Javascript/image email obfuscation tactics - javascript

I'm trying to obfuscate the contact email address on my website. I'm wondering what the best way is to do that.
Some JavaScript way (not sure which is the best one ... http://hivelogic.com/enkoder/ this one looks easy, but I'm not sure if it's strong or not).
Having an image called something like "90210.png" that is an image of the email address.
If javascript, what are some good scripts to do this?
Thanks!
Ringo

Write a proper contact form system, so that you never give out your email address unless you choose to reply to a contact.
Alternatively, you can write it backwards, then use JavaScript to flip it around:
var email = "moc.elpmaxe@ydobemos";
document.write(email.split("").reverse().join(""));

Somebody did a study for 1.5 years to test which various methods of email obfuscation worked the most effectively -- Perishable Press created a writeup on it.
It seems like one of the best methods was to ROT-13 an email address then decrypt it using Javascript (of course, not everybody has Javascript enabled, so this isn't a perfect solution).
I'd recommend using a contact form if possible though -- that way, your website still remains accessible to people with Javascript disabled.

The safest approach would be to not publish an email address, and instead provide a contact form.
Next safest would be an image, as you said, or any presentation method that is not plain text.
If you're determined to present text, you just have to make sure it doesn't match a regular expression looking for email addresses. So you could break it up with spaces, replace "@" with "(at)" and/or "." with "(dot)", etc. Of course, those methods will not stop someone who wants to spam you specifically, but neither will any javascript trick.
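The answers above can be checked against a harvester-style pattern before publishing. This is an added example, not code from any of the answers; the address, HARVEST_RE and the function names are constructed for illustration. It shows what a plain regular expression extracts from the page source for each obfuscated form.

```javascript
// Constructed address; HARVEST_RE is a deliberately simple scraper-style pattern.
const EMAIL = "somebody@example.com";
const HARVEST_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/g;

// ROT13 rotates letters only, so "@" and "." pass through unchanged.
function rot13(s) {
  return s.replace(/[a-z]/gi, (c) => {
    const base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// The forms discussed in the answers: reversed, ROT13, "(at)"/"(dot)".
const FORMS = {
  plain: (e) => e,
  reversed: (e) => [...e].reverse().join(""),
  rot13,
  textual: (e) => e.replace("@", " (at) ").replace(/\./g, " (dot) "),
};

// For each form: the text that lands in the page source, and what the
// pattern pulls out of it without executing any script.
function evaluate(email) {
  const report = {};
  for (const [name, encode] of Object.entries(FORMS)) {
    const source = encode(email);
    const hits = source.match(HARVEST_RE) || [];
    report[name] = { source, hits, leaksRealAddress: hits.includes(email) };
  }
  return report;
}

console.log(evaluate(EMAIL));
```

The ROT13 form still looks like an address to the pattern, but the string it yields is not the real one; applying rot13 a second time in the browser restores it for display.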

Related

Is there a reliable way to automatically detect buttons and confirm codes in emails?

I find the automatic copy-code feature for incoming text messages really nice on my phone and was hoping to implement something similar for my emails. So far I've been able to hook incoming emails into a function and parse them using node-imap, but I'm struggling with the actual code autodetection.
For example, some verification codes are 6 numbers/capital letters, like 123X4Y. Some are a bit shorter and some are much longer, so I arbitrarily wrote the regex \b[0-9A-Z]{5,12}\b (I start it at 5 because many emails have a copyright date at the bottom that is 4 numbers). This works decently well but doesn't capture all codes and occasionally captures irrelevant information.
Moreover, many times instead of a code the email just contains a big ol' "Confirm" or "Verify" button. In these cases I'm currently just looking for links with the words confirm or verify either in the link text or the href, but this also fails much of the time.
I was wondering if there was any way to more reliably capture action buttons and confirmation codes from emails!
There isn't a reliable way to detect buttons in emails without some sort of computer vision as they can take infinitely many forms (a filled in table cell with an anchor, a styled anchor, etc).
You can get the confirmation code with a little bit of NLP -- you could either take a naive approach and just look for keywords like "confirm" or "verify," or you could utilize an NER (Named Entity Recognition) model to identify confirmation codes in an email.
As an alternative to NER, you could simply run a Naive Bayes classifier on an encoded vector of the subject line to identify whether or not the email contains a confirmation code. If you are able to identify that the email is a "confirmation" email, you can plug in your regex above and parse out the code.
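The naive keyword approach from the answer, combined with the asker's regex, as an added example that is not part of the original posts. The keyword list, the "must contain a digit" filter and the nearest-to-keyword ranking are assumptions made here; the sample emails are constructed.

```javascript
// Keyword gate (assumed list) and the asker's candidate pattern.
const KEYWORDS = /\b(?:confirm(?:ation)?|verif(?:y|ication)|one[- ]time|passcode)\b/gi;
const CANDIDATE = /\b[0-9A-Z]{5,12}\b/g;

// Returns the candidate closest to a keyword, or null when the email is not
// a confirmation email or contains no plausible code (button-only emails).
function extractCode(subject, body) {
  const text = `${subject}\n${body}`;
  const anchors = [...text.matchAll(KEYWORDS)].map((m) => m.index);
  if (anchors.length === 0) return null; // not a confirmation email
  let best = null;
  for (const m of text.matchAll(CANDIDATE)) {
    if (!/\d/.test(m[0])) continue; // skip all-caps words such as "VERIFY"
    const dist = Math.min(...anchors.map((a) => Math.abs(a - m.index)));
    if (best === null || dist < best.dist) best = { code: m[0], dist };
  }
  return best ? best.code : null;
}

// Constructed sample emails.
const SAMPLES = [
  { subject: "Verify your Example account",
    body: "Hi,\nYour verification code is 123X4Y. It expires in 10 minutes.\n" +
          "Order ref 20240117 is unrelated.\n(c) 2024 Example Inc, 94105 CA" },
  { subject: "Weekly newsletter", body: "Invoice 88213A is attached." },
  { subject: "Confirm your email",
    body: "Click the button below to confirm.\n(c) 2024 Example Inc" },
];

for (const s of SAMPLES) console.log(s.subject, "->", extractCode(s.subject, s.body));
```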

Prevent user-entered scripts from running in webpage

In my application, there is a comment box. If someone enters a comment like
<script>alert("hello")</script>
then an alert appears when I load that page.
Is there any way to prevent this?
There are several ways to address this, but since you haven't mentioned which back-end technology you are using, it is hard to give anything but rough answers.
Also, you haven't mentioned if you want to allow, or deny, the ability to enter regular HTML in the box.
Method 1:
Sanitize inputs on the way in. When you accept something at the server, look for the script tags and remove them.
This is actually far more difficult to get right than might be expected.
Method 2:
Escape the data on the way back down to the server. In PHP there is a function called htmlentities which will turn all HTML into which renders as literally what was typed.
The words <script>alert("hello")</script> would appear on your page.
Method 3:
White-list.
This is far beyond the answer of a single post and really requires knowing your back-end system, but it is possible to allow some HTML characters while disallowing others.
This is insanely difficult to get right and you really are best using a library package that has been very well tested.
You should treat user input as plain text rather than HTML. By correctly escaping HTML entities, you can render what looks like valid HTML text without having the browser try to execute it. This is good practice in general, for your client-side code as well as any user provided values passed to your back-end. Issues arising from this are broadly referred to as script injection or cross-site scripting.
Practically on the client-side this is pretty easy since you're using jQuery. When updating the DOM based on user input, rely on the text method in place of the html method. You can see a simple example of the difference in this jsFiddle.
The best way is to replace <script> with another string. For example, in C# use:
str = str.Replace("<script>", "O_o");
Other options have a lot of disadvantages.
1. Block JavaScript: it causes some validation to be disabled too, namely the validation that is done in the frontend. Also, after retrieval from the database it works again. I mean an attacker can inject a script as input in forms and it is saved in the database. After you return records from the database in another page, it renders as script!!!!
2. Render as text: in some technologies it needs third-party packages, which is a risk in itself. Maybe these packages have a backdoor!!!
Convert the value into a string; it solved it in my case.
example
var anything
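An added example, not code from any of the answers above, that runs the literal-replacement approach and the output-escaping approach over the same comments. The function names are made up for illustration, replaceScriptTag is a JavaScript port of the string replacement idea, and the comments are constructed from the question's own example.

```javascript
// JavaScript port of the literal-replacement idea (exact, case-sensitive string).
function replaceScriptTag(input) {
  return input.split("<script>").join("O_o");
}

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output escaping: every character that can open markup or close an attribute
// becomes an entity, so the browser displays the text instead of parsing it.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Crude check used only for this demo: is an opening tag still present?
function hasOpeningTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed comments: the question's example plus two ordinary spellings
// of the same tag.
const COMMENTS = [
  '<script>alert("hello")</script>',
  '<SCRIPT>alert("hello")</SCRIPT>',
  '<script type="text/javascript">alert("hello")</script>',
];

// Comments that still contain live markup after the given filter.
function survivors(filter) {
  return COMMENTS.filter((c) => hasOpeningTag(filter(c)));
}

// Escape at the point of output, whatever was stored.
function renderComment(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

console.log("after literal replace:", survivors(replaceScriptTag));
console.log("after escaping:", survivors(escapeHtml));
console.log(renderComment(COMMENTS[0]));
```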

JavaScript : Find Captcha on a web page

I am working on a Captcha decode/break Firefox extension and I want to find the captcha field on a page if it exists. I want to make a generic thing so that whenever a page is loaded, I get the captcha image. In short, whenever a page is loaded, it checks for a captcha and, if there is one, it gets its image.
An approach I was trying is to find the text 'captcha' on a page and then the img tag if it exists. Can anyone please tell me a better solution that can run on the most sites? Thanks in advance.
Saadsaf,
In one of your comments you mentioned that:
"...maybe you are right, but actually I'm not using it for any unethical purpose, I'm just collecting captchas"
Collecting Captchas is pretty much a useless task.
How Captchas Work:
The way a Captcha works is that the user enters the characters in the image, and then submits a form - at which time the characters entered are compared to those in the image. If the two sets of characters match perfectly, a 'Pass' condition is declared and the guarded process is allowed to continue.
The characters in the Captcha image are generally not stored anywhere that the user has access to, otherwise there would be a severe security issue for Captchas. Most commonly, Captchas will be compared server-side so that the client has as little access to the character string as is possible.
Why collecting Captchas is a poor idea:
If you were to "collect" captchas for use on your sites, you would have to look at each and every one (thousands, if you figure out your code to collect them for you) and then somehow store the correct characters corresponding to each image for later use.
Between writing code to find you Captchas and then going through them all manually to correctly read the characters in each one, you will waste weeks or months of your life away.
What to do instead:
If you are interested in using Captchas on your sites to protect forms and prevent spam and abusive robots, your best bet is to learn how to create your own custom Captchas. There are endless resources at your disposal for just such a thing, including YouTube, Google, Stack Overflow, and more.
Where to start:
Hop on Google and search "How to create a Captcha". That is a good start. Other useful search terms might be "Custom Captcha", "PHP Captcha", "JavaScript and PHP Captcha"... Try the same searches on YouTube. Search for "Captcha" here on Stack Overflow.
Good luck. I hope you have only the best of intentions in mind when using this site.

Regex for valid, and invalid email addresses

I'm looking for some regex to match valid emails (doesn't need to be some whopping RFC-compatible job) and people trying to trick the system with invalid email addresses.
Examples of things I want to catch:
blah@blah.com
blah@blah.org
blah@blah.weirdtld
blat [ AT ] blah.com
blah[at]blah.com
blah@blah[ DOT]com
blah@blah[ dot ].com
etc.
I'm sure someone out there has published a tried-and-tested expression of all known permutations, but if they have, I can't find it, and would love to see it.
I don't care if it catches domains by accident, as they are being stripped anyway.
A real-world example of what this could be used for is eBay. Seller wants to put in their description "Contact me on: bob@example.com for a cheaper price" as they would not have to pay listing fees. I want to catch that address, regardless of how it is written.
I appreciate it's impossible to check everything, and this is not a replacement for human intervention (which is also a part of the validation process already, I'm just trying to make their lives easier).
I have already searched StackOverflow and Google, but unfortunately it's one of those problems which can be difficult to search for. If anyone has a link to a solution I would be very grateful.
Edit: Just to clarify even more. This is NOT to be used to check if an email address is valid or not. This is to be used to stop people entering valid email addresses AND email addresses with common substitutions into a textarea ([at] for @, [dot] for ., (d0t) for ., and so on and so forth).
I guess if even heavy spammers haven't found an easy way to overcome this problem, you won't have much luck here, either.
There are several reasons why it's a suicidal task to think about an algorithm for this, but the main one is human creativity vs machine stupidity.
There are literally infinite ways to camouflage an email address, for example test @ domain.com (remove spaces) or test[d0t]again atsign domain[.com] (it took me 2 seconds to think about them and you surely can decode them without any issue).
Even if you can list every possible alternative (which is an inhuman task, anyway), somebody else will design a different scheme to hide their email contact (example: place the email address inside an inline image).
Just by comparison, here is the best regex out there to simply detect valid email addresses that covers every RFC822 case.
See: How to Find or Validate an Email Address.
Excerpt:
...there's often a trade-off between what's exact, and what's practical.
The virtue of my regular expression above is that it matches 99% of the email addresses in use today. All the email address it matches can be handled by 99% of all email software out there. If you're looking for a quick solution, you only need to read the next paragraph. If you want to know all the trade-offs and get plenty of alternatives to choose from, read on.
To catch expressions that are likely aliases for an email address, just do a second test for [AT], [ at ], [DOT], etc. For example, here is a RegEx that does just that (the i qualifier tells Perl to ignore case):
/\[\s*(AT|DOT)\s*\]/i
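An added example, not code from the answers above, that extends the second-test idea: it folds the substitutions listed in the question back to "@" and "." and then matches a simple address pattern. The function names and ADDRESS_RE are made up for illustration, the samples are the question's strings written with a literal @, and the last sample is the counterexample from the first answer, which this approach does not catch.

```javascript
// Fold common substitutions back to "@" and "." before matching.
function normalise(text) {
  return text
    // [at], [ AT ], (at)
    .replace(/\s*[\[(]\s*(?:at|@)\s*[\])]\s*/gi, "@")
    // [dot], [ DOT], (d0t), [.], and a stray "." after the bracket
    .replace(/\s*[\[(]\s*(?:d[o0]t|\.)\s*[\])]\s*\.?/gi, ".")
    // "test @ domain.com"
    .replace(/\s*@\s*/g, "@");
}

// Loose on purpose: any TLD is accepted and false positives go to human review.
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Returns every address-like string found after normalisation.
function findAddresses(text) {
  return normalise(text).match(ADDRESS_RE) || [];
}

// Samples from the thread, plus one constructed listing sentence.
const SAMPLES = [
  "blah@blah.weirdtld",
  "blat [ AT ] blah.com",
  "blah[at]blah.com",
  "blah@blah[ DOT]com",
  "blah@blah[ dot ].com",
  "test @ domain.com",
  "Contact me on: bob [at] example (d0t) com for a cheaper price",
  "test[d0t]again atsign domain[.com]", // not caught: shows the limit
];

for (const s of SAMPLES) console.log(JSON.stringify(s), "->", findAddresses(s));
```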

I am using jquery validator, and need help writing my own addMethod( name, method, message,) to validate a promotional code?

I want to be able to validate a form field called promotional codes, without using a database.
There are two valid codes and the forms field needs to match either one of these. They are codes like this 'VK2012'.
I've tried the equalto with a hidden form field but this doesn't quite work.
Any suggestions greatly appreciated.
First, the comments are right. You should do this on the server side. Client side validation of this sort really ought to be reserved for the case where you can safely assume that your users are acting in good faith (and as soon as you're talking about things like promotional codes, you cannot assume that). As far as a non-database solution goes, it's ugly and maintains poorly, but you could always hardwire the strings to compare to into the code on the server side. Alternately, for a somewhat less ugly (but somewhat more involved) version, you could put them into config files, which would let you change the codes without recompiling.
