Has Google Broken JavaScript Spam Munging?

Baxil writes "For years now, Javascript munging has been a useful tool to share email addresses on the Web without exposing them to spammers. However, Google is now apparently evaluating Javascript when assembling summary text for web pages' listings, and publishing the un-munged email addresses to the world; and spammers have started to take advantage of this kind service." Anyone else seen this affecting their carefully protected email addresses?

Mung

[Tokerat]

You keep using that word. I do not think it means what you think it means.

Re:Mung

[eikonoklastes]

See http://en.wikipedia.org/wiki/Mung

Re:Mung

[Aladrin]

Maybe you should read it yourself. Here's the first sentence.

Mung is computer jargon for "to make repeated changes which individually may be reversible, yet which ultimately result in an unintentional, irreversible destruction of large portions of the original item."

Again, check this out: "which ultimately result in an unintentional, irreversible destruction of large portions of the original item."

The email address is not munged, or you couldn't un-mung it.

Re:Mung

This has to be the most overused meme on Slashdot.

Re:Mung

The wikipedia page also links to munge - modify until not guessed easily - which I guess is what the original person intended

Re:Mung

[TheRealMindChild]

Yeah, no kidding. I was wondering where Chowder and Schnitzel were

Re:Mung

>The wikipedia page also links to munge - modify until not guessed easily -
> which I guess is what the original person intended

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rap your ears.

Re:Mung

Fwiw, munging is the gerund form of both mung and munge. However, mungeing would also be acceptable for the latter.

(c.f. Homonyms like "bass singer" which can refer to one who sings in a low key, or one who burns fish.)

Re:Mung

[pythonax]

Calm down. He meant http://en.wikipedia.org/wiki/Munge, which seems like it would conjugate to munging following the normal rules. The fact that it does not is an exception in the way normal English works, and as usual these are things which you need to memorize since there rarely seems to be a pattern in the exceptions. There is even a link to this at the bottom of the page you linked because this is a common error.

Re:Mung

[edittard]

He meant http://en.wikipedia.org/wiki/Munge, which seems like it would conjugate to munging following the normal rules.

What, just like sing does?

Re:Mung

You sir, are an asshole.

Re:Mung

Munging == mung + ing /mun-ging/ munge+ing = mungeing /mun-djing/ The e needs to stay to prevent the word from splicing towards the end and making the previous syllable long. runing (== rune + ing; running = run+ing).

The complication comes from the fact that ng went from a n,g sound to a ng sound (sing [sin-g] and singer [sounds like finger]) and thus the lexically complex syllable is now realized a simple short one.

The rules are simple and most people can figure them out internally (for native speakers of English), ESL students... best of luck.

Re:Mung

[digitalsolo]

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rap your ears.

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rape your ears.

You're right, just one 'e' and the whole thing changes.

Re:Mung

[pythonax]

I see your point, but there are plenty of examples on both sides. Change, lunge, and plunge all lose the e, while munge, tinge, and singe do not.

Re:Mung

[Ifni]

So which one applies to Kim?

Yes, I know there are a couple missing "s"es, but work with me here...

Re:Mung

[Megane]

Mung
Munge
Munge

Please turn in your card at the door on your way out.

Re:Mung

[twidarkling]

Yoeu're reight, juest onee 'e'e ande thee whoele tehing chaenges.

Re:Mung

[Geoffrey.landis]

If you aren't aware that adding ~e may change the meaning of a word, I should come round and rap your ears.

ROFL!

Re:Mung

[sootman]

It's also an acronym--it stands for mung until no good. :-)

Re:Mung

The point is that it "can't" be "un-munged" automatically. Obviously now that is happening, but you get the point.

Re:Mung

[larry+bagina]

And if you double it:

I should come round and rape your arse

Re:Mung

What happened to "Don't be Evil"?

Re:Mung

OH Yeah? Well I'm an asshole, too!

Re:Mung

I believe a 'WHOOSH' is in order.

Re:Mung

[Midnight+Thunder]

Actually proper English indicates that you double consonant when adding 'ing' if it ends with one, or drop the 'e' if it ends with one:
    hop -> hopping
    hope -> hoping

so:
    munge -> munging
    mung -> mungging

Re:Mung

[jslarve]

See http://en.wikipedia.org/wiki/Mung

I'm heartened to see that they make a mention of the "South Park" version of Mung, as that's the one I thought of.

Re:Mung

[collinstocks]

From Jargon File (4.4.4, 14 Aug 2003) [jargon]:

    mung /muhng/, vt.

          [in 1960 at MIT, "Mash Until No Good"; sometime after that the
          derivation from the {recursive acronym} "Mung Until No Good" became
          standard; but see {munge}]

          1. To make changes to a file, esp. large-scale and irrevocable
          changes. See {BLT}.

          2. To destroy, usually accidentally, occasionally maliciously. The
          system only mungs things maliciously; this is a consequence of
          {Finagle's Law}. See {scribble}, {mangle}, {trash}, {nuke}. Reports
          from {Usenet} suggest that the pronunciation /muhnj/ is now usual in
          speech, but the spelling `mung' is still common in program comments
          (compare the widespread confusion over the proper spelling of
          {kluge}).

          3. In the wake of the {spam} epidemics of the 1990s, mung is now
          commonly used to describe the act of modifying an email address in a
          sig block in a way that human beings can readily reverse but that will
          fool an {address harvester}. Example: johnNOSPAMsmith@isp.net.

          4. The kind of beans the sprouts of which are used in Chinese food.
          (That's their real name! Mung beans! Really!)

          Like many early hacker terms, this one seems to have originated at
          {TMRC}; it was already in use there in 1958. Peter Samson (compiler of
          the original TMRC lexicon) thinks it may originally have been
          onomatopoeic for the sound of a relay spring (contact) being twanged.
          However, it is known that during the World Wars, `mung' was U.S.: army
          slang for the ersatz creamed chipped beef better known as `SOS', and
          it seems quite likely that the word in fact goes back to Scots-dialect
          {munge}.

          Charles Mackay's 1874 book Lost Beauties of the English Language
          defined "mung" as follows: "Preterite of ming, to ming or mingle; when
          the substantive meaning of mingled food of bread, potatoes, etc.
          thrown to poultry. In America, `mung news' is a common expression
          applied to false news, but probably having its derivation from mingled
          (or mung) news, in which the true and the false are so mixed up
          together that it is impossible to distinguish one from another."

See the third definition.

Re:Mung

[Sky+Cry]

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rap your ears.

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rape your ears.

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rape your ars.

Looks like it works the other way around too!

Re:Mung

[PearsSoap]

The email address is not munged, or you couldn't un-mung it.

You munged it; you can't un-mung it!

Stay tuned for more... Tales! Of! Internet!

Re:Mung

What happened to "Don't be Evil"?
 
This is tough love.

Re:Mung

[halcyonandon1]

http://www.urbandictionary.com/define.php?term=munge

My favorite definition of Munge:

"Munging is the act in which one jumps on the stomach of a dead corpse and eating through fallatio the embalming fluids which erupt out of the corpse in the jumping process. "

Re:Mung

[RivieraKid]

I knew it! I'm surrounded by assholes!

Re:Mung

[HTH+NE1]

I see your point, but there are plenty of examples on both sides. Change, lunge, and plunge all lose the e, while munge, tinge, and singe do not.

Chang, lung, and plung aren't verbs.

Basically, munging munge mungs it. Seems appropriate to me.

Re:Mung

Nice try, but that rule only applies to "[^ng]g$" words.

beg + ing = begging
dig + ing = digging
hog + ing = hogging
rag + ing = ragging
tug + ing = tugging

but it doesn't apply "[n]g$", because the n modifies the sound of the g, and gg$ is uncommon enough that it's an exception in itself.

bang + ing = banging
bring + ing = bringing
(egg + ing = egging)
hang + ing = hanging
long + ing = longing
ping + ing = pinging
sing + ing = singing

Unfortuantely we don't have many examples of "ung$" because most of the words of that form are either nouns (e.g. dung, lung, young) or past participles (e.g. clung, hung, sung), so their present participles are generally formed from the present tense "ing$" form of word (e.g. cling/clung/clinging, hang/hung/hanging, sing/sung/singing), etc.

Note that we do have plenty of examples of "unge$" forming "unging$":

expunge + ing = expunging
lounge + ing = lounging
lunge + ing = lunging
plunge + ing = plunging
scrounge + ing = scrounging

So that's plenty of reason to believe that the rule is "unge + ing = unging", despite the fact that "inge + ing" can be either "inging" or "ingeing" depending on the word (and in some cases both are valid):

binge + ing = binging or bingeing (both are valid; look it up)
cringe + ing = cringing
impinge + ing = impinging
singe + ing = singeing
twinge + ing = twinging or twingeing (both are valid)

Therefore I strongly contend that:

mung + ing = munging
munge + ing = munging or mungeing (both are valid)

You may dispute the claim above, but there's no disputing:

mung + ed = munged
munge + ed = munged

:)

Re:Mung

I'll remove my pants so you can see how well mung I am.

Re:Mung

[Bigjeff5]

Incorrect.

The "gg" produces a hard "g" sound, but the softer "ng" sound must be preserved when adding "ing" to the end.

The clue is in the fact that mung and munge are pronounced differently. Mung is pronounced with an "ung" like lung or hung, however munge is pronounced with an "unj" like lunge or plunge.

Mung is very odd, because most words spelled this way seem to be nouns. Anyway, you can verify that munge should not be munging two ways: 1.) look at other words that sound similar - lunge, lungeing, plunge, plunging 2.) because mung is already munging. ;)

Re:Mung

[x2A]

is that the sound your farts make afterwards?

Re:Mung

[DragonWriter]

Actually proper English indicates that you double consonant when adding 'ing' if it ends with one, or drop the 'e' if it ends with one:
        hop -> hopping
        hope -> hoping

so:
        munge -> munging
        mung -> mungging

No, actually, proper English doesn't have regular general rules for spelling changes for different word forms like this. It has some "rules of thumb" that can be inferred from common patterns, but most of them have quite a lot of exceptions. And, inasmuch as there is a rule of thumb of the type you describe here, it would be more accurate to state it as "when adding the suffix -ing to a word, the final consonant is doubled if it is a single consonant preceded by a vowel, and a final 'e' is dropped if it follows a single consonant preceded by a vowel," though even in this form there are exceptions.

Examples:
    hop -> hopping but crack -> cracking (not crackking)
    hope -> hoping but singe -> singeing (not singing)

An exception (there are certainly more): binge -> binging (though bingeing is also acceptable in some dictionaries.)

The "rule" would suggest:
    mung -> munging and
    munge -> mungeing

Re:Mung

[Runaway1956]

I know that you didn't create that Wiki page, spur of the moment, then come back here to post the link to it. Mung. I spent 8 years in Uncle Sam's Navy, and never heard the term. You're part of the conspiracy, aren't you? You people just made up a new word, did the Wiki, and came here to post this article - AND SUN IS IN ON IT!!!

