Re: crippling mail archives
- Date: Wed, 26 Jun 2002 13:52:18 +0200
On Wed, Jun 26, 2002 at 10:05:46AM +0200, Mally Mclane wrote:
> Proposal: email addresses like:
> Mally Mclane mally@localhost
> are scrambled to URLs like the following:
> <A HREF="/cgi/descramble.pl?MUNGED-EMAIL">Mally Mclane</A>
> in the mail archive pages. descramble.pl returns:
> <META http-equiv="Refresh" content="0; URL=;>
> plus some descriptive text, including the descrambled email in case
> the browser can't handle the refresh. This instantly brings up the
> client's mail program if configured.
Email harvesting robots traditionally follow http GET urls, so this wouldn't
actually prevent any harvesting program from getting all the addresses.
Unless you're building in some sort of rate limit in descramble.pl, but
that would open up a whole new can of worms (and, it wouldn't stop real
determined spammers with access to thousands of open proxies. It is
questionable whether you want to protect against that anyway, though).
I'd suggest making it POST urls, like so:
<form action="/cgi/descramble.pl" method="post" name="mally_mclane">
<input type="hidden" name="user" value="mally" />
<input type="hidden" name="host" value="ripe.net" />
<input type="submit" name="Mally McLane" value="Mally McLane" />
<!-- (*) see note -->
</form>
> The advantages are:
> - you can make the scrambling algorithm whatever you like, it
> doesn't have to be clear to the (legitimate) user.
Likewise. You can of course change the descrambling algorithm, it doesn't
have to be so simplistic as I describe it here (but this'll probably do
against all casual harvesters :)
> - the user can just click on the link as normal to use
> his/her mailer.
Likewise. Except that when the user has javascript disabled, he'll have
to click on a button, instead of on a link.
and the above code is untested. Ask your local web design guru to bugfix
this if necessary.
PS: as long as you're rolling your own scrambling routine, if you want to
go completely overboard, make the descramble.pl script return a webpage
the email address you need is:
It is valid for the next 24 hours. If you want to mail the same
person afterwards, come back to this archive.
Then insert SOMERANDOMID into your local mail aliases table, point it to
the intended recipient, and schedule it to be removed after 24 hours.
That way, the link doesn't even have to be a POST url, as the gathered
email addresses will be useless for any harvester robots. This would
however put an extra load on the ripe.net mail servers, plus, it gives
ripe the opportunity to invisibly tap emails to certain list subscribers
(or at least the mails sent in response to archived mailing list
postings). This will stop address harvesting from list archives, but
at a price...
#!perl -pl # This kenny-filter is virus-free as long as you don't copy it
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet
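
The 24-hour alias scheme from the PS above, sketched as an added example that is not part of the original message or of any RIPE code. It is written in Python rather than as a Perl CGI; the class name, the "tmp-" prefix, the archive.example domain and the recipient address are assumptions made for illustration.

```python
import secrets

TTL_SECONDS = 24 * 60 * 60  # "valid for the next 24 hours"


class TempAliasTable:
    """Short-lived aliases that forward to the real, never-published address."""

    def __init__(self, domain, ttl=TTL_SECONDS):
        self.domain = domain
        self.ttl = ttl
        self._entries = {}  # local part -> (recipient, expiry timestamp)

    def issue(self, recipient, now):
        """Create a fresh random alias for one archive visitor."""
        # Unguessable local part; plays the role of SOMERANDOMID in the message.
        local = "tmp-" + secrets.token_hex(8)
        self._entries[local] = (recipient, now + self.ttl)
        return f"{local}@{self.domain}"

    def resolve(self, address, now):
        """Return the real recipient, or None if unknown or expired."""
        local, _, domain = address.partition("@")
        if domain.lower() != self.domain:
            return None
        entry = self._entries.get(local.lower())
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def purge(self, now):
        """The scheduled removal: drop expired aliases, return how many."""
        dead = [k for k, (_, exp) in self._entries.items() if now >= exp]
        for k in dead:
            del self._entries[k]
        return len(dead)

    def aliases_lines(self, now):
        """Live entries in aliases(5) 'name: target' form for the MTA."""
        return sorted(f"{k}: {r}" for k, (r, exp) in self._entries.items() if now < exp)


if __name__ == "__main__":
    import time
    table = TempAliasTable("archive.example")  # constructed domain
    t0 = time.time()
    alias = table.issue("mally@example.org", t0)  # constructed recipient
    print(alias, "->", table.resolve(alias, t0 + 3600))
    print("after 25h ->", table.resolve(alias, t0 + 25 * 3600))
```

Because resolve() checks the expiry itself, a harvested alias stops working after 24 hours even if the scheduled purge runs late.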