Slashdot Mirror

← Back to Stories (view on slashdot.org)

Has Google Broken JavaScript Spam Munging?

Posted by kdawson on from the step-too-far dept.

Baxil writes "For years now, Javascript munging has been a useful tool to share email addresses on the Web without exposing them to spammers. However, Google is now apparently evaluating Javascript when assembling summary text for web pages' listings, and publishing the un-munged email addresses to the world; and spammers have started to take advantage of this kind service." Anyone else seen this affecting their carefully protected email addresses?

22 of 288 comments (clear)

  1. *rolleyes* by Anonymous Coward · · Score: 5, Insightful

    Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

    1. Re:*rolleyes* by Chabil+Ha' · · Score: 2, Insightful

      To add:

      Relying on the expected behavior (Google not processing JS) of something over which you have no control for your security is pretty silly as well.

      --
      We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    2. Re:*rolleyes* by interkin3tic · · Score: 2, Insightful

      Do you really think whipping up a perl script is beyond the abilities of somebody who has the ability to run a spamming "business"?

      Maybe you mistook that for a rhetorical question, sorry for that misleading question, it was semi-honest. I really don't know how much effort goes into a spamming buisiness. Never met anyone who identified themselves as a spammer, so I don't know if they're as dumb as they seem. For that matter, I've never written a perl script.

      Just seems to me like if you have a decent head on your shoulders you'd be doing more than the equivalent of agressively begging for change on the sidewalk.

    3. Re:*rolleyes* by enoz · · Score: 2, Insightful

      You miss the point.

      The Javascript obfuscation method allows you to make a mailto: url that was accessible to users yet difficult for spammers.

      Sticking your email in an image is probably worse then simply asking users to solve a captcha before giving them your email.

  2. Really.... by Darkness404 · · Score: 4, Insightful

    Really with the development of better OCR technologies and such comes the elimination of e-mail security by obscurity. If you don't want spam either A) have a decent spam filter (I don't think I've had a single piece of spam pass through G-mails filter and only one false positive) or B) don't share your e-mail address. Those are the only two ways to prevent spam that will continue to work.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Really.... by buchner.johannes · · Score: 4, Insightful

      No it is not. If you increase the time used per website, you can not process that many websites anymore. JS obfuscated emails were protected because spammers didn't take effort.
      You might say computers got faster, but unfortunately the web didn't get smaller.

      Anyway, I understand the need to post email addresses on a website. How else should people contact you the first time? Personally, I don't like contact forms. Would you advocate for a CAPTCHA or requiring a POST request to obtain the real email address? You could still cry "security by obscurity".

      But you can't take away the option of posting email addresses on websites from users, as it is very useful to contact people by email. Reminds me of people saying "Flash is proprietary, and too fancy for my taste anyway, so nobody must use it. Use Javascript.".

      Maybe one should make swf files with the email in them. Muhahaha

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Really.... by mshieh · · Score: 2, Insightful

      I don't think I've had a single piece of spam pass through G-mails filter and only one false positive

      You mean you've only noticed one false positive. I'm sure it's been mentioned in half of the comments in this thread, but security by obscurity is effective because there is value in stopping half of the spam, unlike traditional security where having your data stolen and sold once is not a big gain over having it done many times. There are many reasons why obscurity works towards this goal of reduction rather than elimination.

  3. "Google indexes correctly rendered page" by RichardDeVries · · Score: 5, Insightful

    That should be the title. That is, if it were newsworthy. Which it isn't.

    --
    Error 001
    Security Scan and Virus Detection do not work with your operating system.
  4. They should fix this right away by Null+Nihils · · Score: 2, Insightful

    This can easily be fixed, and should be right away. If Google is turning JavaScript into text output, they can easily parse that output (just like the spammers currently are) and see if the text contains an e-mail address. And if it does, they should omit it from search results (unless the address was originally plain text and not obfuscated, in which case they can assume the author wants it searchable).

  5. What else can google do? by Bazman · · Score: 3, Insightful

    So much content on the web these days is spat out by document.write(), I'm not surprised at all that google evaluates certain javascripts in order to get any content to index.

    Even done a "View Source" on a google mail or google maps page? The web is now javascript.

    1. Re:What else can google do? by hairyfeet · · Score: 3, Insightful

      Well I don't know about him, but I can tell you why I block JavaScript and use Noscript and ABP, and it is because JavaScript is becoming the new ActiveX. You see, ActiveX wasn't really that bad when it was just used by a couple of corporate types for very basic jobs but then along came everybody and their dog and soon the web became a giant ActiveX nightmare.

      Now we are seeing the same thing all over again with JavaScript and Flash. Sites that could have been perfectly fine in plain old HTML become this giant bloated mess that can cause even a good dual core and cable connection to go "WTF? Is the script not responding?" because they have overloaded it with crap. So I will happily block most scripts and keep my bandwidth and my sanity, thanks ever so much. I have found most sites that are the worst offenders rarely have anything worth looking at anyway.

      BTW, Who is writing the code for Slashdot anyway? I've found if I don't block JavaScript on Slashdot it looks like the page was rendered with a shotgun. Just really nasty and hard to read.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  6. It's not google, it's the web developers by Punto · · Score: 5, Insightful

    nowadays, half of the pages I try to visit don't render at all without javascript. Somtimes the main content is missing (you just get the headline, the links that go on the sides, and the ads), somtimes it's just a blank page. It seems like all these traditional news organizations just _have_ to be "web 2.0" to appear relevant again.

