
Experiences with using JS and obscuring techniques to foil mailto spam

2:43 pm on Jul 12, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 11, 2001
votes: 0

I know there have been a few threads on this, but none seem to be open.

The various techniques I have seen include

1) Using images - Use an image file for the whole email etc, or even just to replace the @ symbol.

Disadvantage - The visually handicapped would be left out; you could use alt text, but that means choosing a method to protect the alt text. Also, the visitor has to type in the text manually.

2) "Munging" - adding nospam, adding nonsense words in caps, or doing myname AT domainname DOT com (good for visually handicapped).

Disadvantage - many common methods like adding nospam are easily handled by spambots. Too sophisticated methods might even fool the humans!

3) Using URL-encoding and/or HTML character entities. You can encode some percentage, and it can get very sophisticated.

It's recommended to encode even the mailto:, otherwise it's easy for spambots to just pick up whatever is behind that. This works for most browsers, but unfortunately it seems spambots are already beginning to attack this.

4) Basic Javascript

The most common idea is to split up the email address then put them together using document.write. This is usually combined with entity encoding mostly to hide the @.

Here's a sample from http://www.b-link.co.uk/stevedawson/script_hide_email_.php

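<SCRIPT LANGUAGE="javascript">
<!-- // Javascript Email Address Encoder
// by www.stevedawson.com

// "mailto:" and the address are split so neither appears whole in the source
var first = 'ma';
var second = 'il';
var third = 'to:';
var address = 'yeah';
var domain = 'fdfs';
var ext = 'com';
document.write('<a href="');
document.write(first + second + third);
document.write(address);
document.write('&#64;'); // entity-encoded @
document.write(domain);
document.write('.');
document.write(ext);
document.write('">');
document.write('Click Here to Email Me!</a>');
// -->
</SCRIPT>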

Similar but alternative ideas that don't use document.write


ii)<script language="javascript">
function SendMail(Login, Server) {
  // window.navigate is IE-only; window.location.href works in all browsers
  window.location.href = "mailto:" + Login + "@" + Server;
}
</script>
<a href="javascript:SendMail('marcell.toth', 'nextra.hu')">Mail me</a>

iii)<script language="javascript">
function SendMail(Login, Server) {
  // window.navigate is IE-only; window.location.href works in all browsers
  window.location.href = "mailto:" + Login + "@" + Server;
}
</script>
<a href="javascript:SendMail('marcell.toth', 'nextra.hu')">Mail me</a>

Most of the examples are given as inline JS; you should probably convert them to external JS files for more protection (I like the ones where you can easily change the email by just changing the external JS file). Also make some minor changes to variable names, and mix/try encoding to mess it up some more.

There is one common problem for the above methods.

The first is what to do for users without JS. Because the above methods use a normal a href link (unlike other methods like http://www.hiveware.com/enkoder_form.php), you can't use <noscript> to hide them from non-JS users.

Some of the methods, e.g. i), have a built-in failsafe as long as you are willing to sacrifice a disposable email. The other methods don't.

One method is to do <a href="javascript...."> <img src=pic.gif> </a>. That way both non-JS and JS-using visitors get some functionality.

A visually handicapped, non-JS-using visitor is out of luck though; perhaps adding instructions in the alt text to turn on JS might help (if you are going to add the real email, even encoded, in the alt text, you might as well not use javascript in the first place).

5) More complicated javascript methods

http://rumkin.com/samples/mailto_encoder/ - The most customisable one out there, including some interesting ideas.

The above methods use "encryption", with arrays and whatnot. Basically the only way a spambot is going to get through this is to actually go through the whole process of running the script, since there is no @ or mailto at all.

Also each person's script will be different, so there is no common way to break it.

Probably most secure, for JS methods?

6) Other methods include form email, and also other advanced techniques of trapping spambots, blocking by useragent, and CGI re-direct tricks (http://www.bestprac.org/articles/spam_bots_2.htm), which I didn't understand yet.
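
An added example, not part of the original post: a JavaScript check (runs under Node) that audits three markup styles from the list above, a plain mailto link, the entity-encoded form from 3), and the script-assembled form from 4), against a pattern scan of the raw source and of the source after numeric entities are resolved. The address webmaster@example.com and all function names are constructed for illustration.

```javascript
// Constructed sample address, not a real mailbox.
const SAMPLE = { user: 'webmaster', domain: 'example.com' };

// Technique 3: write every character as a decimal HTML entity (&#NNN;).
function entityEncode(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join('');
}

// Build the anchor with "mailto:" and the address both encoded.
function buildLink(user, domain, label) {
  const target = entityEncode(`mailto:${user}@${domain}`);
  return `<a href="${target}">${label}</a>`;
}

// What any HTML parser does before using the href: resolve numeric entities.
function decodeEntities(markup) {
  return markup
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Pattern check: does the text contain anything shaped like an address?
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
function addressVisible(text) {
  return ADDRESS_RE.test(text);
}

// Audit one piece of markup at two levels of scanner effort.
function audit(markup) {
  return {
    rawScan: addressVisible(markup),
    afterEntityDecode: addressVisible(decodeEntities(markup)),
  };
}

const plain = `<a href="mailto:${SAMPLE.user}@${SAMPLE.domain}">Mail me</a>`;
const encoded = buildLink(SAMPLE.user, SAMPLE.domain, 'Mail me');
// Same shape as the SendMail(Login, Server) link in 4): parts passed separately.
const scripted =
  `<a href="javascript:SendMail('${SAMPLE.user}', '${SAMPLE.domain}')">Mail me</a>`;

for (const [name, markup] of Object.entries({ plain, encoded, scripted })) {
  console.log(name, audit(markup));
}
```

The entity-encoded link survives only the raw scan, which matches the remark in 3) that encoding alone is already being attacked. The script-assembled link yields an address only if the script is actually run.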



5:38 pm on July 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
votes: 0

One of my clients was having a major spam problem -- we used the simple javascript approach to hiding the addresses.

We changed all their addresses, set up an autoresponder for one month to answer any "legit" email to the old addresses -- it sends the writer to a directory page with all the new javascript cloaked addresses.

We also sent all addresses not explicitly in use to devnull, and chose non-obvious but relatively intuitive new names. There is plenty of non-email contact information on every page, so we didn't worry about visitors with js turned off.

They're about 10 months along now, and things are still very, very quiet on the spam front. And of course, having suffered badly, they're quite cautious about leaving their new addies in guestbooks, forums and the like. It helps to be "once bitten".

I was very pleased because it didn't take too much work to set this up -- and now maintenance is extremely easy. I can change one variable in one javascript file and that address changes all over the website.

6:45 pm on July 12, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 27, 2003
votes: 0

This may be dumb - but why don't you just set up a perl script to process emails from the site?

Don't put the email address on site for the spam bots to collect.

