to update Disposamail to use Angular and this is a great opportunity to do so.

Update (3/10): Disposamail has been updated to receive and process raw email bodies from an external service such as postfix and no longer relies on Mandrill.

Continue reading “Goodbye, Mandrill”

Birthday Doodle


It appears that Google changes it’s Google Doodle just for you on your birthday, assuming that Google knows what your birthday is. While I like it, the only potential problem I see is that it effectively hides what the “real” doodle is for the day. For instance, today’s actual doodle was the following:


In other words, had I not used an incognito window to see what the doodle actually was for the day, I would have never known about Emmy Noether. Though to be honest, I never really pay attention unless it’s something cool and interactive like PAC-MAN.

Account Locked – Action Needed


For the second time in the last few months, GoDaddy has locked my account and forced a password change “for security purposes”. While I would expect this kind of behavior if someone managed to login to my account in another country or in an area that I’m not normally in, GoDaddy seems to be jumping the gun a little bit and generally being silly about how they’re handling this.

To give a little bit of background, I have two-factor authentication turned on as I do with all of my accounts that support it. If someone did manage to guess my password, I would have received a text message with a verification code; I have not, however, received an unwanted text which means that no one actually guessed my password. Therefore, asking to change my password is a bit premature; it’s as if I were asked to change the locks to my home because someone tried to get in with my neighbor’s key.

In other words, I was asked to change my password because it succeeded in protecting my account. Thanks GoDaddy.

New Beginnings

After almost six years of working at Overgroup I have decided that it is time to move on; not that I dislike any of the work I was doing however it was time to start something new. I started at TalentQuest on Friday which I am very excited about; there are lots of big projects in the queue and lots of decisions that need to be made. One of the great things about this move is that it’s still within walking distance, though I’m opting to take Atlantic Station’s “free ride” bus instead.

I’ll miss everyone that I’ve worked with at Overgroup over the last 6 years, though, as I’ve truly enjoyed working with everyone and consider them all part of my extended family; we’ve been through a lot together.

That said, during my job search I learned a few important lessons:

  • Don’t take the first offer that is thrown at you. Evaluate your options and take some time to think about each one. The good places to work will allow you to take some time to make your decision than ones that are just trying to fill a slot as fast as possible. It’s really a good indicator of the culture you’re going to be a part of.
  • Don’t get your hopes up on any specific opportunity, even if you believe you’d really love it. Getting your hopes up make any other opportunity seem worse if you end up not getting it, even if you were excited about it from the beginning.
  • If anyone is giving you any kind of open test (i.e., there’s not one right answer), ensure you know what they’re looking for going into it that way you don’t get hung up on anything they’re not interested in or anything they don’t want you doing.
  • If during an interview you decide it’s not the place for you, find a way to gracefully end the interview. If it’s not a position you’re interested in then there’s no sense in wasting anyone’s time, including your own.
  • Don’t stop looking or accepting interview requests until you’ve accepted an offer; you never know what is right around the next corner.

Hopefully the next 6 years will be just as good or better than the last.


I released a small project this morning, Disposamail, which I created between last night and this morning. Disposamail is a web application that allows you to grab a temporary email address and use that address while you’re still on the Disposamail website. Once you leave the website, the address is released, the mail server stops accepting mail for the address, and any emails that were received are lost forever.

Disposamail is written in Node.js and uses several third-party modules that provide a lot of the functionality:

  • Haraka – Haraka is an SMTP server with an extensive plugin architecture which ultimately made this entire project possible.
  • – makes sending data between the server and the client easy, using the best method possible.
  • MailParser – Used for parsing raw emails into its various parts.
  • Phonetic – Generates phonetic names for easy to remember email addresses.
  • forever – Making it easy to keep a Node.js script running in the event something bad happens.

The best part of this project, though, is that I’ve released the code under the AGPL. You can checkout the code on GitLab.

Update: Disposamail can now handle attachments!

Verizon Email API Vulnerability

A critical vulnerability has been found in Verizon’s email API which basically allows any user to access any other user’s email, given they know how to properly send the requests to Verizon’s server. Randy Westergren noticed this vulnerability when he was proxying requests from his device (presumably to see what some apps were sending to their motherships) and found his Verizon user id within the request headers. By changing his user id to the user id of another user, the server responded with that user’s information.

This is why you should always sanitize user inputs, and by “sanitize” I don’t necessarily mean preventing things such as SQL injection (though you should do that as well), I mean that you should check any and all input to make sure that the user can actually do the action requested, even if that input came via your own app and wasn’t technically “user input”. Had Verizon properly checked the username against the user’s session, or better yet not even sending the username and just use the user id that is in the user’s session (assuming they’re using some kind of session functionality), then this would have not been an issue. At least they took care of fixing it quickly once the issue was reported to them, which was two days according to the article.

