Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Spam Businesses Google The Internet

Has Google Broken JavaScript Spam Munging? 288

Baxil writes "For years now, Javascript munging has been a useful tool to share email addresses on the Web without exposing them to spammers. However, Google is now apparently evaluating Javascript when assembling summary text for web pages' listings, and publishing the un-munged email addresses to the world; and spammers have started to take advantage of this kind service." Anyone else seen this affecting their carefully protected email addresses?
This discussion has been archived. No new comments can be posted.

Has Google Broken JavaScript Spam Munging?

Comments Filter:
  • Mung (Score:2, Funny)

    by Tokerat ( 150341 )

    You keep using that word. I do not think it means what you think it means.

    • Re:Mung (Score:5, Informative)

      by eikonoklastes ( 530797 ) on Tuesday June 23, 2009 @01:39PM (#28442737) Journal
      • by Aladrin ( 926209 )

        Maybe you should read it yourself. Here's the first sentence.

        Mung is computer jargon for "to make repeated changes which individually may be reversible, yet which ultimately result in an unintentional, irreversible destruction of large portions of the original item."

        Again, check this out: "which ultimately result in an unintentional, irreversible destruction of large portions of the original item."

        The email address is not munged, or you couldn't un-mung it.

        • Re: (Score:3, Funny)

          by PearsSoap ( 1384741 )

          The email address is not munged, or you couldn't un-mung it.

          You munged it; you can't un-mung it!

          Stay tuned for more... Tales! Of! Internet!

      • ... will it mung?

      • by sootman ( 158191 )

        It's also an acronym--it stands for mung until no good. [catb.org] :-)

      • Re: (Score:3, Insightful)

        Actually proper English indicates that you double consonant when adding 'ing' if it ends with one, or drop the 'e' if it ends with one:
            hop -> hopping
            hope -> hoping

        so:
            munge -> munging
            mung -> mungging

        • Re:Mung (Score:5, Informative)

          by Anonymous Coward on Tuesday June 23, 2009 @06:05PM (#28446919)

          Nice try, but that rule only applies to "[^ng]g$" words.

          beg + ing = begging
          dig + ing = digging
          hog + ing = hogging
          rag + ing = ragging
          tug + ing = tugging

          but it doesn't apply "[n]g$", because the n modifies the sound of the g, and gg$ is uncommon enough that it's an exception in itself.

          bang + ing = banging
          bring + ing = bringing
          (egg + ing = egging)
          hang + ing = hanging
          long + ing = longing
          ping + ing = pinging
          sing + ing = singing

          Unfortuantely we don't have many examples of "ung$" because most of the words of that form are either nouns (e.g. dung, lung, young) or past participles (e.g. clung, hung, sung), so their present participles are generally formed from the present tense "ing$" form of word (e.g. cling/clung/clinging, hang/hung/hanging, sing/sung/singing), etc.

          Note that we do have plenty of examples of "unge$" forming "unging$":

          expunge + ing = expunging
          lounge + ing = lounging
          lunge + ing = lunging
          plunge + ing = plunging
          scrounge + ing = scrounging

          So that's plenty of reason to believe that the rule is "unge + ing = unging", despite the fact that "inge + ing" can be either "inging" or "ingeing" depending on the word (and in some cases both are valid):

          binge + ing = binging or bingeing (both are valid; look it up)
          cringe + ing = cringing
          impinge + ing = impinging
          singe + ing = singeing
          twinge + ing = twinging or twingeing (both are valid)

          Therefore I strongly contend that:

          mung + ing = munging
          munge + ing = munging or mungeing (both are valid)

          You may dispute the claim above, but there's no disputing:

          mung + ed = munged
          munge + ed = munged

          :)

    • Re: (Score:3, Funny)

      Yeah, no kidding. I was wondering where Chowder and Schnitzel were
    • by Megane ( 129182 )

      Mung [catb.org]
      Munge [catb.org]
      Munge [google.com]

      Please turn in your card at the door on your way out.

