
JavaScript and AJAX Forum

    
Experiences with using JS and obscuring techniques to foil mailto spam
Hobbyist




msg:1487388
 2:43 pm on Jul 12, 2003 (gmt 0)
I know there have been a few threads on this, but none seem to be open.

The various techniques I have seen include

1) Using images - Use an image file for the whole email etc file, or even just to replace the @ symbol.

Disadvantage - The visually handicapped would be left out; you could use alt text, but that means choosing a method to protect the alt text. Also the visitor has to type in the text manually.

2) "Munging" - adding nospam, adding nonsense words in caps, or doing myname AT domainname DOT com (good for visually handicapped).

Disadvantage - many common methods like adding nospam are easily handled by spambots. Too sophisticated methods might even fool the humans!

3) Using URL-encoding and/or HTML character entities. You can encode some percentage, and it can get very sophisticated.

http://www.u.arizona.edu/~trw/spam/spam4.htm
http://www.metaprog.com/samples/encoder.htm

It's recommended to encode even the mailto: otherwise it's easy for spambots to just pick up whatever is behind that. This works for most browsers, but unfortunately it seems spambots are already beginning to attack this.

4) Basic Javascript

The most common idea is to split up the email address then put them together using document.write. This is usually combined with entity encoding mostly to hide the @.

Here's a sample from http://www.b-link.co.uk/stevedawson/script_hide_email_.php

<SCRIPT LANGUAGE="javascript">
<!-- // Javascript Email Address Encoder
// by www.stevedawson.com

var first = 'ma';
var second = 'il';
var third = 'to:';
var address = 'yeah';
var domain = 'fdfs';
var ext = 'com';
document.write('<a href="');
document.write(first+second+third);
document.write(address);
document.write('&#64;');
document.write(domain);
document.write('.');
document.write(ext);
document.write('">');
document.write('Click Here to Email Me!</a>');
// -->
</script>

Similar but alternative ideas that don't use document.write include

i) http://philringnalda.com/blog/2002/06/accessible_spamproofing.php

ii)
<script language="javascript">
function SendMail(Login, Server)
{
// window.navigate is IE-only; assigning window.location.href works in all browsers
window.location.href = "mailto:" + Login + "@" + Server;
}
</script>
<body>
<a href="javascript:SendMail('marcell.toth', 'nextra.hu')">Mail me</a>
</body>

iii)
<script language="javascript">
function SendMail(Login, Server)
{
// window.navigate is IE-only; assigning window.location.href works in all browsers
window.location.href = "mailto:" + Login + "@" + Server;
}
</script>
<body>
<a href="javascript:SendMail('marcell.toth', 'nextra.hu')">Mail me</a>
</body>
</html>

Most of the examples are given as inline JS; you should probably convert them to external JS files for more protection (I like the ones where you can easily change the email by just changing the external JS file). Also do some minor changes to variable names, mix/try encoding to mess it up some more.

iv) http://www.metaprog.com/samples/encoder.htm

There is one common problem with the above methods.

The first is what to do for users without JS. Because the above methods use a normal a href link (unlike other methods like http://www.hiveware.com/enkoder_form.php), you can't use <noscript> to hide them from non-JS users.

Some of the methods, e.g. i), have a built-in failsafe as long as you are willing to sacrifice a disposable email. The other methods don't.

One method is to do <a href="javascript...."> <img src=pic.gif> </a>. That way both non-JS and JS-using visitors get some functionality.

A visually handicapped, non-JS-using visitor is out of luck though; perhaps adding instructions in the alt text to turn on JS might help (if you are going to add the real email, even encoded, in the alt text, you might as well not use javascript in the first place).

5) more complicated javascript methods

http://www.hiveware.com/enkoder_form.php
http://www.jracademy.com/~jtucek/email/index.html
http://www.u.arizona.edu/~trw/spam/spam.htm
http://www.u.arizona.edu/~trw/spam/spam4.htm
http://rumkin.com/samples/mailto_encoder/ - The most customisable one out there, including some interesting ideas.

The above methods use "encryption", with arrays and whatnot. Basically the only way a spambot is going to get through this is to actually go through the whole process of running the script, since there is no @ or mailto at all.

Also each person's script will be different, so there is no common way to break it.

Probably most secure, for JS methods?

6) Other methods include form email, and also other advanced techniques of trapping spambots, blocking by useragent, and CGI re-direct tricks (http://www.bestprac.org/articles/spam_bots_2.htm), that I don't understand yet.

References

http://www.bestprac.org/articles/spam_bots.htm
http://www.neilgunton.com/spambot_trap/
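
The approach described under "more complicated javascript methods" above, as an added example that is not part of the original post or of any of the linked tools: the whole mailto: URL is stored as key-dependent numbers, so the served markup contains no @ or mailto text, and the address lives in one place in an external JS file. The address, key and function names are constructed for illustration; this is obfuscation that any client executing the script reverses.

```javascript
// Added example: keyed numeric encoding of a complete mailto: URL.
// SAMPLE_ADDRESS and SAMPLE_KEY are constructed values; all function
// names are hypothetical and not taken from any tool linked in the thread.
const SAMPLE_ADDRESS = 'user@example.com';
const SAMPLE_KEY = 'k7Qz'; // per-site key, assumed alphanumeric (attribute-safe)

// Encode "mailto:<address>" as one number per character, XORed with the key.
// Encoding the scheme too means "mailto" never appears in the page source.
function encodeAddress(address, key) {
  const url = 'mailto:' + address;
  return Array.from(url, (ch, i) =>
    ch.charCodeAt(0) ^ key.charCodeAt(i % key.length));
}

// Inverse of encodeAddress; the same logic runs in the browser on click.
function decodeAddress(codes, key) {
  return codes
    .map((c, i) => String.fromCharCode(c ^ key.charCodeAt(i % key.length)))
    .join('');
}

// Browser-side helper, served once per page (or from the external JS file).
// It reads the numbers and key from the clicked link and navigates.
const HELPER = '<script>function openMail(a){' +
  'var c=a.getAttribute("data-c").split(","),k=a.getAttribute("data-k");' +
  'location.href=c.map(function(n,i){' +
  'return String.fromCharCode(n^k.charCodeAt(i%k.length));}).join("");' +
  'return false;}<\/script>';

// Markup for one link. The label is assumed to be plain text that does not
// itself contain the address.
function renderLink(address, key, label) {
  return '<a href="#" data-c="' + encodeAddress(address, key).join(',') +
    '" data-k="' + key + '" onclick="return openMail(this)">' +
    label + '</a>';
}

// Check the property the technique relies on: nothing a plain-text scan for
// "@" or "mailto" would match is present in what the server sends.
function leaksAddress(html) {
  return html.indexOf('@') !== -1 || /mailto/i.test(html);
}

const page = HELPER + renderLink(SAMPLE_ADDRESS, SAMPLE_KEY, 'Mail me');
console.log(page);
console.log('leaks address text:', leaksAddress(page));
```

Changing SAMPLE_KEY changes every emitted number, which is the per-site variation the post refers to.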

 

tedster




msg:1487389
 5:38 pm on Jul 12, 2003 (gmt 0)

One of my clients was having a major spam problem -- we used the simple javascript approach to hiding the addresses.

We changed all their addresses, set up an autoresponder for one month to answer any "legit" email to the old addresses -- it sends the writer to a directory page with all the new javascript cloaked addresses.

We also sent all addresses not explicitly in use to devnull, and chose non-obvious but relatively intuitive new names. There is plenty of non-email contact information on every page, so we didn't worry about visitors with js turned off.

They're about 10 months along now, and things are still very, very quiet on the spam front. And of course, having suffered badly, they're quite cautious about leaving their new addies in guestbooks, forums and the like. It helps to be "once bitten".

I was very pleased because it didn't take too much work to set this up -- and now maintenance is extremely easy. I can change one variable in one javascript file and that address changes all over the website.

SinclairUser




msg:1487390
 6:45 pm on Jul 12, 2003 (gmt 0)

This may be dumb - but why don't you just set up a perl script to process emails from the site?

Don't put the email address on site for the spam bots to collect.
