Discussion:
[feature] anti Spambot solutions
Ber Kessels
2004-01-08 14:50:23 UTC
Permalink
Project: User experience
Version: <none>
Component: accessability
Category: feature requests
Priority: minor
Assigned to: Anonymous
Reported by: Ber Kessels
Updated by: Ber Kessels
Status: active

It was discussed a couple of time already and loads of possible
solutions were mentioned. I think hiding email adresses needs a place
in the projects, since there are loads of good solutions and drupal
will need one too.

My solution would be to use the feedback module:
I had another idea. that would be to filter all emailadresses (in
content too) into a link to the feedback module.

thus http://www.mysite.org/feedback/mailto/me/mysite.org

the feedback can then print a form that can send the message to
***@mysite.org.

Any pro's and contra's? other ideas?

Bèr


Ber Kessels
--
View: http://drupal.org/node/view/5034
Edit: http://drupal.org/project/comments/add/5034
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Thatguywhowon'tgivehisname
2004-01-08 15:29:12 UTC
Permalink
Take a look at this:

http://www.hiveware.com/enkoder_form.php

and this:

http://jimsun.linxnet.com/SCForm.html


This first is an example of decoding a mailto: link.
I use it and love it. I use it in conjunction with an
image that looks like text. You can see it here:
http://www.harvesterchurch.org/node/view/40 . This is
completely spam-proof.


The second is an example of an advanced contact form
processor. You can see it in action at
http://www.redlandbaptist.org/about_us/contact_us.php

The only thing it doesn't do that I wish it did is
autorespond an acknowledgement email.


I would like to see Drupal have a builtin,
highp-quality, configurable contact form since it is a
basic piece for the type of websites (community-based)
that we are building.
Post by Ber Kessels
Project: User experience
Version: <none>
Component: accessability
Category: feature requests
Priority: minor
Assigned to: Anonymous
Reported by: Ber Kessels
Updated by: Ber Kessels
Status: active
It was discussed a couple of time already and loads
of possible
solutions were mentioned. I think hiding email
adresses needs a place
in the projects, since there are loads of good
solutions and drupal
will need one too.
I had another idea. that would be to filter all
emailadresses (in
content too) into a link to the feedback module.
thus
http://www.mysite.org/feedback/mailto/me/mysite.org
the feedback can then print a form that can send the
message to
Any pro's and contra's? other ideas?
Bèr
Ber Kessels
--
View: http://drupal.org/node/view/5034
Edit: http://drupal.org/project/comments/add/5034
--
[ Drupal user list | http://list.drupal.org/ ]
[
http://lists.drupal.org/options/drupal-user/brother_of_karamazov%40yahoo.com
]


__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Steven Wittens
2004-01-08 18:57:08 UTC
Permalink
Post by Thatguywhowon'tgivehisname
This first is an example of decoding a mailto: link.
I use it and love it. I use it in conjunction with an
http://www.harvesterchurch.org/node/view/40 . This is
completely spam-proof.
Using images for email addresses is quite unfriendly for e.g. blind users.
Email harvesters are also getting smarter and might first execute the script
on a page before scanning it: this is not such a crazy idea, because almost
any email address collected in this fashion will be real.
Even OCR techniques have been employed before; this is why the "please type
the text from image"-tests (commonly referred to as CAPTCHA) are becoming
more and more complicated, to the point where sometimes even people have
trouble completing it.

I'm not saying I have a better solution, but I'd like to point out that your
'completely spam proof' method is not as watertight as you might think.
Especially when people start using commonly available "plug-and-play"
scripts, it's dead easy to extract email addresses that are hidden using a
specific method.


Steven Wittens
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Thatguywhowon'tgivehisname
2004-01-08 19:20:51 UTC
Permalink
I'd like to point out that your 'completely spam
proof' method is not as watertight as you might
think.

Not even gonna allow me my arrogant, false sense of
security huh?

Spoilsport :-)
Using images for email addresses is quite unfriendly
for e.g. blind users.
FWIW, I frankly don't care about a blind user not
being able to read my site. Much has been made lately
about creating websites that adhere to some usability
standard so that every person on the globe is able to
read your site. However, when doing so becomes so
prohibitively expensive and time consuming that
content never makes it to publishing, it is
wrong-headed and damaging. What these folks are
saying is that if a blind person cannot read it then
nobody should be able to read it.

