Help - Search - Members - Calendar
Full Version: Can I translate email addresses of commentors?
Movable Type Community Forum > Additional Resources > Tips and Tricks
d1taylor
Feb 16 2003, 10:26 PM
Since I anticipate that eventually my blog will begin to be scraped by spammers, I'd like to protect those folk who submit comments on my site by making a trivial translation: turning the '@' into a '@' sequence. Where would I add that code? I'm 99% sure that the Perl in question would be:
CODE
$varname ~= s/@/\&\#64\;/;

Thanks!  I'm running MT 2.51, btw.
medic119
Feb 17 2003, 06:47 AM
Why not just use the two attributes:
spam_protect="1"
and
show_email="0"

The first converts characters into their ASCII equivalents so spambots don't recognize the @ sign, for instance.  Pretty basic, but its better than re-writing the code.

The second won't even display the e-mail address on the outputted files at all.  I use this code because I require E-mail address to leave comments, but didn't want them displayed on the output to avoid spambots, etc.  The e-mail address is left in the comment so you can get it via the Admin panel, but not displayed in the output.

Usage is:
CODE
<$MTCommentAuthorLink spam_protect="1" show_email="0"$>

and works on any of the tags that shows an e-mail address.
phidauex
Feb 17 2003, 11:35 PM
An ideal spam protection system would use javascript to bust everything up into a big array, then dynamically rewrite everything on display. For an example, check out http://hiveware.com and see Enkoder, which is an OS X app that generates spam protected email addresses. There is also a java version that isn't as complex, but does a similar thing.

Contrary to popular opinion, spam harvesters can translate html and ascii entities usually, and still get so called 'spam protected' addresses. Even basic javascript protectors that just break the address into simple pieces and then prints them on demand can be parsed by spam bots.

THIS is what a spam protected email address looks like! It would probably be possible to implement the application that generates this (enkoder, by http://www.hiveware.com) as a plugin that would truely spam protect the commentor's email addresses.

CODE
<script type="text/javascript">
<!--
var d=new Array(
  129,178,115,224,149,166,119,214,149,147,
  120,115,122,104,135,168,147,211,106,136,
  142,171,135,225,112,147,103,209,114,106,
  101,145,140,197,129,102,113,218,149,172,
  103,219,115,138,135,153,127,150,122,220,
  135,123,113,166,140,204,116,212,123,124,
  127,141,136,179,108,214,129,105,121,140,
  126,208,135,158,102,182,118,212,135,218,
  149,102,131,127,129,135,140,157,103,220,
  108,170,117,192,125,203,133,204,145,111
);
var t = new Array();

var i=0,ii=0, n=0,nn=0; c=0; while(c<100) {
for (var f0=189; f0<=368; f0++) { i+=f0; n+=f0; if (c>=100) break;
for (var f1=133; f1<=294; f1++) { i+=f1; n+=f1; if (c>=100) break;
if (f1==140) continue;
if ( f1==(n+i) || (n+i)==283 ) continue;
if ( (f1+n-i) == 208 ) break;
for (var f2=113; f2<=230; f2++) { i+=f2; n+=f2; if (c>=100) break;
if ( (f2+n-i) == 157 ) break;
for (var f3=115; f3<=296; f3++) { i+=f3; n+=f3; if (c>=100) break;
if (f3==152) continue;
if ( f3==(n+i) || (n+i)==255 ) continue;
if ( (f3+n-i) == 123 ) break;
for (var f4=141; f4<=277; f4++) { i+=f4; n+=f4; if (c>=100) break;
for (var f5=188; f5<=313; f5++) { i+=f5; n+=f5; if (c>=100) break;
for (var f6=197; f6<=386; f6++) { i+=f6; n+=f6; if (c>=100) break;
if (f6==363) continue;
n%=127; i%=50; ii=i+d[c++]; nn=n+d[c++];nn%=127; ii%=50; t[ii]=nn;
}}}}}}}}

i=0; document.write('<a href="');
while( t[i] ) document.write('&#'+t[i++]+';');
i++; document.write('" title="');
while( t[i] ) document.write('&#'+t[i++]+';');
i++; document.write('">');
while( t[i] ) document.write('&#'+t[i++]+';');
i++; document.write('</a>');
// -->
</script>
<noscript>
<p>JavaScript is required to view this email address
</p></noscript>


That would require a complete implementation of the Java VM for a spambot to parse out, which no known spambots have. Plenty of spam bots have simple regex which lets them parse out html entities and whatnot.

Peace,
sam
adamrice
Feb 18 2003, 07:11 AM
Although I don't know how to adapt it to the comment-author system, I'm using a simpler variation on the same theme.
CODE
function sendto (domain, account, text) {
    var atsign = String.fromCharCode(64); // @
    document.write('<a href="mailto:');
    document.write(account + atsign + domain);
    if (text==null || text.length==0) {
 document.write('\">');
 document.write(account + atsign + domain);
    } else
 document.write('\" title=\"'+text+'\">'+text);
 document.write('<\/a>');
    }


You can invoke thistwo ways in your HTML: either
CODE
<script>sendto('domain.name','username')</script>
or
CODE
<script>sendto('domain.name','username','send me e-mail')</script>


If you invoke this with 2 arguments, your e-mail address appears as the link text. If you invoke it with 3 arguments, the content of the 3rd argument (which could be an IMG tag) will be the link text. So far, this seems to foil spambots.
stepan
Feb 18 2003, 08:06 AM
QUOTE
That would require a complete implementation of the Java VM for a spambot to parse out, which no known spambots have. Plenty of spam bots have simple regex which lets them parse out html entities and whatnot.

The only think Javascript has in common with the Java VM are the first four letters in their names (sorry, the geek in me just couldn't resist).

It really wouldn't take much to add a Javascript interpreter to a spambot (you can probably lift it right out of the Mozilla source), although I don't know why anyone would bother, considering how many unmasked email addresses are out there.  A better protection would be to generate an image of the email - preferable with some noise in it so it can't be easily OCRed.

Having said that, personally I resent sites that publish my email address - spam "protected" or not.  I don't mind entering my address for "authentication", but if you're going to be displaying it on your site, you really should put up a warning to let me know in advance (and then live without my comment or with a bogus email address).
medic119
Feb 18 2003, 10:53 AM
QUOTE
Having said that, personally I resent sites that publish my email address - spam "protected" or not.  I don't mind entering my address for "authentication", but if you're going to be displaying it on your site, you really should put up a warning to let me know in advance (and then live without my comment or with a bogus email address).


ie my use of the show_email="0" attribute built into MT.
stepan
Feb 18 2003, 11:51 AM
QUOTE
ie my use of the show_email="0" attribute built into MT.

Exactly  :D
phidauex
Feb 18 2003, 12:59 PM
QUOTE
The only think Javascript has in common with the Java VM are the first four letters in their names (sorry, the geek in me just couldn't resist).

You are absolutely right. I misworded it, and the geek in me feels bad.

I think the reason that its unlikely that a full javascript interpreter would be put into a spam bot is the fact that it would spend all its time parsing through people's drop down menus and rollover images and browser sniffers. The few email addresses it would get from that extra effort probably wouldn't be worth the extra time spent parsing. Not to say its not possible of course, just unlikely.

peace,
sam
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.