    • Re: (Score:3, Informative)

      From Jargon File (4.4.4, 14 Aug 2003) [jargon]:

      mung /muhng/, vt.

      [in 1960 at MIT, "Mash Until No Good"; sometime after that the
      derivation from the {recursive acronym} "Mung Until No Good" became
      standard; but see {munge}]

      1. To make changes to a file, esp. large-scale and irrevocable
      changes. See {BLT}.

      2. To destroy, usually accidentally, occasionally maliciously. The
      system only mungs things maliciously; this is a consequence of
      {Finagle's Law}. See {scribble}, {mangle}, {trash}, {nuke}. Reports
      from {Usenet} suggest that the pronunciation /muhnj/ is now usual in
      speech, but the spelling `mung' is still common in program comments
      (compare the widespread confusion over the proper spelling of
      {kluge}).

      3. In the wake of the {spam} epidemics of the 1990s, mung is now
      commonly used to describe the act of modifying an email address in a
      sig block in a way that human beings can readily reverse but that will
      fool an {address harvester}. Example: johnNOSPAMsmith@isp.net.

      4. The kind of beans the sprouts of which are used in Chinese food.
      (That's their real name! Mung beans! Really!)

      Like many early hacker terms, this one seems to have originated at
      {TMRC}; it was already in use there in 1958. Peter Samson (compiler of
      the original TMRC lexicon) thinks it may originally have been
      onomatopoeic for the sound of a relay spring (contact) being twanged.
      However, it is known that during the World Wars, `mung' was U.S.: army
      slang for the ersatz creamed chipped beef better known as `SOS', and
      it seems quite likely that the word in fact goes back to Scots-dialect
      {munge}.

      Charles Mackay's 1874 book Lost Beauties of the English Language
      defined "mung" as follows: "Preterite of ming, to ming or mingle; when
      the substantive meaning of mingled food of bread, potatoes, etc.
      thrown to poultry. In America, `mung news' is a common expression
      applied to false news, but probably having its derivation from mingled
      (or mung) news, in which the true and the false are so mixed up
      together that it is impossible to distinguish one from another."

      See the third definition.

  • *rolleyes* (Score:5, Insightful)

    by Anonymous Coward on Tuesday June 23, 2009 @01:35PM (#28442663)

    Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

    • Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

      The issue here is not personal email, which obviously nobody puts on a web page.

      Many people prefer it when companies have a simple "contact us" email instead of having to go through a web form for sending them emails.

      Thus, some people & companies want to display an email address. They just want to make it harder for spammers to discover it. Javascript did a pretty good job at this, and Google seems to have provided a simple workaround.

      • Re:*rolleyes* (Score:5, Interesting)

        by hardburn ( 141468 ) <hardburn@nosPaM.wumpus-cave.net> on Tuesday June 23, 2009 @01:55PM (#28443019)

        Javascript did a pretty good job at this

        No, it didn't. Google isn't doing anything the spammers couldn't have done themselves with a little bit of Perl [cpan.org].

        • Re:*rolleyes* (Score:4, Informative)

          by broken_chaos ( 1188549 ) on Tuesday June 23, 2009 @02:04PM (#28443175)
          Spambots don't, and never have, invested enough time to include JavaScript parsing. One of the linked articles suggests this is due to a possibility of crashing when trying to interpret badly formed or incorrect JavaScript, but it could also be due to simple plaintext (maybe with stripping HTML tags) parsing has been producing enough results so far.

