  1. #1
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)

    Security of obfuscated mailto link

    I want to put a single mailto link in a footer. Using plain text invites spamming, so I've been looking for some obfuscation method. Those I've tried so far produce a link that opens my e-mail client successfully, but I can see the plain text version in the browser status bar when I hover over the link. Won't a bot see exactly the same?
    Tim Dawson
    Isle of Mull, Scotland

  2. #2
    ralph.m (Melbourne, AU)
    I sometimes use JavaScript to obfuscate email addresses. All the bots see is the gobbledygook code in the HTML. There's no surefire way to obfuscate an email address (short of not placing it in the HTML).

  3. #3
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    Thanks for your reply.
    I realise nothing's perfect, I just don't want to be wide open to spamming.
    I've seen schemes that create hex code, but that looks too easy to circumvent. It's not clear to me why a JS solution should be any better, since the code is presumably there for all (bots) to see if they wish?
    Tim Dawson
    Isle of Mull, Scotland

  4. #4
    ralph.m (Melbourne, AU)
    I often use this encoder form, which is very handy. It turns the email address (or HTML code if you want to encode more) into what looks like gibberish in HTML, and that's what the bots see, but the browser is able to turn it back into a readable email address:

    Enkoder

    So the only spammers who can misuse the email address are the flesh and blood ones sitting at their computer and manually spamming. But they do a lot less damage than the bots.

    The alternative, of course, is to use a form, in which case the email address can be hidden altogether. But like everything else, that's not a perfect solution either, as some people will mistype their email address etc.

  5. #5
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    Thank you. I've now tried 'enkoder' and it certainly does the stuff to the point of displaying the link correctly.
    I've always understood that crawlers saw the web page 'just as the browser sees it', which I took to mean that everything would be seen in its rendered form, negating any JS coding like 'enkoder'. But from what you say, this isn't true?
    As you say, I could use a form, but this is only a link in the footer back to me (the designer), and I don't want to make it any harder for legitimate users.

    As an aside, we do have a form on this web site, for visitors to respond (the site lists tourist accommodation). The accommodation e-mail addresses are held in a MySQL database, and we still get the occasional spammed 'enquiry'. It's not yet reached the point where we'll introduce a CAPTCHA.
    Tim Dawson
    Isle of Mull, Scotland

  6. #6
    wwb_99 (Washington, DC)
    Just use a non-personal address, get a decent mail service [READ: google apps for domains], let service worry about spam and call it a day.

  7. #7
    ralph.m (Melbourne, AU)
    ramasaig wrote:
    I've always understood that crawlers saw the web page 'just as the browser sees it'
    Yes, but not as the browser renders it. The browser sees it as code.

    we still get the occasional spammed 'enquiry'.
    Yes, probably because some spammer is manually filling out the form.

    It's not yet reached the point where we'll introduce a CAPTCHA.
    Captcha is horrid, and really just makes life harder for all the legitimate users. There are better options, in my view, like a 'honey pot' field that is hidden from most users and designed to trip up the bots.
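    The run-time decoding ralph.m describes in posts #4 and #7, as an added example that is neither the thread's code nor Enkoder's: the page carries only an array of shifted character codes, and the browser's script turns it back into the mailto link. The offset, the sample address and the `contact-link` element id are assumptions.

```javascript
// Added example, not the thread's code and not Enkoder's: a mailto link that
// the browser assembles at run time, so the HTML a scraper reads carries only
// an array of numbers, never the address itself.
// The address is stored as character codes shifted by a fixed offset.
const SHIFT = 7; // constructed offset; the page and the encoder must agree on it

// Run once, offline, to produce the array you paste into the page.
function encodeAddress(address, shift = SHIFT) {
  return Array.from(address, (ch) => ch.charCodeAt(0) + shift);
}

// What the page runs: shift the codes back and rebuild the string.
function decodeAddress(codes, shift = SHIFT) {
  return String.fromCharCode(...codes.map((code) => code - shift));
}

// Build the href and the visible link text from the stored codes.
function buildMailto(codes, shift = SHIFT) {
  const address = decodeAddress(codes, shift);
  return { href: 'mailto:' + address, text: address };
}

// Constructed sample: encodeAddress('webmaster@example.com') with SHIFT = 7.
// Only this array goes into the deployed page; the plaintext stays out of it.
const ENCODED = [126, 108, 105, 116, 104, 122, 123, 108, 121, 71,
  108, 127, 104, 116, 119, 115, 108, 53, 106, 118, 116];

// Browser side: fill the footer placeholder, assumed to be
// <a id="contact-link">contact</a>. Guarded so the file also runs under Node.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const link = document.getElementById('contact-link');
    if (!link) return;
    const { href, text } = buildMailto(ENCODED);
    link.href = href;
    link.textContent = text;
  });
}
```

    Once the script has run, the decoded address is in the DOM and in the status bar on hover, exactly as the opening post observed, so a crawler that executes JavaScript sees it as well; the scheme only hides it from scrapers that read the raw HTML.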

  8. #8
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    Thank you.

    Yes, I'd rather hoped that these occasional bouts of spamming were being done manually. Clicking a link in each accommodation listing opens the form and when this is submitted the script extracts the appropriate address from the database and sends the e-mail (though the address is never displayed). Surely a bot could do that too?

    I entirely agree that CAPTCHA is horrid. I'm not familiar with 'honeypot' fields, but I'll have to find out more.
    Tim Dawson
    Isle of Mull, Scotland

  9. #9
    ralph.m (Melbourne, AU)
    ramasaig wrote:
    I'm not familiar with 'honeypot' fields, but I'll have to find out more.
    Honeypots are great IMHO.

    When a bot fills out a form, it fills in every field. So you put in a hidden field (display: none) and then set a rule in the PHP that if that field is filled in, the form aborts. In the rare cases that someone will have CSS turned off (and can thus see the honey pot field), you can either leave a message: "don't fill in this field!" or you could say "what is 5 plus five?" and allow for the answer 10/ten. To trick the bot, you can give the form field a name of "email" or something like that, so the bot thinks it's meant to stick an email address in there.

    With this method, I'm sure I've never had a single bot attack in any form I've put online.

  10. #10
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    Thanks. That seems a brilliantly simple idea. I'll give it a go.
    Tim Dawson
    Isle of Mull, Scotland

  11. #11
    ralph.m (Melbourne, AU)
    Here's one link I have on the topic, though I think it says more than strictly needed:

    Protecting Forms from Spam ‘Bots - Beast-Blog.com

  12. #12
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    Many thanks for your help. I'll follow it up as soon as I can. It must be late (or early) in Australia!
    Tim Dawson
    Isle of Mull, Scotland

  13. #13
    Stomme poes (Netherlands)
    When a bot fills out a form, it fills in every field.
    Not always. I've had plenty of forms where the bot, for whatever reason, stopped halfway through (and so missed the honeypot, which was nearly the last question).

    So I put those honeypots near the tops of forms.

    Also, display: none, when used on form elements, is one of those rare occasions where a screen reader will still render the elements. So always have a label explaining as if the user sees the label/input normally.

    You can also mix a honeypot with a bit of Javascript. On some of the forms on the Fronteers.nl site, if you have Javascript on (whether with a screen reader or not) there is no honeypot to be found and you don't have to fill anything in. But if you have Javascript off, the honeypot appears and you are told "Fill in No" (which I misread many times as "No fill in" which meant I kept hitting the spam gate, arg).

  14. #14
    ralph.m (Melbourne, AU)
    Stomme poes wrote:
    display: none, when used on form elements, is one of those rare occasions where a screen reader will still render the elements.
    Be darned. Why do they do that?

  15. #15
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    Thank you, that's very timely, as I'm just setting up testing my honeypot. I've hidden it by CSS positioning, so I fully expect a screen reader to find it.

    I have set the input legend to say 'Do not complete this field', but I'm not sure that's the best way to put it for those not fluent in English.

    The default input text is blank, but I could equally put a message in there too, and test that it's not been changed.
    Tim Dawson
    Isle of Mull, Scotland

  16. #16
    Stomme poes (Netherlands)
    Be darned. Why do they do that?
    No idea.

    Juicy Studio: Screen Readers and display: none

    I dunno about VO, but Orca and NVDA will also. And visibility: hidden as well.

    I have set the input legend to say 'Do not complete this field', but I'm not sure that's the best way to put it for those not fluent in English.
    How do those not fluent in English fill out the rest of your form?

  17. #17
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    Stomme poes wrote:
    How do those not fluent in English fill out the rest of your form?
    Fair question, but you don't have to be FLUENT in English to follow legends like 'Name', 'e-mail address', but the instruction 'Do not complete this field' is probably harder to understand.

    I'm sure your English is fluent, but you said yourself that you confused 'Fill in No' with 'No fill in' (and then presumably you DID fill it in, and fell foul of the trap as you say). I might have read the first as 'Fill in number'!

    Perhaps plain 'Do not fill in' would be a better choice of words in my case.
    Last edited by ramasaig; May 26, 2011 at 05:28. Reason: typo correction
    Tim Dawson
    Isle of Mull, Scotland

  18. #18
    ralph.m (Melbourne, AU)
    Stomme poes wrote:
    I dunno about VO, but Orca and NVDA will also. And visibility: hidden as well.
    I just tested VO, and it skipped over the honeypot that was set to display: none.

    Thanks for the link.

    ramasaig wrote:
    Perhaps plain 'Do not fill in' would be a better choice of words in my case.
    As I mentioned, I decided to ask a simple question for those who can see the input field—something like a simple math question. Or maybe something like: "what color is a pink rose?" … although that might be too confusing, being such a weird question.

  19. #19
    Stomme poes (Netherlands)
    You linked to Mike Cherim earlier. He uses "Is fire hot?" which gets a pretty unanimous "yes".

    Got hit by some guy's blog's captcha-question: did you cry when littlefoot died? (or something like that). It was a set of radio buttons with "no" selected by default. Of course I didn't answer it: I was informed that I was either a bot, or a psychopath : )

  20. #20
    SitePoint Addict (Fionnphort, Isle of Mull, Scotland)
    I decided to ask a simple question for those who can see the input field—something like a simple math question. Or maybe something like: "what color is a pink rose?"
    Surely you need a question to which you can accurately predict the answer, without possibility of error? Or you could test for a range of answers, but why make it difficult?
    Tim Dawson
    Isle of Mull, Scotland

  21. #21
    ralph.m (Melbourne, AU)
    Stomme poes wrote:
    I was informed that I was either a bot, or a psychopath
    Hah ha, they knew you were coming.

    ramasaig wrote:
    why make it difficult?
    Yes, that latter option was just a joke. I wouldn't actually use that. Lately I've been using "What is 2 + 2?" Not sure if a bot could work that out or not, but I haven't had any bot spam with it yet.

  22. #22
    Stomme poes (Netherlands)
    We've all seen the strange captchas with calculus equations and muddled images asking us "how many cats?" where there's just no way you could tell the cats from the dogs.
    I prefer to keep my honeypots as filled/unfilled and accept that it's only for stupid bots, not smart bots or human spammers. Otherwise you start snagging the cognitively disabled (or simply confusing non-disabled) and other real humans in your filter.
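    The server-side honeypot rule from posts #9, #13, #15 and #21, as an added example that is not the thread's code: ralph.m describes it in PHP, and it is written here as a pure JavaScript (Node) function that a form handler calls on the parsed POST body. The field names, the accepted answers and the sample submissions are assumptions.

```javascript
// Added example, not the thread's code: the honeypot rule the thread describes
// for PHP, written as a pure function in JavaScript (Node) so a handler can
// call it on the parsed POST body. Field names are assumptions.
// The trap is named "email" so a form-filling bot is tempted to put an address
// in it; the real address field is "contact_email". Browser autofill may also
// populate a field named "email" for a real visitor, so the trap input should
// carry autocomplete="off".
const HONEYPOT_FIELD = 'email';

// Replies accepted for the question shown to anyone who can see the trap
// ("what is 5 plus five?"). An empty field passes too, for the majority of
// visitors whose CSS hides the field and who never see the question.
const ACCEPTED_ANSWERS = ['10', 'ten'];

function normalise(value) {
  return String(value ?? '').trim().toLowerCase();
}

// fields: the parsed POST body. trapRemovedByScript: true when the page's
// script deletes the trap for script-enabled visitors (the Fronteers approach),
// so a missing field is expected; false (default) when the trap is always
// rendered, so a missing field means the form was not submitted as served.
function checkHoneypot(fields, trapRemovedByScript = false) {
  if (!Object.prototype.hasOwnProperty.call(fields, HONEYPOT_FIELD)) {
    // Caveat: with trapRemovedByScript a bot that simply omits the field is
    // waved through; the trap then only catches bots that fill every field.
    return trapRemovedByScript
      ? { ok: true }
      : { ok: false, reason: 'honeypot field missing' };
  }
  const answer = normalise(fields[HONEYPOT_FIELD]);
  if (answer === '' || ACCEPTED_ANSWERS.includes(answer)) {
    return { ok: true };
  }
  return { ok: false, reason: 'honeypot field filled: ' + answer };
}

// Constructed sample submissions.
const SAMPLE = {
  hiddenByCss: { contact_email: 'tim@example.com', message: 'Hi', email: '' },
  screenReader: { contact_email: 'tim@example.com', message: 'Hi', email: ' Ten ' },
  bot: { contact_email: 'x@example.com', message: 'buy now', email: 'x@example.com' },
  scriptRemoved: { contact_email: 'tim@example.com', message: 'Hi' },
};
```

    Following Stomme poes's advice, place the trap input near the top of the form so a bot that stops halfway still meets it, and give it a visible label so screen-reader users who reach it know what to do.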

