I would like to offer some ASP.Net and PHP software, as an Application
Service Provider. The software that I supply should be installed
automatically with each new account set-up, so in fact there will be
very little of the hosting aspect visible. Just a "Pay and Go"
operation, in other words.

I require:

- each client site to have a unique IP address
- the software to be installed automatically with each new account
- technical (hardware) support to be provided directly by the
  underlying hosting company.

FYI, I understand that a web site may be 'blacklisted' by a search
engine, and that other sites sharing the same IP address may also be
affected. Hence the requirement for separate IP addresses. I have no
intention of offering dubious sites, but as a potential ASP I have to
consider such things.

I have yet to develop the software, but I need to establish that such
hosting is possible. I have made several enquiries in vain so far.

Does any hosting company provide such a service? If so, please supply details.

---

Request for Question Clarification by hedgie-ga on 08 Apr 2003 02:45 PDT

Hi Rp

  Interesting project and questions. 

 Please clarify this for us: 

1) about clients:

Client is a person (or company) which wants to pay for use of a 
particular software?  (end-user client)
 This model is often used in technical fields, e.g. Finite Element
Analysis.

Or 

Client is software developer who will use your service to offer use of
their
software via your site? (software-owner-client).

2) About IPs:

Many private people, but some companies as well,
 use dynamic IPs. Do you want to exclude them?
Their number is likely to grow.

The blacklisting itself is a complex issue, some, like BlackHole 
works on e-mail (to suppress spam), some have to do with search
engines rank.
Those issues will not necessarily affect your service.

Do You want information on these issues as well?

3) Can you desribe the target audience (technical e.g. MEs,
   consumers  (taxes, WP ..),
    graphic artists, photo-processing ..
  (all of the above)??

hedgie

hedgie

---

Request for Question Clarification by mosquitohawk-ga on 09 Apr 2003 10:28 PDT

You may find a quick answer to your question by visiting
http://www.webhostingtalk.com/

Best regards.

---

Request for Question Clarification by kyrie26-ga on 14 Apr 2003 16:24 PDT

Hi rprosser-ga,

Some questions for you... 

1. Is it acceptable for your customers to use the software online with
no software installation required, assuming they can log in securely
to their online accounts?

2. Other than to prevent being "blacklisted", is there any other
reason you require separate client IP addresses?


Thanks,

kyrie26-ga

---

Request for Question Clarification by kyrie26-ga on 14 Apr 2003 16:25 PDT

Hi again rprosser-ga,

Another question - what is your budget for getting everything set up
and operational? Operational meaning new users can sign up for new
accounts and everything will be automated and working correctly.


Thanks,

kyrie26-ga

---

Clarification of Question by rprosser-ga on 21 Apr 2003 02:31 PDT

Thanks for the responses. Clarification follows:

* Clients are end-users, probably entrepreneurs or independent
publishers
* "Installation" may not be necessary, but account set-up will be
* Unique IP addresses are only required to avoid "black listing" (I
believe)
* I will be doing most of the ASP.Net development myself; PHP budget
is tbd

The critical point is that of the unique IP addresses. If search
engines do not penalise sites on virtual servers (shared IP address),
then I can use a dedicated server quite easily.

Thanks ...

Richard Prosser

Hi rprosser-ga,

Thank you for your question. I am a Web Developer myself, and have
built many Web applications on the ASP (Application Service Provider)
model. I would like to offer my advice in finding a solution to your
situation.

I believe that your question can be answered in two parts :

(1) Whether or not these application services that you provide can be
securely made available to the client as an online account without
requiring installation on the client's machine, thereby freeing you
from the requirement for such a capability from your Web hosting
provider.

(2) Whether or not search engines "blacklist" IP addresses or URLs,
and their criteria for this blacklisting.



+=====================================================================================+


In answer to part (1), the answer is, yes! You do not need this
"specialized" Web hosting provider that will enable software
installations because you can run these ASP.NET and PHP programs as
services for your users, and all the aspects involved - secure account
login and online application services - are handled as part of your
application. To give you an example, think of Monster.com. As a job
seeker, the application service here is "to enable you to build a
resume, to have that resume available to recruiters, and to search for
jobs and apply online". All you need is to register, and log in with
your user name and password. This is just one example of an
application service, there are many such online services, you could
even offer a graphics editing program online, or a spreadsheet, or a
fax answering service, for example.

The magic behind account-based online application services is made
possible by the use of "session variables". Here is a definition of
the concept of "session" :

+----

session - a searchWebServices definition
http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci541649,00.html

"In telecommunication, a session is a series of interactions between
two communication end points that occur during the span of a single
connection. Typically, one end point requests a connection with
another specified end point and if that end point replies agreeing to
the connection, the end points take turns exchanging commands and data
("talking to each other"). The session begins when the connection is
established at both ends and terminates when the connection is ended."

+----

In the case of your online application, a session would begin with a
user logging in successfully, and end when the user logs out, or there
is no response from the user for more than X amount of time, also know
as the session timeout. All interactions during this session would be
"remembered" by the server using session variables. More permanent
data would be stored on the application's database. There can be more
than one session at a time, therefore there can be more than one
online user at a time. In this manner you can have multiple users
using the same application running off the Web host, but each one is a
unique instance (session), even though theoretically the software was
only "installed" once (on the Web host server). There is no need for
the user to install the application software on their computer, and
they can run the application online by logging in and establishing a
session.

Here are some script samples of user management using session
variables. The basic idea is that you would protect the "members only"
pages with a line of code that checks to see whether a client is
logged in, and if not, then prompt them for the login info. The
application service you are offering would run within this protected
area, and thus lock out other users :

+----

DevScripts - ASP.NET User Management Scripts, ASP.NET User Management
Code Snippets, ASP_NET User Management Code Samples
http://www.devscripts.com/category.php?stId=179

+----

DevScripts - PHP User Authentication Scripts, PHP User Authentication
Code Snippets, PHP User Authentication Code Samples
http://www.devscripts.com/category.php?stId=252

+----

Programmers Heaven - ASP - ASP.NET Zone - Sourcecode Articles : User
Management
http://www.programmersheaven.com/zone26/articles/article39.htm

+----

Simple ASP.Net Login 
http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=561&lngWId=10

+----

Creating a Secure PHP Login Script : PHP
http://martin.f2o.org/php/login

+----


If you've never built session-based, account-based online applications
before, don't worry, it's not as complicated as it sounds. Try the
simpler scripts first and experiment with logging in / logging out.

You might like to also visit the following website, an excellent
resource for securing your Web applications :

+----

The Open Web Application Security Project
http://www.owasp.org/

"The Open Web Application Security Project (OWASP) is an Open Source
community project staffed entirely by volunteers from across the
world. The project is developing software tools and knowledge based
documentation that helps people secure web applications and web
services. Much of the work is driven by discussions on the Web
Application Security list at SecurityFocus.com. All software and
documentation is released under the GNU public licenses."

+----


Also, with regard to the "Pay and Go" aspect, these days it is very
easy to integrate with an online payment processing provider, such as
PayPal (www.paypal.com) which offers their Integrated Payment
Notification (IPN) service. This would be integrated with your
application, and your Web hosting provider would not be required to
set up anything (you as the developer build it). Visit PayPal for
technical documentation on how to do this. They have PHP and ASP
scripts ready to go. I have built such a "Pay and Go" service using
PayPal's Subscriptions. There are also other e-commerce providers, and
you can view the listing here :

://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=related:www.2checkout.com/



+=====================================================================================+



Now on to part (2) - unique IPs/URLs and the issue of "blacklisting".

