Ashley Sheridan​

Anti-Spam Email Script

Posted on


Often in forums and blogs, I see people asking how to cut back on spammers getting to their email addresses on a page. The most frequent solution to this problem is to disguise the email, in the hope that the spam bots (scripts purposely built for scouring the webs' pages for email addresses) will be unable to recognise the non-standard format. Below are just some of the ways of email obfuscation:

  • foo (at) bar (dot) com - inconveniences everyone, as most humans will not even use an address formatted in this way.
  • replace the email with an image - fine until OCR techniques are used on the image.
  • foo @bar . com - although using spaces in an email address retains a lot of readability for people, it also poses little problems to modern spam bots.
emails = Array("gppAcas/dpn"); function emailLink(emailNum) { emailString = ''; for(i=0; i<emails[emailNum].length; i++) { ascii = emails[emailNum].charCodeAt(i); ascii --; character = String.fromCharCode(ascii); emailString += character; } output = '<a href="' + 'ma' + 'ilto: ' + emailString + '">'; output += emailString; output += '</a>'; document.write(output); return true; }

The script above uses several key techniques to disguise the email, and I'm fairly confident that it will be some time before spam bots are sophisticated enough to extract an email from the script.

  • Email links are written to the page with JavaScript, and as far as I know, no spam bots (or search engines) can process JavaScript.
  • Addresses are stored in the script file using a single-phase Caesar Cypher, so cannot be simply extracted as text from the script file.

Line 1 is where the email addresses are kept. Each array element represents a different address. Each character is replaced by the one which follows it in the alphabet, and special characters such as '@' and '.' are replaced by a 'A' and '/' respectively (as these are the next characters to occur in the ASCII table.)

The function begins on line 3, accepting as a parameter, the index of the email address in the above array to use. This will be 0 for the first one, 1 for the second, etc.

Line 6 sets up a loop to iterate through all the characters in the encrypted email address, as a character-by-character conversion needs to take place.

Lines 8-11 obtain the ASCII code from the character, subtracts 1 from this value and creates a new character from the new value, adding it to a string which will contain the whole correct address once the loop has completed.

Lines 13-15 create the HTML to output, making sure that the word "mailto" is not in one piece, as this could be a potential give-away to spam bots that an email address actually exists.

The function is best stored in an external script file, as it allows for easier updating for larger sites. You would then call the script with this code to include it in your web page:

<script language="javascript" type="text/javascript" src="email.js"></script>

And finally use it with this code:

<script language="javascript" type="text/javascript">emailLink(0);</script> <noscript>Message to display if script is disabled/not available</noscript>