Well, that's one way to put an email link into an html page



  • So, in my spare time, I took over maintaining a website for a local business in exchange for free service. Owner recently sent me a request to change an email link on a particular page. Pulled up page in editor, hit ctrl+f and searched for "user@example.com". No results. Odd. Started scrolling down to find it manually and came across this:

    email us at: <script language=javascript>
    
    var username = "user";
    var hostname = "example.com";
    var linktext = username + "@" + hostname;
    document.write("<a href=" + "mail" + "to:" + username +
    "@" + hostname + ">" + linktext + "</a>")
    </script>
    


  • It’s an attempt at obfuscation against email harvesters, which will presumably not run the js and so not see the email address. Neither will anyone blocking javascript, but they’re all geeks anyway and will figure it out if they really want to send the email.



  • That page was written in an earlier, gentler era; a time unimaginable to the youth of today, when not every page scraping spam spider had Javascript turned on by default.



  • @flabdablet said:

    That page was written in an earlier, gentler era; a time unimaginable to the youth of today, when not every page scraping spam spider had Javascript turned on by default.

    You mean to say, if I put a Javascript tag to construct an e-mail address in my code, the spambot will actually execute the Javascript?

    <a id="evillink">Click here to e-mail us!</a> 
    <script language="javascript"> 
    for (var i=0; true; i++)
    {
         $("#evillink").attr("href","mailto:"+i.toString()+"@example.com");
    } 
    </script> 

    Traps spambots in an infinite loop. Traps legitimate users in a loop too, but who cares about them?


  • Trolleybus Mechanic

    @Snowyowl said:

    Traps legitimate users in a loop too, but who cares about them?
     

    <% if (RequestAddressFrom in ('China', 'India', 'Russia')) %>

       EvilJavascriptFromAbove

    <%  else %>

       NiceJavascript

    <% end if %>



  • @Snowyowl said:

    Traps spambots in an infinite loop. Traps legitimate users in a loop too, but who cares about them?
    Just put it on a page linked to from your home page in such a way that users will never follow the link but bots will.

     



  • Hmm... I wonder if spammers also support WebSocket. If they do, you could get quite a few infos about the spammer's setup and the restrictions they have the JS VM running under (if any). If you found a sufficiently stupid spammer, you might even turn the spiders into your very own distributed computing grid...



  • @PSWorx said:

    Hmm... I wonder if spammers also support WebSocket. If they do, you could get quite a few infos about the spammer's setup and the restrictions they have the JS VM running under (if any). If you found a sufficiently stupid spammer, you might even turn the spiders into your very own distributed computing grid...
    You could do that with an XMLHttpRequest or even just dynamically constructing a link to some server-side information gathering script.


  • Considered Harmful

    @PSWorx said:

    Hmm... I wonder if spammers also support WebSocket. If they do, you could get quite a few infos about the spammer's setup and the restrictions they have the JS VM running under (if any). If you found a sufficiently stupid spammer, you might even turn the spiders into your very own distributed computing grid...

    Maybe you could use the compromised spam spiders to send out spam!



  • @joe.edwards said:

    @PSWorx said:
    Hmm... I wonder if spammers also support WebSocket. If they do, you could get quite a few infos about the spammer's setup and the restrictions they have the JS VM running under (if any). If you found a sufficiently stupid spammer, you might even turn the spiders into your very own distributed computing grid...

    Maybe you could use the compromised spam spiders to send out spam!

    Mine bitcoins and use them to buy more email servers


  • Well it's better than user at example dot com. Hell, I've seen sites do that then wrap the email in a perfectly unobfuscated mailto: link.

    Meanwhile I've probably gotten less than 10 spam emails past Gmail's spam filter ever. I was shocked to realize that nobody else is on top of the ball like Google is and every other email provider still gets tons of spam.
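
Added example, not part of any post in this thread: a small audit that reports which of the markup variants discussed above expose the address to a scanner that only reads the markup, and which expose it once the page's script is run. The sample pages, function names and the `document` stub are constructed for illustration.

```javascript
// Matches a plain e-mail address in text or markup.
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Constructed samples modelled on the variants mentioned in the thread.
const SAMPLES = {
  scripted: 'email us at: <script>\n' +
    'var username = "user";\nvar hostname = "example.com";\n' +
    'var linktext = username + "@" + hostname;\n' +
    'document.write("<a href=" + "mail" + "to:" + username +\n' +
    '"@" + hostname + ">" + linktext + "</a>")\n</script>',
  spelledOut: "<p>email us at: user at example dot com</p>",
  spelledOutWithMailto:
    '<a href="mailto:user@example.com">user at example dot com</a>',
};

const unique = (list) => [...new Set(list)];

// What is visible when the markup is read but no script is executed.
function staticScan(html) {
  // Second pass undoes the "name at host dot tld" spelling.
  const normalised = html.replace(/\s+at\s+/gi, "@").replace(/\s+dot\s+/gi, ".");
  return unique([...(html.match(EMAIL) || []), ...(normalised.match(EMAIL) || [])]);
}

// What is visible once inline scripts run and document.write output is kept.
// new Function is not a sandbox and there is no timeout: only run this over
// pages you maintain yourself. A script that loops forever would hang it.
function scriptedScan(html) {
  let written = "";
  const documentStub = { write: (s) => { written += s; } };
  for (const [, body] of html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) {
    try { new Function("document", body)(documentStub); } catch (_) { /* skip broken scripts */ }
  }
  return staticScan(html + written);
}

function audit(samples) {
  const report = {};
  for (const [name, html] of Object.entries(samples)) {
    report[name] = { static: staticScan(html), scripted: scriptedScan(html) };
  }
  return report;
}

console.log(JSON.stringify(audit(SAMPLES), null, 2));
```

Only the `scripted` sample comes back empty from the static pass, and it stops being empty as soon as the script is executed.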



  • @MiffTheFox said:

    Meanwhile I've probably gotten less than 10 spam emails past Gmail's spam filter ever. I was shocked to realize that nobody else is on top of the ball like Google is and every other email provider still gets tons of spam.

    Check how many legit emails you missed.

    Gmail's spam filter works, but it's super-super-aggressive.



  • @MiffTheFox said:

    Meanwhile I've probably gotten less than 10 spam emails past Gmail's spam filter ever.


    I had to train it to treat e-mails from G+ as spam, because for some reason (any guesses?) it thought they weren't.


  • Trolleybus Mechanic

    @blakeyrat said:

    Check how many legit emails you missed.

    Gmail's spam filter works, but it's super-super-aggressive.

     

    I've stopped checking. I think I only ever got 1 in there when Google thought the forum emails were spam.

     

     



  • @pjt33 said:

    @MiffTheFox said:

    Meanwhile I've probably gotten less than 10 spam emails past Gmail's spam filter ever.


    I had to train it to treat e-mails from G+ as spam, because for some reason (any guesses?) it thought they weren't.

    I just deleted my G+ account. Much easier solution.



  • @blakeyrat said:

    Gmail's spam filter works, but it's super-super-aggressive.

    I almost never get false positives in my Gmail account. Gmail has the best spam filtering I have seen, even when compared to commercial alternatives, hands down. (Note I'm talking about Gmail proper here, not Postini. Postini sucks balls.)

    Several years ago I worked for a company that developed email products, including spam filtering. Gmail kicked everybody's asses.



  • @blakeyrat said:

    Check how many legit emails you missed.

    I scan mine whenever a site signup confirmation fails to appear, which has happened for maybe one site in ten. That's quite acceptable given that my spam folder usually holds around 500 mails under 30 days old. False negative rate is maybe one a month.

    Gmail's spam filter is the best I've seen; it's rendered spam a non-issue for me. If all spam stopped tomorrow it would save me less than five minutes per year.


  • Discourse touched me in a no-no place

    @Lorne Kates said:

    I've stopped checking. I think I only ever got 1 in there when Google thought the forum emails were spam.
    ... well technically, some of them are...



  • @PJH said:

    @Lorne Kates said:
    I've stopped checking. I think I only ever got 1 in there when Google thought the forum emails were spam.
    ... well technically, some of them are...

    We need to set up a gmail account that is subscribed to every forum. Then have a script that polls the Spam folder and deletes any post that shows up there.



  • @flabdablet said:

    Gmail's spam filter is the best I've seen

    A long time ago my boss told me that the best spam filter is a good secretary because she can also delete legitimate but uninteresting emails and she would be too nervous to lose an important email (and her job) to use an automated spam filter herself so there are no false positives. At the time I found that stupid, but as I grow older I can see now how great it would be to have someone summarize to me verbally the emails people send me, hand me a printout for the important ones and put in a nice written form the basic and rude replies I dictate.



    The more I think about it the more I can see myself going down this path...

    1. Dictate emails
    2. Dictate code or SQL queries ("Cheryl, read me back that where clause, and then get me another red bull")
    3. Give a general idea of what the code I want to be written should do
    4. Indicate what business requirements should be met by a new application to be created following design patterns I provided
    5. Make sure that the IT budget is in line with what the competition is spending
    6. Provide broad visionary mission statements such as: "increase revenue and lower expenses"




    It's a good thing I'm a male otherwise there would be mandatory oral sex to be performed on old disgusting men to go from one step to the other.



  • @Ronald said:

    A long time ago my boss told me that the best spam filter is a good secretary because she can also delete legitimate but uninteresting emails and she would be too nervous to lose an important email (and her job) to use an automated spam filter herself so there are no false positives.

    You can always tell someone's a good boss because they rule by fear.

    That's why Stalin was the best boss ever.



  • I actually don't bother with email obfuscation anymore. Turns out, there isn't a noticeable difference in spam between the email I've posted openly online, the email I use exclusively to communicate with clients/etc, and the email I gave out only to Microsoft's beta program* — they all receive fairly large volumes of spam.

    The email only needs to be collected once, and it's on harvester lists forever. It does not matter if it's harvested through a malicious spider, through one of your contacts' Yahoo accounts being phished, or a security breach at a major corporation: the only workable solution is a good spam filter. Gmail's is indeed pretty awesome, I only have about one piece of spam slip through every few months, despite receiving countless thousands of total spam emails in that timeframe.

