After looking around at trying to combat email harvesters and bots etc. leeching email addresses from websites, I came across the dec/hex method. However, while this does make it harder, more clever bots etc. could still get your email addresses.
I decided to make my own little script to make these bots work harder and possibly eliminate the problem for myself without someone having to write a bot just for my script.
By encrypting the email address in PHP and then outputting an encrypted version to java, I can now do the following.
Have a look for yourselves, and don't forget to check out the source code.
This is just a little time filler for myself. Feedback welcome.
EDIT: To display an email anywhere on my site, all I have to do now is use the following PHP code:
<? echo encode_email('your email'); ?>
PS. I only have IE on my work's PC. Anyone using other browsers, could you please comment if the script works or not?
Cheers
artViper
05-30-2006, 10:39 AM
It works in firefox too.
n_wattam
05-30-2006, 08:19 PM
cool cheers...
scross
06-05-2006, 02:00 PM
Surely by the use of regular expressions someone could just detect wherever the 'decode_email()' function is in the page and snatch the contents from inside and implement your method to simply decode the text. I'll make a script to demonstrate if you want.
Btw, it works in Opera.
madwormer2
06-05-2006, 02:32 PM
In reply to the person above me, there is absolutely no way for you to completely block the mis-use of emails if there is someone who is going to make a script to do it. (Well, there IS but it wouldn't be human readable, defeating the point entirely.)
This script (at the top) provides a way to combat mis-use by bots and whatnot.
I suppose you could randomise chr_adjust, to add a bit more confusion for a bot (who I'd like to officially call a complete a**hole if they wanna misuse emails ;))
Well, I think it's good anyway :P
scross
06-05-2006, 02:39 PM
In reply to the person above me, there is absolutely no way for you to completely block the mis-use of emails if there is someone who is going to make a script to do it. (Well, there IS but it wouldn't be human readable, defeating the point entirely.)
This script (at the top) provides a way to combat mis-use by bots and whatnot.
I suppose you could randomise chr_adjust, to add a bit more confusion for a bot (who I'd like to officially call a complete a**hole if they wanna misuse emails ;))
Well, I think it's good anyway :P
I see your point. If there's a human making a script to work against your script there's generally not much you can do... :bemused:
Good work anyway :)
bradgrafelman
06-05-2006, 10:42 PM
You can also convert each character in the e-mail address into the corresponding HTML entity.
See this (http://www.wbwip.com/wbw/emailencoder.html) page for more information.
n_wattam
06-06-2006, 10:38 AM
Surely by the use of regular expressions someone could just detect wherever the 'decode_email()' function is in the page and snatch the contents from inside and implement your method to simply decode the text. I'll make a script to demonstrate if you want.
Btw, it works in Opera.
I suppose you could randomise chr_adjust, to add a bit more confusion for a bot (who I'd like to officially call a complete a**hole if they wanna misuse emails ;))
Well, I think it's good anyway :P
Yeah, this value could be randomised, but another thing which I thought of was to randomise the function name 'decode_email()'. This would be very achievable, as the PHP generates both the encoded email and the JavaScript, so a randomisation of the function names or even all the variables would make things much harder for anti scripts.
However, as mentioned, I doubt there is a 100%, but you can sure make their job very hard :). The ideas I have used and suggested would require someone to make an anti script for mine.
If anyone is interested in trying to do this, it would be interesting to put to a test. :D
madwormer2
06-06-2006, 11:01 AM
Could you post the source code for the PHP side of things?
This is the source code for my script as it is; there are a few things I want to change in it, as the notes say above.
scross
06-06-2006, 12:41 PM
Yeah, this value could be randomised, but another thing which I thought of was to randomise the function name 'decode_email()'. This would be very achievable, as the PHP generates both the encoded email and the JavaScript, so a randomisation of the function names or even all the variables would make things much harder for anti scripts.
These are good ideas and would be quite simple. To make it even harder you could vary the structure of the script, so regular expressions are harder to form to find it. When you're done and you've checked it for errors (for example you have to make sure that chr_adjust doesn't become too negative otherwise the values passed to chr() could be negative) I would be happy to make a 'counter script' to test it out.
Btw randomizing names makes the job harder but it's still quite easy with regex
Yeh, most of that's not mine BTW, most of it's the thread creator's ideas and whatnot, I just put it together.
scross
06-07-2006, 02:33 PM
Fine, counter this:
...
Yeh, most of that's not mine BTW, most of it's the thread creator's ideas and whatnot, I just put it together.
Done. You can see your script in the middle untouched, I used the output capturing functions to capture the output and then it's all regex from there on...
EDIT: Changed CODE box to PHP box for highlighting
madwormer2
06-07-2006, 02:39 PM
Now, how long did that take you? Lol.
scross
06-07-2006, 05:54 PM
Now, how long did that take you? Lol.
no more than 5 minutes
madwormer2
06-07-2006, 08:24 PM
And did you work backwards from the javascript, or the PHP?
Because if you used the PHP you cheated :P
scross
06-08-2006, 03:01 AM
And did you work backwards from the javascript, or the PHP?
Because if you used the PHP you cheated :P
I'm not very good at javascript so yes I used the php to get the encoding mechanism. If you want next time just submit a link to a script so I can only see the javascript.
madwormer2
06-08-2006, 08:14 AM
http://jshomepage.co.uk/ascii.php
Give that one a go.
Off to an English exam. Ouch...
scross
06-09-2006, 03:24 PM
http://jshomepage.co.uk/ascii.php
Give that one a go.
Off to an English exam. Ouch...
Firstly, hope you did well in your exam :)
Secondly, I'm sorry I kind of forgot about this topic and got all dragged back by work.
Thirdly, I have to say it's much harder when you can't see the php (I liked that comment trick and the mixing up of the variable order) but this should work for most cases:
Basically it's breakable but I think it'd be easier to let a human do it :D
Soon I'll post some code that's even harder to break but I don't have enough time to do all this again :p
Btw sorry for the rubbish code, I was trying to do this quickly
madwormer2
06-09-2006, 03:34 PM
Good job on that one, did better than I could have done, I'd have fallen at the parseInt hurdle, I have no idea how that thing works...
And if you have someone willing to go to that length to get emails from your website, you sure do have some enemies!
If you REALLY want proper code, research ciphers, there are some REALLY tough ones out there (I've taken part in the http://www.cipher.maths.soton.ac.uk/ cipher challenge a few years ago, and I got to the penultimate hurdle, and it just got impossible. At least I got a badge and a CD :P)
And the exam wasn't as bad as it could have been.
scross
06-09-2006, 04:00 PM
Good job on that one, did better than I could have done, I'd have fallen at the parseInt hurdle, I have no idea how that thing works...
And if you have someone willing to go to that length to get emails from your website, you sure do have some enemies!
If you REALLY want proper code, research ciphers, there are some REALLY tough ones out there (I've taken part in the http://www.cipher.maths.soton.ac.uk/ cipher challenge a few years ago, and I got to the penultimate hurdle, and it just got impossible. At least I got a badge and a CD :P)
And the exam wasn't as bad as it could have been.
Thanks. You're right, they would need to have serious motive to put that much effort in. I was thinking that you can always break that script because the decoding machine (the javascript) is always given to you so all you need to do is figure out its structure in regex and then decode the text.
A more secure system could create an id (a random string between 40-60 characters) on each request of a page with an email address on it and the id would be stored with a time. There would then be javascript on the page that would take the id and call another php page using ajax. There would be a 10 second time limit for the ajax to call it and then the id would expire. If the id had not expired the php script would output the email address. The problem is this is slow and it's still not too hard to crack.
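The scheme described in the post above, as an added example that is not part of the thread: single-use ids with the 10 second limit, written in PHP. The function names, the in-memory `$store` array (standing in for a session or database table) and the `example.com` address are assumptions.

```php
<?php
// Added example, not code from the thread. $store stands in for a session
// or database table; all names here are hypothetical.

const ID_TTL_SECONDS = 10; // the time limit named in the post

/** Issue an id for one page view and record when it was created. */
function issue_reveal_id(array &$store, int $now): string
{
    // 24 random bytes give 48 hex characters, inside the 40-60 range.
    $id = bin2hex(random_bytes(24));
    $store[$id] = $now;
    return $id;
}

/** Return the address for a known, unexpired, unused id; otherwise null. */
function redeem_reveal_id(array &$store, string $id, int $now, string $email): ?string
{
    // Only accept the exact shape we issue before touching the store.
    if (!preg_match('/\A[0-9a-f]{48}\z/', $id) || !isset($store[$id])) {
        return null;
    }
    $issuedAt = $store[$id];
    unset($store[$id]); // single use: the id is burned even if it has expired
    return ($now - $issuedAt <= ID_TTL_SECONDS) ? $email : null;
}

/** Remove ids that were never redeemed so the store stays bounded. */
function purge_expired_ids(array &$store, int $now): int
{
    $before = count($store);
    $store = array_filter($store, fn(int $t): bool => $now - $t <= ID_TTL_SECONDS);
    return $before - count($store);
}

// Constructed walk-through with a fake clock (seconds).
$store = [];
$email = 'webmaster@example.com'; // placeholder address
$id    = issue_reveal_id($store, 1000);

var_dump(redeem_reveal_id($store, $id, 1003, $email)); // redeemed after 3 s
var_dump(redeem_reveal_id($store, $id, 1004, $email)); // same id replayed

$late = issue_reveal_id($store, 1000);
var_dump(redeem_reveal_id($store, $late, 1011, $email)); // redeemed after 11 s

issue_reveal_id($store, 1000);
var_dump(purge_expired_ids($store, 1020)); // abandoned id cleaned up
```

As the post says, this only slows scrapers that do not execute the page's JavaScript; a client that runs the script redeems the id exactly as a browser does.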
madwormer2
06-09-2006, 04:21 PM
Or create a load of fake email addresses on your domain, and have them all set to autorespond. That'd really piss them off :P
Hmm, how about a system where there's an email, and instead of displaying the email it says "email hidden". When you click it, a box comes up and you have to verify you're human by typing in a CAPTCHA. Then the email is pulled using javascript. Better than the "do it quickly or die" approach lol.
scross
06-09-2006, 05:40 PM
Or create a load of fake email addresses on your domain, and have them all set to autorespond. That'd really piss them off :P
Hmm, how about a system where there's an email, and instead of displaying the email it says "email hidden". When you click it, a box comes up and you have to verify you're human by typing in a CAPTCHA. Then the email is pulled using javascript. Better than the "do it quickly or die" approach lol.
even better...why not display the email address in captcha??
madwormer2
06-09-2006, 05:48 PM
Oh yeh... lol. But that's just too easy.
scross
06-10-2006, 02:10 PM
Hmm, how about a system where there's an email, and instead of displaying the email it says "email hidden". When you click it, a box comes up and you have to verify you're human by typing in a CAPTCHA. Then the email is pulled using javascript. Better than the "do it quickly or die" approach lol.
Wouldn't this be a bit annoying for users? I guess it could work though.
Oh yeh... lol. But that's just too easy.
What?? :) How can it be too easy?? :D
n_wattam
06-11-2006, 08:05 AM
nice to see interest still and the anti scripts, very impressed :)...
Originally, when I first thought about this idea, the only real secure way was to make a JavaScript variable = a PHP variable, actually pass the data across like $java = $php, and without the page having to be submitted.
The only way I found was to look at ajax; however, that went over my head and I'm not too sure if you need additional software installed on the server you're hosting on etc.
EDIT
But as said, I think the above examples would work nicely on your own sites / projects, as someone will have to really go out of their way if they want to harvest your sites.
n_wattam
06-11-2006, 08:12 AM
In regards to CAPTCHA, what about this idea:
Instead of an email link you just have a standard link "email me" etc. When this link is clicked a popup box appears, requesting a 3 digit number using CAPTCHA. When entered, the script in the popup then confirms and displays your email or opens your email application.
However, again this might be a bit annoying for the browser; then again it will only affect a user if they want to actually send you an email, and if they really want to do that, entering a few numbers is no real effort...
scross
06-11-2006, 03:03 PM
In regards to CAPTCHA, what about this idea:
Instead of an email link you just have a standard link "email me" etc. When this link is clicked a popup box appears, requesting a 3 digit number using CAPTCHA. When entered, the script in the popup then confirms and displays your email or opens your email application.
However, again this might be a bit annoying for the browser; then again it will only affect a user if they want to actually send you an email, and if they really want to do that, entering a few numbers is no real effort...
it's a good idea, but the pop up might be blocked, even on a link :bemused:
I think a simple non javascript captcha method might be better
laserlight
06-11-2006, 03:18 PM
I think that realistically, simple steganography works. If you describe the parts of your email address in a short paragraph, with minimal telltale signs/symbols, then it becomes impractical to try and harvest your email addresses with bots.
The problem comes when you say, have a forum script, and you want the option of listing your users' email addresses. If your email paragraph is in a fixed template, and your script becomes (really) popular, then it becomes trivial for bots to specially look out for it. In such a case the CAPTCHA idea becomes more viable, especially since it can be used to restrict registration and login (or even general use, as I have seen in some online games).
scross
06-11-2006, 03:23 PM
Here are some alternatives to captcha: http://www.w3.org/TR/turingtest/
scross
06-11-2006, 03:25 PM
I think that realistically, simple steganography works. If you describe the parts of your email address in a short paragraph, with minimal telltale signs/symbols, then it becomes impractical to try and harvest your email addresses with bots.
The problem comes when you say, have a forum script, and you want the option of listing your users' email addresses. If your email paragraph is in a fixed template, and your script becomes (really) popular, then it becomes trivial for bots to specially look out for it. In such a case the CAPTCHA idea becomes more viable, especially since it can be used to restrict registration and login (or even general use, as I have seen in some online games).
perhaps you could mix captcha and steganography
PHP Builder