[meta-bug] I can not contact Jeremy Newman

Molle Bestefich molle.bestefich at gmail.com
Tue Aug 15 07:40:56 CDT 2006


Joerg Mayer wrote:
> http://www.bugzilla.org/features/#eam

As far as I can see from a real-world Bugzilla, Bugzilla's HTML
munging means replacing the @ character with the HTML entity "&#64;".

That's a stupid scheme.
Even if it replaced all the characters, it would be a stupid scheme:

First, it takes 10 minutes for a coder to implement a workaround against.

Second, the HTML standard even *requires* you to decode such
characters inside the "href=" attribute.

There's absolutely no incentive for a spammer *not* to incorporate a
decoder for HTML entities in his/her harvester as far as I can see,
and with Bugzilla using HTML entities, it won't take long before one
of them does.  In fact, most of them probably do already.

A much better scheme would use encryption via Javascript:
 a) Decryption takes time, for a spam harvester time equals money.
 b) We can do our best to make sure that the spammer actually needs to
*run* the Javascript to decrypt addresses, by for example changing the
keys, or even obfuscating the way the key is assembled as a string in
the Javascript decrypt() function with some PHP.  Running actual
Javascript from web pages harvested will slow down a harvester, or
crash it, and it's exceedingly difficult, so it's very unlikely that
someone is going to do that in a harvester.

That would be an efficient scheme, as far as I can see.

It could be implemented like this:
 1) A snippet of PHP code on the server side to encrypt e-mail addresses
 2) A snippet of Javascript on the client side to decrypt e-mail addresses
 3) mailto: links would look like this:

<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234')">mail me</a>

<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234')"><script
type="text/javascript">document.write(decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234'));</script></a>

I've just tested it, btw.  The above method of returning
"mailto:joe at example.com" from Javascript works fine, both in IE,
Firefox, Opera and Konqueror.


 4) Or like this

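<head>
<script type="text/javascript">
// decrypt() is the client-side decoder from step 2 (not shown here).
function decrypt_all_mailto() {
   var links = document.getElementsByTagName('A');
   for (var i=0;i<links.length;i++) {
      // getAttribute() returns the href as written; links[i].href would be
      // resolved to an absolute URL and never start with "#decryptme".
      var href = String(links[i].getAttribute('href'));
      if (href.substring(0,10) == "#decryptme") {
         var decrypted = decrypt(href.substring(10));
         links[i].href = "mailto:" + decrypted;
         // textContent, so the decoded string is never parsed as markup
         links[i].textContent = decrypted;
      }
   }
}
</script>
</head>
<body onload='decrypt_all_mailto()'>
<a href='#decryptme1234,4231,2343,3421,23432,1234,321,1234,321,234'></a>
<a href='#decryptme756,56,43,456,234,8,6,2134,43,576,85,23,111,234'></a>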


PS. It's not an original idea by me, by the way.  Can't remember where
I read about it, but someone else out there implemented some sort of
JavaScript email obfuscator.
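
The encode/decode pair from steps 1 and 2 of the message above, as an added example that is not part of the original post. The post names no cipher, so a keyed XOR with a position-dependent offset is assumed; encrypt() and mailtoHref() are hypothetical names, and the server half is written in JavaScript rather than PHP so both halves run together.

```javascript
'use strict';
// Added example. Cipher choice and all names except decrypt() are assumptions.

// Server side: emit the comma-separated number list used in the post's hrefs.
function encrypt(address, key) {
  const tokens = [];
  for (let i = 0; i < address.length; i++) {
    const k = key.charCodeAt(i % key.length);
    tokens.push((address.charCodeAt(i) ^ k) + (i + 1) * k);
  }
  return tokens.join(',');
}

// Client side: inverse of encrypt(). Returns null on malformed input
// instead of producing a garbage link.
function decrypt(tokenList, key) {
  if (!/^\d+(,\d+)*$/.test(tokenList)) return null;
  const tokens = tokenList.split(',');
  let address = '';
  for (let i = 0; i < tokens.length; i++) {
    const k = key.charCodeAt(i % key.length);
    const code = (Number(tokens[i]) - (i + 1) * k) ^ k;
    if (code < 0x21 || code > 0x7e) return null; // printable ASCII only
    address += String.fromCharCode(code);
  }
  return address;
}

// Build the href only when the decoded text has a plain address shape, so a
// tampered token list cannot smuggle "?cc=" or "&body=" into the mailto: link.
function mailtoHref(tokenList, key) {
  const address = decrypt(tokenList, key);
  if (address === null) return null;
  if (!/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$/.test(address)) return null;
  return 'mailto:' + address;
}

// Constructed sample data: the same address served on two pages with two keys.
const SAMPLE = 'joe@example.com';
const PAGE_A = encrypt(SAMPLE, 'k3yA');
const PAGE_B = encrypt(SAMPLE, 'Zq9');
```

Changing the key per page changes the token list for the same address, which is the "changing the keys" step from point b). The key is delivered with the page, so this raises the cost of harvesting rather than keeping the address secret.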