          Most spambots have been proven, in several experiments, to not even parse hex/decimal HTML character entities, so JavaScript parsing was considered to be mostly safe for the moment. It's not like people assume this is a perfect spam-blocking method - just that it's good enough to not get thousands upon thousands of spam, limiting it to a reasonable number.
          • Re:*rolleyes* (Score:4, Interesting)

            by NewWorldDan ( 899800 ) <dan@gen-tracker.com> on Tuesday June 23, 2009 @04:23PM (#28445583) Homepage Journal
            Yep, the keyword there is most spambots. It just takes one motivated enough to write a parser for javascript for common munging techniques. Or in this case, finding an app out there that does it automagically for them. I would expect that email addresses stored as an image would be less subject to abuse for two reasons: First, it creates a much larger download causing a bottle neck and second, it's much more computationally intensive. Still, it can of course, be done. After all, it may only be a matter of time until Google or MSN parse it and save the results for the rest of the world.

            What I find works best is to use a web form for submitting messages on our company website. That only gets spammed about once a month, and usually for something almost relavant to what we do. Then again, 2 years ago it never got spammed.
    • Re: (Score:3, Informative)

      by RJFerret ( 1279530 )

      Recaptcha [recaptcha.net] has a service specifically for email addresses, no obfuscation needed... Which also has the added benefit of aiding book digitizing!

      • by mlts ( 1038732 ) *

        One thing I use for my E-mail addresses is to have my address be a picture (take a snapshot with xwd, use the GIMP to crop the address). Unless spambots decide to grab every picture and run it through an OCR, the address is protected.

        The downside is that Braille readers lose access to this information, so have some definite workaround for this, perhaps a Web form where the reader is told to solve a simple word problem and type the answer in a blank before sending.

    • Re: (Score:2, Troll)

      by repetty ( 260322 )

      Seriously, queue the obfuscation != security thing. If your email address is carefully protected, it is not displayed on a web page, obfuscated or not.

      Well, I'm glad you got that tiresome drivel out of the way. Hopefully no one else will post this type of statement.

      Of course you are right -- everyone knows that you are right. The most effective way to secure anything is to hide it away and never use it.

      That fact now out of the way, we can now proceed with productive discussions.

      --Richard

    • Re: (Score:3, Insightful)

      by Chabil Ha' ( 875116 )

      To add:

      Relying on the expected behavior (Google not processing JS) of something over which you have no control for your security is pretty silly as well.

  • Really.... (Score:5, Insightful)

    by Darkness404 ( 1287218 ) on Tuesday June 23, 2009 @01:37PM (#28442713)
    Really with the development of better OCR technologies and such comes the elimination of e-mail security by obscurity. If you don't want spam either A) have a decent spam filter (I don't think I've had a single piece of spam pass through G-mails filter and only one false positive) or B) don't share your e-mail address. Those are the only two ways to prevent spam that will continue to work.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      It's TRIVIAL for a spambot to execute code like this sitting in script tags in the "js" binary and dumping the contents, and then grabbing emails with a regex.

      I use the "js" binary to rip porn off sites all the time.

      ~$ js -v
      JavaScript-C 1.7.0 2007-10-03
      usage: js [-PswWxCi] [-b branchlimit] [-c stackchunksize] [-v version] [-f scriptfile] [-e script] [-S maxstacksize] [scriptfile] [scriptarg...]

      • Re:Really.... (Score:5, Insightful)

        by buchner.johannes ( 1139593 ) on Tuesday June 23, 2009 @02:25PM (#28443511) Homepage Journal

        No it is not. If you increase the time used per website, you can not process that many websites anymore. JS obfuscated emails were protected because spammers didn't take effort.
        You might say computers got faster, but unfortunately the web didn't get smaller.

        Anyway, I understand the need to post email addresses on a website. How else should people contact you the first time? Personally, I don't like contact forms. Would you advocate for a CAPTCHA or requiring a POST request to obtain the real email address? You could still cry "security by obscurity".

        But you can't take away the option of posting email addresses on websites from users, as it is very useful to contact people by email. Reminds me of people saying "Flash is proprietary, and too fancy for my taste anyway, so nobody must use it. Use Javascript.".

