Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Has Google Broken JavaScript Spam Munging?

kdawson posted more than 5 years ago | from the step-too-far dept.

Spam 288

Baxil writes "For years now, Javascript munging has been a useful tool to share email addresses on the Web without exposing them to spammers. However, Google is now apparently evaluating Javascript when assembling summary text for web pages' listings, and publishing the un-munged email addresses to the world; and spammers have started to take advantage of this kind service." Anyone else seen this affecting their carefully protected email addresses?

cancel ×

288 comments

Sorry! There are no comments related to the filter you selected.

it's simple apha/beta reduction (-1)

Anonymous Coward | more than 5 years ago | (#28442627)

also, first post.

Mung (1, Funny)

Tokerat (150341) | more than 5 years ago | (#28442651)

You keep using that word. I do not think it means what you think it means.

Re:Mung (4, Informative)

eikonoklastes (530797) | more than 5 years ago | (#28442737)

Re:Mung (1)

Aladrin (926209) | more than 5 years ago | (#28442895)

Maybe you should read it yourself. Here's the first sentence.

Mung is computer jargon for "to make repeated changes which individually may be reversible, yet which ultimately result in an unintentional, irreversible destruction of large portions of the original item."

Again, check this out: "which ultimately result in an unintentional, irreversible destruction of large portions of the original item."

The email address is not munged, or you couldn't un-mung it.

Re:Mung (0)

Anonymous Coward | more than 5 years ago | (#28443157)

The wikipedia page also links to munge - modify until not guessed easily - which I guess is what the original person intended

Re:Mung (5, Funny)

Anonymous Coward | more than 5 years ago | (#28443295)

>The wikipedia page also links to munge - modify until not guessed easily -
> which I guess is what the original person intended

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rap your ears.

Re:Mung (0)

Anonymous Coward | more than 5 years ago | (#28443415)

You sir, are an asshole.

Re:Mung (3, Funny)

digitalsolo (1175321) | more than 5 years ago | (#28443553)

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rap your ears.

Then the original poster is a chimp and so are you. If you aren't aware that adding ~e may change the meaning of a word, I should come round and rape your ears.

You're right, just one 'e' and the whole thing changes.

Re:Mung (2, Funny)

twidarkling (1537077) | more than 5 years ago | (#28444003)

Yoeu're reight, juest onee 'e'e ande thee whoele tehing chaenges.

Re:Mung (1)

pythonax (769925) | more than 5 years ago | (#28443305)

Calm down. He meant http://en.wikipedia.org/wiki/Munge [wikipedia.org] , which seems like it would conjugate to munging following the normal rules. The fact that it does not is an exception in the way normal English works, and as usual these are things which you need to memorize since there rarely seems to be a pattern in the exceptions. There is even a link to this at the bottom of the page you linked because this is a common error.

Re:Mung (1)

edittard (805475) | more than 5 years ago | (#28443387)

He meant http://en.wikipedia.org/wiki/Munge [wikipedia.org] , which seems like it would conjugate to munging following the normal rules.

What, just like sing does?

Re:Mung (0)

Anonymous Coward | more than 5 years ago | (#28443485)

Munging == mung + ing /mun-ging/ munge+ing = mungeing /mun-djing/ The e needs to stay to prevent the word from splicing towards the end and making the previous syllable long. runing (== rune + ing; running = run+ing).

The complication comes from the fact that ng went from a n,g sound to a ng sound (sing [sin-g] and singer [sounds like finger]) and thus the lexically complex syllable is now realized a simple short one.

The rules are simple and most people can figure them out internally (for native speakers of English), ESL students... best of luck.

Re:Mung (1)

pythonax (769925) | more than 5 years ago | (#28443735)

I see your point, but there are plenty of examples on both sides. Change, lunge, and plunge all lose the e, while munge, tinge, and singe do not.

The question is... (1)

Fuzzums (250400) | more than 5 years ago | (#28443109)

... will it mung?

Re:Mung (0)

Anonymous Coward | more than 5 years ago | (#28443301)

Fwiw, munging is the gerund form of both mung and munge. However, mungeing would also be acceptable for the latter.

(c.f. Homonyms like "bass singer" which can refer to one who sings in a low key, or one who burns fish.)

