PCI Compliance is a struggle for all merchants. The time, cost and knowledge needed are perhaps excessive when you factor in that no one is policing the rules. Having said that, we have recently come across a really stupid pain in the ass new fail for scans from a few of the PCI scanning companies. The fail is simple.... Your Zen Cart contact form is now supposed to be protected under SSL.
So I argued this with the scanning company's CSR on the phone, but the fact is, fail is fail and they are not budging.... even though they are using a GIGANTIC amount of imagination to interpret the PCI Standards. So yes, it's completely asinine: it is NOT sensitive information, and people using the form are not even necessarily customers who have checked out or ever will. In fact I suspect many are idiot spammers selling you PPC with their highly professional GMAIL business email =) .... But even the stupid must be protected from nothing, I suppose.
So, making Zen Cart serve your contact page under SSL is a PIA.
The absolutely easiest thing to do is to secure the whole catalog front end under SSL. This is done by editing includes/configure.php as follows.
On line 15 you will make the following edits.
On line 19 just verify that the value is true and not false.
Now this method, while easy to accomplish, has some pitfalls. Your URLs will ALL change, some servers' SSL configurations can be significantly slower, and you'll have to properly secure all of your resources (images, scripts, stylesheets) or face the "Broken Lock of Death". If you want to avoid these pitfalls, the task is a genuine, annoying PIA to complete.
Turning Your Contact Page to SSL the Hard Way
- First open up your admin and go to Tools >> Developers Tool Kit
- Now scroll down to the last field, enter zen_href_link(FILENAME_CONTACT_US and set it to PHP files only and Catalog only.
- This search is going to bring up all the link references for the contact us page, so we can hunt them all down and edit them like crazy people. I could just tell you where they are, but then you would miss template and override files.
For each of these instances you will change the code from
<a href="' . zen_href_link(FILENAME_CONTACT_US) . '">
to
<a href="' . zen_href_link(FILENAME_CONTACT_US, '', 'SSL') . '">
- Now that the references are trained to be SSL, we have to change the actual form action to be SSL as well. In theory this is ALL that should be required, but the idiots at the scanning companies cannot teach their pet tool to recognize that the function itself is secured, so the page doesn't need to be.
In /public_html/includes/templates/your_template/templates/tpl_contact_us_default.php, on line 17, locate the following:
<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send')); ?>
and replace it with
<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send','SSL')); ?>
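To see what the scanner is actually complaining about, and to confirm you caught every link the Developers Tool Kit search turned up, here is an added example (not code from the original post or from Zen Cart) that audits a page's HTML the way the scanning tool does: it lists every contact-us link or form action that still resolves to plain HTTP. The HTML snippets are constructed for the demo, and the URL shape index.php?main_page=contact_us is assumed to be what zen_href_link(FILENAME_CONTACT_US) renders.

```python
"""Added example, not from the original post: audit a Zen Cart page's HTML the
way a PCI scanner would, listing every contact-us link or form action that is
still plain HTTP.  The HTML is constructed for the demo; the URL shape
index.php?main_page=contact_us is assumed to be Zen Cart's rendering of
zen_href_link(FILENAME_CONTACT_US)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CONTACT_PAGE = "main_page=contact_us"


class LinkCollector(HTMLParser):
    """Collect every <a href> and <form action> seen in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        elif tag == "form":
            # A form without an action posts back to the URL it was served from.
            self.actions.append(attrs.get("action") or "")


def audit_contact_page(page_url, html):
    """Return a sorted list of plain-HTTP URLs involved in the contact form:
    the page itself if it hosts the form over HTTP, any contact-us link, and
    the form's action.  An empty list is what the scanner wants to see."""
    parser = LinkCollector()
    parser.feed(html)
    findings = set()
    if parser.actions and urlparse(page_url).scheme != "https":
        findings.add(page_url)
    for raw in parser.hrefs + parser.actions:
        resolved = urljoin(page_url, raw)  # relative hrefs inherit the page scheme
        if CONTACT_PAGE in resolved and urlparse(resolved).scheme != "https":
            findings.add(resolved)
    return sorted(findings)


# Constructed HTML as the page renders before the two edits above ...
BEFORE = """
<a href="http://shop.example/index.php?main_page=contact_us">Contact Us</a>
<form name="contact_us" method="post"
      action="http://shop.example/index.php?main_page=contact_us&amp;action=send">
</form>
"""
# ... after both edits ...
AFTER = """
<a href="https://shop.example/index.php?main_page=contact_us">Contact Us</a>
<form name="contact_us" method="post"
      action="https://shop.example/index.php?main_page=contact_us&amp;action=send">
</form>
"""
# ... and with one sidebox link that a missed override file still emits as HTTP.
MISSED_LINK = AFTER + '<a href="http://shop.example/index.php?main_page=contact_us">Contact</a>\n'

if __name__ == "__main__":
    http_page = "http://shop.example/index.php?main_page=contact_us"
    https_page = "https://shop.example/index.php?main_page=contact_us"
    print(audit_contact_page(http_page, BEFORE))       # page, link and action all flagged
    print(audit_contact_page(https_page, AFTER))       # [] -> scan passes
    print(audit_contact_page(https_page, MISSED_LINK)) # the one link you forgot
```

Run it against the saved HTML of your own contact page (fetch it over HTTPS first) and anything it prints is a link the Developers Tool Kit search missed or a form action you have not yet switched to 'SSL'.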
That's all. Now you can rescan and have a beer, you earned it!
- Posted by Melanie
- 17 May 2010
- Zen Cart
This is a very serious issue that shop owners have little or no knowledge of or concern for. Imagine that many or all of your shoppers are not receiving that new customer coupon, their receipts or their shipment notifications.... Scary, huh?
Scary or not, it is very true, and many of you are affected already and don't even realize it. You see, your Zen Cart sends mail from the software itself. In many cases software-generated email is less deliverable to begin with... add some bad hosting and Zen Cart configurations... and boom, very low deliverability.
There are several tools to check your email protocol and server/DNS setup, and we will get to those in a minute. But for now, let's run a simple test against one of the hardest mail networks to deliver software-generated email to...
Go to Yahoo and create a brand new email account, using a non-domain-based email as the backup email address. Next go to your Zen Cart, create an account and order something using the new Yahoo email address. Now check your new mailbox to see if the account creation and order confirmation emails were delivered. Most of you will find Yahoo sent these directly to spam.
Why would they do that?
Some time ago, Yahoo, who is owned by SBC (AT&T), decided that they would do a "better job" of filtering email spam. In doing so they went over the edge and in a few days' time blocked about half of the email addresses on the planet. In order to be unblocked from Yahoo, SBC, AT&T and a few other small ones, you have to provide answers and requests on a laborious form. The level of the questions on this form is such that your hosting company would likely have to complete it for you.
Having screwed up so severely, they were then unable to keep up with the "unblocking" requests and mandated that every IP could only submit so many requests in a certain time frame. Crazy, huh?
Our hosting company did an awesome job of creating proxy IPs to get the submissions done for ourselves and hundreds of hosted clients.... But did you get unblocked and un-spammed?
Email tools provide some insight into the DNS and server configuration behind your domain-based email accounts. These tools report blocked/banned/blacklisted hosts and IP addresses.... as well as some metrics necessary in this day and age to ensure your emails are delivered.
Reverse DNS lookup
This method of blocking spam is very server intensive. The receiving email server performs a reverse DNS lookup on the IP address of the incoming mail connection and checks whether a valid domain name is associated with it. While most ISPs do not use this as the sole deciding factor, AOL and their subsidiaries will refuse your emails without it. Check your rDNS here.
SPF Record (Sender Policy Framework)
SPF is a method for preventing sender address forgery. Have you gotten those emails appearing to be from someone other than who they are really from? Spoofed. Your domain's SPF record can help to prevent this...
- Suppose a spammer forges domain.com and tries to spam you; the sender connects from somewhere other than domain.com.
- When the email is sent, you see MAIL FROM: <email@example.com>, but you do not have to take his word for it. You can ask domain.com if the connecting IP address is really from their network.
- In this example, domain.com publishes a valid SPF record. That DNS record tells the receiving mail server how to find out whether the sending machine/IP is allowed to send email for domain.com.
- If domain.com responds that they recognize the sending machine/IP, it passes, and you can assume the email sender is who they say they are. If the email message fails the SPF test, it is a forgery, and likely a spammer.
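The two checks described above (the reverse DNS lookup in the previous section and the SPF walk-through just given) are easier to reason about when you can see a receiving server run them. The following is an added example, not code from the original post or from Zen Cart: a forward-confirmed rDNS check and a small SPF evaluator, both answering DNS questions from a constructed in-memory zone for a fictional shop.example so that it runs offline. The evaluator covers the common mechanisms (all, ip4, a, mx, include) and skips modifiers such as redirect=; a real deployment would resolve through a DNS library instead of the ZONE dict.

```python
"""Added example, not from the original post: the two checks a receiving mail
server runs on an incoming connection, forward-confirmed reverse DNS and SPF.
DNS answers come from a constructed in-memory zone for a fictional domain so
this runs offline.  The SPF evaluator handles the common mechanisms (all, ip4,
a, mx, include) and skips modifiers such as redirect=."""
import ipaddress

# Constructed zone data: what the hosting company would publish for shop.example.
ZONE = {
    ("5.113.0.203.in-addr.arpa", "PTR"): ["mail.shop.example"],
    ("9.113.0.203.in-addr.arpa", "PTR"): ["mail.shop.example"],  # PTR whose host does not point back
    ("mail.shop.example", "A"): ["203.0.113.5"],
    ("shop.example", "MX"): ["mail.shop.example"],
    ("shop.example", "TXT"): ["v=spf1 mx ip4:198.51.100.0/24 include:_spf.mailer.example -all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed zone."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def fcrdns(ip):
    """Forward-confirmed rDNS: the IP's PTR name must itself have an A record
    containing the IP.  Returns the confirmed hostname, or None."""
    reverse_name = ipaddress.ip_address(ip).reverse_pointer
    for host in lookup(reverse_name, "PTR"):
        if ip in lookup(host, "A"):
            return host
    return None


def spf_check(domain, ip, depth=0):
    """Evaluate the domain's SPF record for the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 7208 caps nested include lookups
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"                    # the domain publishes no policy
    if len(records) > 1:
        return "permerror"               # two SPF records is a misconfiguration
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:
            continue                     # modifier (redirect=, exp=), not handled here
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = spf_check(arg, ip, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return RESULT[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.9", "198.51.100.7", "192.0.2.10", "10.20.30.40"):
        print(ip, "rDNS:", fcrdns(ip), "SPF:", spf_check("shop.example", ip))
```

The cases in the zone are the ones that matter in practice: the shop's own mail host passes both checks; the forged PTR at 203.0.113.9 fails forward confirmation even though a name comes back; the third-party mailer's range passes only because shop.example's record says include:_spf.mailer.example; and an unknown address hits -all and fails, which is exactly the "likely a spammer" outcome described above.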
For more information on SPF and how it works, visit the Sender Policy Framework site.
To check whether your domain has a proper SPF record, use this SPF record tool. If your domain-based email addresses do not, contact your hosting company and ask them to set it up. More and more receiving mail servers are checking for a valid SPF response, so this is crucial to your email deliverability.
Interestingly enough, some web hosts claim they do not have this ability, which is likely BS... But face it, this is your business, and if your web host cannot or will not set up a proper SPF record for their servers... then you are likely hosted with a bunch of spammers who can hurt your site's ability to rank and set off trust issues with McAfee and Norton in search results! Time to move to a proper web host.
DomainKeys, DomainKeys Identified Mail (DKIM)
These are also used to fight forged emails. The protocol uses cryptographic signatures to verify that an email really comes from the domain it appears to come from. If a message has been verified through DomainKeys/DKIM (developed by Yahoo), many email programs and web mail services will display an icon or message verifying the sender to your email recipients. DomainKeys will likely need to be set up by your web host, but many hosting control panels, including cPanel, have this ability at your fingertips... Click, click, done. Then check it (be sure to follow the instructions).
Sometimes you can be blacklisted (labeled as a spammer) when you did nothing wrong! What if, for example, your web host re-uses an IP that was previously blocked for spam and never resolved.... Well, now you are blacklisted too! Use this tool to check your MX record and blacklist status. If you find you are blocked on any, your hosting company should handle this for you, but if they won't you can try to contact the list operator directly.
There are some things you can easily do to help ensure the deliverability of your Zen Cart's emails.
- Check and ensure a proper SPF record, DomainKeys and rDNS are set up on your server
- In your Zen Cart admin under Configuration >> Email Options, check and set the following:
  - Email Address (sent FROM) is set to a valid email address, preferably @yourdomain.com
  - Emails must send from known domain? is set to "Yes"
  - Email Admin Format? Set to TEXT, as it has the highest deliverability rate
  - Allow Guest To Tell A Friend set to false, so that spammers cannot route email through your website
  - Display "Newsletter Unsubscribe" Link? Set to True
- Use a proper service to send email marketing and newsletters
- Leave your CAN-SPAM policy and remove/unsubscribe instructions in your cart's emails
- Handle remove or unsubscribe requests immediately
- DO NOT pre-check the newsletter box on your create account form. Many will not notice, and will later mark your emails as spam or report them. (Configuration >> Customer Details >> Show Newsletter Checkbox) set to 0 or 1, so the box is never pre-checked
- Set the default email format to text (Configuration >> Customer Details >> Customer Default Email Preference) set to 0, text
Face it, the deliverability of your Zen Cart's emails is crucial to your business and is not something to be taken lightly.