Velocity Reviews - Computer Hardware Reviews

Best email address encoding method for forms?

 
 
VestanPance
      10-08-2003
I have read tons of posts regarding this issue and am still not sure
what to do. I have a simple form that submits my addresses to
formmail. I have read about ASCII encoding the addresses...is this the
"best" way? I have also read about the java-script method...but I hear
that you lose the users that have this turned off in their browsers.

I know that there is NO way to absolutely prevent bots from harvesting
my addresses but I would like to minimize the chances.

Thanks,

SP
www.sean-paul.com for Cinema 4d resources
 
David Dorward
      10-08-2003
VestanPance <> wrote:

> I have read tons of posts regarding this issue and am still not sure
> what to do. I have a simple form that submits my addresses to
> formmail.

> I know that there is NO way to absolutely prevent bots from harvesting
> my addresses but I would like to minimize the chances.


If it's a form, use something with the email address hard coded in to the
script. Then it doesn't need to appear on the client side at all.

--
David Dorward http://dorward.me.uk/
 
EightNineThree
      10-08-2003

<VestanPance> wrote in message
news:(E-Mail Removed)...
> I have read tons of posts regarding this issue and am still not sure
> what to do. I have a simple form that submits my addresses to
> formmail. I have read about ASCII encoding the addresses...is this the
> "best" way? I have also read about the java-script method...but I hear
> that you lose the users that have this turned off in their browsers.
>
> I know that there is NO way to absolutely prevent bots from harvesting
> my addresses but I would like to minimize the chances.
>


Your best bet isn't to use Formmail
http://www.securityfocus.com/corpora..._q1_2002.shtml

"The Formmail package has become a favorite tool of spammers.

Formmail allows a website to email form submissions to an email account. If
left unpatched a malicious user can send spam simply by including the list
of target email addresses in an HTTP request to Formmail. This behavior
makes tracking down the origin of the spam difficult because the only place
the spammers IP address is saved is in the Web logs of the affected site.

FormMail is a widely-used web-based e-mail gateway, which allows form-based
input to be emailed to a specified user.

When the form is submitted, the commands will be executed on the host, with
the privileges of the webserver process. This might be leveraged by the
attacker to gain local access to the host. "


Use a better script for your contact form.
A good one is Phorm - http://www.phorm.com


--
Karl Core

At times one remains faithful to a cause only because its opponents do not
cease to be insipid.
Friedrich Nietzsche

eightninethree AT eightninethree.com


 
C A Upsdell
      10-08-2003
"EightNineThree" <(E-Mail Removed)> wrote in message
news:bm0r8t$47f$(E-Mail Removed)...
>
> <VestanPance> wrote in message
> news:(E-Mail Removed)...
> > I have read tons of posts regarding this issue and am still not sure
> > what to do. I have a simple form that submits my addresses to
> > formmail. I have read about ASCII encoding the addresses...is this the
> > "best" way? I have also read about the java-script method...but I hear
> > that you lose the users that have this turned off in their browsers.
> >
> > I know that there is NO way to absolutely prevent bots from harvesting
> > my addresses but I would like to minimize the chances.
> >

>
> Your best bet isn't to use Formmail
> http://www.securityfocus.com/corpora..._q1_2002.shtml
>
> "The Formmail package has become a favorite tool of spammers.
>
> Formmail allows a website to email form submissions to an email account. If
> left unpatched a malicious user can send spam simply by including the list
> of target email addresses in an HTTP request to Formmail. This behavior
> makes tracking down the origin of the spam difficult because the only place
> the spammers IP address is saved is in the Web logs of the affected site.


It is trivial to patch Matt's formmail.pl so that, instead of accepting the
recipient's email address as a parameter, it accepts a code that is mapped
to the proper email address. This way (a) no email addresses appear on web
pages from which spammers can harvest the addresses, and (b) it becomes
impossible for spammers to hijack formmail.pl.



 
Reply With Quote
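
The code-to-address mapping described in the post above, sketched as an added example that is not part of the original thread and is not taken from formmail.pl: the form submits a short code, the script resolves it against a server-side table, and it also refuses line breaks in header fields (a check that goes beyond what the post describes). The table, codes, addresses and function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Code-to-address table kept on the server. Codes and addresses are
# constructed sample values; only the codes ever appear in the HTML form.
my %RECIPIENTS = (
    sales   => 'sales@example.com',
    support => 'support@example.com',
);

# Map a submitted recipient code to its address. Anything that is not a
# known code (a literal address, a comma-separated list) yields undef,
# so a request cannot choose its own recipients.
sub resolve_recipient {
    my ($code) = @_;
    return unless defined $code && $code =~ /\A[a-z0-9_]{1,32}\z/;
    return $RECIPIENTS{$code};
}

# Refuse a value bound for a mail header if it contains CR or LF, which
# would let a submitter append header lines of their own.
sub safe_header_value {
    my ($value) = @_;
    return if !defined $value || $value =~ /[\r\n]/;
    return $value;
}

# Decide what to do with one submission; returns a one-line verdict.
sub handle_submission {
    my ($form) = @_;
    my $to = resolve_recipient($form->{recipient})
        or return 'reject: unknown recipient code';
    my $subject = safe_header_value($form->{subject});
    return 'reject: line break in subject' unless defined $subject;
    return "accept: To=$to Subject=$subject";
}

# Constructed sample submissions.
my @samples = (
    { recipient => 'sales',             subject => 'Quote request' },
    { recipient => 'a@x.test,b@y.test', subject => 'Hello' },
    { recipient => 'support',           subject => "Hello\r\nBcc: c\@z.test" },
);
print handle_submission($_), "\n" for @samples;
```

Only the first sample is accepted; the second is refused because it names addresses instead of a code, and the third because its subject carries an extra header line.
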
 
Jukka K. Korpela
      10-08-2003
VestanPance <> wrote:

> I have read tons of posts regarding this issue and am still not sure
> what to do.


Presumably you don't yet understand what the issue is.

> I have a simple form that submits my addresses to
> formmail.


Why?

> I have read about ASCII encoding the addresses...is this
> the "best" way? I have also read about the java-script method...but
> I hear that you lose the users that have this turned off in their
> browsers.


What is your problem? If you wish to make it possible to contact you,
you should disclose your contact address(es). Simple as that. Naturally
this, as anything, can be abused. Either you pay the price (and, for
example, take suitable filtering actions against spam), or decide that
it's too high, and then the logical conclusion is not to have Web
pages, or any Internet activity for that matter.

(A contact form should be just an alternative, hopefully something that
has some added value to the _user_.)

> I know that there is NO way to absolutely prevent bots from
> harvesting my addresses but I would like to minimize the chances.


Of course there is a way. Disconnect from the Internet _now_ and
never return. That is the safe way, and the only safe way. Naturally it
has its cost. But it's safe. Many other methods have been proposed, but
they are unsafe _and_ cause much more trouble than they could possibly
save.

Followups randomized as usual.

--
Yucca, http://www.cs.tut.fi/~jkorpela/
Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html


 
Todd H.
      10-09-2003
"Jukka K. Korpela" <(E-Mail Removed)> writes:
> VestanPance <> wrote:
>
> > I have read tons of posts regarding this issue and am still not sure
> > what to do.

>
> Presumably you don't yet understand what the issue is.
>
> > I have a simple form that submits my addresses to formmail.

>
> Why?
>
> > I have read about ASCII encoding the addresses...is this
> > the "best" way? I have also read about the java-script method...but
> > I hear that you lose the users that have this turned off in their
> > browsers.

>
> What is your problem? If you wish to make it possible to contact you,
> you should disclose your contact address(es). Simple as that. Naturally
> this, as anything, can be abused.


Jukka, what world are you living in? If you're like the rest of us,
the abundance of email worms and UCE have raised the bar so high that
it's no longer practical to leave exposed email addresses out on the
web and expect to maintain a productive email box.

> Either you pay the price (and, for example, take suitable filtering
> actions against spam), or decide that it's too high, and then the
> logical conclusion is not to have Web pages, or any Internet
> activity for that matter.


I maintain that's a nice ivory tower view that is no longer
applicable.

--
Todd H.
http://www.toddh.net/
 
PeterMcC
      10-10-2003
Todd H. wrote:
> "Jukka K. Korpela" <(E-Mail Removed)> writes:
>> VestanPance <> wrote:
>>
>>> I have read tons of posts regarding this issue and am still not sure
>>> what to do.

>>
>> Presumably you don't yet understand what the issue is.
>>
>>> I have a simple form that submits my addresses to formmail.

>>
>> Why?
>>
>>> I have read about ASCII encoding the addresses...is this
>>> the "best" way? I have also read about the java-script method...but
>>> I hear that you lose the users that have this turned off in their
>>> browsers.

>>
>> What is your problem? If you wish to make it possible to contact you,
>> you should disclose your contact address(es). Simple as that.
>> Naturally this, as anything, can be abused.

>
> Jukka, what world are you living in? If you're like the rest of us,
> the abundance of email worms and UCE have raised the bar so high that
> it's no longer practical to leave exposed email addresses out on the
> web and expect to maintain a productive email box.
>
>> Either you pay the price (and, for example, take suitable filtering
>> actions against spam), or decide that it's too high, and then the
>> logical conclusion is not to have Web pages, or any Internet
>> activity for that matter.

>
> I maintain that's a nice ivory tower view that is no longer
> applicable.


Mail filtering deals with the problem of spam/viruses - the benefits derived
from using a legitimate email address are simply too great to lose because
of the relatively minor and easily overcome inconvenience caused by spammers
and the like.

--
PeterMcC
If you feel that any of the above is incorrect,
inappropriate or offensive in any way,
please ignore it and accept my apologies.

 
Chris Morris
      10-10-2003
(E-Mail Removed) (Todd H.) writes:
> "Jukka K. Korpela" <(E-Mail Removed)> writes:
> > What is your problem? If you wish to make it possible to contact you,
> > you should disclose your contact address(es). Simple as that. Naturally
> > this, as anything, can be abused.

>
> Jukka, what world are you living in? If you're like the rest of us,
> the abundance of email worms and UCE have raised the bar so high that
> it's no longer practical to leave exposed email addresses out on the
> web and expect to maintain a productive email box.


Hmm. My address is on every usenet posting I make, and on quite a few
web pages. Between the server-side spam/virus filters and a few pages
of simple procmail filter at my end, I'm currently seeing only single
figure junk actually make it through each day.

That seems manageable to me.

--
Chris
 
Adrienne
      10-10-2003
Gazing into my crystal ball I observed (E-Mail Removed) (Todd H.) writing
in news:(E-Mail Removed):

> Jukka, what world are you living in? If you're like the rest of us,
> the abundance of email worms and UCE have raised the bar so high that
> it's no longer practical to leave exposed email addresses out on the
> web and expect to maintain a productive email box.
>
>> Either you pay the price (and, for example, take suitable filtering
>> actions against spam), or decide that it's too high, and then the
>> logical conclusion is not to have Web pages, or any Internet activity
>> for that matter.

>
> I maintain that's a nice ivory tower view that is no longer
> applicable.
>


I use my real email address as well. I also use Mailwasher
[http://www.mailwasher.net], and Pegasus mail client. The only real spam I
get is from my website, and Mailwasher automatically takes care of that,
and very rarely do I get spam at my regular address. Pegasus also has a
good spam filter, and I also filter HTML email to go to a special folder
that I usually delete anyway.

I have never gotten a virus/worm from an email, simply because I do not
open any attachments I am not expecting, and my mail client does not
"preview" messages in such a way that it can be exploited.

I think of it this way. Do you go to the beach without sunblock? If you
do, you know you can get burned. That's just the nature of the sun.

--
Adrienne Boswell
Please respond to the group so others can share
http://www.arbpen.com
 
Big Bill
      10-10-2003
On 10 Oct 2003 13:44:19 +0100, Chris Morris <(E-Mail Removed)>
wrote:

>(E-Mail Removed) (Todd H.) writes:
>> "Jukka K. Korpela" <(E-Mail Removed)> writes:
>> > What is your problem? If you wish to make it possible to contact you,
>> > you should disclose your contact address(es). Simple as that. Naturally
>> > this, as anything, can be abused.

>>
>> Jukka, what world are you living in? If you're like the rest of us,
>> the abundance of email worms and UCE have raised the bar so high that
>> it's no longer practical to leave exposed email addresses out on the
>> web and expect to maintain a productive email box.

>
>Hmm. My address is on every usenet posting I make, and on quite a few
>web pages. Between the server-side spam/virus filters and a few pages
>of simple procmail filter at my end, I'm currently seeing only single
>figure junk actually make it through each day.
>
>That seems manageable to me.


I'm seeing an average of 4000 emails a week, 99% of which are spam.
Lordy me, it takes forever to plough through the headers but it has to
be done.

BB
 