PayPal fraud, part two

I mentioned last week that I received a strange payment via PayPal that appeared to be fraudulent. I rejected the payment, and then the buyer decided to send me $1.20 instead of $0.20. I accepted that payment just to see what would happen.

Sure enough, it was fraud. I got email from PayPal today confirming my suspicion.

Dear Michael Radwin,

It has come to our attention that you may be the recipient of potentially fraudulent funds. We have initiated an investigation into this event. In the meantime, we have placed a pending reversal on the funds in question until the investigation is complete. This pending reversal will show as a deduction in your available balance. In the meantime, you are free to continue transacting using your PayPal account.

Transaction Date: Mar. 8, 2004 21:03:59 PST

Transaction Amount: $1.20 USD

In the past couple of weeks I’ve received several of these transactions (more recently they seem to be sending $1.00 instead of $0.20), and many have the distinguishing feature that the person sending the money’s name is spelled out in CAPITAL LETTERS only.





Moreover, all of them have email addresses. If you’re going to try to commit fraud, you’ve gotta do a better job of looking like a legit user.

Advanced PHP Programming

I just got a copy of Advanced PHP Programming by George Schlossnagle. It’s the first good book published for PHP5, and an excellent read even for folks who are still using PHP4.

The book isn’t just about PHP. It covers many aspects of the development process used to produce a robust, fast, maintainable website. George covers a range of topics you won’t frequently find in a typical PHP book. For example, in Chapter 7 he spends a couple of pages discussing the different techniques for distributing files from your development environment into your production environment. He spends a large portion of the book discussing regression and unit testing, load testing and profiling/benchmarking. This isn’t an ordinary PHP book.

The last hundred pages of the book are for really advanced users. George covers the PHP extension APIs in more detail than the online documentation at You’ve gotta be a C/C++ hacker to appreciate this stuff.

My only possible complaint about the book is that it’s a little OO-centric. Most of the examples George presents use classes to provide some organization of data and grouping of functionality. His use of OO is a lot more palatable to me than the huge object hierarchies you find in some projects. I’ve never understood why people want something like log4php which adds 10k LOC to your application and adds little value over the built-in syslog().

$0.20 PayPal fraud?

Recently I’ve been receiving a number of $0.20 PayPal donations via the Jewish calendar website that I maintain. I think this has got to be part of some sort of fraud.

Since PayPal charges up to $0.30 in fees, these donations don’t make me any money. Luckily, I’m not losing 10 cents apiece (PayPal is generous enough to charge only a 20 cent fee on these transactions), but it’s essentially a waste of my time if the donation is less than $1. I’ve been processing refunds manually, but I’m wondering if I need to go thru the effort to set up IPN and automatically reject them.

HTTP Caching and Cache-busting

I have been invited to speak about HTTP caching and cache-busting at the O’Reilly Open Source Convention in July 2004.

Abstract of my talk:

A user’s web experience can often be improved by the proper use of HTTP caches. This talk discusses when to use and when to avoid caching, how to employ cache-busting techniques most effectively, and how to diagnose problems with caches.

In particular, this talk will cover:

  1. Overview of HTTP caches
    • Shared caches vs. private caches
    • Proxy caches and HTTP server accelerators
  2. How to encourage caching for static content
    • Reduction of network bandwidth usage
    • Improved browsing and page-rendering speed by avoiding network round-trips
  3. How to discourage caching for personalized or frequently-changing content
  4. How to disable caching for sensitive content
    • Cache-busting for accurate hit-metering and advertising statistics
    • Cache-busting for sensitive information (e.g. personal financial data)
  5. “Expires” vs. “Cache-Control” and other HTTP headers
  6. The best of all worlds: unique URL tagging techniques that defeat proxy caches but work gracefully with browser caches
  7. Sending HTTP headers
    • Apache’s mod_headers and mod_expires modules
    • PHP’s header() and mod_perl’s $r->header_out() functions
    • Using HTML <meta> tags
  8. Debugging HTTP caching problems
    • Using the Web Developer and Live HTTP Headers extensions for Mozilla
    • Diagnosing MSIE with Ethereal
    • Text-based debugging
    • Rolling your own HTTP proxy

Hope to see you there.