Several people have contacted me or commented on this blog about a problem with the ViralListMachine confirmation link: when clicked (e.g. through AWeber), it showed a “403 Forbidden” message. This did not happen when the URL was called without all of the parameters passed by the autoresponder.
The reason for this is not the VLM but Apache’s mod_security on your HostGator account.
According to this HostGator forum post, HostGator support can help you with this so that your VLM installation will work.
That should solve the problem.


Are we going to have to call support every time we install a new instance of VLM or should we start using a different host company?
My people were getting the same error and I thought it was just their cookies. Fixed it with Host Gator.
I found out that you need to call them each time you install VLM on a new domain and tell them “Rule #1234234 is hitting my domain name ________.com and I need you to whitelist it.”
@Steve: I’m really sorry that there is no way for me to prevent this error from happening because it’s actually HostGator who have configured the Apache module that way. As the error occurs before the PHP code is executed – obviously it’s a filter on the parameters in the URL as passed by AWeber – there is no way to prevent it in the VLM.
Maybe I should make a list of web hosting companies where the VLM can be installed hassle-free.
It has nothing to do with Hostgator Sascha… Aweber is passing too many variables back to the confirmation page… Is there a way to add all of the extra variables aweber passes back to the software to see and accept… Here is what aweber passes back.. http://www.vicsmillionaires.com/challenge/confirmed.php?email=selffmade%40yahoo.com&from=selffmade%40yahoo.com&meta_adtracking=473374463&meta_message=1&name=&unit=vicsweekly&add_url=http%3A%2F%2Fwww.vicsmillionaires.com%2Fchallenge%2F&add_notes=123.31.160.28
If you take out everything except for the email to pass back to the software… it accepts it…
Example: When I put this in the browser it successfully confirms and everything is fine…
http://www.vicsmillionaires.com/challenge/confirmed.php?email=selffmade%40yahoo.com
Thanks for the software Sascha. I have clients in Germany. Any help you can provide on showing me how to add the variable in the software? Is this where I possibly can add the extra variables and if so, I’m not sure what to write..
a:2:{s:8:"listname";s:10:"vicsweekly";s:15:"meta_adtracking";s:9:"473374463";}
This is the data for the aweber plugin.. Can you tell me what to add to get those extra variables aweber is sending.. I’m sure it would take a miracle for me to get aweber to change that for me..
Nevermind about the aweber plugin data.. that is the data to talk to aweber… What php code can I add to confirmed.php to allow the extra variables that aweber is sending? Sorry about the confusion in last email.. I think this is what we are looking for now… thanks…
Here is an easier look at the variables it is trying to send…
email=
&from=
&meta_adtracking=
&meta_message=1
&name=
&unit=
&add_url=
&add_notes=123.31.160.28
@Vic: Thanks for providing feedback. You are right in saying that it has nothing to do with HostGator directly. It is caused by a mod_security rule that aims to protect the server from malicious attacks. However in this case it is a false positive causing this error. mod_security is not a standard Apache module and HostGator is responsible for using and configuring it. It is correct that by taking parameters out of the URL that it will work. But this doesn’t mean that the error is found in the VLM or AWeber – it is just a false positive. Software is not intelligent enough to distinguish with 100% accuracy between good and bad requests.
To explain this in a metaphorical way: by looking at you and your clothes (parameters) from the outside mod_security thinks you’re a terrorist (hacker) so your solution would be to walk around almost naked (strip the parameters from the URL) so that mod_security can see you have nothing to hide. The right way would be to check the rules – maybe wearing specific clothes does not mean someone like that is a terrorist, right?
From the technical standpoint I don’t think it’s possible (read: I don’t think someone will be able to get them to implement something specific for this purpose) to get AWeber to pass only the email parameter – and I personally don’t see a reason for doing that. AWeber posts all parameters back to the URL – if you leave out the listname etc. AWeber will show an error.
Anyway, checking GET parameters in the URL with AWeber only makes sense if the underlying application that receives the parameters contains security problems. It doesn’t really help solve any problem.
Here is another link regarding HostGator: http://forums.hostgator.com/mod-security-and-403-errors-t71394.html
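Added example (not part of the original post or its comments, and not HostGator's or VLM's code): when the Apache error log is available, a short script can pull the rule id, host, URI and matched variable out of ModSecurity "Access denied" entries, which is the information support needs to whitelist one rule rather than switch mod_security off. The log lines are constructed in the ModSecurity 2.x error-log layout; the rule id is the placeholder number quoted in the comments, and the file path, host name and matched parameter are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# Rule id 1234234 is the placeholder number from the comment above; the host,
# file path and matched parameter are invented for illustration.
SAMPLE_LOG = """\
[Tue Mar 09 10:15:02 2010] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:add_url. [file "/etc/modsec/rules.conf"] [line "87"] [id "1234234"] [msg "constructed rule message"] [hostname "www.example.com"] [uri "/challenge/confirmed.php"] [unique_id "AAAA"]
[Tue Mar 09 10:15:40 2010] [error] [client 203.0.113.7] File does not exist: /home/user/public_html/favicon.ico
[Tue Mar 09 10:17:11 2010] [error] [client 198.51.100.23] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:add_url. [file "/etc/modsec/rules.conf"] [line "87"] [id "1234234"] [msg "constructed rule message"] [hostname "www.example.com"] [uri "/challenge/confirmed.php"] [unique_id "BBBB"]
[Tue Mar 09 10:20:00 2010] [error] [client 198.51.100.23] ModSecurity: Warning. Match of "constructed" against "REQUEST_HEADERS:Accept" required. [file "/etc/modsec/rules.conf"] [line "12"] [id "9999999"] [msg "constructed warning"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "CCCC"]
"""

DENIED = re.compile(r"ModSecurity: Access denied with code (\d{3})")
TARGET = re.compile(r" at ([A-Z_]+(?::[^\s.\]]+)?)\.")
TAG = re.compile(r'\[(id|msg|hostname|uri) "((?:[^"\\]|\\.)*)"\]')


def parse_denials(log_text):
    """Yield one dict per blocked request; non-blocking lines are skipped."""
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue  # warnings and unrelated Apache errors are not blocks
        event = {"status": int(denied.group(1)), "target": None}
        target = TARGET.search(line)
        if target:
            event["target"] = target.group(1)  # e.g. ARGS:<parameter name>
        event.update(TAG.findall(line))  # adds id, msg, hostname, uri
        yield event


def summarize(log_text, status=403):
    """Count blocks per (hostname, uri, rule id, matched variable)."""
    counts = Counter()
    for ev in parse_denials(log_text):
        if ev["status"] == status:
            counts[(ev.get("hostname"), ev.get("uri"), ev.get("id"), ev["target"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (host, uri, rule_id, target), n in summarize(SAMPLE_LOG):
        print(f"{n}x rule {rule_id} on {host}{uri}, matched at {target}")
```

The summary names the rule and the request variable it matched, so an exclusion can be limited to that rule on that path while the rest of the rule set stays active.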
Thanks Sascha… Hostgator said it didn’t see any mod security problem. I called them. Not sure if this gives you any more puzzle pieces or are we just out of luck on this one?
I left everything in the url except for where it starts the &add… Not sure if the add parameter is doing it or if it really is just the mod security like you say… I have an autoresponder on my server, so I may just do as you do and just extract the emails from MySql… and say the heck with aweber. I hear they are closing accounts anyway for using scripts, because they have no IP Audit Trail…
@Vic: I’ve just sent you an email. You can believe me – or not
I’ve been creating websites since 1996 – that’s what I’ve been doing every day for the last 14 years (vacations not included).
And I even compile Apache on my own web servers. I know what I’m talking about. Disabling mod_security completely will fix the problem with a 100% guarantee.
Thanks Sascha. I guess I didn’t get the hostgator techie that Steve got… I guess I will have to drive to Hostgator and get past their cheerleaders and go in there and figure out how to disable my mod security on my site…lol
Thanks. I will be calling them up today to probably get another $4 per hour guy that will tell me I have no mod security problems again.. Thanks for your help though. Once I finally get everything to work, I am planning on giving you a nice donation as long as Aweber doesn’t suspend my account for not having IP Audit Trails… Hopefully your software does that. We’ll see I guess.
Thank you very much for your help. I am going to sleep now.
I got the right person on the phone today Sascha at hostgator. Thanks.. She whitelisted the rule and voila… Now I have to figure out if Aweber is going to spank me about that IP Audit Trail that you won’t talk about so far…lol cya
@Vic: Great that you were able to solve the problem. If you can give me more information about the IP Audit Trail I might be able to help.
Here you go Sascha.. From Aweber:
Submitting subscribers to AWeber via a server-side script (PHP, ASP, ColdFusion, etc.) is not permitted.
This also applies to any membership software or server-side shopping cart software that you may have installed on your site.
Why Not?
Whenever a subscriber adds to your list, we need to establish an electronic Audit Trail for that subscriber.
The audit trail is necessary to prove to ISPs that the subscriber did come to you and request your information. It helps us to ensure the best possible deliverability for your — and all of our customers’ — messages.
When a third-party script attempts to add subscribers (by forwarding generated information), we are unable to establish that audit trail, because we are not collecting subscriber information firsthand.
Because of that, accepting subscribers from a third-party form or script would pose a risk to our ability to get your — and all customers’ — messages delivered.
If we couldn’t get messages delivered, we couldn’t stay in business. We like staying in business. So, we don’t allow subscribers to be posted to AWeber from third-party forms or server-side scripts.
What Can I Do Instead?
When subscribers fill out the AWeber web form, you can have it pass the information that they enter in it to your Thank-You page.
In addition to being a great way to personalize your Thank-You page, this offers you the opportunity to capture that information in your own local database, or do whatever else you need with it at that time.
I haven’t tested it yet Sascha at one of my friends’ houses, but I am going to go over there and see if the script sends aweber their IP which I think is all they want, or will it send them my IP that your software is on?
Here is the link Sascha where all this started in my head… This guy said his account was shutdown and tells his readers why–> http://www.guidonussbaum.com/index.php/aweber-account-suspended-is-yours-at-risk/
@Vic: There are no problems at all with the IP Audit Trail. Now I understand what you’re talking about. The ViralListMachine does not submit the AWeber form internally so AWeber wouldn’t see the client’s IP. The ViralListMachine catches the user’s form submission, sends the form data to the VLM server and creates the user, then submits the form again on the client side via JavaScript having the user pass all the data directly to AWeber. So it’s just as if the user would submit the AWeber form himself.
You can check this with your own installation by looking at the source code of your VLM Home page and looking for the form with the id “signupForm”. You can see that the form action is set to aweber.com. You can also use the Firefox addon “Live HTTP Headers” found on http://livehttpheaders.mozdev.org/ to check this.
Well Sascha, I do believe that you are a pure genius. I wonder why all of those other smart programmers in those membership programs don’t know how to do that? Seems simple enough to me the way you explained it… I believe you have a million dollar piece of software on your hand here that you gave away for free.
Were you able to monetize your lists you have built so far from the graphics packages? …or would you like my help on monetizing this? … or is it just basically free and you are hoping to get the upgrade money?
I’m not really sure why someone would want an upgrade. It does everything we need it to do right now. Genius piece of software. I was running GKLM, but when I found out that it was supposedly ripped off, I put an end to that, before any involvement with me might have transpired. I’m not sure if there is any validity to that, but I wasn’t going to take a chance and that’s when I came across your software in the warrior forum…
I’m off to bed. Will be traveling in the morning. The Fish are calling me.. lol
Thanks Sascha… You can email me with your response if you want.. goodnite
How much do I owe you?
When is VLM Pro going to happen?
Hey,
I’ve installed the VLM but when I click on the ‘autoresponders’ tab I just get a blank page.
All the other tabs work fine though.