{"id":193,"date":"2006-06-22T14:39:31","date_gmt":"2006-06-22T14:39:31","guid":{"rendered":"http:\/\/neosmart.net\/blog\/archives\/193"},"modified":"2013-08-26T18:09:53","modified_gmt":"2013-08-26T23:09:53","slug":"javascript-protection-dont-fall-for-it","status":"publish","type":"post","link":"https:\/\/neosmart.net\/blog\/javascript-protection-dont-fall-for-it\/","title":{"rendered":"JavaScript &ldquo;Protection:&rdquo; Don&#39;t Fall for it!"},"content":{"rendered":"<p>Every once in a while it comes up again. JavaScript &#8211; used totally wrong. This time it&#8217;s Hivelogic&#8217;s <a href=\"http:\/\/hivelogic.com\/enkoder\/\" rel=\"follow\">&#8220;Enkoder&#8221; script<\/a> <a href=\"http:\/\/weblogtoolscollection.com\/archives\/2006\/06\/21\/wp-plugin-phpenkoder\/\" rel=\"follow\">reborn for WordPress<\/a>. What people just don&#8217;t get is: JavaScript was never meant to be used as a heavy cavalry, a knight in shining armor, or else a bit of code that <strike>can<\/strike> may be used to do anything &#8211; because it&#8217;s not.<\/p>\n<p>JavaScript <em>can<\/em> do a lot of things, but that doesn&#8217;t mean it should be used that way. But that&#8217;s not the problem &#8211; not this time. The problem is that people are still insisting on believing that using JavaScript to hide text means that the bad guys won&#8217;t ever see it. But that&#8217;s just not true. <\/p>\n<p><!--more--><\/p>\n<p>For one thing, as we all know, the weapons reach the bad guys first, and it takes a long time for the &#8220;good guys&#8221; to get them later. Just because GoogleBot and Yahoo! Crawler don&#8217;t exactly understand JS-rendered text doesn&#8217;t mean that the spam bots, email harvesters, blog spammers, and more don&#8217;t. 
As a matter of fact, more spam bots come to NeoSmart Technologies with JavaScript-enabled engines than authentic users with JS-enabled browsers (stats thanks to SpamKarma 2) &#8211; and they&#8217;re on your site too.<\/p>\n<p>Just like people <strong>insist<\/strong> on writing their emails as <code>ramblings [at] neosmart dot net<\/code> or one of its variations, and it never occurs to them that spambots can harvest these just as well as they can <code>ComputerGuru@NeoSmart.net<\/code> with or without the mailto: entity defined, it just doesn&#8217;t matter. It takes the code masters over at HiveLogic a month or more to write such a complicated algorithm, but it takes spam bot and email harvester authors mere hours to add JS processing to their engines &#8211; and all of a sudden everyone is vulnerable.<\/p>\n<p>There really is no <em>good<\/em> way to prevent an email address from being listed in spam directories and sold in bulk along with thousands of others to spammers around the web &#8211; especially not image renders of email addresses; OCR is actually a rather practical method once combined with Bayesian filters to identify a likely email-in-image target. The best thing one <em>can<\/em> do is to sign up for a good email service if you use free webmail (don&#8217;t use AOL, Hotmail, Walla, WowMail, SpyMac, or most others; use Yahoo!, Live.com, or GMail if you have to), or if you have your own MX server, invest in a quality spam-control engine (don&#8217;t use BrightMail or anything else Symantec!). If it&#8217;s too late to change whatever it is that you picked or your email address is all over the web such that it doesn&#8217;t make a difference, get a decent client-side program instead (reviews to come!).<\/p>\n<p>Remember, you can never beat them completely, just do your best to bat them away. 
Using disposable email addresses helps, but it&#8217;s not the best way since spammers will send messages to random email addresses and bookmark those that don&#8217;t bounce back &#8211; you really can&#8217;t win outright, just keep trying.<\/p>\n<p>However (and this is important!) Hivelogic deserves recognition for their algorithm. I personally used it the month it went public (3 or 4 years ago?), and it was a great idea, the innovation is there, and it definitely worked for a couple of years, but times change and technology swarms and grows, and nothing lasts forever. If you really want security via obscurity, then this is your award-winning horse that&#8217;ll take you quite far, but remember, no one is perfect, and nothing lasts forever.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every once in a while it comes up again. JavaScript &#8211; used totally wrong. This time it&#8217;s Hivelogic&#8217;s &#8220;Enkoder&#8221; script reborn for WordPress. What people just don&#8217;t get is: JavaScript was never meant to be used as a heavy cavalry, &hellip; <a href=\"https:\/\/neosmart.net\/blog\/javascript-protection-dont-fall-for-it\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[76,54],"class_list":["post-193","post","type-post","status-publish","format-standard","hentry","category-software","tag-javascript","tag-wordpress"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p4xDa-37","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/posts\/193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/comments?post=193"}],"version-history":[{"count":1,"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/posts\/193\/revisions"}],"predecessor-version":[{"id":1979,"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/posts\/193\/revisions\/1979"}],"wp:attachment":[{"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/media?parent=193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/categories?post=193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/neosmart.net\/blog\/wp-json\/wp\/v2\/tags?post=193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}