javascripthtmlobfuscationspam-preventionemail-spam

How safe is javascript e-mail obfuscation really?


In order to put e-mail addresses on my sites, I use this Javascript:

function showEmailLink(user, domain, linkText) {
 if (linkText == "") {
  linkText = user + "@" + domain;
 }
 return document.write("<a href=" + "mail" + "to:" + user + "@" + domain
   + ">" + linkText + "<\/a>");
}

so that in my HTML I can write this:

please send me an 
<script type="text/javascript">
  <!--
  showEmailLink("edward","tanguay.info","e-mail");
  //-->
</script>

This protects my site from spammers who collect e-mail addresses by screenscraping the source code since my e-mail is no where in the text.

However, I can't imagine that a motivated spammer could not write a screenscaper somehow which could mechanically determine the e-mail address based on this javascript and HTML code.

How safe is this method of javascript e-mail obsfuscation really?


Solution

  • It's not really a question of "safety" - anything which a regular user can see isn't "safe" because any really determined malicious entity can just act like a regular user and actually render/evaluate the page.

    It's more a question of deterrence - how much do automated harvesters care? I don't have exact numbers, but my guess would be that most harvesters don't bother to fully render or evaluate pages, since there are plenty of "softer" targets for them and it takes a lot longer to fully evaluate a page's scripts which isn't well suited for rapid mass spidering.

    If you really want to deter harvesters, probably the best deterrence currently available is something that involves a CAPTCHA to retrieve the address like Mailhide. However, even this can be foiled if the harvester is determined enough (by methods such as knowingly or even unknowingly crowdsourcing CAPTCHA-breaking, et cetera).