Re:Mung

But in English, "munged" and "munging" are acceptable ways to conjugate a verb ending in "e". (See "caved" and "caving".)

Note that the original summary never uses "mung" or "munge", but only the conjugated forms.

In fact, if it were "mung", then the typical pattern would be to add another "g" before the ending ("mungged" or "mungging", as in "bagged" or "bagging"), except where it's decided that it would be too confusing (as I submit that the word "mungged" in fact, is).

In that case, "munged" could be derived from either "mung" or "munge" (and as constructing alternate word forms from words that were originally acronyms is difficult as it is, I think everyone deserves a break here).

Re:Mung

[Thinboy00]

Basically, munging munge mungs it. Seems appropriate to me.

O RLY? Munging something mungs it? I never would have guessed.

Re:Mung

[Thinboy00]

It's also an acronym--it stands for mung until no good. :-)

See also sense three of that link.

Re:Mung

[Thinboy00]

An exception (there are certainly more): binge -> binging (though bingeing is also acceptable in some dictionaries.)

So what's the gerund form of the verb "bing" (to look up on bing)?

Re:Mung

[iggymanz]

I can't hear you because of ear whacks

Re:Mung

[SausageOfDoom]

It has been happening for quite some time.

I have always said that the only way to keep your e-mail address safe from spammers is to not give it out at all. Although Google may be doing it now, it's been perfectly possible for as long as computing power has been available cheaply to the spammers (ie botnets).

About 4 years ago I conducted an experiment with anti-spam techniques for the comments on my blog. One of the things I tried was a bit of javascript which added a validation field to the form. The spammers kept on as if it wasn't there, which meant they had to be evaluating javascript.

And the thing is, once your obsfucation measures are broken by the spammers, because of places like archive.org the internet never forgets - so you can't claw it back. You can update your obsfucation code on your site, but there's nothing stopping the spammers from simply trawling the archives and mirrors to find it there.

The only way to protect your e-mail address is to never send it client-side - always put it behind a form and a server-side mailing script.

Re:Mung

[Tokerat]

According to Wikipedia: "Mung is described as 'the stuff that comes out when you push down on a pregnant woman's stomach.'"

Re:Mung

[ssintercept]

For what it's worth - my grandfather used to refer to a couple of diseases - one being "Mung" and the other was the "Yellow Paparoo".

Re:Mung

[omnichad]

Wait...English has exceptions? I thought it just had rare coincidental correlations.

Re:Mung

[omnichad]

Mungeing something mungs it too, in this case.

Re:Mung

[Aceticon]

As if grammar nazis weren't bad enough, now we also have spelling nazis.

Re:Mung

A more accurate rule (but it's english, so there's ALWAYS exceptions) is that if the word ends with a single vowel, followed by a single consonant, double the consonant.

Re:Mung

Technically, spelling is a part of grammar. Also, 'Nazi' is a proper noun, so we should use a capital en.

Re:Mung

Larry, is it you?

Re:Mung

[Keeper+Of+Keys]

All that appears to be missing is an "s" and a space. But I bet she has, on occasion, burned fish.

Re:Mung

[Keeper+Of+Keys]

I thought their company motto was "Don't execute javascript".

Re:Mung

[the+JoshMeister]

Thanks for the grammar lesson, but in this case your argument is moot. Munging has reference to the word mung while mungeing has reference to the very different word munge.

See the correct usage at http://en.wikipedia.org/wiki/Munge and, if you wish, take a look at the article's history and note that the usage portion was written a long time before this Slashdot article.

Re:Mung

that should be asshol

*rolleyes*

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

Re:*rolleyes*

[jollyreaper]

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

You say you want a spam resolution
Well, you know
We all want to save our email
You tell me that it's obfuscation
Well, you know
That kind of security'll fail
So when you talk about Javascript munging
Don't you know that you can count me out
If it's on the net it ain't secure, all right?
all right, all right

You say you got a real solution
Well, you know
We'd all love to can the spam
You ask me for some retribution
Well, you know
The Russian Mafia's got a plan
When you spam the boxes
of people with minds that hate
All I can tell is brother you sealed your fate
That spammer's gonna be canned all right
all right, all right

Re:*rolleyes*

[eln]

Maybe he's merely advocating that the "obfuscation != security" people should form a line. You shouldn't be so quick to judge.

Re:*rolleyes*

[PMBjornerud]

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

The issue here is not personal email, which obviously nobody puts on a web page.

Many people prefer it when companies have a simple "contact us" email instead of having to go through a web form for sending them emails.

Thus, some people & companies want to display an email address. They just want to make it harder for spammers to discover it. Javascript did a pretty good job at this, and Google seems to have provided a simple workaround.

Re:*rolleyes*

[hardburn]

Javascript did a pretty good job at this

No, it didn't. Google isn't doing anything the spammers couldn't have done themselves with a little bit of Perl.

Re:*rolleyes*

[Sciryl+Llort]

You say you want to make it rhy-ming
Well you know -
That's the really easy part

But when it comes down to the ti-ming
Well clearly you have no idea (and couldn't buy one if you won the lottery)
That it helps if you know what a syllable is and how to get roughly the right number on each line so that it sounds at least a bit like the original.

Re:*rolleyes*

[broken_chaos]

Spambots don't, and never have, invested enough time to include JavaScript parsing. One of the linked articles suggests this is due to a possibility of crashing when trying to interpret badly formed or incorrect JavaScript, but it could also be due to simple plaintext (maybe with stripping HTML tags) parsing has been producing enough results so far.

Most spambots have been proven, in several experiments, to not even parse hex/decimal HTML character entities, so JavaScript parsing was considered to be mostly safe for the moment. It's not like people assume this is a perfect spam-blocking method - just that it's good enough to not get thousands upon thousands of spam, limiting it to a reasonable number.

Re:*rolleyes*

[RJFerret]

Recaptcha has a service specifically for email addresses, no obfuscation needed... Which also has the added benefit of aiding book digitizing!

Re:*rolleyes*

[mlts]

One thing I use for my E-mail addresses is to have my address be a picture (take a snapshot with xwd, use the GIMP to crop the address). Unless spambots decide to grab every picture and run it through an OCR, the address is protected.

The downside is that Braille readers lose access to this information, so have some definite workaround for this, perhaps a Web form where the reader is told to solve a simple word problem and type the answer in a blank before sending.

Re:*rolleyes*

[repetty]

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

Well, I'm glad you got that tiresome drivel out of the way. Hopefully no one else will post this type of statement.

Of course you are right -- everyone knows that you are right. The most effective way to secure anything is to hide it away and never use it.

That fact now out of the way, we can now proceed with productive discussions.

--Richard

Re:*rolleyes*

CUE motherfucker, cue.

Re:*rolleyes*

Captcha's suck, the only ones that are at all effective are overly difficult for humans. And even those aren't that effective. Capcha's would have been a great idea ten years before they were first introduced. ten years from now, the only ones that work at all will take humans 10 minutes to figure out.

http://arstechnica.com/security/news/2008/10/right-back-at-ya-captcha-bad-guys-crack-gmail-hotmail.ars
http://arstechnica.com/security/news/2008/04/gone-in-60-seconds-spambot-cracks-livehotmail-captcha.ars

Re:*rolleyes*

[NatasRevol]

That doesn't seem to flow very well....

Re:*rolleyes*

[twidarkling]

I dunno. Lining up works. After all, there's likely a large number of people who'd say that. You'd hardly want them all running amok.

Re:*rolleyes*

[Chabil+Ha']

To add:

Relying on the expected behavior (Google not processing JS) of something over which you have no control for your security is pretty silly as well.

Re:*rolleyes*

[jollyreaper]

That doesn't seem to flow very well....

My friends call me MC Frozen Toothpaste.

Re:*rolleyes*

Burma Shave.

Re:*rolleyes*

[hplus]

The question isn't whether or not it could be done - obviously it's possible. The issue is that spammers, for the most part, choose to go after the low hanging fruit rather than messing with perl.

Re:*rolleyes*

[hairyfeet]

So why not just use an email image maker and be done with it? This one even has the PHP source code if you want to add it to your site.As far as I know the spambots haven't gotten image recognition down good enough to tell that a .png is an email address.

Re:*rolleyes*

[NewWorldDan]

Yep, the keyword there is most spambots. It just takes one motivated enough to write a parser for javascript for common munging techniques. Or in this case, finding an app out there that does it automagically for them. I would expect that email addresses stored as an image would be less subject to abuse for two reasons: First, it creates a much larger download causing a bottle neck and second, it's much more computationally intensive. Still, it can of course, be done. After all, it may only be a matter of time until Google or MSN parse it and save the results for the rest of the world.

What I find works best is to use a web form for submitting messages on our company website. That only gets spammed about once a month, and usually for something almost relavant to what we do. Then again, 2 years ago it never got spammed.

Re:*rolleyes*

[Chyeld]

Which is more likely, bad guys targetting the captcha for Gmail, thus allowing them to register 1,000s of spam boxes, or the bad guys targetting the captcha for a single contact me/email address on a lone site?

And if the argument for the javascript crap was "it's proven the spambot scrapers don't do even that much work", why is the arugment against the captcha "well, if they poor effort into it, they might break it"?

Capatcha's, even the most simple of them, are what people should have been using in the first place.

Re:*rolleyes*

[interkin3tic]

The question isn't whether or not it could be done - obviously it's possible. The issue is that spammers, for the most part, choose to go after the low hanging fruit rather than messing with perl.

Choose to, or that's all they have the brainpower for?

Re:*rolleyes*

Oh yeah, I'll tell you something
I think you'll understand
When I say that something
Don't wanna get no spam
Don't wanna get no spay-ya-yaam
Don't wanna get no spam

Oh, please, say to me
You'll let my addy be
and please, say to me

You'll let me have no spam
Now let me have no spay-ya-yaam
Don't wanna get no spam

And when it's mungey i feel happy, inside
But when you de-munge
from script code
it can't hide
it can't hide
it can't hide

Yeah you, fucking Google
I thought you'd understand
When I say that something
don't wanna get no spam
don't wanna get no spay-ya-yaam
don't wanna get no spam ...

Re:*rolleyes*

[hplus]

Do you really think whipping up a perl script is beyond the abilities of somebody who has the ability to run a spamming "business"? It's all cost/benefit. Running the javascript costs more CPU time, which would be better spent on other tasks. Whatever gets them the most emails/hour (further complicated by "quality" of email address and such) is what they will do.

Re:*rolleyes*

[interkin3tic]

Do you really think whipping up a perl script is beyond the abilities of somebody who has the ability to run a spamming "business"?

Maybe you mistook that for a rhetorical question, sorry for that misleading question, it was semi-honest. I really don't know how much effort goes into a spamming buisiness. Never met anyone who identified themselves as a spammer, so I don't know if they're as dumb as they seem. For that matter, I've never written a perl script.

