
Not displaying a web page's source


1200Bandit (Technical User), Oct 26, 2003
Hello,
I have been a Web designer/master for 10 years. I work with WYSIWYG (GoLive. I know, I played the wrong card when they came around, but I was already an Adobe fan, still am!), JS, CSS, Perl, etc., but not with server-side stuff like ASP etc.
Last week I had one of my web sites get spammed by a SpamBot. It was so bad that it shut down all the email boxes.
When I asked tech support what happened, they told me that it was my fault for displaying the info in the first place.
OK, live and learn.
I work long hours and my time is at a premium. The things I learn usually come from dealing with new software products + 3rd party plugins, and the learning curve can be so daunting that I watch the sunrise.

Lately I have noticed that web designers have been "hiding" their pages' content with JavaScripts.
This page is a good example of what you don't see (but I know that this page is making calls to a BB program).
Try it (right click <view source>).
But I have seen sites that have a couple of JS in the header or <body> that make calls for normal content hrefs, i.e. images, text, and most importantly JS that usually sits in the source to add content (drop downs, boxes, buttons, etc.).

I have not found any step-by-step overview of the concept, and instruction on how this is accomplished.

I think this is a really important (security) issue.

What I would like to do here is ask:

How is it done?

Does the content reside in another "hidden" HTML page laid out with the content that should appear?

Please keep the answers so elementary that any skill level can acquire talent, as others are watching.

I am really excited to see what happens next......

Best regards, John
 
When I view source on this page, I see everything. Many discussions have been posted in the JavaScript forum about hiding source code. In the end, you see that while you might make it more difficult to get, you cannot hide it.

One of my favorite posts is this:

javascript:void(xx=window.open(''));void(xx.document.open('text/plain'));void(xx.document.write(document.body.innerHTML))


Put that in the address bar of any page and see what it reveals. I can't remember the guru who posted it (sorry) - but I have it as a favelet...

Programming today is a race between software engineers striving to build better and bigger idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rick Cook (No, I'm not Rick)

 
If you want to hide your source then I suggest you find a good spot that no one knows about and stash it there...

...What I mean to say, barring my sarcasm, is that if it's on the web, anyone who would want to see your source or steal your images will be able to, one way or another...

The safest way to not have your source or images stolen is to not post it on the web (period).

<Signature>
Sometimes the Answer You Are LOOKING for can be FOUND BY SEARCHING THE FAQ'S @&%$*#!!!
</Signature>
 
Thank you, I have seen references to that.
More to the point are the following rules I ran into on the net, parts of which were never fully explained.

I have put my queries in < >.

1, Never, EVER, include a valid E-mail address or link into your site in the HTML source of your page. <OK, How?>

2, ALWAYS include a fake email address within your page to satisfy the search algorithm of the miner (SpamBot) program. If you are "nice", then you will make sure that your fake address is not really someone else's address. A way to measure effectiveness would be to have your fake business address point to a non-business email address that you own. That way, any mail you get there had to come from someone who mined your business site.

3, Never, EVER, flaunt yourself by making your fake address insulting - that is the way to get "bombed"! What we are trying to do here is to fake them out, and make them leave you alone. Not call attention to yourself.

4, Never, EVER, do a document.write as a way to "decrypt" data as your page loads. <What?>

5, ALWAYS wait for the person to select some function from your page before you insert the correct code. This is one of the major failings of all of the so-called encryption programs. After their page loads, all the correct, plain text is in the page Document Object of the browser cache and can be displayed with JavaScript. <as you have just shown> Make sure that the correct data does not get inserted until they hit a submit, or an email, button! <HOW?>

6, Never, EVER, include your JavaScript in the same file as the HTML. Always put it in a separate file. <HOW?>

I think this guy did a good job of laying out some of the don'ts, don't you?
 
1) use this function

    var email = "name";
    var emailHost = "domain.com";
    // the "@" is only added at run time, so the whole address never appears in the HTML source
    document.write(email + "@" + emailHost);

4) I'm assuming he means using the JavaScript function used to print out whole webpages.
5) I'm not sure what he means.
6) Link to an external JavaScript file -- check out this link for more info here


<Signature>
Sometimes the Answer You Are LOOKING for can be FOUND BY SEARCHING THE FAQ'S @&%$*#!!!
</Signature>
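The document.write trick above still leaves the assembled address sitting in the DOM as soon as the page loads, which is exactly what rules 4 and 5 in John's list warn about and what the bookmarklet earlier in the thread reveals. The following is an added example, not code from the thread, showing one way to satisfy rules 1, 5 and 6 together: the address is stored in pieces in an external script, and the real mailto: href is only written into the link when the visitor clicks it. The function names (buildAddress, buildMailto, attachRevealOnClick), the element id "contact-link" and the sample address are assumptions made for the example.

```javascript
// Added example (not from the thread): keep the address out of the static
// HTML and out of the DOM until the visitor acts. Lives in its own .js file.
// ADDRESS_PARTS, buildAddress, buildMailto, attachRevealOnClick and the
// element id "contact-link" are names assumed for this example.

// The pieces never appear joined as "john@example.com" anywhere in the
// served files, so a bot that pattern-matches around "@" finds nothing.
const ADDRESS_PARTS = { user: "john", host: "example", tld: "com" };

// Assemble the real address from its parts. Called only on demand.
function buildAddress(parts) {
  return parts.user + "@" + parts.host + "." + parts.tld;
}

// Build the mailto: URL. The subject is percent-encoded so a crafted
// value cannot smuggle extra header lines (CR/LF) into the mail client.
function buildMailto(parts, subject) {
  return "mailto:" + buildAddress(parts) + "?subject=" + encodeURIComponent(subject);
}

// Wire a placeholder link (href="#", text "email me") so the real href is
// inserted only on the first click; the browser then follows the new href.
function attachRevealOnClick(linkEl, parts, subject) {
  linkEl.addEventListener("click", function () {
    if (!linkEl.dataset.revealed) {
      linkEl.href = buildMailto(parts, subject);
      linkEl.textContent = buildAddress(parts);
      linkEl.dataset.revealed = "1";
    }
  });
}

// Browser wiring; skipped when the pure functions are exercised under Node.
if (typeof document !== "undefined") {
  const link = document.getElementById("contact-link");
  if (link) attachRevealOnClick(link, ADDRESS_PARTS, "Website enquiry");
}
```

A view-source or the innerHTML bookmarklet taken before the click shows only the placeholder; the trade-off is that visitors with scripting disabled get no address at all, so a contact form is still the better primary channel.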
 
Do spambots include the

javascript:void(xx=window.open(''));void(xx.document.open('text/plain'));void(xx.document.write(document.body.innerHTML))

to mine their info?

As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
I think this might help. I think he is doing something with PayPal.

function LoadVals (obj1) { // load the true values into the form just before it is used
    var at1 = "@";
    var dot = ".";
    var id1 = "paypal";
    var id2 = "helper";
    var typ = "com";
    var url = "aol";
    if (obj1.business) // PayPal "business" field: the receiving address
        obj1.business.value = id1 + id2 + at1 + url + dot + typ;
    if (obj1.action && obj1.action.substring(0,6) == "mailto") // form that posts by mail: fill in the real address
        obj1.action = "mailto:" + id1 + id2 + at1 + url + dot + typ;
    if (obj1.cancel_return) // return URL, built from the same pieces
        // the leading string literal was lost when the post was extracted; "www" is assumed here
        obj1.cancel_return.value = "www" + dot + url +
            dot + typ + "/" + id1 + id2 + "/spam1.html";
    return true;
}


As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
Most spambots are just that - 'bots'. They will rarely, if ever, be as crafty as a determined human. For the most part they simply rely on a simple algorithm of:

Get one page.
By pattern matching around the @ symbol, extract all email addresses from the source.
By pattern matching the "<a href" get all the links from the source.
Recursively follow all the extracted links.

Perhaps the solution could be as simple as including a robots.txt file which denies access to your "contact us" page. Otherwise mangling the email addresses as per deecee's suggestion should take care of it.

Of course it may be that the spammer just picked your domain and decided to spam random addresses eg admin@yourdomain.com, webmaster@yourdomain.com etc, in which case there's not a lot you can do to prevent that sort of spam being sent.

Never be afraid to share your dreams with the world.
There's nothing the world loves more than the taste of really sweet dreams.
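The four-step harvesting loop above is easy to reproduce, and doing so shows which of the thread's countermeasures actually defeat it. This is an added example, not code from the thread: a toy harvester run over a constructed in-memory "site" of three pages containing a plain address, an entity-encoded one and a JavaScript-assembled one. The names harvest and crawl, the sample pages and the optional deny list are all assumptions of the example; a real spambot, as the post notes, is free to ignore robots.txt, which is why honouring it is a parameter here rather than the default.

```javascript
// Added example (not from the thread): the harvesting loop described above,
// over constructed sample pages. Names (SITE, harvest, crawl) are assumed.

// A tiny in-memory "site": path -> HTML. Constructed sample data.
const SITE = {
  "/index.html":
    '<a href="/contact.html">Contact</a> <a href="/about.html">About</a>' +
    ' Write to <a href="mailto:sales@example.com">sales</a>.',
  "/contact.html":
    "Plain text: admin@example.com" +
    // entity-encoded address: no literal "@" for a naive matcher to find
    " Entity-encoded: webmaster&#64;example&#46;com" +
    // JS-assembled address: the pieces never appear joined in the source
    ' <script>var u="john",h="example.com";document.write(u+"@"+h)</script>' +
    ' <a href="/index.html">Home</a>',
  "/about.html": 'Nothing here but a <a href="/contact.html">link</a>.',
};

// Step 2: pattern-match around the "@" symbol.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Step 3: pattern-match "<a href" to collect links.
const HREF_RE = /<a\s[^>]*href\s*=\s*["']([^"']+)["']/gi;

function harvest(html) {
  const emails = html.match(EMAIL_RE) || [];
  const links = [];
  let m;
  while ((m = HREF_RE.exec(html)) !== null) links.push(m[1]);
  return { emails, links };
}

// Step 4: follow every extracted local link recursively, each page once.
// `disallow` stands in for robots.txt; a bot may simply ignore it.
function crawl(site, start, disallow = []) {
  const seen = new Set();
  const found = new Set();
  const queue = [start];
  while (queue.length) {
    const path = queue.shift();
    if (seen.has(path) || disallow.includes(path) || !(path in site)) continue;
    seen.add(path);
    const { emails, links } = harvest(site[path]);
    emails.forEach((e) => found.add(e));
    links.filter((l) => l.startsWith("/")).forEach((l) => queue.push(l));
  }
  return [...found].sort();
}
```

Running crawl(SITE, "/index.html") yields only the two addresses that appear whole in the source (admin@ and the mailto: sales@ link); the entity-encoded and script-assembled ones are missed by this simple matcher, though a slightly smarter bot that decodes entities would catch the former.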
 
OK, number one, you can't hide your source code, unless you want to try some of the methods set out in
Spambots don't really care too much about your source; they just parse your pages looking for bits of text that look like email addresses, or for other pages to parse. JavaScript might put them off their stride, but anything you do to deter spambots in this way will also affect search engine spiders - which you don't want to do.

What you can do is

1. Never use a mailto: URL to get user feedback. Use a form with some kind of CGI script behind it to email you the contents (plenty available at ). If possible, (re)name the script to something unconnected with mail, and make sure your email address is hard-coded in the script, not passed as a parameter from the form.

2. Don't use standard email addresses like webmaster@yourdomain.com, admin@yourdomain.dom, sales@yourdomain.com etc. They're too easy to guess. Configure your server so that mail sent to those addresses is automatically discarded. Use an address like johnb@yourdomain.com instead.

3. If you HAVE to display your email anywhere, do it with an image file, not with text.

4. Create a special email address just for signing up for things like this forum, and that you generally ignore. If it gets sold to spammers it won't affect your real inbox.

5. Accept that spam is, sadly, a fact of life. However careful you are, you're going to get it in the end.

-- Chris Hunt
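Point 1 above (hard-code the recipient in the script, never take it from the form) is worth seeing in code, because the classic form-mail scripts that accepted a "recipient" field were turned into open relays by spammers. The following is an added example, not Chris Hunt's or any particular CGI package's code: a form-to-mail handler that ignores any recipient the form supplies, refuses CR/LF in header fields (header injection), and returns the message it would send rather than sending it. The names buildContactMail and TO_ADDRESS and the sample addresses are assumptions of the example.

```javascript
// Added example (not from the thread): hardened form-to-mail handler.
// TO_ADDRESS, buildContactMail and the sample addresses are assumed names.

const TO_ADDRESS = "johnb@example.com"; // hard-coded, never read from the form

// Takes the submitted form fields and returns either a ready-to-send
// message object or an error. A "recipient" field in the submission (the
// old formmail.cgi weakness) is ignored entirely rather than honoured.
function buildContactMail(fields) {
  const from = String(fields.from || "").trim();
  const subject = String(fields.subject || "Website feedback").trim();
  const body = String(fields.message || "");

  // Header values must be single lines; a CR/LF would let an attacker
  // append "Bcc: victim@..." or start a whole new message.
  if (/[\r\n]/.test(from) || /[\r\n]/.test(subject)) {
    return { ok: false, error: "newline in header field" };
  }
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(from)) {
    return { ok: false, error: "invalid sender address" };
  }
  if (body.length > 10000) {
    return { ok: false, error: "message too long" };
  }

  return {
    ok: true,
    mail: {
      to: TO_ADDRESS,             // fixed destination
      replyTo: from,              // visitor's address goes in Reply-To only
      from: "webform@example.com", // fixed sender, so the script cannot forge mail
      subject: subject,
      text: body,
    },
  };
}
```

Hand the returned mail object to whatever mail library or sendmail wrapper the server uses; the point is that nothing in the HTTP request can change where the message goes or add headers to it.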
 
Chris,

One thing I don't agree with is:

Don't use standard e-mail addresses like webmaster@yourdomain.com, admin@yourdomain.dom, sales@yourdomain.com etc. They're too easy to guess. Configure your server so that mail sent to those addresses are automatically discarded. Use an address like johnb@yourdomain.com instead

If I am contacting a company and know their domain name, I would send mail to sales@ if I was looking for sales. If I had a problem with the site I would send mail to webmaster@.

Not using these addresses could end up in you losing legitimate mail.

The best way I have seen to cut down on unwanted mail is to authorise every mail based on a string of text. On the e-mail server, set up a filter rule that only allows mail to pass if there is a certain string of text in the subject or body, say for example "Wullie".

If this string isn't present, send an auto-response alerting the user that their e-mail was not sent, and what they must do to allow it to bypass your filters. For convenience's sake, include a copy of the e-mail in the auto-response so they don't have to type it out again.

I know of a site that does this but for the life of me, I can't remember what one. I'll post a link to the full explanation when I remember.

Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change.
The leader adjusts the sails. - John Maxwell
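The server-side rule Wullie describes is simple to write down precisely, and writing it down exposes one caveat the post does not mention: auto-replying to every rejected message means auto-replying to forged senders, which turns the filter into a backscatter source. This is an added example, not from the thread: a function over an already-parsed message that delivers when the pass-phrase appears in subject or body, auto-replies with instructions and a copy of the original otherwise, and discards rather than replies when the sender looks like a bounce address. The name filterByPassphrase and the sample messages are assumptions; the pass-phrase "Wullie" is the one from the post.

```javascript
// Added example (not from the thread): pass-phrase gate for incoming mail.
// filterByPassphrase and the message shape {from, subject, body} are assumed.

const PASSPHRASE = "Wullie"; // the example string from the post

// Returns what the server should do with a parsed message:
// deliver it, discard it silently, or send an instructional auto-reply.
function filterByPassphrase(msg, passphrase = PASSPHRASE) {
  const needle = passphrase.toLowerCase();
  const hit =
    (msg.subject || "").toLowerCase().includes(needle) ||
    (msg.body || "").toLowerCase().includes(needle);
  if (hit) return { action: "deliver", mail: msg };

  // Never auto-reply to bounce/daemon addresses or an empty return path:
  // spam routinely forges the sender, and the reply would hit a third party.
  if (!msg.from || /^(?:mailer-daemon|postmaster|bounce)/i.test(msg.from)) {
    return { action: "discard" };
  }

  // Bounce with instructions and a copy of the original so the sender
  // does not have to retype it.
  return {
    action: "autoreply",
    reply: {
      to: msg.from,
      subject: 'Not delivered: please add "' + passphrase + '" to your subject',
      text:
        "Your message was not delivered. Please resend it with the word \"" +
        passphrase + "\" in the subject line.\n\n--- original message ---\n" +
        (msg.body || ""),
    },
  };
}
```

Once the pass-phrase is published on a web page it is as harvestable as the address itself, so this is a speed bump against unattended bots rather than a secret; rotating the phrase and keeping the discard rule for daemon senders are what keep it from doing harm.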
 
Wow! that's a brilliant idea. Digging a little deeper, though, I see that the product they're using - Choicemail - runs on the email client, rather than on the server. So you're still going to have to download all that rubbish before you discard it.

I stand by my original advice (although actually I don't follow it yet myself). Surely, if you are "contacting a company and know their domain name", you'd go to their web site wouldn't you? If you're worried about losing valid mail, put an autoresponder on that account saying something like "Sorry this account gets too much spam, please use the online form at or send this message to someothername-at-blah.com (replacing -at- with an @ sign)"


-- Chris Hunt
 
Hi mate,

Their method might be to do this on the client but most mail servers have filter options, so it could be done very easily on the server side. It would only take a few minutes to set this up on a server.

If I was contacting a company, I would check their website but there are so many domains that don't include contact e-mails for webmaster, or they only have an online form for sales. If I wanted to make sure my request got to the webmaster and there was only a sales link, I would still use webmaster@domain.

Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change.
The leader adjusts the sails. - John Maxwell
 