Story #94904: Is spamProtectEmailAddresses still worth keeping around? - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (11)

Česlav Przywara
Daniel Corn
Daniel Haupt
Daniel Siepmann
Felix Nagel
Henrik Ziegenhain
Karina Helena Reinhardt
Oliver Hader
Sven Teuber
Tobias Stahn
Wittkiel Gruppe

Actions

Copy link

Story #94904

open

Is spamProtectEmailAddresses still worth keeping around?

Added by Benni Mack over 3 years ago. Updated over 1 year ago.

Status:

New

Priority:

Should have

Assignee:

Category:

Frontend

Target version:

Start date:

2021-08-16

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Sprint Focus:

Description

This question is around for quite some time, and I think it's worth discussing whether this option makes sense or not, or if we should deprecate it.

The main issue with having it around is still some quirks in our code base. Mainly the issue is regarding Content-Security-Policy (spamProtectEmailAddresses does not work with proper CSPs), and having inline JS which is output in Frontend (e.g. a separate JS file for the 50 lines of code).

I think it's best to have good and qualified feedback with statistics and numbers before we should move on regarding this feature.

Related issues 2 (1 open — 1 closed)

Related to TYPO3 Core - Bug #89910: spamProtectEmailAddresses doesn't work as expected with value "ascii"

Closed

2019-12-10

Actions

Related to TYPO3 Core - Feature #81939: Allow right click and copy for spam protected email addresses

Under Review

2017-07-21

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Jan Kiesewetter over 3 years ago

It’s not a 100% solution, but fighting against Spam is important on all fronts. It saved resources and money if addresses don’t get crawled in first place.
If there is good library that can replace the code base this would be the best solution IMO.

Actions

Copy link

Updated by Oliver Hader over 3 years ago

There are aspects that don't make much sense - like ASCII or HEX encoding to HTML entities.
However, there are measurements that do make sense and can be enhanced (e.g. having something like CloudFlare provides).

In order to get some numbers, I've started https://empirical-experiments.de/ - it'll will take some time until bots process it. In particular the different test are located at https://empirical-experiments.de/blog/email-markup

Actions

Copy link

Updated by Oliver Hader over 3 years ago

Research studies I found so far only focussed on detecting(!) spam on a server-level.
Adding some more potential references (in terms of "opinions"):

https://mailtrap.io/blog/email-obfuscation/
https://perishablepress.com/best-method-for-email-obfuscation/
https://superuser.com/questions/235937/does-e-mail-address-obfuscation-actually-work

Actions

Copy link

Updated by Sven Teuber about 3 years ago

So, according to the links Oliver provided, javascript encryption (numeric value for spamProtectEmailAddresses) still seems to be pretty effective - and is, by the way, not "broken" by the html sanitizer, since the javascript:linkTo_UncryptMailto-href is left untouched (at least in 9.5.30, will check 10.4 later today).

So the only problem seems to be finding good values for spamProtectEmailAddresses_atSubst and spamProtectEmailAddresses_lastDotSubst. (at)/(dot) are probably not the best values. Some JS call like <script>obscureAt()</script> worked until the latest html sanitizer changes, BUT can be easily turned around to something like:

<a href="javascript:linkTo_UncryptMailto(xyz...);">mail*company#tld</a>

JS:
$('a[href^="javascript:linkTo_UncryptMailto"]').each(function(e) { // Substitute at/dot here });

As long as the substitute characters are non-valid characters or "unique enough" (think of something like ~.~ ;-)), this solution should be compatibly with almost all mail addresses out there - and won't be affected by html sanitizing, since there is not <script> tag in the HTML.

Of course, there may always be one very sophisticated spam harvester that fully parses all JS on a page, but as long as 99% of all "stupid" harvesters are blocked, it will make a difference if the mail addresses are spam-protected in some way.

+ 1 for keeping spamProtectEmailAddresses

Actions

Copy link