AddressScrambler okay. Idea: How about AddressGenerator?

Discussion re sg development. You don't have to be a developer.

AddressScrambler okay. Idea: How about AddressGenerator?

Postby Skeeve » Thu Jun 03, 2004 12:02 pm

This would need a CGI on the server. The idea is to use different data provided by the client to generate a (more or less) unique address for each visitor. Easiest would be to use the ip address in hex to give the visitor the email address (e.g.): x0815affe.4.<username>@spamgourmet.com

As there is a need (at least in germany) to give an email address on your website, this would be an easy way to prevent being spammed.

Maybe it's also a good idea to add date and time so that each visitor gets a different mail address each visit like: x0815affeat200406021314.4.<username>@spamgourmet.com

Nicer would be something that creates "words" from the data.

What do you think?
Skeeve
 
Posts: 38
Joined: Tue Jun 01, 2004 9:46 pm

Postby maratheamit » Thu Jun 03, 2004 6:44 pm

I am a bit unclear as to the need for this: how would the script know what username to generate addresses for? What is the problem with making up a disposable address on the fly?

Could you elaborate a bit on the exact problem you are trying to solve?
maratheamit
 
Posts: 82
Joined: Fri Aug 29, 2003 2:35 pm

Postby Skeeve » Fri Jun 04, 2004 12:18 pm

maratheamit wrote:I am a bit unclear as to the need for this: how would the script know what username to generate addresses for?

Like in AddressScrambler: It will have to be configured. Let's say I'm the webmaster of somedomain.org and have the username MasterOfDesaster at spamgourmet.com. I will then have to configure it in my server to use "MasterOfDesaster at spamgourmet.com"

maratheamit wrote: What is the problem with making up a disposable address on the fly?

No problem. But I wanted to share the idea, get feedback, get other ideas... It would be nice to have a clean concept for it and to be able to tell from the generated address when it was created for whom.

maratheamit wrote:Could you elaborate a bit on the exact problem you are trying to solve?

The "problem" is that (at least here in germany) you have to give an email address on your website. To stop spam harvesters it would be easy to just add a GIF with that address. But then "visually disabled" people might have a problem. It's also nice to have a link to click on so that your configured mail client pops up.

To solve this, I think it would be nice to have a new email address for each visitor, so that you can stop being spammed easily. While I had some thoughts about it, I found out that it wouldn't be a too good idea to use date and time each time. If a IP was already seen, the same generated address should be used again.

Anyone any other ideas?
Skeeve
 
Posts: 38
Joined: Tue Jun 01, 2004 9:46 pm

Postby josh » Sat Jun 05, 2004 7:03 am

you could probably do that in javascript - I think javascript has access to the user's IP address (I can't say I know for sure right now, though).
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby Skeeve » Sat Jun 05, 2004 9:04 am

josh wrote:you could probably do that in javascript - I think javascript has access to the user's IP address (I can't say I know for sure right now, though).

JavaScript for proxy.pac has access to the IP Address. To be exact: It has access to the IP Address the computer had when the browser started.

But that won't help:
1. Normal JS has (AFAIK) know no access to the IP
2. It would normaly be an internal, non-routed IP. I'm not interested in that
3. It won't help if client has JS deactivated
Skeeve
 
Posts: 38
Joined: Tue Jun 01, 2004 9:46 pm

replacement for AddressScrambler

Postby eugene » Sun Apr 17, 2005 5:10 am

Skeeve wrote:The "problem" is that (at least here in germany) you have to give an email address on your website. To stop spam harvesters it would be easy to just add a GIF with that address. But then "visually disabled" people might have a problem. It's also nice to have a link to click on so that your configured mail client pops up.

Anyone any other ideas?

First of all, I found that AddressScrambler sadly did not work on Mozilla, so I wrote my own. In the spirit of spamgourmet, I will post its code online. This will address all but the "visually impaired" problem. (Adding a <noscript /> section will warn users that if they have javascript turned off, there will be no emails.)

For the visually impaired, you may already be providing them with a custom version of your website, via .htaccess and switching based on browser id, and, in this case, the issue is moot.

