Comments on: Obfuscate no more: why your email address should go au naturale http://jasonpriem.com/2009/05/stop-obfuscating-email/ Sun, 20 Dec 2009 21:10:43 -0600 http://wordpress.org/?v=2.8.4 hourly 1 By: Bobby http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6607 Bobby Sun, 20 Dec 2009 21:10:43 +0000 http://jasonpriem.com/?p=228#comment-6607 I'm extremely inexperienced in javascript and web programming in general, so forgive me if this sounds dumb, but what do you think about using a text field and emailing yourself whatever text the user has entered? Is there a way to make this method more impregnable (as far as maintaining email address secrecy is concerned)? I know it doesn't take much to write a bot that spams such a system with messages, but methinks this presents a more controllable environment. On a different note, is there some way to use raw IP addresses instead of URLs that could throw a bot scanning for "x"@"y"."z" off balance without overly confusing a desirable emailer? Another possibility is the use of email aliasing. Maintain a single account for which you keep the direct address secret. Create an alias on an email server and use that alias "au naturale" in your sites, forwarding messages sent to it on to your central account. When you start to get too much spam through that alias, create a new one and repeat. Is this a reasonable solution, or am I misunderstanding some easy-to-foil step in this process? Finally, a comment: I notice you keep mentioning that even the most complex obfuscation methods are easily discovered and routed if someone just looks at the code. Well... since there are so many possibilities, any spammer (hell, any programmer) would be hard-pressed to write a bot that could break them all by automation. A spammer would have to look at the code personally for each potential address to be certain of even (I'm guessing) 50% success... why bother, when the spammer could just look at the email address directly as the browser renders it on the page? What I'm trying to say is, I don't see how "they can figure out how your code works by looking at it" is a reasonable argument against javascript-powered address obfuscation. The goal of obfuscation is to necessitate a human individual's involvement in the identification of your email address with minimal confusion to that individual... methinks a sophisticated javascript obfuscation method accomplishes that goal. I’m extremely inexperienced in javascript and web programming in general, so forgive me if this sounds dumb, but what do you think about using a text field and emailing yourself whatever text the user has entered? Is there a way to make this method more impregnable (as far as maintaining email address secrecy is concerned)? I know it doesn’t take much to write a bot that spams such a system with messages, but methinks this presents a more controllable environment.

On a different note, is there some way to use raw IP addresses instead of URLs that could throw a bot scanning for “x”@”y”.”z” off balance without overly confusing a desirable emailer?

Another possibility is the use of email aliasing. Maintain a single account for which you keep the direct address secret. Create an alias on an email server and use that alias “au naturale” in your sites, forwarding messages sent to it on to your central account. When you start to get too much spam through that alias, create a new one and repeat. Is this a reasonable solution, or am I misunderstanding some easy-to-foil step in this process?

Finally, a comment: I notice you keep mentioning that even the most complex obfuscation methods are easily discovered and routed if someone just looks at the code. Well… since there are so many possibilities, any spammer (hell, any programmer) would be hard-pressed to write a bot that could break them all by automation. A spammer would have to look at the code personally for each potential address to be certain of even (I’m guessing) 50% success… why bother, when the spammer could just look at the email address directly as the browser renders it on the page? What I’m trying to say is, I don’t see how “they can figure out how your code works by looking at it” is a reasonable argument against javascript-powered address obfuscation. The goal of obfuscation is to necessitate a human individual’s involvement in the identification of your email address with minimal confusion to that individual… methinks a sophisticated javascript obfuscation method accomplishes that goal.

]]> By: Rory http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6587 Rory Mon, 14 Dec 2009 11:11:29 +0000 http://jasonpriem.com/?p=228#comment-6587 Another thumbs up for gmail. On average a lottery win or african millionaire only gets through about once a month and to my knowledge (i do check my spam folder periodically), I have not missed any valid emails. Another thumbs up for gmail. On average a lottery win or african millionaire only gets through about once a month and to my knowledge (i do check my spam folder periodically), I have not missed any valid emails.

