lojjic.net
Home of Jason Johnston
Thursday, August 28, 2003
Accessible Email Obfuscation
As I understand it, the Sobig virus making rounds recently propagates itself by looking not only in your address book, but also in any web pages cached on the system. So if you are a website operator who puts a mailto: link to your email address on your site, you may receive copies of the virus not only from friends who have you in their address book, but from any infected user who visits your site. Not to mention the bucketloads of spam you probably already receive from spammers who crawl the web looking for ripe email addresses to harvest.
There are ways to avoid both these problems, though. One common obfuscation technique is to do something like <script>document.write('<a ' + 'hre' + 'f="mai' + 'lto' + ':jj@' + 'lojji' + 'c.n' + 'et">j' + 'j@l' + 'ojjic.n' + 'et</a>');</script> Spambots don't recognize that as an email link, so they ignore it. It works, but there's a big problem: it isn't accessible. Anyone without scripting enabled won't see anything.
My approach to obfuscation is different: put the email address in the HTML as plain text, but using slightly different characters so that spambots won't recognize it but a human still can. Then use a script to transform the plain text into a full-fledged mailto: link.
Here's my script:
function linkEmail() {
if(!document.getElementsByTagName) return;
var allElts = document.getElementsByTagName("*");
if(allElts.length == 0 && document.all)
allElts = document.all; //hack for IE5
for(var i=0; i<allElts.length; i++) {
var elt = allElts[i];
var className = elt.className || elt.getAttribute("class")
|| elt.getAttribute("className");
if(className && className.match(/\belectronic-mail\b/)
&& elt.firstChild.nodeType == 3) {
var addr = elt.firstChild.nodeValue;
addr = addr.replace(/[ \[\{\(\|\/\\]at[ \]\}\)\|\/\\]/i, "@")
.replace(/[ \[\{\(\|\/\\](dot|period)[ \]\}\)\|\/\\]/gi, ".");
var lnk = document.createElement("a");
lnk.setAttribute("href","mailto:"+addr);
lnk.appendChild(document.createTextNode(addr));
elt.replaceChild(lnk, elt.firstChild);
}
}
}
window.onload = linkEmail;That goes through the entire document, looking for any element with class="electronic-mail". It then parses the text contained by that element, interprets it as an email address, and creates a link in its place. It should look something like <span class="electronic-mail">jj(at)lojjic(period)net</span> which is easily interpreted by a human as an email address, but a spambot won't see it. That example shows just one of many possible formats; the parentheses can be replaced by {, }, [, ], |, \, /, a space, or any combination of those. The period can also be dot.
I've been using this script (or a similar version) to create the email link in the sidebar on this site since it was launched (go ahead, view the source!) To date I haven't received a single spam message to that address. Feel free to use the script yourself, perhaps with a mention of where it came from.
Update: Thanks to Justin Makeig for pointing out a bug in the script: by adding a "g" flag to the regular expression for the "dot", addresses with more than one dot are now supported. Justin also informs me that he will be making use of the script on the new website for UC Berkeley's Center for Document Engineering.
Update 2: I've created an XBL version of this script.