        Maybe one should make swf files with the email in them. Muhahaha

        • Re: (Score:3, Interesting)

          Personally, I don't like contact forms. Would you advocate for a CAPTCHA or requiring a POST request to obtain the real email address?

          Never happen, but better would be:
          You get the actual e-mail address via a POST request over SSL secured by a valid client certificate from a reputable CA, the client certicate's public key and associated identity information is transferred to the owner of the e-mail address, who requires e-mail to also be digitally signed, and who filters by using a sender address whitelist

    • Re: (Score:2, Insightful)

      by mshieh ( 222547 )

      I don't think I've had a single piece of spam pass through G-mails filter and only one false positive

      You mean you've only noticed one false positive. I'm sure it's been mentioned in half of the comments in this thread, but security by obscurity is effective because there is value in stopping half of the spam, unlike traditional security where having your data stolen and sold once is not a big gain over having it done many times. There are many reasons why obscurity works towards this goal of reduction rather than elimination.

  • by RichardDeVries ( 961583 ) on Tuesday June 23, 2009 @01:40PM (#28442749) Journal
    That should be the title. That is, if it were newsworthy. Which it isn't.
  • They're also parsing hex/decimal character entity armoured e-mails in exactly the same way. While not as safe as JavaScript, these have been mostly-invulnerable to spambots as well and are used by default in some web-based applications, like the Mercurial hgweb.cgi/hgwebdir.cgi scripts.

  • by Null Nihils ( 965047 ) on Tuesday June 23, 2009 @01:41PM (#28442773) Journal

    This can easily be fixed, and should be right away. If Google is turning JavaScript into text output, they can easily parse that output (just like the spammers currently are) and see if the text contains an e-mail address. And if it does, they should omit it from search results (unless the address was originally plain text and not obfuscated, in which case they can assume the author wants it searchable).

    • by pembo13 ( 770295 )

      You realize anyone could do this, right?

      • Do what, parse JavaScript into plain text? You're right, anyone can do that if they really want to take the time. But for whatever reason spammers don't bother going that far.

        I'm no fan of security by obscurity, but let's be pragmatic: people will get less spam if Google fixes this problem.

  • by fataugie ( 89032 ) on Tuesday June 23, 2009 @01:41PM (#28442775) Homepage

    Dear Google:

    Welcome to the "Impossible to do anything right" club.

    Regards,

    Wal-Mart,
    Microsoft,
    G. W. Bush

  • Spammers know how to process javascript too. The benefits of having Google index the page as a client would see it far outweighs someones belief that they were 'safe' from spammers.

  • by Bazman ( 4849 ) on Tuesday June 23, 2009 @01:45PM (#28442833) Journal

    So much content on the web these days is spat out by document.write(), I'm not surprised at all that google evaluates certain javascripts in order to get any content to index.

    Even done a "View Source" on a google mail or google maps page? The web is now javascript.

    • Google Wave may mean that web sites and blogs will be implemented as embedded Waves. The wave demo at http://wave.google.com/ [google.com] shows how this would work for blog comments & galleries.

      In this demo, they basically hint that because of this, Google is rethinking what embedding & javascript mean on a page because they envision a future where the content can and will live anywhere and won't be represented by static HTML.

      As you point out, this is already happening, albeit to a lesser degree than I think Go

  • by Punto ( 100573 ) <puntob&gmail,com> on Tuesday June 23, 2009 @01:47PM (#28442881) Homepage

    nowadays, half of the pages I try to visit don't render at all without javascript. Somtimes the main content is missing (you just get the headline, the links that go on the sides, and the ads), somtimes it's just a blank page. It seems like all these traditional news organizations just _have_ to be "web 2.0" to appear relevant again.

    Google needs to index the page, they don't have much choice.

    • Re: (Score:2, Interesting)

      by iYk6 ( 1425255 )

      Bullshit. Google could recognize that I don't want to view crap, and not index it. The good websites don't pull inappropriate tricks with their pages, the mediocre sites would eventually figure out that they aren't getting indexed by search engines, and improve, and the terrible sites would remain in obscurity, partying with geocities.

