Gossamer Forum

Paypal Scam - Spam - Robots ?

Is anyone having PayPal spam problems while using LinksSQL?

I wanted to see if the spam was coming from somewhere else, so I added a new PayPal email account, then added it to the payment options in LinksSQL.

Did the normal pay for inclusion option and within 2 weeks the new paypal email address was SPAMMED. I understand people crawl sites to grab email addresses and apparently they are showing through in the payment section.

Anyone having issues or a repair for this problem?

Sandra Roussel
Chonsa Group Design - Fresh Start Housing
Re: [SandraR] Paypal Scam - Spam - Robots ? In reply to
Took me a bit, but I found the answer and it's actually working great:


Hide email addresses and links.

* 23 February, 2005 - improved link modifying code.
* 24 April, 2004 - expanded description and function.

The purpose of this offering is only to hide email addresses and links from programs that mine pages for such information. The techniques used here will effectively hide these things from those 'bots.

This is really simple to do. But you must follow some simple rules, and make sure your HTML is clean of any reference to either E-mail, or links into vital areas of your business. Here is how simple it is to do...

* Never, EVER, include a valid E-mail address or link into your site in the HTML source of your page. This includes "meta" statements which are a source for 'bots.
* ALWAYS include a fake email address within your page to satisfy the search algorithm of the miner program. If you are "nice", then you will make sure that your fake address is not really someone else's address. A way to measure effectiveness would be to have your fake business address point to a non-business email address that you own. That way, any mail you get there had to come from someone who mined your business site.
* Never, EVER, flaunt yourself by making your fake address insulting - that is the way to get "bombed"! What we are trying to do here, is to fake them out, and make them leave us alone. Not call attention to ourselves.
* Never, EVER, do a document.write as a way to "decrypt" data as your page loads. ALWAYS wait for the person to select some function from your page before you insert the correct code. This is one of the major failings of all of the so-called encryption programs. After their page loads, all the correct plain text is in the page Document Object of the browser cache and can be displayed with JavaScript. With my system the correct data does not get inserted until you hit a PayPal buy, or an email, button!
* Never, EVER, include your JavaScript in the same file as the HTML. Always put it in a separate file. This does not hide it, but creates another step that may be discouraging.
* This simple example only plugs the "business" value in the PayPal button, and a reference E-mail address. It may be expanded to include the "return", or the "cancel_return" links, or the IPN links - it is pretty simple to do.

What this will not protect you from is some Beavis that decides to "hack" you. In this case you must resort to other techniques. The most common is to have two E-mail addresses - one that is public, and one that you only give out to verified customers. This is not perfect, either, but it delays the bombardment by spammers.

A more complex approach is to have your primary E-mail address hosted by a service such as Yahoo!, and make use of their SpamGuard software. It is actually pretty good, and filters out over 95% of the crap messages you normally get.

One of the new advantages of larger ISPs is that they are filtering out viruses, and "spam" better than you can do it yourself. Smaller ISPs are gonna have to catch up!

View the source of this page, and see what is there. There is nothing for a spam 'bot to harvest! (except for the fake stuff!)

In the JavaScript (JS) there are three functions: One is designed for any FORM that contains a PayPal "business" reference that is called from the onsubmit event handler (EH) of every FORM in your site (FixBusi), one that will correct any link within the FORM (FixLink), and the last is an EH called from any email link in your site (FixMail). See how I did it in this example.


* Put the JavaScript (JS) in a file by itself.
* Include a selection of it in the "head" section of your document.
* Make calls to the JS functions from EHs in your page.

All your "fake" addresses shall be changed to correct addresses when the user selects functions from your site - and not before. And 'bots mining browser cache just get the fake stuff!

This works better than any "encryption" foolishness ever thought of working. Establish a "real" fake email address and you can verify my claim.

List out the HTML source, and the JavaScript (JS) to follow along.

First note my three fake references in the HTML...

* http://yahoo.com/ron853211/ link
* ron853211@yahoo.com PayPal business ID
* mailto:ron853211@yahoo.com mail address

And notice how the JS changes all of them to the real values of...

* http://members.aol.com/paypalhelper/ link
* paypalhelper@aol.com PayPal business ID
* mailto:paypalhelper@aol.com mail address

And notice the three JS functions that perform the conversion...

* FixLink - fixes the link reference.
* FixBusi - fixes the PayPal business ID.
* FixMail - fixes any email references.

To "fix" a link, business ID or email address, include the appropriate call in an Event Handler of the affected item. Notice how this is done in the HTML.

Now, "ron853211" is a valid email reference, and is used to measure effectiveness. Any hits I get there come from mining operations on my site.

In the JS the global data divides my real path names into several parts. The reason for this is so that the real string does not exist in one place - in a single string that can be read by programs.

Remember, this does not slow people down very much, but it stops programs reading pages on the internet from getting valid link and email addresses - it stops them cold!

Since the JS is on an AOL page I decided to post it here.
// global variables to form MY addresses
// (the real address is kept in pieces so it never appears as one string)
var pref = "members.";  // special prefix, or ""
var at1  = "@";
var dot  = ".";
var typ  = "com";
var id1  = "paypal";    // real id1
var id2  = "helper";    // real id2
var url  = "aol";       // real URL
var fid1 = "ron";       // fake id1
var fid2 = "853211";    // fake id2
var furl = "yahoo";     // fake URL

function FixBusi (obj1) {            // PayPal FORM business value
    var tmp;
    if (obj1.business) {             // see what is in this form
        tmp = obj1.business.value;
        obj1.business.value = id1 + id2 + at1 + url + dot + typ;
        alert ("Fake business was ... \n " + tmp + "\n\n\n" +
               "Real business is ... \n " + obj1.business.value);
    }
    return true;                     // make it work...
}

function FixLink (obj1) {            // fix any PayPal link in calling FORM
    var i, obj, tmp, org, ary = new Array();
    for (i = 0; i < obj1.length; i++) {       // run whole FORM
        obj = obj1.elements[i];               // address an element
        org = obj.value;
        if (typeof org != "string") continue; // element has no value (e.g. fieldset)
        tmp = org;                            // place holder
        ary = tmp.split (furl);               // do we have a fake
        if (ary.length > 1) {                 // still a fake
            tmp = ary.join (pref + url);
            obj.value = tmp;
            alert("Fix URL... \n\n" +
                  obj.name + " value was ... \n " + org + "\n\n\n" +
                  "New value IS ... \n " + tmp);
        }
        org = tmp;                            // any more stuff to fix?
        ary = tmp.split (fid1 + fid2);        // have a fake ID here?
        if (ary.length > 1) {                 // still a fake
            tmp = ary.join (id1 + id2);
            obj.value = tmp;
            alert("Fix ID... \n\n" +
                  obj.name + " value was ... \n " + org + "\n\n\n" +
                  "New value IS ... \n " + tmp);
        }
    }
}

function FixMail (obj1) {            // fix a hyperlink mail addr
    var tmp;
    tmp = obj1.href;
    obj1.href = "mailto:" + id1 + id2 + at1 + url + dot + typ;
    alert ("Fake E-mail address was ... \n " + tmp + "\n\n\n" +
           "Real E-mail address is ... \n " + obj1.href);
    return true;                     // make it work...
}

Sandra Roussel
Chonsa Group Design - Fresh Start Housing

Last edited by:

SandraR: Jun 19, 2006, 11:41 AM
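
Added example (not part of the original posts or the quoted article): a pre-publish audit for the first rule above, checking that no real address can be read from the static HTML or JS source, including when it is written as HTML entities or percent-encoded. The function names, sample markup and example.com addresses are constructed for illustration.

```javascript
// Added example; function and sample names are hypothetical, addresses are constructed.
// Decode the two encodings commonly used to "hide" an address in static HTML.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&commat;/gi, "@")
    .replace(/&period;/gi, ".");
}
function decodePercent(s) {
  // Only well-formed %XX is decoded, so a stray "%" (e.g. "width:100%") cannot throw.
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Report every real address readable from `source` without running any script.
function auditSource(source, realAddresses) {
  const views = [
    ["plain text", source],
    ["HTML entities", decodeEntities(source)],
    ["percent-encoding", decodePercent(source)],
  ];
  const findings = [];
  for (const addr of realAddresses) {
    const needle = addr.toLowerCase();
    for (const [encoding, text] of views) {
      const at = text.toLowerCase().indexOf(needle);
      if (at === -1) continue;
      const context = text.slice(Math.max(0, at - 25), at + needle.length + 5);
      findings.push({ address: addr, encoding, context });
      break; // one finding per address is enough to fail the audit
    }
  }
  return findings;
}

// Constructed sample input: a decoy address in the markup, one leak in a meta tag.
const REAL = ["billing@example.com"];
const LEAKY_PAGE = [
  '<meta name="reply-to" content="billing&#64;example&#46;com">',
  '<a href="mailto:decoy@example.com" onclick="return FixMail(this)">Mail us</a>',
  '<input type="hidden" name="business" value="decoy@example.com">',
].join("\n");
const CLEAN_PAGE = LEAKY_PAGE.split("\n").slice(1).join("\n");
const SPLIT_JS = 'var id1 = "bill", id2 = "ing", at1 = "@", url = "example", typ = "com";';

for (const [name, src] of [["leaky", LEAKY_PAGE], ["clean", CLEAN_PAGE], ["split JS", SPLIT_JS]]) {
  console.log(name, auditSource(src, REAL));
}
```

The audit covers static source only; it says nothing about what is in the DOM after a visitor triggers one of the fix-up handlers.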