Re:Mung (1)

Ifni (545998) | more than 5 years ago | (#28443745)

So which one applies to Kim [wikipedia.org] ?

Yes, I know there are a couple missing "s"es, but work with me here...

Re:Mung (0)

Anonymous Coward | more than 5 years ago | (#28443105)

This has to be the most overused meme on Slashdot.

Re:Mung (2, Funny)

TheRealMindChild (743925) | more than 5 years ago | (#28443163)

Yeah, no kidding. I was wondering where Chowder and Schnitzel were

Re:Mung (1)

Megane (129182) | more than 5 years ago | (#28443951)

Mung [catb.org]
Munge [catb.org]
Munge [google.com]

Please turn in your card at the door on your way out.

*rolleyes* (5, Insightful)

Anonymous Coward | more than 5 years ago | (#28442663)

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

Re:*rolleyes* (0, Redundant)

jollyreaper (513215) | more than 5 years ago | (#28442819)

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

You say you want a spam resolution
Well, you know
We all want to save our email
You tell me that it's obfuscation
Well, you know
That kind of security'll fail
So when you talk about Javascript munging
Don't you know that you can count me out
If it's on the net it ain't secure, all right?
all right, all right

You say you got a real solution
Well, you know
We'd all love to can the spam
You ask me for some retribution
Well, you know
The Russian Mafia's got a plan
When you spam the boxes
of people with minds that hate
All I can tell is brother you sealed your fate
That spammer's gonna be canned all right
all right, all right

Re:*rolleyes* (1)

Sciryl Llort (1160727) | more than 5 years ago | (#28443085)

You say you want to make it rhy-ming
Well you know -
That's the really easy part

But when it comes down to the ti-ming
Well clearly you have no idea (and couldn't buy one if you won the lottery)
That it helps if you know what a syllable is and how to get roughly the right number on each line so that it sounds at least a bit like the original.

Re:*rolleyes* (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28442863)

Cue. Fucktard.

Re:*rolleyes* (2, Funny)

eln (21727) | more than 5 years ago | (#28442905)

Maybe he's merely advocating that the "obfuscation != security" people should form a line. You shouldn't be so quick to judge.

Re:*rolleyes* (1)

PMBjornerud (947233) | more than 5 years ago | (#28442919)

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

The issue here is not personal email, which obviously nobody puts on a web page.

Many people prefer it when companies have a simple "contact us" email instead of having to go through a web form for sending them emails.

Thus, some people & companies want to display an email address. They just want to make it harder for spammers to discover it. Javascript did a pretty good job at this, and Google seems to have provided a simple workaround.

Re:*rolleyes* (4, Interesting)

hardburn (141468) | more than 5 years ago | (#28443019)

Javascript did a pretty good job at this

No, it didn't. Google isn't doing anything the spammers couldn't have done themselves with a little bit of Perl [cpan.org] .

Re:*rolleyes* (3, Informative)

broken_chaos (1188549) | more than 5 years ago | (#28443175)

Spambots don't, and never have, invested enough time to include JavaScript parsing. One of the linked articles suggests this is due to a possibility of crashing when trying to interpret badly formed or incorrect JavaScript, but it could also be due to simple plaintext (maybe with stripping HTML tags) parsing has been producing enough results so far.

Most spambots have been proven, in several experiments, to not even parse hex/decimal HTML character entities, so JavaScript parsing was considered to be mostly safe for the moment. It's not like people assume this is a perfect spam-blocking method - just that it's good enough to not get thousands upon thousands of spam, limiting it to a reasonable number.

Re:*rolleyes* (2, Informative)

RJFerret (1279530) | more than 5 years ago | (#28443259)

Recaptcha [recaptcha.net] has a service specifically for email addresses, no obfuscation needed... Which also has the added benefit of aiding book digitizing!

Re:*rolleyes* (1)

mlts (1038732) | more than 5 years ago | (#28443559)

One thing I use for my E-mail addresses is to have my address be a picture (take a snapshot with xwd, use the GIMP to crop the address). Unless spambots decide to grab every picture and run it through an OCR, the address is protected.

The downside is that Braille readers lose access to this information, so have some definite workaround for this, perhaps a Web form where the reader is told to solve a simple word problem and type the answer in a blank before sending.

