Someone recently published an address list with all the details of a group I'm in into the member's area of the website. Aside from the fact that the address list was not supposed to be visible to everyone in the group, a lot of questions were raised as to the safety of the information from spam combers. The member's area is password protected. Does this protect it from software that is looking for email addresses? I thought, in order to protect this information, it had to be either encrypted or it had to be entered into one of the special email forms that some websites have. Does a password which protects a person from entering a webpage actually protect this data as well?
Zllio
Are password protected areas safe from bots?
#3
Posted 19 November 2008 - 11:11 AM
If the server is set up improperly, then a password is largely meaningless. On servers, there is a text file that sets permissions for search engine bots called robots.txt. It is possible that permissions were set to allow the bots into protected areas. Spammers can 'fool' servers into thinking that they are a googlebot, etc., and get access to areas that they are not supposed to have access to. Or, some member may have just posted the information to be malicious. Or someone had their password compromised, etc, etc.
There are hundreds of ways which a server can be attacked.
Quote
I thought, in order to protect this information, it had to be either encrypted or it had to be entered into one of the special email forms that some websites have.
The only place that encryption is going to help is when the information is being passed from the client to the server (or vice-versa), and on the server. Once the material is published as HTML, then it is plain English. It is possible to use spiders/bots to read the raw html of a web site and parse it for email addresses. That is why we do not allow our members to use emails in their posts, or as user names.
There is no such thing as a 'special email form.' The data can be handled in such a way that it is very difficult to recover while being transmitted back and forth, but it is still not impossible to intercept. I don't think that is what happened here though since all details of a group were released. That indicates to me a server misconfiguration, or malicious user, or compromised password.
"Take the risk of thinking for yourself, much more happiness, truth, beauty, and wisdom will come to you that way" - Christopher Hitchens
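An added illustration of the point made in the post above, not code from any poster or from the site under discussion: robots.txt only tells well-behaved crawlers what to skip, and a User-Agent header is set by the client, so neither one is access control. The function names, the sample robots.txt and the DNS tables are constructed for this example; the crawler domain suffixes follow Google's published guidance for verifying Googlebot.

```python
from urllib import robotparser

# Constructed robots.txt asking crawlers to stay out of the members area.
ROBOTS_TXT = "User-agent: *\nDisallow: /members/\n"

# Constructed DNS data (documentation address ranges), standing in for real
# lookups such as socket.gethostbyaddr / socket.gethostbyname_ex.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "fake.googlebot.com",      # PTR set by the IP's owner
       "203.0.113.5": "host5.example.net"}
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}  # no record for "fake"
CRAWLER_DOMAINS = (".googlebot.com", ".google.com")
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1)"  # any client can send this

def robots_allows(path, agent="*"):
    """What a polite crawler decides for itself; the server enforces nothing."""
    rp = robotparser.RobotFileParser()
    rp.parse(ROBOTS_TXT.splitlines())
    return rp.can_fetch(agent, path)

def is_verified_crawler(ip, rdns=PTR.get, fdns=lambda h: A.get(h, [])):
    """Forward-confirmed reverse DNS: the PTR name must sit in a crawler
    domain AND resolve back to the connecting IP."""
    host = (rdns(ip) or "").lower().rstrip(".")
    return host.endswith(CRAWLER_DOMAINS) and ip in fdns(host)

def weak_gate(session_valid, user_agent):
    """Misconfiguration: grants access on a header the client controls."""
    return session_valid or "googlebot" in user_agent.lower()

def strict_gate(session_valid, user_agent, ip, admit_crawlers=False):
    """Logged-in members only; crawlers only if the site opts in and the
    claimed identity is confirmed via DNS, never on the header alone."""
    if session_valid:
        return True
    if admit_crawlers and "googlebot" in user_agent.lower():
        return is_verified_crawler(ip)
    return False

if __name__ == "__main__":
    print("robots.txt allows /members/list.html:",
          robots_allows("/members/list.html"))
    for ip in PTR:
        print(ip, "weak:", weak_gate(False, BOT_UA),
              "strict:", strict_gate(False, BOT_UA, ip, admit_crawlers=True))
```

With `admit_crawlers` left at its default, the members area is readable only with a valid session, which is the setting that fits a private address list.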
#4
Posted 19 November 2008 - 12:29 PM
Thanks Groovicus!
There has been as yet nothing compromised, but there's a raging discussion about what if ...
Most of that discussion centers around whether or not an address list published in a password protected area of a website is protected from bots. Your answer is helpful. That it is not protected from people is a different problem. lol
The other part of the question is whether the same addresses are safe at the host where they are then subjected to a redirect email address. In that case, your answer is helpful too, because I'd never heard of the robots.txt files.
I suppose it's no different if you post your email address on your profile, only in the profile, it will often only give you a link to click on like "send name an email".
Anyway, I appreciate your information on the subject!
Zllio
#5
Posted 21 November 2008 - 08:33 PM
A bot can not access the member area any more than a user
surfing your site. I'm guessing your site requires members to
log in first then enter a password for the protected area. The
bot can't perform the first step since it's not a valid member.
If you still have concerns locate your "robots.txt" file and edit
it to contain this line of code:
<META NAME="robots" CONTENT="noindex, nofollow">
#6
Posted 21 November 2008 - 09:46 PM
Quote
The
bot can't perform the first step since it's not a valid member.
It depends on the site, and the parameters. On one site that I help on, the member section requires a password, but bots are allowed to crawl it to feed the search engines. Another section is not public at all, except to staff, and bots are allowed to crawl that section also.
My initial thought though is that a member's account was compromised.
EDIT: The more that I think about this, the more I have to wonder if the bots are set up with a special account. I need to ask about that, because that is surely possible.
"Take the risk of thinking for yourself, much more happiness, truth, beauty, and wisdom will come to you that way" - Christopher Hitchens
#7
Posted 22 November 2008 - 05:42 PM
So you're saying GoogleBot has the ability to enter the member password
in order to access that page?
I is confused...