
Re: crippling mail archives

  • From: Jan Pieter Cornet < >
  • Date: Wed, 26 Jun 2002 13:52:18 +0200

On Wed, Jun 26, 2002 at 10:05:46AM +0200, Mally Mclane wrote:
> Proposal: email addresses like:
> 
>      Mally Mclane mally@localhost
> 
> are scrambled to URLs like the following:
> 
>      <A HREF="/cgi/descramble.pl?MUNGED-EMAIL">Mally Mclane</A>
> 
> in the mail archive pages. descramble.pl returns:
> 
> <META http-equiv="Refresh" content="0; URL=;>
> 
> plus some descriptive text, including the descrambled email in case
> the browser can't handle the refresh. This instantly brings up the
> client's mail program if configured.

Email harvesting robots traditionally follow http GET urls, so this
wouldn't actually prevent any harvesting program from getting all the
addresses. Unless you're building in some sort of rate limit in
descramble.pl, but that would open up a whole new can of worms (and,
it wouldn't stop real determined spammers with access to thousands of
open proxies. It is questionable whether you want to protect against
that anyway, though).

I'd suggest making it POST urls, like so:

    <form action="/cgi/descramble.pl" method="post" name="mally_mclane">
    <input type="hidden" name="user" value="mally" />
    <input type="hidden" name="host" value="ripe.net" />
    <script language="javascript">
    <!--
    document.write("<a href=\"javascript:document.forms['mally_mclane'].submit()\">Mally McLane</a>")
    // -->
    </script>
    <noscript>
    <input type="submit" name="Mally McLane" value="Mally McLane" />
    </noscript>
    </form>
    <!-- (*) see note -->

> The advantages are:
> 
> - you can make the scrambling algorithm whatever you like, it
>   doesn't have to be clear to the (legitimate) user.

Likewise. You can of course change the descrambling algorithm, it
doesn't have to be so simplistic as I describe it here (but this'll
probably do against all casual harvesters :)

> - the user can just click on the link as normal to use
>   his/her mailer.

Likewise. Except that when the user has javascript disabled, he'll have
to click on a button, instead of on a link.

(*) Note: my html and javascript hacking skills aren't used very often,
and the above code is untested. Ask your local web design guru to bugfix
this if necessary.

PS: as long as you're rolling your own scrambling routine, if you want
to go completely overboard, make the descramble.pl script return a
webpage that says:

    the email address you need is:
    It is valid for the next 24 hours. If you want to mail the same
    person afterwards, come back to this archive.

Then insert SOMERANDOMID into your local mail aliases table, point it
to the intended recipient, and schedule it to be removed after 24 hours.

That way, the link doesn't even have to be a POST url, as the gathered
email addresses will be useless for any harvester robots.

This would however put an extra load on the ripe.net mail servers, plus,
it gives ripe the opportunity to invisibly tap emails to certain list
subscribers (or at least the mails sent in response to archived mailing
list postings).

This will stop address harvesting from list archives, but at a price...

-- 
#!perl -pl      # This kenny-filter is virus-free as long as you don't copy it
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):('m',p,f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
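
The 24-hour alias scheme from the PS above, sketched as an added example (not code from the original post or from the list's operators). The class name, the `lists.example.org` domain, the `tmp-` prefix and the in-memory dict standing in for the mail server's alias table are all assumptions.

```python
import secrets
import time

ALIAS_TTL = 24 * 60 * 60            # the post's 24-hour validity window, in seconds
ALIAS_DOMAIN = "lists.example.org"  # assumption: placeholder domain for the archive host


class TemporaryAliasTable:
    """In-memory stand-in (assumption) for the mail server's alias table."""

    def __init__(self, ttl=ALIAS_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._aliases = {}    # local part -> (real recipient, expiry timestamp)

    def issue(self, recipient):
        """What the descramble script would call: mint one alias per archive click."""
        # Random local part: unguessable and unrelated to the real address.
        local = "tmp-" + secrets.token_hex(8)
        self._aliases[local] = (recipient, self._clock() + self._ttl)
        return f"{local}@{ALIAS_DOMAIN}"

    def resolve(self, address):
        """Delivery-time lookup: the real recipient, or None if unknown or expired."""
        local, _, domain = address.partition("@")
        local = local.lower()
        if domain.lower() != ALIAS_DOMAIN or local not in self._aliases:
            return None
        recipient, expires = self._aliases[local]
        if self._clock() >= expires:
            del self._aliases[local]   # lazy expiry, in case the purge job is late
            return None
        return recipient

    def purge(self):
        """The scheduled removal step; returns how many expired aliases were dropped."""
        now = self._clock()
        dead = [k for k, (_, exp) in self._aliases.items() if exp <= now]
        for key in dead:
            del self._aliases[key]
        return len(dead)
```

Expiry is checked at lookup time as well as in `purge()`, so a harvested alias stops working after the window even if the scheduled cleanup has not yet run.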