Re:*rolleyes* (0)

Anonymous Coward | more than 5 years ago | (#28443959)

Captcha's suck, the only ones that are at all effective are overly difficult for humans. And even those aren't that effective. Capcha's would have been a great idea ten years before they were first introduced. ten years from now, the only ones that work at all will take humans 10 minutes to figure out.

http://arstechnica.com/security/news/2008/10/right-back-at-ya-captcha-bad-guys-crack-gmail-hotmail.ars
http://arstechnica.com/security/news/2008/04/gone-in-60-seconds-spambot-cracks-livehotmail-captcha.ars

Re:*rolleyes* (1, Troll)

repetty (260322) | more than 5 years ago | (#28443721)

Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

Well, I'm glad you got that tiresome drivel out of the way. Hopefully no one else will post this type of statement.

Of course you are right -- everyone knows that you are right. The most effective way to secure anything is to hide it away and never use it.

That fact now out of the way, we can now proceed with productive discussions.

--Richard

Re:*rolleyes* (0, Troll)

Anonymous Coward | more than 5 years ago | (#28443771)

CUE motherfucker, cue.

Really.... (4, Insightful)

Darkness404 (1287218) | more than 5 years ago | (#28442713)

Really with the development of better OCR technologies and such comes the elimination of e-mail security by obscurity. If you don't want spam either A) have a decent spam filter (I don't think I've had a single piece of spam pass through G-mails filter and only one false positive) or B) don't share your e-mail address. Those are the only two ways to prevent spam that will continue to work.

Re:Really.... (1)

fpophoto (1382097) | more than 5 years ago | (#28442765)

Yeah, that's what I came in here to say. It's 2009, even most $5/month hosts offer pretty good spam filtering.

That 5 bucks also gets you unlimited email accounts (or close enough), so don't be afraid to use them. Makes it easier to track spam and disable it.

Re:Really.... (2, Informative)

Anonymous Coward | more than 5 years ago | (#28442809)

It's TRIVIAL for a spambot to execute code like this sitting in script tags in the "js" binary and dumping the contents, and then grabbing emails with a regex.

I use the "js" binary to rip porn off sites all the time.

~$ js -v
JavaScript-C 1.7.0 2007-10-03
usage: js [-PswWxCi] [-b branchlimit] [-c stackchunksize] [-v version] [-f scriptfile] [-e script] [-S maxstacksize] [scriptfile] [scriptarg...]

Re:Really.... (4, Insightful)

buchner.johannes (1139593) | more than 5 years ago | (#28443511)

No it is not. If you increase the time used per website, you can not process that many websites anymore. JS obfuscated emails were protected because spammers didn't take effort.
You might say computers got faster, but unfortunately the web didn't get smaller.

Anyway, I understand the need to post email addresses on a website. How else should people contact you the first time? Personally, I don't like contact forms. Would you advocate for a CAPTCHA or requiring a POST request to obtain the real email address? You could still cry "security by obscurity".

But you can't take away the option of posting email addresses on websites from users, as it is very useful to contact people by email. Reminds me of people saying "Flash is proprietary, and too fancy for my taste anyway, so nobody must use it. Use Javascript.".

Maybe one should make swf files with the email in them. Muhahaha

Re:Really.... (0)

Anonymous Coward | more than 5 years ago | (#28443423)

I always liked the idea of blacklisting ISPs that blatantly support spammers.

I'm not sure how well Russia would do being disconnected from the internet though. They might end up actually going bankrupt finally...

Re:Really.... (1)

Darkness404 (1287218) | more than 5 years ago | (#28443449)

I don't, and not because I like spam but because I really want more ISPs than AT&T, Comcast and Time Warner. They need all the competition they can get.

Re:Really.... (2, Insightful)

mshieh (222547) | more than 5 years ago | (#28443867)

I don't think I've had a single piece of spam pass through G-mails filter and only one false positive

You mean you've only noticed one false positive. I'm sure it's been mentioned in half of the comments in this thread, but security by obscurity is effective because there is value in stopping half of the spam, unlike traditional security where having your data stolen and sold once is not a big gain over having it done many times. There are many reasons why obscurity works towards this goal of reduction rather than elimination.

