Christ Anchored Tabernacle – tools don’t make the man

Just as going out to Home Depot or Lowe’s and buying a chainsaw doesn’t automatically make you a lumberjack, neither does using a blogging tool for your church website automagically make your church website easy to understand and navigate.

As many of you know, I’m a big advocate, in both word and deed, of using blogging systems as a poor-man’s content management system for church and charity websites. So I’m always glad to see it, unless of course the tool is used to produce a site that is somewhat less than usable and/or effective. Such is the case with the Christ Anchored Tabernacle of, I’m guessing, Brooklyn, NY.

The site employs MovableType as a means of displaying and maintaining the church’s website. Unfortunately, even though the webmaster at Christ Anchored has gone to great pains to successfully handle much of the hard-stuff of rendering – the content is less than well placed and in many cases missing some obvious information and usability options.

Let’s start with the <title/> tag by putting in the city and state where the church is located. Search engines love this, so do the people using them. Second, hyperlink the logo in the upper left hand corner of the screen — in this case the graphic metaphor of an anchor — so it takes you back to the homepage. Especially as there is no link back to the home page anywhere on the site; at least none that I could find.

Speaking of finding one’s place, I was unable to find where exactly the church is located. It is only by reading between the lines of the long mission statement / church history that occupies the valuable real-estate above the fold of the home page that I can surmise this church is located in Brooklyn, NY – which makes me want to ask, which subway train do I take and to which stop? And when, as in when do the services occur? Neither of which are answered anywhere on the homepage.

Instead, the home page is built in such a way that you never see any of the new or updated news items when re-visiting the site because you have to hit the page down button three times to get past the mission statement. Instead, I would suggest moving the above the fold-and-then-some paragraphs to the "About Us" page, while renaming the existing About Us page to "What we Believe."

I’d also ditch any text that says "this site best viewed at …" Especially when anyone using MovableType should be able to create fluid two- or three-column layouts using any one of a number of CSS templates and/or template generators out there.

Update: As I was wrapping-up this post, I viewed the Christ Anchored Tabernacle’s “Events” page. Upon clicking on an event of the calendar, then and there did I finally find a location and a time — but if I’ve never visited the site before, how would I know that?

It is clear to me that whoever designed this site is a very talented graphic designer who knows how MovableType works, but one who might now be well served by reading and then applying the common-sense wisdom espoused in Steve Krug’s book “Don’t Make Me Think.” Other than that, I wouldn’t change a thing.

Posted in Uncategorized

Usability and the Harris Teeter’s self-checkout carousel

“Self-service checkout systems have to be flawless. It only takes one bad experience to create an ex-customer” – Gotcha! The Problems With Self-Service Checkout Systems, Baseline.com

Four bottles of Harris Teeter seltzer, slab-o-jarlesberg lite, some rice-cakes, box-o-ZipLoc, I’m ready to check out and head home for a relaxing Sunday evening … that is until I ran into one of them automated, U-Scan, self-service checkout carousel contraptions. I press the “Start Here” icon on the screen and then obediently swipe my Harris Teeter VIC savings card key fob thingie … I carefully remove a 33.8 oz bottle of sodium-free, caffeine-free mandarin orange seltzer so as not to tip the hand basket … which is too large for the surface provided for me at the convenient self-service checkout robot. I swipe … nothing … nothing … nothing.

Clerk walks up and tells me I need to start over again and swipe my key fob again. I look down the aisles and think I might have a better chance with a human … no luck, only 2 lanes and backed-up by other individuals avoiding an interface with frustration.

Back to a different machine to “Start Here,” card swipe, and then again with the bottle – only now my wife is there to make sure the basket doesn’t teeter off the squirrel-sized perch. Nothing happens. My wife tells me I’m not doing it right, but I look at the scanner and I can see that someone with some sloppy milk has fouled the scanner. A different clerk walks-up, yanks the bottle from my hand and holds it over the scanner – waits two seconds, completely still – two seconds later – beep – he walks away without saying a word – his disdainful body language screaming ‘moron.’

I call over to him, “do I have to do this [wait 4 seconds routine] for each item?” He looks at me, then looks down at his command and control console, ignoring me. So like a good monkey, I also hold a bottle over the scanner in stop-action animation style, imitating the clerk’s wordless instructions, and successfully get it to beep after another 5 seconds of my life have been wasted due to a dirty scanner.

Having already tried to get the help of the clerk both in word and with a kind wave, I drop the seltzer into the bag – hoping the thump will finally get the clerk’s attention so he’ll at least give me some Windex and a paper towel to do the dirty work myself – after all, it’s not like Harris Teeter isn’t already paying me to do their work. The clerk briefly gives me an admonishing glance then finds something else important to look at.

More slow-motion scanning until I get to the rice cakes. I scan them, put them in the bag and get “please wait for assistance.” To me it’s clear that the 3.52 OZ of Quaker Rice Snacks didn’t register on the anti-theft scale. Instead, said clerk startles my 5-year-old daughter – putting his hands on her shoulders and asking her not to touch the carousel – which she wasn’t doing. An action towards a defenseless member of my family that might have earned said individual a whole new checkout experience had I not been a peaceable man of God.

I take the rice cakes out and place them in the bag with a bit more velocity than usual. That worked!

Now come the bananas – of course I have to squint at the screen and look for a picture that doesn’t display anything as common as the banana. Instead I have to guess “miscellaneous fruit” out of a choice of 5 or 6 other blurry and overcrowded 150 x 75px collages of tropical delicacies with not-so-descript black labels against a dark green background.

Finally the ZipLocs. I’m almost done but what I didn’t see was that as I was scanning the box, my wife was simultaneously removing the bananas into a second bag. Again, “please wait for assistance,” again the clerk walks over with his arms again aimed at my daughter’s shoulders – she cowers towards mommy until I bellow not to touch her and shoot him an expression I haven’t conveyed since riding on the double-G train through the bad parts of Brooklyn at 3 PM some twenty years ago. The young man sulks away, unsure of why I’m upset.

So what has this got to do with Church websites?

Glad you asked, it all boils down to customer-centric, servant-hearted usability. If your church website forces your readers through a similar set of flaming hoops, then you can expect fewer return visits and emptier pews. For just as I’m inclined to take my shopping business across the street, so too may seekers dissatisfied with your online presence take their gifts and talents elsewhere.

For example, in doing some research I found an interesting pattern. Trade magazines tout these self-service checkouts as time-savers, sometimes quoting happy housewives as they breeze through the checkout line at Jeff Gordon speed. Yet when I add the word usability to my search phrase, I find several articles and comments bagging on the coupon-belching behemoths, along with one post by a clerk whose job it is to “monitor four simultaneous transactions, handling problems, making change, monitoring security, teaching the newbies, helping the eternally clueless …”

Hmmm … so that’s how they perceive me? Perhaps that’s why Harris Teeter has at least for the duration of our transaction hired me, an experienced and hopefully better-paid systems analyst/usability expert to do their job? But I digress. Point #1, don’t treat your users like idiots. They’re usually better trained, better educated and have more of a clue than you think – but even if they’re not, they’re still the ones who put the money in your paycheck … or collection plate.

Along those same lines – work to solve the customer’s problems – don’t tell them yours. The HT clerk had no business touching my daughter, let alone accusing her of something she didn’t do. His job was to facilitate my shopping experience, not make me feel like a moron nor my daughter feel like she was a ‘bad girl.’ Train the people who maintain your church website that the customer comes first – or at least remind them that machines were made to be the servants of men and not the other way around.

Third, keep your equipment (and systems) maintained, clean and in good working order. Yes, I know the real reason we have self-service checkouts is because the one-time cost of $24k + $4k in annual maintenance is still cheaper than hiring someone at $10/hour … it also cuts down drastically on theft; however, there is no excuse for not keeping these machines working in top shape. I don’t mean to cry over spilt milk, but many, if not all, of my frustrations could have been averted with some basic periodic maintenance. At least put a timer on the software that bugs the clerk to check the scanner after several consecutive failed – or overly long – scan attempts.

Fourth, spend some money on usability testing. I didn’t even get into the screens, but there are several stupid ‘split-focus’ things like “Yes/No” buttons top-to-bottom that ask if you have anything under your shopping cart, immediately followed by “Yes/No” buttons left-to-right asking if you have any coupons, followed by a matrix of colored buttons representing about 12 different payment types. Be consistent, in color, in fonts, in layout and in verbiage. Similarly, do some other smart things like not asking me to press “Start Here” and then scan my card. Initiate a shopping transaction as soon as I scan my card. Likewise, after about 7 or 8 times, learn my language preference and default to it.

I could go on along these lines, but I found several other articles that describe the usability issues in far better detail than I have time or space. For example, check out the experience of a usability expert over at ElectronicInk.com who evoked an AMEN out of me when he/she wrote:

“The other day, I had to pick up a few items from the grocery. I was with my 4-year old son, I was in a rush and I thought that I would save a few minutes by using the new computerized self-service check out lines. The experience was nothing like I expected it to be…

…I have enough stress in my life without being made to feel stupid at the checkout line in a grocery store!”

Of course my favorite find was the following snarky comment on the topic at the “Ravings of an Intermittent Fool:”

“I have not used – and WILL not use – a self-checkout aisle, until the stores provide me some sort of incentive (say a 10-15% discount on my entire purchase). My reasoning is that they are making ME do the job of the cashier, but they are still charging the same price as if they were paying a cashier. Until they spread the savings around, I will stubbornly stand in line to have my purchases rung up by a store employee.”

Here are some other interesting articles on the topic:

How about you? Like’m, hate’m, think they’re poorly designed? And would someone please tell me why these machines don’t use the hot-babe voice that came equipped with the computer on the Star Ship Enterprise (yes, I know, shopper demographics .. )?

Posted in Uncategorized

Yo Dawg, McLean Bible Church Busted

You’re not cool enough to Play with us!

IMPORTANT: We’d welcome you to the Mr.Clean Bible Church website but …
Yo dawg! Yu git dis ugly page ’cause yo’puter ain’t pimped-up wid da latest ‘n “plug-in ‘n’ playa” tech. Fool!
Instead, all you’re left with is when and where it all goes down.

Whatever, if you didn’t get the message the first time – you need to download Flash now (fool).
It is free and makes me look really cool.

> After you have successfully installed Flash, please visit www.mcleanbible.org.

Confused? Check out the 42k screen shot of the non-Flash homepage for McLean Bible Church, VA on which this parody is based.

Many individuals living in the ’burbs about D.C. know of, know about, or know someone who goes to the McLean Bible Church (MBC) in McLean, VA. For example, many of my 11th graders who went on to become successful young adults could be found at MBC on a Wednesday night simply because they have a huge, furtive singles ministry – and that’s okay. It’s also not so bad that they’re a bit Willow Creek or Saddleback in their seeker-sensitive, pop-issues approach – in part to reach out to their younger congregation.

So I can understand how a webmaster for such a church might make the mistake in thinking that because so many of the people they see are high-tech, then everyone who either attends or wants to attend has got the latest and greatest in computer equipment, browsers and what-not. After all … isn’t the web just like TV … or at least should it be like TV for such a visually oriented audience?

Not!

Reality check – if your MTV audience wants to experience the latest in multimedia production, then they’re going to watch MTV – not attempt to use a media-rich plug-in to navigate what is essentially a text-based enterprise, namely the church website. Especially if the seeker is someone older, like my mother-in-law who thinks her computer will blow-up if she installs anything new.

And even if you disagree with the MTV-audience assertion, you must at least agree that taking up 3/4 of the space ‘above the fold’ of your web page to make Flash-impaired seekers feel they’re lame is NOT the best use of Flash auto-detection.

Sure, put up a little snippet up in the right hand corner that says something like “see what you’re missing,” perhaps that links to a page that gives them gory details about how and why an information-driven repository needs a graphics-based client … though I can think of one or two other topics on which I might first want to practice evangelism.

Posted in Uncategorized

Pilgrim’s Hope Baptist Church, Memphis, TN

It was just about this time last year that I published a post that has surprisingly attracted quite a few Google hits, a post entitled “The Coolest Church Website, Ever!” Yes, my dear cult members, they call us zombies or mind-numbed robots, but at least our ship will not be seduced by the sirens of contrivance over content. Not so fortunate are those rowing the boat up Styx creek without a paddle at the Pilgrim’s Hope Baptist Church, Memphis, Tennessee.

“Enter by the narrow gate. For the gate is wide and the way is easy that leads to destruction, and those who enter by it are many…” – Matthew 7:13

Where do I even begin with this site other than suggest that even the stock templates that come with FrontPage would be an improvement? Yet perhaps it is precisely the wide and easy path FrontPage offers that has resulted in what is arguably the new poster child for the worst church website ever.

What’s Wrong?
Now keep in mind folks, the object here isn’t to deride the PHBC nor even its webmaster – I’m sure these are good Christian folks who love and worship Jesus just as much as you or I. Rather, the point of this exercise is to collectively learn good church web site design from our mistakes, of which the PHBC offers quite a few. In fact, so many that I’m just going to rattle them off in list form as I find them:

  • The title tag should read the full name of the church and the geographic location so search engines will deliver it when someone new to town looks up the phrase “Baptist Church, Memphis, Tennessee.”
  • The image at the top of the page bearing the church’s name may look all artsy, but it too is search engine hostile. Remind me to write an article on how to use CSS image replacement to get the best of both worlds.
  • The clouds background – yes, I suppose that’s what it looks like from God’s perspective if God were an airplane pilot, but what we really get is a background that makes the text next to near impossible to read.
  • Multi-color fonts with multiple font faces.
  • Everything all centered, all the time.
  • Kitschy gold “welcome”
  • Text so important, that you scroll it to make sure no one can read it.
  • Underlining an entire sentence instead of just the verb or noun in same.
  • A link to a “new site” without using meta tag or javascript redirects.

The ‘New’ Site – wait folks, there’s a New Site
Since they’ve indicated that there is a new site, let’s go there and see … oh … my … goodness. Okay, everything I just listed above, STILL applies, except they got rid of the Kitschy Gold “Welcome.” Instead, they’ve replaced it with a fire-engine red warning that reads:

” WARNING: This site contains Scripturally explicit materials and may prove to be offensive for any who do not believe the Bible to be the only and all-sufficient rule of faith and practice for God’s people. Enter knowing that you may be surprised or even shocked at what God says about such subjects as:”

Ahem … remember folks, it’s not just what you say, but how you say it. The PHBC prefers to shout the above text. We also now have scrolling white text against a white/gray clouds background as if to demonstrate that indeed, compelling content can be made yet even more unreadable – oh wait, it only appears white on white if I use FireFox. Let’s fire up MSIE and see, well list, what happens. Ah, white marquee text against a fire-engine red background, followed by a lime green/bright-red marquee.

All this is followed by 12 multi-colored subjects without the benefit of an ordered list tag — or hyperlinks to said ‘offensive articles.’ Speaking of lists, let’s continue our list from above, which still applies along with the items I list below:

  • An unreadable, unspeakable, hard-to-remember domain name
  • MIDI File? I sure hope that rendition isn’t copyrighted. Actually I would have wished they gave me the option to listen in instead of forcing it on me.
  • Lots and lots of JESUS JUNK in the form of spinning animated gifs. What was it Strong Bad said? Oh yeah, “… But you want as many of those as possible. Especially the rotate-y kind. Those are awesome, man. Nobody gets tired of looking at those.”
  • No “Alt” arguments for images
  • No “Title” arguments for hyperlinks
  • Lots of bold text, All Caps Text So It Sounds Like THEY’RE YELLING ALL THE TIME!
  • Beveled boxes
  • PDF Files
  • A counter
  • More of the same from all of the above

So what to do?
Punt and purchase a template – but only after someone or some group sits down and answers the questions:

  1. Why are we on the web?
  2. How can we use the web to effectively convey our message and mission?
  3. How can we use the web to get seekers in the door?
  4. How can we use the web to get important information to our members?
  5. How can we organize our ministries into an easy to navigate outline?

“Therefore I do not run like a man running aimlessly; I do not fight like a man beating the air.” – I Cor. 9:26

Posted in Uncategorized

Turning Spam Pings into a HoneyPot

As BrownPau reports, the trackback ping spammers have been relentless – expending hours and energy figuring out new ways to waste our bandwidth and to destroy the blogosphere. So pardon me if I offer yet another post and yet another approach in an attempt to encourage these crooks to earn an honest living. This time I’m taking a honeypot approach to any successfully posted trackback ping spam.

The Wikipedia defines a honeypot as:

… a trap set to detect or deflect attempts at unauthorized use of information systems …

The primary value of a honeypot is in the information it provides, which can be used for things such as detection, early warning and prediction, or awareness.

So here is my thinking: even though my .htaccess solutions are turning away hundreds of trackback attempts each day, one or two are sneaking through. That said, I’ve noticed that most of these attempts, successful or otherwise, come from a somewhat finite set of anonymous/open proxies. Yes folks, I’m talking about IP blocking, but not in the conventional sense.

Herding Cats
Now I know blocking IPs is like using vice-grips to contain Jello, but remember, security is about layering counter-measures. So using some IP blocking along with some other techniques I’ve discussed earlier continues to harden this site, hopefully to the point of getting the spammer to go away — or at least go bother someone else.

Similarly, they come in bunches, usually early in the morning, or as in this evening’s case, shortly after the start of the SuperBowl. It is for these same reasons I suspect there will be a spam attack sometime tonight, it being Sunday night.

IP Mining
A few nights back, when my site got hammered, I decided to clean my blog by directly manipulating the database — in this case using phpMyAdmin. My first thought was to generate the names of the offending referrers so I could amend my .htaccess file, using the following rather inefficient but gets-the-job-done SQL query:

SELECT DISTINCT x.tbping_blog_name
FROM mt_tbping AS x, mt_tbping AS y
WHERE x.tbping_ip = y.tbping_ip
  AND (y.tbping_blog_name LIKE '%texas%' OR
       y.tbping_blog_name LIKE '%poker%');

But then I grinned and thought, “Hey wait, why not let those one or two out of a lucky hundred spin their wheels when they come back for more?” which was immediately followed by “Foo, I don’t want to hand-jam all those addresses from my email into MT.” Then I grinned and, after making a backup of my database using mysqldump, I typed in:

INSERT INTO `mt_ipbanlist`
  (`ipbanlist_blog_id`, `ipbanlist_ip`, `ipbanlist_created_on`, `ipbanlist_modified_on`, `ipbanlist_created_by`)
SELECT `tbping_blog_id`, `tbping_ip`, `tbping_created_on`, `tbping_modified_on`, '99'
FROM `mt_tbping`
WHERE tbping_blog_name LIKE '%texas%'
   OR tbping_blog_name LIKE '%poker%';

Voilà, no more automated spam from the spammer’s favorite anonymous proxies. At this point I thought I might want to block these IPs from some other websites I administer, so I generated my own cut-and-paste list for .htaccess, and then chuckled at the result of:

SELECT DISTINCT CONCAT('Deny from ', `tbping_ip`)
FROM `mt_tbping`
WHERE tbping_blog_name LIKE '%texas%'
   OR tbping_blog_name LIKE '%poker%'
ORDER BY `tbping_ip`;

Once I had exhausted all the utility I could think of, then and only then did I:

DELETE
FROM `mt_tbping`
WHERE tbping_blog_name LIKE '%texas%'
   OR tbping_blog_name LIKE '%poker%';

Which was followed by rebuilding my blog from the command line using mt-rebuild.

So where’s the Honeypot?
I haven’t built it yet. I only had enough time either to post the above article or to write the script, not both. So if you feel compelled to automate the above, here’s my thinking:

  1. CRONTAB a point in time where you allow your site to get spammed by temporarily renaming the .htaccess file – or better yet, using an .htaccess file that lets one or two well-defined spammer referrers in (e.g. texas-poker).
  2. CRONTAB a time to turn back on all your protections by putting the .htaccess file back in place and then:
    • run the MySQL scripts to insert IP blocks
    • run the MySQL script to clean-up the spam from MT database
    • use mt-rebuild to rebuild your messages sans comment spam

I think however in the future, I’m going to publish a blog and ask the big hitters to link me up. It will mostly post aggregated news, but it will also publish spam hit lists in text and XML formats for easy consumption by nice-people. But first I need to get some scripts working.

In the meantime, post anything related to the above scripts or ideas. I’m sure there’s some SQL that could be better written; for example, I noticed that if the INSERT above is run more than once you get duplicates … which means that after backing up my data AND making a copy of mt_ipbanlist in the database, I needed to run the following:

-- delete the earlier duplicate rows, keeping one entry per banned IP
DELETE t1
FROM mt_ipbanlist AS t1, mt_ipbanlist AS t2
WHERE t1.ipbanlist_ip = t2.ipbanlist_ip
  AND t1.ipbanlist_id < t2.ipbanlist_id;

I’m also sure I’ve overlooked some procedures that could be inserted to make the whole thing work better — or at least figure out how blackjack-123.com (64.234.220.141) plays into all this.
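The whole sequence above (mine the referrer names, ban the IPs, generate the Deny lines, purge the pings, de-duplicate the ban list), replayed as an added example against an in-memory SQLite copy of the two MovableType tables. This is not the blog’s own code: the table and column names follow the post, the rows are constructed for the demo, the SQL is adapted to SQLite syntax, and the ban-list INSERT is rewritten so that running it twice does not create the duplicates described above.

```python
# Added example, not the blog's own code: the post's IP-mining queries replayed
# against an in-memory SQLite copy of the two MovableType tables.  Table and
# column names follow the post; the rows are constructed for the demo.  SQLite
# syntax is used (|| instead of CONCAT, a subquery instead of MySQL's
# multi-table DELETE), and the ban-list INSERT is written so that re-running
# it does not create the duplicates the post complains about.
import sqlite3

SPAM_PATTERNS = ("%texas%", "%poker%")   # blog-name fragments from the post

def open_db():
    """Create the two tables and load a few constructed trackback pings."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE mt_tbping (tbping_id INTEGER PRIMARY KEY, tbping_blog_id INTEGER,
            tbping_ip TEXT, tbping_blog_name TEXT, tbping_created_on TEXT,
            tbping_modified_on TEXT);
        CREATE TABLE mt_ipbanlist (ipbanlist_id INTEGER PRIMARY KEY,
            ipbanlist_blog_id INTEGER, ipbanlist_ip TEXT, ipbanlist_created_on TEXT,
            ipbanlist_modified_on TEXT, ipbanlist_created_by INTEGER);""")
    # Constructed sample: one open proxy sent two poker pings plus an innocuous-
    # looking one; an honest ping came from a different address.
    con.executemany("INSERT INTO mt_tbping VALUES (NULL, ?, ?, ?, ?, ?)", [
        (1, "198.51.100.7", "texas holdem online", "2005-02-06 01:10", "2005-02-06 01:10"),
        (1, "198.51.100.7", "best poker rooms", "2005-02-06 01:11", "2005-02-06 01:11"),
        (1, "198.51.100.7", "innocent looking name", "2005-02-06 01:12", "2005-02-06 01:12"),
        (1, "203.0.113.9", "friendly church blog", "2005-02-05 09:00", "2005-02-05 09:00")])
    return con

def spam_where(alias=""):
    """WHERE clause shared by every query; bind SPAM_PATTERNS to its '?' marks."""
    col = alias + "tbping_blog_name"
    return "(" + " OR ".join(f"{col} LIKE ?" for _ in SPAM_PATTERNS) + ")"

def referrers_sharing_spam_ips(con):
    """The post's first query: every blog name seen from an IP that also sent
    a spam ping, which surfaces the spammer's less obvious names too."""
    sql = ("SELECT DISTINCT x.tbping_blog_name FROM mt_tbping AS x "
           "JOIN mt_tbping AS y ON x.tbping_ip = y.tbping_ip WHERE " + spam_where("y."))
    return sorted(row[0] for row in con.execute(sql, SPAM_PATTERNS))

def count_banned(con):
    return con.execute("SELECT COUNT(*) FROM mt_ipbanlist").fetchone()[0]

def ban_spam_ips(con, created_by=99):
    """The post's INSERT ... SELECT made idempotent: one row per (blog, IP) and
    IPs already on the ban list are skipped.  Returns the number of rows added."""
    sql = f"""INSERT INTO mt_ipbanlist (ipbanlist_blog_id, ipbanlist_ip,
                 ipbanlist_created_on, ipbanlist_modified_on, ipbanlist_created_by)
              SELECT p.tbping_blog_id, p.tbping_ip, MIN(p.tbping_created_on),
                     MAX(p.tbping_modified_on), ?
              FROM mt_tbping AS p
              WHERE {spam_where('p.')}
                AND NOT EXISTS (SELECT 1 FROM mt_ipbanlist AS b
                                WHERE b.ipbanlist_ip = p.tbping_ip
                                  AND b.ipbanlist_blog_id = p.tbping_blog_id)
              GROUP BY p.tbping_blog_id, p.tbping_ip"""
    before = count_banned(con)
    con.execute(sql, (created_by, *SPAM_PATTERNS))
    con.commit()
    return count_banned(con) - before

def banned_ips(con):
    return sorted(con.execute("SELECT ipbanlist_blog_id, ipbanlist_ip FROM mt_ipbanlist"))

def deny_lines(con):
    """The post's CONCAT query: ready-to-paste 'Deny from' lines for .htaccess."""
    sql = ("SELECT DISTINCT 'Deny from ' || tbping_ip FROM mt_tbping WHERE "
           + spam_where() + " ORDER BY 1")
    return [row[0] for row in con.execute(sql, SPAM_PATTERNS)]

def purge_spam_pings(con):
    """The post's DELETE, run last, once the IPs have been harvested."""
    cur = con.execute("DELETE FROM mt_tbping WHERE " + spam_where(), SPAM_PATTERNS)
    con.commit()
    return cur.rowcount

def remaining_ping_names(con):
    return sorted(row[0] for row in con.execute("SELECT tbping_blog_name FROM mt_tbping"))

def dedupe_banlist(con):
    """The post's clean-up for a ban list that was filled more than once: keep
    the first row per (blog, IP) and delete the later duplicates."""
    cur = con.execute("""DELETE FROM mt_ipbanlist WHERE ipbanlist_id IN (
        SELECT t1.ipbanlist_id FROM mt_ipbanlist AS t1 JOIN mt_ipbanlist AS t2
          ON t1.ipbanlist_ip = t2.ipbanlist_ip
         AND t1.ipbanlist_blog_id = t2.ipbanlist_blog_id
         AND t1.ipbanlist_id > t2.ipbanlist_id)""")
    con.commit()
    return cur.rowcount
```

Run the functions in the order the post runs them: harvest names and IPs first, generate the Deny lines, and only then purge the pings, since the DELETE destroys the evidence the other queries need.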

Of course if someone could point me to a poisoned and/or booby-trapped mt-tb.cgi, I’d be much obliged.

Posted in Uncategorized

Using .htaccess to deal with a recent flood of trackback ping spam

“Holy smokes, I’ve been hit!

My comment spam ‘secret code’ filter is working like a charm – no spam in weeks, but now they’ve decided to spam through trackback. The other day I had two new trackback pings on older entries, both spam. This morning I had 135, all spam. Yikes. So, later today I’ll be deleting away, but it will take a while…” – Salguod.net, February 01, 2005

Updates 2
Had to make some changes: the spammer decided to ‘teach me a lesson’ by adding healyourchurchwebsite to his referrer. I’ve tightened that up – and in the process also snarfed some information from him/them – and am now in the process of filing a formal complaint with the Feds. Take note of the sections in yellow where my examples include healyourchurchwebsite…

The Problem
Like many of you, I noticed a spike in Trackback Spam pointing to various card-shark subdomains at terashells.com, chat-nett.com and other domains that are sure to change on a daily basis.

First thing I noticed: the same crap coming in from a variety of anonymous proxies. This meant blocking by IP would quickly become a full-time job. As a stop-gap, I employed a girthy but quick-n-dirty .htaccess solution offered at Aaron Logan’s Loblogomy blog.

I knew I’d have to find a more efficient approach; I also knew that Mark Pilgrim’s ‘How to block spambots …’ was causing some other issues on my server, because I suspect my server is configured slightly differently than his. This happens.

Still, I didn’t want snoopers like the one I saw from BranDimensions.com, not that I’m hiding anything, but they’re not paying me for my bandwidth even though they profit from it. I needed a solution to solve my short-term trackback spam issue, and take care of my long-term no-pay no play policy regarding the commercial abuse of my bandwidth.

The Not-So-Final Solution
With not all that much searching, I found that Parker Morse of Flashes of Panic offered an elegant .htaccess approach that would get me 98% of what I needed. In a post entitled ‘A little meanness,’ Morse employs a Blocking Referer Spam mod_rewrite technique developed by Ed Costello back in May of 2004.

The (obligatory) Warning
Before we go any further, I need you to understand that while this is an excellent approach, it is not without its dangers. Those dangers are made clear in an absolutely must-read related post entitled “Killing referrer spam,” in which Caveat Lector offers this excellent advice:

BE AWARE: YOU CAN BORK YOUR WEBSITE WITH THIS. I’ve done it. (In fact, I did it two minutes ago. Go me.) How will you know your .htaccess file is borking your site? Well, usually, when you browse to your weblog’s URL you’ll get a “500 Internal Server Error” page of some sort instead of your beloved weblog.

Always, always, always keep a last-known-good version of your .htaccess file! If you’re using FTP to place your .htaccess file and you bork your site, you just upload the last-known-good file, and you’re golden.

Or in my case, working from a jailed ssh session I was able to do the following:

wget http://www.flashesofpanic.com/htaccess.txt -O htaccess_parker.txt
pico htaccess_parker.txt #see modifications below#
cp .htaccess htaccess_02feb05.txt
cp htaccess_parker.txt .htaccess

The Modifications
After downloading Parker’s text file version of his .htaccess file, I gave it a quick inspection and modified the following line:

from:
SetEnvIfNoCase Referer .*flashesofpanic\.com.* !spam_com

to:
SetEnvIfNoCase Referer ".*(blogs4god|healyourchurchwebsite|redlandbaptist|mission4me) *" !spam_com

The script also needed to be modified because I found some problems when trying to enter a post using my crufty old version of MovableType, so I had to add a line to Parker’s otherwise excellent approach. A problem also described in Laurabelle’s Blog article “Die spammers die!“. So after adding a few more drug names to the kill list, I immediately followed with another line of code:

SetEnvIfNoCase Referer “.*(phentermine|diet-pills|p …
SetEnvIfNoCase Referer www\.healyourchurchwebsite\.com\/cgi-bin\/mt/mt\.cgi.* !spam_ref

I suspect this fix was necessary because the way the .htaccess file is set-up, everyone is considered a spammer until we say they’re not. More on how-to modify and the mechanics of how this all works can be found over at Caveat’s column.

Finally, you may want to block the user agent CandyGenius has identified in this delicious post which asserts:

The trackback spammer is leaving the same signature as the comment spammer. It’s the same guy. Use the code above to block it all. (psxtreme & freakycheats but that will change tomorrow.)

Testing
A quick-n-dirty test of this is to Google your domain using one of the forbidden words. This is because that word will now appear in the referrer header from Google and you should be able to block yourself. For example “healyourchurchwebsite poker.” Not the most fool-proof test, but close enough for government work.

Now if I could just get rid of those irritating 414 generators trying to hack into an IIS server … which I obviously don’t use … I’m sure there’s an .htaccess solution out there.

Likewise, let me know if you have improvements or patches … I’d be interested in seeing them.

Update 11:54 AM
It is becoming evident that this trackback spamming is less about advertising, and more about denial of service. For about 2 hours this morning, my server was under attack – the information below thwarted all but two trackbacks out of several hundred attempts. In the meantime, I am pondering whether or not I should enforce my terms of service and provide the spammer a bandwidth test using a variation of the following wget command:

while [ true ]; do wget -r -nd --cookies=off --cache=off --proxy=on --delete-after --user-agent="all your trackback spam is sucky" "http://online-poker.chat-nett.com"; done

However, if this is about denial of service, and since the spammer is abusing several anonymous proxies, it could be that the owners of the URLs are also innocent victims. Your thoughts?

Posted in Uncategorized

Just got burned by an Internet scam

It’s called a phishing scheme, and it can happen to the best of us. Consider the recent account of a boardgame geek named Nimrods:

… it gave me a list of alleged security breaches and asked me to follow a link to EBay where I would reconfirm my account details. I actually got as far as entering my credit card number and security code before I noticed the lack of a padlock at the bottom of the browser…

Fortunately for Nim’, he immediately ran down the owner of the URL and canceled his credit card. Still, it is irritating at the least, and potentially financially catastrophic at the most. Imagine the poor church secretary who gets an email from what looks like eBay, Amazon, Citi Bank, Verizon or some other entity their church uses that says, click here or your credit will be ruined forever.

The email has the company’s brand or logo. It has an email address that contains the company’s brand name. It sounds like it was written by someone who knows something about your account. Why wouldn’t an honest, hard-working person get taken? And that, my friend, is exactly what these ‘phishers of men’ are hoping for.

What to do? Well here is exactly what the FTC, the nation’s consumer protection agency, suggests you do to help you avoid getting hooked by a phishing scam:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don’t ask for this information via email …
  • Don’t email personal or financial information. Email is not a secure method of transmitting personal information … no indicator is foolproof; some phishers have forged security icons (e.g. padlocks).
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Use anti-virus (and personal firewall) software and keep it up to date.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov. If you believe you’ve been scammed, file your complaint at www.ftc.gov, and then visit the FTC’s Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit www.ftc.gov/spam to learn other ways to avoid email scams and deal with deceptive spam.

There have been times I have complained about my tax dollars at work; this is not one of them — the people at the FTC are correct. About the only thing I might add is to learn how domain names work, specifically subdomains, because most of the phishing schemes I’ve seen employ some sort of email address that combines a brand name used as the subdomain, such as ‘Amazon’, with a slightly mangled $6.95 domain name such as ‘accountsrecievable.info’, to give you customerservice@amazon.accountsrecievable.info. The part that matters is the domain someone actually registered (here accountsrecievable.info); everything to the left of it is under that registrant’s control, no matter whose brand name it carries.

This, coupled with the company’s logo, and whammo: while they may not get everyone, they’ll get enough. Which is why it wouldn’t hurt to familiarize yourself with some of the basics of the Secure Sockets Layer, or in plain English, the reason Nimrod noticed the lack of a padlock at the bottom left of his browser. SSL, as it is otherwise known, is the protocol that reputable companies, such as Amazon, eBay and the like, use when they take your credit card information.
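To make the subdomain point concrete, here is an added example in Python (mine, not code from the original post) that pulls the host out of an email address or URL, works out which part of it was actually registered, and flags a brand name that shows up anywhere other than that registered part. The tiny public-suffix list and the brand list are constructed stand-ins for this example; real code should use the full public suffix list (the tldextract package wraps it).

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the public suffix list; real code
# should use the full list (the tldextract package wraps it). These entries are
# only what the samples below need.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk"}

# Brand names worth watching for; a constructed list for this example.
WATCHED_BRANDS = {"amazon", "ebay", "verizon", "citibank", "paypal"}


def host_of(address):
    """Return the lowercase host name of an e-mail address or URL."""
    address = address.strip()
    if "@" in address and "://" not in address:
        # e-mail address: everything after the last '@' is the host
        return address.rsplit("@", 1)[1].lower()
    if "://" not in address:
        address = "http://" + address
    host = urlsplit(address).hostname  # drops the port and any user@ prefix
    if not host:
        raise ValueError("no host in %r" % address)
    return host.lower()


def registrable_domain(host):
    """The public suffix plus the one label left of it: the part someone registered."""
    labels = host.strip(".").split(".")
    # Try the longest candidate suffix first so 'co.uk' beats 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def brand_mismatch(address):
    """
    Return (brand, registrable_domain) when a watched brand name appears in the
    host, the mailbox part, or a URL's user-info, but the registrable domain was
    registered under some other name. Return None when nothing looks off.
    """
    host = host_of(address)
    reg = registrable_domain(host)
    owner = reg.split(".")[0]          # the label somebody actually registered
    left = address.strip().lower()
    if "://" in left:
        left = urlsplit(left).netloc   # host plus any user-info; path excluded
    tokens = set(re.split(r"[^a-z0-9]+", left)) - {""}
    for brand in sorted(WATCHED_BRANDS):
        if brand in tokens and brand != owner:
            return brand, reg
    return None


if __name__ == "__main__":
    # Constructed samples: the post's own example plus a few common variations.
    for sample in [
        "customerservice@amazon.accountsrecievable.info",  # brand only in a subdomain
        "vgz123@gtc.verizon.com",                          # brand really owns the domain
        "http://www.ebay.com@evil.example.com/signin",    # brand hidden in URL user-info
        "https://secure.paypal.co.uk/",                    # two-label public suffix
    ]:
        print("%-50s -> %s" % (sample, brand_mismatch(sample)))
```

Run it and the first sample comes back flagged as (‘amazon’, ‘accountsrecievable.info’), while the Verizon address the spammer used on my wife comes back clean, because verizon.com really is the registered part. The matching on whole labels (split on dots and hyphens) is a heuristic: it catches amazon-security.info but not look-alikes such as a zero for the letter o.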

Like all methods of security, you need to understand that no single method is foolproof – you must layer multiple methods. For example, Secunia recently reported an Internet Explorer exploit that allowed the phisher to fake the padlock – while other schemers just go ahead and buy a cheap SSL certificate for their bogus domain, so the padlock shows up honestly for the wrong site.

In my house, we have standing orders – no financial information is disclosed in response to unsolicited emails and phone calls, period. I’ve upset one bank by demanding a phone number that I could call back the following day – the assistant manager got upset that I was so suspicious – the regional manager of the bank was not so upset when I explained my demands. Likewise, when my wife got hit with a Verizon phishing scheme via email, she called Verizon using not a phone number in the email, but the support number on our bill – whatta great geek girl I’m blessed with! Especially because the phisher had generated email addresses that broadcasted to a range of Verizon customers (e.g. vgz123@gtc.verizon.com).

Scared spitless? The best way to conquer fear is knowledge – and practice. Here are some links to get you started:

I realize this is somewhat out of context — though to some it might seem a form of persecution — regardless, let us not forget the warning of the Christ in Matthew 10:16 where He says:

“Behold, I am sending you out as sheep in the midst of wolves, so be wise as serpents and innocent as doves…”