Page 1 of 2 12 LastLast
Results 1 to 10 of 18
  1. #1
    Member
    Join Date
    Aug 2006
    Location
    connecticut USA
    Posts
    54

    Mask email addresses from spam harvesters ..

    I have been using this script to mask emails on my commerical sites. The script hides email addresses from the harvesters.

    <script language=javascript>
    <!--
    var username = "webmaster";
    var hostname = "yourdomain.com";
    var linktext = "Email the Webmaster";
    document.write("<a href=" + "mail" + "to:" + username +
    "@" + hostname + ">" + linktext + "</a>")
    //-->
    </script>


    This works well but I did not implement the script right away so I did get some spam mail on certain addresses.
    But now I have been getting a ton of spam mail on all addresses. I am wondering if this script is out of date and the harvesters are reading through it or are my email addresses just being passed around from the time prior to using this script ?

  2. #2
    Administrator Dave's Avatar
    Join Date
    Sep 2004
    Location
    Te Awamutu, New Zealand
    Posts
    3,959
    Blog Entries
    79
    Whether or not harvesters ever read Javascript is up for debate. My opinion is that very few, if any, would try do this. For one thing it's not really worth it for them do read javascript - it would slow them down too much to be worth the few extra addresses they might pick up. Although some people have reported incidents of harvesters reading Javascript, I have yet to see any evidence. Most webmasters still seem to agree that Javascript is a reasonably safe way to hide addresses.

    Having said this, I do think it makes sense to use whatever tricks you have to make it harder for them. You could try to complicate the script a bit, or make the script a separate Javascript file. Nothing is guaranteed but it might help.

    The key here is that Javascript is probably reasonably safe. It's not the safest way to hide your addy. For complete safety I'd go for a contact form rather than any sort of email link.

    Another option is to use a Flash file, since that still seems to be out of reach of harvesters (for now).

    If I had to guess, I'd say it's most likely that your increase in spam is due to your addy being passed around from earlier.

    I suppose a good test would be to make a disposable email address and hide it with the script. As long as you never used it anywhere else (even to send email), you'd know if the script was cracked when you start getting spam. Then close the email account and consider it a lesson learnt. If I get round to it I might try this myself.
    Dave Owen
    MediaCollege.com

  3. #3
    some spammers can see anything that browsers can display to let humans see - using the same technology of course.

    best way is to save the address as an image - but anyone can link to it from their site and then you're spammed. no certain way of avoiding spam when u have an active email account really - even close friends call fall prey to giving their email log-in details to social networking sites, which harvest and spam all their contacts.

  4. #4
    New Member
    Join Date
    Jan 2007
    Location
    Chicago
    Posts
    3
    Quote
    Quote: Tiomago
    View Post
    I have been using this script to mask emails on my commerical sites. The script hides email addresses from the harvesters.

    <script language=javascript>
    <!--
    var username = "webmaster";
    var hostname = "yourdomain.com";
    var linktext = "Email the Webmaster";
    document.write("<a href=" + "mail" + "to:" + username +
    "@" + hostname + ">" + linktext + "</a>")
    //-->
    </script>


    This works well but I did not implement the script right away so I did get some spam mail on certain addresses.
    But now I have been getting a ton of spam mail on all addresses. I am wondering if this script is out of date and the harvesters are reading through it or are my email addresses just being passed around from the time prior to using this script ?
    You may have already seen this article. It may add some additonal security ideas for what you are looking to do.

    Anyone who operates their own website knows that you need to provide a way for visitors to contact you by email. The big challenge is providing easy email access to your visitors, without letting junk mail (SPAM) flood your email inbox. The techniques described in this article have enabled me to dramatically reduce the amount of junk mail I receive on all of my websites.
    Preparing and Pre-Empting
    You need a couple things before you can really take effective action against SPAM. Your email software must be capable of filtering incoming email. All of the major email applications (such as Eudora, Outlook, and Pegasus) support filtering. We will use multiple email addresses to allow us to filter out SPAM and identify the source - you can't combat SPAM effectively without them.


    You need to use a website hosting provider that allows unlimited email aliases or addresses, and/or a catch-all email address. An "alias" is an email address that forwards to some other address (for example, webmaster@domain.com forwarding to your real email address). A "catch-all" email address will forward any emails sent to unknown addresses in your domain. I just use the catch-all, so that every message goes to my real email address. If you have more than a one-person operation, however, multiple accounts and aliases are pretty much a necessity.

    Fighting Back
    The first step in fighting back against the spammers is understanding where they get your email address. You must diligently protect your email address, if you ever hope to stop them. Once your email address gets into the wrong hands, it will be sold on CD-ROM (via junk mail, of course) to thousands of spammers. Once that happens, you've lost the fight.

