

4 Methods to Protect Email


  #1  
Old 12-14-2009, 06:53 AM
bholus10 bholus10 is offline
Award Winner
 
Join Date: Nov 2009
Posts: 10,043
4 Methods to Protect Email

Make no mistake. You can't escape death, taxes, or spam. The only thing you can do is try to reduce spam and prevent spammers from getting your email address *easily*. The following briefly explains why this is, and offers a balanced solution to make getting your email address as difficult as possible for spambot harvesters, while still making your site friendly for users.

There are a couple email gold-mines for spammers to get your address.

1) Malware on other people's computers
2) Harvesting addresses from web sites.

Malware on other people's computers harvests addresses and/or sends spam. The only way to stop that is for people to use anti-virus software and a firewall. But that's not anything that you can control.

Harvesting addresses from web sites is where you can make it either impossible, or extremely difficult for a spammer to get your email address. Your options are:

1) Don't put any addresses on your site

While this is obvious, it makes it pretty hard for potential customers to contact you. Not a good idea.

2) Use an email form

Email forms force you to rely on someone to type their email address properly so that you can respond to them. Though it guarantees that spambots can't "get your address", for legitimate users it reduces email reliability, and spammers can still use your email form to spam you directly. If you cannot respond to a potential customer because they accidentally mistyped their email address, you end up looking like the bad guy. Again, not a really great solution.

3) Use a graphic

Putting your email address in a graphic puts up an added barrier and forces your potential customers to type your email address. However, graphics do not offer any real advantage over obfuscation. The technology for OCR (Optical Character Recognition) and principles for cracking captchas are well understood and do not differ for what would be required to rip an email address out of a graphic. Combined with not being very user friendly, this is not the best option.

4) Use obfuscation

Obfuscation is your best bet to put up the most difficult barrier possible while still balancing usability and ease for your web site visitors. You stop spambots from harvesting your address and you still allow users to click on your email address.

Spam is all about numbers and costs have to be low to deal with the massive volumes that spammers need in order to get a sale/victim. CPU cycles are expensive. The more processing power you need, the more computers you need, and that all costs money and/or time. Obfuscation addresses this directly because it makes the processing power needed to extract an email address exorbitantly high.

Getting "johndoe@domain.com" out of simple text is easy. But how easy is it to get "johndoe@domain.com" out of this:



Perhaps just a little bit tougher? Actually, it's almost impossible for a spammer to get it. The script above isn't the real barrier. It's every other script on the Internet. If a spammer wants to get that address, their spambot email harvester must parse every single JavaScript on every page that they scan, and this costs processing power. What are the chances that a script contains an email address? Not very good. It's a total waste of time when there are already so many other people that don't protect their email addresses.

I've written a simple free utility, the Renegade Email Protector, that obfuscates email addresses 4 different ways:

1) JavaScript Hybrid

The first approach is simple for anyone to modify as it is human readable. It inserts random garbage into the email address and strips it out when someone hovers their mouse on the link:


John Doe

When a user then clicks, the RenegadeFix4E8tXtGz function has already replaced the garbage that's inserted into the address to reveal the correct address. Spambots will easily get "johndoe@4E8tXtGzdomain.com" out of it, but who cares? That wrong address will just waste their time.

2) Unicode Encoded (Entities)

The second approach encodes the email address in unicode entities and looks like this:

John Doe

While a browser will easily decode the entities there and display the correct address, none of the spambots tested were able to do this. While not my first choice for protecting email addresses, this can easily be put in a noscript tag for visitors that do not have JavaScript enabled (see below).

Unfortunately, this approach, like the next two, is not human readable and is extremely tedious if you're typing individual addresses while reading off of a chart.

3) JavaScript Obfuscation

The third simply obfuscates the HTML with the mailto link. It's not human readable, but your browser can easily understand it.

John DoeJohn Doe

Your browser then understands that as 'John Doe'.

Underneath that, the escaped text is just a simple function that uses 'document.write' to display the proper HTML in your browser.

4) Obfuscated JavaScript Hybrid

Lastly, the obfuscated JavaScript hybrid uses a similar script to #1 above then escapes it as in the third method above:

John DoeJohn Doe

It is divided into 2 parts that are both required to get the proper address.

(For the mathematicians out there: The order of complexity is linear and not a change in magnitude. Nevertheless, of the many spambots tested, none were able to harvest any email addresses from anything except the first script where the wrong address was harvested. A change in order of magnitude becomes a moot point if even simple examples can't be handled properly. i.e. The exercise is only academic.)

To further make things difficult, you can take the JavaScript and put it in a *.js file then call it from the page like so:




Last edited by bholus10; 12-14-2009 at 06:53 AM.
Reply With Quote
  #2  
Old 12-14-2009, 06:54 AM
bholus10 bholus10 is offline
Award Winner
 
Join Date: Nov 2009
Posts: 10,043
Make no mistake. You can't escape death, taxes, or spam. The only thing you can do is try to reduce spam and prevent spammers from getting your email address *easily*. The following briefly explains why this is, and offers a balanced solution to make getting your email address as difficult as possible for spambot harvesters, while still making your site friendly for users.

There are a couple email gold-mines for spammers to get your address.

1) Malware on other people's computers
2) Harvesting addresses from web sites.

Malware on other people's computers harvests addresses and/or sends spam. The only way to stop that is for people to use anti-virus software and a firewall. But that's not anything that you can control.

Harvesting addresses from web sites is where you can make it either impossible, or extremely difficult for a spammer to get your email address. Your options are:

1) Don't put any addresses on your site

While this is obvious, it makes it pretty hard for potential customers to contact you. Not a good idea.

2) Use an email form

Email forms force you to rely on someone to type their email address properly so that you can respond to them. Though it guarantees that spambots can't "get your address", for legitimate users it reduces email reliability, and spammers can still use your email form to spam you directly. If you cannot respond to a potential customer because they accidentally mistyped their email address, you end up looking like the bad guy. Again, not a really great solution.

3) Use a graphic

Putting your email address in a graphic puts up an added barrier and forces your potential customers to type your email address. However, graphics do not offer any real advantage over obfuscation. The technology for OCR (Optical Character Recognition) and principles for cracking captchas are well understood and do not differ for what would be required to rip an email address out of a graphic. Combined with not being very user friendly, this is not the best option.

4) Use obfuscation

Obfuscation is your best bet to put up the most difficult barrier possible while still balancing usability and ease for your web site visitors. You stop spambots from harvesting your address and you still allow users to click on your email address.

Spam is all about numbers and costs have to be low to deal with the massive volumes that spammers need in order to get a sale/victim. CPU cycles are expensive. The more processing power you need, the more computers you need, and that all costs money and/or time. Obfuscation addresses this directly because it makes the processing power needed to extract an email address exorbitantly high.

Getting "johndoe@domain.com" out of simple text is easy. But how easy is it to get "johndoe@domain.com" out of this:



Perhaps just a little bit tougher? Actually, it's almost impossible for a spammer to get it. The script above isn't the real barrier. It's every other script on the Internet. If a spammer wants to get that address, their spambot email harvester must parse every single JavaScript on every page that they scan, and this costs processing power. What are the chances that a script contains an email address? Not very good. It's a total waste of time when there are already so many other people that don't protect their email addresses.

I've written a simple free utility, the Renegade Email Protector, that obfuscates email addresses 4 different ways:

1) JavaScript Hybrid

The first approach is simple for anyone to modify as it is human readable. It inserts random garbage into the email address and strips it out when someone hovers their mouse on the link:


John Doe

When a user then clicks, the RenegadeFix4E8tXtGz function has already replaced the garbage that's inserted into the address to reveal the correct address. Spambots will easily get "johndoe@4E8tXtGzdomain.com" out of it, but who cares? That wrong address will just waste their time.

2) Unicode Encoded (Entities)

The second approach encodes the email address in unicode entities and looks like this:

John Doe

While a browser will easily decode the entities there and display the correct address, none of the spambots tested were able to do this. While not my first choice for protecting email addresses, this can easily be put in a noscript tag for visitors that do not have JavaScript enabled (see below).

Unfortunately, this approach, like the next two, is not human readable and is extremely tedious if you're typing individual addresses while reading off of a chart.

3) JavaScript Obfuscation

The third simply obfuscates the HTML with the mailto link. It's not human readable, but your browser can easily understand it.



Your browser then understands that as 'John Doe'.

Underneath that, the escaped text is just a simple function that uses 'document.write' to display the proper HTML in your browser.

4) Obfuscated JavaScript Hybrid

Lastly, the obfuscated JavaScript hybrid uses a similar script to #1 above then escapes it as in the third method above:



It is divided into 2 parts that are both required to get the proper address.

(For the mathematicians out there: The order of complexity is linear and not a change in magnitude. Nevertheless, of the many spambots tested, none were able to harvest any email addresses from anything except the first script where the wrong address was harvested. A change in order of magnitude becomes a moot point if even simple examples can't be handled properly. i.e. The exercise is only academic.)

To further make things difficult, you can take the JavaScript and put it in a *.js file then call it from the page like so:


Just remember to strip the '<script>' tags when you save the script in the file.

Finally, for those visitors that do not have JavaScript enabled in their browser, you can use the unicode encoded method between noscript tags as follows:




While more complex algorithms could be designed, the above 4 methods work sufficiently to protect email addresses from spambot email harvesters.
Reply With Quote
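
Methods 1 and 2 from the post above, sketched as an added example that is not the Renegade Email Protector's own code (the post's scripts did not survive on this page). All function names are hypothetical; the address and junk token are the ones the post quotes, and `naiveHarvest` models a harvester that only runs a regex over raw page source.

```javascript
// Added example; function names are hypothetical, not the utility's own.
const TOKEN = "4E8tXtGz"; // junk token quoted in the post

// Method 2: encode every character as a decimal HTML entity.
function toEntities(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join("");
}

// What a browser's HTML parser does with numeric entities in an attribute.
function decodeEntities(text) {
  return text.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Method 1: insert the junk token right after "@" ...
function addJunk(address, token = TOKEN) {
  return address.replace("@", "@" + token);
}

// ... and strip it again, which is the job of the link's mouseover handler.
function stripJunk(href, token = TOKEN) {
  return href.split(token).join("");
}

// Markup for method 1, with method 2 as the <noscript> fallback.
function buildLink(address, label, token = TOKEN) {
  const fix = `this.href=this.href.split('${token}').join('')`;
  const noJs = toEntities("mailto:" + address);
  return `<a href="mailto:${addJunk(address, token)}" onmouseover="${fix}">${label}</a>` +
    `<noscript><a href="${noJs}">${label}</a></noscript>`;
}

// Harvester model: regex over raw source, no entity decoding, no script execution.
function naiveHarvest(source) {
  return source.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) || [];
}

const html = buildLink("johndoe@domain.com", "John Doe");
console.log(html);
console.log(naiveHarvest(html)); // only the junk-laden address is found
```

`decodeEntities` recovers the method 2 address in a single pass, so that variant only stops harvesters that skip entity decoding; the token-stripping handler is what keeps the real address out of the static markup.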