Software Secret Weapons™
Fighting spam with SEIG – Secure Email Image Generator by Pavel Simakov on 2007-09-10 17:42:36 under Spam & Bots
The Problem
Preventing spam from getting into the personal email inbox is the number one privacy concern of any privacy-conscious Internet user. Many large-scale e-commerce sites have implemented various schemes to safeguard your email address, but smaller providers of forum and collaborative platform software lag behind. Internet forum software like PHPBB and collaboration software like Drupal and Joomla are very popular, but can expose email addresses to spammers. PHPBB, for example, shows a listing of all registered users with their email addresses printed in plain text right next to the user names. Any spammer or bot can crawl the forum and harvest the email addresses. Even if the user listing is disabled, any email address included as part of a forum message is in danger: the forum post, unless specifically protected, can be harvested too.

The Solution
One can convert an email address from plain text to another representation: obfuscated text, encrypted text, an image, etc. {1, 2}. In this post I describe SEIG (Secure Email Image Generator), a PHP library that can be added to PHPBB, Drupal, Joomla or any other PHP package of your choice. With less than 100 lines of PHP code, the SEIG library converts email addresses from text to images on the fly. Let me show you how the SEIG library can improve email address privacy by securing the members list and posts in PHPBB 2.0.22. Download the SEIG PHP library, the image generation script and monofont.ttf and place all three files into the root of your PHPBB installation. You can place them anywhere, but I chose this location to simplify the explanations; we also assume that PHPBB is installed in the "/forum" folder.

Securing email addresses in memberlist.php
Open and edit /forum/common.php; find the section of code where includes are done (around line 191) and add a reference to the SEIG library like this:
include($phpbb_root_path . 'includes/constants.'.$phpEx);
include($phpbb_root_path . 'includes/template.'.$phpEx);
include($phpbb_root_path . 'includes/sessions.'.$phpEx);
include($phpbb_root_path . 'includes/auth.'.$phpEx);
include($phpbb_root_path . 'includes/functions.'.$phpEx);
include($phpbb_root_path . 'includes/db.'.$phpEx);
// new line is here
require_once($phpbb_root_path . "oySeig.php");
Open and edit /forum/memberlist.php; find the section of code that renders the email address (around line 184) and edit this section to read as follows:
if ( !empty($row['user_viewemail']) || $userdata['user_level'] == ADMIN )
{
    // new lines are here: derive the per-session key, encrypt the address
    // and reference the image generation script instead of printing text
    $em_secret = md5($userdata['session_start'].$userdata['session_id']);
    $seig = new OYSeig();
    $email = $seig->encodeURL($row['user_email'], $em_secret);
    $email_img = '<img src="/forum/emgif.php?'.$email.'">';
    $email = $email_img;
}
else
{
    $email_img = 'hidden ';
    $email = ' ';
}
Securing email addresses in bbcode.php
Open and edit /forum/includes/bbcode.php; find the section of code (around line 635) that turns email addresses into mailto links and replace these lines of the original code:
// matches an email@domain type address at the start of a line, or after a space.
// Note: Only the following chars are valid; alphanums, "-", "_" and or ".".
$ret = preg_replace(
    "#(^|[\n ])([a-z0-9&\-_.]+?)@([\w\-]+\.([\w\-\.]+\.)*[\w]+)#i",
    "\\1<a href=\"mailto:\\2@\\3\">\\2@\\3</a>", $ret );
with a callback that replaces the plain-text email with an image reference:
// replace plain text email with image reference
$ret = preg_replace_callback(
    "#(^|[\n ])([a-z0-9&\-_.]+?)@([\w\-]+\.([\w\-\.]+\.)*[\w]+)#i",
    "mailToLambda", $ret );
and add the callback function itself:
function mailToLambda($matches){
    global $userdata;
    $em_secret = md5($userdata['session_start'].$userdata['session_id']);
    $seig = new OYSeig();
    // put back the leading newline or space captured by the first group,
    // exactly as the original "\\1" replacement did
    return $matches[1].
        "<img src='/forum/emgif.php?".
        $seig->encodeURL($matches[2]."@".$matches[3], $em_secret).
        "'>";
}
How SEIG Works
What is going on here? We simply convert the plain text of the email address into a reference to an email image. The SRC attribute of the IMG tag carries the email in encrypted form (using the MCRYPT_RIJNDAEL_256 method of the mcrypt PHP library). The key for this encryption is unique to each user session and is composed of the session start time (session_start) and the session id (session_id). The image is generated by the image generation script /forum/emgif.php, presented below. It initializes the forum objects, computes the encryption key and decodes the email from the query string. If all went well, it renders the email address image; otherwise it shows the "no spam" image.
<?php
// connect to forum
define('IN_PHPBB', true);
include_once('extension.inc');
include_once('common.'.$phpEx);
// load user data for this session
$userdata = session_pagestart($user_ip, PAGE_INDEX);
// connect SEIG library
require_once 'oySeig.php';
// get current key: the same derivation used when the image reference was built
$em_secret = md5($userdata['session_start'].$userdata['session_id']);
// decrypt the email from the query string
$seig = new OYSeig();
$text = $seig->decodeURL($em_secret, $_REQUEST);
if ($text === false){
    // failure: wrong session or damaged query string, render "no spam" in red
    $seig->renderGif("[no spam]", 255, 0, 0);
} else {
    // success: render the email address in blue
    $seig->renderGif($text, 0, 80, 160);
}
?>
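To make the whole flow visible in one place, here is an added Python model of the scheme described in the bbcode.php step and in the emgif.php script above. It is example code written for this page, not the SEIG library's own code: SEIG encrypts with MCRYPT_RIJNDAEL_256, which Python's standard library does not provide, so the model substitutes an HMAC-SHA256 keystream plus an HMAC tag (my own stand-in construction, chosen so that a token built under another session's key is rejected rather than decrypted into garbage). The query parameter name `e`, the token layout and the session values are assumptions; the key derivation md5(session_start . session_id) and the email pattern are the ones the post uses.

```python
"""Model of the SEIG flow: per-session key, encoded email token in the IMG
src, and emgif.php's choice between the email image and "[no spam]".
Added example, not the SEIG library's code.  Rijndael-256 is replaced by
an HMAC-SHA256 keystream with an HMAC tag (stand-in, stdlib only)."""
import base64
import binascii
import hashlib
import hmac
import os
import re


def session_secret(session_start, session_id):
    # Same derivation as the post: md5(session_start . session_id),
    # used as the hex string the PHP code passes to OYSeig.
    return hashlib.md5(f"{session_start}{session_id}".encode()).hexdigest().encode()


def _keystream(secret, nonce, length):
    # CTR-style keystream: HMAC(secret, nonce || counter) blocks, truncated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encode_url(email, secret, nonce=None):
    """Query string for emgif.php (parameter name 'e' is an assumption)."""
    nonce = os.urandom(8) if nonce is None else nonce
    data = email.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(secret, nonce, len(data))))
    tag = hmac.new(secret, nonce + ct, hashlib.sha256).digest()[:16]
    token = base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")
    return "e=" + token


def decode_url(secret, query):
    """Inverse of encode_url; returns the email, or False like OYSeig::decodeURL."""
    m = re.fullmatch(r"e=([A-Za-z0-9_-]+)", query)
    if not m:
        return False
    b64 = m.group(1)
    try:
        raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except binascii.Error:
        return False
    if len(raw) < 8 + 16:
        return False
    nonce, ct, tag = raw[:8], raw[8:-16], raw[-16:]
    expected = hmac.new(secret, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False  # wrong session key or tampered token
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(secret, nonce, len(ct))))
    try:
        return pt.decode()
    except UnicodeDecodeError:
        return False


# phpBB's email pattern from bbcode.php, as quoted in the post.
EMAIL_RE = re.compile(r"(^|[\n ])([a-z0-9&\-_.]+?)@([\w\-]+\.([\w\-\.]+\.)*[\w]+)", re.I)


def rewrite_post(text, secret):
    """The bbcode.php step: swap each email for an image reference, putting
    back group 1 (the leading newline/space the pattern consumed)."""
    def repl(m):
        token = encode_url(m.group(2) + "@" + m.group(3), secret)
        return m.group(1) + "<img src='/forum/emgif.php?" + token + "'>"
    return EMAIL_RE.sub(repl, text)


def serve_image(secret, query):
    """The emgif.php decision: (text to render, RGB colour)."""
    text = decode_url(secret, query)
    if text is False:
        return "[no spam]", (255, 0, 0)
    return text, (0, 80, 160)


if __name__ == "__main__":
    # Constructed sample sessions, not real ones.
    viewer = session_secret(1189445000, "9f3c2a1e")
    other = session_secret(1189445100, "deadbeef")
    post = rewrite_post("Mail me: alice@example.org for the file", viewer)
    print(post)
    query = post.split("emgif.php?")[1].split("'")[0]
    print(serve_image(viewer, query))  # viewer's own session: email rendered
    print(serve_image(other, query))   # any other session: "[no spam]"
```

Run it directly to see one post rewritten and the same image URL decoded under the viewer's session but rejected under a different one. That rejection is the property the post relies on: a harvested image URL is bound to the session that produced it, so a crawler that copies the URL out of the page gets the "[no spam]" image, not the address.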
References
Comments (32)
Copyright © 2004-2010 by Pavel Simakov. Any conclusions, recommendations, ideas, thoughts or source code presented on this site are my own and do not reflect an official opinion of my current or past employers, partners or clients.
Comment by Brian — December 4, 2007 @ 1:58 am
The oySeig php library link is to a blank file. Am I missing something here?
Comment by zeno — February 3, 2008 @ 10:06 am
Very interesting. Does this work with phpBB3?
Thanks.
Comment by Pavel Simakov — February 3, 2008 @ 3:18 pm
Yes, it works in general with anything including phpBB3, but you have to patch the phpBB3 code yourself.
Comment by Pavel Simakov — February 3, 2008 @ 3:21 pm
I just received this cute email that is directly relevant to the article:
Hi!!! hope you are doing well. we the leading data processing company in Bangladesh. Currently we are providing 300000+ captcha entry per day by our 55 operators and this is increasing very soon. Now we want to do long term business. You are the creator of captcha and you can help us.
Please try us, we can give you the quick service.
Thank you very much,
Best Regards
%NAME%, Bangladesh
Comment by vbulletin — February 5, 2008 @ 9:33 am
How to make it work for a vBulletin forum?