PlanetMike.com

Blog

Michael Clark's journal of important and not-so-important thoughts.

Archive for April, 2007

Vistaprint sucks

Tuesday, April 24th, 2007 12:09 pm

I ordered business cards a few weeks ago from VistaPrint.com. I used a unique email address like I always do. I opted out of allowing them to share my info. I also (like anywhere I give my address, phone number, credit card number) opted out of any sharing. For now I also allowed Vistaprint to email me special deals.

Well, between placing the order on March 29, 2007, and today, I’ve received 16 email offers for various things. That’s a ton, but not a problem. I signed up for them.

But just now I received a telemarketing call from Web Site Pros. Luckily the sales lady mentioned they got my info from Vistaprint. I asked her to put me on their do not call list. (Hey - they violated the DNC! I had no prior relationship with them.)

I then checked my account preferences at Vistaprint. The only option there is for email opt out. I called Customer Service, spoke with Martin. I explained my frustration that they sold my phone number, and said I had opted out. He said, no you only opted out of email sharing. There is no option on the web site to opt-out (or opt-in) of phone and address sharing. I have closed my account with Vistaprint. Martin said he closed the account, but I can still access it from the web site.

Here are the relevant sections of their privacy policy:

If you check the applicable box on registration or in updating your account, VistaPrint may also share personally identifiable information about you such as your name, telephone number, e-mail address, and/or mailing address with carefully selected third-party organizations such as retailers or direct marketers to enable those organizations to inform you about products or services that might be of interest to you. If you do not wish to have your information shared with these organizations, simply do not check the applicable box on the registration form or on the “Account Update” page on our website.

The only boxes on the “Account Update” page deal with email.

We will not share your personally identifiable information, such as your e-mail address or name, with unaffiliated organizations for them to use to inform you about their or other companies’ products and services unless you consent to this sharing on registration or in updating your account preferences. You may opt in by checking the appropriate box during registration or, following registration, by logging into “My Account,” selecting “Account Update,” and checking the applicable box.

I never opted in to allowing them to share my info, so they have violated their policy. Shady dealings, violations of their own privacy policy, and having a third party break the DNC. That’s enough. I encourage you to not use Vistaprint, I do not believe that they can be trusted.

Vistaprint sucks.


Web Designers, Tech Gurus, It’s ALA Survey-time

Tuesday, April 24th, 2007 10:30 am

A List Apart is conducting a survey of web professionals. It took me less than 5 minutes to fill it out.

Top Ten Thoughts on Beginning Podcasting

Sunday, April 15th, 2007 7:27 pm

Lorelle asked “What Blogs Make the Best Podcast Blogs?”

I have two podcasts: ShowBizRadio.net (theatre information for the Washington DC area) and ChristmasMusic247.com. Key things I’ve learned:

  1. Pick a publishing schedule and then keep it.
  2. Bandwidth usage can increase exponentially. For some reason China loves my ShowBiz podcast. I hit 32GB of downloads in March. Disk storage space increases linearly.
  3. iTunes directory is a great way to get exposure. It’s by far the most used directory for my podcasts.
  4. Audacity is open source audio recording and editing software, works very well.
  5. Get a Mac.
  6. Transcripts work well when starting out, to help seed your content into search engines. We use Transcriva from Bartas Technology. Transcripts are a pain in the rear once you start publishing new podcasts more regularly, but your audience will grow to expect the transcript.
  7. It will take longer than you think to get a huge following.
  8. Before publicizing your podcast, have at least three complete episodes recorded and in the podcast feed. Be aware that this also sets the listeners’ expectations of what to expect in the future. But 3 episodes gives you enough info to decide if you really want to make a commitment into the future.
  9. If you are doing discussion only, you don’t need a high encoded bit rate. 40Kbps is fine for discussion. Including music would probably need a higher bitrate, which directly converts into larger files, hence a larger storage and bandwidth bill.
  10. Listen to some of the existing podcasts in your field (your competition). Note what you like and don’t like about what is already being done.

Bonus tip: Audio or video demands more time of your subscribers than does text. See above note about transcripts.

There’s a lot more, but that’s definitely enough to get started.

(Off topic to Lorelle: I think the Bookmap was comment spam, via a human instead of an infected Windows system.)

Blocking WordPress Comment Spam

Monday, April 2nd, 2007 10:33 am

Back in January I tried renaming the wp-comments-post.php file to avoid comment spammers. That worked for about 10 hours, then they started using the new file name. So I switched back to the default filename. Like I said back then “So unless you change the comment post filename regularly, it doesn’t do much good.”

Well, duh, how about if I change the filename regularly? Over the last week I’ve been experimenting on a couple of my blogs. I manually changed the filename about once a day. The new filename got picked up and used, although there were still a lot of hits to wp-comments-post.php. Any IP address that attempts to “POST” to a non-existent wp-comments-post.php file should be firewalled.

I started wondering about the possibility of (1) changing the filename for every request; and (2) preventing spammers from storing that filename. So I’ve come up with the code to change the filename on every request. Here’s how I am currently doing it. Each visitor’s comment form posts to a filename built from that visitor’s IP address (e.g. 1.2.3.4.php):

1. Rename your wp-comments-post.php file to something random-ish. This new filename will never be visible to the public. This is called security by obscurity.

mv wp-comments-post.php roses-are-red.php

2. Create a new directory, accessible under your blog directory. You can call it anything you like.

mkdir kittens

3. Change to that directory

cd kittens

4. Create a .htaccess file

vi .htaccess

Put these two lines into it:

RewriteEngine on
RewriteRule ^.*$ /roses-are-red.php

The filename at the end of line 2 should be the same filename you used in step 1 above. With these rules, a request to any filename in the kittens directory is actually handled by the renamed wp-comments-post.php file.

5. Edit your template’s comments.php file. This will be in (your blog directory)/wp-content/themes/(theme name). Look for the line that sets up the form to the comment submission page. In the default Kubrick style, this is on line 72. Comment that line out by adding <!-- before it and --> after it:

<!--<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">-->

You comment this out so that if the spammers’ spiders are looking for the post page, they’ll find it, and not the “real” post page. Then add these lines after the commented line:

<form action="<?php $ip = $_SERVER['REMOTE_ADDR']; /* "kittens" is the directory created in step 2 */ echo get_option('siteurl'); echo "/kittens/" . $ip; echo ".php"; ?>" method="post" id="commentform">

And now if a comment spammer spiders my site and later tries to send spam through the comment submission page, all I have to do is check to see if the IP address matches the filename. If they don’t match, someone is storing the comment submission page URL and trying to spam through it.

So for example, this line was in my log file this morning:

192.107.152.61 - - [02/Apr/2007:07:00:16 -0400] "POST /kittens/72.36.205.226.php HTTP/1.1" 302 - "http://www.example.com/2007/04/01/exampleurl/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; InfoPath.1)"

Note the request came from 192.107.152.61, but the comment was submitted to 72.36.205.226.php. So when I grep through the log for the IP address “72.36.205.226” I find this line:

72.36.205.226 - - [02/Apr/2007:06:52:22 -0400] "GET /2007/04/01/exampleurl/ HTTP/1.0" 200 16942 "-" "topicblogs/0.9"

Googling topicblogs shows lots of references that topicblogs may be a spammer. Well, there’s the proof.

The commands in step 5 above could very easily be tweaked to include whatever information you want to store. I started out by creating an MD5 hash, but decided I would start out easy and work up to a more complicated tracking system.

I also tried to create this as a WordPress plugin, but it looks like there isn’t a system call for the filename of the wp-comments-post.php file.

If a user is using some kind of a proxy to surf the web, it is possible that they may be caught by this. Their original request would generate an ip-address.php submission page, but in the few minutes it would take to enter their comment, their proxy system may change their IP address. So their comment would come from a different IP address.
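The log check described above can be automated. The following is an added example, not code from the original post: it scans Apache combined-format log lines, flags any POST whose /kittens/ filename does not match the client IP, and looks up which user agent originally fetched the page from the embedded IP. The function name, the sample log (constructed, modelled on the two lines quoted above) and the extra addresses are assumptions.

```python
import re

# Constructed sample in Apache combined log format; the first two lines mirror the post.
SAMPLE_LOG = '''\
72.36.205.226 - - [02/Apr/2007:06:52:22 -0400] "GET /2007/04/01/exampleurl/ HTTP/1.0" 200 16942 "-" "topicblogs/0.9"
192.107.152.61 - - [02/Apr/2007:07:00:16 -0400] "POST /kittens/72.36.205.226.php HTTP/1.1" 302 - "http://www.example.com/2007/04/01/exampleurl/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; InfoPath.1)"
198.51.100.7 - - [02/Apr/2007:07:05:41 -0400] "POST /kittens/198.51.100.7.php HTTP/1.1" 302 - "http://www.example.com/2007/04/01/exampleurl/" "Mozilla/5.0"
203.0.113.9 - - [02/Apr/2007:07:09:03 -0400] "POST /wp-comments-post.php HTTP/1.1" 404 - "-" "Mozilla/4.0"
'''

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def find_replayed_posts(log_text, trap_dir="kittens", decoy="/wp-comments-post.php"):
    """Return findings for comment POSTs that did not come from the form's own visitor.

    A mismatch can also be a legitimate visitor whose proxy changed IP
    (the caveat noted in the post), so review findings before firewalling.
    """
    page_fetchers = {}  # ip -> user agents seen on earlier GET requests
    findings = []
    form_url = re.compile(r'^/%s/(\d{1,3}(?:\.\d{1,3}){3})\.php$' % re.escape(trap_dir))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "GET":
            page_fetchers.setdefault(ip, set()).add(m["agent"])
        elif method == "POST":
            target = form_url.match(path)
            if target and target.group(1) != ip:
                harvester = target.group(1)  # IP that was served this form URL
                findings.append({"kind": "replayed-form-url", "poster": ip,
                                 "harvester": harvester,
                                 "harvester_agents": sorted(page_fetchers.get(harvester, ()))})
            elif path == decoy:
                # POST to the default filename, which no longer exists
                findings.append({"kind": "decoy-post", "poster": ip})
    return findings

if __name__ == "__main__":
    for finding in find_replayed_posts(SAMPLE_LOG):
        print(finding)
```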

Copyright © 1997-2008 Michael Boyd Clark