    Spam Source #1: Domain Name Registrations
    When you register a domain name, you must provide a contact email address. If you give them your real email address, you've just given it to everyone, including the spammers. Instead, use a portable email address (like Hotmail) to set up your domain. If you have multiple domains, you can also use an alias (domains@yourdomain.com) on your primary domain for all registrations. With an alias, you can use your email software to filter out and save any emails that come to that address from your registrar's domain.

    Spam Source #2: Web Forms & Email Newsletters
    If you give your real email address on any web form, or use it to subscribe to an email newsletter, you are asking for trouble. Instead, create a unique email address for each website or newsletter. I just use the website's domain name for this. For example, if you subscribe to VirtuallyIgnorant's GetWebSmart Newsletter as "getwebsmart@yourdomain.com" and let your catch-all address route it to you, you will always know where the email came from. If that address ever starts receiving junk mail, you can filter it out using your email software. If you submit to search engines or free-for-all links pages (FFA's), use a unique email address.

    Spam Source #3: Your Website
    The biggest source of email addresses used by spammers is your website. Most websites list multiple contact addresses, etc. Any time an email address appears on your website in plain text, even if it's hidden in a JavaScript or form field, you're opening yourself up to having that email address captured.

    The Big Battle: Securing Your Website From Spambots
    Almost every website operator wants search engine spiders to visit. After all, search engines are the best source of free traffic on the web. In the event that you don't want them to visit, they are easily kept at bay with a properly formatted "robots.txt" file.


    Unfortunately, there's another group of spiders out there crawling the web, with an entirely different purpose. These are the spiders that visit site after site, collecting email addresses. You may know them as spambots, email harvesters, or any number of unpublishable names.

    When it comes to controlling these rogue spiders, a robots.txt file simply won't get the job done. In fact, most spam robots ignore robots.txt. That doesn't mean you have to give up, and just let them have their way. The following techniques will stop these spiders in their tracks.

    Technique #1: Use JavaScript To Mask Email Addresses
    One of the weaknesses that spiders of all kinds suffer from is an inability to process scripts. Adding a small snippet of JavaScript in place of an email address effectively renders the address invisible to spiders, while leaving it accessible to your visitors with all but the most primitive web browsers.

    In the three examples below, simply substitute your username (the first half of your email address, everything before the @ symbol) and your hostname (everything after the @ symbol). To use the scripts, just insert them into your page's HTML wherever you need them to be displayed.

    Example 1: Creating A Spam-Proof Mailto Link
    This snippet of JavaScript code creates a clickable link that launches the visitor's email application, assuming that their system is configured to work with "mailto:" hyperlinks. You can replace the link text with your own message, but see example 2 if you want to display your email address as the link text.

    <script language=javascript>
    <!--
    var username = "username";
    var hostname = "yourdomain.com";
    var linktext = "Click Here To Send Me Email";
    document.write("<a href=" + "mail" + "to:" + username +
    "@" + hostname + ">" + linktext + "</a>")
    //-->
    </script>

    Example 2: A Spam-Proof Mailto Link With Your Email Address Showing
    Some visitors won't be able to use a mailto link. This snippet shows your email address in the link so they can copy and paste, or type it by hand:

    <script language=javascript>
    <!--
    var username = "username";
    var hostname = "yourdomain.com";
    var linktext = username + "@" + hostname;
    document.write("<a href=" + "mail" + "to:" + username +
    "@" + hostname + ">" + linktext + "</a>")
    //-->
    </script>

    Example 3: Display Your Email Address Without A Mailto Link
    Here's a snippet that displays your email address a clickable link:

    <script language=javascript>
    <!--
    var username = "username";
    var hostname = "yourdomain.com";
    var linktext = username + "@" + hostname;
    document.write(username + "@" + hostname)
    //-->
    </script>

  5. #5
    bear in mind that these links are grossly inaccessible to users with no script enabled.

    it's not necessarily so bad to give spammers ur addy so long as u have protection. i have links on every page of my main web site and get a few thousand emails in my spam folder each month but googlemail is great at catching them in the spam folder so it's really not much of a prob. i rarely get any landing in my inbox.

  6. #6
    Member
    Join Date
    Aug 2006
    Location
    connecticut USA
    Posts
    54

    spam preventing artical

    Thanks for posting the artical, I had neglected to think about the spam occuring from my contact info on my domain registrations. Also I had made my web site emails not catch all to limit my spam but like the idea of setting them to catch all and then filtering out the spam. For a while I used MaCafee spam filter and tried bouncing back emails.It was very time consuming and I could not tell if it was working . Any opinion on bouncing back spam ?