"Google indexes correctly rendered page" (5, Insightful)

RichardDeVries (961583) | more than 5 years ago | (#28442749)

That should be the title. That is, if it were newsworthy. Which it isn't.

Hex/decimal armoured e-mail also visible (1)

broken_chaos (1188549) | more than 5 years ago | (#28442761)

They're also parsing hex/decimal character entity armoured e-mails in exactly the same way. While not as safe as JavaScript, these have been mostly-invulnerable to spambots as well and are used by default in some web-based applications, like the Mercurial hgweb.cgi/hgwebdir.cgi scripts.

They should fix this right away (2, Insightful)

Null Nihils (965047) | more than 5 years ago | (#28442773)

This can easily be fixed, and should be right away. If Google is turning JavaScript into text output, they can easily parse that output (just like the spammers currently are) and see if the text contains an e-mail address. And if it does, they should omit it from search results (unless the address was originally plain text and not obfuscated, in which case they can assume the author wants it searchable).

Re:They should fix this right away (1)

pembo13 (770295) | more than 5 years ago | (#28443191)

You realize anyone could do this, right?

Re:They should fix this right away (1)

Null Nihils (965047) | more than 5 years ago | (#28443639)

Do what, parse JavaScript into plain text? You're right, anyone can do that if they really want to take the time. But for whatever reason spammers don't bother going that far.

I'm no fan of security by obscurity, but let's be pragmatic: people will get less spam if Google fixes this problem.

Welcome to the club (5, Funny)

fataugie (89032) | more than 5 years ago | (#28442775)

Dear Google:

Welcome to the "Impossible to do anything right" club.

Regards,

Wal-Mart,
Microsoft,
G. W. Bush

Re:Welcome to the club (0)

Anonymous Coward | more than 5 years ago | (#28442879)

Dear Google:

Welcome to the "Impossible to do anything right" club.

Regards,

Wal-Mart,
Microsoft,
G. W. Bush

Aha! I knew they were all in league with each other! I don't know how I knew it -- I just knew it!!!

Re:Welcome to the club (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28443139)

You forgot,

Barrack Obama
Clinton(s)

The right was on Obama's "ineffectiveness" even before he was sworn in! At least Bush had a year or so.

Re:Welcome to the club (0)

Anonymous Coward | more than 5 years ago | (#28443359)

Swing and a miss.

It was pointless to begin with.. (1)

poptix_work (79063) | more than 5 years ago | (#28442781)

Spammers know how to process javascript too. The benefits of having Google index the page as a client would see it far outweighs someones belief that they were 'safe' from spammers.

gmail mea culpa (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28442791)

Google's becoming a spammer's paradise. gmail is quickly moving up the ranks as the mail service of choice for comment spammers (for acct verification). You can see the top spam domains at StopForumSpam.com. I think gmail would be at the top except for others' longer history. Nearly all spammers nowadays use gmail on the forum I watch after.

Don't definitive, but spam volume has shot up (0)

Anonymous Coward | more than 5 years ago | (#28442811)

.. for two email addresses that have been posted (rendered through javascript) since early 2007. I am talking 100+ spams per day instead of 5-10.

Since the sites where the addresses are posted have not gone up in popularity, I was wondering what happened. This theory provides a plausible explanation.

JoeB
http://layoffsupportnetwork.com

What else can google do? (3, Insightful)

Bazman (4849) | more than 5 years ago | (#28442833)

So much content on the web these days is spat out by document.write(), I'm not surprised at all that google evaluates certain javascripts in order to get any content to index.

Even done a "View Source" on a google mail or google maps page? The web is now javascript.

Re:What else can google do? (0)

Anonymous Coward | more than 5 years ago | (#28443169)

Better question: This shit worked at some point?

Seriously. Who actually thought this technique would stop a determined spammer? Who actually thought that the same users protected by it wouldn't in many cases go and sign up for more spam than harvesting bots could get?

It was a dumb technique to begin with. Who gives a rat's ass if Google broke it.

Re:What else can google do? (1)

JCSoRocks (1142053) | more than 5 years ago | (#28443809)

Actually it was a perfectly legitimate technique that worked great for a long time. Spammers aren't interested in wasting a ton of time to get the 1% of email addresses that developers have obfuscated. This is a numbers game. Spend a few minutes to write a snippet of code that collects emails on all websites that are in plaintext and works on 99% of pages. Spending hours or more coming up with something that will handle all the different jacked up versions of javascript just to get a few more addresses doesn't make much sense.

