Re: cloak e-mail addresses!

Have you measured the CPU load from generating images in this fashion?

Alternatively, import text into a Flash object dynamically.  You then only need to store a single Flash object as everyone uses the same one.  On the server-side just pass in the email address to be displayed.

Get your UK business listed for free in the UK Business Index!

Re: cloak e-mail addresses!

No, I haven't but common sense tells me that involving any kind of image processing for every pageview of viewtopic.php is a BAD idea.

Flash is out of the question because then people will have to install the flash player.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cloak e-mail addresses!

webstar: http://punbb.org/about.php - Read it, understand it

29 (edited by webstar 2004-05-14 22:34)

Re: cloak e-mail addresses!

Jansson wrote:

webstar: http://punbb.org/about.php - Read it, understand it

I have read it.  Is there a point in particular you think I'm missing out on?

BTW - You've just reminded me about an article I read earlier this evening...


SitePoint wrote:

"Didn't you read page 633 of the manual?" attitude that isn't any fun at all. Make your new members feel comfortable and at ease, answer their questions in a fast, polite, and friendly way, and they'll be more likely to post again.

I won't hold it against you though ;)

Re: cloak e-mail addresses!

Rickard wrote:

No, I haven't but common sense tells me that involving any kind of image processing for every pageview of viewtopic.php is a BAD idea.

I would certainly agree with that, but didn't the OP specify the mailto links in the member profiles and not the thread pages?

mindplay wrote:

E-mail harvesters are collecting users' email addresses from the mailto links on the profile pages!

Perhaps add in some user-agent detection.  Although some harvesters may try to mimic genuine browsers it might block some.

Rickard wrote:

Flash is out of the question because then people will have to install the flash player.

If you believe Macromedia's statistics then the majority of people will have this plug-in already installed ;)

Re: cloak e-mail addresses!

webstar wrote:
Jansson wrote:

webstar: http://punbb.org/about.php - Read it, understand it

I have read it.  Is there a point in particular you think I'm missing out on?

BTW - You've just reminded me about an article I read earlier this evening...

Hehe :P

Well, I wasn't trying to be rude. My point was that PunBB is made to be simple and fast. And the idea of using GD is, as Rickard said, horrible.

Re: cloak e-mail addresses!

Jansson: Be nice! :)

webstar wrote:

I would certainly agree with that, but didn't the OP specify the mailto links in the member profiles and not the thread pages?

The OP? The e-mail address is visible in both the profile and in the topic view.

webstar wrote:

If you believe Macromedia's statistics then the majority of people will have this plug-in already installed ;)

Are you pulling my leg or do you seriously think outputting the e-mail address as a swf for the 1% or so who choose to have their e-mail address visible is a good idea?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cloak e-mail addresses!

:)

It may well be proved to be too costly CPU-wise, but if it's confined to member profile pages only then maybe it wouldn't be so bad.  Anyway, it was just an idea.  Still, I wonder what the load would be like with a 'normal' amount of everyday traffic with perhaps a harvester or two onboard...

Re: cloak e-mail addresses!

Rickard wrote:

Are you pulling my leg or do you seriously think outputting the e-mail address as a swf for the 1% or so who choose to have their e-mail address visible is a good idea?

If it's only 1% then the load shouldn't be an issue then?  If you're suggesting that it's not worth coding something like this for such a small minority then I would probably agree that it's not really worthy.

I'm not suggesting it's a good idea.  It's just an idea for discussion!

Personally, I think the current system of using a form-to-email is a good idea and helps to protect those that don't know better.  It also protects against the smarter harvesters that might be able to perform OCR on images or even read Flash and embedded mailto links (I've seen some links that Google had indexed even though they were in a Flash object).

Re: cloak e-mail addresses!

Hey Rickard,

Would something like this work, without putting too much overhead on the server?

<?php
$At = "@";
$Alias = "yadda";
$Suffix = "yadda.net";
$WholeEmail = $Alias.$At.$Suffix;
echo "<a href=\"mailto:".$WholeEmail."?subject=Testing\">yadda</a>";
?>

Obviously, you would have to fill in the parameters with variables, but you get the idea.  I'm not even sure this method would work.  It seems like it does.  Just curious if this would provide an adequate solution.

As for spammers being able to farm email from the bbs, I would have to say with an emphatic YES - that is a LARGE concern.

I recognize you're trying to keep PunBB as lightweight and "bloatwareless" as is possible, on the other hand, I would hate to see a potential user base shy away from PunBB because of spammers being able to farm clients email links from their website.

Please don't discount the importance of providing spam-proof links in PunBB, as a lot of users won't view the absence as a way to keep PunBB light, as much as an oversight.

Just my 2 cents.  :>)

Re: cloak e-mail addresses!

Raybo: You've misunderstood it. We want to prevent the e-mail address from being visible in the HTML code. Your code unfortunately doesn't change anything.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cloak e-mail addresses!

I agree, using Flash is overkill, and a bad idea for other reasons already mentioned here.

I still don't see the problem in using JavaScript though - yes, there are about 6% of users who have it disabled, but they will still be able to see (and thus copy/paste) the e-mail address displayed by the <NOSCRIPT> tag, and they will be able to use form-mail (again, use <NOSCRIPT> on the profile page) to contact persons.

With 60% of the world's email volume being spam today, I don't think it's a waste of time or effort for us to be having this discussion - being able to safely display your email address in public, without the fear of getting harvested by satan's little helpers, would be a great feature; it's simple to implement, and it's one of those crucial little features that could make PunBB stand out from the crowd :)

Re: cloak e-mail addresses!

so, what are the proofs that using javascript really 'disables' the spambots?

I would never ever publish an email address of mine on the internet if I never want spam in that...  I have one account that I use for non spam issues (employment contacts etc.), and a few that I have publicly available, where I'm aware that I might get it spammed to death ...

but, I don't see why one javascript would make it "safe" ... safety is more or less just a time issue IMHO ... how long will it take for those that can 'sense' that this kind of javascript is in action, and still parse the email addresses? I don't think too long... as spammers make money, and they want to get new fresh mails ... and when parsing... it's easy to find that javascript ...

IMHO, there's only one way to be "safe" from spam, and that's not to show the mail in any way...

Re: cloak e-mail addresses!

Frank H wrote:

so, what are the proofs that using javascript really 'disables' the spambots?

well, we've been using the JavaScript cloak on this site for nearly three years now, and I have received very little spam on my email address which is shown there; sometimes maybe 1-2 mails per week or so, which is very good by today's standard, and I'm pretty sure these came from other sites where my email address might have been displayed. We do not use any kind of spam filtering on our server. I get as many virus mails as the next guy of course, but this will happen regardless, as anyone with your email address in their address book who gets hit by a virus, will start distributing your email address to other hosts and infect those etc., but that's another discussion really.

Frank H wrote:

I would never ever publish an email address of mine on the internet if I never want spam in that...

you and I are smart enough to know that this is the only way to be truly safe, but most people are not - so the question is, do we care about those less fortunate people, or is "their own damn fault"? I am passionately against spam, and anything I can do to screw things up for the spammers, I am happy to do ;)

Frank H wrote:

but, I don't see why one javascript would make it "safe" ... safety is more or less just a time issue IMHO ... how long will it take for those that can 'sense' that this kind of javascript is in action, and still parse the email addresses? I don't think too long... as spammers make money, and they want to get new fresh mails ... and when parsing... it's easy to find that javascript ...

easy to find, but certainly not easy to run - I doubt if any of them will really make their own JavaScript parser just to get those few extra email addresses ... there are MASSES of completely unprotected pages from which they can rip billions of email addresses daily; a few hundred or even a few thousand email addresses won't make any difference to these people.

even if they did care enough to do it, I doubt they'd be able to do it in the first place - a JavaScript parser is not simple ... bear in mind, in order to get the email address, you have to not just parse, but actually execute the JavaScript, and if they did that, they'd also be running tons of other scripts; and there would be loads of other stuff they'd have to take into account then, like stopping popups, emulating the browser object and the entire DOM to keep scripted menus and effects from breaking the execution, etc.

Frank H wrote:

IMHO, there's only one way to be "safe" from spam, and that's not to show the mail in any way...

still true, but still not an excuse to sit back and not do anything about the problem - quite the contrary :) ... and if the only other option is to not allow people to show their email addresses at all, then I'd rather take the second-best option and at least leave them with a choice.

Re: cloak e-mail addresses!

On the previous page I wrote that I'm considering this. Going on and on about it won't affect my decision.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cloak e-mail addresses!

So you're still considering it, but nothing can affect your decision - yeah, that makes sense ;)

Re: cloak e-mail addresses!

mindplay wrote:

So you're still considering it, but nothing can affect your decision - yeah, that makes sense ;)

Yes. Not even money will affect my decision :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cloak e-mail addresses!

mindplay wrote:
Frank H wrote:

so, what are the proofs that using javascript really 'disables' the spambots?

well, we've been using the JavaScript cloak on this site for nearly three years now, and I have received very little spam on my email address which is shown there; sometimes maybe 1-2 mails per week or so, which is very good by today's standard, and I'm pretty sure these came from other sites where my email address might have been displayed. We do not use any kind of spam filtering on our server. I get as many virus mails as the next guy of course, but this will happen regardless, as anyone with your email address in their address book who gets hit by a virus, will start distributing your email address to other hosts and infect those etc., but that's another discussion really.

Not much more than I get on my hotmail account I use almost everywhere (the mail I have here is a forwarder to my hotmail) ... and I have had this email for more than 2-3 years ... had a spam peak half a year ago (a total of 20 mails over 1½ week), but I forwarded a few to abuse@ISP ... and now I have usually fewer than 2 per week ... and I have done a lot of "bad stuff" with that email ... some of the 'unsubscribe from spam list' things really seem to work ... but there are rumors that these are a 'confirmation' thingie ;)

Rickard wrote:
mindplay wrote:

So you're still considering it, but nothing can affect your decision - yeah, that makes sense ;)

Yes. Not even money will affect my decision :)

But I guess you wouldn't mind people trying :D



Well I just had to put this into the discussion ... that the cloak isn't "safe", nothing displayed on internet is safe, it can be abused ... just perhaps "safer" for some kind of spam bots, than with clear text ... as you say ... there's billions of emails ... so they first need to aim the bot at the right forum first ;)

Whatever Rickard chooses to do ... there's always a possibility to add a mod to add some JavaScript ;)

Re: cloak e-mail addresses!

I will review mindplay's suggestion from the previous page and see if I can't make it a little more "neat".

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cloak e-mail addresses!

Frank H wrote:

some of the 'unsubscribe from spam list' things really seem to work ... but there are rumors that these are a 'confirmation' thingie ;)

I'd say about 90% of them are. But it's probably not a big deal as you're using Hotmail, I hear it has really good spam filtering :)

Re: cloak e-mail addresses!

General comments (from a little experience).

1. Percentage of browsers with javascript disabled is nowhere near 8%.  Maybe in years gone by - but not now.  Probably in the 1-3% range.  The web (commercial websites) is pretty much useless without javascript.  *Most* users are not techies like us and, unfortunately, we make up much less of a percentage than we used to ;)

2. Graphic versions - no way - I agree with most - this is such overkill.

3. I'm seeing a definite tendency to want to ignore this.  I can see mindplay's argument - spam is a problem.  I can also see Rickard's desire to keep things simple (tho I think you're pushing the credibility by the 'read html source' angle).

4. As has been commented - it is only a matter of time before spammers look to decode javascript emails, however there is a cost/benefit argument.   They are not doing it now, and it doesn't pay them to do it.  Maybe when more people start obfuscating their address (be honest, this one is still pretty much a 'techie who is aware' area) then spammers might take notice.   When they do, the first one to fall will be the 'mailto;' + '....  simple javascript method.

5. This isn't such a big hit on performance (or in php code) to do. See: http://www.pgregg.com/projects/encode/htmlemail.php  Source code available on that page.   If Rickard wants to use the code there, please do.

Paul.

Re: cloak e-mail addresses!

pgregg wrote:

1. Percentage of browsers with javascript disabled is nowhere near 8%.  Maybe in years gone by - but not now.  Probably in the 1-3% range.  The web (commercial websites) is pretty much useless without javascript.  *Most* users are not techies like us and, unfortunately, we make up much less of a percentage than we used to ;)

I got the 6% number from a recent A List Apart article. I might be a little high. I just had a look at the global stats at thecounter.com and according to them it's currently 4%.

http://www.thecounter.com/stats/2004/April/javas.php

pgregg wrote:

2. Graphic versions - no way - I agree with most - this is such overkill.

Still way too high to disregard.

pgregg wrote:

3. I'm seeing a definite tendency to want to ignore this.  I can see mindplay's argument - spam is a problem.  I can also see Rickard's desire to keep things simple (tho I think you're pushing the credibility by the 'read html source' angle).

Me? Pushing? :D

pgregg wrote:

5. This isn't such a big hit on performance (or in php code) to do. See: http://www.pgregg.com/projects/encode/htmlemail.php  Source code available on that page.   If Rickard wants to use the code there, please do.

I think this might be overkill. If I decide on implementing some kind of e-mail obfuscation, it will likely be something like what mindplay suggested on the previous page.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: cloak e-mail addresses!

pgregg wrote:

5. This isn't such a big hit on performance (or in php code) to do. See: http://www.pgregg.com/projects/encode/htmlemail.php  Source code available on that page.   If Rickard wants to use the code there, please do.

Unfortunately, this particular example probably won't increase safety much - lots of harvesters probably already decode %xx to chars before scanning for email addresses ... it's the simplest and most widely used hack, and it's only a few lines of code to decode all chars, before scanning the source for email addresses ... you must assume they're pretty dumb? I expect they'll put in at least a TINY bit more effort than that ;)

For added safety, you have to make the source unreadable, which means you have to format the data, in the source, as something that can't be read directly out of the HTML source - what I did, for example, is a very simple solution, but will require the script to be parsed and executed ... probably the safest would be a technique similar to yours, but with some sort of added twist, for example XOR'ing all the values, or just adding one or subtracting two from each value - already then, the script would have to be parsed and executed to decode the result.
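
The distinction drawn in the post above, as an added example (not code from this thread, PunBB or pgregg's page): a source-level audit that decodes %xx and numeric entities before scanning still finds a percent-encoded mailto link, but finds nothing in an XOR cloak until the inline script is executed. All function names are hypothetical and the address is a constructed sample.

```javascript
// Added example, not PunBB or thread code. Function names are hypothetical;
// the address is a constructed sample.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// What a decode-then-scan pass over the raw page source sees:
// undo %xx escapes and numeric HTML entities, then look for addresses.
function staticScan(html) {
  const decoded = html
    .replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#x([0-9A-Fa-f]+);/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
  return decoded.match(EMAIL_RE) || [];
}

// Cloak 1: every character of the address written as %xx in the mailto link.
function percentEncodedLink(email) {
  const enc = [...email]
    .map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('');
  return `<a href="mailto:${enc}">e-mail</a>`;
}

// Cloak 2: character codes XOR'ed with a key; an inline script reverses the
// XOR and writes the link, so the address never appears in the source.
function xorCloakedLink(email, key) {
  const codes = [...email].map(c => c.charCodeAt(0) ^ key).join(',');
  return `<script>(function(){var a=[${codes}],s='';` +
    `for(var i=0;i<a.length;i++)s+=String.fromCharCode(a[i]^${key});` +
    `document.write('<a href="mailto:'+s+'">e-mail</a>');})();</script>`;
}

// Stand-in for a browser: run the inline script with a stub document.write
// and return the markup it produces.
function renderWithScript(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  let out = '';
  if (m) new Function('document', m[1])({ write: s => { out += s; } });
  return out;
}

const sample = 'user@example.test'; // constructed address
console.log('percent-encoded, source scan:', staticScan(percentEncodedLink(sample)));
console.log('XOR cloak, source scan:      ', staticScan(xorCloakedLink(sample, 42)));
console.log('XOR cloak, after execution:  ',
  staticScan(renderWithScript(xorCloakedLink(sample, 42))));
```

The XOR key sits in the page next to the data, so this is obfuscation rather than secrecy: anything that executes the script gets the address back, which is the limit Frank H raised earlier in the thread.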

Re: cloak e-mail addresses!

Now now mindplay, you didn't look at it too deeply now did you? ;)

You just described the non-default non-javascript option of that page.  The default javascript one creates a javascript function where the data has every alternate character transposed and then the whole thing is escaped. :)

Paul.

Re: cloak e-mail addresses!

pgregg wrote:

Now now mindplay, you didn't look at it too deeply now did you? ;)

You just described the non-default non-javascript option of that page.  The default javascript one creates a javascript function where the data has every alternate character transposed and then the whole thing is escaped. :)

Paul.

aah, now I see - didn't notice the eval() call, I thought it just said unescape() ... well yes, this would be safe, although the output is sort of lengthy - but that's of course no problem if the email address is only displayed on the profile page.

yes, this looks safe :)