This may seem insensitive to some but I would prefer
to think that my publishing an email address that is
readable to 99.85% of people is better than not
publishing an address for anyone.

I don't want to start a war but I refuse to allow the
needs of the small minority dictate design for the
many. I will do what I can to accommodate everyone
but will not unnecessarily spend large amounts of my
(valuable) time doing so to the detriment of the
majority.
link.
Post by Thatguywhowon'tgivehisname
I use it and love it. I use it in conjunction
with an
Post by Thatguywhowon'tgivehisname
http://www.harvesterchurch.org/node/view/40 .
This is
Post by Thatguywhowon'tgivehisname
completely spam-proof.
Using images for email addresses is quite unfriendly
for e.g. blind users.
Email harvesters are also getting smarter and might
first execute the script
on a page before scanning it: this is not such a
crazy idea, because almost
any email address collected in this fashion will be
real.
Even OCR techniques have been employed before; this
is why the "please type
the text from image"-tests (commonly referred to as
CAPTCHA) are becoming
more and more complicated, to the point where
sometimes even people have
trouble completing it.
I'm not saying I have a better solution, but I'd
like to point out that your
'completely spam proof' method is not as watertight
as you might think.
Especially when people start using commonly
available "plug-and-play"
scripts, it's dead easy to extract email addresses
that are hidden using a
specific method.
Steven Wittens
--
[ Drupal user list | http://list.drupal.org/ ]
[
http://lists.drupal.org/options/drupal-user/brother_of_karamazov%40yahoo.com
]


__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Moshe Weitzman
2004-01-08 19:46:33 UTC
Permalink
Post by Thatguywhowon'tgivehisname
FWIW, I frankly don't care about a blind user not
being able to read my site.
You can design your site however you'd like. This list isn't about your
site, or anyone else's site. It's about an open source software
application. The maintainers of this project already stated that
accessibility is important to Drupal. Debating this point, or shouting
your opinion, is pointless.

But then again I get the feeling you can't keep your ignorant mouth shut
even when speaking is pointless. And please don't bother replying to me
- you've just hit my junk filter.
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Thatguywhowon'tgivehisname
2004-01-08 21:50:51 UTC
Permalink
I was directly replying to a comment.

I do wish the list maintainers would blunt the
personal attacks and allow the open free statement of
opinion without the fear of being called ignorant.

As opposed to you, I will not add your posts to any
junk filter since I truly believe in open discussion
and not just paying lip service to them as you seem
to.
Post by Moshe Weitzman
Post by Thatguywhowon'tgivehisname
FWIW, I frankly don't care about a blind user not
being able to read my site.
You can design your site however you'd like. This
list isn't about your
site, or anyone else's site. It's about an open
source software
application. The maintainers of this project already
stated that
accessibility is important to Drupal. Debating this
point, or shouting
your opinion, is pointless.
But then again I get the feeling you can't keep your
ignorant mouth shut
even when speaking is pointless. And please don't
bother replying to me
- you've just hit my junk filter.
--
[ Drupal user list | http://list.drupal.org/ ]
[
http://lists.drupal.org/options/drupal-user/brother_of_karamazov%40yahoo.com
]


__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Steven Wittens
2004-01-08 19:57:37 UTC
Permalink
You have blown up my small remark about blind people... but I would like to
point out that in some countries, accessible websites are required by law
(though usually by extension of a broader, non-webspecific law).

I don't really see why in your case you use an image at all though: you seem
to expect the spammer to get past the javascript-encoding (because you use
an image), but then you also include a regular mailto-link in the script;
doesn't this make the image useless?

Steven Wittens
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Thatguywhowon'tgivehisname
2004-01-08 22:02:31 UTC
Permalink
Yes, I likely overreacted to your remark but I have
had just about enough of loudly screaming special
interests having a tyranny over the majority and then
crucifying anyone who dares to disagree with them.
However, since we can now get off of the blind remark
in a reasonable way let's do so.


I use the image to keep a harvester from merely
scraping the text of the address, I use the encoder to
keep them from harvesting the mailto: html code. The
beauty of it is that to a harvester it looks like
javascript but to a person clicking the link it is a
mailto link. Did you take a look at the source of the
page?