      The web is a big place, and we don't have to put up with crap. Google actually has the power to make the web better by only indexing good pages, but they are doing this instea

      • by nweaver ( 113078 )

        The good websites don't pull inappropriate tricks with their pages, the mediocre sites would eventually figure out that they aren't getting indexed by search engines, and improve, and the terrible sites would remain in obscurity, partying with geocities.

        Sorry, this is just plain untrue. Have you looked at the source for the FRONT PAGE of Google lately?

        The head is 2 script blobs and a style sheet blob.

        The body has onload loading of images, an iframe with a bunch of onload crap, etc...

        Even the slashdot front

        • You are aware that both the examples you give (google front page and slashdot) both render with javascript off, right? They function as well. The javascript just adds more, it's not spitting out the main content.

          Javascript should not be creating the main content on your site unless it's a "web application", and even then a lot of applications should still be able to produce something usable.

  • Who CARES? (Score:5, Interesting)

    by nweaver ( 113078 ) on Tuesday June 23, 2009 @01:47PM (#28442883) Homepage

    The spammers WILL get your email address. Be it web trawling, google searchers, or stealing email address off of compromised computers, the spammers will get, and then resell, you email address.

    Trying to keep the spammers from getting your email address is a lost cause, and not a battle worth fighting.

    • oddly enough, the email account linked to my slashdot login was created just for the "easily compromised but I need a valid email to get a login" situations. Even after 5 years in use to create logins it's the only one NOT heavily spammed (other than by some Russian spammers in a font I can't even read, talk about easy spam detection).
    • by slyborg ( 524607 )

      So why is it that you don't have your email address in canonical form on your homepage?? One hasn't needed to explain that "nweaver" is an account on a "server" since, um, 1986 or so.

    • The spammers WILL get your email address. Be it web trawling, google searchers, or stealing email address off of compromised computers, the spammers will get, and then resell, you email address. Trying to keep the spammers from getting your email address is a lost cause, and not a battle worth fighting.

      I don't get any spam at my personal account. No blacklisting or bayesian filters necessary. I just don't give my personal e-mail address to companies, nor do I display it on the Internet. I also have a sneakemail address that I only give to companies, and that one actually doesn't receive spam either. Go figure.

      History. I haven't updated my front page in years.

      You last updated that page 8 months ago.

    • by mlts ( 1038732 ) *

      If a spammer wanted my email address specifically, they would get it. However, the key is being able to raise the bar so its not harvested with ease.

  • Yes, but . . . (Score:2, Insightful)

    by Art3x ( 973401 )

    Your email address will almost certainly get out. If not by a spambot then through an unscrupulous merchant.

    That's why spam filtering is better than email hiding. Gmail's spam filter, for example, is very good. I get spam in my Inbox about once a quarter.

    Google's job is to turn human-readable pages into machine-searchable pages. So it will always seek to expand what it can read: images, Flash, JavaScript, etc.

    It's best not to hide in the direction that technology is advancing.

  • robots.txt (Score:4, Interesting)

    by physicsphairy ( 720718 ) on Tuesday June 23, 2009 @01:51PM (#28442935)

    I assume if you load your obfuscation code from script.js and put script.js in robots.txt that you will be safe, although that is sort of a pain.

    What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

    • Re:robots.txt (Score:5, Insightful)

      by RajivSLK ( 398494 ) on Tuesday June 23, 2009 @02:40PM (#28443807)

      What would be nice is if google created a new tag in the lines of rel="nofollow" which would be an in-line way to keep the engine from seeing content.

      That would be exploited by spammers to the extreme. Imagine clicking on a listing for disney kids fun house only to have a hidden ad for an online Viagra dispensary dominate the page.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        On Google appliances, there is actually a googleon / googleoff [google.com] set of comment tags you can use.

