Is there any money left?

The internet, and my part in its downfall

Archive for the ‘Technical’ Category

Experiments with social bookmarking: the beginning

Filed under: Technical,Uncategorized,Website promotion — annabelt @ 9:02 pm

Is Web 2.0 just a load of hype? I have my suspicions that it doesn’t make money, but some aspects do have potential for website owners. Both RSS Feeds and social bookmarking seem promising to me (at least, if it’s Facebook, now that so many people are on Facebook). So I thought I’d give it a go.

I can’t see much potential for it on my Devon businesses directory, as the articles are mostly duplicated RSS stories and press releases. (There’s a bit of off-site anchor text keyword targeting for it though ;) ). My chocolate website has original content, with more potential for social bookmarking, but probably a less nerdy readership (hence the emphasis on Facebook, which seems the most widespread and least nerdy option available).

So I found a selection of plugins from extensions.joomla.org to test out social bookmarking on my Joomla sites. The first plugin didn’t like my PHP version so that went nowhere. The next one seemed great: a ‘Digg’ button appeared at the top and a row of little buttons appeared at the end of my content items, but it didn’t have Facebook. The final one did have Facebook but didn’t appear everywhere I wanted it to. So I’ve still got them both at the moment.

I found a great RSS module from one of the same authors, which offers not only the feeds, but the buttons to add them to aggregators like iGoogle (which I actually use, therefore I think it’s handy and useful!) It did annoy me a bit by causing some code validation errors. So far I have fixed them all, apart from a stray ‘r’ which appears after the embedded CSS, but only when the module is on the right hand side. Huh.

But I am straying from the point again, which is trying out the social bookmarking plugins, not tinkering with the code behind the scenes. So I added a couple of stories to Facebook. I was pleased with one of them, but the other site seemed to provide the home page as well as the story, and more confusingly, it gave the home page meta description instead of the story’s, even after I deleted it. I tried various options with Joomla caching, but didn’t see any difference: strange. Perhaps I’ll try Facebook again later. Meanwhile, I registered with del.icio.us and bookmarked a couple of stories, but can’t really see the point to it yet.

So I’ll be keeping them all for now, and seeing if any of them work out well. I can’t see my sites getting Slashdotted (thank goodness!) but you never know, it might bring in some readers and friends of my visitors :) And I’ll be trying out each of these social bookmarking services myself, so I know what each one is about.

Next step: WordPress social bookmarking plugins for the blog :)

More adventures with Google Adsense: WordPress and Joomla!

Having previously written about the Google Adsense Heatmap, I was keen to try out adsense blocks in more successful locations.

Google Adsense Heatmap: darker colours are ‘hotter’ areas

My first opportunity came with a project of my own to develop a custom Joomla template for a new website about chocolate, ‘I Dream in Chocolate‘.

Website Screenshot showing Adsense positioning

I planned the main Adsense location to take advantage of the areas highlighted in the Google heatmap, and created the Adsense blocks in Joomla using mod_html modules.

I didn’t go for the ‘hottest’ area, which I think is between the main title and content, as I thought this location might be over complicated to manage separately for different content items, and also less nice to look at. The current design adds a kind of white chocolate stripe to the page layout, though it does push the main content down a bit far, especially as I also added a link unit right above the top menu.

By keeping them near the interactive options and menu items, I hoped to take advantage of the visitor’s attention (and mouse) being in that area. At the same time, by using a different style, I have avoided them being actually mistaken for menu items and on site links (which goes against Google’s guidelines).

It does seem to be paying off so far: the following screenshot shows clicks for this new site have already overtaken my more well established site Stairway to Devon, which has the Adsense more out of the way. Bear in mind, many of the page views for the new site will have been caused by me working on it, so it’s actually been more effective than the figures suggest:

Screenshot showing Adsense results for different websites is gone: can’t show the actual numbers – it’s against Google’s rules unfortunately!

Inspired by these more encouraging results, I decided to add some better AdSense locations to this blog while upgrading WordPress at the weekend, following the excellent instructions in this link: ‘Upgrading WordPress‘ and this one: ‘How to add Adsense to your blog’.

Adding AdSense to a WordPress blog involves editing the WordPress PHP template files. I had some odd experiences, with AdSense blocks sometimes not appearing in some locations, or only appearing after several minutes (which I think is a delay on the Google setup end). It also required a lot of fiddling about with the CSS. But eventually I was able to get the following units set up:

  1. Link unit at the top of the screen
  2. Adsense Referral link between the page header and content
  3. Google Search box in the sidebar
  4. 2 Adsense content units in the sidebar: first a small one, then a tall one
  5. Adsense content unit in the top ‘hot spot’, between the content title and paragraph text on the single post pages (which don’t have the sidebar)

While upgrading, I also tried setting up the options to ping WordPress’s list of practically everything, which should promote the blog a bit more widely, so I will be interested to see how these changes all work out.

How I made my website: a Joomla based local directory

It took a village to make this (Devon directory) and it took me several months to complete it.*

I’d been experimenting with Joomla! and Drupal, and one of the first things I found was that Joomla! has several options for purpose built business directory extensions, and Drupal doesn’t have any (at least it didn’t at the time). Joomla also seemed a lot more user friendly. So I went for Joomla.

Avalanche of Spam

Filed under: Security,Spam,Technical,Uncategorized — annabelt @ 6:00 pm

The beginning of August was disrupted for me by an avalanche of Spam.

It started when I checked my email early one evening and found over 30 messages in my Spam folder. I may have been lucky until now, but this was unusually high for me. So I checked the folder and was horrified to discover the dreaded bounced back spam mails were back: every single one was a bounced back spam email that had failed to be delivered and appeared to come from my domain name. (See my earlier post, Email spoofing – Spammers are pretending to be me).

But it was to get much worse.

I moved that first batch to save in a folder in case I needed to investigate them later. When my Spam folder refreshed itself, another 30 emails appeared. I tried refreshing it again, and the number of Spam mails went up to 60. Every time I refreshed my Spam folder another 30 spam mails appeared, and this went on for the next 6 hours until I had over 3000 bounced back spam emails. I dreaded to think how many other spam mails might have got through.

I put the ‘sorry but it’s not my fault’ type spam message back at the top of my home page, expecting fallout throughout the next couple of days, and started testing my SPF record. The SPF instructions are terrible, so not surprisingly it wasn’t quite right. This was annoying in itself, as every time I changed it via my web hosts the change would take at least 6 hours to propagate through the internet. I changed it several times after this until the testing script finally said it was valid.

In between testing my SPF records, I started checking through the spam mail headers to see if any of it could be traced or reported to anyone. I found the most complete headers generally came back from ‘qmail’ programs. I posted every one I could find into ‘Spam Cop’, which traced most of them to a server in Mexico and a couple to other servers as well, so I sent spam reports for all of these. I also reported as many as I could stand to the address that Gmail suggests for this purpose, which is: spam@uce.gov

I continued doing this as more and more of the spam mails came back. The next day I expected a second avalanche of angry responses from real people, but thankfully most of them seemed to either recognise spam without opening it or ignore it: I only had one reply from someone in Australia, saying ‘Please don’t send emails any more’. I felt bad that even one person would think I would send this rubbish.

I must have sent some of it to some kind of email address collectors as well, as I have been receiving a lot more spam myself since then.

Email spoofing – Spammers are pretending to be me

Filed under: Scams,Security,Spam,Technical,Uncategorized — annabelt @ 11:51 am

A couple of days ago I found a lot of bounced emails in my ‘Spam’ folder. On closer inspection, I was alarmed to discover they were all spam that appeared to have been sent from my domain. The return addresses all began with different nonsense usernames like ‘Three_Nasrabi’ before the @ sign, and then ended with my domain name. The contents were various kinds of junk mail.

My home computer has a firewall and virus shield that is updated daily, and my email hosts also check for viruses, so I didn’t think that was the cause of the problem.

My first concern was that someone might have sent them by hijacking scripts on my website. I had recently been working on improvements to overall security, but what if I had made a mistake? I checked my website statistics, and the scripts did not seem to have been accessed more than usual. I deactivated them just in case while I contacted my web hosts.

They replied very quickly, offering to check the headers of any of the spam emails to see where they were coming from. Luckily, some of them had very detailed header information. But unluckily, it showed that the problem was nothing I could fix.

Somebody, somewhere else, had found that my domain name was a valid name, and was inserting it into their email headers as the return address for sending spam. They need to use a genuine domain name to get past the spam filters used by email accounts that receive them. Sometimes they use programs that put words together at random to make possible names and test them. Otherwise they just get a list of genuine domain names in other ways, such as automatically spidering the internet, collecting marketing information lists, and so on.

This is a form of identity theft known as ‘email spoofing’ and there is apparently no way to prevent people from doing this. The best protection currently is to add an ‘SPF’ listing to your DNS TXT record.

Using SPF

SPF stands for ‘Sender Policy Framework’ (here’s its listing in Wikipedia). The SPF record allows you to specify which computers are allowed to send email from your domain name, so that email applications that check this can reject the spoofed email as spam before they even receive the body of the message.

SPF records look approximately like this:

example.org. IN TXT "v=spf1 a mx -all"

Wikipedia explains them quite well. There is more information (though very technical and confusing) at the SPF Project Overview home page and an online tool to help you set them up at: http://old.openspf.org/wizard.html?mydomain=example.com&submit=Go%21
The tool will provide you with the code to add to your DNS TXT record. For the exact formatting, you will need to know whether your hosting uses BIND, Windows DNS or tinydns (djbdns). You will also need to change the DNS TXT record yourself via your hosting control panel or if you can’t access this, ask your web hosts to do it. Be aware that DNS changes can take several hours to work their way through the system.
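
To make the record above concrete, here is an added example (not part of the original post, and not the SPF project's code) of how a receiving mail server evaluates `v=spf1 a mx -all` against the IP address that connects to it. It handles only the a, mx, ip4 and all mechanisms; the DNS data, every domain other than example.org and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (documentation address ranges).
DNS = {
    "example.org": {"txt": "v=spf1 a mx -all", "a": ["192.0.2.10"],
                    "mx": ["mail.example.org"]},
    "mail.example.org": {"a": ["192.0.2.25"]},
    # Constructed typo: "ip:" is not a mechanism, the intended one is "ip4:".
    "broken.example": {"txt": "v=spf1 a ip:192.0.2.0/24 -all", "a": ["192.0.2.10"]},
    "nospf.example": {"a": ["192.0.2.40"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "a", "mx", "ip4"}  # subset handled by this example


def addrs(name, dns):
    """A-record addresses published for a host name."""
    return {ipaddress.ip_address(a) for a in dns.get(name, {}).get("a", [])}


def parse_spf(record):
    """Return (qualifier, mechanism, argument) triples; None if not an SPF record.

    Raises ValueError on a syntax error, checked for the whole record up front.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = body.partition(":")
        if name not in MECHANISMS:
            raise ValueError(f"unsupported or misspelt term: {term!r}")
        if name == "ip4":
            ipaddress.IPv4Network(arg, strict=False)  # ValueError if malformed
        parsed.append((qualifier, name, arg))
    return parsed


def check_spf(sender_ip, domain, dns=DNS):
    """SPF result for a connection from sender_ip claiming to send for domain."""
    try:
        terms = parse_spf(dns.get(domain, {}).get("txt", ""))
    except ValueError:
        return "permerror"       # published record is invalid
    if terms is None:
        return "none"            # no policy published
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in terms:   # first matching mechanism decides
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in addrs(target, dns)
        elif name == "mx":
            matched = any(ip in addrs(mx, dns) for mx in dns.get(target, {}).get("mx", []))
        else:                    # ip4
            matched = ip in ipaddress.IPv4Network(arg, strict=False)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and the record has no "all"
```

A message relayed from an address that is neither the domain's own host nor its mail exchanger evaluates to fail, which is what lets a checking receiver reject the spoofed mail; the misspelt record evaluates to permerror for every sender, so it protects nothing until it validates.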

Having taken immediate steps to establish the cause and protect (as far as possible) against further spamming, I thought I should do the responsible but embarrassing thing and warn my customers. The next day one of them told me their computers had had a virus, so that could have caused a small amount of bounced emails to addresses taken from their address book (fingers crossed).

What else can you do if your email address is being forged by spammers?

It’s important to tell your web hosts, so that at least they know it isn’t you that’s sending the spam. In some cases, if web hosts receive complaints of junk mail spamming, they may deactivate your hosting. In my case, I asked my web hosts to confirm that they wouldn’t be suspending my hosting or email over this, as the spam was not coming from the account itself. They replied, ‘No, unless we get serious complaints regarding it, in which case we will speak to you first.’ – not 100% reassuring, but at least it would give me the chance to make alternative arrangements.

So the next thing to do to protect your hosting (not to mention your personal or business name and reputation!) is to prevent these complaints by publishing information and an apology for any irate spam recipients that come to your website looking for an explanation. I’ve discovered several companies that have done this, and following their examples, I have posted my own page here: ‘Email Spoofing – please read on’, with a link from the start of my home page text as the email spam is so recent.

Click here for lots of useful advice from Risky Thinking: Advice on how to protect yourself from Email Identity Theft.

This white paper from Artic Soft covers more technical information on security and various kinds of spoofing threats.

Useful security tools, downloads and information.

This article from Webtech explains email spoofing in clear and friendly terms.

In rare cases, email spoofing is part of a coordinated deliberate attack of personal revenge or competitive sabotage, known as a ‘Joe Job’ after the first company that was closed down in this way. Here is advice on preventing and coping with a Joe Job.

Having read more about this recently, it appears the problem can become massive. So far, (fingers crossed), there has been nothing here on this scale yet, so I’m hoping the legal actions mentioned may have put spammers off using any domain too intensively, and also that the measures taken may help avoid the worst and keep us out of legal action ourselves.

Click here for a list of Spam lawsuits or legal actions.

Bad data validation: How many digits make a bank account number?

In which Amazon UK Associates have finally paid me – Hooray!

Back in November I applied to be an Amazon Associate, and was lucky enough to make about £20 from the Christmas shopping season.

Later in January I received an earnings report from them, and when I logged into my Amazon Associates account it said they had paid me 2 weeks earlier, but nothing had arrived in my bank account.

I emailed customer support and we went back and forth 3 times with them asking me to check my account again each time in case the payment had turned up. In the meantime, I had figured out what must have happened.

My bank account, which is at one of the biggest banks in the UK, has a seven digit number. Many e-commerce websites apparently assume an eight digit number. In some cases, eg TradeDoubler, the company that owns the website obviously knows about this and either provides instructions or deals with the shorter account number in its own way, but in either case it works. In other cases, such as when signing up for PayPal UK, the data entry form includes data validation that does not allow a ‘non-standard’ account number to get through. The first time this happened, I emailed my bank’s technical support and got a helpful reply telling me to add an extra zero at the beginning of the number, and this has also worked. But the Amazon Associates UK application form just took my number without saying anything, and then 3 months later when it was time to pay me it didn’t work.

So I suggested to customer services that this could have been what happened, and I re-entered my bank account number with an extra zero at the start, and my query was eventually passed to the finance department.

A few weeks later I logged into my Amazon Associates account again and saw they had posted messages telling people about problems with bank account numbers, and that they should update their details if there had been payment problems, and that they would email if a repeat attempt at payment didn’t go through. But I still hadn’t received my payment. So I updated my details again in case that would trigger off some new automated process that they had set up to deal with this sort of thing, and the message went away.

And then it took ages for my bank statement to arrive. Nothing had changed in my Amazon payment record, but when I eventually got my statement I found the payment had gone through on 4th April.

I was massively relieved, because I’ve heard of other big companies that just have a policy of not paying people.

I don’t know what was going on behind the scenes at Amazon UK – their application form obviously had a serious data validation error, and I never heard anything from their finance department, but to be fair their initial customer services people were polite and helpful, they kept their associates informed as a group, and they did get there in the end with the payment. I’d say my faith has been restored – perhaps I’ll go for the aStore after all!

How to put TradeDoubler ads in a WordPress blog

Filed under: Affiliate Marketing,Technical,Uncategorized — annabelt @ 8:00 pm

I am so happy with TradeDoubler! I was having trouble getting their ads into my blog because the WordPress code was stopping their Javascript from working. I’d checked the WordPress help site, and the first thing I found out was that for anything involving Javascript, you need to turn off the default WordPress ‘rich editor’ and use the plain HTML editor instead. This is done by selecting the option ‘Users -> Profile’ and deselecting this box:

Deselecting the visual rich editor in the user profile screen

The WordPress website also advised creating an external javascript file and calling it from the WordPress PHP header template file (these are filed under a directory called ‘themes’). It was quite a trawl through the help site finding out how to do that, and once I’d done it it worked in Firefox but not Internet Explorer.

So I sent this message to TradeDoubler customer support yesterday using their website contact form:

Hi, please can you tell me how I can add adverts to my wordpress blog? I’ve tried adding them in the html editor and they don’t appear at all. I’ve also tried adding them using an external javascript file called in the header template (as wordpress suggest) and they appear in firefox but not internet explorer. Have you got any advice on this please?
Thanks

And today, just a day later, I got this reply, which not only fixed the problem but included a screen capture showing how to do it (code with IDs removed):

Hi Annabel

Thank you for contacting TradeDoubler.

I am afraid I am unfamiliar with the WordPress Blog software. What I can suggest is that when attempting to insert the links into the HTML editor you ensure the ‘Use case prevention’ option is deselected on the ‘Show Code’ page. The ‘Use case prevention’ element of the link is scripted in Java Script and therefore may be causing you problems in the HTML editor. Please see image below detailing how to remove this feature:

Screen capture from TradeDoubler showing cache prevention deselected

If you have anything else I can help you with, please do not hesitate to contact me.

Kind Regards,

Mark Andrews
PUBLISHER EXECUTIVE

1) FAQ – Click here for online support
2) Account Manager Contact Details

So I tried it and it works – it produces a plain HTML link instead of the Javascript, and this can be added using the WordPress HTML editor.
I think they deserve another advert for that:

TradeDoubler advert