    Google needs to index the page, they don't have much choice.

    --

    --
    Stay tuned for some shock and awe coming right up after this messages!

    1. Re:It's not google, it's the web developers by BlitzTech · · Score: 3, Insightful

      AJAX is a great technology that has vastly improved the usefulness of the web. However, like every other fad, it gets significantly overused in places where it just IS NOT reasonable. I wish more developers would come to the realization that AJAX != 'Web 2.0-ifying your page' and move back to using the right technology for a given problem. AJAX everywhere just reeks of the same kind of software bloat that makes modern computers run slow compared to 5-10 year old equipment.

      When all you have is a hammer...

    2. Re:It's not google, it's the web developers by Todd+Knarr · · Score: 3, Insightful

      Seconded. You don't need Javascript to do a simple hyperlink. You don't need a scrolling text-box to display your page, the browser can scroll the page just fine thankyouveddymuch. You don't need to dynamically replace elements to change content while maintaining a navigation header or sidebar when appropriate (note: appropriate) use of frames will accomplish exactly what you want.

      The two sins of engineering: making it more complicated than it needs to be, and making it simpler than it needs to be. Avoid them.

  7. Yes, but . . . by Art3x · · Score: 2, Insightful

    Your email address will almost certainly get out. If not by a spambot then through an unscrupulous merchant.

    That's why spam filtering is better than email hiding. Gmail's spam filter, for example, is very good. I get spam in my Inbox about once a quarter.

    Google's job is to turn human-readable pages into machine-searchable pages. So it will always seek to expand what it can read: images, Flash, JavaScript, etc.

    It's best not to hide in the direction that technology is advancing.

  8. I don't think they got the email from Google by bheer · · Score: 2, Insightful

    I don't think the spammers got his email address from Google. I mean, to do that they'd have to send a fairly narrow query to Google -- something like 'chibi jesus' -- and then scrape the results ... just scraping the cached page wouldn't help -- that contains JS, not the email address. Plus, I imagine Google would notice if a bot started sending lots of search queries its way.

    It's far more likely that spammer bots are now actively processing JS. As others on this thread have pointed out, it ain't hard to do.

    --
    Go somewhere random
  9. Re:robots.txt by RajivSLK · · Score: 4, Insightful

    What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

    That would be exploited by spammers to the extreme. Imagine clicking on a listing for disney kids fun house only to have a hidden ad for an online Viagra dispensary dominate the page.

  10. Much ado about nothing by Asmor · · Score: 4, Insightful

    I publically list my email whenever I need to. If I want someone to email me something, I say, "Send it to itoltz@gmail.com". In fact, if HTML is allowed where ever I'm writing that, I'll even be so kind as make it a mailto link (i.e. <a href='mailto:itoltz@gmail.com'>itoltz@gmail.com</a>).

    And you know what? I almost never get spam in my inbox. I'd say a piece squeaks through Gmail's filters every few months (though when it does, I usually seem to get 2-3 similar spams over the course of a day or two).

    Granted, not everyone has the option of using gmail, and for those who do not everyone is comfortable with the idea of using it. That's fine. But the point is, if gmail is that good at filtering out spam, anyone else can be too.

  11. Some robots are more equal than others by Cajun+Hell · · Score: 5, Insightful

    For example, make a "Phone Number" field and set the CSS display attribute to none. Normal users won't see this field and won't fill it out. Spam-bots will see it and attempt to fill it out.

    This only works for as long as spammers don't care about it. I think anyone who can figure out the HTML resulting from javascript, can also figure out the style of an element.

    What's really funny about this problem is that we used to talk about using captchas to tell the robots apart from the meatbags, so that you could discriminate against robots. But now people want the robots to make sense of their page (so that they get referrals from Google) but they don't want the robots to make sense of their page (so that their email box doesn't get referrals from spambot). You're on the web or you're not. Choose.

    --
    "Believe me!" -- Donald Trump
  12. Re:Mung by Anonymous Coward · · Score: 2, Insightful

    I believe a 'WHOOSH' is in order.

  13. Re:Mung by Midnight+Thunder · · Score: 2, Insightful

    Actually proper English indicates that you double consonant when adding 'ing' if it ends with one, or drop the 'e' if it ends with one:
        hop -> hopping
        hope -> hoping

    so:
        munge -> munging
        mung -> mungging

    --
    Jumpstart the tartan drive.
  14. Re:Mung by SausageOfDoom · · Score: 3, Insightful

    It has been happening for quite some time.

    I have always said that the only way to keep your e-mail address safe from spammers is to not give it out at all. Although Google may be doing it now, it's been perfectly possible for as long as computing power has been available cheaply to the spammers (ie botnets).

    About 4 years ago I conducted an experiment with anti-spam techniques for the comments on my blog. One of the things I tried was a bit of javascript which added a validation field to the form. The spammers kept on as if it wasn't there, which meant they had to be evaluating javascript.

    And the thing is, once your obsfucation measures are broken by the spammers, because of places like archive.org the internet never forgets - so you can't claw it back. You can update your obsfucation code on your site, but there's nothing stopping the spammers from simply trawling the archives and mirrors to find it there.

    The only way to protect your e-mail address is to never send it client-side - always put it behind a form and a server-side mailing script.