Just seems to me like if you have a decent head on your shoulders you'd be doing more than the equivalent of agressively begging for change on the sidewalk.

Re:*rolleyes*

[mad_robot]

Section 508?

Re:*rolleyes*

[Bigjeff5]

I don't know what pool has to do with this...

Re:*rolleyes*

[david.given]

Seriously, queue the obfuscation != security thing.

<pedent>

'Cue', actually. A queue is a data structure and something you stand in in the post office. A cue is a tool for playing snooker with and a signal indicating that it's time for an actor to go on stage and perform. Hence, 'it's your cue', which is the sense in which you're using it here.

Don't get me started on hear vs. here and less vs. fewer...

Re:*rolleyes*

[david.given]

<pedent>

This, of course, is the traditional spelling/grammar flame typo. I think it's a law of nature.

Re:*rolleyes*

[raju1kabir]

I doubt the Section 508 Police are any less impressed by imagified email addresses than they are by Javascript-obfuscated ones.

Re:*rolleyes*

[enoz]

You miss the point.

The Javascript obfuscation method allows you to make a mailto: url that was accessible to users yet difficult for spammers.

Sticking your email in an image is probably worse then simply asking users to solve a captcha before giving them your email.

Re:*rolleyes*

[selven]

Keeping email addresses protected is often about anti-spam, not security. Security breaches are rare, but severe, so you want no breaches, but anti-spam is about volume reduction.

Re:*rolleyes*

[insane_membrane]

wish i had modpoints...

Re:*rolleyes*

[hplus]

I did indeed mistake it for a rhetorical question, my apologies for the snark.

Re:*rolleyes*

[omnichad]

do each character as a separate image? Security through obfuscurity!

Re:*rolleyes*

[omnichad]

with an alt tag for each image, of course.

Re:*rolleyes*

[omnichad]

need an email sound maker. Link to a .wav of the email address being read aloud.

Re:*rolleyes*

[omnichad]

The implied obvious solution is a web contact form. That way, at worst, you only get one-off spam instead of a learned address. This can be hardened further against attacks or taken completely offline if needed.

Re:*rolleyes*

[omnichad]

Except that this cue would attract several people at once, which necessitates some kind of order. Hence, they should queue up and be ready for their chance to speak. Don't get me started on pedant.

Re:*rolleyes*

[indiechild]

Our forms get spammed a dozen times a day (government cultural organisation). It's basically pretty much the same as getting spam via email.

It's tricky because we're hesitant to implement CAPTCHAs, as our websites have to remain 100% accessible. We're currently investigating the new breed of "accessible CAPTCHAs" to see if they do actually work for people who use screen-reader browsers.

Re:*rolleyes*

[david.given]

Don't get me started on pedant.

ITYM 'pedantry'. HTH. HAND!

And your other point is only valid if you assume that the people are going to politely wait in a FIFO queue. In my experience, people are much more likely to mill around in a mob, resulting in an unordered set. Although if they keep interrupting each other, maybe it would be more like a stack...

Re:*rolleyes*

[Keeper+Of+Keys]

I would expect that email addresses stored as an image would be less subject to abuse for two reasons: First, it creates a much larger download causing a bottle neck and second, it's much more computationally intensive.

Also, the harvester bot has to identify *which* image has the email address in it.

Re:*rolleyes*

[solcott]

OP here (I guess I forgot to log in before) Actually, when I posted I was fully aware of the difference between cue and queue, but as referenced in #28442905 I was in fact referring to expecting a line of obfuscation != security posts to form, because /.ers really have some great arguments against it and I was hoping to get to read a lot of them.

Re:*rolleyes*

Actually, could you get started on less vs fewer?

Don't they mean the same thing?

Re:*rolleyes*

[foniksonik]

Yes but smart webmasters block all requests from libwww-perl bots and send it a 503 response... so they never get a chance to de-munge...

Re:*rolleyes*

[Negadecimal]

It just takes one motivated enough to write a parser for javascript for common munging techniques.

See, that's the thing... I'm not a spammer (really), but if I were, I wouldn't think the average person taking advantage of munging techniques would be remotely worth the effort.

Spam preys on the 1/10,000th of the population that gets excited about lost millions, internet lotteries, cheap pharmaceuticals, or security warnings that appear to be from their banks. People who take the time to obscure their primary e-mail addresses tend to be keen enough to not fall for these things...

Re:*rolleyes*

OK, I guess I'm not smart, but I'd like to be. How do I block these bots?

(Apache on a CentOS box)

Really....

[Darkness404]

Really with the development of better OCR technologies and such comes the elimination of e-mail security by obscurity. If you don't want spam either A) have a decent spam filter (I don't think I've had a single piece of spam pass through G-mails filter and only one false positive) or B) don't share your e-mail address. Those are the only two ways to prevent spam that will continue to work.

Re:Really....

[fpophoto]

Yeah, that's what I came in here to say. It's 2009, even most $5/month hosts offer pretty good spam filtering.

That 5 bucks also gets you unlimited email accounts (or close enough), so don't be afraid to use them. Makes it easier to track spam and disable it.

Re:Really....

It's TRIVIAL for a spambot to execute code like this sitting in script tags in the "js" binary and dumping the contents, and then grabbing emails with a regex.

I use the "js" binary to rip porn off sites all the time.

~$ js -v
JavaScript-C 1.7.0 2007-10-03
usage: js [-PswWxCi] [-b branchlimit] [-c stackchunksize] [-v version] [-f scriptfile] [-e script] [-S maxstacksize] [scriptfile] [scriptarg...]

Re:Really....

I always liked the idea of blacklisting ISPs that blatantly support spammers.

I'm not sure how well Russia would do being disconnected from the internet though. They might end up actually going bankrupt finally...

Re:Really....

[Darkness404]

I don't, and not because I like spam but because I really want more ISPs than AT&T, Comcast and Time Warner. They need all the competition they can get.

Re:Really....

[buchner.johannes]

No it is not. If you increase the time used per website, you can not process that many websites anymore. JS obfuscated emails were protected because spammers didn't take effort.
You might say computers got faster, but unfortunately the web didn't get smaller.

Anyway, I understand the need to post email addresses on a website. How else should people contact you the first time? Personally, I don't like contact forms. Would you advocate for a CAPTCHA or requiring a POST request to obtain the real email address? You could still cry "security by obscurity".

But you can't take away the option of posting email addresses on websites from users, as it is very useful to contact people by email. Reminds me of people saying "Flash is proprietary, and too fancy for my taste anyway, so nobody must use it. Use Javascript.".

Maybe one should make swf files with the email in them. Muhahaha

Re:Really....

[mshieh]

I don't think I've had a single piece of spam pass through G-mails filter and only one false positive

You mean you've only noticed one false positive. I'm sure it's been mentioned in half of the comments in this thread, but security by obscurity is effective because there is value in stopping half of the spam, unlike traditional security where having your data stolen and sold once is not a big gain over having it done many times. There are many reasons why obscurity works towards this goal of reduction rather than elimination.

Re:Really....

[thejynxed]

I would dare say all of the damned botnets and whatnot that contain rather large numbers of IP blocks belonging to Comcast disavow any notion of them not supporting spammers amongst other low-lifes, even if support=NotDoingADamnedThingToPrevent(TM).

If they even put forth minimal effort in policing their own networks for that crap instead of worrying about P2P traffic, you'd see a major drop in malicious traffic period.

But no, instead they'd rather putz about with P2P limiting and screwing up Vonage.

Re:Really....

[xaxa]

My personal email address is behind some javascript on my website.
It's also in plaintext about four links deep on the website of a large and famous university (given as the contact address for a student society).

I get about 150-200 spams a day. I get about 1 a day in my Inbox. About one false-positive a month goes into my Spam folder, typically a mailing list post.

The address is hosted with Google Apps -- i.e. the same as a Gmail address.

Re:Really....

[Bigjeff5]

Webforms and server-side scripts can send an email to the server owner without exposing the email of either party on the web. Once you recieve an email in this way, you will have the poster's email and can continue the conversation.

The spambots will never be able to gleen the website owenr's email in this way, because the processing of the script is done where the spambot has no access.

The next step in obfustication, if you don't want to go through the 30 minutes of coding (for a newbie) it would take to set up a web form (hosting servers often have this built in, btw), is to use an image of the email address. That will be effective until processing such images becomes so trivial that adding it to the spambot would not significantly impact the amount of emails collected.

Re:Really....

[DragonWriter]

Personally, I don't like contact forms. Would you advocate for a CAPTCHA or requiring a POST request to obtain the real email address?

Never happen, but better would be:
You get the actual e-mail address via a POST request over SSL secured by a valid client certificate from a reputable CA, the client certicate's public key and associated identity information is transferred to the owner of the e-mail address, who requires e-mail to also be digitally signed, and who filters by using a sender address whitelist and validating the signature against the associated key. Senders are added to the whitelist when their key is received (e.g., from the website system, or out-of-band) and presumed good until they send spam or do something else unwelcome, at which point the receiver removes them from the whitelist.

Accountability, not obscurity.

Re:Really....

[x2A]

or just put the email address producing javascript file in a location excluded by robots.txt... then google won't look at it

Re:Really....

[squidinkcalligraphy]

Actually, you could do a recaptcha-style trick with this to help digitize (more) books - create an image with the first part the (undigitized) book-word, then a unique code for that word, then @recaptchadomain.com. The spambot's advanced OCR would decipher the word, and send spam to word.abd27e423de@recaptcha.com, which would match the unique code to the word, and wait till a few of them match up.

Re:Really....

[orngjce223]

I use a filter to make sure my mailing list posts stay in my Inbox and are autotagged with which mailing list they came from, and everything else can be chucked straight in the bin.

Of course, this is for my side account that is used solely for mailing lists. For everything else, hey, look up. After all, Slashdot's munging technique is pretty good, too.

Re:Really....

[omnichad]

Have you received your first email yet?

Re:Really....

[omnichad]

But Russia's too big to fail! The US Government would be there ready to hand them one of those oversized checks.

Re:Really....

[omnichad]

In other words,

Obscurity vs. a determined human != obscurity vs. a bot.

Re:Really....

"If you increase the time used per website, you can not process that many websites anymore."
"You might say computers got faster, but unfortunately the web didn't get smaller."
except this is no longer a one spammer with one computer, its a botnet that gets bigger everyday. Each unsuspecting zombie tasting multiple webpages and domains a minute.

Re:Really....

[lfaraone]

Really with the development of better OCR technologies and such comes the elimination of e-mail security by obscurity. If you don't want spam either A) have a decent spam filter (I don't think I've had a single piece of spam pass through G-mails filter and only one false positive) or B) don't share your e-mail address. Those are the only two ways to prevent spam that will continue to work.

