Got some very strange spam

MattBeard Peon

Messages:: 259

Likes Received:: 5

Best Answers:: 0

Trophy Points:: 0

#1

I got a very strange e-mail sent to the admin address of a website that I use to promote and support some Open Source software. It is a well written e-mail (none of the normal spam junk), but looks more like a blog article than an e-mail.

It is entitled "Protecting your source code from analysis and reuse by competitors" and details the benefits of code obfuscation for web-code.

There are only two links in the e-mail, one to the search page of sharetheware (dot) com and another to a page about Flexelint (but it doesn't seem to be suggesting that I should use it).

The e-mail seems to be well targetted (sent to the admin address of a site supporting software development) except for the fact that the code on the site is Open Source.

Any thoughts?

MattBeard, Jul 26, 2006 IP

Bondat Peon

Messages:: 2,397

Likes Received:: 217

Best Answers:: 0

Trophy Points:: 0

#2

Post the content of the email here.

Bondat, Jul 26, 2006 IP

Blogmaster Blood Type Dating Affiliate Manager

Messages:: 25,924

Likes Received:: 1,354

Best Answers:: 0

Trophy Points:: 380

#3

Spammers are getting smarter. Rather than suggesting you use it, they want to point your interest into that direction

Blogmaster, Jul 26, 2006 IP

MattBeard Peon

Messages:: 259

Likes Received:: 5

Best Answers:: 0

Trophy Points:: 0

#4

This is the text of the e-mail:
Protecting your source code from analysis and reuse by competitors
One day a client asked us to produce a special CD version of the website we created for him (so that the web server and database server could be run directly from a CD inserted in the user's computer). Finding a toolkit on Google that would allow producing such a CD was rather easy. There are several webservers on the market designed to run from CD; some even allow the same CD to be used on several platforms, i.e. Windows, Mac OS X and even Linux.

That site used several dozens of PHP files we've created, and to protect them, we used one of PHP encoders available on the market.

The site also used a lot of complex JavaScript code that was our important intellectual property, so we were rather concerned by the fact that anyone could take our JavaScript code and adapt it for use in their own projects. We turned again to Google and found that there are special tools called "obfuscators" that rename variables and functions to meaningless strings like s2jE9j4RMt or names that are as short as possible, remove comments and all extra space characters. It turned out that such tools exist for almost all popular programming languages, including JavaScript. You can see a sample list of such obfuscation tools for Javascript here.
//--------------------------------------------------------------------------
// Here goes some comment with sensitive private information about the code.
//--------------------------------------------------------------------------

function CalculateSalary(aEmployees)
{
   var nEmpIndex = 0;
   while (nEmpIndex < aEmployees.length)
   {
      var oEmployee = aEmployees[nEmpIndex];
      oEmployee.fSalary = CalculateBaseSalary(oEmployee.nType,
                                           oEmployee.nWorkingHours);
      if (oEmployee.bBonusAllowed == true)
      {
         oEmployee.fBonus = CalculateBonusSalary(oEmployee.nType,
                                                 oEmployee.nWorkingHours,
                                                 oEmployee.fSalary);
      }
      else

      {
         oEmployee.fBonus = 0;
      }
      oEmployee.sSalaryColor = GetSalaryColor(oEmployee.fSalary +
                                              oEmployee.fBonus);
      nEmpIndex++;
   }
}
Code (markup):
Here is the obfuscated version of the same JavaScript code:
function c(g){var m=0;while(m<g.length){var r=g[m];
r.l=d(r.n,r.o);if(r.j==true){
r.k=e(r.n,r.o,r.l);}else{r.k=0;}r.t=f(r.l+r.k);m++;}}
Code (markup):
As you can see, the obfuscated JavaScript code is extremely hard or impossible to understand. Also, its size is much smaller, resulting in shorter download times and less bandwidth used. browser.

Some obfuscators provide even more protection -- like uglification of names (using long meaningless names), string and integer uglification and encoding of the result.

The output files such tools create are almost impossible for a human to understand. Google itself also uses such an obfuscation tool to scramble and minimize the size of JavaScript code in Gmail - just login to Gmail and examine the source of webpages for yourself.

Since that project, we've used obfuscation to protect a lot of our projects, including obfuscation of ASP code. Several tools exist even for obfuscation of PHP, Python, Perl and TCL languages, so we feel much less nervous after discovering the safety obfuscation provides.

It turns out that some people are using obfuscators for protection of source code written in compiled languages, like C#, Ada, C/C++ and Java. There are companies selling cross-platform software that prefer to ship it as obfuscated source code instead of providing executables for every operating system; they expect customers to build their software on the platform on which they wish to use it - for example FlexeLint for C/C++ by Gimpel Software is distributed as obfuscated C code.

We are excited by the increased safety obfuscation provides for our intellectual property, and strongly recommend all developers use this technology!

Happy developers who use
obfuscation and encoding technologies
Click to expand...

MattBeard, Jul 26, 2006 IP

Log in or Sign up

Got some very strange spam - or is it?

MattBeard Peon

Bondat Peon

Blogmaster Blood Type Dating Affiliate Manager

MattBeard Peon

Log in or Sign up

Got some very strange spam - or is it?

MattBeard Peon

Bondat Peon

Blogmaster Blood Type Dating Affiliate Manager

MattBeard Peon

Useful Searches