  • one answer (Score:2, Informative)

    by martas ( 1439879 )
  • Considering how much machines belong to one or another botnet, encripting it somehow in a web page dont protect your email from a contact that belongs directly or indirectly to one. As soon you start to try to use your email, the risks of getting in some spammers list start to raise. And that includes posting it in a web page under any encryption and get a mail from a visitor (probably the main reason of posting there the email) which machine is already owned.
  • Contact Me Form (Score:5, Informative)

    by Jason Levine ( 196982 ) on Tuesday June 23, 2009 @02:02PM (#28443145) Homepage

    A better method is to have a Contact Me form that doesn't display your e-mail address anywhere on it. Yes, you'll get spammers filling it out, but you can cut down on those with some simple techniques. For example, make a "Phone Number" field and set the CSS display attribute to none. Normal users won't see this field and won't fill it out. Spam-bots will see it and attempt to fill it out. Then, have your submission script silently fail to send to e-mail if the "Phone Number" is filled out. (If you toss an error, the spammer might figure out the trick.) No method is fool-proof, of course, but this is much better than putting your e-mail address on your webpage and hoping that someone doesn't de-mung it.

    • Hiding it with CSS is quite clever. I've obviously used it for UI reasons but I hadn't considered its usefulness as a bot fighting strategy. Good tip.
    • by Cajun Hell ( 725246 ) on Tuesday June 23, 2009 @03:26PM (#28444605) Homepage Journal

      For example, make a "Phone Number" field and set the CSS display attribute to none. Normal users won't see this field and won't fill it out. Spam-bots will see it and attempt to fill it out.

      This only works for as long as spammers don't care about it. I think anyone who can figure out the HTML resulting from javascript, can also figure out the style of an element.

      What's really funny about this problem is that we used to talk about using captchas to tell the robots apart from the meatbags, so that you could discriminate against robots. But now people want the robots to make sense of their page (so that they get referrals from Google) but they don't want the robots to make sense of their page (so that their email box doesn't get referrals from spambot). You're on the web or you're not. Choose.

  • by Facegarden ( 967477 ) on Tuesday June 23, 2009 @02:06PM (#28443209)

    In order to prevent SPAMbots once and for all, you should require that everyone interested in contacting you first drive to the next geohash http://www.wiki.xkcd.com/geohashing/Main_Page [xkcd.com] in the region of your choosing, wearing a lumberjack outfit and carrying a case of jolt cola.

    Then, and only then, does the read quest begin...
    -Taylor

  • When they learn to subtract pi, we're all hosed.

  • My simple method seems pretty well help up - I just randomly use the HTML control characters instead of the ASCII character in some spots. e.g. instead of "e", use or
    • Err, seems /. doesn't seem to like that

      e = &#101; or &#x64;

      a search for my email just brings up some random page talking about me (i should ask the author to remove the addy.. oh well)
  • Pay to email (Score:5, Interesting)

    by Viking Coder ( 102287 ) on Tuesday June 23, 2009 @02:11PM (#28443289)

    How about "pay to email"?

    I register with a pay-to-email site, and give it my actual email address. It gives me my new publicly visible email address. Anyone who wants to can send me an email through this service if they pay me an amount of money that I set. After I receive the email, I can refund the sender. The pay-to-email site takes a 10% cut on all un-refunded emails.

    Sound like a winner?

    • by Kozz ( 7764 ) on Tuesday June 23, 2009 @02:21PM (#28443439)

      How about "pay to email"?

      I register with a pay-to-email site, and give it my actual email address. It gives me my new publicly visible email address. Anyone who wants to can send me an email through this service if they pay me an amount of money that I set. After I receive the email, I can refund the sender. The pay-to-email site takes a 10% cut on all un-refunded emails.

      Sound like a winner?

      My... GOD... that's genius! Your plan clearly has no flaws. We should implement it right now.

