E-Mail Harvesting

  • SamMan

    E-Mail Harvesting

    May be a bit off-topic...

    When bots scan the web for e-mail addresses to use for spam, do they look at
    what the browser is displaying, or scan through the underlying HTML markup
    for e-mail addresses?

    At work, we have stopped displaying our webmaster e-mail on our pages and
    created a form that uses cgi to process and send the message. Our e-mail
    however, is hard coded as a variable in the form and sent to the script.
    Will harvesters still be able to get the address, or does it have to be
    displayed on the page?

    Or do e-mails get harvested in this way at all?

    Thanks in advance...
    --
    SamMan
    Rip it to reply



  • Brian

    #2
    Re: E-Mail Harvesting

    SamMan wrote:
    > May be a bit off-topic...

    It's arguable; but it is discussed here from time to time.

    > When bots scan the web for e-mail address to use for spam, do they
    > look at what the browser is displaying, or scan through the
    > underlying HTML markup for e-mail addresses?

    AFAIK, they look for mailto: links and for text that looks like an
    email address, i.e., a series of letters and numbers, an @ sign, and
    more letters and numbers, with certain punctuation.

    > At work, we have stopped displaying our webmaster e-mail on our
    > pages and created a form that uses cgi to process and send the
    > message.

    Best practice is to provide both a form and an email address.

    > Our e-mail however, is hard coded as a variable in the form and
    > sent to the script.

    Which script are you using? The NMS formmail script allows one to
    define an alias in a config file outside of the directories accessible
    by the web.

    > Will harvesters still be able to get the address, or does it have
    > to be displayed on the page?

    Yes.

    --
    Brian
    follow the directions in my address to email me


    • Spartanicus

      #3
      Re: E-Mail Harvesting

      SamMan wrote:
      >At work, we have stopped displaying our webmaster e-mail on our pages and
      >created a form that uses cgi to process and send the message. Our e-mail
      >however, is hard coded as a variable in the form and sent to the script.

      Change the script so that it contains the address. If you have to use a
      3rd party (ISP) script that you cannot control, then you may be able to
      use character references in the form, like &#64; for "@" and &#46; for
      ".", I do this and my ISP's script accepts it (using character
      references is surprisingly effective against harvesting).

      Having said that, I have no proof that email harvesters read form
      parameter values, but better safe than sorry imo.

      --
      Spartanicus


      • Beauregard T. Shagnasty

        #4
        Re: E-Mail Harvesting

        Spartanicus pounced upon this pigeonhole and pronounced:
        > SamMan wrote:
        >
        > >At work, we have stopped displaying our webmaster e-mail on our pages and
        > >created a form that uses cgi to process and send the message. Our e-mail
        > >however, is hard coded as a variable in the form and sent to the script.
        >
        > Change the script so that it contains the address. If you have to use a
        > 3rd party (ISP) script that you cannot control, then you may be able to
        > use character references in the form, like &#64; for "@" and &#46; for
        > ".", I do this and my ISP's script accepts it (using character
        > references is surprisingly effective against harvesting).

        Try this page. (some days it is slow to load)

        > Having said that, I have no proof that email harvesters read form
        > parameter values, but better safe than sorry imo.

        Neither have I proof, other than to say that all addresses at my sites
        that began life obfuscated in this fashion have never received spam.

        --
        -bts
        -This space intentionally left blank.


        • Spartanicus

          #5
          Re: E-Mail Harvesting

          Beauregard T. Shagnasty wrote:
          >>(using character
          >> references is surprisingly effective against harvesting).
          >
          >Try this page. (some days it is slow to load)
          >http://alicorna.com/cgi/obfuscator.cgi

          It only takes 1 character to be converted to a character reference "@"
          is &#64;, easy to remember. There's no need to convert the entire
          address to character references, that will only serve to make it
          unreadable by humans.

          --
          Spartanicus


          • Beauregard T. Shagnasty

            #6
            Re: E-Mail Harvesting

            Spartanicus pounced upon this pigeonhole and pronounced:
            > Beauregard T. Shagnasty wrote:
            >
            > >>(using character
            > >> references is surprisingly effective against harvesting).
            > >
            > >Try this page. (some days it is slow to load)
            > >http://alicorna.com/cgi/obfuscator.cgi
            >
            > It only takes 1 character to be converted to a character reference "@"
            > is &#64;, easy to remember. There's no need to convert the entire
            > address to character references, that will only serve to make it
            > unreadable by humans.

            Heh, humans rarely read the source of the page. <g>

            --
            -bts
            -This space intentionally left blank.


            • Spartanicus

              #7
              Re: E-Mail Harvesting

              Beauregard T. Shagnasty wrote:
              >> It only takes 1 character to be converted to a character reference "@"
              >> is &#64;, easy to remember. There's no need to convert the entire
              >> address to character references, that will only serve to make it
              >> unreadable by humans.
              >
              >Heh, humans rarely read the source of the page. <g>

              One may hope that the author is also human :)

              --
              Spartanicus


              • Beauregard T. Shagnasty

                #8
                Re: E-Mail Harvesting

                Spartanicus pounced upon this pigeonhole and pronounced:
                > Beauregard T. Shagnasty wrote:
                >
                > >> It only takes 1 character to be converted to a character reference "@"
                > >> is &#64;, easy to remember. There's no need to convert the entire
                > >> address to character references, that will only serve to make it
                > >> unreadable by humans.
                > >
                > >Heh, humans rarely read the source of the page. <g>
                >
                > One may hope that the author is also human :)

                Well, that certainly is a point. One could only hope then, that if the
                author is smart enough to know how the obfuscation works, that it does not
                present a problem. <more_smileys>

                --
                -bts
                -This space intentionally left off to football.


                • SamMan

                  #9
                  Re: E-Mail Harvesting

                  "Spartanicus" <me@privacy.net> wrote in message
                  news:7tnnpvslrq4469q8234l19v93q8aca0edm@news.spartanicus.utvinternet.ie...
                  > SamMan wrote:
                  >
                  > >At work, we have stopped displaying our webmaster e-mail on our pages and
                  > >created a form that uses cgi to process and send the message. Our e-mail
                  > >however, is hard coded as a variable in the form and sent to the script.
                  >
                  > Change the script so that it contains the address. If you have to use a
                  > 3rd party (ISP) script that you cannot control, then you may be able to
                  > use character references in the form, like &#64; for "@" and &#46; for
                  > ".", I do this and my ISP's script accepts it (using character
                  > references is surprisingly effective against harvesting).
                  >
                  > Having said that, I have no proof that email harvesters read form
                  > parameter values, but better safe than sorry imo.
                  >
                  > --
                  > Spartanicus


                  Thanks for all of the answers & tips.

                  On my personal site, I have a technique in place, and would like to know if
                  this is also good for obfuscation.

                  I have an external JavaScript file that takes each part of the email and
                  assigns it to a variable (beg, mid, end).
                  beg = myname;
                  mid = @;
                  end = something.com;

                  In the actual page, the values are written ... document.write( beg + mid +
                  end)...

                  Is this a good way to hide emails too?

                  Thanks again!
                  --
                  SamMan
                  Rip it to reply



                  • SamMan

                    #10
                    Re: E-Mail Harvesting

                    "SamMan" <psf@psfdevrip-it.com> wrote in message
                    news:CfVmb.75004$%C5.73046@twister.rdc-kc.rr.com...
                    > "Spartanicus" <me@privacy.net> wrote in message
                    > news:7tnnpvslrq4469q8234l19v93q8aca0edm@news.spartanicus.utvinternet.ie...
                    > > SamMan wrote:
                    > >
                    > > >At work, we have stopped displaying our webmaster e-mail on our pages and
                    > > >created a form that uses cgi to process and send the message. Our e-mail
                    > > >however, is hard coded as a variable in the form and sent to the script.
                    > >
                    > > Change the script so that it contains the address. If you have to use a
                    > > 3rd party (ISP) script that you cannot control, then you may be able to
                    > > use character references in the form, like &#64; for "@" and &#46; for
                    > > ".", I do this and my ISP's script accepts it (using character
                    > > references is surprisingly effective against harvesting).
                    > >
                    > > Having said that, I have no proof that email harvesters read form
                    > > parameter values, but better safe than sorry imo.
                    > >
                    > > --
                    > > Spartanicus
                    >
                    >
                    > Thanks for all of the answers & tips.
                    >
                    > On my personal site, I have a technique in place, and would like to know if
                    > this is also good for obfuscation.
                    >
                    > I have an external JavaScript file that takes each part of the email and
                    > assigns it to a variable (beg, mid, end).
                    > beg = myname;
                    > mid = @;
                    > end = something.com;
                    >
                    > In the actual page, the values are written ... document.write( beg + mid +
                    > end)...
                    >
                    > Is this a good way to hide emails too?


                    .... of course, I forgot to put quotes around my values... i.e. beg =
                    "myname";


                    --
                    SamMan
                    Rip it to reply



                    • Spartanicus

                      #11
                      Re: E-Mail Harvesting

                      SamMan wrote:
                      >I have an external JavaScript file that takes each part of the email and
                      >assigns it to a variable (beg, mid, end).
                      >beg = myname;
                      >mid = @;
                      >end = something.com;

                      That should work, as long as you have a fallback for when js is disabled
                      (such as a form).

                      --
                      Spartanicus


                      • Vigil

                        #12
                        Re: E-Mail Harvesting

                        Easy for spambots to pick up, too :-/

                        On Sun, 26 Oct 2003 16:24:27 +0000, Spartanicus wrote:
                        > It only takes 1 character to be converted to a character reference "@" is
                        > &#64;, easy to remember.

                        --

                        ..


                        • Bart Lateur

                          #13
                          Re: E-Mail Harvesting

                          SamMan wrote:
                          >At work, we have stopped displaying our webmaster e-mail on our pages and
                          >created a form that uses cgi to process and send the message. Our e-mail
                          >however, is hard coded as a variable in the form and sent to the script.
                          >Will harvesters still be able to get the address, or does it have to be
                          >displayed on the page?

                          Are you stupid enough to allow mail to any email address? Expect to be
                          hijacked by spammers.

                          <http://www.html-faq.com/cgi/?secureformmail>
                          <www.monkeys.com/anti-spam/formmail-advisory.pdf>

                          >When bots scan the web for e-mail address to use for spam, do they look at
                          >what the browser is displaying, or scan through the underlying HTML markup
                          >for e-mail addresses?

                          Well, for now, it looks like only unencoded addresses are being scanned.
                          When everybody starts using this trick, I expect spammers to catch up...

                          --
                          Bart.


                          • Spartanicus

                            #14
                            Re: E-Mail Harvesting

                            Vigil wrote:

                            Stop top posting please.

                            >> It only takes 1 character to be converted to a character reference "@" is
                            >> &#64;, easy to remember.

                            >Easy for spambots to pick up, too :-/

                            1) If a harvester can decode 1 character reference then it can decode a
                            1000 with no extra bother.

                            2) No one has produced any evidence of any harvester being able to
                            decode character references, see this study:


                            --
                            Spartanicus
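
Added example, not part of any post in this thread: the point argued above is whether an address survives in the page source once character references are decoded. This Python check audits a constructed page (all addresses, field names and the `audit` helper are assumptions) and reports what a plain text scan, a reference-decoding scan and the hidden form field each expose.

```python
import html
import re
from html.parser import HTMLParser

# "Text that looks like an email address", kept deliberately simple.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample page; every address and field name is made up.
SAMPLE_PAGE = """\
<p>Sales: <a href="mailto:sales@example.com">mail us</a></p>
<p>Support: support&#64;example.com</p>
<form action="/cgi-bin/formmail.cgi" method="post">
  <input type="hidden" name="recipient" value="webmaster&#64;example&#46;com">
  <textarea name="message"></textarea>
</form>
<script>
  var beg = "info"; var mid = "@"; var end = "example.org";
  document.write(beg + mid + end);
</script>
"""


class _FormFields(HTMLParser):
    """Collects <input value="..."> strings; the parser decodes references."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.values.extend(v for k, v in attrs if k == "value" and v)


def audit(page_source):
    """Return the addresses each kind of scan recovers from page_source."""
    raw = set(ADDRESS.findall(page_source))
    decoded = set(ADDRESS.findall(html.unescape(page_source)))
    fields = _FormFields()
    fields.feed(page_source)
    fields.close()
    in_fields = {a for v in fields.values for a in ADDRESS.findall(v)}
    return {
        "plain_text_scan": raw,
        "only_after_decoding": decoded - raw,
        "hidden_form_fields": in_fields,
    }


if __name__ == "__main__":
    for scan, found in audit(SAMPLE_PAGE).items():
        print(f"{scan}: {sorted(found)}")
```

The script-assembled address shows up in none of the three sets because nothing here executes JavaScript.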


                            • Tim

                              #15
                              Re: E-Mail Harvesting

                              On Sun, 26 Oct 2003 08:07:58 -0600,
                              "SamMan" <psf@psfdevrip-it.com> wrote:

                              > When bots scan the web for e-mail address to use for spam, do they look at
                              > what the browser is displaying, or scan through the underlying HTML markup
                              > for e-mail addresses?

                              I'd say that they'd be directly looking at the HTML source for anything
                              resembling an e-mail address.

                              > At work, we have stopped displaying our webmaster e-mail on our pages and
                              > created a form that uses cgi to process and send the message. Our e-mail
                              > however, is hard coded as a variable in the form and sent to the script.
                              > Will harvesters still be able to get the address, or does it have to be
                              > displayed on the page?
                              >
                              > Or do e-mails get harvested in this way at all?

                              If your address is webmaster@ (your domain name), then you're going to
                              get spam, even if you don't publish it. That's a well known account.

                              Spammers search for mail forms to abuse, I'm sure they search for
                              anything that they can abuse.

                              People have suggested munging in one way or another, and while
                              harvesters may not currently unmunge addresses, there's no technical
                              reason why they can't do that (i.e. eventually, they probably will).

                              Encoding the address so that it's not plain text may stop some
                              harvesters, but they're also "able" to decode that, just the same as
                              browsers are. It'd be a poor browser that couldn't send a form to a
                              character-encoded address, but I've seen a few systems which cannot pass
                              an e-mail address to a mail client that's been encoded (the mail client
                              gets it "as is," and doesn't know what to do with it).

                              Harvesters are just as "able" to just JavaScript, even if they currently
                              don't. But using JavaScript will mean that many people browsing can't
                              write to you.

                              There's really only one good way to limit spammers abusing you, in the
                              ways you're thinking about: Use an ordinary form to let people mail
                              you, but don't have the mail address anywhere in that form. Have the
                              form mention what configuration details to use from your server, and
                              have those details where only your system can read them (i.e. somewhere
                              with no access to anybody on the internet). That'll let almost anybody
                              manage to write to you, without them needing to do anything special.

                              --
                              My "from" address is totally fake. (Hint: If I wanted e-mails from
                              complete strangers, I'd have put a real one, there.) Reply to usenet
                              postings in the same place as you read the message you're replying to.
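
Added example (not from the thread or from any formmail script) of the design Tim describes, which also addresses Bart's warning about scripts that mail any address: the form carries only an alias, and the handler resolves it against a server-side table and refuses everything else. `RECIPIENTS`, `SENDER`, `build_message` and the `to` field name are assumptions.

```python
import re
from email.message import EmailMessage

# Assumption: a real deployment loads this mapping from a file outside the
# web-accessible directories; it is inlined so the example runs stand-alone.
RECIPIENTS = {
    "webmaster": "webmaster@example.com",
    "sales": "sales@example.com",
}
SENDER = "forms@example.com"  # fixed From address (hypothetical)

# The only recipient-related markup the page needs: an alias, no address.
FORM_FIELD = '<input type="hidden" name="to" value="webmaster">'

_ALIAS = re.compile(r"[a-z0-9_-]{1,32}")
_REPLY_TO = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class RejectedSubmission(ValueError):
    """Raised when a submission must not be turned into mail."""


def build_message(form):
    """Map a submitted form (dict of strings) to an EmailMessage or reject it."""
    alias = form.get("to", "")
    # The visitor never supplies an address, only a key into RECIPIENTS.
    if not _ALIAS.fullmatch(alias) or alias not in RECIPIENTS:
        raise RejectedSubmission("unknown recipient alias")

    subject = form.get("subject", "")
    reply_to = form.get("email", "")
    # Line breaks in header fields would let a visitor add headers such as Bcc.
    if any(c in subject + reply_to for c in "\r\n"):
        raise RejectedSubmission("line break in a header field")
    if reply_to and not _REPLY_TO.fullmatch(reply_to):
        raise RejectedSubmission("malformed reply address")

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENTS[alias]
    msg["Subject"] = subject[:200] or "(no subject)"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(form.get("message", ""))
    return msg
```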