Google Wave (1)

paulthomas (685756) | more than 5 years ago | (#28443197)

Google Wave may mean that web sites and blogs will be implemented as embedded Waves. The wave demo at http://wave.google.com/ [google.com] shows how this would work for blog comments & galleries.

In this demo, they basically hint that because of this, Google is rethinking what embedding & javascript mean on a page because they envision a future where the content can and will live anywhere and won't be represented by static HTML.

As you point out, this is already happening, albeit to a lesser degree than I think Google anticipates.

Re:What else can google do? (0)

Anonymous Coward | more than 5 years ago | (#28443715)

The web is now javascript.

Those who make heavy use of javascript apps may think so. Personally I browse with javascript disabled and get by fine. Most problems I encounter are easily worked around via a quick view source.

It's not google, it's the web developers (5, Insightful)

Punto (100573) | more than 5 years ago | (#28442881)

nowadays, half of the pages I try to visit don't render at all without javascript. Somtimes the main content is missing (you just get the headline, the links that go on the sides, and the ads), somtimes it's just a blank page. It seems like all these traditional news organizations just _have_ to be "web 2.0" to appear relevant again.

Google needs to index the page, they don't have much choice.

Re:It's not google, it's the web developers (0)

Anonymous Coward | more than 5 years ago | (#28442983)

And that's the real sadness of the problem. The web was better when it "the web". None of this AJAX everywhere crap.

Re:It's not google, it's the web developers (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28443215)

And that's the real sadness of the problem. The web was better when it "the web". None of this AJAX everywhere crap.

Someone get grandpa his oatmeal.

Re:It's not google, it's the web developers (3, Insightful)

BlitzTech (1386589) | more than 5 years ago | (#28443255)

AJAX is a great technology that has vastly improved the usefulness of the web. However, like every other fad, it gets significantly overused in places where it just IS NOT reasonable. I wish more developers would come to the realization that AJAX != 'Web 2.0-ifying your page' and move back to using the right technology for a given problem. AJAX everywhere just reeks of the same kind of software bloat that makes modern computers run slow compared to 5-10 year old equipment.

When all you have is a hammer...

Re:It's not google, it's the web developers (3, Insightful)

Todd Knarr (15451) | more than 5 years ago | (#28443561)

Seconded. You don't need Javascript to do a simple hyperlink. You don't need a scrolling text-box to display your page, the browser can scroll the page just fine thankyouveddymuch. You don't need to dynamically replace elements to change content while maintaining a navigation header or sidebar when appropriate (note: appropriate) use of frames will accomplish exactly what you want.

The two sins of engineering: making it more complicated than it needs to be, and making it simpler than it needs to be. Avoid them.

Re:It's not google, it's the web developers (2, Informative)

JCSoRocks (1142053) | more than 5 years ago | (#28443893)

Frames aren't a replacement. There's a reason people dropped frames. Layout limitations, limited scaling, poor bookmarking, broken back button, etc. I, for one, appreciate partial page refreshes - when done correctly. Full page postbacks suck.

Re:It's not google, it's the web developers (1, Interesting)

iYk6 (1425255) | more than 5 years ago | (#28443581)

Bullshit. Google could recognize that I don't want to view crap, and not index it. The good websites don't pull inappropriate tricks with their pages, the mediocre sites would eventually figure out that they aren't getting indexed by search engines, and improve, and the terrible sites would remain in obscurity, partying with geocities.

The web is a big place, and we don't have to put up with crap. Google actually has the power to make the web better by only indexing good pages, but they are doing this instead. In fact, if Google returns these crap pages in their indexes, and other search engines like Bing and Ask don't, that would be a one up for those other engines.

In an environment as big as the web, quality over quantity.

Re:It's not google, it's the web developers (1)

nweaver (113078) | more than 5 years ago | (#28443791)

The good websites don't pull inappropriate tricks with their pages, the mediocre sites would eventually figure out that they aren't getting indexed by search engines, and improve, and the terrible sites would remain in obscurity, partying with geocities.

Sorry, this is just plain untrue. Have you looked at the source for the FRONT PAGE of Google lately?