      OK, honestly, I was just too lazy to fill out the ubiquitous rejection form.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Well, here you go:
        ---
        Your post advocates a

        ( ) technical ( ) legislative (*) market-based ( ) vigilante

        approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

        ( ) Spammers can easily use it to harvest email addresses
        (*) Mailing lists and other legitimate email uses would be affected
        ( ) No one will be able to find the gu

        • Re: (Score:3, Interesting)

          Thanks for the sarcasm. I'll try to not stoop down as I respond to you:

          (*) Mailing lists and other legitimate email uses would be affected

          No they wouldn't. You can set up a whitelist.

          (*) Users of email will not put up with it

          If you have my private email account, you use it. I'm offering up an idea of a service that someone can use to mask their email address. If you really want to contact someone, you can send them a no-stamp email, and hope they happen to see it. This is no better and no worse than to

    • Sounds like you'd never get any email.

    • by PRMan ( 959735 )
      I still think a new e-mail system that charged 1 cent per e-mail would work. SPAM would instantly be too expensive, but the 10 messages I send friends per month wouldn't be.
    • by jfengel ( 409917 )

      The problem is the micro-transactions. You'd want to charge very little, a penny or less. But the overhead of transaction processing is enormous; no credit card company will deal with it.

      You could try to hold the money yourself and just shuffle it around, but that requires everybody to be on your system, and email users don't care for that.

      It also represents a pain to users: protecting the authorization and authentication info that lets them charge either requires frequent human intervention, OR a spam-bo

  • I assume that, if a human can figure out the e-mail address, a spammer can too. After all, if nothing else they'll simply hire an IT sweatshop over in Asia or Africa to scan the pages for addresses at a dollar an hour or a nickel an address. JS obfuscation doesn't even take that, if your browser can evaluate the Javascript then the spammer's page-scraping software can too. So I assume that the only obfuscation that'll work is one that renders a human unable to read the address, at which point why bother put

  • by dmomo ( 256005 ) on Tuesday June 23, 2009 @02:24PM (#28443491)

    It's a hack. When moving technology forward, you need to pick your battles when asking "should we not improve this service? It will break the hacks"?

    All in all, you are displaying text on a page. Google's job is to take text that humans can read and make it text that humans can find.

    I agree, spam is a problem, but this kind of obfuscation will only get you so far. It's the same argument that can be said about MP3s. If you can hear it, we can steal it. Same as "if you can see it."

    Spam stinks, but in the end, even with these tricks, you are making your address public. Public information will be harvested by mortals and robots alike.

  • by bheer ( 633842 ) <rbheerNO@SPAMgmail.com> on Tuesday June 23, 2009 @02:26PM (#28443539)

    I don't think the spammers got his email address from Google. I mean, to do that they'd have to send a fairly narrow query to Google -- something like 'chibi jesus' -- and then scrape the results ... just scraping the cached page wouldn't help -- that contains JS, not the email address. Plus, I imagine Google would notice if a bot started sending lots of search queries its way.

    It's far more likely that spammer bots are now actively processing JS. As others on this thread have pointed out, it ain't hard to do.

  • Like this:

    www.certainkey.com/dm [certainkey.com].

    Needs some crypto computation to decrypt. User needs to click on a "Get my Email" button. Works on iphone.

  • by Asmor ( 775910 ) on Tuesday June 23, 2009 @02:56PM (#28444093) Homepage

    I publically list my email whenever I need to. If I want someone to email me something, I say, "Send it to itoltz@gmail.com". In fact, if HTML is allowed where ever I'm writing that, I'll even be so kind as make it a mailto link (i.e. <a href='mailto:itoltz@gmail.com'>itoltz@gmail.com</a>).

    And you know what? I almost never get spam in my inbox. I'd say a piece squeaks through Gmail's filters every few months (though when it does, I usually seem to get 2-3 similar spams over the course of a day or two).