  7. #7
    New Member
    Join Date
    Jan 2007
    Location
    US - East Coast
    Posts
    1
    The danger of reusing a script like this that might be in use by thousands or tens of thousands of other people is that if a spammer wanted to, he could sit down and in about five minutes write a little subroutine that dissects it and pulls out the relevant details. If enough people use the script, it might be worth his while. However, his success would depend on it being exactly the same from site to site, except for the actual username and hostname, which is the part he's going after. His program would recognize the script from the words that haven't changed, and grab the ones that have. And then he'd have your email address. So rather than just reusing the script, as is, it would be a great idea to modify it, even just a bit. It's not too hard, even if you're not a programmer, and it would make it that much harder for the spammer's program to recognize it.

    In this example, the username is "bob" and the email domain is "bigtreecity.com" (both made up).

    Here's the script, as is, using our example names above:

    Code:
    <script language=javascript>
    <!--
    var username = "bob";
    var hostname = "bigtreecity.com";
    var linktext = "Email the Webmaster";
    document.write("<a href=" + "mail" + "to:" + username +
    "@" + hostname + ">" + linktext + "</a>")
    //-->
    </script>
    And here it is with some slight modifications:

    Code:
    <script language=javascript>
    <!--
    var username = "username";
    var npart = "bob";
    var hostname = "yourdomain.com";
    var apart = "bigtreecity.com";
    var linktext = "Email the Webmaster";
    document.write("<a href=" + "mail" + "to:" + npart +
    "@" + apart + ">" + linktext + "</a>")
    //-->
    </script>
    I left the original username and hostname variables in there as decoys for a spammer looking for those very obvious words. The real username is now called npart (short for name part). The real hostname is now called apart (short for address part). In the line that begins with "document.write", I replaced the variable "username" with "npart" and the variable "hostname" with "apart" so the final result gives the web page visitor the exact same email address as the first example. But a program designed to read the standard form of that script would be left confused and probably think the email address was "username@yourdomain.com" instead of the correct "bob@bigtreecity.com".

    Of course you can modify it even more if you want, to disguise things even better. You could break up words and then combine them again later, for example:

    Code:
    <script language=javascript>
    <!--
    var username = "username";
    var npart = "bob";
    var hostname = "yourdomain.com";
    var apart1 = "bigtree";
    var apart2 = "city.com";
    var linktext = "Email the Webmaster";
    document.write("<a href=" + "mail" + "to:" + npart +
    "@" + apart1 + apart2 + ">" + linktext + "</a>")
    //-->
    </script>
    Here I've broken the domain name into two parts, apart1 and apart2, to make it less obvious. A computer might think the domain is "city.com" and completely ignore the "bigtree" part. The user will see the correct address, though, because the script puts the apart1 and apart2 back together on the "document.write" line (that's all one line between the parentheses) to make the full address.

    I think that would be enough to fool even a program that's been trained to recognize this script. And if necessary, you could break things up even more or use fancier javascript (like string replace) to make the address almost unrecognizable until it's put back together for the web page visitor.
    Last edited by kentucho; 28th Jan 2007 at 06:08.

  8. #8
    New Member
    Join Date
    Feb 2008
    Location
    San Jose, CA
    Posts
    1
    Quote
    Quote: kentucho
    View Post
    Code:
    <script language=javascript>
    <!--
    var username = "username";
    var npart = "bob";
    var hostname = "yourdomain.com";
    var apart1 = "bigtree";
    var apart2 = "city.com";
    var linktext = "Email the Webmaster";
    document.write("<a href=" + "mail" + "to:" + npart +
    "@" + apart1 + apart2 + ">" + linktext + "</a>")
    //-->
    </script>
    Is this script still considered a good way to mask an email address? The reason I ask is that this post is just over a year old now.

    Also, if this is still a good way to mask an email address, is this script (everything in between and including the <script></script>) pasted into the body of the html?

    sorry for such a rookie-like question, still learning this masking thing.

    Thanks in advance!

  9. #9
    it's alright. most spammers will harvest only obvious addresses and won't bother with javascripted emails


    but for accessibility it's better to do the proper html and get a good spam filter. get gmail perhaps

  10. #10
    New Member
    Join Date
    Apr 2008
    Location
    Solana Beach, CA
    Posts
    1

    Hiding email addresses

    One last thing you can (should) do:

    Create a callable js function like:

    fmtMailLink( namepart, domainpart)

    with implementation as per prior posts and place it into a common.js file
    and include it in your page source via:

    <script language="JavaScript" type="text/javascript" src="/includes/common.js"></script>

    Now on your page source just insert
    <script language="JavaScript" type="text/javascript">fmtMailLink("bob","domainName.com")></script>

    Not much for spamBots to find will show in the viewSource.

    If paranoid, you can even obfuscate the name of the routine
    and make it have more parameters that you concatenate to form the email address.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Subscribe to us on YouTube