]]> By: Carter Cole http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6486 Carter Cole Fri, 13 Nov 2009 15:04:56 +0000 http://jasonpriem.com/?p=228#comment-6486 and the fact that foo@cool.com auto links as a mailto: anchor really helps... and the fact that foo@cool.com auto links as a mailto: anchor really helps…

]]> By: Carter Cole http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6485 Carter Cole Fri, 13 Nov 2009 15:04:03 +0000 http://jasonpriem.com/?p=228#comment-6485 with gmail any address that has periods in it are ignored as well as anything after the plus (+) so c.a.r.t.e.r@cartercole.com is the same as carter.@cartercole.com is the same as c.a.rter+spam@cartercole.com so i can filter or send any form of my address to spam and know where it was harvested from to get around this you could find addresses with gmail domain and remove everything after the + and the periods so its the clean version (unless the normal address has a period like carter.cole@dadada.com) with gmail any address that has periods in it are ignored as well as anything after the plus (+) so

c.a.r.t.e.r@cartercole.com is the same as
carter.@cartercole.com is the same as
c.a.rter+spam@cartercole.com

so i can filter or send any form of my address to spam and know where it was harvested from

to get around this you could find addresses with gmail domain and remove everything after the + and the periods so its the clean version (unless the normal address has a period like carter.cole@dadada.com)

]]> By: jason http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6142 jason Mon, 14 Sep 2009 00:02:04 +0000 http://jasonpriem.com/?p=228#comment-6142 Elton, I agree with you that "once the email is out there everyone can harvest it." In fact, my point is that we should be trying to make it easy to get. Most obfuscations challenge users more than spambots. I also agree that, for the time being, Javascript-based obfuscation holds the most promise. It's not a silver bullet, though, as I discuss in my post. The ATG product you mentioned (and <a href="http://www.pjapplications.com/software-antispam-mailto-tag-generator-email-obfuscator.php" rel=nofollow rel="nofollow">sell on your site</a> as a downloadable exe) is a good example. Let's take a look at what ATG cranks out: <code> <script type="text/javascript"> function SLMEJMBF(A){ var S = String.fromCharCode(109,97,105,108,116,111,58,116,101,115,» 116,64,101,120,97,109,112,108,101,46,99,111,109); A.href = S; } </script> <a href="#" onmouseover="SLMEJMBF(this);" onfocus="SLMEJMBF(this);">mail example</a> </code> For starters, if the client has javascript disabled, it breaks completely. That means tough luck, <a href="https://addons.mozilla.org/en-US/firefox/addon/722" rel="nofollow">NoScript</a> user: no email for you. This isn't an insurmountable problem, though; check out <a href="http://pipwerks.com/2009/02/01/obfuscating-email-addresses-revisited/" rel="nofollow">Philip Hutchison's</a> gracefully-degrading script, for example. Second, the "encryption" you use is pretty trivial. You rely on Javascript's "fromCharCode" method to read the munged address--<em>so can the harvester</em>. I added a simple function to my <a href="http://jasonpriem.com/obfuscation-decoder" rel="nofollow">de-obfuscator demo</a> to show how easy this is (it's example 11). If I can break this munge with a 10-line function in a few minutes, trust me: someone else already has. Granted, this gets a lot harder to beat if you get just a little trickier; for instance, you might try breaking the address down into 10 strings and then concatenate them out of order--now a simple regex isn't enough. But the basic problem hasn't gone away: your server dishes out your unencrypted Javascript to anyone who wants it, no questions asked. That makes it a fundamentally bad place to put secrets. Thanks for your comment, and good luck with ATG! Elton, I agree with you that “once the email is out there everyone can harvest it.” In fact, my point is that we should be trying to make it easy to get. Most obfuscations challenge users more than spambots.

I also agree that, for the time being, Javascript-based obfuscation holds the most promise. It’s not a silver bullet, though, as I discuss in my post. The ATG product you mentioned (and sell on your site as a downloadable exe) is a good example. Let’s take a look at what ATG cranks out:

<script type="text/javascript">
function SLMEJMBF(A){
var S = String.fromCharCode(109,97,105,108,116,111,58,116,101,115,»
116,64,101,120,97,109,112,108,101,46,99,111,109);
A.href = S;
}
</script>
<a href="#" onmouseover="SLMEJMBF(this);" onfocus="SLMEJMBF(this);">mail example</a>

For starters, if the client has javascript disabled, it breaks completely. That means tough luck, NoScript user: no email for you. This isn’t an insurmountable problem, though; check out Philip Hutchison’s gracefully-degrading script, for example.