The head is 2 script blobs and a style sheet blob.

The body has onload loading of images, an iframe with a bunch of onload crap, etc...

Even the slashdot front page has javascript which is using document.write().

The only way to really index the web these days is to be javascript aware and actually render it.

Re:It's not google, it's the web developers (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28443647)

And then you have Web 4.0 abominations like idle.slashdot.org. Yes, it's so bad that I just skipped Web 3.0 altogether. Honestly, is Pudge a fucking retard or what?

Who CARES? (4, Interesting)

nweaver (113078) | more than 5 years ago | (#28442883)

The spammers WILL get your email address. Be it web trawling, google searchers, or stealing email address off of compromised computers, the spammers will get, and then resell, you email address.

Trying to keep the spammers from getting your email address is a lost cause, and not a battle worth fighting.

Re:Who CARES? (1)

mapsjanhere (1130359) | more than 5 years ago | (#28442979)

oddly enough, the email account linked to my slashdot login was created just for the "easily compromised but I need a valid email to get a login" situations. Even after 5 years in use to create logins it's the only one NOT heavily spammed (other than by some Russian spammers in a font I can't even read, talk about easy spam detection).

Re:Who CARES? (1)

slyborg (524607) | more than 5 years ago | (#28443059)

So why is it that you don't have your email address in canonical form on your homepage?? One hasn't needed to explain that "nweaver" is an account on a "server" since, um, 1986 or so.

Re:Who CARES? (1)

nweaver (113078) | more than 5 years ago | (#28443265)

History. I haven't updated my front page in years.

People still receive spam? (1)

iYk6 (1425255) | more than 5 years ago | (#28443725)

The spammers WILL get your email address. Be it web trawling, google searchers, or stealing email address off of compromised computers, the spammers will get, and then resell, you email address. Trying to keep the spammers from getting your email address is a lost cause, and not a battle worth fighting.

I don't get any spam at my personal account. No blacklisting or bayesian filters necessary. I just don't give my personal e-mail address to companies, nor do I display it on the Internet. I also have a sneakemail address that I only give to companies, and that one actually doesn't receive spam either. Go figure.

History. I haven't updated my front page in years.

You last updated that page 8 months ago.

Re:Who CARES? (1)

mlts (1038732) | more than 5 years ago | (#28443741)

If a spammer wanted my email address specifically, they would get it. However, the key is being able to raise the bar so its not harvested with ease.

Yes, but . . . (3, Insightful)

Art3x (973401) | more than 5 years ago | (#28442891)

Your email address will almost certainly get out. If not by a spambot then through an unscrupulous merchant.

That's why spam filtering is better than email hiding. Gmail's spam filter, for example, is very good. I get spam in my Inbox about once a quarter.

Google's job is to turn human-readable pages into machine-searchable pages. So it will always seek to expand what it can read: images, Flash, JavaScript, etc.

It's best not to hide in the direction that technology is advancing.

robots.txt (3, Interesting)

physicsphairy (720718) | more than 5 years ago | (#28442935)

I assume if you load your obfuscation code from script.js and put script.js in robots.txt that you will be safe, although that is sort of a pain.

What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

Re:robots.txt (4, Insightful)

RajivSLK (398494) | more than 5 years ago | (#28443807)

What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

That would be exploited by spammers to the extreme. Imagine clicking on a listing for disney kids fun house only to have a hidden ad for an online Viagra dispensary dominate the page.

And that's not all... (1)

DanCentury (110562) | more than 5 years ago | (#28443025)

They're probably spidering the "generated source" of a page, which means any content rendered with JavaScript is now spiderable and indexible [sic, I'm sure] -- what your eyes can see, Google will index.

Google is doing a lot of new things now, like listening to audio files and changing speech to text. Complete parsing of SWF files, including media and XML files called by the SWF. They can pull text off of images as well.

 

grapcha - new puzzle (1)

alxtoth (914920) | more than 5 years ago | (#28443031)

If everything else seems to fail, try these convoluted, big captchas generated based on Graphviz graphs. Link : http://snowflakejoins.com/grapcha/index?text=slashdot [snowflakejoins.com]

Re:grapcha - new puzzle (1)

EdIII (1114411) | more than 5 years ago | (#28443477)

That's a horribly weak captcha. Most simple text captcha's like that are broken. There is no randomness in font size, orientation, etc.

