LED Digest 2089: Secure Servers



==================================================
                 The LED Digest
             Moderated Discussion List
     "Effective Online Advertising, Since 1997"

         pair Networks: The LED's Web Host
   Hosting and Domain Reg. from a Trusted Leader
  pair.com for Hosting  |  pairNIC.com for Domains

==================================================
List Moderator:                     Published by:
Adam Audette                          LED Digest
adam, led-digest.com     http://www.led-digest.com
..............................................
February 3, 2006                       Issue #2089
..............................................



            .....IN THIS DIGEST.....


==== CONTINUING =================

        --== Secure Servers ==--

                ~ Rich Dudley
"Something not to forget is that an SSL
Certificate is only half of the solution."

        --== Shopping Cart Abandonment ==--

                ~ David Spahr
"I dropped the item when I saw the
shipping cost."

                ~ John Barendrecht
"I wonder what the conversion rate for visitors
to a mall is, if you excluded the food court."


==== BILLBOARD ===================

        --== Fighting Spam, Part 2 ==--
                ~ Tom Aman


======== CONTINUING ===============================

From: Richard Dudley
Subject: Secure servers

> ... why not discuss the different types / levels
> [of secure servers], how do they function, how
> to acquire a certificate, the cost and...how
> to get it installed on the host server.
        - Bill Davison, LED 2088

If you have any sort of managed hosting plan (such as shared hosting
or managed dedicated servers), your hosting company will probably
handle this for you -- ask them if that's part of the plan.  You may
specify which certificate authority to use (VeriSign, GeoTrust,
Thawte, etc), or they may already be a reseller of one particular
brand.

I'm not sure about Apache servers, but in IIS, it's very simple to
generate a certificate request and install the certificate.  Your
main choice is choosing which certificate authority to use.  Some,
such as Thawte, require documentation that you are an actual
business, and will perform a check with your Secretary of State (for
the international readers, each business in each US state needs to
register with that Secretary of State, who maintains records of
names, business license numbers, tax information, etc).  It can take
several days to obtain an SSL with this type of background check,
and these are usually more expensive.  Other CAs, such as Instant
SSL, will run a query against a business database such as Dun and
Bradstreet, and generate a certificate quickly.  Certificates from
these CAs are usually much cheaper.

In my experience, consumers don't really care.  Many of them have no
idea what an SSL Certificate does for them, only that they've heard
you shouldn't shop at a site without one.  Other than that, few
people care.  This is spoken from a brick-and-mortar perspective; we
have a physical storefront, and have had one since 1998, so proof
of our business existence isn't as essential as a pure-play Internet
retailer.  You can call or walk into our shop, or maybe one of our
vans will pull up outside your house sometime.  That goes a long way
in validating our existence.

Something not to forget is that an SSL Certificate is only half of
the solution.  To date, I have never heard of anyone's credit card
information being intercepted and used.  This is a very difficult
task, even when security is lax, and it only yields one number.  The
database is really the pot of gold as far as thieves are concerned,
and these have been compromised on several occasions.  Once the
order is processed, you still need to account for the storage of the
credit card number in your shopping cart database.  Ideally, you
don't store the full number at all, only the last 4 digits and the
authorization code.  Most good shopping carts will zero out the
number after a few days, keeping only the authorization code and a
string of x's or 0's.  Anytime the full card number is stored, it
should be encrypted using a strong encryption algorithm, such as
Triple DES.  If this isn't a feature of your cart, I would suggest
demanding it or changing your cart, because you do open yourself up
to some liability by not conforming with set and accepted practices.

Rich Dudley
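
As an added example (not from the digest or from Rich Dudley), here is what the storage policy he describes looks like as a retention job over a cart table: a hypothetical scrub routine that leaves only the authorization code and a masked number once an order is a few days old, plus an audit count of how many full numbers are still at rest. The row layout, field names, three-day window and sample rows are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

RETENTION_DAYS = 3   # "a few days": assumed window; align it with your settlement cycle

def mask_pan(pan):
    """Reduce a card number to 'x' padding plus its last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "x" * (len(digits) - 4) + digits[-4:]

def is_masked(stored):
    """True when a stored value is already of the form xxxx...1234."""
    return stored[-4:].isdigit() and len(stored) > 4 and set(stored[:-4]) == {"x"}

def scrub_stale_pans(rows, now, retention_days=RETENTION_DAYS):
    """Retention job: for orders older than the window, replace the full card
    number with its masked form, keeping only the authorization code with it.
    Returns the number of rows changed."""
    changed = 0
    for row in rows:
        if is_masked(row["card_number"]):
            continue
        if now - row["captured_at"] >= timedelta(days=retention_days):
            row["card_number"] = mask_pan(row["card_number"])
            changed += 1
    return changed

def full_pans_at_rest(rows):
    """Audit check: how many full card numbers would a dump of this table reveal?"""
    return sum(not is_masked(r["card_number"]) for r in rows)

NOW = datetime(2006, 2, 3, 9, 0)   # constructed "current time" for the sample

def sample_rows():
    """Constructed cart-database rows; the numbers are published test card numbers."""
    return [
        {"order_id": "1001", "card_number": "4111 1111 1111 1111",
         "auth_code": "A1B2C3", "captured_at": NOW - timedelta(days=6)},
        {"order_id": "1002", "card_number": "5500000000000004",
         "auth_code": "D4E5F6", "captured_at": NOW - timedelta(days=1)},
        {"order_id": "1003", "card_number": "xxxxxxxxxxxx0005",
         "auth_code": "G7H8I9", "captured_at": NOW - timedelta(days=9)},
    ]

if __name__ == "__main__":
    rows = sample_rows()
    print("full PANs before:", full_pans_at_rest(rows))   # 2
    print("rows scrubbed:", scrub_stale_pans(rows, NOW))  # 1
    print("full PANs after:", full_pans_at_rest(rows))    # 1
```

The one-day-old order keeps its full number until the window passes, which is exactly the residual exposure the audit count is there to make visible.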


------- new post - new topic -------

From: David Spahr
Subject: Abandoned Carts

> I suspect that one of the reasons people abandon
> carts is because the only way they can get the total
> cost of what they might order is by actually proceeding
> to the initial checkout phase.
        - Tom Aman, LED 2087

I think Tom is absolutely correct on this one. As an online shopper
I did exactly what he is saying just yesterday. I dropped the item
when I saw the shipping cost. The cost was not shown with the item
and it was pretty high. I think the shopping cart drop rate would
change quite dramatically if the shipping cost was shown with the
item. That might also mean fewer people click on your cart but
better conversion.

In many cases, I believe the shipping price is intentionally not
shown by sites intending to sandbag you at the final sale with a
somewhat inflated shipping and "handling" charge. You see this on
quite a few sites. I recently bought an item offered by multiple
sites by price shopping the shipping cost. There was close to a $10
difference in some sites' costs. You really have to watch out about
your shipping charges on eBay too with different sellers' "checkout"
services. I got tagged there recently. In an auction you cannot back
out (not easily anyway, without risking your good feedback rating).

Some folks may need to come to the reality that they need to rethink
their shipping processes and pricing. If shipping is a significant
part of your profit profile you may be signing your own death
warrant. If you sell the same item as other sites and your shipping
is higher, many people will figure this out. Most people not only
will not buy, but will resent it highly and never return.

David Spahr
stereoviews.info


------- new post - same topic -------

From: John Barendrecht
Subject: Cart abandonment

> Most firms are able to convert only
> 2-3% of online traffic to paying traffic.
        - Kevin Condon, LED 2086

This does not imply that 97 -- 98% abandon carts, only that 97% of
visitors don’t buy products for one reason or another. I wonder what
the conversion rate for visitors to a mall is, if you excluded the
food court. In a brick and mortar mall, it is easy not to count
staff, or security personnel, etc. but online it is not as easy to
determine bots or a 7 year old with no credit card from a person
with intent and ability to buy.

Beth Ann (issue 2088) makes a good point about brick and mortar cart
abandonment. A couple of days ago, I went to Wal-Mart. To get a hair
cut, you must walk at the rear of the tills and there were at least
25 carts filled to the brim with abandoned items. Clerks were adding
items as I was trying to maneuver around the carts. Cleanliness and
tidiness are not Wal-Mart’s strong point but that’s another thread
or is that like page layout on the web?

Like Mark Roberts, I usually abandon carts because of a lack of
pricing on the site. You must add the items to a cart to determine
the price. On our site, we clearly mark all items and have a link to
shipping costs on the bottom of every sale page. As we ship to 75+
countries, putting shipping costs on the page would not be
practical. Even with the shipping cost link, we get at least 1
inquiry per day about shipping costs.

Rather than spamming visitors for abandoning the cart, we should be
trying to prevent cart abandonment.

Best regards,

John Barendrecht

Centralhome.com Company Inc.


==== BILLBOARD ===================================

From: Tom Aman
Subject: Fighting Spam - Part 2

Next I looked at Challenge-Response filtering.  In this scenario, an
incoming email from someone you do not know has a "challenge" sent
to the "from" or "reply-to" address.  Since valid senders are
expected to answer the challenge and SPAMmers are not expected to
answer, this seems a really good solution.  But if you think about
it for a while, you will see it is full of problems.  If A and B both
use less than perfect Challenge-Response systems, the following
scenario can occur:

1. A sends an email to B.

2. Since B has never corresponded with A, B's system sends a
challenge.

3. A gets the challenge, does not know B, so A's system sends a
challenge to B.

How are A and B ever going to talk?

Another scenario:

1. C sends spam or a virus to B, using A's address as the sender
address.

2. The C/R filter sends an email to A, who has no idea what's going
on.

3. If A does not reply, he won't find out why he received the C/R
mail, because to ask B any question he has to get on B's whitelist.
In fact, B won't see the reason for the C/R mail to A either until A
has confirmed his address. If A ignores the challenge his address
may even get blacklisted by B, so he can never contact him.

4. If A successfully responds to the challenge, he will permit a
spam or a virus mail to be delivered to B.

5. Whether or not A responds, B has sent unsolicited bulk email. If
B receives 100 spams a day and 80 of these use fake senders, B will
turn these 100 into 180 spams a day.

The problem is that the "from" or "reply-to" in a low-life SPAM
email is usually faked so the challenge is going to the wrong
person.  Basically, the user of the Challenge-Response system is
using everyone else to filter his email to eliminate SPAM directed
at him.

Also, some people HATE challenges. Consider this quote from an eBay
seller as it appears in the info about his items:

--------------------
"Some earthlink customers have a filter that requires one to fill in
a form to be allowed to contact the user. If you have this, please
do not win, as it infuriates me."
--------------------

Another comment I ran across in my research was

--------------------
"If I get a challenge caused by SPAM because someone faked my
address in an email, I always send a response.  Let the challenger
deal with his own SPAM".
--------------------

Use of Challenge-Response also creates the possibility of the user
being branded as a SPAMmer (All those challenges going to faked
"From" addresses.)  For more info on the problems with
Challenge-Response filtering, check out

Finally, there is the CAN-SPAM act.  Many believe that it is not
working.  I disagree.  You have to use it if you expect it to work.
CAN-SPAM essentially says SPAM must contain a means of
unsubscribing, and if that doesn't work, report the SPAM to the FTC.

The problem here is that the conventional advice you get from the
"experts" is to never, never send an unsubscribe because that will
just confirm your email address and you will end up getting more
SPAM.  That advice has always bothered me.  So following advice that
appeared in a magazine that one should "follow the money" to see
where spyware really originated, I applied the advice to SPAM. It
seemed to me that the person / company that most benefits from the
"don't unsubscribe" advice is the spammer or the seller of the email
lists used by the SPAMmer.  If the CAN-SPAM act depends on sending
unsubscribe requests to achieve its results you cannot expect any
benefit if you do not unsubscribe. Think about that.

Since I had considered abandoning the one email account anyway, I
had nothing to lose, so I decided this account would make a really
good test case.  For 30 consecutive days, I kept track of the
numbers of SPAM emails I received and kept a most recent 10 day
moving average (this smooths out unusual highs and / or lows).  I
established that I was receiving an average 295 SPAM emails per day
and this remained relatively steady.

Next, I started following unsubscribe instructions when they
appeared in a SPAM - not always for all of them in a day, but an
average of about 10 a day.  Many SPAM emails will have two
unsubscribe options, one to unsubscribe from the list for the
particular company sending the email, a second to unsubscribe from
all the companies using that particular list.  This is the better
option to use.  Many responses to the unsubscribes say you will be
removed in as little as 24 hours or as long as 7 or 10 days so you
may continue to receive SPAM from that source for that long.  I
didn't worry about keeping track, I just did the unsubscribe so many
lists would have received multiple requests from me.

I continued with the 10 day moving average.  The results were
dramatic as the 10 day average dropped to 210 within the first 10
days.  After 35 days, the average was down to 151 SPAM emails per
day, 51% of the original number. This is the exact opposite result
that the conventional "expert" advice would lead you to expect.

Of the remaining 151, an average breakdown was as follows:

- 45 foreign (Russian, Brazilian, Chinese, Indian, etc.) that I
could not read.

- 45 no form of unsubscribe offered.

- 8 variations of the Nigerian 419 scam or phishing emails.

- The remainder (53) were for things like "genuine Rolex replicas",
Viagra, Cialis, mortgage offers, etc.  Many contained unsubscribe
options, but the unsubscribes were ignored (and did not result in
any added SPAM, either).

An "unsupported by solid data" observation:  I was getting so many
"genuine Rolex replica" offers that one day I got really, really
annoyed.  So I went to the real Rolex site, found an address to
email, and sent an email that essentially said that I knew Rolls
Royce used to be extremely proactive in defending their name and
would take legal action if necessary to prevent others from using
Rolls Royce as any part of a product name or description. I
suggested that, since a Rolex replica must involve trademark and
copyright infringements and possibly patent infringements, looked
like the real thing but was of unknown quality, that maybe, to
protect the Rolex name, the company should be more proactive in
coming down on these fake producers / sellers.  I have no hard
numbers, but I am positive that the number of these offers I receive
now is less than half what I was getting last fall.  Maybe Rolex has
taken action.

I keep an eye on the incoming SPAM and will occasionally still get
one with a valid unsubscribe (I recognize them now), so I
unsubscribe.  Also, some of the foreign ones contain links that are
recognizably intended for unsubscribing and I use these when I see
them.  Mostly they seem to work.

This past 2 weeks, I checked out the average number of SPAM I
receive again and it is now at 138 so I would have to conclude that
CAN-SPAM does work *provided you use it*.  Having established that
it works, my next phase in my personal SPAM fight will be to
regularly report selected SPAM to the FTC, mainly the scams,
phishing, Rolex, Viagra, mortgage, etc. low-lifes.

Also, in the case of Nigerian 419 scam variations, since many of
these give a public type email address for the response (using
netscape, yahoo, hotmail, walla, gmail, etc.), I usually forward a
copy with complete headers to that hosting company (if you can't
find a reference at the host site, just try [e-mail address obscured
on the archived page] - it usually is all you need).  I often get an
almost instant response
that the email account was closed.  Same with phishing emails.  If
you move your mouse pointer over the link you are asked to click,
the host or IP should show in your browser status bar.  It becomes
relatively easy then to track down the host owner and / or an
appropriate abuse email for reporting the attempted scam and the
faked site will usually be closed in hours (or sometimes even in
minutes - my personal record is 4 1/2 minutes, including a thank-you
from the hosting company for reporting the abuse).

So don't sit back and live with SPAM.  We can all fight SPAM.  We
may not be able to totally win, but all of us together can probably
make a big difference.

Tom Aman

Aman Software
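
The two Challenge-Response failure modes Tom Aman walks through above, as an added simulation that is not part of his post or of any real C/R product: two mailboxes that challenge every unknown sender deadlock on each other (his first scenario), and one mailbox fed 100 spams with 80 forged senders emits 80 challenges to bystanders and then admits a spam as soon as one bystander obligingly confirms (his second scenario, steps 4 and 5). Addresses, message fields and the one-challenge-per-sender rule are assumptions of the model.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Msg = namedtuple("Msg", "sender recipient kind")  # kind: "mail", "spam" or "challenge"

@dataclass
class CRMailbox:
    """C/R filter: hold mail from unknown senders and challenge the claimed sender."""
    addr: str
    whitelist: set = field(default_factory=set)   # senders who answered a challenge
    challenged: set = field(default_factory=set)  # senders challenged once already
    held: list = field(default_factory=list)      # quarantined until confirmed
    inbox: list = field(default_factory=list)
    sent: list = field(default_factory=list)      # challenges this box emitted

    def receive(self, msg):
        if msg.sender in self.whitelist:          # trusted: deliver whatever it is
            self.inbox.append(msg)
            return None
        self.held.append(msg)
        if msg.sender in self.challenged:         # already asked once; stay silent
            return None
        self.challenged.add(msg.sender)
        challenge = Msg(self.addr, msg.sender, "challenge")
        self.sent.append(challenge)
        return challenge                          # goes to the *claimed* From: address

    def confirm(self, sender):                    # the claimed sender answered
        self.whitelist.add(sender)
        self.inbox += [m for m in self.held if m.sender == sender]
        self.held = [m for m in self.held if m.sender != sender]

def scenario_deadlock():   # two C/R users write to each other (steps 1-3)
    a, b = CRMailbox("a@example.test"), CRMailbox("b@example.test")
    net = {a.addr: a, b.addr: b}
    reply = b.receive(Msg(a.addr, b.addr, "mail"))
    while reply is not None:                      # a challenge is itself unknown mail
        reply = net[reply.recipient].receive(reply)
    return len(a.inbox), len(b.inbox)             # (0, 0): nobody ever gets through

def scenario_backscatter(n_spam=100, n_forged=80):   # forged senders (second scenario)
    b = CRMailbox("b@example.test")
    victims = [f"victim{i}@example.test" for i in range(n_forged)]
    for i in range(n_spam):   # 80 spams forge a real victim, 20 use throwaway senders
        b.receive(Msg(victims[i] if i < n_forged else f"drop{i}@bogus.test", b.addr, "spam"))
    to_victims = sum(m.recipient in victims for m in b.sent)
    b.confirm(victims[0])     # one victim dutifully answers B's challenge (step 4)...
    delivered_spam = sum(m.kind == "spam" for m in b.inbox)   # ...and lets the spam in
    return n_spam + to_victims, delivered_spam    # (180, 1): 100 spams became 180 mails
```

The `confirm` step is the detail defenders should note: a C/R whitelist keyed on the From: header trusts exactly the field the spammer controls, so every confirmation by a forged-sender victim is also a permanent bypass for mail forging that address.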


-------------------------------------------------------
The LED Digest is sponsored by pair Networks:
pair.com for Hosting | pairNIC.com for Domains

© Copyright 1995-2006 Orange Wheel, LLC. All Rights Reserved.
-----------------------------------------------------------------

"If you were to ask me to name three geniuses, I probably wouldn’t
say Einstein, Newton... you know. I’d go Milligan, Cleese, Everett.
Sessions." - David Brent