![]() This is the first blog post I’ve ever written. Of course this suppresses the user experience a little, but it might be worth it if you can prevent your e-mail of ending up on a spam list First article. ![]() MailHide is a free and simple service for locking your e-mail behind a CAPTCHA. When you want to make sure only real visitors can see something, the only good solution seems like using a CAPTCHA. The real solutionīots have become outstanding at mimicking humans. Most spiders aren’t doing this yet, since this is way more CPU intensive. ![]() When entering a link you can see the rendered HTML, containing my actual e-mail address. Some -more advanced- spiders can render JavaScript. This will prevent this specific attack, but is still relatively easy to circumvent. For my own website I created my own custom encoding script. Spammers can’t account for all the different obfuscate-scripts out-of-the box, but this one is definitely worth it. The biggest flaw is the widespread use of the same encoding script. Boom, you now have your own spam list! What can I do about it? This means, there are 361.107 e-mails laying out to be grabbed already! All you’d have to do is download their list, create a script to retrieve all the webpages, and decode the e-mails. PublicWhen we search for the CloudFlare mail script, we find already 361.107 results. But since the same obfuscation script is used for so many websites (keep in mind that 15% of the whole internet is using CloudFlare in November 2020), it creates a flaw.Īll a spammer has to do is update their crawling-regex to also look for CloudFlare mail hashes, instead of only basic e-mails. Most bots won’t recognize this trick or care enough, and indeed skip these obfuscated e-mails. Decoding the e-mail key function parseHex(string, position) What is the problem? After it has done this on the whole webpage, the script removes itself. It decodes the e-mails and makes them clickable. The script looks for e-mails in anchors, elements with a specific class, and also makes sure to not skip `` elements as well. Whilst the minified code seemed pretty slim, it turns out the code is bigger than it looks. With the help of I was able to format the code, and rename all the variables to names that made sense. After all, it has to transmit it millions of times every day. Of course CloudFlare has minified its decode code. It contains some code and boring explanations, so if it doesn’t interest you, you can skip it. This part explains how CloudFlare obfuscated the e-mail addresses. This way bots can’t read the e-mail address, but visitors that have enabled JavaScript will just see the e-mail as if nothing happened. It also includes its own JavaScript /cdn-cgi/scripts/5c5dd728/cloudflare-static/ to deobfuscate the e-mail and show it to users when they visit the website. An obfuscated e-mail might look like this: It does this automatic when you enable this option in the dashboard. In the CloudFlare dashboard, you have an option to obfuscate e-mail addresses.ĬloudFlare provides the option to obfuscate (the action of making something obscure) any e-mail addresses it finds on your website.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |