Email Address Obfuscation Woes
This will be a quick post, as it was more just something I laughed at when I saw it: an obfuscation inconsistency that made me laugh out loud. If you click on one of Security Focus’s posts you’ll see something like this:
Cold Fusion Scan
by icos (at) arez (dot) com [email concealed]
Then if you click on the threaded version of the same post you see this:
Cold Fusion Scan
by icos@arez.com
A silly mistake that is happily leaking the email addresses of everyone who posts to the mailing lists to spiders and robots. Wonder why you are getting so much spam? Hope they fix this, not that it makes much difference now. Time to retire that email address!
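A check a site operator could run over their own rendered pages to catch exactly this kind of inconsistency (an added example, not code from the post or from SecurityFocus). It strips tags and entities, then reports whether a rendering exposes a raw address outright, as the threaded view did, or only a recognisable "(at)/(dot)" substitution of the sort the comments call trivially reversible; it never reconstructs an address. The three page snippets are constructed to mirror the two renderings quoted above and the space-substitution format described later in the thread.

```python
import re
from html import unescape

# Constructed sample renderings modelled on the post: a normal view with a
# concealed address, the threaded view that leaks it, and a mailing-list style
# view where "." and "@" are replaced by spaces (names are assumptions).
NORMAL_VIEW = """<h2>Cold Fusion Scan</h2>
<p>by icos (at) arez (dot) com [email concealed]</p>"""
THREADED_VIEW = """<h2>Cold Fusion Scan</h2>
<p>by icos&#64;arez.com</p>"""
LIST_VIEW = """<p>From: icos arez com</p>"""

# A plain user@host.tld address exposed in the rendered text.
PLAINTEXT_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Common human-only spellings of "@" and "." ((at), [at], _at_, " at " ...).
WEAK_OBFUSCATION = re.compile(
    r"\b[\w.+-]+\s*(?:\(at\)|\[at\]|_at_|\s+at\s+)\s*[\w-]+"
    r"(?:\s*(?:\(dot\)|\[dot\]|_dot_|\s+dot\s+)\s*[\w-]+)+",
    re.IGNORECASE,
)


def audit_rendering(html: str) -> list:
    """Return (kind, text) findings for one rendered page.

    'plaintext' means an address is exposed outright (the threaded-view bug);
    'weak' means a recognisable (at)/(dot)-style substitution is present.
    Only the kind of exposure is reported; nothing is de-obfuscated.
    """
    # Drop tags and decode entities such as &#64; so an encoded "@" still counts.
    text = unescape(re.sub(r"<[^>]+>", " ", html))
    findings = [("plaintext", m.group(0)) for m in PLAINTEXT_EMAIL.finditer(text)]
    findings += [("weak", m.group(0).strip()) for m in WEAK_OBFUSCATION.finditer(text)]
    return findings


def views_consistent(*renderings: str) -> bool:
    """True only if no rendering of the same item leaks a plaintext address."""
    return not any(kind == "plaintext"
                   for r in renderings for kind, _ in audit_rendering(r))


if __name__ == "__main__":
    for name, view in [("normal", NORMAL_VIEW), ("threaded", THREADED_VIEW),
                       ("list", LIST_VIEW)]:
        print(name, audit_rendering(view))
    print("normal/threaded consistent:", views_consistent(NORMAL_VIEW, THREADED_VIEW))
```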



May 26th, 2007 at 6:14 am
I remember once I laughed a lot at that type of obfuscation too… A friend of mine put something like
email _AT_ address _DOT_ ext
Obfuscation for humans but not for robots
May 27th, 2007 at 4:48 am
The same you will see on www.zerodayinitiative.com
May 27th, 2007 at 10:09 pm
lol!
Not much of a difference anyway though, I doubt there’s a single harvest bot that does not have a regex-parser for dealing with the most popular types of “obfuscation” that are employed online.
May 28th, 2007 at 1:34 pm
I was going to say exactly the same thing but ComputerGuru beat me to it. Who honestly thinks that spammers can’t parse out (at) and (dot) (or _at_ and _dot_ or any of the other common versions).
I’m sure that RSnake has some spammer contacts - how “effective” is this trick really?
May 28th, 2007 at 2:14 pm
I think it is actually pretty effective at stopping a lot of the less sophisticated robots. But yes, regex is your friend and can help you find a lot of stuff amongst the noise. I’ve never bothered to write that sort of regex myself, but I have a feeling it would be trivial to write a few dozen rules and some canonicalization that would parse through 95% of the obfuscation techniques out there.
May 28th, 2007 at 9:27 pm
In this post http://ha.ckers.org/blog/20070525/email-address-obfuscation-woes/ you comment on an obfuscation inconsistency on the SecurityFocus website and imply that this affects the mailing lists. The URLs referred to are actually of security related tools submitted to the site and are not tied to any mailing lists. If you can produce a similar effect within the online mailing lists I would very much like to be informed.
The specific field where you have demonstrated the error is actually intended to contain the name or individual who produced the product. In this case, the individual chose to use their email address instead.
Granted, you have pointed out an inconsistency that exposes the email addresses of individuals or companies who publicly post their tools, uninformed about the possibility of email obfuscation or not. I will be certain to remedy this issue very soon.
For our mailing lists, we obfuscate the email address of the sender by replacing any occurrence of a ‘.’ or a ‘@’ with a space and of course not highlighting it with “[email concealed]”. I find this fairly effective. Email addresses found within the body of the mailing list posts are obfuscated in the manner mentioned before.
Again, we do not advertise that we protect email addresses willingly posted but we do strive to provide some level of protection from bots.
Realistically, there are many more effective ways a bot might harvest email addresses from a public list.
Regards,
Conrad Schilbe
Software Engineer
SecurityFocus
May 29th, 2007 at 7:10 am
Conrad - thank you for the reply. But I didn’t “imply” that it was the mailing lists, I flat out said it. I didn’t test it, and yes, what I was looking at in that moment was indeed the tools so I could very easily be wrong. I have always loved securityfocus, so there was no love lost on that one. It was more amusing than anything.
Thanks again for the reply!