Well, my email address is made up of my name, so I just tell people it's myfirstname@mylastname.cc. (use sensible replacements)

"Google indexes correctly rendered page"

[RichardDeVries]

That should be the title. That is, if it were newsworthy. Which it isn't.

Re:"Google indexes correctly rendered page"

[nidarus]

It is, for web developers (a nice percentage of /. users) who used javascript obfuscation...

Just because you don't find it interesting, doesn't mean that nobody does

Hex/decimal armoured e-mail also visible

[broken_chaos]

They're also parsing hex/decimal character entity armoured e-mails in exactly the same way. While not as safe as JavaScript, these have been mostly-invulnerable to spambots as well and are used by default in some web-based applications, like the Mercurial hgweb.cgi/hgwebdir.cgi scripts.

Re:Hex/decimal armoured e-mail also visible

Have they started parsing hex/decimal character entity armoured e-mails recently?

I've never noticed this before and I'd like to know when it started.

They should fix this right away

[Null+Nihils]

This can easily be fixed, and should be right away. If Google is turning JavaScript into text output, they can easily parse that output (just like the spammers currently are) and see if the text contains an e-mail address. And if it does, they should omit it from search results (unless the address was originally plain text and not obfuscated, in which case they can assume the author wants it searchable).

Re:They should fix this right away

[pembo13]

You realize anyone could do this, right?

Re:They should fix this right away

[Null+Nihils]

Do what, parse JavaScript into plain text? You're right, anyone can do that if they really want to take the time. But for whatever reason spammers don't bother going that far.

I'm no fan of security by obscurity, but let's be pragmatic: people will get less spam if Google fixes this problem.

Re:They should fix this right away

[Bigjeff5]

They don't do it because in the time it takes to process the javascript to get one email address, they could have gotten 20 by skipping it and grabbing more that are left wide open.

Also, obscurity = security until it isn't obscure any more. You -always- obscure before you secure, it adds another layer. If you don't need to be truly secure, obscurity is often a minimal ammount of security that can be quite effective, again depending on your needs.

Re:They should fix this right away

[complete+loony]

Google obscure email addresses in groups, why can't they obscure them in search results?

Welcome to the club

[fataugie]

Dear Google:

Welcome to the "Impossible to do anything right" club.

Regards,

Wal-Mart,
Microsoft,
G. W. Bush

Re:Welcome to the club

Dear Google:

Welcome to the "Impossible to do anything right" club.

Regards,

Wal-Mart,
Microsoft,
G. W. Bush

Aha! I knew they were all in league with each other! I don't know how I knew it -- I just knew it!!!

Re:Welcome to the club

Swing and a miss.

Re:Welcome to the club

[Ifni]

Everyone has their supporters. The "Impossible to do anything right" club is for those that are lambasted by the popular mainstream media, regardless of which action they take. "Mainstream" media excludes overtly biased sources such as Fox and what not.

Clinton was in the "Impossible to do anything wrong" club, hence his general association with Teflon. Even during the sex scandal, the general consensus was "who cares, there are more important issues."

Obama was in the ITDAW for a bit, but the financial crisis has made him everybody's enemy it seems. If this keeps up, he may be accepted into the ITDAR, but I think it's unlikely that the media can stay mad at him for that long.

Alternately, it could be the general perception of Slashdot (and not the mainstream media) that determines it, which means that, due to Slashdot's strong lean to the left, ITDAR is perpetually reserved for big corporations/conservative pundits. Even Slashdot darlings like Google eventually end up there. Sun and Apple will join soon, I suspect.

Re:Welcome to the club

[interkin3tic]

Man you have a strange sense of what "doing right" is.

The peanut gallery, not GP. He wasn't saying they never did anything right, he was saying they never get CREDIT from critics for doing anything right. Walmart pays workers less, people protest. Walmart raises worker pay, people find things wrong with that. Walmart keeps worker pay the same, people protest that.

Note that was just a hypothetical example, I've never heard of walmart raising wages.

Re:Welcome to the club

[Ifni]

Uh, what? Have I earned myself a rabid following of angry moderators? There is nothing flamebait-worthy in my post. It shows no bias, clarifies a point of query concerning a +5 post, and is at least interesting. Are the moderators here really that ignorant of what the moderation is for? Never mind, this is Slashdot, I've been here long enough to know the answer to that...

Re:Welcome to the club

The parent comment to which I am responding is in no way a flamebait post.

Does slashdot need to start offering moderation exams before allowing people access to moderation points? Maybe requiring a recert every 3/6 months?

Almost time to do a parody 'Ask Slashdot' about how to properly overhaul a website that offers 'news' to a target group of individuals interested in technology.

Posting as Anonymous Cowardon since I can't log in.

Re:Welcome to the club

No no no, those three are in the "Don't want to do anything right" club. The "Impossible to do anything right" club has as its members Dixie Cup Manufacturing Corp, NASA, and a little old lady in Kansas City, Missouri.

It was pointless to begin with..

[poptix_work]

Spammers know how to process javascript too. The benefits of having Google index the page as a client would see it far outweighs someones belief that they were 'safe' from spammers.

Re:It was pointless to begin with..

[GravityStar]

You are technically correct. It's just that spammers haven't bothered to process javascript. It was too big a hurdle.

I'm not blaming Google or anything. Because Google needs accurate indexing. And thus they benefit from pdf -> html conversion. Flash embedded strings -> html. And now javascript cloaking -> html.

Still. This is a wow moment. Like, wow, google has a lot of computing power. Wow.

Think about it, they just took on the challenge of executing all the javascript on the internet.

Re:It was pointless to begin with..

[xaxa]

Still. This is a wow moment. Like, wow, google has a lot of computing power. Wow.

Try finding a group of Google employees drunk in a bar somewhere. Then ask them about their computing resources.

About three seconds later, realise you have better things to do in a bar and forget the drunken answers.

(Actually, I remember some of the answers. It was very impressive, but not far off what you can figure out with a quick back-of-the-envelope calculation.)

gmail mea culpa

Google's becoming a spammer's paradise. gmail is quickly moving up the ranks as the mail service of choice for comment spammers (for acct verification). You can see the top spam domains at StopForumSpam.com. I think gmail would be at the top except for others' longer history. Nearly all spammers nowadays use gmail on the forum I watch after.

Don't definitive, but spam volume has shot up

.. for two email addresses that have been posted (rendered through javascript) since early 2007. I am talking 100+ spams per day instead of 5-10.

Since the sites where the addresses are posted have not gone up in popularity, I was wondering what happened. This theory provides a plausible explanation.

JoeB
http://layoffsupportnetwork.com

Re:Don't definitive, but spam volume has shot up

[Cross-Threaded]

Interestingly enough (or not), my GMail spam has roughly increased ten-fold since I logged in with my slashdot account again (two days ago).

I haven't used the slashdot account (tied to my GMail address) in a couple of years... Coincidence?

What else can google do?

[Bazman]

So much content on the web these days is spat out by document.write(), I'm not surprised at all that google evaluates certain javascripts in order to get any content to index.

Even done a "View Source" on a google mail or google maps page? The web is now javascript.

Re:What else can google do?

Better question: This shit worked at some point?

Seriously. Who actually thought this technique would stop a determined spammer? Who actually thought that the same users protected by it wouldn't in many cases go and sign up for more spam than harvesting bots could get?

It was a dumb technique to begin with. Who gives a rat's ass if Google broke it.

Re:What else can google do?

The web is now javascript.

Those who make heavy use of javascript apps may think so. Personally I browse with javascript disabled and get by fine. Most problems I encounter are easily worked around via a quick view source.

Re:What else can google do?

[JCSoRocks]

Actually it was a perfectly legitimate technique that worked great for a long time. Spammers aren't interested in wasting a ton of time to get the 1% of email addresses that developers have obfuscated. This is a numbers game. Spend a few minutes to write a snippet of code that collects emails on all websites that are in plaintext and works on 99% of pages. Spending hours or more coming up with something that will handle all the different jacked up versions of javascript just to get a few more addresses doesn't make much sense.

Re:What else can google do?

[cripkd]

Ahhh, so you're the one my boss thinks of when he sais "Ah, that's clever, but what if the user has disabled javascript?". I guess you're friends with that guy who disables cookies and his buddy tin-foil-man.
Why the hell have browsers evolved if you still look in the source code to find content? Why don't you donwload html and use it like that? Best browser for you could be wget i guess.

Re:What else can google do?

[asdf7890]

Spending hours or more coming up with something that will handle all the different jacked up versions of javascript just to get a few more addresses doesn't make much sense.

Yes, but it works both ways. Once one person has gone to a bit of extra effort for shits and giggles (or because they were paid to?) and the code gets out (is deliberately released, is sold an leaked, or just leaked) it becomes so easy to copy the technique in some cases that is a no brainer to do so to catch that extra 1%.

I'm sure that some address farming bots have been passing script blocks containing little more than document.write calls through one of the several freely available javascript engines for ages. It is not as if they have to write even a partial interpreter themselves. The address having been interpreted by Google and therefore existing in their cache makes little difference at this point.

Re:What else can google do?

[hairyfeet]

Well I don't know about him, but I can tell you why I block JavaScript and use Noscript and ABP, and it is because JavaScript is becoming the new ActiveX. You see, ActiveX wasn't really that bad when it was just used by a couple of corporate types for very basic jobs but then along came everybody and their dog and soon the web became a giant ActiveX nightmare.

Now we are seeing the same thing all over again with JavaScript and Flash. Sites that could have been perfectly fine in plain old HTML become this giant bloated mess that can cause even a good dual core and cable connection to go "WTF? Is the script not responding?" because they have overloaded it with crap. So I will happily block most scripts and keep my bandwidth and my sanity, thanks ever so much. I have found most sites that are the worst offenders rarely have anything worth looking at anyway.

BTW, Who is writing the code for Slashdot anyway? I've found if I don't block JavaScript on Slashdot it looks like the page was rendered with a shotgun. Just really nasty and hard to read.

Re:What else can google do?

[yuhong]

JavaScript is the new ActiveX? Well, ActiveX code is IE and Windows specific, has unrestricted access to the computer and is in raw native code which makes it impossible for a browser to abort, while JS is browser-independent, runs in a VM that lets the browser abort the execution of JS if it takes too long (the browser will usually use a timeout, after which the browser pops up a message that lets you choose whether you want to continue execution of JS or stop it), and it's access to the computer is restricted by the browser.

Re:What else can google do?

Funny you should ask. They've got a guy in the back now wielding a shotgun loaded with rubber pellets pointed at his keyboard...

Re:What else can google do?

[Bigjeff5]

It's not the time to code it, even if it takes you a month it's pretty trivial.

It's the cost to process the javascript. If in the time it takes to grab 1 email by processing javascript you could have grabbed 20 or 30 emails by moving on to an easier target, you'd be a fool to process the javascript.

