[epub] Re: faked eMail addresses

["Michael" <admin@xxxxxxxxxxxxxx>]

Ravi,

> Just wanted to clarify that the email address you
> see on the page, is put there in real time -
> dynamically.
>
> You see it because you are viewing it in real time.

Yeah, I get it! I am a programmer. ;) The script takes "Ravi"
and sticks it in front of @... to form an email address.

> The bots cannot see it because the email is actually
> NOT a part of the page's content. The email address
> is put together ONLY when the page is viewed
> through a browser, and is invisible if you try
> to suck the content from a backend script, much
> like the bots are programmed to do.

Sorry, you're wrong. :)

If a bot follows the URL as you are posting it... with "Ravi"
appended, the full email address is part of the page's
content... it is merged server side, but presents to the browser
or bot as plain HTML. The idea that a bot would get the contents
of a server parsed file without the "Ravi" merged would indicate
that they could get the raw code before being parsed... that
goes against the very definition of a server parsed page.

I wouldn't have posted my original message had I not tested to
be sure first! :) I went into my files and pulled up a "bot"
script written in perl using LWP::SIMPLE. Anyway, the script
"grabbed" the contents of your page... email address and all.
Just to be absolutely sure... I just uploaded to my server and
ran it via cron without a "browser" involved... same result. To
confirm my cron test, I had the script write your email address
to a file... that would be bad if this was a harvester used for
spamming. ;)

By the way, there could be lots of harvesters out there written
in Perl running from cron... my defintion of one kind of
"backend script". It takes less than 20 lines of code to do a
simple Perl email harvester... add some code to "crawl" the web
and you would have a full blown email harvester.

Now that I have backed up my original post :)... there is an
easy solution that doesn't require you changing much.

Seeing as you already have bunches of links out there to contact
you... you wouldn't want to dump your system. I suggest the
easiest way to make it bot proof is to insert "Ravi" into a
hidden field on the form and then *in the processing script
only* merge "Ravi" ( or whatever) with the rest of the email
address for sending. Problem solved. I bet you had that figured
out though, didn't you! ;)

So, back to my original point... "Email addresses should be kept
server side in the form processing code for the best protection
from regular harvesting."

-Michael
http://www.swapezineads.com/

> At 07:23 PM 7/10/03 -0500, you wrote:
> > > If you see the below link,
> > > that is exactly what it lets you do:
> > > http://WebmasterInABox.net/emailus.php?to=Ravi
> >
> >Just want to point out... an email harvester can still grab
the
> >email address if it follows the above URL from somewhere. The
> >PHP outputs plain HTML with the email address embedded in the
> >code.  Email addresses should be kept server side in the form
> >processing code for the best protection from regular
harvesting.



-----------------------------------------------------------------
   --> Get the Best Minds in the Business for under $1000! <--

Put your email-publishing product or service where 25,000+ pros
   in e-publishing and e-marketing will see it with a flexible
    ad package on the EmailUniverse.com Resource Network.
  Make CONTACT, Build INFLUENCE or Get MAXIMUM IMPACT.
    Enlist EmailUniverse.com in your next ad campaign!
     http://opt-influence.com/nl/pl.cgi?emailuniverse
-----------------------------------------------------------------