Simple anti-mail-harvester Javascript code

In my continuous quest to fight spam, I think I’ve found a simple solution to an aspect of this problem. It isn’t the definitive one, and we can consider it a variation on the theme of the captcha, even if there’s no image involved, because there must be a “human intelligence” involved in the interaction.

We know that one of the problems behind spam is mail-harvesters: servers that search for email addresses on the Internet (see Project Honey Pot). I don’t know exactly how they work, but I think that they find a web server somehow (trying IPs or searching for HTTP addresses on search engines), then they start to suck every accessible page on it and search in the HTML text for acceptable email addresses. But we know that a web page can have a behaviour, too: I think it’s very difficult for mail-harvesters to “run” the pages they get, because that would be very resource intensive and slow. Besides running them, they would have to fire all registered events and follow their consequences: definitely too much work.

That said, my idea is simple: manually encrypt your email and embed the encrypted string in the page; it will be decrypted on demand based on user action and opportunity. An example is the link with my name under “Author” in the sidebar of my blog site: when you pass over it with the mouse, an event is fired that decrypts my email and puts it in the href attribute with the mailto protocol; then you can click on it and send me an email with your email client.

It seems at least strange that a harvester can do these actions in a timely fashion.

To encrypt the email, I used a simple ASCII Encryption JavaScript source file found somewhere (thanks to David Salsinha). I chose this algorithm because it has the interesting property of producing a different encrypted string every time for a given input string.

If you want to use this trick, you can encrypt your text here, and copy the result from here directly in your page source.

Then use this code (or a similar one):

<a data="...encrypted string..."
onmouseover="this.href= unEncrypt(unescape(this.getAttribute('data')));">
Diego Caravana
</a>

[EDIT] Slightly changed the script to obtain a stronger separation between the encrypted data and the code to decrypt it; now, to reach that point, there must be at least a partial DOM of the place, besides a JavaScript engine.
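
The whole technique as a self-contained sketch: an added example, not the blog's code and not David Salsinha's script. The chained-XOR encoding is a stand-in that keeps the "different output every time" property, and the names obfuscate, deobfuscate, revealMailto and the data-m attribute are hypothetical.

```javascript
// Added example. Stand-in obfuscation, NOT the ASCII Encryption script the post uses.
// obfuscate, deobfuscate, revealMailto and the data-m attribute are hypothetical names.
const hex = (n) => n.toString(16).padStart(2, "0");

// Chained XOR: each byte is XORed with the previous output byte, starting
// from a random one-byte key, so the same input encodes differently each time.
function obfuscate(text, key = 1 + Math.floor(Math.random() * 255)) {
  let out = hex(key);
  let prev = key;
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code > 0x7f) throw new RangeError("ASCII input only");
    prev = code ^ prev;
    out += hex(prev);
  }
  return out;
}

// Returns the decoded string, or null when the attribute is not valid hex.
function deobfuscate(data) {
  if (typeof data !== "string" || !/^(?:[0-9a-f]{2}){2,}$/.test(data)) return null;
  let prev = parseInt(data.slice(0, 2), 16);
  let text = "";
  for (let i = 2; i < data.length; i += 2) {
    const byte = parseInt(data.slice(i, i + 2), 16);
    text += String.fromCharCode(byte ^ prev);
    prev = byte;
  }
  return text;
}

// Event handler body: decode, check the result is a bare address (no
// whitespace or "?"/"&" that would smuggle extra mailto fields), then set href.
const ADDRESS = /^[^\s@?&]+@[^\s@?&]+\.[^\s@?&]+$/;
function revealMailto(el) {
  const address = deobfuscate(el.getAttribute("data-m"));
  if (address === null || !ADDRESS.test(address)) return null;
  el.href = "mailto:" + address;
  return el.href;
}

// Browser wiring; skipped when no DOM is present (e.g. under Node).
if (typeof document !== "undefined") {
  document.querySelectorAll("a[data-m]").forEach((a) => {
    const reveal = () => revealMailto(a);
    a.addEventListener("mouseover", reveal, { once: true });
    a.addEventListener("focus", reveal, { once: true }); // keyboard users
  });
}
```

Because the decoding routine ships with the page, this is obfuscation rather than encryption: it holds only against harvesters that neither execute scripts nor reimplement the decoder.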
