
Re: [tlug] Email address munging in the TLUG archives



On Mon, 4 Dec 2006, Jim wrote:

I typically think of Javascript as being executed on the client.
Do you mean that the actual address would be sent unobfuscated,
then munged in the client by Javascript?

No, the other way around. You send a munged version down from the server, and it gets unmunged on the client by Javascript executed on the client.

I see several ways to attack this.

The really easy way is to take advantage of the fact that most people
cut and paste this sort of code, so rewrite the algorithm in your
mail-address-grabber client and when you see this sort of code, decode
the address. You may have to grab keys, as well, and use those as input
to the algorithm, but it will all be in the page.

Perhaps slightly more complex, if people are changing things in the
algorithm itself (though this is not all that likely as then they need
to change the server side, too) is to extract the code and run it in
a Javascript interpreter. You can download the one used in Mozilla and
Firefox from mozilla.org, and just link it in to your program.

But if you're going to go that far, you might as well just parse the
web page, build up a Javascript DOM model, and then hand the model
and all of the code to the interpreter. It will go and munge things
appropriately and then you just scan the updated DOM, which now has
the un-obfuscated mail addresses in it. This is nice because it's not
all that hard to do (I've already written similar things for testing
frameworks) and it works no matter what obfuscation algorithm is used.

Personally, given that it takes only *one* unobfuscated or poorly
obfuscated address on *any* web site on the Internet to make all further
obfuscation of your address worthless, I don't think that obfuscation
is worth pursuing at all. Think about it: no matter how much time and
effort you spend, you're still no more secure than the guy doing the
least amount of work on this, or being the least careful.

If you want to have some real effect, take the day or so you were
going to spend over the next year on installing and maintaining your
obfuscation system and use the time instead to help one of the many
organizations out there that collect evidence against spammers, track
them down, and deliver them to the authorities. If we had three or four
times as many people doing this, we might be making twice as many busts
against spammers, both stopping some real ones and making others think
again about whether the price and risk of being caught is worth the
money that they're making.

Spamming is, in the end, an economic problem, and economic solutions are
what's going to fix it, if it ever gets fixed. Turing tests won't do
it because there's enough cheap programming skill out there that it's
economical to write specialized software to pass those tests.

cjs
--
Curt Sampson            <cjs@example.com>             +81 90 7737 2974
  The power of accurate observation is commonly called cynicism
  by those who have not got it.    --George Bernard Shaw

