Slashdot Mirror


User: aikii

aikii's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. You're safe as long as it's not worth the pain ... on Best Method For Foiling Email Harvesters? · Score: 1

    I made a plugin for the blog software I use that uses JavaScript obfuscation. The purpose here is to prevent comment spam (a random key is hidden in the session, and provided in an obfuscated form with JavaScript on the page). But that's the same problem.

    The one that spammed my blog liked a bit of a challenge ... before that, I'd made several changes that forced the spammer to specially adapt his robot to my blog (false form hidden by stylesheet, etc.). But he still got through after a few days. He either really loved or hated me.

    But once I'd made that JavaScript obfuscation he finally stopped and I've had no more spam. So I guess he was motivated and not dumb, but this trick was too much for him. I was not worth all that effort - in fact I never was. I figure he had no life and/or had some fun with me, but breaking that protection was not even worth the fun of doing it.

    But I still think this trick will not last forever. Like an antivirus database, a spam filter is worthless unless you keep it up-to-date.

    So I tried to hack myself. And succeeded in no time, unfortunately. The easy way is to take a standalone JavaScript interpreter like http://www.njs-javascript.org/. Get the page, use a pattern to grab the JavaScript, create a .js that outputs the key (or email), and that's it. So I've got to obscure the code even more, get it to use some DOM elements, load some secret parts, or whatever.

    Just figure your antispam system is great if it stopped all spam without annoying the legitimate users for at least three months. And that's all you can expect.

    Also think about profitability. If you use a widely used antispam it has to be really great. Because the more people use an antispam solution, the more profitable it is to crack it. So you could use a lame system, even home-made, that just a few use, and you could be safer than with mainstream antispams.

    One of these days spammers will understand it's easy to parse JavaScript with the right tools, and I'll be one of their victims. And then, someday someone will come up with some all-purpose JavaScript de-obfuscator that does not even need specific code to grab and execute the obfuscation script. That will not be easy, but profitable for sure. So ... I guess it'll happen.
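
The scheme the comment describes (a per-session random key delivered through obfuscated inline JavaScript, plus a decoy field hidden by stylesheet), sketched as an added server-side example that is not the commenter's plugin. The field names `k` and `website`, the `session.formKey` slot and the XOR encoding are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical names throughout: `session` is any per-visitor store,
// `k` is the hidden input the script fills in, `website` is the decoy
// field that a stylesheet hides from human visitors.

// Issue a fresh key for this page view and return the inline script
// that reconstructs it in the browser.
function issueChallenge(session) {
  session.formKey = nodeCrypto.randomBytes(16).toString('hex');
  // Light obfuscation: XOR every character code with a per-page mask
  // and emit the numbers in reverse order, so the key never appears
  // as a literal string in the HTML.
  const mask = nodeCrypto.randomInt(1, 256);
  const codes = [...session.formKey]
    .map((c) => c.charCodeAt(0) ^ mask)
    .reverse();
  return (
    `document.getElementById('k').value=[${codes}].reverse()` +
    `.map(function(n){return String.fromCharCode(n^${mask})}).join('');`
  );
}

// Validate a posted comment form. Returns 'ok' or the reason for rejection.
function checkSubmission(session, form) {
  const expected = session.formKey;
  delete session.formKey; // single use: a captured key cannot be replayed

  // Humans never see the decoy field, so any value in it means a bot.
  if (form.website) return 'honeypot';

  if (typeof expected !== 'string' || typeof form.k !== 'string') {
    return 'missing-key';
  }
  const a = Buffer.from(expected);
  const b = Buffer.from(form.k);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (a.length !== b.length || !nodeCrypto.timingSafeEqual(a, b)) {
    return 'bad-key';
  }
  return 'ok';
}
```

As the comment observes, anything that can execute the script recovers the key, so the obfuscation only raises the cost for generic bots; the single-use key and the decoy field are what the server actually enforces.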