Spammers may have server farms, but they definitely aren't Google sized server farms, it's way too costly for them to do this on their own. Now if Google pre-processes the javascript for them - speaking figuratively, obviously the intended benefitors are not spammers, but regular searchers - they don't waste any extra processing power grabbing those emails too.

Not that big of a deal though, switch to web forms or a simple .png of the email instead of plain text to replace the javascript obfustication.

Re:What else can google do?

Meh. You're wrong.

The first problem with ActiveX was its lack of a security model, not that it was "ActiveX".

The other big problem with ActiveX was that it wasn't cross-platform.

Re:What else can google do?

[hairyfeet]

Tell you what yuhong, look up "JavaScript Exploit" in Google. Go on, I'll wait /listens to Judas Priest Live/....what's that? There is like millions of hits? BINGO, there you go. The reason Chrome is sucking up so much RAM is having to sandbox every little piece of JScript. JavaScript security is NO better than ActiveX, it is just cross platform. Big whoop. Now we can all deal with the nasties! Yay!

I don't know whether we need a completely new web based language designed from the ground up with permissions and security in mind, or if JavaScript can be fixed with a complete rewrite. What I do know is when I teach my customers how to use Noscript their malware infection rates quickly drop to squat. JavaScript now is just like ActiveX was when it comes to nasties. The Linux guys just don't see them because nobody is targeting them. And before anybody says it, yes I know the web servers are running Linux. They are also run by folks like my friend Glen who reads security bulletins and always patches and minimizes risks, etc. By contrast Windows is run by folks that don't have a clue about security.

For those folks JavaScript is a gaping security hole that really needs fixing IMHO. Just because something is cross platform doesn't mean it isn't broken, it just means it is broken on multiple platforms.

It's not google, it's the web developers

[Punto]

nowadays, half of the pages I try to visit don't render at all without javascript. Somtimes the main content is missing (you just get the headline, the links that go on the sides, and the ads), somtimes it's just a blank page. It seems like all these traditional news organizations just _have_ to be "web 2.0" to appear relevant again.

Google needs to index the page, they don't have much choice.

Re:It's not google, it's the web developers

And that's the real sadness of the problem. The web was better when it "the web". None of this AJAX everywhere crap.

Re:It's not google, it's the web developers

[BlitzTech]

AJAX is a great technology that has vastly improved the usefulness of the web. However, like every other fad, it gets significantly overused in places where it just IS NOT reasonable. I wish more developers would come to the realization that AJAX != 'Web 2.0-ifying your page' and move back to using the right technology for a given problem. AJAX everywhere just reeks of the same kind of software bloat that makes modern computers run slow compared to 5-10 year old equipment.

When all you have is a hammer...

Re:It's not google, it's the web developers

[Todd+Knarr]

Seconded. You don't need Javascript to do a simple hyperlink. You don't need a scrolling text-box to display your page, the browser can scroll the page just fine thankyouveddymuch. You don't need to dynamically replace elements to change content while maintaining a navigation header or sidebar when appropriate (note: appropriate) use of frames will accomplish exactly what you want.

The two sins of engineering: making it more complicated than it needs to be, and making it simpler than it needs to be. Avoid them.

Re:It's not google, it's the web developers

[iYk6]

Bullshit. Google could recognize that I don't want to view crap, and not index it. The good websites don't pull inappropriate tricks with their pages, the mediocre sites would eventually figure out that they aren't getting indexed by search engines, and improve, and the terrible sites would remain in obscurity, partying with geocities.

The web is a big place, and we don't have to put up with crap. Google actually has the power to make the web better by only indexing good pages, but they are doing this instead. In fact, if Google returns these crap pages in their indexes, and other search engines like Bing and Ask don't, that would be a one up for those other engines.

In an environment as big as the web, quality over quantity.

Re:It's not google, it's the web developers

[nweaver]

The good websites don't pull inappropriate tricks with their pages, the mediocre sites would eventually figure out that they aren't getting indexed by search engines, and improve, and the terrible sites would remain in obscurity, partying with geocities.

Sorry, this is just plain untrue. Have you looked at the source for the FRONT PAGE of Google lately?

The head is 2 script blobs and a style sheet blob.

The body has onload loading of images, an iframe with a bunch of onload crap, etc...

Even the slashdot front page has javascript which is using document.write().

The only way to really index the web these days is to be javascript aware and actually render it.

Re:It's not google, it's the web developers

[JCSoRocks]

Frames aren't a replacement. There's a reason people dropped frames. Layout limitations, limited scaling, poor bookmarking, broken back button, etc. I, for one, appreciate partial page refreshes - when done correctly. Full page postbacks suck.

Re:It's not google, it's the web developers

[larry+bagina]

frames suck like kathleen fent when you wave a hamilton in her face.

Re:It's not google, it's the web developers

[unfasten]

You are aware that both the examples you give (google front page and slashdot) both render with javascript off, right? They function as well. The javascript just adds more, it's not spitting out the main content.

Javascript should not be creating the main content on your site unless it's a "web application", and even then a lot of applications should still be able to produce something usable.

Re:It's not google, it's the web developers

[Todd+Knarr]

Using dynamic replacement of elements has most of those same problems, though: you end up with bookmarks that don't refer to the page you bookmarked, the back button doesn't work since the previous page isn't the previous step in the history, etc. etc.. At least with frames I can right-click and display the desired frame in it's own window or tab and get a correct URL to bookmark the content.

The only advantage AJAX has is in layout, and more often than not when faced with a layout where AJAX really does make it possible I find myself wishing the site designer had picked a simpler layout with fewer mis-features getting in the way of my reading/using the content. Eg., expanding FAQs where I have to click on every single item to browse all of it instead of just scrolling through reading it.

Re:It's not google, it's the web developers

[HTH+NE1]

At least with frames I can right-click and display the desired frame in it's own window or tab and get a correct URL to bookmark the content.

Yeah, that doesn't always work. Some of those pages use Javascript to check to see if they're in their frameset and, if not, will use more Javascript to redirect you back to the frameset. If you're lucky, it will be a frameset that contains the page you wanted and you can bookmark that.

Of course it still doesn't help when they contain text whose flow has been fixed to a specific width and the frames aren't wide enough to read entire lines and aren't resizeable (and worse, omit scroll bars).

I don't even like how sidebar content wastes real-estate further down the page.

Re:It's not google, it's the web developers

[omnichad]

AJAX should only be implemented as an add-on to a site that works fine without it. Partial refresh, or fall back to plain hyperlink. Click a link to reveal a comment form, or fall back to loading a new copy of the page with that form.

Done right, AJAX can include itself in your History and even function properly with the back button. Just look at some of Google's sites. Just because a bunch of people do a lousy job, doesn't mean that it doesn't work. Of course, that goes for just about every technology visible on the web.

Re:It's not google, it's the web developers

[foniksonik]

Frames are the devils hand-maiden... never ever frames.

Bad for usability, bad for programmatic access, bad for seo, bad for everything...

Who CARES?

[nweaver]

The spammers WILL get your email address. Be it web trawling, google searchers, or stealing email address off of compromised computers, the spammers will get, and then resell, you email address.

Trying to keep the spammers from getting your email address is a lost cause, and not a battle worth fighting.

Re:Who CARES?

[mapsjanhere]

oddly enough, the email account linked to my slashdot login was created just for the "easily compromised but I need a valid email to get a login" situations. Even after 5 years in use to create logins it's the only one NOT heavily spammed (other than by some Russian spammers in a font I can't even read, talk about easy spam detection).

Re:Who CARES?

[slyborg]

So why is it that you don't have your email address in canonical form on your homepage?? One hasn't needed to explain that "nweaver" is an account on a "server" since, um, 1986 or so.

Re:Who CARES?

[nweaver]

History. I haven't updated my front page in years.

Re:Who CARES?

[mlts]

If a spammer wanted my email address specifically, they would get it. However, the key is being able to raise the bar so its not harvested with ease.

Re:Who CARES?

The spammers WILL get your email address.

Yes they will. That's why my web site contains one hundred new randomly generated garbage email addresses in black on a black background for them to harvest every time they come to visit. Yours should too. Inundate them with email addresses.

Re:Who CARES?

[stine2469]

slick.  does your script generate a page that makes them THIER email addresses????

Yes, but . . .

[Art3x]

Your email address will almost certainly get out. If not by a spambot then through an unscrupulous merchant.

That's why spam filtering is better than email hiding. Gmail's spam filter, for example, is very good. I get spam in my Inbox about once a quarter.

Google's job is to turn human-readable pages into machine-searchable pages. So it will always seek to expand what it can read: images, Flash, JavaScript, etc.

It's best not to hide in the direction that technology is advancing.

robots.txt

[physicsphairy]

I assume if you load your obfuscation code from script.js and put script.js in robots.txt that you will be safe, although that is sort of a pain.

What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

Re:robots.txt

[RajivSLK]

What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

That would be exploited by spammers to the extreme. Imagine clicking on a listing for disney kids fun house only to have a hidden ad for an online Viagra dispensary dominate the page.

Re:robots.txt

On Google appliances, there is actually a googleon / googleoff set of comment tags you can use.

Re:robots.txt

It would have to still check the whole page and rate based on that but not show it in search results or check it against the query terms.

Re:robots.txt

--And clearly all advertisers would clamber to that, since everyone knows the market for 'Viagra' covers the same demographic as the market for 'Disney Kids Fun House'.

None the less, it would still be a good point, if it weren't for the fact that you could already do similar tricks using the 'robot.txt' file.

Re:robots.txt

You can spam google spiders by ip address.

Plus - If you post your email address on a website (obfuscated or not) then you have indiscriminately published it, you are at fault not google.

Re:robots.txt

[physicsphairy]

That would be exploited by spammers to the extreme. Imagine clicking on a listing for disney kids fun house only to have a hidden ad for an online Viagra dispensary dominate the page.

Well, there is nothing preventing that from happening right now, either--certainly not if the ad is graphical (redirect) or a flash ad.

We are in effect a long way off from the days when it will not be a trivial exercise to trick a bot. Until then, I think being able to request alternate behavior will always be worth the advantage it affords to the common and decent folk.

one answer

[martas]

http://mailhide.recaptcha.net/

And that's not all...

[DanCentury]

They're probably spidering the "generated source" of a page, which means any content rendered with JavaScript is now spiderable and indexible [sic, I'm sure] -- what your eyes can see, Google will index.

Google is doing a lot of new things now, like listening to audio files and changing speech to text. Complete parsing of SWF files, including media and XML files called by the SWF. They can pull text off of images as well.

 

grapcha - new puzzle

[alxtoth]

If everything else seems to fail, try these convoluted, big captchas generated based on Graphviz graphs. Link : http://snowflakejoins.com/grapcha/index?text=slashdot

Re:grapcha - new puzzle

[EdIII]

That's a horribly weak captcha. Most simple text captcha's like that are broken. There is no randomness in font size, orientation, etc.

