Posted by Philip on 06/30/06 04:49
In article <e81ska$jgd$1$8302bc10@news.demon.co.uk>,
"Richard Cornford" <Richard@litotes.demon.co.uk> wrote:
> Philip wrote:
> > Richard Cornford wrote:
> >> Philip wrote:
> > I disagree. I think spammers are after the low-hanging
> > fruit that is unobfuscated email addresses, and there
> > doesn't seem to be a shortage of that now or in the
> > foreseeable future.
>
> You don't see this thread as being an indication in itself that your
> 'low-hanging fruit' is already trying to move out of reach?

Yes, and kudos to the OP for doing so. But there's always a fresh crop
of low-hanging fruit coming onto the Internet. I think that there will
always be some percentage of savvy Webmasters who will adapt the latest
techniques (whatever they may be) to protect their email addresses. I
also think that this percentage will be dwarfed by those who don't
protect their email addresses, hence the fresh crop. In a few years'
time, maybe the situation will be the same or maybe it will be different
or maybe we won't even be using email anymore. But I think most people
would be happy with a method that would protect their email addresses
from harvesters for several years, and I think that simply not being
low-hanging fruit will do the job.

> > You're right that spam harvesting programs could
> > conceivably evolve to handle obfuscated addresses,
> > but I see very little pressure for them to do so.
>
> They already exist, they just are not yet in common use. Your own
> qualification of "but not perfectly" suggests that some are already
> defeating your e-mail address obfuscation. So the 'evolution' does not
> have to be in the software for the task, just in the choice of software
> that people use for the task.

That's true. But I still see very little pressure pushing programmers to
add this feature to harvesters and equally little pressure pushing
spammers to seek out software that reads obfuscated addresses. I just
don't think they care that much.

> > If you disagree, that's your opinion and I'm not going
> > to try to tell you it's wrong. But one thing is for sure:
> > right now, obfuscating one's email address will foil more
> > email harvesters than not obfuscating.
>
> What I am saying is that what may be true "right now" may not be true
> next year. So if you can address the problems you may have next year
> with the same effort now as you are spending on implementing a technique
> that can be defeated it makes more sense to do that now.

Of course.

> > I believe (and am trying to assemble real data so I
> > can rely on something besides intuition here) that using a
> > Javascript-based method is more secure than simple
> > obfuscation, even allowing for evolution of email
> > harvesting programs. I think it is unlikely that email
> > harvesters will ever develop the ability to interpret
> > Javascript,
>
> The e-mail harvesters that are based upon automating the Microsoft web
> browser COM object (Internet Explorer) can already interpret and execute
> javascript (well, technically JScript).
>
> > not because it is too difficult to do but because it would
> > be resource-intensive, a little dangerous, and would
> > have a very low ROI.
> <snip>
>
> It has already been done, would not take more than a week's work to do
> again, and once written could be employed by thousands of individuals
> (if made available). That is not too much investment, so the return is
> proportional to the number of people trying to use javascript to obscure
> their e-mail addresses.

The investment in programming time is a one-time cost and is thus less
significant in the long run relative to the other costs that I cited:
resource usage and risk. A Javascript interpreter will consume resources
on the spam harvester's machine. I would guess that they're running
their harvesting operations at full speed (why wouldn't they?) and a
Javascript interpreter would eat CPU and memory that could be spent
parsing HTML. In addition, there's risk to running a Javascript
interpreter. The interpreter has to be correctly sandboxed (maybe the IE
COM object does this already, I am unfamiliar with it) and even if it
is, there are bugs in the interpreter that can expose the harvester to
virus payloads, etc. Carefully written Javascript could even harvest
from the harvesters.

So my argument, as I said before, is that the cost of adding a
Javascript interpreter to a harvester has little to do with difficulty
but much more to do with the long-term costs in resources and risk, and
that these costs promise little return because (IMO) very few sites
obscure their email addresses with Javascript.

Regards
--
Philip
http://NikitaTheSpider.com/
Bulk HTML validation, link checking and more