Avoid spam maybe ?

EnjoyNews

Hi

I just had a thought regarding spam...

I have noticed that when I do something in JavaAjax then I can't see the
context in the source.
.... If I open a page in a div with Ajax, right click and choose Source,
then the div is empty.
The context in the ajax page is not there.
Of course you can find the .js file and see what page it opens.

But.... What if I place the .js file and a simple html file, containing an
email link, outside the root so only the server can get it.
Then open the html file with Ajax onload.

Then the email link will be shown in the browser like nothing is special
about it. But in the source neither the email address nor link is shown.

Can spam crawlers in any way find the email then ?
The crawlers don't even know that there is an email address on the page.
Cause as far as I know spam crawlers or any crawler only look in the source,
and not in the actual browser.

Just a thought .. will it work ?
 
Thomas 'PointedEars' Lahn

EnjoyNews said:
I just had a thought regarding spam...
[...] What if I place the .js file and a simple html file, containing an
email link, outside the root so only the server can get it.
Then open the html file with Ajax onload.

Then the email link will be shown in the browser like nothing is special
about it. But in the source neither the email address nor link is shown.

Can spam crawlers in any way find the email then ?

It is possible; I do not know whether it is likely at this point. But in
any case many of your visitors will not see the e-mail address either then.
You really should use a form-mailer and a spam filter instead.

Just a thought .. will it work ?

To a certain extent.


PointedEars
 
EnjoyNews

Thomas 'PointedEars' Lahn said:
EnjoyNews said:
I just had a thought regarding spam...
[...] What if I place the .js file and a simple html file, containing an
email link, outside the root so only the server can get it.
Then open the html file with Ajax onload.

Then the email link will be shown in the browser like nothing is special
about it. But in the source neither the email address nor link is shown.

Can spam crawlers in any way find the email then ?

It is possible; I do not know whether it is likely at this point. But in
any case many of your visitors will not see the e-mail address either
then.
You really should use a form-mailer and a spam filter instead.

Many ?
In my statistics it shows that 98% has java set to on ?
 
Gregor Kofler

EnjoyNews wrote:
"Thomas 'PointedEars' Lahn" <[email protected]> wrote in message
news:[email protected]...

Shorten that, please.

Many ?
In my statistics it shows that 98% has java set to on ?

(a) We're talking about Java*Script*.
(b) Statistics like what? Hopefully not generated with JS?
(c) These detected JS-enabled browsers support XHR, too?
(d) Your visitor hasn't disabled certain JS features or installed
add-ons that block your XHR request?
(e) Are you sure, that your script works on all current and future
browsers, that support XHR?

Gregor
 
slebetman

Hi

I just had a thought regarding spam...

I have noticed that when I do something in JavaAjax then I can't see the
context in the source.
... If I open a page in a div with Ajax, right click and choose Source,
then the div is empty.
The context in the ajax page is not there.
Of course you can find the .js file and see what page it opens.
<snip>
Can spam crawlers in any way find the email then ?
The crawlers don't even know that there is an email address on the page.
Cause as far as I know spam crawlers or any crawler only look in the source,
and not in the actual browser.


You're right in that I haven't seen any spam crawler in the wild that
parses javascript. But it's not that hard to do these days since you
can embed Rhino or SpiderMonkey in your code. Still.. most programmers
are lazy by default and as long as they can get significant amounts of
emails without parsing javascript then they won't bother parsing
javascript.

But as always, once the majority of the web starts using javascript to
obfuscate emails you can bet the spammers will start looking at
parsing that javascript. In fact, on Windows it's not too hard. Just
embed Internet Explorer in your code and parse the DOM tree instead of
the raw HTML. Most "screen capture" sites do this already.

In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">[email protected]</span>
<script>
window.onload = function () {
  var e = ['a','e','i','o','m','y','c','r','l','@','.'];
  document.getElementById('secretemail').innerHTML =
    e[4]+e[1]+e[9]+e[7]+
    e[1]+e[0]+e[8]+e[1]+
    e[4]+e[0]+e[2]+e[8]+
    e[10]+e[6]+e[3]+e[4];
}
</script>
 
Thomas 'PointedEars' Lahn

slebetman said:
In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">[email protected]</span>
<script>

Not Valid.

window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =

Proprietary, error-prone.

e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>

This will have all users with insufficient script or DOM support sent to the
spammer.com address, if that; a domain that one may not even own. Bad Thing.
And of course it is easy to read innerHTML. Could you anti-scriptkiddies
scriptkiddies please stop posting your "solutions" and start thinking first?


PointedEars
 
Lasse Reichstein Nielsen

slebetman said:
In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">[email protected]</span>
<script>
window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =
e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>

Remember: Graceful degradation! If Javascript is not enabled, the
address will be wrong.

I have used something like
foo<img src="atsign.png">example.com
with an image looking like a "@" (in the correct color and font) and a
script that replaces the image with a text "@" sometime after the page
has loaded, so that cut-n-paste will work as well.

/L
 
Thomas 'PointedEars' Lahn

Lasse said:
slebetman said:
In any case, you don't need AJAX to do this sort of thing. Something
simple like this will do:

<span id="secretemail">[email protected]</span>
<script>
window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =
e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>

Remember: Graceful degradation! If Javascript is not enabled, the
address will be wrong.

I have used something like
foo<img src="atsign.png">example.com

Not Valid as well, the `alt' attribute is required.

with an image looking like a "@" (in the correct color and font) and a
script that replaces the image with a text "@" sometime after the page
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
has loaded, so that cut-n-paste will work as well.
^^^^^^^^^^

If JavaScript was not enabled, script support was insufficient or DOM
support was insufficient, or if simply the user was too fast spotting the
content in question, there would be no address at all. If images could not
be displayed by the UA (as a possible consequence of them not being
perceivable by the user), the "@" image would not be displayed as well.
In fact, it is possible that with this code missing the `alt' attribute,
"fooatsign.pngexample.com" will be displayed. So much for graceful degradation.

Someone in <dciwam/> [1] has suggested (to use a server-side script) to
arbitrarily escape characters in the e-mail address, -- like

(e-mail address removed)

-- and he has claimed it would considerably reduce the spam he is getting
then; but, of course, this will only stop the less sophisticated spamming bots.

The bottom line is that there is no way to deal with spam(mers) passively
that complies both with accessibility guidelines and imprint legislation
(e.g. in Germany, the latter requires a visible textual contact e-mail
address displayed in the imprint section of any public Web site) but to use
good spam filters. Of course, actively fighting spam(mers) is always an
option, and worth a try; see also
<http://www.interhack.net/pubs/munging-harmful/>.


PointedEars
___________
[1] Common acronym for the newsgroup
de.comm.infosystems.www.authoring.misc
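
The server-side escaping mentioned in the post above, as an added example that is not part of the thread. It assumes the escaping uses HTML numeric character references (the thread's own sample was removed from the page); `encodeAddress`, `mailtoLink`, `decodeReferences` and the address are hypothetical. The round-trip check at the end also shows why this only stops harvesters that match raw source.

```javascript
// Added example, not code from the thread. Assumption: "escaping" means HTML
// numeric character references; function names and the address are hypothetical.

// What a match against the raw page source looks for: an address in clear.
const PLAIN_ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Escape an address character by character. Letters and digits are written as
// a decimal reference, a hex reference, or literally, picked by rng();
// everything else ('@', '.', '&', '<', quotes ...) is always escaped, so the
// output is safe in both element content and a quoted attribute value.
function encodeAddress(address, rng = Math.random) {
  let out = '';
  for (const ch of address) {
    const cp = ch.codePointAt(0);
    const r = rng();
    const mustEscape = !/[A-Za-z0-9]/.test(ch);
    if (!mustEscape && r >= 0.8) out += ch;
    else if (r < 0.4) out += '&#' + cp + ';';
    else out += '&#x' + cp.toString(16) + ';';
  }
  return out;
}

// Static markup: works with scripting and images disabled, and the link text
// is real text, so it stays selectable and readable by assistive technology.
function mailtoLink(address, rng = Math.random) {
  return '<a href="mailto:' + encodeAddress(address, rng) + '">' +
         encodeAddress(address, rng) + '</a>';
}

// What every HTML parser does with numeric references before display.
// Included to check the round trip, and to show how thin the protection is.
function decodeReferences(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (match, ref) =>
    String.fromCodePoint(/^x/i.test(ref) ? parseInt(ref.slice(1), 16)
                                         : parseInt(ref, 10)));
}

const sample = 'user@example.com';            // constructed sample address
const markup = mailtoLink(sample);
console.log(markup);
console.log('address in clear in source:', PLAIN_ADDRESS.test(markup));
console.log('after HTML parsing:', decodeReferences(markup));
```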
 
Steve Swift

slebetman said:
But as always, once the majority of the web start using javascript to
obfuscate emails you can bet the spammers will start looking at
parsing those javascript. In fact, on Windows it's not too hard. Just
embed internet explorer in your code and parse the DOM tree instead of
the raw HTML. Most "screen capture" sites do this already.

You don't have to put the email in clear even inside your JavaScript.
See the mailto: link at the bottom of http://www.swiftys.org.uk for an
example. My webpage contains a page for generating such links. It has a
minor bug in it, IIRC, affecting people with JavaScript disabled, which
I could probably fix now, since I have another year's experience writing
such stuff (no, it doesn't show).
 
Gregor Kofler

Thomas 'PointedEars' Lahn wrote:
Someone in <dciwam/> [1] has suggested (to use a server-side script) to
arbitrarily escape characters in the e-mail address, -- like

(e-mail address removed)

So do I. It's simple - and as you stated - will reduce the spam to a
certain extent. I suppose most harvesters focus on fast-and-simple
methods, with so many readily available emails on web pages.

Gregor
 
Dr J R Stockton

In comp.lang.javascript message <[email protected]>, Sun,
17 Aug 2008 21:19:02 said:
Not Valid.

A more congenial respondent would have indicated why it is not valid.

window.onload = function () {
var e = ['a','e','i','o','m','y','c','r','l','@','.'];
document.getElementById('secretemail').innerHTML =

Proprietary, error-prone.

A more congenial respondent would have indicated that the code is
acceptable to popular browsers including IE, Firefox, Opera, Safari. A
more intelligent respondent would realise that one's credibility is
degraded by only suggesting that such code is likely to fail when in
fact it generally will succeed.

e[4]+e[1]+e[9]+e[7]+
e[1]+e[0]+e[8]+e[1]+
e[4]+e[0]+e[2]+e[8]+
e[10]+e[6]+e[3]+e[4];
}
</script>

This will have all users with insufficient script or DOM support sent to the
spammer.com address, if that; a domain that one may not even own. Bad Thing.

You have evidently failed to perceive that "spammer.com" should be
replaced by an address to which one wants one's spam to be sent. A
thoughtful ISP or system manager will provide users with such an
address. Such details are the user's responsibility; slebetman did,
after all, write "like this" which carries a clear implication, to those
with a sufficient understanding of English, that the code is merely
illustrative.
 
slebetman

In comp.lang.javascript message <[email protected]>, Sun,


You have evidently failed to perceive that "spammer.com" should be
replaced by an address to which one wants one's spam to be sent.

In Thomas's defence, many people just put in a random email address
without thinking causing the spam to be sent to a hapless random
bystander like in this case:
http://thedailywtf.com/Articles/CAN(ACCIDENTALLY)SPAM.aspx

so the [strong] warning is not unwarranted.

A thoughtful ISP or system manager will provide users with such an
address. Such details are the user's responsibility;

Personally I like to use a /dev/null type email service like
Mailinator (aka thisisnotmyrealemail.com) address since that is
exactly what the service is designed to do.
 
