Please address your comments to the folks that maintain Wine's Bugzilla.

Gah. Was typing in a hurry, and hit send before I could add one more piece I wanted to add, which was:

It would be really helpful if you could add a constructive comment. So, for example, if you could download and install the current WineHQ version of Bugzilla and determine what settings mask the emails, or work up a patch that accomplishes that, I'm sure that Jeremy (or one of the other admins) would be happy to make that change.

Jumping up and down and demanding work from a volunteer tends not to work well (heck, it never seems to work for me for the people I pay <grin>).

Cheers,

Jeremy

Joerg Mayer wrote:

http://www.bugzilla.org/features/#eam

As far as I can see from a real-world Bugzilla, Bugzilla's HTML munging means replacing the @ character with the HTML entity "&#64;".

That's a stupid scheme. Even if it replaced all the characters, it would be a stupid scheme:

First, it's takes 10 minutes for a coder to implement a workaround against.

Second, the HTML standard even *requires* you to decode such characters inside the "href=" attribute.

There's absolutely no incentive for a spammer *not* to incorporate a decoder for HTML entities in his/her harvester as far as I can see, and with Bugzilla using HTML entities, it won't take long before one of them does. In fact, most of them probably does already.

A much better scheme would use encryption via Javascript: a) Decryption takes time, for a spam harvester time equals money. b) We can do our best to make sure that the spammer actually needs to *run* the Javascript to decrypt addresses, by for example changing the keys, or even obfuscating the way the key is assembled as a string in the Javascript decrypt() function with some PHP. Running actual Javascript from web pages harvested will slow down a harvester, or crash it, and it's exceedingly difficult, so it's very unlikely that someone is going to do that in a harvester.

That would be an efficient scheme, as far as I can see.

It could be implemented like this: 1) A snippet of PHP code on the server side to encrypt e-mail addresses 2) A snippet of Javascript on the client side to decrypt e-mail addresses 3) mailto: links would look like this:

<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234)'"><script type='javascript'>mail me</a>

<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234')"><script type=javascript>document.write(decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234'));</script></a>

I've just tested it, btw. The above method of returning "mailto:joe@example.com" from Javascript works fine, both in IE, Firefox, Opera and Konqueror.

4) Or like this

<head> <script type=javascript> function decrypt_all_mailto() { var links = document.getElementByTagName('A'); for (var i=0;i<links.length;i++) { var href = String(links[i].href); if href.substring(0,10) == "#decryptme" { var decrypted = decrypt(href.substring(10)); links[i].href = "mailto:" + decrypted; links[i].innerHTML = decrypted; } } } </script> </head> <body onload='decrypt_all_mailto()'> <a href='#decryptme1234,4231,2343,3421,23432,1234,321,1234,321,234' /> <a href='#decryptme756,56,43,456,234,8,6,2134,43,576,85,23,111,234' />

PS. It's not an original idea by me, by the way. Can't remember where I read about it, but someone else out there implemented some sort of JavaScript email obfuscator.