ColdFusion 8 Per App Settings - Mappings

According to the documentation for this feature, Per App mappings allow you to dynamically set "logical aliases for paths to directories on your server." This sounds great, but the code example in the documentation is wrong, and this leads to a lot of frustration.

The first problem is that the docs show how to set a mapping for an application but not how to use it. We could experiment a bit and eventually find out the exact syntax needed except for the second problem - the example code given to set the mapping is wrong.

The documentation says to use the following to set a mapping of "MyMap" pointing to the location "c:\inetpub\myStuff".

<cfset this.mappings["MyMap"]="c:\inetpub\myStuff">

If we place a file called test.cfm into the "c:\inetpub\myStuff" directory we should be able to include it using standard cfinclude syntax. The problem is, no matter how we try, we can not get this to work.

<cfinclude template="MyMap/test.cfm">
<cfinclude template="/MyMap/test.cfm">
<cfinclude template="#MyMap#/test.cfm">
<cfinclude template="/#MyMap#/test.cfm">
<cfinclude template="this.mappings.MyMap/test.cfm">
<cfinclude template="/this.mappings.MyMap/test.cfm">
<cfinclude template="#this.mappings.MyMap#/test.cfm">
<cfinclude template="/#this.mappings.MyMap#/test.cfm">
<cfinclude template="this.mappings['MyMap']/test.cfm">
<cfinclude template="/this.mappings['MyMap']/test.cfm">
<cfinclude template="#this.mappings['MyMap']#/test.cfm">
<cfinclude template="/#this.mappings['MyMap']#/test.cfm">

Every one of the attempts above results in an error. This leads to a ton of frustration and a search across the net for working examples. The problem with that is that there are no clear cut examples showing how to make this work.

The solution lay partially in a blog post by Sean Corfield (Scazu Powered By ColdFusion 8) where he shows how he created a number of dynamic mappings for his application. In his example code he added a forward slash before the name of the mapping, something not mentioned in the ColdFusion documentation. This is the key. This single character makes the difference between frustrating failure and a successful feature. Adding the slash we get a setting of:

<cfset this.mappings["/MyMap"]="c:\inetpub\myStuff">

and a usage of

<cfinclude template="/MyMap/test.cfm">

Frustration solved.

So to recap, ColdFusion 8 allows an application to have dynamic mappings. These are defined in the application.cfc using a syntax of this.mappings["/MyMap"] where MyMap is the mapping name. Once set, the dynamic mapping is used like any other mapping with a syntax of "/MyMap/...".

One fast note - We can use any name we want for a dynamic mapping even if the name is in use by a mapping set in the administrator. The only restriction is that if we try to set a dynamic mapping with "/", an error will be thrown. We always have to have some text after the forward slash.

Flex Authority is not in the building

We're coming out with a Flex magazine along the same lines as the Fusion Authority Quarterly Update. One of the first steps in publishing a magazine is coming up with a good name. Flex Authority is a great name. Problem is, it's being squatted on and the squatters (a European company being represented by moniker.com) won't even talk to us unless we offer at least $5,000.

On one hand I'm rather pissed as they're just sitting on the domain with the idea that it'll be worth something and they can sell it. On the other hand, it's much like buying a piece of land to resell later for a profit. The problem is, while waiting to resell, that land is barren and not only looks bad but brings the value of the community down. The same applies here.

Flex Authority was once an Adobe Flex site. It gave value to the community. Now it's a vacant lot gathering weeds and makes the entire community look bad. Unfortunately, spending 5k for a domain name has no return for anyone in the community at the moment and the domain is just going to waste. I'd buy or trade for it but the squatters aren't interested in anything but cash. I've offered 2k, free advertising in the Flex magazine, a trade for www.satanstool.com and the result was silence.

If I knew that the name Flex Authority would add to the success of the Flex magazine then I'd think seriously about buying it but publishing is like buying grenades in an alley. You never know if you got a good one till you try it. :)

And I really don't want to encourage squatters by giving them any money. Schmucks

Confirming your address for spam

I just posted an idea up to the iMS list and got back an email from a list member asking me to confirm that I'm a human making a post. I rarely respond to these requests but on a whim I decided to check the domain that was making the request. The result was a failure. No website for the domain the mail was supposed to go to. This got me thinking.

A spammer values confirmed email addresses over all others. In the past, this confirmation came from people trying to unsubscribe from a spammer's list. This was quickly seen as a verification ploy and few do this anymore. So how would a spammer go about getting verifications for emails? Easy.

They subscribe to every mailing list they can and then set up a 'confirm' script to capture any list posts. Anyone who posts to the list will get a confirm message and most people just click the confirm without thought. The result is a list of confirmed email addresses that can then be used or sold.

The more I think about this and the more I write, the more I realize that this is a very powerful technique that can easily be automated. Just find a site that tracks mailing lists and set a bot to subscribe to all of the high traffic ones. A bot monitoring Yahoo and Google groups will do the job. I'd say the code to do this from start to finish should take someone less than a day using CF.

Scary

Anti-bot spam with simplicity

Spam-bots are getting smarter. I've seen bots that fill out forms with close to perfect information. I've seen bots that copy blog comments and then add in their spam. I've seen bots that adapt to their situations. What I have not seen are bots that can look at a form like a human does.

Let me give you a situation. House of Fusion has a sign-up form that not only allows for the standard contact information but also allows for multiple alternate email addresses. I've been seeing some spam coming through that has multiple emails of the same value. This reminded me of something very simple about forms - multiple form fields with the same name become a comma delimited list on submit.

This means that two input boxes named email that are both filled with "spam@spam.com" will result in a variable of form.email with a value of "spam@spam.com,spam@spam.com". This is wonderful!

All we have to do to block some of these new 'thinking' bots is have a form with two input fields called email. The display for the first will be email while the display for the second will be alternate email.

On the action page we just have to check whether form.email has 2 items and, if they are the same, block the post as spam.

<cfif listLen(form.email) EQ 2 AND listFirst(form.email) IS listLast(form.email)>
    <!--- spam handling code here --->
</cfif>

This works great but there are always alternates. While I was giving this to Clark Valberg for use on the Developers Circuit contact form, he modified the idea, which led to another modification. The first is to take the second email input and label it as something other than email. Zip code is a perfect example as it is something not always required. To a human it looks like a standard form with zip and email, but to a bot there's no zip but 2 emails. The second modification is to exchange form fields. Have the email form field labeled zip and the zip labeled email. A human will read the label and enter what is expected (zip in email field, email in zip field) while a bot will enter the wrong values.

These are simple checks that can defeat many of the spam-bots out there today and they all depend on the difference between how a human and a bot sees a page - something that will always be in our favor.
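Both of the modifications described above can be checked on the action page with one helper. This is an added example, not code from House of Fusion or the Developers Circuit form; the function name isBotPost, the second field name "zip" and the sample submissions are assumptions.

```cfml
<!--- Added example. isBotPost and the field name "zip" are hypothetical. --->
<cffunction name="isBotPost" returntype="boolean" output="false">
    <cfargument name="fields" type="struct" required="true">
    <cfargument name="swapped" type="boolean" default="false">
    <cfset var email = "">
    <cfset var second = "">

    <cfif NOT structKeyExists(arguments.fields, "email")>
        <!--- The real form always submits this field. --->
        <cfreturn true>
    </cfif>
    <cfset email = trim(arguments.fields.email)>

    <cfif arguments.swapped>
        <!--- Swapped labels: the input named "email" is labelled as the zip
              code, so a human never types an address into it. --->
        <cfreturn isValid("email", email)>
    </cfif>

    <!--- Two inputs named "email", the second labelled as the zip code.
          They arrive as one comma-delimited list; a blank second input
          adds no list element. --->
    <cfif listLen(email) GT 2>
        <!--- More values than the form has inputs. --->
        <cfreturn true>
    </cfif>
    <cfif listLen(email) EQ 2>
        <cfset second = trim(listLast(email))>
        <!--- Spam if both values match or the "zip" holds an address. --->
        <cfreturn second IS trim(listFirst(email)) OR isValid("email", second)>
    </cfif>
    <cfreturn false>
</cffunction>

<!--- Constructed sample submissions. --->
<cfset human = structNew()>
<cfset human.email = "pat@example.com,10001">
<cfset bot = structNew()>
<cfset bot.email = "spam@spam.com,spam@spam.com">
<cfset swappedBot = structNew()>
<cfset swappedBot.email = "spam@spam.com">
<cfset swappedBot.zip = "10001">

<cfoutput>
human: #isBotPost(human)#<br>
bot: #isBotPost(bot)#<br>
swapped bot: #isBotPost(swappedBot, true)#
</cfoutput>
```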

Modding BlogCFC: Moderated if url is present - Admin Update

There are two more minor tweaks to this anti-spam approach that need to be implemented. The first is to go back into the blog.cfc and comment out lines 1489 and 1491. This CFIF limits the recent comments to ones that have moderated set to true (which should be the default). Without the CFIF removed, spam comments that have to be moderated will still show up in the recent comments section.

The second minor edit is to the adminlayout, commenting out lines 47 and 49. Now the admin can control the moderated comments.

The more I fix this technique the more I see I have to do it right. One thing that I really have to look at is those CFIFs that 'comment out' the moderated db value in queries. Every comment has a moderated value whether moderation is turned on or not. The only reason I can find for these CFIFs is to remove one of the sql criteria and possibly speeding up the query by some fraction of a millisecond. Unless there's something I'm missing....

Modding BlogCFC: Moderated if url is present - Update

There is one other step needed to make this work if you're using the hack. There is a CFIF statement in blog.cfc that checks if moderation is turned on or not before displaying a comment. It does not matter if a specific comment is moderated or not; if moderation is not turned on, then the code I mentioned in the last post will just not work. The comment will be saved in the DB as being moderated, but it will still show on the site.

If you're using the hack, all you have to do is remove the CFIF tag on lines 1074, 1357, and 1489. Leave the content of the CFIF alone, just remove the tags. Once this is done, moderation will be performed on a per comment basis. If a comment is set to be moderated, it will not be shown. If a comment is posted with a URL, it will automatically be moderated. Otherwise, comments will be posted as unmoderated and shown. Basically a "mixed moderation mode".

When the code is done for real, these lines should be modified to check if either moderation is on OR if moderationforurlposts is on (or whatever you call the variable).

Modding BlogCFC: Moderated if url is present

I've been getting some human posted spam to my blog and I want it to stop. The problem is, to stop a human you have to either moderate all posts, force a sign in to post or search the comment for one of a million odd keywords. None of those solutions appeal to me. Time to come up with something new.

Looking at the problem I see that almost all human posted spam involves a link to some outside resource. Ah, a pattern I can work with. If I can set moderation on for any comment that has a link, it would help block most human posted spam, at least in theory.

I can do this right or I can do it as a fast hack. As I don't have the time to do it right at the moment, I'm going to write a single regular expression and add it to the blog.cfc. I'll write myself a note to remember to go back and fix it correctly later.

The solution I came up with is to go to line 236 in the blog.cfc component and add in this line to the cfif statement:

or refindnocase('https?://', arguments.comments)

This will force moderation on for any comment with a link in it. Great for stopping most form spam, great for letting most comments through, terrible for letting real comments with links through.

To do this properly I'd have to set a new variable in the blog.ini file to specify if I want to moderate based on urls. Then modify the initialization code for blogcfc to grab that variable along with all of the others. Once that's done, line 236 would be modified to look at the new variable to see if moderation should be on for the post. Rather straightforward.
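A sketch of that per-comment decision as a standalone function, added here as an example and not taken from BlogCFC: the name needsModeration and both flag arguments are hypothetical stand-ins for whatever the blog.ini settings end up being called. It goes one step beyond the regular expression above by also flagging bare "www." hosts, which the https?:// pattern alone lets through.

```cfml
<!--- Added example. needsModeration and its two flags are hypothetical
      names, not BlogCFC's own settings. --->
<cffunction name="needsModeration" returntype="boolean" output="false">
    <cfargument name="comment" type="string" required="true">
    <cfargument name="moderateAll" type="boolean" required="true">
    <cfargument name="moderateUrlPosts" type="boolean" required="true">
    <!--- The post's pattern, plus bare www.host.tld written without a scheme. --->
    <cfset var linkPattern = "https?://|(^|[^a-z0-9])www\.[a-z0-9-]+\.[a-z]">

    <cfif arguments.moderateAll>
        <!--- Site-wide moderation wins regardless of content. --->
        <cfreturn true>
    </cfif>
    <cfif NOT arguments.moderateUrlPosts>
        <cfreturn false>
    </cfif>
    <!--- Mixed mode: hold back only the comments that carry a link. --->
    <cfreturn reFindNoCase(linkPattern, arguments.comment) GT 0>
</cffunction>

<!--- Constructed sample comments. --->
<cfset samples = arrayNew(1)>
<cfset arrayAppend(samples, "Great post, thanks!")>
<cfset arrayAppend(samples, "Cheap pills at http://spam.example/buy")>
<cfset arrayAppend(samples, "Visit www.spam.example today")>

<cfoutput>
<cfloop from="1" to="#arrayLen(samples)#" index="i">
#htmlEditFormat(samples[i])#: #needsModeration(samples[i], false, true)#<br>
</cfloop>
</cfoutput>
```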

One thing I noticed when writing this post is that I never posted my article on my technique to block all bot spam. I know I posted it somewhere, but I guess I never posted it here. I'll add a reminder to myself to do that as well. Oh, for a 48 hour day. :)

How to lie: A case study

Lying is easy. Lying is fun. Lying is profitable. Lying is the way of life for those who want to hide the truth. The question is, how do you lie effectively? Let's look at an example of the best techniques in action. The company using these techniques at the moment does not have to be named.

The first thing you do when lying is to tell the truth -- not the whole truth, but just enough to make the lie itself seem true - a half or quarter truth. Truth: "I hate the auto-movie ads on the site as they blow my ears off or disturb everyone around me. The intrusive pop-ups are also a problem" Lie: "Michael Dinowitz doesn't want any ads on the site"

The second thing is to quote a person. Using some abstract entity in a lie is too impersonal. You need to give the lie a human face, make it feel like it's "one of us". Adobe is a massive company and is just too big and abstract for anyone to take personally. On the other hand, Michael Dinowitz and Sean Corfield are both people who can be identified with.

This brings us to the third point of a lie: Use named, recognizable people. You can use anyone you want in a lie to help make the lie more believable but if you use people whose names are well known in a community, then your lie becomes more personal and therefore, more believable. If you combine this with a half-truth (see point one) that might be heard from these people, then all the better. You don't even have to have the half-truth come from both as long as you group the people together. This makes the lie seem even more real as "they are both saying it," even though neither did.

Finally, take a disparaging quote against the named people from someone else and don't allow the quote to be challenged. This is the most powerful technique, especially if you can make the person quoted seem like an expert. He doesn't have to be, as most people don't bother to investigate who said what.

Oh, I almost forgot an important technique. Make your lie fit into a lie told by someone else. This falls under the theory that if something is said often enough, it is seen as true, whether it is or not. "ColdFusion is dying" is a lie told often enough to have gained a life of its own despite every fact that refutes the lie.

So there you have it. The techniques used to smear people and deflect blame. The techniques that should never be used against people who LOVE to expose lies for what they are. The techniques that fail when used against a thriving, intelligent community such as ours.

When will the company in question learn that simple fact?

Please buy Sys-Con a clue

Do you know the definition of Chutzpah? It's taking a magazine, destroying its content and quality, canceling it without warning and then saying that it's someone else's fault. Sys-Con is like an alcoholic who just can't admit they have a problem. Their latest insult to our intelligence is to try and salve our wounds by offering us a free subscription to one of their front-end technology magazines in place of their now canceled back-end technology magazine. All 17,600 subscribers to ColdFusion Developers Journal (probably 7,600 paid subscribers and 10,000 free ones) are going to get a year's subscription to either Flex Developer's Journal or Silverlight Developer's Journal.

But wait, this is not a year's subscription to a print magazine. No, that would be something akin to admitting that they've done wrong. What they're offering is a year's digital subscription to their magazine. That's right, you get the front-end technology magazine of your choice in digital format in place of the back-end technology magazine that you expected. And because Flex, Silverlight and ColdFusion are all so similar in Sys-Con's minds, they can repeat the canard that ColdFusion is dying. Of course, this is not true despite their best efforts.

Do they have any clue what these technologies are? Let me try to explain it to them in simple terms:

  1. Ug want to make computer do work
  2. Ug write back-end program to do work
  3. Ug need to make program look nice for big boss who give Ug pretty stones
  4. Ug uses pretty front-end technology to talk to back-end technology
  5. Front-end technology look nice to boss
  6. Boss not know what Ug do on back end. Boss see pretty pictures
  7. Ug know difference between front-end and back-end
  8. Ug laughs his caveman ass off for knowing what big publishing company not know
  9. Big publishing company send Ug magazines Ug not want
  10. Ug have supply of toilet paper

I really hope that helps Sys-Con understand the difference. Oh, and thank you for giving us all the new subscribers. We really appreciate it.

SYS-CON to Offer Free (digital) Subscriptions to ColdFusion Developer's Journal Readers

Fusion Authority Quarterly Update - The only ColdFusion journal in print

Good, Damn Good, and Time Travel

I was just looking over my post about CFDJ's shafting of the ColdFusion community when I noticed the date. Their press release about it is dated "Sep. 9, 2007 05:30 PM". My blog post (which broke the news) is dated "September 8, 2007 11:52 PM". I'm going to chalk the difference up to them not even being able to get the time right. :)


BlogCFC was created by Raymond Camden. This blog is running version 5.9.