I seriously doubt if a spammer has the capability to
keep up with and process all known (well or not)
javascripts that encode an email address.

I also changed the function name to further obscure
the fact that I am using an email address encoder.
Nothing about the script identifies it as email
related. I am saying that this is pretty darn
spam-proof, even completely spam-proof. The results
are that I have yet to get spammed on that address.
This is either because my actions work or because I
have such an insignificant little site that nobody
cares enough to even harvest from me.
Post by Steven Wittens
You have blown up my small remark about blind
people... but I would like to
point out that in some countries, accessible
websites are required by law
(though usually by extension of a broader,
non-webspecific law).
I don't really see why in your case you use an image
at all though: you seem
to expect the spammer to get past the
javascript-encoding (because you use
an image), but then you also include a regular
mailto-link in the script;
doesn't this make the image useless?
Steven Wittens
--
[ Drupal user list | http://list.drupal.org/ ]
[
http://lists.drupal.org/options/drupal-user/brother_of_karamazov%40yahoo.com
]


__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Steven Wittens
2004-01-12 15:00:24 UTC
Permalink
Post by Thatguywhowon'tgivehisname
I use the image to keep a harvester from merely
scraping the text of the address, I use the encoder to
keep them from harvesting the mailto: html code. The
beauty of it is that to a harvester it looks like
javascript but to a person clicking the link it is a
mailto link. Did you take a look at the source of the
page?
Yes I did look at your source... which is why I'm saying the image is
useless. You seem to forget that your image tag is part of the encoded data.

Harvesters that don't execute Javascript will not grab the address.
Harvesters that do execute javascript will see the following piece of
content in the resulting HTML:

<a href="mailto:***@emailaddress.com"><img
src="picture-of-email-address"></a>

They already /have/ the email address in this case, from the mailto link:
the image is useless and only makes your site less accessible (not allowing
text resizing and blocking out screenreaders). The replacement I suggest is
that you encode the following

<a href="mailto:***@emailaddress.com">***@emailaddress.com</a>

This would give you the same level of protection that you currently have.

Steven Wittens
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Thatguywhowon'tgivehisname
2004-01-12 15:11:32 UTC
Permalink
Your point is valid.

Do the harvesters actually execute javascript? I
cannot imagine that they do. Their methods are based
on collecting the maximum number of addresses in the
shortest period of time, executing javascript and
having it output a real address would consume too much
time I would surmise. I could be wrong.

Perhaps someone could clear this all up with a couple
of examples of harvesters that can execute JS and
output and address.
Post by Thatguywhowon'tgivehisname
Post by Thatguywhowon'tgivehisname
I use the image to keep a harvester from merely
scraping the text of the address, I use the
encoder to
Post by Thatguywhowon'tgivehisname
keep them from harvesting the mailto: html code.
The
Post by Thatguywhowon'tgivehisname
beauty of it is that to a harvester it looks like
javascript but to a person clicking the link it is
a
Post by Thatguywhowon'tgivehisname
mailto link. Did you take a look at the source of
the
Post by Thatguywhowon'tgivehisname
page?
Yes I did look at your source... which is why I'm
saying the image is
useless. You seem to forget that your image tag is
part of the encoded data.
Harvesters that don't execute Javascript will not
grab the address.
Harvesters that do execute javascript will see the
following piece of
src="picture-of-email-address"></a>
They already /have/ the email address in this case,
the image is useless and only makes your site less
accessible (not allowing
text resizing and blocking out screenreaders). The
replacement I suggest is
that you encode the following
<a
This would give you the same level of protection
that you currently have.
Steven Wittens
--
[ Drupal user list | http://list.drupal.org/ ]
[
http://lists.drupal.org/options/drupal-user/brother_of_karamazov%40yahoo.com
]


__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Ber Kessels
2004-01-09 09:48:48 UTC
Permalink
Project: User experience
Version: <none>
Component: accessability
Category: feature requests
Priority: minor
Assigned to: Anonymous
Reported by: Ber Kessels
Updated by: Ber Kessels
Status: active


Up to now there are two solutions given:

1) use images + javascript [1]
2) use a feedback form that allows one to post from the site. [2]
3) use javascript to call a mailclient [3]

ad 1)
pro's: +people can use their default mailing program
con's: -Rules of good accessibility are broken (eg non-visual
browsers)
-not all-browser-proof (javascript)
ad 2)
pro's: +email adresses can be hidden totally
+feedback can be maintained in the CMS
con's: -users cannot use their default mail program
-bigger overhead: you have to provide programs online, that
otherwise clients would run themselcves
(php+server vs. mailprogram)
ad 3)
pro's: +seems very spam proof
con's: -not all-browser-proof (javascript)

some reference in the mails given:
[1]http://www.hiveware.com/enkoder_form.php
[2]http://drupal.org/project/feedback
[3]http://jimsun.linxnet.com/SCForm.html

Ber Kessels



Previous comments:
------------------------------------------------------------------------

January 8, 2004 - 16:50 : Ber Kessels

It was discussed a couple of time already and loads of possible
solutions were mentioned. I think hiding email adresses needs a place
in the projects, since there are loads of good solutions and drupal
will need one too.

My solution would be to use the feedback module:
I had another idea. that would be to filter all emailadresses (in
content too) into a link to the feedback module.

thus http://www.mysite.org/feedback/mailto/me/mysite.org

the feedback can then print a form that can send the message to
***@mysite.org.

Any pro's and contra's? other ideas?

Bèr
--
View: http://drupal.org/node/view/5034
Edit: http://drupal.org/project/comments/add/5034
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Stefan Nagtegaal
2004-01-09 10:04:22 UTC
Permalink
Ber,

I recently made a contact.module for my own drupal (cvs) which hides the
e-mail adresses for spam-bots. If you like, i can mail you the module so you
can get an idea about what i've done...
All e-mail adresses are hardcoded in there, but it's shouldn't be that hard
to make these chageable using an admin interface..

You can see it in action here: http://www.sempre-crescendo.nl/index/contact


Kind regards,



Stefan

----- Original Message -----
From: "Ber Kessels" <drupal-***@drupal.org>
To: <drupal-***@drupal.org>
Sent: Friday, January 09, 2004 10:48 AM
Subject: [drupal-user] [feature] anti Spambot solutions
Post by Ber Kessels
Project: User experience
Version: <none>
Component: accessability
Category: feature requests
Priority: minor
Assigned to: Anonymous
Reported by: Ber Kessels
Updated by: Ber Kessels
Status: active
1) use images + javascript [1]
2) use a feedback form that allows one to post from the site. [2]
3) use javascript to call a mailclient [3]
ad 1)
pro's: +people can use their default mailing program
con's: -Rules of good accessibility are broken (eg non-visual
browsers)
-not all-browser-proof (javascript)
ad 2)
pro's: +email adresses can be hidden totally
+feedback can be maintained in the CMS
con's: -users cannot use their default mail program
-bigger overhead: you have to provide programs online, that
otherwise clients would run themselcves
(php+server vs. mailprogram)
ad 3)
pro's: +seems very spam proof
con's: -not all-browser-proof (javascript)
[1]http://www.hiveware.com/enkoder_form.php
[2]http://drupal.org/project/feedback
[3]http://jimsun.linxnet.com/SCForm.html
Ber Kessels
------------------------------------------------------------------------
January 8, 2004 - 16:50 : Ber Kessels
It was discussed a couple of time already and loads of possible
solutions were mentioned. I think hiding email adresses needs a place
in the projects, since there are loads of good solutions and drupal
will need one too.
I had another idea. that would be to filter all emailadresses (in
content too) into a link to the feedback module.
thus http://www.mysite.org/feedback/mailto/me/mysite.org
the feedback can then print a form that can send the message to
Any pro's and contra's? other ideas?
Bèr
--
View: http://drupal.org/node/view/5034
Edit: http://drupal.org/project/comments/add/5034
--
[ Drupal user list | http://list.drupal.org/ ]
[
http://lists.drupal.org/options/drupal-user/drupal-user%40frontaal-online.com ]
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Bèr Kessels
2004-01-09 10:20:56 UTC
Permalink
Post by Stefan Nagtegaal
I recently made a contact.module for my own drupal (cvs) which hides the
e-mail adresses for spam-bots. If you like, i can mail you the module so you
can get an idea about what i've done...
All e-mail adresses are hardcoded in there, but it's shouldn't be that hard
to make these chageable using an admin interface..
You can see it in action here: http://www.sempre-crescendo.nl/index/contact
Sounds very good! I think that the mail-selection is a good feature.
Could you mail it? i can see if i get the feedback for 4.3 online before
4.4 release :). A thing i'd like to know if people oppose to using the
node-engine for feedback:

I made something similar, using nodes as feedback. The reason for this
is that you can use taxonomy for a category. The module should then
select, according to categories where to send the mail to.
Another good thing, IMO, is that feedback is saved online. Problems are:
search etc.

