More than a year ago we started using a version of the spamoff filter to publish an email address on this site. It was a spinoff from Google and the Mission because research for this book showed that email addresses published in javascript (rather than a simple HTML mailto:) were opaque to spambots searching the Internet.
Since then we have never been spammed through our spamoff-published address even though we have been repeatedly spammed by attacks on our (generally very robust) ISP, spammed on all email addresses published on other sites and even spammed on feedback forms which require the spammer either to paste messages into a web form or to pull the email address out of the Formail code.
The original spamoff code used a simple javascript function to write an email address which all browsers interpret as HTML. If it ever became popular, however, a spammer could simply target the function name and then break up the code that follows it to extract a (premium) email address.
The solution was to (use php to) generate a randomized list of names and then to substitute the function name, parameters and all variables using this list which treats the vocabulary of Melville's Moby Dick as a dual-key, one-time pad. Spambots can no longer search on the function name, but if you can follow the logic you may be able to see how a very determined spammer might still attack it, and how this code would evolve to prevent that. Please let us know if you think your address in this code is being spammed by a mechanical searchbot (rather than a human editor).
Sadly Microsoft is reported to have stopped recognising mailto in Explorer 7. This has been compared to giving in to terrorism, because it means the scum mongers would have been allowed to corrupt and destroy a crucial tool of the Internet. Spamoff is a small contribution to the fight back.
The function itself is very simple and can be edited any which way, although the user's replacement of the text's appearance depends on the existing syntax, and spacing is not random. The div tag can be added with CSS, but most browsers add a line return before div, so we have used the span tag. (Span is much more limited than div but does not drop text down a line.) Name and variable substitution using php is arbitrary, and any random name generation will work equally well. Using php, rather than javascript, hides the randomized names from View Source in your browser.
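An added example, not the site's own code: a minimal generator for the scheme described above (random word-list names for the function, parameters and variables, with the link written inside a span), written in JavaScript for Node as a stand-in for the php step. The word list, the names `pickNames`, `chunked` and `buildSpamoffSnippet`, and the idea of splitting the strings into short pieces are assumptions made for illustration.

```javascript
// Added example: generator for a spamoff-style snippet (run server-side, e.g. under Node).
// WORDS is a small constructed sample; the page draws on the vocabulary of Moby Dick.
// Every word must be a valid, non-reserved JavaScript identifier.
const WORDS = ['whale', 'harpoon', 'ishmael', 'pequod', 'queequeg', 'starbuck',
               'ahab', 'nantucket', 'leviathan', 'spermaceti', 'mast', 'gale'];

// Pick `count` distinct words; rng is injectable so results can be reproduced.
function pickNames(count, rng = Math.random, words = WORDS) {
  const pool = words.slice();
  if (count > pool.length) throw new Error('word list too small');
  const out = [];
  while (out.length < count) {
    out.push(pool.splice(Math.floor(rng() * pool.length), 1)[0]);
  }
  return out;
}

// Split text into string literals of 1-3 characters joined by "+", so that
// neither "mailto:" nor the address appears contiguously in the page source.
function chunked(text, rng = Math.random) {
  const parts = [];
  for (let i = 0; i < text.length;) {
    const n = 1 + Math.floor(rng() * 3);
    parts.push(JSON.stringify(text.slice(i, i + n)));
    i += n;
  }
  return parts.join('+');
}

// Build the script body: a randomly named function with randomly named
// parameters and variables that writes a mailto link inside a <span>.
function buildSpamoffSnippet(user, domain, rng = Math.random) {
  const [fn, pUser, pDomain, vAddr, vScheme] = pickNames(5, rng);
  return [
    `function ${fn}(${pUser},${pDomain}){`,
    `var ${vAddr}=${pUser}+${chunked('@', rng)}+${pDomain};`,
    `var ${vScheme}=${chunked('mailto:', rng)};`,
    `document.write('<span><a href="'+${vScheme}+${vAddr}+'">'+${vAddr}+'</a></span>');`,
    `}`,
    `${fn}(${chunked(user, rng)},${chunked(domain, rng)});`,
  ].join('\n');
}
```

The returned string is what would be placed between the script tags of the served page; because the names are chosen on the server, each request can carry a different function name while the browser renders the same link.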
The javascript functions on the page do what you would expect: they break up and concatenate the text in the script box to change variables. Tracking the user's changes to the script is done with a double bank of hidden fields which mirror the visible text fields but hold the last state of the script and its default state on load.
The usual javascript mixture of magic and migraine comes with the eval command, which reads the script and runs the results in a new window. No surprises that the biggest headache is the deviation between the Netscape and Explorer versions of javascript, specifically the interpretation of double quotes or escaped single quotes in strings.
This only affects the script display method on our web page, not the spamoff function itself. It is dealt with by a sniffer which serves one page to MS Explorer and a different page to all other browsers, because of the number of contingent changes required to keep the two scripts complete and discrete, so that it does not matter which browser they have been created with or appear in.
Any other reliable improvements to this code will be gratefully received, used and credited. The next step is to include images and, if possible, compatibility with MM DreamWeaver's image rollovers.