    Granted, not everyone has the option of using gmail, and for those who do not everyone is comfortable with the idea of using it. That's fine. But the point is, if gmail is that good at filtering out spam, anyone else can be too.

    • Re: (Score:3, Interesting)

      by hplus ( 1310833 )
      Given the immense quantity of mail that Google processes, they are in a uniquely effective position to classify mail as spam based on heuristics and other techniques that are similar to the sorting that they do for page-rankings. I'm not saying that other entities could not necessarily do what Google does, just that Google has a nice head start.
  • For everyone's information: the page the author links to as the one that has javascript munging also has a noscript tag with the email out in the open. Guess what Google and spammers' email-crawlers really do? ;)
    • by The Famous Brett Wat ( 12688 ) on Tuesday June 23, 2009 @08:43PM (#28448167) Homepage Journal

      For everyone's information: the page the author links to as the one that has javascript munging also has a noscript tag with the email out in the open. Guess what Google and spammers' email-crawlers really do? ;)

      I've checked your claim, and it's not true. The "noscript" tag contains warning text about Javascript being turned off and an instruction to use a web form instead of email. I've also checked my own Javascript obfuscation, which uses "blah at domain" type descriptive text in the noscript tag, and Google's search results do not de-obfuscate it. This may be due to the fact that my Javascript is loaded from a separate file -- a point raised in TFA.

      Even if Google is rendering some amount of Javascript in this way, it's still a stretch to accuse Google of being the leak. If you correspond with a person who has malware installed on their computer, there's a high risk that your email address will be exposed to spammers via that route. Such malware is hardly uncommon, is it? The obfuscation technique was only ever going to buy a little extra spam-free time in any case.

  • Let's Geto to Work (Score:3, Interesting)

    by tomsomething ( 1553077 ) on Tuesday June 23, 2009 @03:43PM (#28444919)
    Yay, Google. Judging by the responses I've seen so far, it seems most of us think this is a step forward for the search engine. That said, why don't we use this story as an opportunity to have a productive conversation about e-mail address security in a world where JavaScript's effectiveness is dwindling? Here's one from A List Apart that uses some fancy mod_rewrite stuff. http://www.alistapart.com/articles/gracefulemailobfuscation/ [alistapart.com] I know we've got a lot of geniuses and experts in here. Don't be modest! Show off how smart you are! And yes, the next brilliant security measure will someday be pummeled by a robot that some spammer puts together, but hell if that ain't just exciting! We're helping people build better, "smarter" robots, and criminals are some of society's greatest innovators.
  • by Arrogant-Bastard ( 141720 ) on Wednesday June 24, 2009 @05:00AM (#28450547)
    Spammers have many methods of acquiring addresses, including but not limited to:
    • subscribing to mailing lists
    • acquiring Usenet news feeds
    • querying mail servers
    • acquiring corporate directories (sometimes from their web sites)
    • insecure LDAP servers
    • insecure AD servers
    • use of backscatter/outscatter use of auto-responders
    • use of mailing list mechanisms
    • use of abusive "callback" mechanisms
    • dictionary attacks
    • purchase of addresses in bulk on the open market.
    • purchase of addresses from vendors, web sites, etc.
    • purchase of addresses from registrars, ISPs, web hosts, etc.
    • domain registration (some registrars are spammers
    • AND harvesting of the mail, address books and any other files present on any of the hundreds of millions of compromised Windows systems.

    There's thus no point whatsoever in any form of address obfuscation or munging: it's a complete waste of time indulged in only by the clueless, delusional few who haven't been paying attention to what's gone in during the past decade. What's truly ironic is how many of these people are actually running Windows and thus stand a reasonably good chance of having their own system be the point at which their address(es) are harvested.

    A far better point to critique Google on would be their pointless munging of addresses in Usenet news articles -- spammers have had their own Usenet feeds for MANY years and all Google's done is make the archives less useful for everyone else.

Trap full -- please empty.

Working...