Second, the “encryption” you use is pretty trivial. You rely on Javascript’s “fromCharCode” method to read the munged address–so can the harvester. I added a simple function to my de-obfuscator demo to show how easy this is (it’s example 11).

If I can break this munge with a 10-line function in a few minutes, trust me: someone else already has. Granted, this gets a lot harder to beat if you get just a little trickier; for instance, you might try breaking the address down into 10 strings and then concatenate them out of order–now a simple regex isn’t enough.

But the basic problem hasn’t gone away: your server dishes out your unencrypted Javascript to anyone who wants it, no questions asked. That makes it a fundamentally bad place to put secrets.

Thanks for your comment, and good luck with ATG!

]]> By: Elton Hoxha http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6140 Elton Hoxha Sun, 13 Sep 2009 16:48:35 +0000 http://jasonpriem.com/?p=228#comment-6140 Just like everyone else I got attacked by unwanted emails on a daily bases, so I went on a quest to find a solution to stop it. Part 1 The first step I took was jumping on the other side of the river and think like a spammer. I started to search for software that does the harvesting of emails on the internet. Using keywords such as "emails, harvest and extract" on Google and I ended up looking at hundreds of software listings, offering an easy way to attack unprotected emails in a few steps... I picked up software, called EmailSpiderGold to test. Within a couple of hours I ended up in harvesting 15000 webmasters emails to use on my discretion. Along the way I learned that, on the open are several ways to verify that those emails are active as the very developers also offer Email Verifiers which along many characteristics it checks the validity of recipient's e-mails addresses by connecting to SMTP-servers and simulating the sending of a message and they work pretty smart too as they disconnect as soon as the mail server informs the program whether the address exists or not. On this conclusion we end up thinking that once the email is out there everyone can harvest it and use it without discretion for their own purpose. Part 2 Solutions... I came across to several solutions being offered to prevent the emails from harvesting campaigns. Amongst them I found some interesting ones using java scripts to obfuscate the coding on the page. Strangely, I didn’t come across with anyone using their own encryption to publish their email on the web page. Their lack of confidence was the answer for me. Accidentally I got in touch with an old time software developer that shared the same frustration named Peter Johansson; together we joined forces and experiences to develop a shield to the issue. Only recently we had a winner called ATG, an Anti-Spam Tag Generator with advanced features that hides the real address from robotic harvesters. We tested it and it has proved to work. E.Hoxha Just like everyone else I got attacked by unwanted emails on a daily bases, so I went on a quest to find a solution to stop it.
Part 1
The first step I took was jumping on the other side of the river and think like a spammer. I started to search for software that does the harvesting of emails on the internet.
Using keywords such as “emails, harvest and extract” on Google and I ended up looking at hundreds of software listings, offering an easy way to attack unprotected emails in a few steps…
I picked up software, called EmailSpiderGold to test. Within a couple of hours I ended up in harvesting 15000 webmasters emails to use on my discretion.
Along the way I learned that, on the open are several ways to verify that those emails are active as the very developers also offer Email Verifiers which along many characteristics it checks the validity of recipient’s e-mails addresses by connecting to SMTP-servers and simulating the sending of a message and they work pretty smart too as they disconnect as soon as the mail server informs the program whether the address exists or not. On this conclusion we end up thinking that once the email is out there everyone can harvest it and use it without discretion for their own purpose.
Part 2
Solutions…
I came across to several solutions being offered to prevent the emails from harvesting campaigns. Amongst them I found some interesting ones using java scripts to obfuscate the coding on the page.
Strangely, I didn’t come across with anyone using their own encryption to publish their email on the web page.
Their lack of confidence was the answer for me.
Accidentally I got in touch with an old time software developer that shared the same frustration named Peter Johansson; together we joined forces and experiences to develop a shield to the issue. Only recently we had a winner called ATG, an Anti-Spam Tag Generator with advanced features that hides the real address from robotic harvesters. We tested it and it has proved to work.