In a nutshell, this is a non-issue if you are merely offering
application services online that do not involve Web page building. The
issue of blacklisting (or greylisting, where a site is ranked poorly)
only applies to Websites that try to trick (spam) search engines. Here
is a definition :

+----

Optimisation - Search engine spam
http://www.4everweb.com/search_engine_spam.htm

"A search engine spammer is generally a person who is using unfair
techniques in order to better their own or a clients website within
the search results. The spammer is generally aware that the content
that they are promoting is less useful to the end user than they would
like. Because of this, they try to use methods that will make the
website appear above more relevant websites in the search engine
listings."

+----

If your online application does not result in new Web pages being
added to the Internet and made available for indexing by search
engines, then you don't have to worry about this. For instance, if you
are offering that online graphics editing program or spreadsheet, then
this is a non-issue.

Let's look at the factors that would cause a site to be blacklisted or
poorly ranked. Among them are mirroring, doorway pages, keyword
disguising, constant site submission (re-registering), and most
importantly, reciprocal links. Probably the most important measure of
a site's popularity (or lack thereof) can be determined using Google's
PageRank algorithm. Since Google is renowned as THE number 1 search
engine, lots of other websites refer to it to determine a site's
popularity. In other words, get popular on Google and you get popular
elsewhere. Get ranked poorly on Google and you'll probably be ranked
poorly elsewhere too.


Here is an excerpt from a good online article :

+----

Pagerank Explained. Google's PageRank and how to make the most of it
http://www.webworkshop.net/pagerank.html

[begin excerpt]

What is PageRank?
PageRank is a numeric value that represents how important a page is on
the web. Google figures that when one page links to another page, it
is effectively casting a vote for the other page. The more votes that
are cast for a page, the more important the page must be. Also, the
importance of the page that is casting the vote determines how
important the vote itself is. Google calculates a page's importance
from the votes cast for it. How important each vote is is taken into
account when a page's PageRank is calculated.

PageRank is Google's way of deciding a page's importance. It matters
because it is one of the factors that determines a page's ranking in
the search results. It isn't the only factor that Google uses to rank
pages, but it is an important one.

From here on in, we'll occassionally refer to PageRank as "PR". 

Notes:
Not all links are counted by Google. For instance, they filter out
links from known link farms. Some links can cause a site to be
penalized by Google. They rightly figure that a site cannot control
which sites link to it, but it can control which sites it links to it.
For this reason, links into a site cannot harm the site, but links
from a site can be harmful if they link to penalized sites. So be
careful which sites you link to. If a site has PR0, it is usually a
penalty, and it would be unwise to link to it.

[end excerpt]

+----


Continuing with this logic, if your application allows users to
publish dynamic pages (say for instance
www.yoursite.com/UserXPublicArea/pages.htm) and a particular user does
all the "wrong" things, then it MAY count toward the "penalization" of
your site (www.yoursite.com) as a whole. I say MAY because Google's
PageRank also looks at individual pages and subdirectory structures,
not just sites as complete units, and therefore a site like
"www.yoursite.com/UserXPublicArea" may be ranked differently from
"www.yoursite.com" .

A quick way to determine the PageRank of a page is to have Google
Toolbar installed as a browser add-in ( http://toolbar.google.com/ )
and to visit the Web page. The PageRank will be displayed on the
Google Toolbar.

Let's do a case study. ZyWorld is a Web page builder application
service provider (www.zyworld.com). Here are the PageRanks of several
of their member sites :

http://www.zyworld.com/crayfordgreyhoundtrack/ (PageRank of 5/10)
http://www.zyworld.com/ExeterSouthernhay/Home.htm (PageRank of 4/10)
http://www.zyworld.com/sschiller/Home.htm (PageRank of 4/10)
http://www.zyworld.com/quickguides/home.htm (PageRank of 3/10)
http://www.zyworld.com (PageRank of 5/10)
http://www.zy.com (PageRank of 6/10)

Zy.com appears on Google's first page for the search term "free
webpage OR 'web page' builder". Notice in this case how two different
domains are used, zy.com and zyworld.com. One is used for the "front
face" of the provider, the other is used to house the member pages,
and they have their own respective rankings.

