Antipixel
No one knows je ne sais quoi like us


Spammers Harvesting RSS

Comments: 17


This was only a matter of time of course, but I’ve received the first piece of spam sent to an address that only appears in my RSS feeds, so it looks like spamming scum have cottoned on to the fact that they may be a new source of addresses.

If I believed in an afterlife, in heaven and hell for example, then I could content myself with the thought that there’s an especially hot and unpleasant place awaiting spammers. Unfortunately I don’t, so my feelings for these scum tend to be, um… earthier.

Note: I publish a feed that contains recent comments people leave on the site. It does not contain anyone’s e-mail address but my own.

•••
Posted to Computers 2002.12.22 (Sun) • 16:07

Comments

Posted by damien   2002.12.23, 00:46

hi, urm nothing related to this post, just wondering if you are using php to upload your kung tunes data? considering adding kung tunes via an iframe, but that would mean my site can’t meet the xhtml1.0-strict standard, would it? would like to know how you set up your kung tunes, thanks!

Posted by jh   2002.12.23, 01:14

Not using PHP, no. I get Kung-Tunes to save out an HTML file (called “trackinfo.html”) which I then call into the main page with a server-side include:

<p><!--#include file="trackinfo.html" --></p>

Then it’s just a matter of letting Apache do the rest.

Posted by webspiffy   2002.12.23, 03:08

Hmm this needs to be mentioned to the Trotts (the creators of MoveableType). Yeah those damn bots are just too quick. Well I for one am taking my e-mail address out of the template. Thanks for the warning.

Posted by Adam Rice   2002.12.23, 06:17

It’s also unfortunate that the spambot-blocking algorithm used in MT seems not to be very effective.

Posted by Kristian   2002.12.23, 07:26

Sadly, the only way to guarantee your address will never be harvested is to never publish it on a site. Even that doesn’t ensure you won’t get spam, I’ve seen some spam with TO: lines that look like attempts to hack plaintext passwords, sheer brute force.

Posted by jh   2002.12.23, 11:08

Adam — It’s not terribly effective at all these days. The approach is similar to that taken by SpamStopper from RailHead Designs (available for Mac OS 8.6, 9 & X). This free utility converts text strings (e.g., e-mail addresses) to hexadecimal. I suspect that this is no barrier for bots anymore, but notice that the latest version now includes several different encoding methods, so perhaps it’s staying one jump ahead.

It’s only a matter of time before the scum figure out the latest encodings, though, so this method has an inherently limited shelf life.

Kristian — Sad but true.

I read of an interesting approach to defeating spam recently which involved creating an e-mail address that appears to contain one of the typical bogus phrases people include to decrease spam (e.g., “remove” or “nospam” or “diespammer”).

The idea is that when bots harvest the address, they strip out the part that appears to have been arbitrarily added. Because this string is actually part of the address, however, the result is useless to them.

Posted by webspiffy   2002.12.23, 14:33

Heh yes that is a clever approach. I was always paranoid about the MoveableType spam_protect="1" variable tag since it only changes the @ character. Obviously the bots are smarter than that. Maybe my gotohellspammers@yahoo.com e-mail address is finally safe.

Posted by Jim Ley   2002.12.26, 06:16

Many spam crawlers don’t parse the content of files more than looking for a pattern “…@…” (which works for any XML attributed email address). They’re not XML parsers or anything like that, content-types are not something they care about, the fact it’s in a RSS feed is pretty irrelevant to them.

I’ve had my mail server reject lots of http:// … @jibbering.com type addresses from XML docs, they’re likely doing nothing clever with RSS, just crawling any old linked file.

Fighting spam on preventing it appearing on lists will never work, as you only have to lose once to lose everything.
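
An added illustration, not part of the original thread or any commenter's code: a Python audit you can run over your own feed to see why the entity and hexadecimal encodings jh mentions, and the simple "…@…" matching Jim Ley describes, leave an address effectively published. The sample feed, the example.org addresses and the function names are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Deliberately loose: the "...@..." shape a crawler would look for.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample feed; all addresses are placeholders on example.org.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="0.91"><channel>
<title>Constructed sample feed</title>
<managingEditor>editor@example.org</managingEditor>
<item><description>Mail webmaster&#64;example.org</description></item>
<item><description>&lt;a href="mailto:&#x63;&#x6f;&#x6d;&#x6d;&#x65;&#x6e;&#x74;&#x73;&#x40;example.org"&gt;write&lt;/a&gt;</description></item>
<item><link>mailto:%6c%69%73%74%40example.org</link></item>
</channel></rss>"""


def find_addresses(text):
    """Return the lower-cased set of address-shaped strings in text."""
    return {m.group(0).lower() for m in ADDRESS.finditer(text)}


def audit_feed(raw):
    """Map each address to the least effort needed to read it from the feed."""
    decoded = html.unescape(raw)
    stages = [
        ("plaintext", raw),                      # no decoding at all
        ("entity-decoded", decoded),             # &#64; and &#x40; forms
        ("percent-decoded", unquote(decoded)),   # %40 forms in mailto: links
    ]
    exposure = {}
    for label, view in stages:
        for addr in sorted(find_addresses(view)):
            exposure.setdefault(addr, label)     # keep the cheapest stage
    return exposure


if __name__ == "__main__":
    for addr, label in sorted(audit_feed(SAMPLE_FEED).items()):
        print(f"{label:16} {addr}")
```

Every address in the sample is recovered with at most two standard-library decoding calls, so an audit like this should treat encoded addresses as exposed.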

Posted by Joshua Kaufman   2002.12.28, 01:43

Well, that’s reason enough for me to pull my email out of it. I switched it to my spam motel email, which I’ll delete sometime in the distant future whenever I receive too much spam at that address.

Those interested in the hexadecimal approach of hiding emails should also take a look at hivelogic’s email encoder, which not only converts it to hexadecimals, but also wraps it in JavaScript, further confusing the stupid spam bots.

Posted by Jim Ley   2002.12.28, 10:29

Please don’t use javascript to hide your email address, why bother including it if you don’t want clients to use it?

It’s trivial to create your spambot based on a popular webbrowser, and it’s what I’d do, and I’d certainly have it reading javascript, it’s so simple, and such protected email addresses are almost guaranteed “good” so it’d be well worth doing.

Posted by jh   2002.12.28, 11:33

Jim —

> Fighting spam on preventing it appearing on lists will never work, as you only have to lose once to lose everything.

Agreed. In fact, I doubt ‘shielding’ or obfuscation measures are helpful at all. As soon as a certain technique reaches a critical mass of popularity, it’s worth it (and trivial) for spammers to write a bot that parses it.

Client-side filtering is getting better, and, as I’ve said before, we need aggressive (but sane) legislation and rabid prosecution of offenders, dammit! Tar and feather the bastards and ride them out of town on a rail.

Posted by Moises   2003.04.04, 16:57

Maybe you want to look at an anti-spam engine I’m using in my blog to keep e-mail robots from harvesting e-mails from the comments of my blog. Here is the url of the post in my site:

http://www.moik78.com/20030301moik78archive.html#90410984

Posted by lee yin   2003.07.14, 15:01

popFIle

Posted by RYAN   2004.06.24, 23:06

i think ur web page is a pile of shit

1/1000000000000000000000000000000000

Antipixel.com
© 2010 Jeremy Hedley
All rights reserved and so forth.