Best email address encoding method for forms?

Discussion in 'HTML' started by VestanPance, Oct 8, 2003.

  1. VestanPance

    VestanPance Guest

    I have read tons of posts regarding this issue and am still not sure
    what to do. I have a simple form that submits my addresses to
    formmail. I have read about ASCII encoding the addresses...is this the
    "best" way? I have also read about the java-script method...but I hear
    that you lose the users that have this turned off in their browsers.

    I know that there is NO way to absolutely prevent bots from harvesting
    my addresses but I would like to minimize the chances.

    Thanks,

    SP
    www.sean-paul.com for Cinema 4d resources
     
    VestanPance, Oct 8, 2003
    #1

  2. VestanPance <> wrote:

    > I have read tons of posts regarding this issue and am still not sure
    > what to do. I have a simple form that submits my addresses to
    > formmail.


    > I know that there is NO way to absolutely prevent bots from harvesting
    > my addresses but I would like to minimize the chances.


    If it's a form, use something with the email address hard coded into the
    script. Then it doesn't need to appear on the client side at all.

    --
    David Dorward http://dorward.me.uk/
     
    David Dorward, Oct 8, 2003
    #2

  3. <VestanPance> wrote in message
    news:...
    > I have read tons of posts regarding this issue and am still not sure
    > what to do. I have a simple form that submits my addresses to
    > formmail. I have read about ASCII encoding the addresses...is this the
    > "best" way? I have also read about the java-script method...but I hear
    > that you lose the users that have this turned off in their browsers.
    >
    > I know that there is NO way to absolutely prevent bots from harvesting
    > my addresses but I would like to minimize the chances.
    >


    Your best bet isn't to use Formmail
    http://www.securityfocus.com/corporate/research/top10attacks_q1_2002.shtml

    "The Formmail package has become a favorite tool of spammers.

    Formmail allows a website to email form submissions to an email account. If
    left unpatched a malicious user can send spam simply by including the list
    of target email addresses in an HTTP request to Formmail. This behavior
    makes tracking down the origin of the spam difficult because the only place
    the spammer's IP address is saved is in the Web logs of the affected site.

    FormMail is a widely-used web-based e-mail gateway, which allows form-based
    input to be emailed to a specified user.

    When the form is submitted, the commands will be executed on the host, with
    the privileges of the webserver process. This might be leveraged by the
    attacker to gain local access to the host."


    Use a better script for your contact form.
    A good one is Phorm - http://www.phorm.com


    --
    Karl Core

    At times one remains faithful to a cause only because its opponents do not
    cease to be insipid.
    Friedrich Nietzsche

    eightninethree AT eightninethree.com
     
    EightNineThree, Oct 8, 2003
    #3
  4. C A Upsdell

    C A Upsdell Guest

    "EightNineThree" <> wrote in message
    news:bm0r8t$47f$...
    >
    > <VestanPance> wrote in message
    > news:...
    > > I have read tons of posts regarding this issue and am still not sure
    > > what to do. I have a simple form that submits my addresses to
    > > formmail. I have read about ASCII encoding the addresses...is this the
    > > "best" way? I have also read about the java-script method...but I hear
    > > that you lose the users that have this turned off in their browsers.
    > >
    > > I know that there is NO way to absolutely prevent bots from harvesting
    > > my addresses but I would like to minimize the chances.
    > >

    >
    > Your best bet isn't to use Formmail
    > http://www.securityfocus.com/corporate/research/top10attacks_q1_2002.shtml
    >
    > "The Formmail package has become a favorite tool of spammers.
    >
    > Formmail allows a website to email form submissions to an email account. If
    > left unpatched a malicious user can send spam simply by including the list
    > of target email addresses in an HTTP request to Formmail. This behavior
    > makes tracking down the origin of the spam difficult because the only place
    > the spammer's IP address is saved is in the Web logs of the affected site.


    It is trivial to patch Matt's formmail.pl so that, instead of accepting the
    recipient's email address as a parameter, it accepts a code that is mapped
    to the proper email address. This way (a) no email addresses appear on web
    pages from which spammers can harvest the addresses, and (b) it becomes
    impossible for spammers to hijack formmail.pl.
     
    C A Upsdell, Oct 8, 2003
    #4
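
An added example (not part of any post above, and not FormMail's or formmail.pl's own code) of the approach suggested in posts #2 and #4: the form sends only a short code, and the handler maps it to an address that never leaves the server. The field names `to`, `from`, `message` and `recipient`, the addresses and the helper names are assumptions made for this sketch.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Constructed mapping: real addresses exist only on the server. The HTML form
# carries just the code, e.g. <input type="hidden" name="to" value="sales">.
RECIPIENTS = {
    "sales": "sales@example.com",
    "webmaster": "webmaster@example.com",
}
SENDER = "webform@example.com"  # assumed fixed sender for all form mail


class RejectedSubmission(ValueError):
    """The request must not be turned into mail."""


def build_message(form_body: str) -> EmailMessage:
    """Build exactly one message, addressed only via the server-side map."""
    fields = parse_qs(form_body, keep_blank_values=True)

    # A client-supplied address is never honoured; a request that carries
    # one is refused outright rather than silently ignored.
    if "recipient" in fields:
        raise RejectedSubmission("client-supplied recipient")

    codes = fields.get("to", [])
    if len(codes) != 1 or codes[0] not in RECIPIENTS:
        raise RejectedSubmission("unknown or repeated recipient code")

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENTS[codes[0]]
    msg["Subject"] = f"Web form message for {codes[0]}"
    # Visitor input goes into the body only, never into a header, so it
    # cannot add recipients or headers of its own.
    visitor = fields.get("from", ["(not given)"])[0]
    text = fields.get("message", [""])[0]
    msg.set_content(f"Reply address given by visitor: {visitor}\n\n{text}\n")
    return msg
```

Because the page source contains only the code, there is nothing for a harvester to collect, and a request naming any other destination is rejected before a message is built.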
  5. VestanPance <> wrote:

    > I have read tons of posts regarding this issue and am still not sure
    > what to do.


    Presumably you don't yet understand what the issue is.

    > I have a simple form that submits my addresses to
    > formmail.


    Why?

    > I have read about ASCII encoding the addresses...is this
    > the "best" way? I have also read about the java-script method...but
    > I hear that you lose the users that have this turned off in their
    > browsers.


    What is your problem? If you wish to make it possible to contact you,
    you should disclose your contact address(es). Simple as that. Naturally
    this, as anything, can be abused. Either you pay the price (and, for
    example, take suitable filtering actions against spam), or decide that
    it's too high, and then the logical conclusion is not to have Web
    pages, or any Internet activity for that matter.

    (A contact form should be just an alternative, hopefully something that
    has some added value to the _user_.)

    > I know that there is NO way to absolutely prevent bots from
    > harvesting my addresses but I would like to minimize the chances.


    Of course there is a way. Disconnect from the Internet _now_ and
    never return. That is the safe way, and the only safe way. Naturally it
    has its cost. But it's safe. Many other methods have been proposed, but
    they are unsafe _and_ cause much more trouble than they could possibly
    save.

    Followups randomized as usual.

    --
    Yucca, http://www.cs.tut.fi/~jkorpela/
    Pages about Web authoring: http://www.cs.tut.fi/~jkorpela/www.html
     
    Jukka K. Korpela, Oct 8, 2003
    #5
  6. Todd H.

    Todd H. Guest

    "Jukka K. Korpela" <> writes:
    > VestanPance <> wrote:
    >
    > > I have read tons of posts regarding this issue and am still not sure
    > > what to do.

    >
    > Presumably you don't yet understand what the issue is.
    >
    > > I have a simple form that submits my addresses to formmail.

    >
    > Why?
    >
    > > I have read about ASCII encoding the addresses...is this
    > > the "best" way? I have also read about the java-script method...but
    > > I hear that you lose the users that have this turned off in their
    > > browsers.

    >
    > What is your problem? If you wish to make it possible to contact you,
    > you should disclose your contact address(es). Simple as that. Naturally
    > this, as anything, can be abused.


    Jukka, what world are you living in? If you're like the rest of us,
    the abundance of email worms and UCE have raised the bar so high that
    it's no longer practical to leave exposed email addresses out on the
    web and expect to maintain a productive email box.

    > Either you pay the price (and, for example, take suitable filtering
    > actions against spam), or decide that it's too high, and then the
    > logical conclusion is not to have Web pages, or any Internet
    > activity for that matter.


    I maintain that's a nice ivory tower view that is no longer
    applicable.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Oct 9, 2003
    #6
  7. PeterMcC

    PeterMcC Guest

    Todd H. wrote:
    > "Jukka K. Korpela" <> writes:
    >> VestanPance <> wrote:
    >>
    >>> I have read tons of posts regarding this issue and am still not sure
    >>> what to do.

    >>
    >> Presumably you don't yet understand what the issue is.
    >>
    >>> I have a simple form that submits my addresses to formmail.

    >>
    >> Why?
    >>
    >>> I have read about ASCII encoding the addresses...is this
    >>> the "best" way? I have also read about the java-script method...but
    >>> I hear that you lose the users that have this turned off in their
    >>> browsers.

    >>
    >> What is your problem? If you wish to make it possible to contact you,
    >> you should disclose your contact address(es). Simple as that.
    >> Naturally this, as anything, can be abused.

    >
    > Jukka, what world are you living in? If you're like the rest of us,
    > the abundance of email worms and UCE have raised the bar so high that
    > it's no longer practical to leave exposed email addresses out on the
    > web and expect to maintain a productive email box.
    >
    >> Either you pay the price (and, for example, take suitable filtering
    >> actions against spam), or decide that it's too high, and then the
    >> logical conclusion is not to have Web pages, or any Internet
    >> activity for that matter.

    >
    > I maintain that's a nice ivory tower view that is no longer
    > applicable.


    Mail filtering deals with the problem of spam/viruses - the benefits derived
    from using a legitimate email address are simply too great to lose because
    of the relatively minor and easily overcome inconvenience caused by spammers
    and the like.

    --
    PeterMcC
    If you feel that any of the above is incorrect,
    inappropriate or offensive in any way,
    please ignore it and accept my apologies.
     
    PeterMcC, Oct 10, 2003
    #7
  8. Chris Morris

    Chris Morris Guest

    (Todd H.) writes:
    > "Jukka K. Korpela" <> writes:
    > > What is your problem? If you wish to make it possible to contact you,
    > > you should disclose your contact address(es). Simple as that. Naturally
    > > this, as anything, can be abused.

    >
    > Jukka, what world are you living in? If you're like the rest of us,
    > the abundance of email worms and UCE have raised the bar so high that
    > it's no longer practical to leave exposed email addresses out on the
    > web and expect to maintain a productive email box.


    Hmm. My address is on every usenet posting I make, and on quite a few
    web pages. Between the server-side spam/virus filters and a few pages
    of simple procmail filter at my end, I'm currently seeing only single
    figure junk actually make it through each day.

    That seems manageable to me.

    --
    Chris
     
    Chris Morris, Oct 10, 2003
    #8
  9. Adrienne

    Adrienne Guest

    Gazing into my crystal ball I observed (Todd H.) writing
    in news::

    > Jukka, what world are you living in? If you're like the rest of us,
    > the abundance of email worms and UCE have raised the bar so high that
    > it's no longer practical to leave exposed email addresses out on the
    > web and expect to maintain a productive email box.
    >
    >> Either you pay the price (and, for example, take suitable filtering
    >> actions against spam), or decide that it's too high, and then the
    >> logical conclusion is not to have Web pages, or any Internet activity
    >> for that matter.

    >
    > I maintain that's a nice ivory tower view that is no longer
    > applicable.
    >


    I use my real email address as well. I also use Mailwasher
    [http://www.mailwasher.net], and Pegasus mail client. The only real spam I
    get is from my website, and Mailwasher automatically takes care of that,
    and very rarely do I get spam at my regular address. Pegasus also has a
    good spam filter, and I also filter HTML email to go to a special folder
    that I usually delete anyway.

    I have never gotten a virus/worm from an email, simply because I do not
    open any attachments I am not expecting, and my mail client does not
    "preview" messages in such a way that it can be exploited.

    I think of it this way. Do you go to the beach without sunblock? If you
    do, you know you can get burned. That's just the nature of the sun.

    --
    Adrienne Boswell
    Please respond to the group so others can share
    http://www.arbpen.com
     
    Adrienne, Oct 10, 2003
    #9
  10. Big Bill

    Big Bill Guest

    On 10 Oct 2003 13:44:19 +0100, Chris Morris <>
    wrote:

    > (Todd H.) writes:
    >> "Jukka K. Korpela" <> writes:
    >> > What is your problem? If you wish to make it possible to contact you,
    >> > you should disclose your contact address(es). Simple as that. Naturally
    >> > this, as anything, can be abused.

    >>
    >> Jukka, what world are you living in? If you're like the rest of us,
    >> the abundance of email worms and UCE have raised the bar so high that
    >> it's no longer practical to leave exposed email addresses out on the
    >> web and expect to maintain a productive email box.

    >
    >Hmm. My address is on every usenet posting I make, and on quite a few
    >web pages. Between the server-side spam/virus filters and a few pages
    >of simple procmail filter at my end, I'm currently seeing only single
    >figure junk actually make it through each day.
    >
    >That seems manageable to me.


    I'm seeing an average of 4000 emails a week, 99% of which are spam.
    Lordy me, it takes forever to plough through the headers but it has to
    be done.

    BB
     
    Big Bill, Oct 10, 2003
    #10