The greatest distinction is just the bubbles and the lines. However, it is a single line with a color coded stop and start. Finding the green and red bubble would be easy, as well as identifying the stop and start labeled bubbles and then just following the lines.

Quite frankly, this would be fairly easy to automate a solving process for this captcha.

Carefully protected.. (1)

gmuslera (3436) | more than 5 years ago | (#28443093)

Considering how much machines belong to one or another botnet, encripting it somehow in a web page dont protect your email from a contact that belongs directly or indirectly to one. As soon you start to try to use your email, the risks of getting in some spammers list start to raise. And that includes posting it in a web page under any encryption and get a mail from a visitor (probably the main reason of posting there the email) which machine is already owned.

Contact Me Form (5, Informative)

Jason Levine (196982) | more than 5 years ago | (#28443145)

A better method is to have a Contact Me form that doesn't display your e-mail address anywhere on it. Yes, you'll get spammers filling it out, but you can cut down on those with some simple techniques. For example, make a "Phone Number" field and set the CSS display attribute to none. Normal users won't see this field and won't fill it out. Spam-bots will see it and attempt to fill it out. Then, have your submission script silently fail to send to e-mail if the "Phone Number" is filled out. (If you toss an error, the spammer might figure out the trick.) No method is fool-proof, of course, but this is much better than putting your e-mail address on your webpage and hoping that someone doesn't de-mung it.

Like this is the only way... (1)

almightyon11 (1577457) | more than 5 years ago | (#28443167)

Like this is the only way to protect emails published on the web from spambots... I could list a few, but my favourite is to publish a well done (not easily broken) captcha img in some host I have easy acess to. If I want I can just delete that image, or add an expiration timers so that after a few days that image won't show up anymore.

I have a new solution: (2, Funny)

Facegarden (967477) | more than 5 years ago | (#28443209)

In order to prevent SPAMbots once and for all, you should require that everyone interested in contacting you first drive to the next geohash http://www.wiki.xkcd.com/geohashing/Main_Page [xkcd.com] in the region of your choosing, wearing a lumberjack outfit and carrying a case of jolt cola.

Then, and only then, does the read quest begin...
-Taylor

The harvesting bots are definitely getting smarter (1)

Fast Thick Pants (1081517) | more than 5 years ago | (#28443235)

When they learn to subtract pi, we're all hosed.

Re:The harvesting bots are definitely getting smar (1)

amRadioHed (463061) | more than 5 years ago | (#28443549)

Looks like you're already hosed [google.com] .

Inevitability (0, Redundant)

Captain Spam (66120) | more than 5 years ago | (#28443261)

So, the ability to process JavaScript outside of a browser is somehow Google-specific?

Frankly, this was inevitable. If JavaScript is processed by a computer in one application, it can be processed by a computer in another application, and the latter may be more Evil(tm) than the former. So what if Google stops parsing JavaScript in their summaries? How hard is it for the spammers to get a parser of their own and not even touch Google's servers?

That's why I've never really trusted those munging hacks.

My method (1)

EkriirkE (1075937) | more than 5 years ago | (#28443287)

My simple method seems pretty well help up - I just randomly use the HTML control characters instead of the ASCII character in some spots. e.g. instead of "e", use or

Re:My method (1)

EkriirkE (1075937) | more than 5 years ago | (#28443341)

Err, seems /. doesn't seem to like that

e = e or d

a search for my email just brings up some random page talking about me (i should ask the author to remove the addy.. oh well)

Re:My method (0)

Anonymous Coward | more than 5 years ago | (#28443793)

Dude, you might want to consider changing your signature. That key hasn't been useful for a couple of years now.

Pay to email (5, Interesting)

Viking Coder (102287) | more than 5 years ago | (#28443289)

How about "pay to email"?

I register with a pay-to-email site, and give it my actual email address. It gives me my new publicly visible email address. Anyone who wants to can send me an email through this service if they pay me an amount of money that I set. After I receive the email, I can refund the sender. The pay-to-email site takes a 10% cut on all un-refunded emails.

Sound like a winner?

Re:Pay to email (1)

PenguinBob (1208204) | more than 5 years ago | (#28443395)

I know I wouldn't pay to send a simple email to somebody. But it does *sound* like it would work.

