By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,963 Members | 1,815 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,963 IT Pros & Developers. It's quick & easy.

Avoid spam maybe ?

P: n/a
Hi

I just had a thought regarding spam...

I have noticed that when I do something in JavaAjax then I can't se the
context in the source.
.... If I open a page in a div with Ajax, right click and choose Source,
then the div is empty.
The context in the ajax page is not there.
Off cause you can find the .js file and see what page it opens.

But.... What if I place the .js file and a simple html file, containing an
email link, outside the root so only the server can get it.
Then open the html file with Ajax onload.

Then the email link will be shown in the browser like nothing is speciel
about it. But in the source neither the email address or link is shown.

Can spam crawlers in any way find the email then ?
The crawlers don't even know that there are en email address on the page.
Cause as far as I know spam crawlers or any crawler only look in the souce,
and not in the actual browser.

Just a thought .. will it work ?
Aug 16 '08 #1
Share this Question
Share on Google+
11 Replies


P: n/a
EnjoyNews wrote:
I just had a thought regarding spam...
[...] What if I place the .js file and a simple html file, containing an
email link, outside the root so only the server can get it.
Then open the html file with Ajax onload.

Then the email link will be shown in the browser like nothing is speciel
about it. But in the source neither the email address or link is shown.

Can spam crawlers in any way find the email then ?
It is possible; I do not know whether it is likely at this point. But in
any case many of your visitors will not see the e-mail address either then.
You really should use a form-mailer and a spam filter instead.
Just a thought .. will it work ?
To a certain extent.
PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm>
Aug 16 '08 #2

P: n/a

"Thomas 'PointedEars' Lahn" <Po*********@web.deskrev i en meddelelse
news:48**************@PointedEars.de...
EnjoyNews wrote:
>I just had a thought regarding spam...
[...] What if I place the .js file and a simple html file, containing an
email link, outside the root so only the server can get it.
Then open the html file with Ajax onload.

Then the email link will be shown in the browser like nothing is speciel
about it. But in the source neither the email address or link is shown.

Can spam crawlers in any way find the email then ?

It is possible; I do not know whether it is likely at this point. But in
any case many of your visitors will not see the e-mail address either
then.
You really should use a form-mailer and a spam filter instead.
Many ?
In my statistics it shows that 98% has java set to on ?
Aug 16 '08 #3

P: n/a
EnjoyNews meinte:
"Thomas 'PointedEars' Lahn" <Po*********@web.deskrev i en meddelelse
news:48**************@PointedEars.de...
Shorten that, please.
>It is possible; I do not know whether it is likely at this point. But in
any case many of your visitors will not see the e-mail address either
then.
You really should use a form-mailer and a spam filter instead.

Many ?
In my statistics it shows that 98% has java set to on ?
(a) We're talking about Java*Script*.
(b) Statistics like what? Hopefully not generated with JS?
(c) These detected JS enabled browser supports XHR, too?
(d) Your visitor hasn't disabled certain JS features or installed
add-ons that block your XHR request?
(e) Are you sure, that your script works on all current and future
browsers, that support XHR?

Gregor

--
http://photo.gregorkofler.at ::: Landschafts- und Reisefotografie
http://web.gregorkofler.com ::: meine JS-Spielwiese
http://www.image2d.com ::: Bildagentur fr den alpinen Raum
Aug 16 '08 #4

P: n/a
On Aug 16, 3:27*pm, "EnjoyNews" <mh-nyhe...@mail.dkwrote:
Hi

I just had a thought regarding spam...

I have noticed that when I do something in JavaAjax then I can't se the
context in the source.
... If I open a page in a div with Ajax, *right click and choose Source,
then the div is empty.
The context in the ajax page is not there.
Off cause you can find the .js file and see what page it opens.
<snip>
Can spam crawlers in any way find the email then ?
The crawlers don't even know that there are en email address on the page.
Cause as far as I know spam crawlers or any crawler only look in the souce,
and not in the actual browser.