The greatest distinction is just the bubbles and the lines. However, it is a single line with a color coded stop and start. Finding the green and red bubble would be easy, as well as identifying the stop and start labeled bubbles and then just following the lines.

Quite frankly, this would be fairly easy to automate a solving process for this captcha.

Re:grapcha - new puzzle

[omnichad]

Yeah, just look for ?text= in the URL.

Carefully protected..

[gmuslera]

Considering how much machines belong to one or another botnet, encripting it somehow in a web page dont protect your email from a contact that belongs directly or indirectly to one. As soon you start to try to use your email, the risks of getting in some spammers list start to raise. And that includes posting it in a web page under any encryption and get a mail from a visitor (probably the main reason of posting there the email) which machine is already owned.

The question is...

[Fuzzums]

... will it mung?

Contact Me Form

[Jason+Levine]

A better method is to have a Contact Me form that doesn't display your e-mail address anywhere on it. Yes, you'll get spammers filling it out, but you can cut down on those with some simple techniques. For example, make a "Phone Number" field and set the CSS display attribute to none. Normal users won't see this field and won't fill it out. Spam-bots will see it and attempt to fill it out. Then, have your submission script silently fail to send to e-mail if the "Phone Number" is filled out. (If you toss an error, the spammer might figure out the trick.) No method is fool-proof, of course, but this is much better than putting your e-mail address on your webpage and hoping that someone doesn't de-mung it.

Re:Contact Me Form

[JCSoRocks]

Hiding it with CSS is quite clever. I've obviously used it for UI reasons but I hadn't considered its usefulness as a bot fighting strategy. Good tip.

Re:Contact Me Form

[LordKronos]

Then, have your submission script silently fail to send to e-mail if the "Phone Number" is filled out.

Although I've never tried it to verify, won't this also fail for anybody who has their web browser set to remember and autofill form fields?

Re:Contact Me Form

[Jason+Levine]

Maybe, but it would be a bad idea to have your browser auto-fill out your phone number on any page that asks for it.

Re:Contact Me Form

What about the form auto-fill implementation on certain browsers?

Like this is the only way...

[almightyon11]

Like this is the only way to protect emails published on the web from spambots... I could list a few, but my favourite is to publish a well done (not easily broken) captcha img in some host I have easy acess to. If I want I can just delete that image, or add an expiration timers so that after a few days that image won't show up anymore.

Google Wave

[paulthomas]

Google Wave may mean that web sites and blogs will be implemented as embedded Waves. The wave demo at http://wave.google.com/ shows how this would work for blog comments & galleries.

In this demo, they basically hint that because of this, Google is rethinking what embedding & javascript mean on a page because they envision a future where the content can and will live anywhere and won't be represented by static HTML.

As you point out, this is already happening, albeit to a lesser degree than I think Google anticipates.

I have a new solution:

[Facegarden]

In order to prevent SPAMbots once and for all, you should require that everyone interested in contacting you first drive to the next geohash http://www.wiki.xkcd.com/geohashing/Main_Page in the region of your choosing, wearing a lumberjack outfit and carrying a case of jolt cola.

Then, and only then, does the read quest begin...
-Taylor

Re:I have a new solution:

[Hamoohead]

I'm a lumberjack and I'm ok, I sleep all night and I work all day. . .</oblig>

Re:I have a new solution:

[Facegarden]

In order to prevent SPAMbots once and for all, you should require that everyone interested in contacting you first drive to the next geohash http://www.wiki.xkcd.com/geohashing/Main_Page in the region of your choosing, wearing a lumberjack outfit and carrying a case of jolt cola.

Then, and only then, does the read quest begin...
-Taylor

Dammit, I misspelled "real"! Grr.
-Taylor

The harvesting bots are definitely getting smarter

[Fast+Thick+Pants]

When they learn to subtract pi, we're all hosed.

Inevitability

[Captain+Spam]

So, the ability to process JavaScript outside of a browser is somehow Google-specific?

Frankly, this was inevitable. If JavaScript is processed by a computer in one application, it can be processed by a computer in another application, and the latter may be more Evil(tm) than the former. So what if Google stops parsing JavaScript in their summaries? How hard is it for the spammers to get a parser of their own and not even touch Google's servers?

That's why I've never really trusted those munging hacks.

My method

[EkriirkE]

My simple method seems pretty well help up - I just randomly use the HTML control characters instead of the ASCII character in some spots. e.g. instead of "e", use or

Re:My method

[EkriirkE]

Err, seems /. doesn't seem to like that

e = &#101; or &#x64;

a search for my email just brings up some random page talking about me (i should ask the author to remove the addy.. oh well)

Re:My method

Dude, you might want to consider changing your signature. That key hasn't been useful for a couple of years now.

Pay to email

[Viking+Coder]

How about "pay to email"?

I register with a pay-to-email site, and give it my actual email address. It gives me my new publicly visible email address. Anyone who wants to can send me an email through this service if they pay me an amount of money that I set. After I receive the email, I can refund the sender. The pay-to-email site takes a 10% cut on all un-refunded emails.

Sound like a winner?

Re:Pay to email

[PenguinBob]

I know I wouldn't pay to send a simple email to somebody. But it does *sound* like it would work.

Re:Pay to email

[Kozz]

How about "pay to email"?

I register with a pay-to-email site, and give it my actual email address. It gives me my new publicly visible email address. Anyone who wants to can send me an email through this service if they pay me an amount of money that I set. After I receive the email, I can refund the sender. The pay-to-email site takes a 10% cut on all un-refunded emails.

Sound like a winner?

My... GOD... that's genius! Your plan clearly has no flaws. We should implement it right now.

OK, honestly, I was just too lazy to fill out the ubiquitous rejection form.

Re:Pay to email

[amRadioHed]

Sounds like you'd never get any email.

Re:Pay to email

[PRMan]

I still think a new e-mail system that charged 1 cent per e-mail would work. SPAM would instantly be too expensive, but the 10 messages I send friends per month wouldn't be.

Re:Pay to email

Well, here you go:
---
Your post advocates a

( ) technical ( ) legislative (*) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(*) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(*) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Pay to email

If you like it so much, why didn't you post your email address?

Re:Pay to email

[jfengel]

The problem is the micro-transactions. You'd want to charge very little, a penny or less. But the overhead of transaction processing is enormous; no credit card company will deal with it.

You could try to hold the money yourself and just shuffle it around, but that requires everybody to be on your system, and email users don't care for that.

It also represents a pain to users: protecting the authorization and authentication info that lets them charge either requires frequent human intervention, OR a spam-bot could just use the account.

So, nice idea, and I think something like it may happen some day, but not soon.

Re:Pay to email

[witherstaff]

0day exploits that infect machines and turn them into spammers would get mighty expensive.

Re:Pay to email

[Viking+Coder]

Thanks for the sarcasm. I'll try to not stoop down as I respond to you:

(*) Mailing lists and other legitimate email uses would be affected

No they wouldn't. You can set up a whitelist.

(*) Users of email will not put up with it

If you have my private email account, you use it. I'm offering up an idea of a service that someone can use to mask their email address. If you really want to contact someone, you can send them a no-stamp email, and hope they happen to see it. This is no better and no worse than today. If you want them to see it, you affix a stamp. The receiver could easily let you know what their threshold level is. If you don't want to pay that much, then don't.

(*) Many email users cannot afford to lose business or alienate potential employers

Many email users will not use the idea. Okay. Some will. If you want to be employed by someone, or do business with them, give them your direct email address.

(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

If you desire spam-free email, point out the actual problems with my system. If you don't care to point out the actual problems, then don't.

(*) Sending email should be free

Receiving email should be spam-free. Also, sending email is free under my idea, as long as the people who receive it agree that it wasn't spam. Yes, there's a "deposit" which is held, but it should be good for as long as you don't spam people.

(*) Sorry dude, but I don't think it would work.

That's legitimate. I have Skype credit right now for the simple purpose of making phone calls. I have a recurring credit card debit set up from Amazon to pay for my AS3 (JungleDisk) access. I pay my ISP, and I suspect you pay yours, too. I pay per every text I send from my phone; you might pay a monthly fee to have "unlimited" texts. Returning a book from a library after the due date has a nominal fee.

If I want to send "larry (at) somesite (dot) com" an email, but Larry is as sick of getting spam as I am, and if we agree to trade the same reusable stamp with a group of like-minded individuals, would you seriously be completely unwilling to drop $1 onto a website to join the club?

I remember way back when the signal to noise ratio of email was THOUSANDS of times higher than it is now. I'd be willing to drop a $1 deposit to get back into those kinds of numbers.

Re:Pay to email

[Viking+Coder]

I'm okay with that, amRadioHed.

Re:Pay to email

[Viking+Coder]

So, picture if someone competent ran it - Google, if that floats your boat.

The credit card charge happens one time - load up your Spam Busting account with $10 worth of credit. Maybe the system even prevents you from ever withdrawing your money (or any money you get from spammers) back from it. If you could get money back, you could make a profit, and then you're into the realm of paying taxes and reporting income to the IRS. Instead, the system lets you donate to one of say a hundred charities, at any time (rolled up into a monthly donation with other people).

"requires everybody to be on your system"

At first it might - but it could easily be a federation of like-minded providers with simple, secure protocols between them.

Also, this is merely an intermediary between your public internet persona and your real email address. All your friends still use your real email address. When someone wants to make the jump from "random person on the internet who wants to send you an email" to "someone you'd give your real email address to," they send you an email with a stamp on it, you read the email, you give them back their stamp and then you just send them your real email address. If you think there's a chance they might turn into a psycho and sell your email address to Nigeria, then never give them your real email address. Yes, if someone or some virus steals one of your friends email address book, you're screwed. So, maybe you just use the Spam Busting account all the time, but you manage your whitelist. Kind of a pain. The only reason it's ANY better than setting up your own email filters is because you A) can have a public web email account and B) you increase the odds that spammers can't reach you without having to donate to charity to do it. :-)

Re:Pay to email

[geekoid]

No.

Re:Pay to email

[geekoid]

(*) Mailing lists and other legitimate email uses would be affected

No they wouldn't. You can set up a whitelist.

And now it fails, since most spam uses false 'sent from' and not everyone on the list is going to be diligent with the email iof the list serv.lets continue to see the other ways this with fail.

"Many email users will not use the idea. Okay. Some will. If you want to be employed by someone, or do business with them, give them your direct email address."
Now your direct email is in the wild.
Fail.

"Receiving email should be spam-free. "
Actually, No. It's designed to be open in this manner.

"but it should be good for as long as you don't spam people."
require a specific definition to 'SPAM' that all agree on.
Obviously business to transfer money from Nigeria is highly suspicious(this does happen legitimately, in some cases)
However, what if someone you haven't talked to in a while just sends an email out of the blue? is that spam? I know someone who considers that spam.

