Best email address encoding method for forms?

VestanPance

I have read tons of posts regarding this issue and am still not sure
what to do. I have a simple form that submits my addresses to
formmail. I have read about ASCII encoding the addresses...is this the
"best" way? I have also read about the JavaScript method...but I hear
that you lose the users that have this turned off in their browsers.

I know that there is NO way to absolutely prevent bots from harvesting
my addresses but I would like to minimize the chances.

Thanks,

SP
www.sean-paul.com for Cinema 4d resources
David Dorward

VestanPance said:
I have read tons of posts regarding this issue and am still not sure
what to do. I have a simple form that submits my addresses to
formmail.
I know that there is NO way to absolutely prevent bots from harvesting
my addresses but I would like to minimize the chances.

If it's a form, use something with the email address hard-coded into the
script. Then it doesn't need to appear on the client side at all.
EightNineThree

I have read tons of posts regarding this issue and am still not sure
what to do. I have a simple form that submits my addresses to
formmail. I have read about ASCII encoding the addresses...is this the
"best" way? I have also read about the JavaScript method...but I hear
that you lose the users that have this turned off in their browsers.

I know that there is NO way to absolutely prevent bots from harvesting
my addresses but I would like to minimize the chances.

Your best bet isn't to use Formmail
http://www.securityfocus.com/corporate/research/top10attacks_q1_2002.shtml

"The Formmail package has become a favorite tool of spammers.

Formmail allows a website to email form submissions to an email account. If
left unpatched a malicious user can send spam simply by including the list
of target email addresses in an HTTP request to Formmail. This behavior
makes tracking down the origin of the spam difficult because the only place
the spammer's IP address is saved is in the Web logs of the affected site.

FormMail is a widely-used web-based e-mail gateway, which allows form-based
input to be emailed to a specified user.

When the form is submitted, the commands will be executed on the host, with
the privileges of the webserver process. This might be leveraged by the
attacker to gain local access to the host."


Use a better script for your contact form.
A good one is Phorm - http://www.phorm.com


--
Karl Core

At times one remains faithful to a cause only because its opponents do not
cease to be insipid.
Friedrich Nietzsche

eightninethree AT eightninethree.com
C A Upsdell

EightNineThree said:
Your best bet isn't to use Formmail
http://www.securityfocus.com/corporate/research/top10attacks_q1_2002.shtml

"The Formmail package has become a favorite tool of spammers.

Formmail allows a website to email form submissions to an email account. If
left unpatched a malicious user can send spam simply by including the list
of target email addresses in an HTTP request to Formmail. This behavior
makes tracking down the origin of the spam difficult because the only place
the spammer's IP address is saved is in the Web logs of the affected site.

It is trivial to patch Matt's formmail.pl so that, instead of accepting the
recipient's email address as a parameter, it accepts a code that is mapped
to the proper email address. This way (a) no email addresses appear on web
pages from which spammers can harvest the addresses, and (b) it becomes
impossible for spammers to hijack formmail.pl.
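The two server-side fixes proposed in this thread, David Dorward's "hard-code the address in the script" and C A Upsdell's "accept a code that is mapped to the proper email address", come down to the same design: the browser never carries an address, and the request cannot name its own recipient. The following is an added example, written here as a Python stand-in for a patched form mailer; it is not code from the thread or from formmail.pl. The recipient table, the sender address and the field names (`recipient`, `email`, `subject`, `message`) are constructed assumptions. The unpatched variant is included only for contrast with the patched one.

```python
"""Server-side recipient mapping for a contact-form mailer.

Added example (not from the thread or formmail.pl): the HTML form carries a
short code, the server maps it to an address from a fixed table, so no
address is ever sent to the browser and a request cannot choose its own
recipient.
"""
from email.message import EmailMessage

# Hypothetical server-side table. The keys are the only values the form
# ever carries; the addresses never leave the server. Constructed values.
RECIPIENTS = {
    "sales": "sales@example.com",
    "webmaster": "webmaster@example.com",
}

# The site's own sender address (constructed). Visitor input never goes in
# From; it goes in Reply-To after the header check below.
SENDER = "contact-form@example.com"


class FormError(ValueError):
    """A submission that must be rejected rather than mailed."""


def build_message_unpatched(form: dict) -> EmailMessage:
    """Pre-patch behaviour, for contrast: the request chooses the recipient.

    Anyone able to send an HTTP request can set 'recipient' to any address,
    which is what turned unpatched FormMail into a spam relay.
    """
    msg = EmailMessage()
    msg["To"] = form["recipient"]
    msg["From"] = SENDER
    msg["Subject"] = form.get("subject", "Contact form")
    msg.set_content(form.get("message", ""))
    return msg


def resolve_recipient(code: str) -> str:
    """Map a form code to an address; any code not in the table is refused."""
    try:
        return RECIPIENTS[code]
    except KeyError:
        raise FormError("unknown recipient code") from None


def clean_header(value: str, limit: int = 200) -> str:
    """Refuse header values containing CR or LF.

    A line break inside a header field would let a submission append extra
    headers (more recipients, for instance) to the outgoing mail.
    """
    if "\r" in value or "\n" in value:
        raise FormError("line break in header field")
    return value.strip()[:limit]


def build_message(form: dict) -> EmailMessage:
    """Patched behaviour: the recipient comes only from RECIPIENTS.

    `form` is the decoded POST body as a dict of strings, as a CGI or WSGI
    handler would hand it over.
    """
    msg = EmailMessage()
    msg["To"] = resolve_recipient(form.get("recipient", ""))
    msg["From"] = SENDER
    reply_to = clean_header(form.get("email", ""))
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = clean_header(form.get("subject", "")) or "Contact form"
    msg.set_content(form.get("message", ""))
    return msg


if __name__ == "__main__":
    # Constructed submission: the visitor picked "sales" in the form.
    good = {"recipient": "sales", "email": "visitor@example.net",
            "subject": "Question about the form", "message": "Hello"}
    print(build_message(good)["To"])  # sales@example.com
    # The same request with a foreign address in the code field is refused.
    try:
        build_message({"recipient": "victim@example.org", "message": "spam"})
    except FormError as exc:
        print("rejected:", exc)
```

The form itself then needs only `<input type="hidden" name="recipient" value="sales">` (or a `<select>` over the table's keys), so a harvester reading the page finds no address, and a request that names an address instead of a code is refused before any mail is built.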
Jukka K. Korpela

VestanPance said:
I have read tons of posts regarding this issue and am still not sure
what to do.

Presumably you don't yet understand what the issue is.

I have a simple form that submits my addresses to
formmail.

Why?

I have read about ASCII encoding the addresses...is this
the "best" way? I have also read about the java-script method...but
I hear that you lose the users that have this turned off in their
browsers.

What is your problem? If you wish to make it possible to contact you,
you should disclose your contact address(es). Simple as that. Naturally
this, as anything, can be abused. Either you pay the price (and, for
example, take suitable filtering actions against spam), or decide that
it's too high, and then the logical conclusion is not to have Web
pages, or any Internet activity for that matter.

(A contact form should just be an alternative, hopefully something that
has some added value to the _user_.)

I know that there is NO way to absolutely prevent bots from
harvesting my addresses but I would like to minimize the chances.

Of course there is a way. Disconnect from the Internet _now_ and
never return. That is the safe way, and the only safe way. Naturally it
has its cost. But it's safe. Many other methods have been proposed, but
they are unsafe _and_ cause much more trouble than they could possibly
save.

Followups randomized as usual.
Todd H.

Jukka K. Korpela said:
Presumably you don't yet understand what the issue is.


What is your problem? If you wish to make it possible to contact you,
you should disclose your contact address(es). Simple as that. Naturally
this, as anything, can be abused.

Jukka, what world are you living in? If you're like the rest of us,
the abundance of email worms and UCE have raised the bar so high that
it's no longer practical to leave exposed email addresses out on the
web and expect to maintain a productive email box.
Either you pay the price (and, for example, take suitable filtering
actions against spam), or decide that it's too high, and then the
logical conclusion is not to have Web pages, or any Internet
activity for that matter.

I maintain that's a nice ivory tower view that is no longer
applicable.
PeterMcC

Todd said:
Jukka, what world are you living in? If you're like the rest of us,
the abundance of email worms and UCE have raised the bar so high that
it's no longer practical to leave exposed email addresses out on the
web and expect to maintain a productive email box.


I maintain that's a nice ivory tower view that is no longer
applicable.

Mail filtering deals with the problem of spam/viruses - the benefits derived
from using a legitimate email address are simply too great to lose because
of the relatively minor and easily overcome inconvenience caused by spammers
and the like.
Chris Morris

Jukka, what world are you living in? If you're like the rest of us,
the abundance of email worms and UCE have raised the bar so high that
it's no longer practical to leave exposed email addresses out on the
web and expect to maintain a productive email box.

Hmm. My address is on every usenet posting I make, and on quite a few
web pages. Between the server-side spam/virus filters and a few pages
of simple procmail filter at my end, I'm currently seeing only single
figure junk actually make it through each day.

That seems manageable to me.
Adrienne

Gazing into my crystal ball I observed (e-mail address removed) (Todd H.) writing in
Jukka, what world are you living in? If you're like the rest of us,
the abundance of email worms and UCE have raised the bar so high that
it's no longer practical to leave exposed email addresses out on the
web and expect to maintain a productive email box.


I maintain that's a nice ivory tower view that is no longer
applicable.

I use my real email address as well. I also use Mailwasher
[http://www.mailwasher.net], and Pegasus mail client. The only real spam I
get is from my website, and Mailwasher automatically takes care of that,
and very rarely do I get spam at my regular address. Pegasus also has a
good spam filter, and I also filter HTML email to go to a special folder
that I usually delete anyway.

I have never gotten a virus/worm from an email, simply because I do not
open any attachments I am not expecting, and my mail client does not
"preview" messages in such a way that it can be exploited.

I think of it this way. Do you go to the beach without sunblock? If you
do, you know you can get burned. That's just the nature of the sun.
Big Bill

Hmm. My address is on every usenet posting I make, and on quite a few
web pages. Between the server-side spam/virus filters and a few pages
of simple procmail filter at my end, I'm currently seeing only single
figure junk actually make it through each day.

That seems manageable to me.

I'm seeing an average of 4000 emails a week, 99% of which are spam.
Lordy me, it takes forever to plough through the headers but it has to
be done.

BB