Has Google Broken JavaScript Spam Munging?

Baxil writes "For years now, Javascript munging has been a useful tool to share email addresses on the Web without exposing them to spammers. However, Google is now apparently evaluating Javascript when assembling summary text for web pages' listings, and publishing the un-munged email addresses to the world; and spammers have started to take advantage of this kind service." Anyone else seen this affecting their carefully protected email addresses?

gmail mea culpa

Google's becoming a spammer's paradise. gmail is quickly moving up the ranks as the mail service of choice for comment spammers (for acct verification). You can see the top spam domains at StopForumSpam.com. I think gmail would be at the top except for others' longer history. Nearly all spammers nowadays use gmail on the forum I watch after.

Who CARES?

[nweaver]

The spammers WILL get your email address. Be it web trawling, google searchers, or stealing email address off of compromised computers, the spammers will get, and then resell, you email address.

Trying to keep the spammers from getting your email address is a lost cause, and not a battle worth fighting.

robots.txt

[physicsphairy]

I assume if you load your obfuscation code from script.js and put script.js in robots.txt that you will be safe, although that is sort of a pain.

What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

Re:*rolleyes*

[hardburn]

Javascript did a pretty good job at this

No, it didn't. Google isn't doing anything the spammers couldn't have done themselves with a little bit of Perl.

Pay to email

[Viking+Coder]

How about "pay to email"?

I register with a pay-to-email site, and give it my actual email address. It gives me my new publicly visible email address. Anyone who wants to can send me an email through this service if they pay me an amount of money that I set. After I receive the email, I can refund the sender. The pay-to-email site takes a 10% cut on all un-refunded emails.

Sound like a winner?

Re:Pay to email

[Viking+Coder]

Thanks for the sarcasm. I'll try to not stoop down as I respond to you:

(*) Mailing lists and other legitimate email uses would be affected

No they wouldn't. You can set up a whitelist.

(*) Users of email will not put up with it

If you have my private email account, you use it. I'm offering up an idea of a service that someone can use to mask their email address. If you really want to contact someone, you can send them a no-stamp email, and hope they happen to see it. This is no better and no worse than today. If you want them to see it, you affix a stamp. The receiver could easily let you know what their threshold level is. If you don't want to pay that much, then don't.

(*) Many email users cannot afford to lose business or alienate potential employers

Many email users will not use the idea. Okay. Some will. If you want to be employed by someone, or do business with them, give them your direct email address.

(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

If you desire spam-free email, point out the actual problems with my system. If you don't care to point out the actual problems, then don't.

(*) Sending email should be free

Receiving email should be spam-free. Also, sending email is free under my idea, as long as the people who receive it agree that it wasn't spam. Yes, there's a "deposit" which is held, but it should be good for as long as you don't spam people.

(*) Sorry dude, but I don't think it would work.

That's legitimate. I have Skype credit right now for the simple purpose of making phone calls. I have a recurring credit card debit set up from Amazon to pay for my AS3 (JungleDisk) access. I pay my ISP, and I suspect you pay yours, too. I pay per every text I send from my phone; you might pay a monthly fee to have "unlimited" texts. Returning a book from a library after the due date has a nominal fee.

If I want to send "larry (at) somesite (dot) com" an email, but Larry is as sick of getting spam as I am, and if we agree to trade the same reusable stamp with a group of like-minded individuals, would you seriously be completely unwilling to drop $1 onto a website to join the club?

I remember way back when the signal to noise ratio of email was THOUSANDS of times higher than it is now. I'd be willing to drop a $1 deposit to get back into those kinds of numbers.

Re:Pay to email

[Viking+Coder]

"Actually, No. It's designed to be open in this manner."

Actually, email is a content delivery system. It's up to the participants to decide the content. A stamp is perfectly valid content.

"require a specific definition to 'SPAM' that all agree on."

No, each person decides what spam is. I thought that was pretty obvious from what I was saying, sorry.

You do something publicly on the internet, and leave your stamp-required email address. I want to get in touch with you, so I send you an email with a stamp. If you decide, for whatever reason, to keep my stamp, I just have to accept that. The stamp was a nominal charge in the first place. Chances are, someone will send me an email I don't particularly want to receive, and I can keep their stamp to offset your action. Perhaps it will be considered rude to not return stamps. Perhaps it will be considered gracious to INSIST that recipients keep your stamps so they can donate them to their preferred charities, or use them themselves. Would you donate some email stamps to the homeless, so they can be more effective in emailing potential employers, or health care providers, or state representatives? ...just a thought.

Physical mail has more impact than email, when you write to your senator. Perhaps stamped email will carry a tad more weight. "Oh, geez - this is a $20 stamp, and it's even marked for-charity-only." (The recipient CAN'T return it, and CAN'T use it themselves...?)

"However, what if someone you haven't talked to in a while just sends an email out of the blue? is that spam? I know someone who considers that spam."

Then people will either not mind buying stamps to email that person, or they will. If that person ever wants to send emails back, the original senders you described should keep their stamp as payback.

"What about things that are not legally considered spam?"

"Legally" has nothing to do with it. It's a reusable stamp. Apply it to any purpose you want to.

"Or, you could get a Google account."

I've already got one, but I'm not quite cavalier enough to post my gmail address all over creation. Are you? Does it really work well enough on your spam?

One might say Google "Fixed" it

[dmomo]

It's a hack. When moving technology forward, you need to pick your battles when asking "should we not improve this service? It will break the hacks"?

All in all, you are displaying text on a page. Google's job is to take text that humans can read and make it text that humans can find.