Unfortunately, it seems to be a very difficult problem. I prefer to use a php contact form for contact purposes.
eugene
 
Posts: 2
Joined: Sun Apr 17, 2005 5:03 am

Postby eugene » Sun Apr 17, 2005 5:13 am

As for IP address, you could try to use SSI (or a php/asp/jsp page) to pass the IP to the webpage.
Code: Select all
<!--#echo var="REMOTE_ADDR"-->

If java is installed, you can try (not with IE):
Code: Select all
<SCRIPT>
var ip = new java.lang.String(new java.net.InetAddress.getLocalHost());
var userIP=ip.substring(ip.indexOf("/")+1);
</SCRIPT>

A third possibility is to use MM Flash to get the IP
eugene
 
Posts: 2
Joined: Sun Apr 17, 2005 5:03 am

Postby snowmaker » Thu Dec 15, 2005 5:32 pm

I wanted to share a link to a script I found awhile back on Hotscripts, hotscripts.com/search/7602701.html, that can be used to put a 'auto generated spamgourmet address' in a mailto: link. Another link to an email address obfuscator here.

-bruce
snowmaker
 
Posts: 21
Joined: Thu Dec 15, 2005 4:39 pm

Postby crazycomputers » Fri Dec 30, 2005 8:30 am

I started a sourceforge project to embed the viewer's IP and access time in a 14-or-so character string. It can easily be tacked on the front of an sg address.

The script uses a "site key" to generate the "sharkbait," as I call it, so sharkbait from one site will not work on another site's decoder. This also keeps people from forging sharkbait to implicate someone else's IP address, provided you never disclose your site key.

http://sharkbait.sf.net - There are currently no download packages but you can get the scripts from the CVS repository.
Real programmers don't comment their code. It was hard to write; it should be hard to understand.
crazycomputers
 
Posts: 31
Joined: Sat Dec 18, 2004 7:53 pm

Postby josh » Mon Jan 02, 2006 4:17 am

sweet!
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby vellire » Tue Aug 01, 2006 5:06 pm

I had a similar idea over 2 years ago and it never occurred to me to post code here. (And now of course I don't have it handy to post.) I took a slightly different take on the problem - I generated the email address on the server side (the site was in ASP) and based it on the week of the year. There were a few reasons for this:

- I was only anticipating a few dozen legitimate emails a year to begin with. If was being spam harvested hardcore, I could wind up with hundreds of different harvester IP addresses in one year, which could translate to hundreds of new disposables where I'd get at least 1 spam, wheras by going weekly I'd get at most 52 compromised accounts per year.
- I figured that anyone actually interested in speaking with me could read the little disclaimer that "to prevent spam, this email address expires after 1 week" (though it doesn't actually, it makes more sense at a glance than "it will expire after the first 20 emails"). If someone did decide to hold on to an address for more than a week, odds were extremely good that I'd still receive the message.
- If I had to shut down an address mid-week, I would of course be aware of that fact and would go manually change the address on my site for the rest of the week.
- As a bit of a privacy nut, I wanted to preserve the ability of a user to completely preserve their anonymity. To me that means they should be able to send two emails from the same computer in the same sitting and I should not be able to tell that it's even the same person.
- While I never actually implemented it, I knew it would be trivial to make a map of a few hundred user-friendly words that could be used in order instead of the week number. In fact you could have some fun with this if you came up with a nice scheme.

As it happened, only 1 week's disposable address was ever compromised, and naturally it has received 600 emails in the last year or so. The vast majority of weeks have gone by without a disposable even being created.
vellire
 
Posts: 27
Joined: Tue Jan 27, 2004 7:42 pm

review and alterative idea.

Postby yizwos » Sun Jan 06, 2008 6:22 pm

I was planning to build an idea similar to this but read through the forum first and had a look at sharkbait. From reading it and thinking I decided to make a completely different system and I've just posted an example of simple random address generation. As I read through your code I had some thoughts.

Firstly, I couldn't see the use of a standard encryption function. I haven't attempted to analyse the encryption too much, but whilst it's not plain Xor encryption, it doesn't seem sufficient to reliably hide the key. If I'm right in my understanding this introduces the weakness that the encryption key could be recovered by asking for a few email addresses (this is a known plaintext attack since the IP address is known an the clock can be easily guessed).

If I'm right then the problem with this is that then someone could do joe-jobs by forging another person's IP address. Whilst this would be some effort, once the solution became widespread it would be a serious risk.

The second thought that I had was that even if you can't forge the data, it's easy to corrupt it. Just one character change in the email address stops the decoding program working. I think this is an inherent weakness that could only be solved by spamgourmet enforcing the use of valid email addresses.

The second problem leads to a trade off. With my system you must keep logs but will probably be able to guess who spammed even if they corrupt the email address. With sharkbait you will have data without having to check back in logs, but there's a risk of curruption. Possibly both methods working together would be best?
I'm veggie, so please eat a tin of spam for me.
yizwos
 
Posts: 5
Joined: Sat Jan 05, 2008 9:45 pm


Return to Developers

Who is online

Users browsing this forum: No registered users and 1 guest