Comments on: How to Stop Spam Harvesting With Email Obfuscation

By: Craig Buckler

Craig Buckler — Tue, 26 May 2009 11:30:54 +0000

@jj

…all I’m seeing is the obfuscated address

The code is either failing or not being started. Run it in Firefox with the error console open (Tools > Error Console) – that should tell you if there are any obvious errors. Otherwise, post a link to your page URL and I’ll take a look.

By: jj

jj — Mon, 25 May 2009 18:27:35 +0000

I tried it but it’s not working. I put in the email.js file to the server, linked to it in the header, added the ‘window.onload’ line at the bottom, and used “class” in the email link (actually I copied/pasted and just changed the email address), but all I’m seeing is the obfuscated address. And I’m almost 100% sure that I have javascript enabled.

By: visual28

visual28 — Mon, 11 May 2009 22:46:21 +0000

I agree with omnicity, the spammers are far to smart and the email is easily hacked using common replacement techniques. I use a modified algorithm of the Project Honeypot system found here:
http://www.projecthoneypot.org/how_to_avoid_spambots_3.php

Even it’s not perfect, and will surely be defeated soon enough if not already. The only decent way to protect your email is through the use of a contact form.

By: omnicity

omnicity — Mon, 11 May 2009 22:26:30 +0000

There is plenty of evidance to suggest that the spam-bots are already using regExp patterns to look for even partial email addresses.
Where only a domain name is found, they then launch a dictionary attack with that, though domain names can just as easily be found via DNS.

By: Stomme poes

Stomme poes — Fri, 08 May 2009 08:13:40 +0000

[quote]Re-captcha allows you to protect your email with a security image.[/quote]

More and more sites, I cannot contact the owners because of captchas. I can’t read most of them, and I’m not blind.

I’ve been using numerical charcter entities for the whole email addresses, the mailto and the text in the anchor, and sometimes also with the word “email”. I also don’t know how well this works, but I’ll keep doing it so long as I know there are still many bots who can’t read them.

By: soundjet

soundjet — Fri, 08 May 2009 07:53:47 +0000

Nice one! guaranteed? ;)

By: roger

roger — Fri, 08 May 2009 00:02:23 +0000

Of course, unfortunately, you have also provided in this article the source code for the spammer to look at currently obfuscated email addresses and harvest them.

… Hey dude, just look for anything that is class email and then run it through this code …

Maybe calling the class ‘honeypot’ would be more appropriate.

great code btw, but those spammers have more time on their hands than we have to defeat them.

Of course by suggesting it in this comment I am also aiding them … Wheres the delete key ?

By: justseth

justseth — Thu, 07 May 2009 02:54:43 +0000

using a contact form is the best of solutions for many reasons:
1) the developer can control the conversation, ensuring the required information is sent
2) forms are trackable / measurable
3) auto-responses can be delivered based upon an array of conditions.
4) contact forms are routable. meaning, depending upon subject, will determine where the email is sent.

By: heggaton

heggaton — Wed, 06 May 2009 23:44:11 +0000

@Patrick, I completely understand now and yeah, you’re way is much better than using the noscript tag :)

I think I’ll stick to my original way of obfuscating and directing people to the feedback form on JavaScript failover but use your method of replacing HTML rather than the noscript.

Cheers

By: PatrickSamphire

PatrickSamphire — Wed, 06 May 2009 11:49:11 +0000

@heggaton, I was simply suggesting approaching it from the other direction to come up with the same solution. So, rather than having noscript for those without javascript, have the link to the contact form included in the html as default for everyone (but not inside noscript), then use javascript to remove that link and replace it with the obfuscated email.

That way, you don’t need a noscript tag at all.

The result will be exactly the same, and there’s no particular reason that anyone should go this more complicated route, but I just like things to look neat, and noscript always seemed a little ugly to me. :)