Re:Pay to email (4, Funny)

Kozz (7764) | more than 5 years ago | (#28443439)

How about "pay to email"?

I register with a pay-to-email site, and give it my actual email address. It gives me my new publicly visible email address. Anyone who wants to can send me an email through this service if they pay me an amount of money that I set. After I receive the email, I can refund the sender. The pay-to-email site takes a 10% cut on all un-refunded emails.

Sound like a winner?

My... GOD... that's genius! Your plan clearly has no flaws. We should implement it right now.

OK, honestly, I was just too lazy to fill out the ubiquitous rejection form.

Re:Pay to email (2, Funny)

Anonymous Coward | more than 5 years ago | (#28444047)

Well, here you go:
---
Your post advocates a

( ) technical ( ) legislative (*) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(*) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(*) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Pay to email (1)

amRadioHed (463061) | more than 5 years ago | (#28443631)

Sounds like you'd never get any email.

Re:Pay to email (1)

PRMan (959735) | more than 5 years ago | (#28443641)

I still think a new e-mail system that charged 1 cent per e-mail would work. SPAM would instantly be too expensive, but the 10 messages I send friends per month wouldn't be.

For YEARS we've had transparent CSS methods (0)

Anonymous Coward | more than 5 years ago | (#28443357)

Why would you assume obfuscation would work? (1)

Todd Knarr (15451) | more than 5 years ago | (#28443459)

I assume that, if a human can figure out the e-mail address, a spammer can too. After all, if nothing else they'll simply hire an IT sweatshop over in Asia or Africa to scan the pages for addresses at a dollar an hour or a nickel an address. JS obfuscation doesn't even take that, if your browser can evaluate the Javascript then the spammer's page-scraping software can too. So I assume that the only obfuscation that'll work is one that renders a human unable to read the address, at which point why bother putting the address there at all. And if all else fails, the well-known spammer tactic of just shotgunning every possible e-mail address in a domain will find anything their other tricks didn't (just like the auto-dialers that dial every number in a given exchange will find even unlisted, unpublished, known-only-to-the-owner phone numbers).

The only viable defense is at the mail-server level. The spammers will get your address, so prepare your mail server to deal with them. Reject connections from known residential/dial-up netblocks that shouldn't be contacting your mail server directly. Apply SpamAssassin and other filtering to incoming mail. Use reliable blacklists (evaluate their policies yourself against your own tolerance for false positives, and remember that the spammers don't want you to use any blacklists because using them stops them from spamming). Use what your filters learn by blocking netblocks that generate too many filter-rejected messages. You can't stop them from sending that first SYN, but you can decide whether to SYN-ACK or NAK them.

One might say Google "Fixed" it (3, Interesting)

dmomo (256005) | more than 5 years ago | (#28443491)

It's a hack. When moving technology forward, you need to pick your battles when asking "should we not improve this service? It will break the hacks"?

All in all, you are displaying text on a page. Google's job is to take text that humans can read and make it text that humans can find.

I agree, spam is a problem, but this kind of obfuscation will only get you so far. It's the same argument that can be said about MP3s. If you can hear it, we can steal it. Same as "if you can see it."

Spam stinks, but in the end, even with these tricks, you are making your address public. Public information will be harvested by mortals and robots alike.

I don't think they got the email from Google (2, Insightful)

bheer (633842) | more than 5 years ago | (#28443539)

I don't think the spammers got his email address from Google. I mean, to do that they'd have to send a fairly narrow query to Google -- something like 'chibi jesus' -- and then scrape the results ... just scraping the cached page wouldn't help -- that contains JS, not the email address. Plus, I imagine Google would notice if a bot started sending lots of search queries its way.

It's far more likely that spammer bots are now actively processing JS. As others on this thread have pointed out, it ain't hard to do.

Google What Happened? (0)

Anonymous Coward | more than 5 years ago | (#28443683)

What happened to "Do No Harm"?

Mangle better (1)

jlcooke (50413) | more than 5 years ago | (#28443887)

Like this:

www.certainkey.com/dm [certainkey.com] .

Needs some crypto computation to decrypt. User needs to click on a "Get my Email" button. Works on iphone.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?