Silverstripe spam prevention

Anyone who’s ever done it knows: don’t post your email address on the web.

It’s a sad state, but the internet is so inundated with spam that if you post an email address virtually anywhere, no matter how remote, the spambots will probably find it. Just like Google, spammers crawl the internet, but they’re not looking for interesting content; they’re looking solely for your email address. I could also see a future where spambots collect contextual information and tie it to the email addresses they harvest, to target spam more effectively.

The following strategies offer some help:

  1. remove any mailto: links — this is the easiest target.
  2. remove any email addresses — the @ symbol is like the smell of blood to these sharks. But spambots are getting clever enough to figure out things like user AT example.com or user @ example.com.
  3. use an image instead of text — either for the whole email address or just the @ symbol.
  4. use javascript to generate the text — however, spambots may start being able to parse javascript.
  5. use a contact form, possibly with a captcha.

But what do you do for your users’ sake? If they can’t click on your email address, they might not go to the effort of finding your form or deciphering your obfuscated address: aarone (AT) NOSPAM one-shore (DOT) com.

While javascript-based email links or captcha-based forms might be the best solution at present, it takes a programmer to implement them. Thankfully, Silverstripe has a module that helps out, and actually makes it easy and (fairly) secure to give users a link that is not a mailto link but acts like one.

It’s called hidemailto and here’s how it works:

Hidemailto uses an ordinary link to the HideEmail_Controller class, which then opens a page that redirects to a javascript-generated mailto link. In effect, you click on a link that you make look something like this:

http://mysite/silverstripe/mailto/user/host/subject

Here’s an example I set up:

http://one-shore.com/~aaron/silverstripe/contact-us/

Which has the following link:

http://one-shore.com/%7Eaaron/silverstripe/mailto/aarone/one-shore.com/customer%20service

A few things could be done to make it a bit more secure.

  1. don’t use the word ‘mailto’ in the link
  2. obfuscate the javascript a bit more — but if a spambot becomes able to parse javascript it won’t matter.
  3. before the redirect there could be a captcha

It’s a nice touch to make the page wait before the redirect, because spambots are so successful precisely because harvesting addresses is so computationally cheap.

Okay, now that you know the technical details (or have skimmed to this point), here’s how you install it.

I assume you have a working installation of Silverstripe. Download the hidemailto controller from here:

http://silverstripe.org/hide-mail-to-module/

The module should be a compressed tarball, and look something like this:

hidemailto-trunk-r62511.tar.gz

To unzip it, type something like this:

tar -xvzf hidemailto-trunk-r62511.tar.gz

Some versions of tar don’t have the ‘z’ flag to decompress gzip. If that command doesn’t work, try it in two steps:

gunzip hidemailto-trunk-r62511.tar.gz

tar -xvf hidemailto-trunk-r62511.tar

Then rename the extracted folder from hidemailto-trunk-r62511 to hidemailto:

mv hidemailto-trunk-r62511 hidemailto

and finally copy it (recursively, since it is a directory) to your silverstripe installation directory.

cp -r hidemailto /your/path/to/silverstripe/

for example, if silverstripe was installed in /var/www/silverstripe you’d type:

cp -r hidemailto /var/www/silverstripe/

You may also need to do the same with another module called gallery. The hidemailto documentation mentions a dependency on gallery. Follow the same steps:

  1. download
  2. unzip
  3. rename
  4. copy it to the silverstripe directory

If you don’t have shell access, do the first three steps locally, and then use FTP to copy the hidemailto (and gallery) folders to the silverstripe directory on your server.

There’s one more step you need to do before it will work. Add the domain part of the email address (such as one-shore.com) to the file named _config.php in the hidemailto directory (/your/path/to/silverstripe/hidemailto/_config.php):

HideEmail_Controller::set_allowed_domains(array('silverstripe.com', 'one-shore.com'));

You might want to remove silverstripe.com from that list, since you probably won’t be receiving any email for that domain.

I can also implement a plain javascript solution that will work without silverstripe in basically the same way, or point the more ambitious to some examples on the internet to help them do it themselves.
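A plain-JavaScript version of the same idea, added here as an example (not the author’s or the hidemailto module’s code): it reads the user, host and subject segments from a /mailto/user/host/subject path, refuses any host that is not on an allow-list (the assumed equivalent of set_allowed_domains in _config.php), and only then assembles the mailto: URL, so neither an address nor the string mailto: appears in the HTML. The ALLOWED_DOMAINS list, the function names and the delay are assumptions.

```javascript
// Added example, not the hidemailto module's code. A page links to
// /mailto/<user>/<host>/<subject>; nothing in the HTML contains an "@" or a
// mailto: URL. The script reads the three path segments, checks the host
// against an allow-list and only then builds the mailto: URL and navigates.

// Assumed allow-list; 'one-shore.com' is the domain from the post.
const ALLOWED_DOMAINS = ['one-shore.com'];

// Parse "/mailto/user/host/subject" (a base path such as /silverstripe before
// "mailto" is tolerated). Returns null when the path is not of that shape.
function parseMailtoPath(pathname) {
  let parts;
  try {
    parts = pathname.split('/').filter(Boolean).map(decodeURIComponent);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  const i = parts.indexOf('mailto');
  if (i < 0 || parts.length < i + 3) return null;
  const [user, host, ...rest] = parts.slice(i + 1);
  return { user, host, subject: rest.join('/') };
}

// Build the mailto: URL only for an allow-listed host. The allow-list is what
// keeps the redirector from being pointed at arbitrary addresses. Returns null
// when the link is refused.
function buildMailto(link, allowed = ALLOWED_DOMAINS) {
  if (!link) return null;
  const user = link.user;
  const host = link.host.toLowerCase();
  if (!/^[a-z0-9._%+-]+$/i.test(user) || !allowed.includes(host)) return null;
  let url = 'mailto:' + user + '\u0040' + host; // the "@" is assembled at run time
  if (link.subject) url += '?subject=' + encodeURIComponent(link.subject);
  return url;
}

// Browser entry point: wait a moment before redirecting, as the post suggests,
// so the redirect is not free for a crawler that does not run scripts.
function redirectToMailto(delayMs = 1500) {
  if (typeof window === 'undefined') return; // not in a browser
  const url = buildMailto(parseMailtoPath(window.location.pathname));
  if (url) setTimeout(() => { window.location.href = url; }, delayMs);
}
redirectToMailto();
```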

Feel free to email me (with the link above) or comment here if you have questions or corrections.

3 thoughts on “Silverstripe spam prevention”

  1. Here are a couple links about spam prevention:

    — a quick example on using javascript to write a mailto
    http://med.stanford.edu/irt/web/clips/javascript-antispam.html

    — this is a more complete example including step by step implementation
    http://www.bronze-age.com/nospam/

    — this has several links to implementations including the one below it
    http://www.webmasterworld.com/forum91/492.htm

    — this is a good example that uses javascript obfuscation
    http://rumkin.com/samples/mailto_encoder

    — this is probably the definitive article on spam prevention
    http://www.alistapart.com/articles/spam

    — and this is great practical follow up
    http://www.alistapart.com/articles/gracefulemailobfuscation

    • Is the hidemailto module compatible with Silverstripe 2.4? I tried and it does not work and it should. When I click on the link silverstripe tries to open the mailto/xxx/xxx/Subject link which results in a 404 Not Found error.

  2. Pingback: Project Foxfish « Fiji Ecuador Seattle Greece Montana
