New Email Address Obfuscation Technique


I suggested a better way might be to present an obfuscated email address in the HTML and use Javascript to decode it. The address would appear in the HTML source something like:

<a href="mailto:spamkiller_chip_at_remove-this_dot_unicom_dot_com_dot_nowhere">mail me</a>

A person could, by inspection, determine the correct address without too much difficulty. An address harvesting spider could not.

Moreover, by taking advantage of the Document Object Model implemented by all modern web browsers, an accompanying script could be used to de-obfuscate that address. Thus this method has the advantage of being transparent for a browser with functioning DOM and Javascript, readable in a browser that does not, and offering pretty good protection from spam spiders.

As proof of concept, I've implemented such a script. You can retrieve a copy from here.

You can view a web page that demonstrates this technique here.

The strength of all the Javascript obfuscation methods lies in the fact that address harvesting spiders do not (as far as we know) have Javascript capability--yet. That's sure to change. The method I present moves the de-obfuscation script to an external file, which provides a further measure of protection against harvesting.

This method could be strengthened even further by using a URL scheme other than mailto: and having the script restore it. Then, an address harvesting agent almost certainly would not recognize that the link contains an email address. Unfortunately, this would break functionality for users without DOM and Javascript. If the mailto: scheme is used and the link isn't automatically de-obfuscated, when the user clicks on the link the browser will open a mail client window, allowing the user to de-obfuscate the address by hand. If, however, some other scheme is used, then the browser won't know what to do with it and will raise an error.

This method could be compromised if address harvesters begin adding rules to recognize common obfuscation phrases, such as "dot" and "at" and "removethis". To guard against this, you should edit the noise_words list in the script to add your own words and use them when creating obfuscated addresses.
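
A sketch of the kind of de-obfuscation script described above, added here as an example and not the author's own script. The list name noise_words comes from the post; its contents, the function names and the decoding rules are assumptions.

```javascript
// Added example, not the author's script. The list contents are assumed;
// swap in your own words, as the post recommends.
const noise_words = ["spamkiller", "remove-this", "nowhere"];
const isSep = (t) => t === "@" || t === ".";

// Decode an obfuscated mailto: href. Returns the input unchanged when it is
// not a mailto: link or does not decode to something address-shaped.
// Limitation: "_" is the token separator, so literal underscores are lost.
function deobfuscateHref(href, noise = noise_words) {
  if (!href.startsWith("mailto:")) return href;
  const drop = new Set(noise.map((w) => w.toLowerCase()));
  const out = [];
  for (const raw of href.slice("mailto:".length).split("_")) {
    const tok = raw.toLowerCase();
    if (tok === "" || drop.has(tok)) continue;
    const sep = tok === "at" ? "@" : tok === "dot" ? "." : null;
    if (sep === null) {
      out.push(raw);
    } else if (out.length > 0 && !isSep(out[out.length - 1])) {
      out.push(sep); // skip separators orphaned by a removed noise word
    }
  }
  while (out.length > 0 && isSep(out[out.length - 1])) out.pop();
  const addr = out.join("");
  return /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(addr) ? "mailto:" + addr : href;
}

// Rewrite every mailto: link in a document; returns how many were changed.
function fixMailtoLinks(doc) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a[href^="mailto:"]')) {
    const before = a.getAttribute("href");
    const after = deobfuscateHref(before);
    if (after !== before) {
      a.setAttribute("href", after);
      changed++;
    }
  }
  return changed;
}

// In a browser, run once the DOM is ready; without JavaScript the link keeps
// its human-readable obfuscated form.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => fixMailtoLinks(document));
}
```

With the assumed list, the sample link above decodes to chip@unicom.com; a noise word that is not in the list is left in the address, which is why the list and the obfuscated links have to be edited together.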

I think this method should be effective, but I'm not quite ready to switch over all my web pages. This strikes me as making things a little too complex and messy, although I'm not sure any Javascript de-obfuscation technique could avoid that. Still, it's a method I've not seen discussed before. Maybe some further work will lead to a viable method to protect email addresses from harvesting.



re: New Email Address Obfuscation Technique

Oddly enough, I just ran across a much more obscure technique yesterday that relies on CSS generated content to hide your e-mail address--see

re: New Email Address Obfuscation Technique

How do I get a new email account?