web application security lab

Email Address Obfuscation Woes

This will be a quick post, as it was more just something I laughed at when I saw it. I ran across an obfuscation inconsistency that made me laugh out loud. If you click on one of Security Focus’s posts you’ll see something like this:

Cold Fusion Scan
by icos (at) arez (dot) com [email concealed]

Then if you click on the threaded version of the same post you see this:

Cold Fusion Scan
by icos@arez.com

Silly mistake that is happily leaking the email addresses of everyone who posts to the mailing lists to spiders and robots. Wonder why you are getting so much spam? Hope they fix this, not that it makes much difference now. Time to retire that email address!

7 Responses to “Email Address Obfuscation Woes”

  1. nEUrOO Says:

    I remember once I laughed a lot on that type of obfuscation too… A friend of mine put something like
    email _AT_ address _DOT_ ext
    Obfuscation for human but not for robots :D

  2. Alex Says:

    The same you will see on www.zerodayinitiative.com ;)

  3. Computer Guru Says:

    lol!

    Not much of a difference anyway though, I doubt there’s a single harvest bot that does not have a regex-parser for dealing with the most popular types of “obfuscation” that are employed online.

  4. MikeA Says:

    I was going to say exactly the same thing but ComputerGuru beat me to it. Who honestly thinks that spammers can’t parse out (at) and (dot) (or _at_ and _dot_ or any of the other common versions).

    I’m sure that RSnake has some spammer contacts - how “effective” is this trick really?

  5. RSnake Says:

    I think it is actually pretty effective at stopping a lot of the less sophisticated robots. But yes, regex is your friend and can help you find a lot of stuff amongst the noise. I’ve never bothered to write that sort of regex myself, but I have a feeling it would be trivial to write a few dozen rules and some canonicalization that would parse through 95% of the obfuscation techniques out there.
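The two renderings quoted in the post above, and the point made in the comments that “(at)”/“(dot)” forms are routinely canonicalised, suggest a simple self-audit: scan each rendering of a page for addresses that appear in the clear and for addresses in weakly obfuscated form. The following is an added example, not code from the post or from SecurityFocus; the two sample views are constructed from the text of the post, and the weak-form pattern is a heuristic of my own.

```python
import re

# Constructed sample input: the two renderings of the same post quoted above.
NORMAL_VIEW = "Cold Fusion Scan\nby icos (at) arez (dot) com [email concealed]\n"
THREADED_VIEW = "Cold Fusion Scan\nby icos@arez.com\n"

# A bare address: anything that would work if pasted into a mail client.
RAW_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Heuristic for the common "word (at) word (dot) word" family: the words at/dot
# wrapped in any mix of spaces, brackets or underscores. This is an assumption
# about what a scraper would normalise, not an exhaustive catalogue.
_LABEL = r"[A-Za-z0-9+-]+"
_WEAK_AT = r"[\s\(\[\{_]*at[\s\)\]\}_]*"
_WEAK_DOT = r"[\s\(\[\{_]*dot[\s\)\]\}_]*"
WEAK_EMAIL = re.compile(
    _LABEL + _WEAK_AT + _LABEL + r"(?:" + _WEAK_DOT + _LABEL + r")+",
    re.IGNORECASE,
)


def find_leaks(text):
    """Return [(kind, matched_text)] in document order.

    kind is "raw" for a bare address and "weak" for an obfuscated form that a
    trivial canonicaliser would recover.
    """
    hits = []
    for kind, pattern in (("raw", RAW_EMAIL), ("weak", WEAK_EMAIL)):
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    hits.sort()
    return [(kind, s) for _, kind, s in hits]


def audit_views(views):
    """Given {view_name: rendered_text}, return only the views that expose an address.

    Running this over every rendering of the same content (normal, threaded,
    RSS, ...) is what would have caught the inconsistency described in the post.
    """
    report = {}
    for name, text in views.items():
        leaks = find_leaks(text)
        if leaks:
            report[name] = leaks
    return report


if __name__ == "__main__":
    for view, leaks in audit_views({"normal": NORMAL_VIEW, "threaded": THREADED_VIEW}).items():
        print(view, leaks)
```

Conrad’s scheme of replacing “.” and “@” with a space produces no token the heuristic can key on, so a check like this cannot flag it; it also cannot tell you whether a harvester keyed on the surrounding “by” line would still recover it.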

  6. Conrad Schilbe Says:

    In this post http://ha.ckers.org/blog/20070525/email-address-obfuscation-woes/ you comment on an obfuscation inconsistency on the SecurityFocus website and imply that this affects the mailing lists. The URLs referred to are actually of security related tools submitted to the site and are not tied to any mailing lists. If you can produce a similar effect within the online mailing lists I would very much like to be informed.

    The specific field where you have demonstrated the error is actually intended to contain the name or individual who produced the product. In this case, the individual chose to use their email address instead.

    Granted, you have pointed out an inconsistency that exposes the email addresses of individuals or companies who publicly post their tools, uninformed about the possibility of email obfuscation or not. I will be certain to remedy this issue very soon.

    For our mailing lists, we obfuscate the email address of the sender by replacing any occurrence of a ‘.’ or a ‘@’ with a space and of course not highlighting it with “[email concealed]”. I find this fairly effective. Email addresses found within the body of the mailing list posts are obfuscated in the manner mentioned before.

    Again, we do not advertise that we protect email addresses willingly posted but we do strive to provide some level of protection from bots.

    Realistically, there are many more effective ways a bot might harvest email addresses from a public list.

    Regards,

    Conrad Schilbe
    Software Engineer
    SecurityFocus

  7. RSnake Says:

    Conrad - thank you for the reply. But I didn’t “imply” that it was the mailing lists, I flat out said it. I didn’t test it, and yes, what I was looking at in that moment was indeed the tools so I could very easily be wrong. I have always loved securityfocus, so there was no love lost on that one. It was more amusing than anything. :)

    Thanks again for the reply!