[meta-bug] I can not contact Jeremy Newman
Molle Bestefich
molle.bestefich at gmail.com
Tue Aug 15 07:40:56 CDT 2006
Joerg Mayer wrote:
> http://www.bugzilla.org/features/#eam
As far as I can see from a real-world Bugzilla, Bugzilla's HTML
munging means replacing the @ character with the HTML entity "@".
That's a stupid scheme.
Even if it replaced all the characters, it would be a stupid scheme:
First, it takes 10 minutes for a coder to implement a workaround against.
Second, the HTML standard even *requires* you to decode such
characters inside the "href=" attribute.
There's absolutely no incentive for a spammer *not* to incorporate a
decoder for HTML entities in his/her harvester as far as I can see,
and with Bugzilla using HTML entities, it won't take long before one
of them does. In fact, most of them probably do already.
A much better scheme would use encryption via Javascript:
a) Decryption takes time, for a spam harvester time equals money.
b) We can do our best to make sure that the spammer actually needs to
*run* the Javascript to decrypt addresses, by for example changing the
keys, or even obfuscating the way the key is assembled as a string in
the Javascript decrypt() function with some PHP. Running actual
Javascript from web pages harvested will slow down a harvester, or
crash it, and it's exceedingly difficult, so it's very unlikely that
someone is going to do that in a harvester.
That would be an efficient scheme, as far as I can see.
It could be implemented like this:
1) A snippet of PHP code on the server side to encrypt e-mail addresses
2) A snippet of Javascript on the client side to decrypt e-mail addresses
3) mailto: links would look like this:
<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234')">mail me</a>
<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234')"><script
type="text/javascript">document.write(decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234'));</script></a>
I've just tested it, btw. The above method of returning
"mailto:joe at example.com" from Javascript works fine, both in IE,
Firefox, Opera and Konqueror.
4) Or like this
<head>
<script type="text/javascript">
// decrypt() is the client-side decryption function from step 2).
function decrypt_all_mailto() {
  var links = document.getElementsByTagName('A');
  for (var i = 0; i < links.length; i++) {
    // Read the attribute as written; links[i].href would be the resolved absolute URL.
    var href = String(links[i].getAttribute('href'));
    if (href.substring(0, 10) == "#decryptme") {
      var decrypted = decrypt(href.substring(10));
      links[i].href = "mailto:" + decrypted;
      links[i].innerHTML = decrypted;
    }
  }
}
</script>
</head>
<body onload='decrypt_all_mailto()'>
<a href='#decryptme1234,4231,2343,3421,23432,1234,321,1234,321,234'></a>
<a href='#decryptme756,56,43,456,234,8,6,2134,43,576,85,23,111,234'></a>
PS. It's not an original idea by me, by the way. Can't remember where
I read about it, but someone else out there implemented some sort of
JavaScript email obfuscator.
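The encode/decode pair from steps 1) and 2) above, as an added example that is not part of the original post. The function names, the key format and the mixing scheme are assumptions, and the server-side half is written in JavaScript rather than PHP so that both halves run together:

```javascript
'use strict';
// Added example: names, key format and the mixing scheme are assumptions, not the post's code.
// This is obfuscation to raise a harvester's cost, not confidentiality: the key ships with the page.
const MOD = 65536; // one value per UTF-16 code unit

function checkKey(key) {
  if (!Array.isArray(key) || key.length === 0 ||
      !key.every(k => Number.isInteger(k) && k >= 0 && k < MOD)) {
    throw new TypeError('key must be a non-empty array of integers in [0, 65536)');
  }
}

// Server-side half (the post suggests PHP; written in JavaScript here so both halves run together).
// Each value depends on the key and on the previous output, so the list is not a plain code table.
function encryptAddress(address, key) {
  checkKey(key);
  let prev = 0;
  const out = [];
  for (let i = 0; i < address.length; i++) {
    prev = (address.charCodeAt(i) + key[i % key.length] + prev) % MOD;
    out.push(prev);
  }
  return out.join(',');
}

// Client-side half: returns a one-argument decrypt(), matching the decrypt('1234,4231,...') calls above.
function makeDecrypt(key) {
  checkKey(key);
  return function decrypt(encoded) {
    if (!/^\d{1,5}(,\d{1,5})*$/.test(encoded)) throw new RangeError('malformed value list');
    let prev = 0;
    return encoded.split(',').map((s, i) => {
      const v = Number(s);
      if (v >= MOD) throw new RangeError('value out of range');
      const code = (((v - key[i % key.length] - prev) % MOD) + MOD) % MOD;
      prev = v;
      return String.fromCharCode(code);
    }).join('');
  };
}

// Only build a mailto: target from output that looks like a single address; anything else gets null.
// In the page, assign the address with textContent rather than innerHTML so it is never parsed as markup.
function toMailto(decrypt, encoded) {
  let address;
  try { address = decrypt(encoded); } catch (e) { return null; }
  return /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(address) ? 'mailto:' + address : null;
}
```

Changing the key per page load changes every encoded list, which is the property the post relies on to force a harvester to run the page's script.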