What about things that are not legally considered spam?

Your idea, while not unique, is only good from a small group of people, all whom agree on what spam is, and all who are equally tight with there email.

Or, you could get a Google account.

There are ways to make a spam free email system*, but there put a lot of weight on the users.
For example, including a hash of the processor number added to a hash of the date sent culd be used to keep spammers from getting through, but it's a pain in the ass and it gives an illusion of security
But you need to maintain a list of everyone processor ID to compare to the hash.

Re:Pay to email

[jonwil]

SPAM might be expensive under such a system. But it would put any of the 1000s of open source mailing lists (many of which have a LOT of traffic) out of action.

Re:Pay to email

[The+Famous+Brett+Wat]

There have been many variations on the "pay to email" theme over the years. The oldest relevant citation of which I am aware is Brad Templeton, E-Stamps. His proposal does not involve the middle-man that takes a cut. Esther Dyson has also advocated this kind of solution for many years. The nearest equivalents to "pay to email" that we have in the actual marketplace are certification schemes like those from Return Path and Goodmail. These involve paying to receive certification as a responsible practitioner of bulk email, and thereby receive a recommendation which will prevent your mail from being filtered in some cases. That's not much like an e-stamp, admittedly, but it's as near to the concept that the market actually bears. Nobody has yet figured out how to introduce an e-stamp system which any email senders have the slightest incentive to use.

Re:Pay to email

[Viking+Coder]

"Actually, No. It's designed to be open in this manner."

Actually, email is a content delivery system. It's up to the participants to decide the content. A stamp is perfectly valid content.

"require a specific definition to 'SPAM' that all agree on."

No, each person decides what spam is. I thought that was pretty obvious from what I was saying, sorry.

You do something publicly on the internet, and leave your stamp-required email address. I want to get in touch with you, so I send you an email with a stamp. If you decide, for whatever reason, to keep my stamp, I just have to accept that. The stamp was a nominal charge in the first place. Chances are, someone will send me an email I don't particularly want to receive, and I can keep their stamp to offset your action. Perhaps it will be considered rude to not return stamps. Perhaps it will be considered gracious to INSIST that recipients keep your stamps so they can donate them to their preferred charities, or use them themselves. Would you donate some email stamps to the homeless, so they can be more effective in emailing potential employers, or health care providers, or state representatives? ...just a thought.

Physical mail has more impact than email, when you write to your senator. Perhaps stamped email will carry a tad more weight. "Oh, geez - this is a $20 stamp, and it's even marked for-charity-only." (The recipient CAN'T return it, and CAN'T use it themselves...?)

"However, what if someone you haven't talked to in a while just sends an email out of the blue? is that spam? I know someone who considers that spam."

Then people will either not mind buying stamps to email that person, or they will. If that person ever wants to send emails back, the original senders you described should keep their stamp as payback.

"What about things that are not legally considered spam?"

"Legally" has nothing to do with it. It's a reusable stamp. Apply it to any purpose you want to.

"Or, you could get a Google account."

I've already got one, but I'm not quite cavalier enough to post my gmail address all over creation. Are you? Does it really work well enough on your spam?

Re:Pay to email

[Viking+Coder]

(Weird, I thought your post said "Sounds like you'd never get any email from me.")

Re:Pay to email

[fulldecent]

>> How about "pay to email"?

s/this comment/standard response to spam fighting suggestions that recommend a pay-to-email approach/

(can I really do that? I just did!)

Re:Pay to email

[Viking+Coder]

No it wouldn't.

An email gets sent without a stamp, and if the recipient hasn't white-listed the mailing list then they won't see it unless they look for it (by turning off their "stamped-only" filter).

Re:Pay to email

[Viking+Coder]

s/this comment/standard response illustrating that since you're too lazy to fight spam, I curse you forever with the results/

(can I really do that? I just did!)

Re:Pay to email

[jfengel]

Unfortunately, sooner or later somebody will always leak your "real" email address. They'll forward you a comic strip or include it on a mass emailing, and now it's in every spammer's book forever.

And everybody in that intermediate camp (close enough to send email regularly, not close enough to reveal your One True Email Address) is in a bind. They either can't get to you without signing up for the system, or you establish some sort of black/white/gray listing on top of the other system. Which means you might as well skip the transaction problems.

Mailing lists are also problematic, though I think that replacing push mailing lists with RSS pull mailing lists is going to take a big chunk out of that eventually.

For YEARS we've had transparent CSS methods

Do they mention these ever?

Why would you assume obfuscation would work?

[Todd+Knarr]

I assume that, if a human can figure out the e-mail address, a spammer can too. After all, if nothing else they'll simply hire an IT sweatshop over in Asia or Africa to scan the pages for addresses at a dollar an hour or a nickel an address. JS obfuscation doesn't even take that, if your browser can evaluate the Javascript then the spammer's page-scraping software can too. So I assume that the only obfuscation that'll work is one that renders a human unable to read the address, at which point why bother putting the address there at all. And if all else fails, the well-known spammer tactic of just shotgunning every possible e-mail address in a domain will find anything their other tricks didn't (just like the auto-dialers that dial every number in a given exchange will find even unlisted, unpublished, known-only-to-the-owner phone numbers).

The only viable defense is at the mail-server level. The spammers will get your address, so prepare your mail server to deal with them. Reject connections from known residential/dial-up netblocks that shouldn't be contacting your mail server directly. Apply SpamAssassin and other filtering to incoming mail. Use reliable blacklists (evaluate their policies yourself against your own tolerance for false positives, and remember that the spammers don't want you to use any blacklists because using them stops them from spamming). Use what your filters learn by blocking netblocks that generate too many filter-rejected messages. You can't stop them from sending that first SYN, but you can decide whether to SYN-ACK or NAK them.

One might say Google "Fixed" it

[dmomo]

It's a hack. When moving technology forward, you need to pick your battles when asking "should we not improve this service? It will break the hacks"?

All in all, you are displaying text on a page. Google's job is to take text that humans can read and make it text that humans can find.

I agree, spam is a problem, but this kind of obfuscation will only get you so far. It's the same argument that can be said about MP3s. If you can hear it, we can steal it. Same as "if you can see it."

Spam stinks, but in the end, even with these tricks, you are making your address public. Public information will be harvested by mortals and robots alike.

Re:One might say Google "Fixed" it

Indeed, they can even help find pages that are 'hidden' using this junk. If you do not want google going thru it setup your robot file... Instead you have crazy javascript fills that do nothing but make it hard to cut and paste links...

Google could do themselves a favor though and make their own products more cachable. It is almost as if everything from them is 'dynamic' with crazy information embedded in the urls.

I don't think they got the email from Google

[bheer]

I don't think the spammers got his email address from Google. I mean, to do that they'd have to send a fairly narrow query to Google -- something like 'chibi jesus' -- and then scrape the results ... just scraping the cached page wouldn't help -- that contains JS, not the email address. Plus, I imagine Google would notice if a bot started sending lots of search queries its way.

It's far more likely that spammer bots are now actively processing JS. As others on this thread have pointed out, it ain't hard to do.

Re:I don't think they got the email from Google

I will mod you -1 Wapanese

Re:I don't think they got the email from Google

[larry+bagina]

They don't even need to process javascript. There's a handful of common mungeing techniques and a few lines of perl would detect and decode them.

Re:I don't think they got the email from Google

(Original article's author here.)

There's no way to prove or disprove how the spammers originally got the address, but you demonstrably can crawl Google for addresses in this way without knowing them first. All you have to do is search for things that *look like* e-mail addresses. Try a google search for:

"* tomorrowlands org" site:tomorrowlands.org chibi

And the "protected"* address shows up at the top of the list.

* (Yes, those are scare quotes, I'm a bad person for munging in the first place, etc.)

Re:I don't think they got the email from Google

[complete+loony]

"contact me via email at *"

I'm sure you could come up with other search terms...

Re:The harvesting bots are definitely getting smar

[amRadioHed]

Looks like you're already hosed.

Google What Happened?

What happened to "Do No Harm"?

People still receive spam?

[iYk6]

The spammers WILL get your email address. Be it web trawling, google searchers, or stealing email address off of compromised computers, the spammers will get, and then resell, you email address. Trying to keep the spammers from getting your email address is a lost cause, and not a battle worth fighting.

I don't get any spam at my personal account. No blacklisting or bayesian filters necessary. I just don't give my personal e-mail address to companies, nor do I display it on the Internet. I also have a sneakemail address that I only give to companies, and that one actually doesn't receive spam either. Go figure.

History. I haven't updated my front page in years.

You last updated that page 8 months ago.

Mangle better

[jlcooke]

Like this:

www.certainkey.com/dm.

Needs some crypto computation to decrypt. User needs to click on a "Get my Email" button. Works on iphone.

Much ado about nothing

[Asmor]

I publically list my email whenever I need to. If I want someone to email me something, I say, "Send it to itoltz@gmail.com". In fact, if HTML is allowed where ever I'm writing that, I'll even be so kind as make it a mailto link (i.e. <a href='mailto:itoltz@gmail.com'>itoltz@gmail.com</a>).

And you know what? I almost never get spam in my inbox. I'd say a piece squeaks through Gmail's filters every few months (though when it does, I usually seem to get 2-3 similar spams over the course of a day or two).

Granted, not everyone has the option of using gmail, and for those who do not everyone is comfortable with the idea of using it. That's fine. But the point is, if gmail is that good at filtering out spam, anyone else can be too.

Re:Much ado about nothing

[hplus]

Given the immense quantity of mail that Google processes, they are in a uniquely effective position to classify mail as spam based on heuristics and other techniques that are similar to the sorting that they do for page-rankings. I'm not saying that other entities could not necessarily do what Google does, just that Google has a nice head start.

Re:Much ado about nothing

[Lulu+of+the+Lotus-Ea]

I am in general agreement with a number of posters about the effectiveness of Gmail's spam filtering. However, the claims of only getting uncaught spam once on the order of weeks or months baffles me. I get at least several spams a day that make it through Gmail's filter. Of course, next to that, I also get hundreds of spams that are caught correctly (and once in a while false positives too though, so I really need to review the spam folder manually, which is a fairly quick visual scan). It's manageable, but not completely negligible, work.

It's possible (quite likely) that I have a more public identity than many posters (I'm widely known, and never hide or disguise my email address). But I still have to wonder if their accuracy claims about Gmail filtering are a bit exaggerated.

Re:Much ado about nothing

[Asmor]

If I am exaggerating, it's not a conscious decision. I do admit that I have a terrible sense of time. But honestly, my guess is that you do receive more spam than me. Why? Who knows. I suspect it probably has more to do with the sorts of circles in which we expose our respective emails.

Re:Much ado about nothing

[Phroggy]

Something that most people don't understand is that spam is NOT universal. Every e-mail address is unique, and will get a different assortment of spam. Some of the users on my mail server get spam that I don't get, and I get spam that they don't get.

