email address obfuscation

 
 
cwdjrxyz
      10-11-2006

dorayme wrote:
> Anyone here using methods to make it more difficult for spammers
> to garner email addresses from web pages. Mostly interested to
> hear from anyone using specific methods (rather than anything
> else like further reviews, analyses of the ultimate effectiveness
> etc, having things like "removeThis" inside the email address
> that is in the "mailto:").
>
> I had a client recently ask me to "do something" about the spam
> coming from his website. I want to do better than tell him to get
> the best spam filter he can, both on his local and on his server
> end via his host. There is a javascript thing I used to use but
> these days I am interested in being able to get by without it.
> so, any suggestions will be welcome, especially if they are
> actually being used by the suggester (not someone else they know
> or have heard of... take this as a compliment)


Several methods that work at least somewhat have been mentioned. Most
of us likely need several email addresses. I have noticed that many
large companies use addresses that can not be answered for contacting
people. All questions have to go to the main address. Some like to use
CGI feedback forms without a mention of a specific address. However
this is not without risk, since a virus can be fed to a server in this
way unless the CGI feedback is not very carefully constructed. There
are people who will put a scripted virus in the feedback box. Limiting
the size of the feedback and not allowing it to contain script helps in
this respect. And of course, do not use a good address on Usenet posts.
I use one at my domain for posting that does not allow any response -
everything is dumped. Then I have addresses used only for friends,
finance, etc. These seldom get spam, so I usually do not have to
configure to allow only mail from those on a list.

 
Nikita the Spider
      10-11-2006
In article <xKudndrPlrGuJbHYnZ2dnUVZ8s->,
"Brian Cryer" <> wrote:

> "Nikita the Spider" <> wrote in message
> news:NikitaTheSpider-.
> ..
> > In article
> > <doraymeRidThis->,
> > dorayme <> wrote:
> >
> >> Anyone here using methods to make it more difficult for spammers
> >> to garner email addresses from web pages. Mostly interested to
> >> hear from anyone using specific methods (rather than anything
> >> else like further reviews, analyses of the ultimate effectiveness
> >> etc, having things like "removeThis" inside the email address
> >> that is in the "mailto:").

> >
> > I've set up several spamtrap addresses to study this. Eventually I'll
> > write a short article about my findings, but in the meantime I'll
> > summarize here. I have three email addresses all on the same page. One
> > is naked (i.e. just ), one is entity encoded (i.e.
> > &#x66;&#x6f;&#x6f; etc.) and one is added to the page by Javascript.
> > The number of spams each has gotten to date is as follows:
> >
> > naked - 715
> > entities - 2
> > javascript - 1

>
> Given how easy it is to translate I'm amazed that the encoded version is so
> effective. Just goes to show that spammers are stupid as well as sad.


I was also surprised by this result, but I can think of two reasons why
harvesting bots might ignore any non-naked addresses, even if they're
easy to translate. First, the harvesters might feel that anyone who is
savvy enough to obfuscate his email address isn't likely to respond to
spam anyway. Second, the harvesters might see no shortage of
un-obfuscated addresses, so why go to the trouble of harvesting the
small number of obfuscated ones? It's this latter theory that I prefer
because laziness is a powerful (and common) motivator.

--
Philip
http://NikitaTheSpider.com/
Whole-site HTML validation, link checking and more
 
Nikita the Spider
      10-11-2006
In article
<doraymeRidThis->,
dorayme <> wrote:

> In article
> <NikitaTheSpider-
> t.rr.com>,
> Nikita the Spider <> wrote:
> > I've set up several spamtrap addresses to study this. Eventually I'll
> > write a short article about my findings, but in the meantime I'll
> > summarize here. I have three email addresses all on the same page. One
> > is naked (i.e. just ), one is entity encoded (i.e.
> > &#x66;&#x6f;&#x6f; etc.) and one is added to the page by Javascript.
> > The number of spams each has gotten to date is as follows:
> >
> > naked - 715
> > entities - 2
> > javascript - 1
> >
> > In short, the entities look pretty effective to me. They're nice because
> > they don't disturb one's visitors at all and you don't have to mess
> > around with any Javascript.
> >

> It would be nice to actually know how the 2 and 1 got through...


One of the two was a standard 419 scam (see http://www.419eater.com/ if
you're not familiar with these) so I could believe that an actual human
clicked on the link. But the one that got through to both the
Javascript- and entity-protected one was a garden variety spam. It
really surprises me that I got only one. I figured that once I was on
the list, the floodgates would open.


> But, this is not always acceptable. I have no idea how the robots
> work, how clever they are, whether they in fact look at source or
> output or both.


I'd be surprised if any do more than look through the source.

> Your stats would be more meaningful if you could
> say more about the implementation. Interesting experiment though,
> Spider. Look forward to your article.


Thanks, will explain methodology, implementation, etc. and post a link
to the article here eventually.

--
Philip
http://NikitaTheSpider.com/
Whole-site HTML validation, link checking and more
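
The entity-encoding approach described in the posts above, as an added example that is not part of any post in this thread: it encodes an address as hexadecimal character references and audits a page for addresses visible in raw source versus only after the references are decoded. The function names, the simplified address pattern and the example.com sample page are assumptions made for illustration.

```python
import html
import re

# Deliberately simple pattern for auditing your own pages (assumption:
# good enough for ordinary addresses, not a full RFC 5322 matcher).
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text):
    """Encode every character as a hex character reference (&#x66; for 'f')."""
    return "".join(f"&#x{ord(ch):x};" for ch in text)


def mailto_link(address):
    """Build an anchor whose href and link text are both entity encoded."""
    href = entity_encode("mailto:" + address)
    return f'<a href="{href}">{entity_encode(address)}</a>'


def audit(page_source):
    """Split addresses into those readable in raw source and those that
    only appear once character references are decoded, as a browser does."""
    naked = set(ADDRESS_RE.findall(page_source))
    decoded = set(ADDRESS_RE.findall(html.unescape(page_source)))
    return {"naked": sorted(naked), "entity_only": sorted(decoded - naked)}


# Constructed sample page using reserved example.com addresses.
SAMPLE_PAGE = (
    '<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>\n'
    "<p>Support: " + mailto_link("support@example.com") + "</p>\n"
)

if __name__ == "__main__":
    print(mailto_link("foo@example.com"))
    print(audit(SAMPLE_PAGE))
```

Anything listed under "naked" is readable by a tool that only scans raw source; anything under "entity_only" needs one decoding pass, which is the gap the spam counts in this thread are measuring.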
 
John Dunlop
      10-11-2006
cwdjrxyz:

> And of course, do not use a good address on Usenet posts.


Rubbish.

--
Jock

 
dorayme
      10-11-2006
In article <m4OdnWRVb->,
"Brian Cryer" <> wrote:

> "dorayme" <> wrote in message
> news:doraymeRidThis-...
> > Anyone here using methods to make it more difficult for spammers
> > to garner email addresses from web pages. Mostly interested to
> > hear from anyone using specific methods (rather than anything
> > else like further reviews, analyses of the ultimate effectiveness
> > etc, having things like "removeThis" inside the email address
> > that is in the "mailto:").


> I'm sure you already know this, but: Whatever technique you decide to use
> (unless you go the route of a better spam filter) be sure to ditch the
> existing email address. Once you are on a spammer's mailing list it's unlikely
> that you will ever get off it. So there is no point deploying a
> "super-anti-spam" technique with an email address that already gets tons of
> spam.


I know what you mean. Looking on the bright side though, after a
while, without any response, without fresh harvesting, there
would start to be a reduction perhaps... after the point of
encoding provisions being made.

--
dorayme
 
dorayme
      10-11-2006
In article
<. com>,
"John Dunlop" <usenet+> wrote:

> [re e-mail address obfuscation]
>
> jojo:
>
> > You can improve that: use HTML-Entities for "mailto:" and hex-entities
> > (%41 for A) for the email-address itself.

>
> ...the one going against if not the word then the spirit of HTML4.01,
> the other against the spirit of RFC3986. Character references were
> made for when it is inconvenient or impossible to enter a character
> directly, for example, when there is no key for it on the keyboard or
> the character isn't displayable.
>


Ah but you see, it is like this Jock, recall, for example,
Burning Mississippi. Gene Hackman, second in command of an FBI
hunt is rearing to bring in his team of ex-crim
mission-impossible not-totally-law-abiding but
now-on-the-side-of-the-good-guys to break the back of the
low-down no-good scumbag-leadership of the KKK responsible for a
triple murder. The FBI leader, Agent Alan Ward, makes your sort
of speech, and holds out for high principles and gets bloody
nowhere! Things start to happen soon as the fabulously
charismatic Hackman is allowed to follow his instincts.

> likewise attempts at
> obfuscating markup - are trivial to bypass, even by e-mail address
> harvesters. I should emphasize that I'm not saying that attempts at
> obfuscation will universally fail, only that it takes little effort to
> overcome them.
>


If it is so little effort, what is your theory about why it is so
effective (if it is as recent indications suggest)? Perhaps I can
help you:

Similar speeches are made like yours about the value of security
bars on windows and doors. "Ha", says my neighbour opposite, "I
could get through with a good crowbar in 15 secs!".

Sure he could - if he wants to die by the claws of my specially
and lovingly trained 16 year old cat.

The point is this though: robbers tend to go for the low lying
fruit first and there is plenty enough of that to go around. Do
you understand what I am saying? No need to crash through even
slightly heavier security.

--
dorayme
 
Jukka K. Korpela
      10-11-2006
Scripsit dorayme:

> Anyone here using methods to make it more difficult for spammers
> to garner email addresses from web pages.


Removing all of one's web pages is sometimes suggested as the only sure
method, but even it isn't sure at all, of course. Think about
www.archive.org.

> I had a client recently ask me to "do something" about the spam
> coming from his website.


Tell them to contact a specialist on such matters if they can't handle it.
Spam isn't an HTML problem any more than terrorism, lack of good sex, or poverty
is.

> I want to do better than tell him to get
> the best spam filter he can,


Why would you want to do better than the real thing? I guess you are
thinking of suggesting something _else_, like "email address protection"
snake oil. I hope you now realize how ridiculous the idea is.

Either they do some spam filtering, or they don't. Either way, email address
obfuscation does not protect them from spam but _will_ damage their
business by damaging communication, style, and impression.

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/

 
dorayme
      10-12-2006
In article <fUeXg.4244$>,
"Jukka K. Korpela" <> wrote:

> Scripsit dorayme:
>
> > Anyone here using methods to make it more difficult for spammers
> > to garner email addresses from web pages.


>
> > I had a client recently ask me to "do something" about the spam
> > coming from his website.

>
> Tell them to contact a specialist on such matters if they can't handle it.
> Spam isn't an HTML problem any more than terrorism, lack of good sex, or poverty
> is.
>


I have already said to do the spam filtering. It is the other bit
of what you say that I don't want to communicate. I don't
honestly. I know, you are right about an ideal world. If there is
something a little impure that helps, I will use it if all I see
are mainly theoretical objections.

> > I want to do better than tell him to get
> > the best spam filter he can,

>
> Why would you want to do better than the real thing? I guess you are
> thinking of suggesting something _else_, like "email address protection"
> snake oil. I hope you now realize how ridiculous the idea is.


Well, yes actually. But it really does not seem to me ridiculous,
even though it is not really kosher. What I do find ridiculous is
the idea of being purer than the practicalities dictate. When a
pedestrian stop light is on, Australians will tend to wait till
it goes green, even if there is not a car in sight. French people
are not so ridiculous and express surprise at this behaviour when
visiting here.
>
> Either they do some spam filtering, or they don't. Either way, email address
> obfuscation does not protect them from spam but _will_ damage their
> business by damaging communication, style, and impression.


Well, I would like to see the evidence for this as it might
relate to various cases in my patch. If you were right, it would
indeed be a reason not to.

I was aware of this response when I posted. And was not looking
forward to it. But I think you are right to have expressed it so
as to dampen any ideas that it is a wholesome thing to do. I have
no illusions: I am a fallen being.

As often though, I do think about what you say and will probably
end up further emphasising the proper way to go, ie. to put in
the best spam filters/blockers they can and to point them to
resources to do this... So, thank you.

--
dorayme
 
Joe (GKF)
      10-12-2006
In article <doraymeRidThis-8ECD87.10273011102006@news-
vip.optusnet.com.au>, says...
> In article < >,
> Joe <> wrote:
>
> > In article <doraymeRidThis-BBFC72.08183911102006@news-
> > vip.optusnet.com.au>, says...
> > > Anyone here using methods to make it more difficult for spammers
> > > to garner email addresses from web pages.
> > > ...
> > >

> > I've been using the 'hash entity' method for years.
> > Anyway, check it at http://graspages.cjb.cc/emailme.php

>
> Thanks Joe. I found something to make your technique easier at
> http://www.wbwip.com/wbw/emailencoder.html and have already used


shiny! and arguably better than my usual 'back of an envelope'
technique, which involves memorising "At 64 dot 46". Then I normally
have to look up 'a'.


> his arm and hand stretched out to push all comers away as Rugby
> players do... (I know how analogies tickle you pink...)


pinking up nicely, ta.
>
> Just what I wanted, someone to say something to get me going!

my pleasure.
 
John Dunlop
      10-12-2006
dorayme:

[re overcoming e-mail address obfuscation]

> If it is so little effort, what is your theory about why it is so
> effective (if it is as recent indications suggest)? Perhaps I can
> help you:


No help needed, dorayme, thank you. Someone in this thread has already
advanced a plausible theory: laziness. Even the slightest extra
effort is too much because unobfuscated e-mail addresses are plentiful,
easy pickings even. No need to stretch.

> The point is this though: robbers tend to go for the low lying
> fruit first and there is plenty enough of that to go around. Do
> you understand what I am saying? No need to crash through even
> slightly heavier security.


Yes, but I am merely pointing out that obfuscating e-mail addresses is
inferior to real security; I am not claiming to know what harvesters
actually do!

Mind that old axiom 'security by obscurity gives a false sense of
security'?

And, as I've explained, the techniques to obfuscate e-mail addresses
proposed in this thread run contrary to the spirit of Internet
specifications. That a construct is included in a specification is
hardly license to exploit it.

Deal with spam at your end; don't pass the buck.

--
Jock

 