I still beleive that the feedback module can offer *one* method of
anti-spam-botting. not per sé *the* method. Its up to admins if they
want to use a form or addresses (in combination with hiding the link)
for feedback.

The reason for opening this discussion, is that i wanted to see if there
were pro's and con's on using this method. and if there were better ones.

Regards
--
Ber Kessels,
aka exclude @ http://www.mediarevolution.org

Web design is not about art, it's about making money or disseminating
information.
Vincent Flanders @ webpagesthatsuck.com
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Stefan Nagtegaal
2004-01-09 10:32:31 UTC
Permalink
Well, currently I am developing it for release (asap) but it's full of bugs
and I busy at the moment..
Tomorrow I will work at it again, and after that I can put it in contrib
after some serious testing..

If you are still interested in the module which is at
http://www.sempre-crescendo.nl/index/contact it's attached..
All comments inside the code, variable name's, and all other stuff in
commented/named in dutch words so apologise to everyone who don't know
dutch..
They should wait till I release the module in contrib..

Kind regards,



Stefan

----- Original Message -----
From: "BÚr Kessels" <***@gmx.net>
To: <drupal-***@drupal.org>
Sent: Friday, January 09, 2004 11:20 AM
Subject: Re: [drupal-user] [feature] anti Spambot solutions
Post by Bèr Kessels
Post by Stefan Nagtegaal
I recently made a contact.module for my own drupal (cvs) which hides the
e-mail adresses for spam-bots. If you like, i can mail you the module so you
can get an idea about what i've done...
All e-mail adresses are hardcoded in there, but it's shouldn't be that hard
to make these chageable using an admin interface..
http://www.sempre-crescendo.nl/index/contact
Post by Bèr Kessels
Sounds very good! I think that the mail-selection is a good feature.
Could you mail it? i can see if i get the feedback for 4.3 online before
4.4 release :). A thing i'd like to know if people oppose to using the
I made something similar, using nodes as feedback. The reason for this
is that you can use taxonomy for a category. The module should then
select, according to categories where to send the mail to.
search etc.
I still beleive that the feedback module can offer *one* method of
anti-spam-botting. not per sé *the* method. Its up to admins if they
want to use a form or addresses (in combination with hiding the link)
for feedback.
The reason for opening this discussion, is that i wanted to see if there
were pro's and con's on using this method. and if there were better ones.
Regards
--
Ber Kessels,
Web design is not about art, it's about making money or disseminating
information.
--
[ Drupal user list | http://list.drupal.org/ ]
[
http://lists.drupal.org/options/drupal-user/drupal-user%40frontaal-online.com ]
Gerhard Killesreiter
2004-01-09 14:36:05 UTC
Permalink
Post by Ber Kessels
1) use images + javascript [1]
2) use a feedback form that allows one to post from the site. [2]
3) use javascript to call a mailclient [3]
4) encode email addresses in some way.

the email_guardian.module (only in cvs, I think) implements a number of
the proposed solutions.

Cheers,
Gerhard
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Thatguywhowon'tgivehisname
2004-01-09 16:25:18 UTC
Permalink
Someone else brought up the point in repsonse to my
suggested use of something like the HiveWare encoder
(http://www.hiveware.com/enkoder_form.php) that any
encoding method could be decoded by harvesters.

To help prevent that I would think that one would need
to obscure in some fashion the fact that the encoding
is there at all. This may help prevent harvesting
software from searching for a certain string that
identifies a 'Drupal-encoded' email address. A
readily identified string would actually make it
easier for harvesters to find the email. Whether they
could decode it after that is another matter.


--- Gerhard Killesreiter
Post by Gerhard Killesreiter
4) encode email addresses in some way.
__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
--
[ Drupal user list | http://list.drupal.org/ ]
[ http://lists.drupal.org/options/drupal-user/gcpdu-drupal-user%40gmane.org ]
Loading...