In conclusion, we can say that since Google ranks individual pages
accordingly, this should not be a big issue for you, but if you still
want to make sure that your "corporate" site is not "tainted" by "bad"
member pages, you can always use two separate domain names. We can
apply this generalization to all the other search engines out there
too, having used Google as our standard.

Also, it depends on what other functions your application service
performs. Will your application run a program or script that
participates in spamming activities, if so, then yes, this will be a
concern for a common (shared) IP address. For example, if your
application has a mailer that sends out mass emails via SMTP, and if
your clients misuse this, you will soon find your SMTP server
blacklisted. It all boils down to the type of functionality you have
available, and I believe that all this can be addressed by good
application design.



+=====================================================================================+



I hope this has been a helpful answer! I have tried my best to
understand your question, but if you feel that there are areas that
still need clarification or further research, please do not hesitate
to post a Request For Clarification and I will be glad to assist. You
have my committment to the solution you are looking for. Thank you for
using Google Answers.


Regards,

kyrie26-ga



+----

Google search terms :

asp.net login script 
://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=asp%2Enet+login+script+

asp.net "login script" OR "login scripts"
://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=asp%2Enet+%22login+script%22+OR+%22login+scripts%22

asp.net user login
://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=asp%2Enet+user+login

php "user management" OR login script OR scripts
://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=php+%22user+management%22+OR+login+script+OR+scripts

search engine blacklist OR blacklisting
://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=search+engine+blacklist+OR+blacklisting

google pagerank
://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=google+pagerank

free webpage OR "web page" builder
://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=free+webpage+OR+%22web+page%22+builder

+----

---

Request for Answer Clarification by rprosser-ga on 26 Apr 2003 01:22 PDT

Thank you for a very comprehensive reply - it will take some time to
digest!

I am concerned about the use of a shared IP address because I cannot
ultimately control what my clients will do with their sites, and I do
not want to be responsible for policing them. I will of course issue
stern warnings and disclaimers etc., and I will take the appropriate
action against those who break the rules, but I would rather avoid
such problems from the outset. I accept that they are very unlikely to
happen, but I would prefer to be on the safe side. Arranging a unique
IP address for each account does not seem to be practical however.

FYI, I had always intended that each client site would have its own
domain name. So it seems that I can go ahead with a dedicated server,
based on a single IP address, and I would have to accept the (small)
risk of all the sites being blacklisted due to the activities of just
one of them. Is that a fair summary of your response?

Thanks ...

---

Clarification of Answer by kyrie26-ga on 26 Apr 2003 01:38 PDT

Hi Richard,

The only activities that could possibly get you "blacklisted" due to
abuse are search-engine-spamming Webpage building (even this won't get
you blacklisted, only rated poorly), mass emailing and possibly
Telnet-related functions (Denial-Of-Service attacks?). Are any of
these functions available as part of your Web Application Service? If
not, then you don't have to worry. Perhaps I can help you better if
you give me a description of the type of service(s) you are planning
on offering. Or if you prefer not to say, you can give me the general
category.

In a nutshell, I wouldn't worry about the IP sharing issue. A good
application would be built in such a way as to prevent abuse in the
first place. If you can tell me more, I can tell you how I would build
it. I don't know anything about your application, but I suspect that
if it's like the majority of apps out there, then it's a non-issue for
you.

kyrie26-ga

---

Clarification of Answer by kyrie26-ga on 30 Apr 2003 14:14 PDT

Hello again Richard,

Thanks for the article you provided. I was unable to get in through
your link because I don't have a subscription, but found the same
article through another link via Google News, at
http://www.nytimes.com/2003/04/29/technology/29SPAM.html?ex=1052280000&en=edd6db2e3c97b37c&ei=5062&partner=GOOGLE
.