You're right in that I haven't seen any spam crawler in the wild that
parses javascript. But it's not that hard to do these days since you
can embed Rhino or Spidermonkey in your code. Still.. most programmers
are lazy by default and as long as they can get significant amounts of
emails without parsing javascript then they won't bother parsing
javascript.

But as always, once the majority of the web start using javascript to
obfuscate emails you can bet the spammers will start looking at
parsing those javascript. In fact, on Windows it's not too hard. Just
embed internet explorer in your code and parse the DOM tree instead of
the raw HTML. Most "screen capture" sites do this already.

In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">bi****@spammer.com</span>
<script>
window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =
e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>
Aug 17 '08 #5

P: n/a
slebetman wrote:
In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">bi****@spammer.com</span>
<script>
Not Valid.
window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =
Proprietary, error-prone.
e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>
This will have all users with insufficient script or DOM support send to the
spammer.com address, if that; a domain that one may not even own. Bad Thing.
And of course it is easy to read innerHTML. Could you anti-scriptkiddies
scriptkiddies please stop posting your "solutions" and start thinking first?
PointedEars
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f8*******************@news.demon.co.uk>
Aug 17 '08 #6

P: n/a
slebetman <sl*******@gmail.comwrites:
In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">bi****@spammer.com</span>
<script>
window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =
e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>
Remember: Gracefull degredation! If Javascript is not enabled, the
address will be wrong.

I have used something like
foo<img src="atsign.png">example.com
with an image looking like a "@" (in the correct color and font) and a
script that replaces the image with a text "@" sometime after the page
has loaded, so that cut-n-paste will work as well.

/L
--
Lasse Reichstein Nielsen
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Aug 17 '08 #7

P: n/a
Lasse Reichstein Nielsen wrote:
slebetman <sl*******@gmail.comwrites:
>In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">bi****@spammer.com</span>
<script>
window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =
e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>

Remember: Gracefull degredation! If Javascript is not enabled, the
address will be wrong.

I have used something like
foo<img src="atsign.png">example.com
Not Valid as well, the `alt' attribute is required.
with an image looking like a "@" (in the correct color and font) and a
script that replaces the image with a text "@" sometime after the page
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^
has loaded, so that cut-n-paste will work as well.
^^^^^^^^^^

If JavaScript was not enabled, script support was insufficient or DOM
support was insufficient, or if simply the user was too fast spotting the
content in question, there would be no address at all. If images could not
be displayed by the UA (as a possible consequence of them not being
perceivable by the user), the "@" image would not be displayed as well.
In fact, it is possible that with this code missing the `alt' attribute,
"fooatsign.pngexample.com" will be displayed. So much for graceful degradation.

Someone in <dciwam/[1] has suggested (to use a server-side script) to
arbitrarily escape characters in the e-mail address, -- like

foo@example.com

-- and he has claimed it would considerably reduce the spam he is getting
then; but, of course, this will only stop the less sophisticated spamming bots.

The bottom line is that there is no way to deal with spam(mers) passively
that complies both with accessibility guidelines and imprint legislation
(e.g. in Germany, the latter requires a visible textual contact e-mail
address displayed in the imprint section of any public Web site) but to use
good spam filters. Of course, actively fighting spam(mers) is always an
option, and worth a try; see also
<http://www.interhack.net/pubs/munging-harmful/>.
PointedEars
___________
[1] Common acronym for the newsgroup
de.comm.infosystems.www.authoring.misc
--
var bugRiddenCrashPronePieceOfJunk = (
navigator.userAgent.indexOf('MSIE 5') != -1
&& navigator.userAgent.indexOf('Mac') != -1
) // Plone, register_function.js:16
Aug 18 '08 #8

P: n/a
slebetman wrote:
But as always, once the majority of the web start using javascript to
obfuscate emails you can bet the spammers will start looking at
parsing those javascript. In fact, on Windows it's not too hard. Just
embed internet explorer in your code and parse the DOM tree instead of
the raw HTML. Most "screen capture" sites do this already.
You don't have to put the email in clear even inside your JavaScript.
See the mailto: link at the bottom of http://www.swiftys.org.uk for an
example. My webpage contains a page for generating such links. It has a
minor bug in it, IIRC, affecting people with JavaScript disabled. which
I could probably fix now, since I have another year's experience writing
such stuff (no, it doesn't show).

