24 July 2005

Hiding an email address with JavaScript

This works, is relatively simple and is pretty much immune to being scraped even by amazingly advanced ’bots – even a massivly underpaid human “’bot” would take a little while to sort it out:

<script language="JavaScript">
function href(spamtrap,username) {
return 'mail' +
('to' +
':' + username +
'@' + spamtrap).replace(/ /g,'.');
}

...and wherever you have an email link, you put something like this:

Email: <a href="mailto:username domain com au"
onmouseover="this.href=href('domain com au','username')"
title="Click to send to real email address">username at
domain com au</a>.

If you want to armour it even further, omit the “at”, use an image (not a nice, clean readily OCRable one, either) or don’t even put the shadow of an email address there.

Using the JavaScript function throws off the vast majority of bots, because there’s no “@” sign for them to key on. The really persistent ones will still key on “looks-like-username looks-like-domain-name” even if the delimiters are totally wild. Reversing the order of the domain and username should nail even the really persistent ones without having to do work-intensive stuff like hex- or MIME64-encoding strings.

Think of your own name for the function and obfuscate stuff in different ways (e.g. use “=” or “%” or capital letters as domain element separators or pass the domain as a variable-length list of arguments) lest the one name and technique suggested here become popular enough to be worth writing into a ’bot.

For the non-technical reader, what this does is supplies a web page with no easily discoverable trace of any email address in it. When the user waves their mouse over the email link, a little piece of JavaScript reconstructs the address and writes it into the link so that the web browser can now “see” it. Since ’bots generally don’t run the JavaScript, they have no hope of ever seeing the real address.

May the flaws be with you.

No comments: