Author Archives: dheep

Replacing the Evap Purge Valve on a 2019 Ford Fiesta ST (US)

My Fiesta has been doing that stuttering/hesitation thing after a fill-up (and a few times well after my last fill-up).  The internets say that this is likely due to a bad evap purge valve.  The valve itself is a $30 part, but the valve is installed semi-permanently with what appears to be some kind of heat-shrunk tubing, so you have 3 options for replacement:

  1. Heat the tubing up and attempt to pull the valve off.  I tried this after the fact with no luck, but not much effort either.
  2. Cut the tubing off and use 3/8″ ID rubber hose and 2 hose clamps to connect the new valve.  This seems like a janky fix to me.
  3. Replace the entire evap purge valve assembly (solenoid valve + tubing + check valve + fittings)

I opted for option 3 despite many YouTube videos advising that one of the connections is a PITA to access.  I believe those videos are for older versions of the FiST, because changing the evap purge valve assembly on my 2019 was super easy.  So…here’s the process:


  • Buy the replacement part (F2BZ-9C047-C).  I paid $96 online right as of 2 weeks ago.
  • Remove the engine cover by carefully pulling each anchor straight up.
  • Remove the intake hose by loosening the 2 hose clamps (green arrows) and these 2 fittings (orange arrows).  You might find it easier to remove the downstream hose clamp if you remove the fitting marked with the blue arrow.  This fitting is removed by squeezing it at the ribbed part then pulling it straight off.
  • Disconnect the old assembly near the front of the car (see red arrow from previous image).  This is also removed by squeezing at the ribbed part then pulling straight off.
  • Disconnect the old assembly near the rear of the engine bay.  My pic of this sucks, so you’ll need to feel/look around until you see the fitting with the green clip (which should match your replacement part).  Sliding the green clip back will allow you to pull the fitting off of the tube it’s mounted to.
  • Disconnect electrical connector from the valve and pull the valve off of its mount.  Sorry, no pic, but this is an easy one.  Then snake the entire assembly out of the engine bay.  Installation is the reverse.

FYI…I decided to test the valve by blowing into one end while intermittently applying 12VDC to the solenoid valve leads, and it appears that the old valve is working just fine…so shit, this might not be the issue.  And running an OBDII scan shows no DTCs, so, well, I don’t know if this was a waste of $96 and half an hour of my time.  To be continued…

DMARC compliance for Office 365 Mail and SiteGround-hosted WordPress

Anticipating Gmail’s new requirements for email senders that are rolling out in February 2024, I started working on getting my 11 email-sending domains in compliance.  I quickly realized that most DMARC compliance guides are written for IT pros, which I am not.  After a few months of working on this project, I finally am happy with the state of my domains and I’d like to share what I’ve learned with those of you who are similarly pretending to be an IT professional.

This guide is most useful if you use…

  • Office365 for your email – I’m a big fan of Office 365 for email…great support, intuitive to use, and keeps you out of the Google ecosystem (but iOS doesn’t always play nicely with it).
  • SiteGround to host your WordPress websites – I’m a HUGE fan of SiteGround.  Once you get out of their intro period, they are pretty dang expensive, but worth every penny if you don’t have the time to deal with bullshit.  I’ve used at least a dozen hosts over the last 20 years, and SiteGround has not disappointed me once since I started with them in 2016.  Uptime is fantastic, their console is easy to use, and their support is absolutely top-notch.

But first, some basics (from a layperson’s perspective).  Email authentication determines whether emails from your domain are from legitimate senders.  Otherwise, anyone is able to send fake emails from your domain.  The scheme relies on 3 different mechanisms:

  • SPF (Sender Policy Framework) – on a high level, this mechanism tells the world which email servers are permitted to send emails on behalf of your domain.  This information is conveyed to recipient email servers via your SPF record, which is saved as a TXT entry in your DNS records.  This is great, but unfortunately, because of the way forwarding works (the forwarding server’s IP address is not in your SPF record), an email forwarded from your domain to someone else’s domain (or vice versa) will show up as non-compliant with SPF.
  • DKIM (DomainKeys Identified Mail) – this mechanism includes a digital signature with every email you send, and recipient email servers use a public key to confirm the digital signature is correct.  The public key is stored as either a CNAME or TXT DNS record.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) – this mechanism relies on the recipient email server to check if either SPF or DKIM passes.  If both fail, then your DMARC record will advise on what to do–either reject, quarantine (i.e. put it in someone’s spam box), or nothing (let the email through).  The DMARC record also tells recipient email servers whether or not, as well as where, to send reports about how they’ve handled email from your domain.  There are two types of reports:
    • RUA (aggregate reports) – these are summaries sent at some interval (typically once a day) about emails received
    • RUF (forensic reports) – these are details sent for each email received.  Apparently, most email servers will not send RUF even if you request them.

Configuring your IT infrastructure so that your emails are in compliance will help to ensure that your domain’s “reputation” will be high, saving your emails from ending up in your recipients’ junk mailboxes.
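As an added illustration (not part of the original post), here is the decision a receiving server makes when it combines SPF, DKIM and alignment into a DMARC verdict, including the forwarding case mentioned under SPF above.  The domains and results are constructed; the alignment helper assumes plain two-label domains rather than consulting the Public Suffix List.

```python
"""DMARC evaluation walk-through (added example; not from the post)."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Relaxed alignment compares organizational domains.  A real receiver uses
    # the Public Suffix List; this assumption-laden helper handles only two-label TLDs.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str       # RFC5322.From domain, what the recipient sees
    mail_from_domain: str  # RFC5321.MailFrom / return-path domain, what SPF checks
    spf_result: str        # "pass" or "fail" for the connecting IP
    dkim_domain: str       # d= tag of the DKIM signature, "" if unsigned
    dkim_result: str       # "pass", "fail" or "none"


def dmarc_verdict(msg: Message, policy: str = "none") -> dict:
    """Return the DMARC result and the disposition the published policy requests."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain)
    passed = spf_ok or dkim_ok  # DMARC needs only one *aligned* pass
    requested = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "deliver" if passed else requested,
    }


# Constructed scenarios for a domain called example.com
DIRECT = Message("example.com", "example.com", "pass", "example.com", "pass")
# Forwarded: the forwarder's IP is not in example.com's SPF record, so SPF fails,
# but the DKIM signature survives forwarding and still aligns, so DMARC passes.
FORWARDED = Message("example.com", "example.com", "fail", "example.com", "pass")
# Spoofed: the sender's own return-path domain passes SPF, but it does not align
# with the From header, and there is no signature for example.com.
SPOOFED = Message("example.com", "spammer.example", "pass", "", "none")

if __name__ == "__main__":
    for name, m in (("direct", DIRECT), ("forwarded", FORWARDED), ("spoofed", SPOOFED)):
        print(name, dmarc_verdict(m, "quarantine"))
```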

So…let’s get started on getting you in compliance.  First you’ll need the following:

  1. Access to your Office 365 portal (https://admin.microsoft.com)
  2. Access to your DNS provider (for many of you, this will be your domain registrar, e.g. NameSilo, GoDaddy, etc).  I use DNSMadeEasy.  They are easy enough to use.
  3. Access to the user area in the SiteGround portal (https://tools.siteground.com)
  4. Access to the admin area in your WordPress installation (https://yourdomain.com/WhatEverYouNamedYourWordpressInstallationFolder/wp-admin)

Here’s what you need to do:

Set up SMTP Mail on your WordPress site

Your WordPress site sends emails for various reasons–to indicate plugins have been updated, to send you emails when users submit a contact form, etc.  Because a standard WordPress installation uses the PHP mail() function, the emails that your site sends will most likely fail SPF, DKIM, and DMARC.  Let’s set up SMTP mail to fix that.  Here’s how to do that:

  1. In the SiteGround user portal (https://tools.siteground.com), select the domain that you want to configure.  Navigate to Email | Accounts.
  2. Create a new email account and record the account name and password (might I suggest 1Password as your password manager?).  I recommend something like notifications@yourdomain.com.
  3. Click the 3 vertical dots and then click Mail Configuration.  Navigate to the Manual Settings tab of the popup.
  4. Record the information in the popup (incoming/outgoing server, SMTP port).
  5. Now open your WP console and navigate to the Plugins section.
  6. Click on Add New Plugin, and then search for “fluentsmtp”.  Install the plugin from the results titled “FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin”.  I chose FluentSMTP because it’s free and the support is pretty good for a free product.  Activate the plugin after installation.
  7. Now go to Settings | FluentSMTP in the WP Console, and navigate to the Settings tab.
  8. Click [something like] “Add Another Connection”.  Select “Other SMTP”.
  9. Enter the following details:
    1. From email: whatever you set up in SiteGround (e.g. notifications@yourdomain.com)
    2. From name: I recommend “Notification: yourdomain.com”
    3. Click Force From Email, Set the return-path to match the From Email, and Force Sender Name
    4. SMTP Host: get from the SiteGround mail configuration
    5. SMTP Port: 587 (same as from the SiteGround mail configuration)
    6. Encryption: TLS
    7. Use Auto TLS: on
    8. Authentication: on
    9. SMTP username: whatever you setup in SiteGround
    10. SMTP password: whatever you setup in SiteGround
  10. Click “Save Connection Settings”
  11. Now navigate to the Email Test tab and do an email test (from the address you configured at SiteGround, to any email account that you have access to).  Note that the test email might fall into your spam box.
  12. Go back to the Settings tab and set these as you wish, but my preferences are as follows:
    1. Log all emails for Reporting: checked
    2. Delete logs: after 2 years
    3. Default connection: whatever is default
    4. Disable sending all emails: unchecked

Configuring your SPF record

  1. Go to your DNS provider.  In the TXT records section, there should already be an SPF record which you specified when you set up your Office 365 email.  It should look something like this: v=spf1 include:spf.protection.outlook.com -all, which covers emails sent from Office 365.  But since we are now also sending emails from your SiteGround SMTP server, we need to combine it with the SiteGround SPF record (v=spf1 include:_spf.mailspamprotection.com -all) to make this final record for your domain: v=spf1 include:spf.protection.outlook.com include:_spf.mailspamprotection.com -all
  2. Save the updated SPF record.

Configuring your Office 365 DKIM record

  1. Go to https://security.microsoft.com/dkimv2
  2. Click on the domain you want to configure
  3. Record the information in the Publish CNAMEs section in the right flyout window.  This is the Office 365 DKIM info.
  4. Now go to your DNS provider.  In the CNAME records, add the records per the step above (these are examples–be sure to enter the information specific to your domain):

Host Name : selector1._domainkey
Points to address or value: selector1-yourdomain-com._domainkey.yourmaindomain.onmicrosoft.com

Host Name : selector2._domainkey
Points to address or value: selector2-yourdomain-com._domainkey.yourmaindomain.onmicrosoft.com

Now save the record, then go back to https://security.microsoft.com/dkimv2 and in the right flyout window, enable the Sign messages for this domain with DKIM signatures toggle switch.

Configuring your SiteGround DKIM record

Whereas the Office 365 DKIM records are CNAME records in your DNS, SiteGround stores its DKIM key in a TXT DNS record.

  1. Go back to the SiteGround console and navigate to Email | Authentication.  Navigate to the DKIM tab.
  2. Click “copy to clipboard”
  3. If your DNS provider allows you to paste in a zone record, then you can paste your clipboard there (be sure to append to, not overwrite, your existing records!).  If not, add a TXT record named default._domainkey with a TTL of 14400 and a value containing all the text in your clipboard between and including the quotation marks, e.g. "v=DKIM1;k=rsa;p=AVeryLongStringOfRandomCharacters".

Configuring DMARC

Before we implement a DMARC policy (i.e. enforcing either reject or quarantine), you should monitor your RUF/RUA reports for a few weeks/months to see how recipient servers are liking your emails.

Microsoft has partnered with Valimail to offer free DMARC monitoring, but I’ve found their service to be garbage–they give you no specific data–only numbers indicating the percentage of emails that passed/failed SPF, DKIM, and DMARC.  Without knowing the data behind the numbers, all you can do is make changes, see if they result in any improvement in the percentages after you wait for weeks of reports to come in, and continue the “feedback loop”.  It’s like flying an airplane without knowing what the controls do and only getting reports of your altitude every 5 minutes.

So…I’ve been using GlockApps.  Their free tier has unlimited domains and handles up to 10k DMARC messages/month.  There are other free DMARC providers, but none with unlimited domains.  Here’s how to configure their service:

  1. Setup an account at https://app.glockapps.com/signup
  2. Go to the console and navigate to DMARC Analytics | Add Domain.
  3. Enter the domain you want to monitor.
  4. Set your DMARC policy to none
  5. Do not enable “Set a different policy for subdomains” (unless you have subdomains, in which case this guide does not exactly pertain to your situation)
  6. Do not mess with the advanced options.
  7. Click Next
  8. Click the copy to clipboard icon.
  9. Go to your DNS provider’s TXT record editor and add a TXT record with hostname _dmarc and value set to whatever is in your clipboard.
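Before publishing the merged SPF record from the SPF section, the SiteGround DKIM TXT record, and the DMARC record above, it is worth running them through a few sanity checks.  The Python below is an added example, not something from the post, SiteGround, Microsoft or GlockApps; the SPF values are the post’s own, while the DKIM key and the DMARC reporting address are placeholders.

```python
"""Sanity checks for the SPF, DKIM and DMARC TXT records this guide publishes."""
import re

# The post's merged SPF record, plus constructed DKIM and DMARC records.
SPF_MERGED = "v=spf1 include:spf.protection.outlook.com include:_spf.mailspamprotection.com -all"
DKIM_TXT = "v=DKIM1;k=rsa;p=AVeryLongStringOfRandomCharacters"          # placeholder key
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"  # placeholder rua

LOOKUP_MECHANISMS = {"include", "a", "mx", "redirect", "exists"}


def merge_spf(*records: str) -> str:
    """Combine several v=spf1 records into the single record a domain may publish."""
    mechanisms, final = [], "-all"
    for rec in records:
        terms = rec.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in terms[1:]:
            if term.lower().endswith("all"):
                final = term  # keep the last 'all' qualifier seen
            elif term not in mechanisms:
                mechanisms.append(term)
    return " ".join(["v=spf1", *mechanisms, final])


def check_spf(record: str) -> list[str]:
    problems, terms = [], record.split()
    if terms[:1] != ["v=spf1"]:
        problems.append("must start with v=spf1")
    if not terms or not terms[-1].endswith("all"):
        problems.append("should end with an 'all' mechanism (-all or ~all)")
    elif terms[-1] in ("+all", "all"):
        problems.append("+all lets anyone send as you")
    # Each include/a/mx/redirect/exists costs a DNS lookup; more than 10 is a permerror.
    lookups = sum(re.split(r"[:=]", t)[0].lstrip("+-~?") in LOOKUP_MECHANISMS for t in terms[1:])
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10")
    return problems


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' tag lists that both DKIM and DMARC records use."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def check_dkim(record: str) -> list[str]:
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v must be DKIM1")
    if not tags.get("p"):
        problems.append("p= is empty (an empty p revokes the key)")
    return problems


def check_dmarc(record: str) -> list[str]:
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua= address: you will get no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be 0-100")
    return problems
```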

Depending on how much email you and your domain send, it may take a few days for your domain to show up in the GlockApps Domains Overview.  At this point, you’ll want to send several emails from your WordPress site (e.g. send test messages from FluentSMTP as we did above, submit contact forms on your site, etc).  Put on your patience pants.

Check to make sure all is correct

There are a few things you can do to ensure that you’ve configured your email authentication correctly–I recommend doing them all:

  1. Use https://mxtoolbox.com/dmarc.aspx, enter your domain, and click “DMARC Lookup”.  Aside from having a DMARC policy not enabled, you should have all green check marks.
  2. Send emails from Office 365 as well as from the FluentSMTP test email to ping@tools.mxtoolbox.com.  You’ll receive an email response with a detailed deliverability report.
  3. Within GlockApps, there are options for additional tests, but you only get 2 per month, so wait until the previous 2 tools give good results before you use these.

Monitor and adjust

Once all is configured as shown above, you’ll need to monitor the DMARC results in GlockApps.  With any luck, your compliance rate will be 100% and you’ll be ready to implement an actual DMARC policy (reject or quarantine).  You may see some emails failing SPF, which should (I think) correspond to the number of emails in the “Forward” column.  You may be surprised to see some emails in the “Unknown” column–and when you click on those, you may see that spammers all over the world are sending emails on behalf of your domain.  This whole effort that you’ve gone through will ensure that those spammers’ emails never make it to anyone’s inbox–and that your legitimate emails will always get to their intended recipients.

If you see other unknowns, then perhaps you are using another 3rd party email provider (e.g. MailChimp) for mass emails–in which case this guide will need some adjustment.

If you are able to maintain a compliance rate of 100% and/or the only DMARC failures are the spammers for several weeks, then you can modify the p=none part of your DMARC record to p=quarantine (spammers go to junk mail) or p=reject (spammers get rejected).  You can also gradually increase the percentage of emails that will get quarantined or rejected–but if you are hitting 100% compliance, then there’s no need to ease into this (I think).  As of the time of publication, there are a few weeks until Google’s deadline, so I’m going to monitor for a bit longer before implementing the policy.

Well, shit, this turned out way longer and more complicated than I had hoped–but I still hope it helps anyone who’s in the same IT infrastructure boat as me.

Xfinity/Citrix Data Breach

I guess the new standard for companies handling their data breaches is to tell you it happened, tell you what bullshit measures they are taking to not-really rectify the situation, push the burden onto you to mitigate the damage of their fuckup, and not apologize for the fuckup at all.

I’m no data security expert, but it seems to me that the birthdays, SSN digits, and secret questions/answers could have been hashed, and that would have significantly mitigated the potential impact of the breach.

Postmeds Data Breach

I received a letter in the mail today regarding a data breach that occurred between August 30, 2023 and September 1, 2023.  The breach may have included names and prescription information, including possibly the medication type, demographic info, and the prescribing physician.

Did you get this letter and have never heard of Postmeds too?  Well, Postmeds is either now known as or is doing business as TruePill…and if you use Mark Cuban’s Cost Plus Drugs (which I still highly recommend), TruePill is one of two companies contracted by Cost Plus to fill prescriptions.  And now you know how you got exposed.

What is Postmeds doing about the breach?  Improving their security, training their employees in cybersecurity threats, regretting the inconvenience, and otherwise telling us to fuck off.  They couldn’t do us the courtesy of telling us how this information could be used to compromise our security–and how to guard against that–because that would be admitting the potential ramifications of this breach.

And I’m grateful that I’m not on medication for any embarrassing medical conditions.

Blue Shield of CA Contracting out Telemedicine Services to Teladoc, who Employs a Physician Indicted for Telemarketing Medicare Fraud Conspiracy

Well, this is concerning.  A member of my family had a Teladoc appointment with Dr. David Antonio Becerril, who was indicted on “sixteen counts of conspiracy, fraud, and false statements in connection with Dr. Becerril’s participation in a telemarketing health care fraud scheme”.  I’m all about second chances, but I’m not a fan of my healthcare being in the hands of someone who allegedly has a clear preference for money over my health outcomes.  Oh, and the doc fucked up my family member’s prescription too.

Shame on Blue Shield of California for trusting Teladoc, and shame on Teladoc for improperly vetting their healthcare providers.  This is what I get for my $860/month health insurance (after a 20 fuckin percent increase in the upcoming year, after a 15% increase last year).

Bring back button fly jeans

Somehow, button fly jeans are nearly impossible to find these days.  Dear fashion designers, please bring them back–they are the superior option for these reasons:

  • While zipper fly jeans zip up faster than button fly does, button fly jeans come open much faster than zip fly.  Unless you are doing dumb things in life, you need speed getting your jeans off more than you need it getting them on.
  • Button fly jeans preclude the very real possibility of a There’s Something About Mary situation.
  • Button fly jeans have 3 double layers of denim protecting your package.  Zip fly only has 2 double layers.
  • The extra layer of denim gives your package a little extra bulk if you need it.
  • Button fly jeans do not provide an electrically continuous pathway to your frank and beans.
  • Zip fly jeans are put on with top button first, then the zipper—that leads to potentially forgetting step 2 and leaving your fly open.  Button fly jeans are closed bottom to top, so there’s very little likelihood that you’ll need to XYZ PDQ.
  • Button fly jeans rarely open on their own.  The zipper on zip fly jeans often will zip down on their own.
  • Zip fly jeans are much easier to break than button fly.  And if you break a zipper on zip fly jeans, you are in for an expensive repair and your jeans will not close until they are repaired—particularly inconvenient if you are in the middle of an important event.  If you break a buttonhole on button fly jeans, you can still button the rest of the jeans, and the fix can be done quickly and inexpensively with a sewing kit.

Really, the only benefit to zip fly jeans is the ability to light a match on the zipper…which you can do on your teeth, so no benefit here unless you are toothless.

So please bring back the damn button fly jeans already.


Capital One Virtual Cards could be perfect if they weren’t so dumb

Capital One has a nifty feature called virtual cards–these enable you to generate unique credit card numbers, expiration dates, and CVC codes that you can provide on an individual basis to each vendor you transact with (or at least the ones that will accept just a card number–not a physical card–like your online vendors).  You can have one virtual card for Amazon (ugh), another for Uber (ugh vomit), etc.  Each virtual card is associated with an actual physical card.

If Amazon suffers a data breach, then you only have to cancel the virtual card assigned to Amazon–at least that’s the way it should work.  But for some idiotic reason, Capital One will cancel your physical credit card whenever its associated virtual card is compromised–and it seems that you have to fight for them to not cancel all other virtual cards when one virtual card is compromised.

I’m not an IT security expert, but this makes no fuckin sense to me.  I attempted a purchase from a website using a virtual card on Sunday.  Turns out it was a scam site, and that one virtual card number was compromised.  The scammers had access neither to the physical card credentials nor to any of the other virtual cards.  But instead of merely deleting my compromised virtual card, Capital One canceled my physical card, and I can’t use it or any of my virtual cards until the new physical card arrives.

Their own damn website (see link above) promises better:

This is the second time this has happened to me this year–it’s a total waste of time for Capital One customers, a complete waste of time for Capital One employees, and a demonstration of absolutely idiotic policy-making at Capital One.

Proposal: Law of Pushing the Limits

If you are pushing the limits of your rights, you are being an asshole. For example…

  • If you draw cartoons of someone sodomizing someone else’s God, you are within your rights, but you are being an asshole.
  • If you bring an AK-47 to an Applebee’s, you are within your rights (at least in some locations), but you are being an asshole.
  • If your testimony is largely composed of “on the advice of my attorney, I exercise my 5th amendment rights”, you are within your rights, but you are being an asshole.

Don’t be an asshole; respect your rights.