E.Hoxha

]]> By: anmari http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-5547 anmari Fri, 10 Jul 2009 02:41:58 +0000 http://jasonpriem.com/?p=228#comment-5547 Yes!! Stop obfuscating and Yes!! Use Gmail... I left Gmail for a short period for various reasons (I am using IMAP to have best of both worlds, and temporarily unforwarded my personal domain from my gmail for awhile) - after a week or so of dealing with the spam, I was running back to gmail - it is far away the most accurate spam detector around. Yes!! Stop obfuscating and
Yes!! Use Gmail… I left Gmail for a short period for various reasons (I am using IMAP to have best of both worlds, and temporarily unforwarded my personal domain from my gmail for awhile) – after a week or so of dealing with the spam, I was running back to gmail – it is far away the most accurate spam detector around.

]]> By: jason http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-5272 jason Thu, 25 Jun 2009 20:01:19 +0000 http://jasonpriem.com/?p=228#comment-5272 @Gmail guy: now that's some impressive putting your money where your mouth is. @Jeremy: "It is hard enough to get users to contact...anything that gets in the way...is too much." Exactly. Because contact is so important, I would think this is the last place you want to put <em>any</em> kind of obstacle in front of the user. @Gmail guy: now that’s some impressive putting your money where your mouth is.

@Jeremy: “It is hard enough to get users to contact…anything that gets in the way…is too much.” Exactly. Because contact is so important, I would think this is the last place you want to put any kind of obstacle in front of the user.

]]> By: jason http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-5271 jason Thu, 25 Jun 2009 19:57:27 +0000 http://jasonpriem.com/?p=228#comment-5271 Baxil, I see where you are coming from; I staked out a pretty extreme position in my original post partly for the sake of argument. That said, though, I'm not I'm very convinced by your case. You say that "spam *filtering* is a problem for your users;" I don't see how that's true. You offer two choices: <blockquote>either to a mailbox full of crap that users’ letters get lost in, or to aggressive filtering that prevents you from seeing their messages in the first place.</blockquote> But I see at least two other options: <ul> <li>better spam filtering or</li> <li>more permissive spam filter settings and more "eyeball filtering"</li> </ul> True, manually scanning through lot of spam is a pain for you--but that was my whole point. It's a pain for <em>you</em>, not your users. Baxil, I see where you are coming from; I staked out a pretty extreme position in my original post partly for the sake of argument. That said, though, I’m not I’m very convinced by your case.

You say that “spam *filtering* is a problem for your users;” I don’t see how that’s true. You offer two choices:

either to a mailbox full of crap that users’ letters get lost in, or to aggressive filtering that prevents you from seeing their messages in the first place.

But I see at least two other options:

  • better spam filtering or
  • more permissive spam filter settings and more “eyeball filtering”

True, manually scanning through lot of spam is a pain for you–but that was my whole point. It’s a pain for you, not your users.

]]> By: Jeremy Chatfield http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-5244 Jeremy Chatfield Wed, 24 Jun 2009 11:57:14 +0000 http://jasonpriem.com/?p=228#comment-5244 I'm with Jason; the burden should be on the spammers, not the users. I am worried about false identification - I tend to regularly scan my caught spam as I do find too much real stuff trapped. However, that's *my* burden, nor the sender's burden. Having managed Tech Support and been engaged in customer service and marketing, it is hard enough to get users to contact with queries, problems and purchases. Anything that gets in the way, including a few seconds of checking and rekeying, is too much. I’m with Jason; the burden should be on the spammers, not the users. I am worried about false identification – I tend to regularly scan my caught spam as I do find too much real stuff trapped. However, that’s *my* burden, nor the sender’s burden.

Having managed Tech Support and been engaged in customer service and marketing, it is hard enough to get users to contact with queries, problems and purchases. Anything that gets in the way, including a few seconds of checking and rekeying, is too much.

]]>