I did an analysis of this article, and it is consistent with my
current knowledge and my posted answer to your question. I understand
your fears on this issue, and I wish to allay your fears, armed with
the objective truth.

Oh, before we get to that, I would like to suggest that you use the
"Request For Clarification" feature instead of posting your responses
on the Comments section, because I get notified instantly and will be
able to respond to you much quicker.


First of all, here is a related article :

Internet Week  Spam  Spam Leads To High Costs For ISPs  April 28, 2003
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=9400084


Let's take a look at what happened in the US Moneywerx incident. The
way Internet service works is like a big tree. The government owns the
tree trunk. The main ISPs own the main branches. The smaller ISPs own
the smaller branches, and so on, until have small ISPs and resellers
in the picture. What happened was that someone "downstream" from US
Moneywerx, in this case NetGlobalMarketing, was accused of spamming,
and the ISP "upstream", Server Beach, decided to pull the plug on US
Moneywerx.

Now, whenever we talk about Internet services, we need to make a
distinction between email, Web, FTP, Telnet, and many other services
that make up the whole package. In this case, even though it was only
email (spam) that was involved, Server Beach pulled the plug on ALL
services including Web, which is why the 89 websites operated by US
Moneywerx were shut down.

Another important distinction to make : there are two possible
scenarios at work here :

1) NetGlobalMarketing purchased Internet services from US Moneywerx
which enabled them to run their own SMTP (email) server, which they
subsequently abused.

2) NetGlobalMarketing purchased a Web hosting account from US
Moneywerx, which includes a server-side application programming
language, which has automated email sending capability (Sendmail,
CFMAIL, etc.) via SMTP. They created a Web application that can send
out mass mail and either used this themselves, or made it available to
their Web account users, which was subsequently abused.

Now continuing on this thought, let's take a quick jump to your
question on why there is "a gap in the market". The reason is simple
enough. You have to own a branch to be able to give out the smaller
branches. You cannot give out branchlets off a branch that you don't
own. Therefore you can only assign "sub-IPs" to your customers,
clients or users, but not random "independent" IPs. Therefore you are
still responsible for anything that happens downstream.

Here's another jump, and another important distinction : whenever we
talk about software, we need to differentiate between :

1) Web-based software, which requires no installation, and runs on a
remote server, therefore using the remote server's IP address for any
network-related interactions. User accounts are managed using database
and session variables.

2) Desktop applications, which are installed on the user's computer,
and use the IP address of the user's ISP connection (e.g. AOL) to go
online on that computer.


Putting it all together, your role here would be similar to that of US
Moneywerx, hence your concern. Let's look at the above two scenarios
again :

1) Are you a reseller of Internet services (email, Web, FTP, etc.) who
will be providing your clients with their own SMTP (email) servers? I
don't think so, this doesn't apply to you.

2) Are you an Application Service Provider who provides a service to
your clients through a Web Application? If so, will you enable
server-side outgoing email capability? Here is an example - a user
logs on to his account on your website. They enter a whole bunch of
recipient email addresses on a web form, and compose the email, then
send it. Your application, on your server, then sends out this email.
This is possible BECAUSE YOU BUILT IT THAT WAY. If you do this, then
yes, as I mentioned before, it could get abused, and your server's IP
address could get blacklisted. Again, I maintain my stand, IT ALL
DEPENDS ON WHAT YOU MAKE AVAILABLE as part of your application
service.


Once, again, my answer remains the same! If you are concerned about
being blacklisted because of other "peer-level" users (i.e. NOT your
clients but rather, other customers of your ISP), then that is an
unavoidable risk. But if you are concerned about being blacklisted
because of your "downline", then that is a controllable risk - it all
depends on what kind of application service you are offering. You can
build your application so that there is ZERO RISK. To give you an
extreme example, a simple website that does not do anything except
serve up pure HTML. Such a website poses no risk because your users
can only view Web pages and nothing more. Now let's spice things up
with a server-side application. Now they can play games online. Or
submit their resume online. Or chat online. All still ZERO RISK. But
wait... now you're letting them send email online. Through your
server, your IP address. That's getting a little risky. Open it up and
let them send mass email! There you go! That's when all the problems
arise.


