Heal Your Church WebSite


Teaching, rebuking, correcting & training in righteous web design.

Clubbed with a Lojack!

Romans 12:17 & 18 offers the following instructions: "Do not repay anyone evil for evil. Be careful to do what is right in the eyes of everybody. If it is possible, as far as it depends on you, live at peace with everyone."

I’ve also heard it said in various pulpits and Sunday schools "Locks on the door only keep the honest man honest."

When I lived in NYC, like many 20-sumthins, I had a bike. A nice mountain bike. I’m 40-sumthing now, and still have that bike. One of the reasons is I did not buy the run-of-the-mill light-n-affordable Kryptonite lock everyone else was using. I lugged some 10 pound, imported from the U.K., cold-steel ‘Universal Lock’. Not because this lock was impenetrable, but because it was a pain in the "ars nova" to break. As a result, thieves would take the bike next to mine.

That is sort of what Mark Pilgrim is talking about when he writes about a Club vs. LoJack approach to securing the email address on your web site. Here is how he describes the "Club" scenario:

The more interesting thing about these “option 2” approaches is that they each only work as long as they are not widespread. Consider the analogy of protecting email addresses from spam harvesters. Enterprising young webmasters who think they’re cool will obfuscate their email address with a combination of numeric entities, hexadecimal ASCII characters, and other junk. And spammers will simply use scripts that cut through such obfuscation like butter (deobfuscation methods explained). Even the vaunted Hivelogic Email Address Encoder is not safe anymore. Why? Because once enough people started using it, it was worth somebody’s time to write a simple regular expression to reduce it to numeric entities, which can be deobfuscated into plaintext.

Eeeyooouuch Mark! That felt about as good as a sharp poke in the eye! Was it something I said?

Actually, Mark is just confirming something I wrote back in June, when I discussed the article associated with the Mean Dean Anti-Spam Email Obfuscator and said:

Unless the "industrious" spammer has taken the time to build a smart flexible ‘bot, then I’m safer using my ‘obfuscated’ address as opposed to hanging one out there in plain text. I also encode the "mailto:" in a further effort to make email links look-n-feel like hyperlinks.

In other words, a smart, determined thief, I mean spammer, is going to getcha if you put your email address up on your church website. The trick is to make it such a pain in the posterior, and to camouflage it in such a way, that they move on to easier prey. So yes, Mark P. is right when he opines that what is really needed is a LoJack solution so we can hunt down spammers and prosecute them with every legal means available to us. So in response, I’ve made some modifications to the Mean Dean Anti-Spam Email Obfuscation Tool.

You can now encode email addresses mangled into such variations as:

  • foo<REMOVEME>@foobar.com
  • foo-AT-foobar-DOT-com
  • foo<REMOVEME>@foobar-DOT-com

Yes, I know, these are still Club-like solutions that trade off usability for security. So I’ve made one other modification. For those of you who have the ability to create email forwarders and/or have an email catch-all (usually those of you who have ‘Real Domains’), the obfuscator now encodes crude, almost LoJack-like addresses such as:

  • foo+FLAG1@foobar.com
  • foo+30OCT02+@foobar.com
  • foo+FLAG1+30OCT02+@foobar.com

These entries are based upon a LoJack-ish approach taken by Anders Jacobsen in his article entitled ‘Email addresses with a "+" are VALID’, which came to my attention after he left a comment on my website with a very identifiable, traceable and, if need be, blockable email address, made so merely by encoding some additional information between the ‘+’ signs.

Using this technique, the email address I use on this site is no longer as easy to cut through as butter – at least for now. After all, Mark P. gets it right when he asserts that at some point it may be "worth somebody’s time to write a simple regular expression to reduce it to numeric entities." Though considering the nature of the spammer, I tend to think deflection and camouflage at this level do provide me slightly more protection than the average bear.
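To make the plus-tag idea above concrete, here is an added example (not the Mean Dean tool’s own code; every function name is hypothetical) that builds a tagged address like foo+FLAG1+30OCT02+@foobar.com, wraps it in an entity-encoded mailto link, recovers the tag from the recipient address of an incoming message so the leaked copy can be identified and blocked, and shows Mark’s caveat that the entity layer itself unwinds with one library call. It assumes your mail server, forwarder or catch-all delivers foo+anything@foobar.com to the foo mailbox.

```python
import html
import re
from datetime import date

# Added example, not the Mean Dean tool's own code; every name here is hypothetical.

def date_stamp(when):
    """Render a date the way the page's examples do: 30OCT02."""
    return when.strftime("%d%b%y").upper()

def plus_tag(local, domain, flag=None, stamp=None):
    """Build a traceable address such as foo+FLAG1+30OCT02+@foobar.com.
    Relies on the mail server, a forwarder or a catch-all delivering
    local+anything@domain to the 'local' mailbox ('+' is valid in a local part)."""
    tags = [t for t in (flag, stamp) if t]
    return f"{local}+{'+'.join(tags)}+@{domain}" if tags else f"{local}@{domain}"

def entity_encode(text):
    """Encode each character as a numeric entity, alternating decimal and hex.
    A browser renders the result as plain text; 'mailto:' is encoded as well."""
    return "".join(f"&#{ord(c)};" if i % 2 == 0 else f"&#x{ord(c):x};"
                   for i, c in enumerate(text))

def mailto_link(addr, label):
    """The obfuscated anchor a page would carry; no literal '@' appears in it."""
    return f'<a href="{entity_encode("mailto:" + addr)}">{label}</a>'

TAG_RE = re.compile(r"^([^+@]+)\+(.+?)\+?@([^@]+)$")

def trace_tag(recipient):
    """From the recipient address of an incoming message, recover
    (mailbox, [tags], domain) so the leaked copy can be identified and
    that tag alone blocked, without retiring the real mailbox."""
    m = TAG_RE.match(recipient)
    return (m.group(1), m.group(2).split("+"), m.group(3)) if m else None

def unobfuscate(encoded):
    """Mark Pilgrim's caveat: entity obfuscation unwinds with one library call,
    so the entities are camouflage only; the tag is what makes the address traceable."""
    return html.unescape(encoded)

if __name__ == "__main__":
    addr = plus_tag("foo", "foobar.com", "FLAG1", date_stamp(date(2002, 10, 30)))
    print(mailto_link(addr, "Email us"))   # entities only, nothing a naive '@' scan finds
    print(trace_tag(addr))                 # ('foo', ['FLAG1', '30OCT02'], 'foobar.com')
    print(unobfuscate(entity_encode(addr)) == addr)
```

The tag is what gives you the LoJack: once mail to foo+FLAG1+... starts arriving from strangers, you know which published copy leaked and can drop that tag at the forwarder while the real mailbox keeps working.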

In fact, I only disagree with Pilgrim’s process on one point. There should be a third option I call the "dye-pack" solution: an email address that explodes all over the spammer and indelibly marks the address, rendering the address ‘unsellable’ and making it easy for the authorities to track down spammers like the filthy dogs that they are.

7 Comments

  1. But how much do you really affect usability when cloaking your email address? Will Aunt Ruth understand what is going on?

    I’ve been posting the attached email address all over the web since the beginning of the year and get NO spam. Of course all it takes is one! But I know I’ll not be using it anymore in three months, so the long-term risk is small.

    I think I’ll go for the DixieSys deal to replace it.

  2. Have you seen this article?

    http://www.evolt.org/article/Spam_Proofing_Your_Website/20/41849/index.html

    I added a link to your tool at the bottom.

  3. On our church website ( http://www.tnova.org ), all e-mails must be sent through web forms. When the person replies to them, the e-mail address is revealed and it makes repeat correspondence very simple. The NMS version of Matt’s FormMail ( http://www.scriptarchive.com ) allows you to assign numbers to e-mail addresses, so that it is impossible to tell what the address is unless you hack into the site. Functionality intact. E-mails are as safe as possible. Everyone benefits!

  4. jon@young.com, I’ve deleted your comment because it wasn’t a comment. You merely cut and pasted the last paragraph of this article. I sure hope you aren’t trying to use my site as a form of spam.

  5. Ahh … a second post of the same. Guess what jon@young.com, I’m sending my complaint to abuse@integratelecom.com

  6. OK, but if a spambot can parse obfuscated addresses, can’t it be modified to strip off anything behind or between a + sign?

    JavaScript encoding would be much harder to crack, as I use on my site.

    (replace windows with mac to e-mail)

  7. Pingback: Kalsey Consulting Group :: Measure Twice