e-mail in source vs address harvesters (SPAM / security)

ATS16805

hello. i know that there are a few techniques we can use to protect our privacy from "spam-bots" (tech term?). in trying to decide which to employ, i ponder the advantages and disadvantages of each of those that i'm aware.

i can think of two methods which i've seen employed or recommended. they are the following:

use a graphical representation of the address: using an app such as XnView, the Gimp, Photoshop, or Illustrator which will insert text into an image-- or even a screen capture of your word-processor while the appropriate text is in focus-- how ever you are able to create the illusion of text in a simple jpg, gif, or png so that it appears as any genuine html e-mail hyperlink styled in your page font.
- advantage: through this method, the user can make note of your address for future reference. there is little margin for error in screen display
- disadvantage: the question of how to provide a mailto: hyperlink on hover associated w/ that image, while maintaining anonymity to code-crawlers
use javascript output: the source code need not contain (or expose to harvesters) a complete e-mail address, but instead, using javascript variables and document.write, the e-mail address and hyperlink can be made to appear to the user as if it were put there by plain html code.
- advantage:depending on choice of variables and formatting, hyperlink can be part of the output, naturally. user sees no difference from an "un-masked" link
- disadvantage: not all users will have javascript enabled in their browser which could result in no visible contact address

of course we can have variations on those-- perhaps even going as far as using CSS to create the illusion of a:hover w/ the image method (a sort of SwapOut() effect) while avoiding javascript altogether.

forever trying to discover the "best" or most "efficient approach" (ha! if i can learn to be more concise, perhaps!), i decided to try the image technique and create the hyperlink by using this code:

// filename: require.php 
define('EMAIL_CONTACT','mailto:address@domain.com');

//filename: userview.php
<?php   require_once('require.php');?>
<html>
<ul>
<li><a href="<?php echo EMAIL_CONTACT; ?>"><img name="Maria" src="<?php echo ROOT_OFFSET; ?>images/icons/maria.gif" width="135" height="22" alt="Catalog Order Contact Info" /></a></li>

when i view in the browser, it appears as if the image were actually a textual hyperlink, just as the javascript-- the difference being of course that the e-mail address isn't obfuscated to the same degree as it is in the javascript code so, my question for you is this...
is my address secure using this method, or can a bot "see" the code in define('EMAIL_CONTACT'...)?

thanks! i hope someone is able to use the examples i've provided! (if i've misrepresented anything, please correct me!)

justsomeone

Sadly, your code is insecure. The bots will easily find that mail address, they will only see the generated html, so generating it via PHP is no extra layer.

For me, javascript is the way to go.For users who don't have javascript-enabled, you could just link to a mail form.

Weedpacket

Would a typical address harvester recognise

preg_replace('/./e', '"&#".ord("$0").";"', EMAIL_CONTACT);

justsomeone

The spambot won't be reading the PHP code, only the html which it produces. So no matter what jiggery pokery you use in the PHP, if you end up creating a simple "mailto:me@mydomain.com" link, the bots will have no trouble extracting the email address.

MarkR

A spambot will fully normalise the URL, parsing all entities etc, before it tries to harvest an email address from it.

This means that urlencode() jiggery-pokery will simply have no effect.

The Javascript method is probably fairly sound, but personally, I use the human-readable-address format method.

mark@gensortium.sausages.com (but take .sausages out)

Mark

Weedpacket

Huh, huh, he said "jiggery pokery", huh huh....

justsomeone

How do pigs write top secret messages?
With invisible oink!

How do you take a sick pig to the hospital?
in a hambulance

how do you treat a pig with a rash?
oinkment

What do you call it when you cross a dinosaur and a pig?
jurassic pork

And that's "piggery jokery"

Weedpacket

Gee, you say all that and you don't even say "Pigs on the Wing" in your sig. 🙁🙂

Oh well: here's to address harvesters that contain Javascript interpreters and know about DOM.

Plasma

Check my contact page here: http://bpa-usage.com/contact.html

View the source - notice the email address is constructed with javascript.

I doubt any spambot bothers to parse javascript and construct an email address.

Id say every spambot simply views the page source, and looks for user@domain.tld messages.

justsomeone

I'm sure that spambots will eventually parse javascript, but for now it makes much more sense for them not to. Parsing javascript would just slow the spambots down, and they would get fewer pages parsed, and fewer email addresses harvested.