Here's another solution, if you're still intent on selling your users
applications that are truly "independent". You would build Desktop
Applications that they can download and install themselves. Whatever
network interactions these applications make, would be through the
client's own Internet connection, unrelated to your Web server. This
is not the same as a Web application, you would not be using PHP or
ASP.NET, but rather a desktop application programming language such as
Java or C++. But, in answer to your question, there is no such ISP
that will do the "installation and registration" part for you, because
it is simple enough for you to program your own e-commerce site where
you would make the software available for downloading only after the
customer has registered and paid, and logged in securely. Of course
that is another topic in itself.

However, I still maintain that Web Applications are the way to go, and
whatever risk you have to face is dependent on how you built your
application.

A very good example at hand is the Google Answers service. It is a Web
Application, and I, as a registered Researcher, am a user who logs
into my user account every time I answer a question. Notice that no
matter what I do, I cannot "cause spam" in the context that we are
talking about. Sure, if I decide to post low quality answers, that may
be considered "spamming" and cause me to lose my Researcher status,
but I cannot cause Google to be blacklisted due to my actions.

As a seasoned Web Developer I stand by my answer. However I would also
like to open this question up to the other Researchers if they would
like to add their opinions.


Thanks, and don't hesitate to Request For Clarification if still
needed! Have a great day.


Regards,

kyrie26-ga

Rprosser

    This was a difficult question, partly because the issue itself is
    complex and partly because the question  is still very general. 
     
    Kyrie provided good coverage of the developers aspect.
    The blacklisting indeed seems to be not an essential issue
    for you service as websites are ranked or dropped based on
    their domain names, not according to an IP.
    The blacklisting 'crosstalk' does happen when legitimate e-mail
    is not delivered because IP of the ISP's IP was blacklisted - but
    that is a different issue. Details of that depend on technical
    details of the service, such as 
            will the server be shared, or dedicated?.
     The owner or operator of the web server decides what IP's he
    wants to limit (blacklist) and what blacklisting service to use.
    We need to differentiate between user's IPs and the IP associated
    with your domain. Unless a user can abuse your service, e.g. to send
    a spam from your server, your IP will not be affected - BUT as any
    internet service provider, it will be your responsibility to guard
    against that. Here we may an issue of user's ID, where static IP may
    be useful - even though the best method.
     There is a lot of literature on that aspect 
    of internet and you may want to post that as a separate question.

    There is also literature and studies on different type of services,
    some provider the power to do number-crunching  and specialised
    software for small engineering firms, some 'public data base' service
    such as the 'monster board' cited by Kyrie. There are few startups
    which serve authors or publishers by providing 'as service' ability
    to store e-goods, such as ebooks and deliver it on-demand to customers
    after a payment. These have many interesting and specific issues 
   which can be researched and summarised in a response to more specific question.

Comments from a discussion forum (www.bmyers.com):

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Scores of websites were taken off the Internet over the weekend
because of new pressures on a commercial Internet service provider to
stop unwanted marketing e-mail, or spam, and the companies that use
it.  See http://www.nytimes.com/2003/04/29/technology/29SPAM.html

It seems that most of these web sites that were shut down were
innocent bystanders that happened to share an IP address with a spam
sending site.

The spammer IP was added to the spews blacklist, and all sites on the
host were shut down by the company leasing the server to a affiliate
hosting company.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


So it appears that there really is an issue (with spam), and my
questions have not been adequately answered. So, are there any hosts
which can automatically install software with each new account
registration, and/or assign a unique IP address for such an account?

I haven't been able to find any, and I can't understand this gap in
the market.

Richard