Page 1 of 1

Random Address Generator

PostPosted: Sun Jan 06, 2008 4:57 pm
by yizwos
I had a different thought on the address generator idea and I'd like to get comments on it. This script is designed to generate random addresses with an embedded watchword. It runs on Fedora Core and RHEL at least. You need to have the "base64" utility. If someone spams you you look up in a log file and there should be enough evidence left in the address they use to find out who spammed you. It should also be pretty difficult to guess the watchword from the web visible address if you do it the way I have done. I've gone for maximum simplicity (e.g. a text document rather than a web page) since that's the way I like it.

Since it's so simple and I want comments on coding, I'll post it inline for now and only find a place to keep it if it grows and other people like it.

Code: Select all
#!/bin/sh                                                                                                                                                                                                                               
#Copyright Michael De La Rue 2008;                                                                                                                                                                                                         
# This program may be used under the GNU General Public License version 3 or (at your option) later.                                                                                                                                         
#   http://www.gnu.org/copyleft/gpl.html                                                                                                                                                                                                     
#                                                                                                                                                                                                                                           
#file where we log people who generate ; if you have selinux do chcon -t httpd_sys_content_t <filename>                                                                                                                                     
LOGFILE=/var/www/data/email-address.log
#your base email address; you also set the watchword in the regex below                                                                                                                                                                     
BASEADDR="myuser@spamgourmet.com"
#the email address contains random characters mixed (by the sed pattern) with a watch word                                                                                                                                                   
#you would use a watchword like "^wa.*tc.*h$" to match these email addresses which will stop                                                                                                                                                 
#spammers from simply appending or removing parts of the string.                                                                                                                                                                             
sleep 1 # rate limit on /dev/urandom when combined with httpd connection limit.;                                                                                                                                                             
#the watchword is in the regular expression "^wa.*tc.*h$" in this case.  Test carefully                                                                                                                                                     
EMAIL=`dd if=/dev/urandom bs=10 count=1 2>/dev/null | base64 | tr -d '/+=' | sed 's/\(.....\)\(.*\)/wa\1tc\2h/'`.$BASEADDR || exit 3
echo `date +"%Y/%m/%d %H:%M:%S"` "$REMOTE_ADDR $REMOTE_PORT $EMAIL $REQUEST_URI" | cat -v >> $LOGFILE || exit 4
echo "Content-type: text/plain"
echo
echo This email address may not be valid for long.  Please use it immediately.
echo For reliable contact please consider a mobile phone or registered letter.
echo
echo "   " $EMAIL



Some possible improvements I can think of

- address based blocking (maybe better just to use a .httaccess file)
- locking to reduce maximum server load (only one user at a time; second one gets a busy message)
- output an html page
- force the user to go through a post CAPTCHA javascript or other thing likely to stop a bot (remember accessibility)


Hints for usage

- I haven't yet managed to test the watchword pattern above..
- make sure it's somewhere robots aren't encouraged to go. You might use a robots.txt
- the above cuts and pastes to a working script but be careful that you don't add any line breaks that weren't there in the original.
- immediately you get your first spam (and as often as you like), add a new watchword to spamgourmet and change over your script. Delete your old watchword after a week or so (so your correspondents have time to contact you).
- you have to trust your web server to run scripts. enabling SELINUX will probably improve your security
- you can use logrotate to keep the file size limited but beware of spammers trying to overload your logs.

Changelog (I edited this comment):
- added logging of request url. now you can know where the spammer got the link from by using a link like http://example.com/cgi-bin/mymail.cgi/xxxyyyxxx

PostPosted: Wed Jan 09, 2008 10:05 pm
by josh
I'll check it out -- looks cool!