Has Google Broken JavaScript Spam Munging?

Baxil writes "For years now, Javascript munging has been a useful tool to share email addresses on the Web without exposing them to spammers. However, Google is now apparently evaluating Javascript when assembling summary text for web pages' listings, and publishing the un-munged email addresses to the world; and spammers have started to take advantage of this kind service." Anyone else seen this affecting their carefully protected email addresses?

Re:Mung

[eikonoklastes]

See http://en.wikipedia.org/wiki/Mung [wikipedia.org]

Re:Really....

[Anonymous Coward]

It's TRIVIAL for a spambot to execute code like this sitting in script tags in the "js" binary and dumping the contents, and then grabbing emails with a regex.

I use the "js" binary to rip porn off sites all the time.

~$ js -v
JavaScript-C 1.7.0 2007-10-03
usage: js [-PswWxCi] [-b branchlimit] [-c stackchunksize] [-v version] [-f scriptfile] [-e script] [-S maxstacksize] [scriptfile] [scriptarg...]

one answer

[martas]

http://mailhide.recaptcha.net/ [recaptcha.net]

Contact Me Form

[Jason Levine]

A better method is to have a Contact Me form that doesn't display your e-mail address anywhere on it. Yes, you'll get spammers filling it out, but you can cut down on those with some simple techniques. For example, make a "Phone Number" field and set the CSS display attribute to none. Normal users won't see this field and won't fill it out. Spam-bots will see it and attempt to fill it out. Then, have your submission script silently fail to send to e-mail if the "Phone Number" is filled out. (If you toss an error, the spammer might figure out the trick.) No method is fool-proof, of course, but this is much better than putting your e-mail address on your webpage and hoping that someone doesn't de-mung it.

Re:*rolleyes*

[broken_chaos]

Spambots don't, and never have, invested enough time to include JavaScript parsing. One of the linked articles suggests this is due to a possibility of crashing when trying to interpret badly formed or incorrect JavaScript, but it could also be due to simple plaintext (maybe with stripping HTML tags) parsing has been producing enough results so far.

Most spambots have been proven, in several experiments, to not even parse hex/decimal HTML character entities, so JavaScript parsing was considered to be mostly safe for the moment. It's not like people assume this is a perfect spam-blocking method - just that it's good enough to not get thousands upon thousands of spam, limiting it to a reasonable number.

Re:*rolleyes*

[RJFerret]

Recaptcha [recaptcha.net] has a service specifically for email addresses, no obfuscation needed... Which also has the added benefit of aiding book digitizing!

Re:It's not google, it's the web developers

[JCSoRocks]

Frames aren't a replacement. There's a reason people dropped frames. Layout limitations, limited scaling, poor bookmarking, broken back button, etc. I, for one, appreciate partial page refreshes - when done correctly. Full page postbacks suck.

Re:robots.txt

[Anonymous Coward]

On Google appliances, there is actually a googleon / googleoff [google.com] set of comment tags you can use.

Re:Mung

[collinstocks]

From Jargon File (4.4.4, 14 Aug 2003) [jargon]:

    mung /muhng/, vt.

          [in 1960 at MIT, "Mash Until No Good"; sometime after that the
          derivation from the {recursive acronym} "Mung Until No Good" became
          standard; but see {munge}]

          1. To make changes to a file, esp. large-scale and irrevocable
          changes. See {BLT}.

          2. To destroy, usually accidentally, occasionally maliciously. The
          system only mungs things maliciously; this is a consequence of
          {Finagle's Law}. See {scribble}, {mangle}, {trash}, {nuke}. Reports
          from {Usenet} suggest that the pronunciation /muhnj/ is now usual in
          speech, but the spelling `mung' is still common in program comments
          (compare the widespread confusion over the proper spelling of
          {kluge}).

          3. In the wake of the {spam} epidemics of the 1990s, mung is now
          commonly used to describe the act of modifying an email address in a
          sig block in a way that human beings can readily reverse but that will
          fool an {address harvester}. Example: johnNOSPAMsmith@isp.net.

          4. The kind of beans the sprouts of which are used in Chinese food.
          (That's their real name! Mung beans! Really!)

          Like many early hacker terms, this one seems to have originated at
          {TMRC}; it was already in use there in 1958. Peter Samson (compiler of
          the original TMRC lexicon) thinks it may originally have been
          onomatopoeic for the sound of a relay spring (contact) being twanged.
          However, it is known that during the World Wars, `mung' was U.S.: army
          slang for the ersatz creamed chipped beef better known as `SOS', and
          it seems quite likely that the word in fact goes back to Scots-dialect
          {munge}.

          Charles Mackay's 1874 book Lost Beauties of the English Language
          defined "mung" as follows: "Preterite of ming, to ming or mingle; when
          the substantive meaning of mingled food of bread, potatoes, etc.
          thrown to poultry. In America, `mung news' is a common expression
          applied to false news, but probably having its derivation from mingled
          (or mung) news, in which the true and the false are so mixed up
          together that it is impossible to distinguish one from another."

See the third definition.

Re:Mung

[Anonymous Coward]

Nice try, but that rule only applies to "[^ng]g$" words.

beg + ing = begging
dig + ing = digging
hog + ing = hogging
rag + ing = ragging
tug + ing = tugging

but it doesn't apply "[n]g$", because the n modifies the sound of the g, and gg$ is uncommon enough that it's an exception in itself.

bang + ing = banging
bring + ing = bringing
(egg + ing = egging)
hang + ing = hanging
long + ing = longing
ping + ing = pinging
sing + ing = singing

Unfortuantely we don't have many examples of "ung$" because most of the words of that form are either nouns (e.g. dung, lung, young) or past participles (e.g. clung, hung, sung), so their present participles are generally formed from the present tense "ing$" form of word (e.g. cling/clung/clinging, hang/hung/hanging, sing/sung/singing), etc.

Note that we do have plenty of examples of "unge$" forming "unging$":

expunge + ing = expunging
lounge + ing = lounging
lunge + ing = lunging
plunge + ing = plunging
scrounge + ing = scrounging

So that's plenty of reason to believe that the rule is "unge + ing = unging", despite the fact that "inge + ing" can be either "inging" or "ingeing" depending on the word (and in some cases both are valid):

binge + ing = binging or bingeing (both are valid; look it up)
cringe + ing = cringing
impinge + ing = impinging
singe + ing = singeing
twinge + ing = twinging or twingeing (both are valid)

Therefore I strongly contend that:

mung + ing = munging
munge + ing = munging or mungeing (both are valid)

You may dispute the claim above, but there's no disputing:

mung + ed = munged
munge + ed = munged

:)

Re:Much ado about nothing

[Phroggy]

Something that most people don't understand is that spam is NOT universal. Every e-mail address is unique, and will get a different assortment of spam. Some of the users on my mail server get spam that I don't get, and I get spam that they don't get.

In particular, a new e-mail address will never get spam, unless:

1. A spammer randomly guesses the address, using a dictionary attack
2. The address is posted on a web site, and scraped by a spammer
3. The address is submitted to a company or organization which posts it on their site
4. Malware extracts the address from somebody's address book
5. Somebody hacks into a company or organization that the address and takes it from their database
6. Some sleazy company sells it

That's pretty much it. #1 is only likely if your username is common (like just your first name). #3 isn't a common problem anymore, since most sites either don't post their users' e-mail addresses, or they obfuscate them (like Slashdot does). #5 isn't a common problem either. I've only gotten burned by #6 a few times.