How safe is javascript email obfuscation actually?

To put email addresses on my sites, I use this JavaScript:

    function showEmailLink(user, domain, linkText) {
        if (linkText == "") {
            linkText = user + "@" + domain;
        }
        return document.write("<a href=" + "mail" + "to:" + user + "@" + domain + ">" + linkText + "<\/a>");
    }

so in my HTML I can write this:

    please send me an
    <script type="text/javascript">
    <!--
    showEmailLink("edward","tanguay.info","e-mail");
    //-->
    </script>

This protects my site from spammers who collect email addresses by screen-scraping source code, since my email address is not in the text.

However, I cannot imagine that a motivated spammer could not somehow create a screen scraper that could mechanically determine an email address based on this JavaScript and HTML code.

How safe is this JavaScript email obfuscation method actually?

+7
javascript html email-spam obfuscation spam-prevention
7 answers

This is not a question of “security” - everything that an ordinary user can see is not “safe”, since any really determined malicious entity can simply act as a regular user and actually display/evaluate the page.

It is rather a matter of containment - how much do automatic harvesters care? I don’t have exact numbers, but I assume that most harvesters did not bother to fully display or evaluate pages, since there are many “softer” goals for them, and it takes a lot more time to fully evaluate page scripts, which is not good for a fast mass spider.

If you really want to hold back the harvesters, perhaps the best deterrent currently available is one that involves a CAPTCHA to get the address, like Mailhide. However, even this can be thwarted if the harvester is sufficiently determined (by methods such as knowingly or even unknowingly crowdsourced CAPTCHA-breaking, etc.).

+14

If someone wants to target your site, it’s 0% safe. If you're just trying to raise the bar against automated scripts, you might be fine. I did not support the current state.

I would like to point out, however, that you should not enter arbitrary strings (such as username and domain name) in your HTML via document.write(), as this is a security hole. You must create an A node and use the getter/setter methods.

+1
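
The DOM approach recommended in the answer above, shown next to the string that the question's function passes to document.write(). This is an added example, not code from the thread: legacyMarkup, buildEmailLink and stubDocument are hypothetical names, and the address character check is an assumption of the example.

```javascript
// Added example; legacyMarkup, buildEmailLink and stubDocument are hypothetical names.

// The string the question's showEmailLink() hands to document.write():
// plain concatenation, so markup inside any argument becomes page markup.
function legacyMarkup(user, domain, linkText) {
  if (linkText === "") linkText = user + "@" + domain;
  return "<a href=" + "mail" + "to:" + user + "@" + domain + ">" + linkText + "<\/a>";
}

// DOM version: create the A node and assign through setters, which treat
// their values as data rather than markup.
function buildEmailLink(doc, user, domain, linkText) {
  const address = user + "@" + domain;
  // Assumption of this example: only plain address characters may reach href.
  if (!/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/.test(address)) {
    throw new Error("unexpected characters in address");
  }
  const a = doc.createElement("a");
  a.setAttribute("href", "mail" + "to:" + address);
  a.textContent = linkText === "" ? address : linkText;
  return a;
}

// Constructed stand-in for `document` so the example also runs outside a browser.
function stubDocument() {
  return {
    createElement(tag) {
      return {
        tagName: tag.toUpperCase(),
        attributes: {},
        textContent: "",
        setAttribute(name, value) { this.attributes[name] = String(value); },
      };
    },
  };
}

// Constructed input: link text that contains markup.
const sampleText = "<u>e-mail</u>";
const doc = typeof document !== "undefined" ? document : stubDocument();
const link = buildEmailLink(doc, "edward", "tanguay.info", sampleText);

console.log(legacyMarkup("edward", "tanguay.info", sampleText)); // <u> is parsed as a tag
console.log(link.textContent); // stays literal text
```

In a page, pass the real document and attach the returned node with appendChild() where the link should appear.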

If you do this (which I fundamentally disagree with, as I believe that all content should be accessible to users without JavaScript), the trick is to do something unique. If your method is unique, there isn’t much sense for the authors to code a workaround, huh?

However, some modern scrapers are known to use the rendered source to scrape addresses, which makes any JavaScript obfuscation methods useless.

+1

It all depends on whether the cost of rendering the page is offset by the value of the email address. As Dove said, professional spammers can use an army of cheap labor to render such pages or decrypt CAPTCHAs. In some cases, this makes sense, such as creating new email accounts in trusted domains.

You can increase the cost of rendering a page by doing some calculations in showEmailLink().

+1

Although I do not have any convincing evidence, I believe that email harvesters have been able to execute JavaScript code for several years. This is based only on using a function very similar to yours for the "protection" of email addresses on a public page that were not used anywhere else. Of course, in the end they started getting spam.

In principle, anything you can do that does not require a person to interpret and enter the email address will ultimately be scraped by email harvesters. If your browser can execute JavaScript to decode it, so can they. (They probably use browsers for this.)

+1

Matt Cutts just mentions in the webmaster videos that this method is no longer “safe”; see the link here: http://www.youtube.com/watch?v=Ce6cLrrfS5E. It says that if you put the JavaScript in a place prohibited by robots.txt, then you don’t have to worry about robots displaying the HTML, but Google is better at understanding JavaScript, and your address may be searchable in clear text if you use this method.

+1

If you are like me and don't mind using JavaScript, I found this page: http://reliableanswers.com/js/mailme.asp. It mainly uses this snippet:

    <script type="text/javascript">
    function mailMe(sDom, sUser) {
        return("mail"+"to:"+sUser+"@"+sDom.replace(/%23/g,"."));
    }
    </script>
    <a href="/contact/" title="Contact Me!"
       onmouseover="javascript:this.href=mailMe('example%23com','me');"
       onfocus="javascript:this.href=mailMe('example%23com','me');">Contact Me!</a>

Pretty good obfuscation.

0