Comments on: Obfuscating Emails Revisited

By: Obfuscate no more: why your email address should go au naturale - Jason Priem

Obfuscate no more: why your email address should go au naturale - Jason Priem — Tue, 12 May 2009 21:12:48 +0000

[...] are too many js methods to cover in any detail here. Some are better than others; a few try to degrade gracefully for users without Javascript support. All of them, though, share [...]

By: links for 2009-04-17 « Amy G. Dala

links for 2009-04-17 « Amy G. Dala — Fri, 17 Apr 2009 22:40:52 +0000

[...] TextMate Blog » Obfuscating Emails Revisited (tags: email javascript web_dev utilities) [...]

By: Brandon

Brandon — Sun, 02 Dec 2007 22:26:30 +0000

I'm fairly new to Rails, and I'm not exactly sure what to do with the script? Is it a plugin? Do I call it using before_filter? Is there a special place I should put it?

By: kameko

kameko — Fri, 09 Nov 2007 06:05:35 +0000

interesting that bob has not returned with this magical $20 shareware harvesting tool.

By: thyncology » Blog Archive » Email Entitizer

thyncology » Blog Archive » Email Entitizer — Wed, 07 Nov 2007 11:13:07 +0000

[...] by a recent ongoing dialog on the TextMate blog about obfuscating email addresses to prevent spambots from scraping and foiling their [...]

By: Bob

Bob — Mon, 22 Oct 2007 10:00:29 +0000

Allen, I've asked the friend that gave me the software if he still has it. I'll let you know..

By: Allan Odgaard

Allan Odgaard — Thu, 18 Oct 2007 10:48:25 +0000

So bob, we have gone from the method being “utterly useless” to you recalling having seen a shareware program that could decipher addresses? ;)

Do you recall any details about this program? Like what type of enciphering did you do, that the program broke?

Don’t get me wrong, I know this is a cat & mouse game, and I certainly do not consider this method anywhere near unbreakable. I can just report that:

Based on a test I did, entity-encoded emails are safe from harvesters
I get no spam to the addresses listed (and enciphered) on these page.

So the cat (harvester) is not too concerned with winning the game (likely because there is far to much low-hanging fruit out there).

But even if the cat awakes, I am pretty optimistic, since legitimate use of email addresses will always be done by a human, and no script can fully mimic a human.

The question is how do we make the least obtrusive turing test?

Two ideas I am presently pondering is:

Use XMLHttpRequest both to fetch the valid address, but also (as a trap) blacklist the client’s IP (or feed it bad data) — a script is likely to follow the wrong path, for a human, use of CSS can make that near impossible.
Use DOM events, e.g. check that mouseEnter was actually called for the link clicked — we could require more intricate “gestures” to be performed.

I have some concerns though about a) making it easy to automatically obfuscate a page (so requiring server support for XMLHttpRequest is maybe not ideal) and b) still support browsers w/o JavaScript, non-mouse users, etc. One solution to that problem though could be, to always provide challenge/response protected email addresses by default, and then have JavaScript alter them to non-protected addresses, when the turing test has determined the page is viewed by a human.

By: bob

bob — Tue, 16 Oct 2007 18:55:58 +0000

It's a shame I lost the program, but i've spent a lot of time working on spam-protecting email addresses. Then, a friend showed me a $20 windows shareware tool that can be used to harvest email addresses from webpages. It found all addresses that were only visible after parsing javascript, and it was also pretty good at evading spam-traps (when they were hidden using CSS or javascript, it would just ignore them)

If this method works for you: great, but don't be surprised if one day you'll find that you name is on the spam lists.

By: Allan Odgaard

Allan Odgaard — Tue, 09 Oct 2007 14:16:33 +0000

If bots start to run JavaScript (while harvesting email addresses) then we can litter our pages with traps, i.e. put up invisible links to pages that lead to running infinite loops, or even report infested machines via XMLHttpRequest.

Meanwhile I can report that I receive zero spam for the JavaScript-obfuscated addresses published at this site (and they have been here for quite some time).

Based on a previous test I did it seems majority of harvesting bots doesn’t even entity-decode pages fetched.

So what are you basing your comment on Bob?

By: Guillaume Rischard

Guillaume Rischard — Tue, 09 Oct 2007 14:06:15 +0000

Sure they can parse javascript, but is it worth the cost? You have a harvesting bot. You find a bunch of javascript. Do you take the time to run it, hoping it has an email address, or just go to the next chunk of text?

Running a simple regular expression on the input will always be many times more efficient, in terms of email addresses harvested/time, than running the javascript on the page.

If this method becomes common enough and computers fast enough to make running the javascript worth it, the code can always be made more complex, to make the decoding of email addresses slower.