Re: [WSG] Using PHP to hide email, script made, testing needed
No worries Mike, keep at it, if it's a good solution for you, then it's a good solution =8-)Personally I use captcha validated forms to send email internally.At least filtering on user agent is another level, and you might end up expanding on that. Bots will just make http requests and parse the output looking for anything matching an email address.One human can then scout discussions like this and websites looking for new implementations and usually just chuck in a new regular _expression_; matching [at] or span[at]/span is not a big stretch. JOn 09/06/06, Mike at Green-Beast.com [EMAIL PROTECTED] wrote: Lachlan Hunt [EMAIL PROTECTED] wrote:[...] Why do you think it's safe to assume that bad bots won't sendUser-Agent headers claiming to be IE, Firefox or any other browser they like?Even if some bots do send different UA strings, this script relies ona false assumption and, thus, provides a false sense of security. [...]---Hello Lachan,I'm not assuming anything (I try not to do that). I do know that 'bots can mask themselves, this has been on my mind. But I don't know how often thisis done or what the risk levels are. It's not like I'm distributing thisor billing it as a fool-proof method. It is an experiment; a test. I'm trying to make something useful. And I do have a disclaimer. That entiresite, mikecherim.com, is just for experiments. A sandbox if you will.It is for this reason I have posted here with the WSG: to test it in the field and to get feedback. To discover the problems and possible loopholes.I have that email address on one place on the web and that's on that page,so that is part of the test as well. My mailbox is waiting to see what happens.The sad part is, even if it can be made fully capable of its assigned taskand become a popular and accessible solution, new spam-bot builds wouldprobably have a work-around built into their new versions within months. Unfortunately, if people are allowed to communicate with us or post to oursites, we can only hope to slow down or stay just slightly ahead to the badguys.Thanks for your feedback.Sincerely, Mike Cherimhttp://green-beast.com/http://accessites.org/http://graybit.com/** The discussion list forhttp://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list getting help** **The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list & getting help** **The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list & getting help**
Re: [WSG] Using PHP to hide email, script made, testing needed
James Laugesen [EMAIL PROTECTED] wrote: Hi Mike, I could see the link correctly and sent you the email. My email body was not poopulated correctly (GMail notifier mailto handler) but I put the details in manually. I'm interested in discussion on this topic... how did you determine this was the best approach? Bots can always parse [at] and [dot] (assuming you didn't intend to replace with an image) and report fake user agents. J --- Hello James, Thank you for helping. I knew there would be problems with the body data so I appreciate you filling in the blanks, so to speak. That part, gladly, is just for the test. :-) Regarding best approach: I wasn't really satisifed with the JavaScript solution. (Plus I wanted to challenge myself with it.) And trying to do something server-side was just fraught with challenges without making the user interact by submitting something to reveal the email -- to make it passive and just work. This seemed to be the only viable solution I could come up with (this project produced a lot of saw dust). I didn't even think it would work and was actually surprised by the positive result, so far. I thank you kind sir, as I did not know that [at] and [dot] would be parsed, but I did have some suspicions because that formatting is fairly ubiquitous -- it's all over php.net. I wonder, for the sake of styling I wrapped each of those bits in a span. Will that further obfuscate it to the point of being effective? Example: acctspan[at]/spandomainspan[dot]/span An image worries me because then I end up with a potential accessibility barrier. Easy to overcome with an embedded image and alt text, but then that leads me to ask... will that email formatting be parsable within the alt attribute. If so it's back to the grindstone, but if not, hmm, that could lead to an even simpler solution. Your thoughts? Sincerely, Mike Cherim http://green-beast.com/ http://accessites.org/ http://graybit.com/ ** The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list getting help **
Re: [WSG] Using PHP to hide email, script made, testing needed
Mike at Green-Beast.com wrote: I have written a PHP script which I hope will allow a person to post an email address on a site without worrying about it being found and exploited by bad'bots. [1] http://mikecherim.com/gbcms_xml/news_page.php?id=6 Why do you think it's safe to assume that bad bots won't send User-Agent headers claiming to be IE, Firefox or any other browser they like? Even if some bots do send different UA strings, this script relies on a false assumption and, thus, provides a false sense of security. -- Lachlan Hunt http://lachy.id.au/ ** The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list getting help **
Re: [WSG] Using PHP to hide email, script made, testing needed
Lachlan Hunt [EMAIL PROTECTED] wrote: [...] Why do you think it's safe to assume that bad bots won't send User-Agent headers claiming to be IE, Firefox or any other browser they like? Even if some bots do send different UA strings, this script relies on a false assumption and, thus, provides a false sense of security. [...] --- Hello Lachan, I'm not assuming anything (I try not to do that). I do know that 'bots can mask themselves, this has been on my mind. But I don't know how often this is done or what the risk levels are. It's not like I'm distributing this or billing it as a fool-proof method. It is an experiment; a test. I'm trying to make something useful. And I do have a disclaimer. That entire site, mikecherim.com, is just for experiments. A sandbox if you will. It is for this reason I have posted here with the WSG: to test it in the field and to get feedback. To discover the problems and possible loopholes. I have that email address on one place on the web and that's on that page, so that is part of the test as well. My mailbox is waiting to see what happens. The sad part is, even if it can be made fully capable of its assigned task and become a popular and accessible solution, new spam-bot builds would probably have a work-around built into their new versions within months. Unfortunately, if people are allowed to communicate with us or post to our sites, we can only hope to slow down or stay just slightly ahead to the bad guys. Thanks for your feedback. Sincerely, Mike Cherim http://green-beast.com/ http://accessites.org/ http://graybit.com/ ** The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list getting help **
Re: [WSG] Using PHP to hide email, script made, testing needed
I suggest it wouldn't be too much of a stretch for a spambot to do a bit of regex matching... I'll put it in php because that's what I know. First you'd preprocess the page using a javascript processor. This is an effort but quite possible - perhaps steal some firefox code to do this, which would conveniently send a request indistinguishable fro real fx. Then you save the rendered code into the variable $code. $code = preg_replace('/.+alt=([']|).*($1)/siU', '$1', $code); preg_match_all('/[a-z0-9_.+-]+(\b*(.+|@)\b*[a-z0-9_.-]+)+/iUs'... That should match most email addresses obscured most ways, I'd say. You might get SOME garbage, but I don't think that necessarily bothers spammers. The best protection seems to be slashdot-esque translation, though this is by no means unbypassable, just not worth bypassing ;). You don't have to run faster than the bear, just faster than the other guy. EOE, by the way. -michael On 6/9/06, James Laugesen [EMAIL PROTECTED] wrote: No worries Mike, keep at it, if it's a good solution for you, then it's a good solution =8-) Personally I use captcha validated forms to send email internally. At least filtering on user agent is another level, and you might end up expanding on that. Bots will just make http requests and parse the output looking for anything matching an email address. One human can then scout discussions like this and websites looking for new implementations and usually just chuck in a new regular expression; matching [at] or span[at]/span is not a big stretch. J On 09/06/06, Mike at Green-Beast.com [EMAIL PROTECTED] wrote: Lachlan Hunt [EMAIL PROTECTED] wrote: [...] Why do you think it's safe to assume that bad bots won't send User-Agent headers claiming to be IE, Firefox or any other browser they like? Even if some bots do send different UA strings, this script relies on a false assumption and, thus, provides a false sense of security. [...] --- Hello Lachan, I'm not assuming anything (I try not to do that). I do know that 'bots can mask themselves, this has been on my mind. But I don't know how often this is done or what the risk levels are. It's not like I'm distributing this or billing it as a fool-proof method. It is an experiment; a test. I'm trying to make something useful. And I do have a disclaimer. That entire site, mikecherim.com, is just for experiments. A sandbox if you will. It is for this reason I have posted here with the WSG: to test it in the field and to get feedback. To discover the problems and possible loopholes. I have that email address on one place on the web and that's on that page, so that is part of the test as well. My mailbox is waiting to see what happens. The sad part is, even if it can be made fully capable of its assigned task and become a popular and accessible solution, new spam-bot builds would probably have a work-around built into their new versions within months. Unfortunately, if people are allowed to communicate with us or post to our sites, we can only hope to slow down or stay just slightly ahead to the bad guys. Thanks for your feedback. Sincerely, Mike Cherim http://green-beast.com/ http://accessites.org/ http://graybit.com/ ** The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list getting help ** ** The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list getting help ** -- http://mine.mjec.net/ ** The discussion list for http://webstandardsgroup.org/ See http://webstandardsgroup.org/mail/guidelines.cfm for some hints on posting to the list getting help **