Given that the vast majority of javascript has nothign at all to do with email addresses, it would just be waste of spambot effort.

rjive

Ok, well, I'm having the same issues. My mail form is getting hijacked or something. I've had my form up for about 1-2 years now and all of sudden, within the last week, I'm getting junk mail as a result of a bot or something processing my mail form... what can I do to help it. I don't have the "mailto" function on the site and the form and email to mail it to is inside the php... What can I do to resolve this and protect my inbox! help!

justsomeone

These are different issues.

The issues being discussed here are about spambots harvesting email addresses from web pages.

It sounds like your problem is "the other one" spambots using your mail form to send their spam. The sad fact is that they may not just be sending it to you. They may be using email injection to send the mail to lots and lots of innocent users. They could be "bcc'ed" on the form and you would never know... unless you check your mail logs.

You need to lock down your mail form. See this tutorial from SecurePHP for an example discussion of this topic.

This will make sure that your mail form is not used for anything other than contacting you.

Of course your form may still be used to send you mail you don't want, but this is a much smaller problem (to the rest of us). You could look at implementing a CAPTCHA process to ensure that a real person and not a bot is sending the mail.

rjive

justsomeone wrote:
These are different issues.

The issues being discussed here are about spambots harvesting email addresses from web pages.

It sounds like your problem is "the other one" spambots using your mail form to send their spam. The sad fact is that they may not just be sending it to you. They may be using email injection to send the mail to lots and lots of innocent users. They could be "bcc'ed" on the form and you would never know... unless you check your mail logs.

You need to lock down your mail form. See this tutorial from SecurePHP for an example discussion of this topic.

This will make sure that your mail form is not used for anything other than contacting you.

Of course your form may still be used to send you mail you don't want, but this is a much smaller problem (to the rest of us). You could look at implementing a CAPTCHA process to ensure that a real person and not a bot is sending the mail.

Sorry if I hijacked the thread, but this is exactly what I'm looking for. Will the CAPTCHA decrease or stop the BOT from spamming me? How can they read the php code? You cannot "view source" and see it. As you can see, I'm a little bit of a novice when it comes to php. I appreciate the help. I think that I will have to start the CAPTCHA tonight so I can stop recv'ing the junk mail. Oh, one more question, does that need to run on the server side? Currently I don't have any of the mail function running on the server side-- that will all come in time! Thanks again for the help!

justsomeone

CAPTCHA is designed to prevent bots from using your form. It stands for Completely Automated Process to Tell Computers and Humans Apart. Research it, it's good stuff. A typical CAPTCHA technique is to present a graphic with some random distorted characters on it, and ask require the person(?) complete the form to type in the text contained in the graphic. This is something that people can do with more success than bots. If course there are restrictions on this method relating to people with poorer eyesight, but I'm sure there are other suitable CAPTCHA methods for people in this situation.

I'm not sure why you ask "How can they read the php code". They don't need to. They only need to generate the html form, and feed in values which you may not be expecting into it. If you don't properly parse any data you get from a hostile user, they could inject extra mail headers into the mail. This could result in, for example, 100 BCC's added to the spam so that your server sends it to 100 other victims.

Your "server side" question is also confusing. If your mail form is a html form which submits to a PHP script which uses PHP to send the mail from the server, then you ARE running server side mail functionality and all of the above applies.

If your "mail form" is in fact a "mailto:me@mydomain.com", which just causes the client software to open a blank email window, then it's not really a form at all and none of the above applies to you.

In that case, the spammer may have harvested your email address from your site, in which case the original thread is exactly what you need to help stop any MORE spambots harvesting your address in future, although you are probably bolting the stable door after the horse has bolted.

Also in that case, the spam mail is not coming through your webserver, so nothing on your webserver can block it. You need to look into getting a good spam filter on either your mail server or your mail client.

ATS16805

justsomeone wrote:
[there exists the issue of] spambots using your mail form to send their spam. The sad fact is that they may not just be sending it to you. They may be using email injection to send the mail to lots and lots of innocent users. They could be "bcc'ed" on the form and you would never know... unless you check your mail logs.