I agree, spam is a problem, but this kind of obfuscation will only get you so far. It's the same argument that can be said about MP3s. If you can hear it, we can steal it. Same as "if you can see it."

Spam stinks, but in the end, even with these tricks, you are making your address public. Public information will be harvested by mortals and robots alike.

Re:It's not google, it's the web developers

[iYk6]

Bullshit. Google could recognize that I don't want to view crap, and not index it. The good websites don't pull inappropriate tricks with their pages, the mediocre sites would eventually figure out that they aren't getting indexed by search engines, and improve, and the terrible sites would remain in obscurity, partying with geocities.

The web is a big place, and we don't have to put up with crap. Google actually has the power to make the web better by only indexing good pages, but they are doing this instead. In fact, if Google returns these crap pages in their indexes, and other search engines like Bing and Ask don't, that would be a one up for those other engines.

In an environment as big as the web, quality over quantity.

Google interprets javascript? Really?

[eugene2k]

For everyone's information: the page the author links to as the one that has javascript munging also has a noscript tag with the email out in the open. Guess what Google and spammers' email-crawlers really do? ;)

Re:Google interprets javascript? Really?

[The+Famous+Brett+Wat]

For everyone's information: the page the author links to as the one that has javascript munging also has a noscript tag with the email out in the open. Guess what Google and spammers' email-crawlers really do? ;)

I've checked your claim, and it's not true. The "noscript" tag contains warning text about Javascript being turned off and an instruction to use a web form instead of email. I've also checked my own Javascript obfuscation, which uses "blah at domain" type descriptive text in the noscript tag, and Google's search results do not de-obfuscate it. This may be due to the fact that my Javascript is loaded from a separate file -- a point raised in TFA.

Even if Google is rendering some amount of Javascript in this way, it's still a stretch to accuse Google of being the leak. If you correspond with a person who has malware installed on their computer, there's a high risk that your email address will be exposed to spammers via that route. Such malware is hardly uncommon, is it? The obfuscation technique was only ever going to buy a little extra spam-free time in any case.

Let's Geto to Work

[tomsomething]

Yay, Google. Judging by the responses I've seen so far, it seems most of us think this is a step forward for the search engine. That said, why don't we use this story as an opportunity to have a productive conversation about e-mail address security in a world where JavaScript's effectiveness is dwindling? Here's one from A List Apart that uses some fancy mod_rewrite stuff. http://www.alistapart.com/articles/gracefulemailobfuscation/ I know we've got a lot of geniuses and experts in here. Don't be modest! Show off how smart you are! And yes, the next brilliant security measure will someday be pummeled by a robot that some spammer puts together, but hell if that ain't just exciting! We're helping people build better, "smarter" robots, and criminals are some of society's greatest innovators.

Re:*rolleyes*

[NewWorldDan]

Yep, the keyword there is most spambots. It just takes one motivated enough to write a parser for javascript for common munging techniques. Or in this case, finding an app out there that does it automagically for them. I would expect that email addresses stored as an image would be less subject to abuse for two reasons: First, it creates a much larger download causing a bottle neck and second, it's much more computationally intensive. Still, it can of course, be done. After all, it may only be a matter of time until Google or MSN parse it and save the results for the rest of the world.

What I find works best is to use a web form for submitting messages on our company website. That only gets spammed about once a month, and usually for something almost relavant to what we do. Then again, 2 years ago it never got spammed.

Re:Much ado about nothing

[hplus]

Given the immense quantity of mail that Google processes, they are in a uniquely effective position to classify mail as spam based on heuristics and other techniques that are similar to the sorting that they do for page-rankings. I'm not saying that other entities could not necessarily do what Google does, just that Google has a nice head start.

Re:Really....

[DragonWriter]

Personally, I don't like contact forms. Would you advocate for a CAPTCHA or requiring a POST request to obtain the real email address?

Never happen, but better would be:
You get the actual e-mail address via a POST request over SSL secured by a valid client certificate from a reputable CA, the client certicate's public key and associated identity information is transferred to the owner of the e-mail address, who requires e-mail to also be digitally signed, and who filters by using a sender address whitelist and validating the signature against the associated key. Senders are added to the whitelist when their key is received (e.g., from the website system, or out-of-band) and presumed good until they send spam or do something else unwelcome, at which point the receiver removes them from the whitelist.

Accountability, not obscurity.

Address-munging ceased being useful years ago

[Arrogant-Bastard]

Spammers have many methods of acquiring addresses, including but not limited to:

• subscribing to mailing lists
• acquiring Usenet news feeds
• querying mail servers
• acquiring corporate directories (sometimes from their web sites)
• insecure LDAP servers
• insecure AD servers
• use of backscatter/outscatter use of auto-responders
• use of mailing list mechanisms
• use of abusive "callback" mechanisms
• dictionary attacks
• purchase of addresses in bulk on the open market.
• purchase of addresses from vendors, web sites, etc.
• purchase of addresses from registrars, ISPs, web hosts, etc.
• domain registration (some registrars are spammers
• AND harvesting of the mail, address books and any other files present on any of the hundreds of millions of compromised Windows systems.

There's thus no point whatsoever in any form of address obfuscation or munging: it's a complete waste of time indulged in only by the clueless, delusional few who haven't been paying attention to what's gone in during the past decade. What's truly ironic is how many of these people are actually running Windows and thus stand a reasonably good chance of having their own system be the point at which their address(es) are harvested.

A far better point to critique Google on would be their pointless munging of addresses in Usenet news articles -- spammers have had their own Usenet feeds for MANY years and all Google's done is make the archives less useful for everyone else.