--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
Aug 18 '08 #9

P: n/a
Thomas 'PointedEars' Lahn meinte:
Someone in <dciwam/[1] has suggested (to use a server-side script) to
arbitrarily escape characters in the e-mail address, -- like

foo@example.com
So do I. It's simple - and as you stated - will reduce the spam to a
certain extend. I suppose most harvesters focus on fast-and-simple
methods, with so many readily available emails on web pages.

Gregor
--
http://photo.gregorkofler.at ::: Landschafts- und Reisefotografie
http://web.gregorkofler.com ::: meine JS-Spielwiese
http://www.image2d.com ::: Bildagentur für den alpinen Raum
Aug 18 '08 #10

P: n/a
In comp.lang.javascript message <48**************@PointedEars.de>, Sun,
17 Aug 2008 21:19:02, Thomas 'PointedEars' Lahn <Po*********@web.de>
posted:
>slebetman wrote:
>In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">bi****@spammer.com</span>
<script>

Not Valid.
A more congenial respondent would have indicated why it is not valid.
> window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =

Proprietary, error-prone.
A more congenial respondent would have indicated that the code is
acceptable to popular browsers including IE, Firefox, Opera, Safari. A
more intelligent respondent would realise that one's credibility is
degraded by only suggesting that such code is likely to fail when in
fact it generally will succeed.
> e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>

This will have all users with insufficient script or DOM support send to the
spammer.com address, if that; a domain that one may not even own. Bad Thing.
You have evidently failed to perceive that "spammer.com" should be
replaced by an address to which one wants one's spam to be sent. A
thoughtful ISP or system manager will provide users with such an
address. Such details are the user's responsibility; slebetman did,
after all, write "like this" which carries a clear implication, to those
with a sufficient understanding of English, that the code is merely
illustrative.

--
(c) John Stockton, nr London UK. replyYYWW merlyn demon co uk Turnpike 6.05.
Web <URL:http://www.uwasa.fi/~ts/http/tsfaq.html-Timo Salmi: Usenet Q&A.
Web <URL:http://www.merlyn.demon.co.uk/news-use.htm: about usage of News.
No Encoding. Quotes precede replies. Snip well. Write clearly. Mail no News.
Aug 18 '08 #11

P: n/a
On Aug 18, 7:30 pm, Dr J R Stockton <j...@merlyn.demon.co.ukwrote:
In comp.lang.javascript message <48A879A6.1040...@PointedEars.de>, Sun,
17 Aug 2008 21:19:02, Thomas 'PointedEars' Lahn <PointedE...@web.de>
posted:
slebetman wrote:
In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:
<span id="secretemail">bit...@spammer.com</span>
<snip>
>
This will have all users with insufficient script or DOM support send to the
spammer.com address, if that; a domain that one may not even own. Bad Thing.

You have evidently failed to perceive that "spammer.com" should be
replaced by an address to which one wants one's spam to be sent.
In Thomas's defence, many people just put in a random email address
without thinking causing the spam to be sent to a hapless random
bystander like in this case:
http://thedailywtf.com/Articles/CAN(...ALLY)SPAM.aspx

so the [strong] warning is not unwarranted.
A thoughtful ISP or system manager will provide users with such an
address. Such details are the user's responsibility;
Personally I like to use a /dev/null type email service like
mallinator (aka thisisnotmyrealemail.com) address since that is
exactly what the service is designed to do.
Aug 20 '08 #12

This discussion thread is closed

Replies have been disabled for this discussion.