In particular, a new e-mail address will never get spam, unless:

1. A spammer randomly guesses the address, using a dictionary attack
2. The address is posted on a web site, and scraped by a spammer
3. The address is submitted to a company or organization which posts it on their site
4. Malware extracts the address from somebody's address book
5. Somebody hacks into a company or organization that the address and takes it from their database
6. Some sleazy company sells it

That's pretty much it. #1 is only likely if your username is common (like just your first name). #3 isn't a common problem anymore, since most sites either don't post their users' e-mail addresses, or they obfuscate them (like Slashdot does). #5 isn't a common problem either. I've only gotten burned by #6 a few times.

Re:Much ado about nothing

[LihTox]

I agree; I generally get 1 or 2 messages per day (on average) that escape the Gmail filter. However, one of the email addresses I have forwarded there is roughly 14 years old, and was used on Usenet, so everybody's got it by now.
To fix this, I've created a label called "!Spam", and as spam leaks through the filter I try to come up with a filter to send messages of that kind to !Spam, bypassing the inbox. I go through those messages to check for false positives regularly, but at least the spam doesn't show up in my email alerts, which makes me happy.

Re:Much ado about nothing

[dynchaw]

My gmail account has had 2 spams make it to my inbox in the last 6 months (probably longer) of the 20-50 spams a day the account receives. I have never published the address and have only even given it out to friends and family but it has received spam since the day I opened it. I also don't have any other email addresses forward to it. Very effective for me.

No-Archive META Tag

Isn't there a META tag which tells Google's bot not to archive your site (Google Cache) in the first place? I believe it's the No-Archive tag.

Captcha

[nausea_malvarma]

Has this ever been done before: Instead of posting your email on a website, post a link to another website which stores contact information and require users to fill out a captcha before they see your email address. (I realize this is obtrusive, and time consuming. Just curious)

And... your point...?

http://mailhide.recaptcha.net/

Problem solved, with the only remaining CAPTCHA that hasn't been automatically broken.

Some robots are more equal than others

[Cajun+Hell]

For example, make a "Phone Number" field and set the CSS display attribute to none. Normal users won't see this field and won't fill it out. Spam-bots will see it and attempt to fill it out.

This only works for as long as spammers don't care about it. I think anyone who can figure out the HTML resulting from javascript, can also figure out the style of an element.

What's really funny about this problem is that we used to talk about using captchas to tell the robots apart from the meatbags, so that you could discriminate against robots. But now people want the robots to make sense of their page (so that they get referrals from Google) but they don't want the robots to make sense of their page (so that their email box doesn't get referrals from spambot). You're on the web or you're not. Choose.

Re:Some robots are more equal than others

[Phroggy]

If I make a page with an e-mail address on it, I want Google to index everything except the e-mail address. Apparently now we need a new way to hide specific bits of content from bots, while leaving the rest of the page unobfuscated.

Re:Some robots are more equal than others

[foniksonik]

Actually no... if you put the input inside a div with a class and set the class to display:none then there is no indication that the input element is special. The key thing about a honeypot is that the spam bot can not tell which input is the honeypot... they have to fill in every field. If your form has 5 fields, that means 5 factorial attempts are required to submit and they have no indication of success so they have to do it each time.

The only way to thwart the honeypot is to personally browse the page, view the source and then write a special script to handle that particular website. If you are this special then you'll need something else. For the vast majority of the web however it will work really well.

Re:Some robots are more equal than others

[Cajun+Hell]

Actually no... if you put the input inside a div with a class and set the class to display:none then there is no indication that the input element is special.

There's obviously some indication, because your web browser doesn't show that input.

It's not hard for a scraper to understand that if a container isn't shown, then the things inside that container aren't shown. That's a very basic aspect of CSS, and if one piece of software (browser) "gets it" then so can another.

Solution: PHP or Perl Script

I've found it rather effective so far to obfuscate my email address via an intermediate PHP or Perl script. You just have the script redirect to a "Mailto" location and the browser handles it normally. Unfortunately, the visitor will get a blank page, but bots seem confused by it. I guess it's only a matter of time until they figure this trick out, too; but so far I haven't gotten any spam in several years and have no spam blocking software. (Posting anonymously so no jerk-offs think it's funny to submit my address to spammers.)

Google interprets javascript? Really?

[eugene2k]

For everyone's information: the page the author links to as the one that has javascript munging also has a noscript tag with the email out in the open. Guess what Google and spammers' email-crawlers really do? ;)

Re:Google interprets javascript? Really?

[yuhong]

I can't find it.

Re:Google interprets javascript? Really?

Why is this scored 4? It's not true.

Re:Google interprets javascript? Really?

Your right, they have completely munged the javascript obfuscation of their email address.

Re:Google interprets javascript? Really?

[The+Famous+Brett+Wat]

For everyone's information: the page the author links to as the one that has javascript munging also has a noscript tag with the email out in the open. Guess what Google and spammers' email-crawlers really do? ;)

I've checked your claim, and it's not true. The "noscript" tag contains warning text about Javascript being turned off and an instruction to use a web form instead of email. I've also checked my own Javascript obfuscation, which uses "blah at domain" type descriptive text in the noscript tag, and Google's search results do not de-obfuscate it. This may be due to the fact that my Javascript is loaded from a separate file -- a point raised in TFA.

Even if Google is rendering some amount of Javascript in this way, it's still a stretch to accuse Google of being the leak. If you correspond with a person who has malware installed on their computer, there's a high risk that your email address will be exposed to spammers via that route. Such malware is hardly uncommon, is it? The obfuscation technique was only ever going to buy a little extra spam-free time in any case.

Let's Geto to Work

[tomsomething]

Yay, Google. Judging by the responses I've seen so far, it seems most of us think this is a step forward for the search engine. That said, why don't we use this story as an opportunity to have a productive conversation about e-mail address security in a world where JavaScript's effectiveness is dwindling? Here's one from A List Apart that uses some fancy mod_rewrite stuff. http://www.alistapart.com/articles/gracefulemailobfuscation/ I know we've got a lot of geniuses and experts in here. Don't be modest! Show off how smart you are! And yes, the next brilliant security measure will someday be pummeled by a robot that some spammer puts together, but hell if that ain't just exciting! We're helping people build better, "smarter" robots, and criminals are some of society's greatest innovators.

Re:Let's Geto to Work

[tomsomething]

Dangit, I misspelled "ghetto" in my own post title. No, wait...

CSS saves the day!

You can still post your email address in a monospace font with the CSS line-height attribute set to zero pixles... This has the effect of displaying your email address on screen, but making it difficult for harvesters to grab.

something like:

<div style="font-family: 'courier new', courier, monospace; line-height: 0px;">
c a f s z c @ e s a e c m <br>
  r y i h a h n t c p . o
</div>

Re:CSS saves the day!

[omnichad]

Still not quite readable. I had to add an   in front of the r in the second row. And even then, because line-height is based on the font's baseline, this still had a zig-zag look to it.

agreed

I have had my email address on every single page of 4 medium-traffic sites (about 1,500 visits a day) in both plain text and in a mailto: link. I use google apps for domains for my email and I get a spam mail about once a month.

The issue here is overblown.

Easy fix:

Place the javascript which deobfuscates the email address in a separate file and put that or the folder it's in in the robots.txt.

Give Google a summary.

[dov_0]

Seems to me that Google only produces that nice little page summary (which here included the guys obfuscated email address) when you haven't put a page description META tag in the header. For some reason google will use the FOOTER of the page if there is no header. MS Bing however does not use the META description, but seems to take anything similar to it in the body of the page.

SpamGourmet

[meehawl]

SpamGourmet - I can't begin to say how awesome this is.

Seems quite simple to me

Very simple solution, prosecute Google under DMCA for running a circumvention device! :)

Simple solution

[dmuir]

Just un-munge on a mouseover.

Google Announces CSS rendering

[omnichad]

This has broken CSS munging.

It is actually really easy

It is actually really easy: http://spidering-lessons.blogspot.com/2009/06/spidering-102-how-to-write-basic-script.html

Address-munging ceased being useful years ago

[Arrogant-Bastard]

Spammers have many methods of acquiring addresses, including but not limited to:

• subscribing to mailing lists
• acquiring Usenet news feeds
• querying mail servers
• acquiring corporate directories (sometimes from their web sites)
• insecure LDAP servers
• insecure AD servers
• use of backscatter/outscatter use of auto-responders
• use of mailing list mechanisms
• use of abusive "callback" mechanisms
• dictionary attacks
• purchase of addresses in bulk on the open market.
• purchase of addresses from vendors, web sites, etc.
• purchase of addresses from registrars, ISPs, web hosts, etc.
• domain registration (some registrars are spammers
• AND harvesting of the mail, address books and any other files present on any of the hundreds of millions of compromised Windows systems.

There's thus no point whatsoever in any form of address obfuscation or munging: it's a complete waste of time indulged in only by the clueless, delusional few who haven't been paying attention to what's gone in during the past decade. What's truly ironic is how many of these people are actually running Windows and thus stand a reasonably good chance of having their own system be the point at which their address(es) are harvested.

A far better point to critique Google on would be their pointless munging of addresses in Usenet news articles -- spammers have had their own Usenet feeds for MANY years and all Google's done is make the archives less useful for everyone else.

Re:Address-munging ceased being useful years ago

[redmoss]

I munge on my web site/blog/waste of internet space. The address printed there (via javascript obfuscation) is not used anywhere else. If you visit my site with javascript enabled, you'll note that the address ends in a "1" now, because a spammer got ahold of the previous email address. So I killed that address, and created its descendant with an appended "1". This has eliminated all spam for several years so far, and allowed through several legitimate mails. If a spammer gets ahold of the new one, I'll kill/create once again.

At some point, the spammers will get too smart about js parsing, it will be too time-consuming for me to continue killing/creating email addresses, and I'll have to do something else. For the time being, munging is still useful for me.

Simple Workaround

[Elixon]

Run the script on some event that the Google will not emulate.

For example: [Write me] where the link has something like href="javascript:decodeMail();"

(And at best program the web form that will submit it to you on the server side without revealing your address ;-)

Spam

[smoker2]

I'm more concerned that the sponsored links featured in gmail have recently been featuring generic soma and viagra substitutes. How do I report these ads as spam ?
And no, I wasn't reading a spam message at the time.

The solution (for the moment)...

[chalsall]

I developed this technique independently some time ago. So far none of the obscured addresses have been exposed.

Since the Googlebot doesn't appear to download referenced Javascript files, simple put the obscuring function into another file....

Almost!

[VeNoM0619]

The text field below is a tool to create your own Javascript email address obscuring script. Enter your email address in the box and press the "OBSCURE!" button. You can then copy the resulting script and place it anywhere on your webpages where you want your email address to appear.

Wont fool me twice, better safe than sorry, better safe than sorry.