One last thing is that you really shouldn’t be using your ISP-provided email in the first place as you’ll most likely lose this email address when you switch to a new provider. Please, just use something like Gmail instead. Switching to a new ISP shouldn’t be like moving in regards to updating your information literally everywhere.

Email Tracking

In both my personal and professional life I’ve had people ask me how to be able to determine the status of an email, or to use a service that can determine the status of an email. While being able to check what the status of an email is, such as if the email was delivered to the user’s inbox, if the user has read the email, or if a user has clicked a link within the email, all of the methods of doing so produce so many false positives and negatives that it’s really not worth going through the effort to implement such a system. The following are the general methods for checking the status of message as well as their downfalls.


Checking to see if an email was delivered to the mail server is easy, it’s a simple as checking your SMTP logs to see if the mail was delivered to the receiving mail server. It’s not really much harder than that.

The problem with this, however, is that servers may “accept” the mail only to put it in a user’s spam folder, or worse yet drop the email without notification. Dropping email after can happen without notification if the mail server doesn’t check it for spam, etc., until after closing the connection with the sending mail server, and the reason why you won’t get a notification back is to reduce backscatter. As for the spam folder, you can’t really do anything about that other than ensuring your SPF and DKIM records are set appropriately, signing your emails with said DKIM keys, and ensuring that the content of your emails don’t look “spammy”.

The only good notification you may get is a bounce message if the user’s mailbox doesn’t exist, if it’s full, etc., however you’ll normally only get those within the same connection the email is being sent with. If you do happen to get them after closing the connection you should probably contact their administrator as they’re contributing to the backscatter problem.

Read, Click, etc.

You may also want to check if a user has read your email or not, which could be useful in some circumstances. The following are the methods to do so and their downfalls.

Read Receipts

One way to accomplish this is via read receipts. Basically, a read receipt is an email sent via the users mail application when they open an email which is sent back to the sender. The senders email application then links this back to the original email to display a notification to the user indicating that the mail has been read.

While this sounds great, the problem is that this method does not always work. Read receipts can be turned off in the majority of circumstances, and additionally most systems default this setting to off (i.e., it had to be explicitly enabled), or do not even have the capability to do this at all. For instance, Google’s FAQ about read receipts indicates that read receipts are only available on Google Apps accounts if an administrator enables it, and is not available on personal accounts. Additionally, Google’s FAQ states the following:

Do not rely on read receipts for certifying mail delivery. Although read receipts generally work across email systems, you may sometimes get a receipt for an unread message or not get a receipt even though the recipient has read the message.

Remote Images

The next trick is to use a remote image within the email to signal to a server that the email has been read. When the email is opened, the users browser or mail application will load the remote image allowing a server to tell if the email has been read.

The flaw with this method is that most mail applications will not display remote images, and most webmail systems will not display remote images either. Google’s FAQ for Gmail indicates that images may be shown, however that’s only after Google determines them to not be malicious. What this implies is that, while images may be displayed, Google checks the images before ever showing it to the user, and therefore it’s possible the server gets a notification that the user has opened the email when in reality the user never actually opened it.


I’m not even going to go here as including JavaScript within emails is a good way to get yourself blacklisted, and it’s not going to work anyway because most providers will strip any scripts out of the email before displaying it to the user. See the Super User question about this.


You could use links that contain a unique identifier in them, and then when he user clicks on the link, the server would be able to see that unique id and mark the email as read. This is about the only method that may actually work and make sense, however it has some of the same problems as remote images. The mail server could check the links to see if it’s linking to malware or something malicious, and your mail server may treat that as the user clicking on the link if that’s not accounted for.

The problem with this, however, is that if the user got this far, they’re probably on your site doing whatever it is you emailed them about, which you should be able to track already, so it’s kind of pointless short of email marketing campaigns that link to somewhere you do not control.


Email “status” tracking is inaccurate with false positives and negatives all throughout the process. If you understand these limitations and still want to track your users, then by all means go right ahead, just don’t get mad when your numbers are a little off from what you thought they would be. Lastly, if you’re running a third-party mailing service please make sure your users understand this as well.

CyanogenMod 11

CyanogenMod has been working on version 11, KitKat, for almost a year now, and decided that it was probably stable enough to use day-to-day. Therefore, my phone (Samsung Galaxy Note II) got upgraded to CyanogenMod 11 M9 a few days ago.


So far it’s been pretty stable. The only snag I ran into was having to upgrade to TWRP 2.7 or higher due to KitKat’s SELinux requirements, which versions of TWRP prior to 2.7 did not support. See my previous article for information on how to get CyanogenMod on your Note II.