You need to lock down your mail form.

hello there! this issue above is the one i'm truly concerned with. i've been in the habit of not putting my e-mail address on my web sites, but only using forms to send w/ mail(), but i realized the hard way this past weekend that indeed i was only part of the way there in terms of security when i suddenly saw all kinds of spam coming from my domain name.

a similar thing happened to me once before which, now that i've learned about this spamtacular technique, i wonder what method was actually used to hijack my dns's sendmail the first time it happened to me-- (would that be what's going on?-- i mean- the proper way to reference what's happening in justsomeone's scenario i've quoted? is that my dns's sendmail, or my "hosting provider's" sendmail-- is that one and the same? uh...). not to get too far off-track here, but the first i fell victim to this exploit was back before i knew any php... might have had some cfmail stuff going on, but i don't even recall exactly how coldfusion does it... more like a perl cgi form, i think... only no need for the perl and... anyway-- all i know is that i got every name in the book sending from user@mydomain.com-- but i resolved, some several MONTHS later, when i discovered that i was a victim of SQL INJECTION in my phpbb2, that perhaps someone was making use of Cross Site Scripting (XSS) to manipulate my my server.

blah, blah-- so many darn things to worry about-- and here i was just looking for some javascript / regular expression (always one and the same, no?) form validator scripts, and then, in a typical 70% impulse-power-Jim moment, i realized that javascript isn't the answer either because if it's disabled, then the form gets submitted regardless!

i beg your pardon if this is redundant (considering justs.'s link above, which i have yet to read), but what IS the best way-- realizing that there's almost always some workaround-- to make secure one's html text field and textarea forms-- especially if those forms are going to subject our db's to SQL injection-- which in my opinion is the gravest personal danger due to potential for XSS if the right sequence of characters are submitted via $POST, or even worse, $GET

disclaimer: i'm a newbie (relatively speaking), so if you want to assume that i know it already, instead, assume that i don't know it yet-- might have heard of it-- but my experience is limited. thanks so much, y'all*!

(y'all: an abbreviation for the plural "You", indicitive of US Americans of the Southern states, and those who, attempting to 'sound hip-hop', use it when they be gettin' funky, chillin' wit da G's, tippin' 40's to their homey's and such)

rjive

Ok, well, here is my code... my form...

 <?php 
echo "<p> Your Name is: <b>$_POST[first] $_POST[last]</b></p>";
echo "<p> Your email address is: <b>$_POST[email]</b></p>";

//start building the mail string
$msg = "First:      $_POST[first]\r\n";
$msg .= "Last:      $_POST[last]\r\n";
$msg .= "Address:   $_POST[address]\r\n";
$msg .= "City:      $_POST[city]\r\n";
$mst .= "State      $_POST[state]\r\n";
$msg .= "Zip        $_POST[zip]\r\n";
$msg .= "Telephone  $_POST[telephone]\r\n";
$msg .= "Email:     $_POST[email]\r\n";
$msg .= "Terms:     $_POST[yes]\r\n";
$msg .="Terms_NO    $_POST[no]\r\n";
//set up the mail
$recipient = "myemail@address.com";
$subject = "Contact Information";
$mailheaaders = "from: My email address <myemail@address.com>  \r\n";
$mailheaders .= "Reply-to: $_POST[email]";
//send the mail
mail($recipient, $subject, $msg, $mailheaders);  ?>

So, this form is getting hijacked and sending me all sort of junk mail. How can I add CAPTCHA to this. I tried to add Auto Image Verification, but that wasn't too sucessful. On the form side of this script I can add the verification, but it will still process the form. I think that I'm missing something. Any ideas?

herve

rjive wrote:
So, this form is getting hijacked and sending me all sort of junk mail. How can I add CAPTCHA to this. I tried to add Auto Image Verification, but that wasn't too sucessful. On the form side of this script I can add the verification, but it will still process the form. I think that I'm missing something. Any ideas?

Have you read the tutorial justsomeone told you ? ( this tutorial from SecurePHP )

It exactly explain how your script can be hijacked by some spammer and what you can do about it.

justsomeone

rjive,

You don't seem to be doing any validation on the inputs provided by your users. You should treat all form input as hostile and only process it once you have verified that it is ok.

For example, $_POST[email] could contain anything. A list of email addresses perhaps? Or (as per the tutorial I mentioned earlier), it could contain any valid email headers to completely control how the mail is processed.

As for adding CAPTCHA, this is a big thing and you need to read up on it. The link which you provided would appear to show you what to do.

rjive

Thanks for the help. As you can see, I'm a little new to this PHP thing. I did read the article that Justsomeone provided, but I guess it wasn't clear. I will re-read it and give it another shot. I understand that I need to verify the information that is being inputted into the form. I guess that's my question... how do I verify that info. I understand how to verify the email address... I just want to verify that it is a human punching the info into my form and not a bot. I assumed that the auto image would take care of that. Is it possible to put the auto image code into my form and use an IF/Else statement to send the mail? Thanks again for all the help. You guys are very helpful and i'd be lost with all the turtorials and user help I receive on this site! Great tool for beginners! 🙂