Tuesday, 7 October 2008 1:02 pm

Email obfuscator

Monday, 20 February 2006  

Displaying “mailto” links in web pages is much less widespread than it used to be in the good old days, largely thanks to the proliferation of web-scraping spam harvesters.

The email obfuscator uses a simple trick to effectively camouflage an email address which may be embedded in a web page. Considering that HTML supports character encoding (decimal and hex) in web pages, it’s possible to make text just a little more difficult to decipher for spambots, while still making it meaningful for humans.

The PHP version:

<a href="<?php echo obfuscate("mailto:nospam@hotmail.com"); ?>" title="mail me">mail me</a>

function obfuscate($text) {
   $result = '';
   for ($i = 0; $i < strlen($text); $i++) {
      // Coin flip: keep this character literal, or encode it
      $j = mt_rand(0, 1);
      if ($j) {
         $result .= substr($text, $i, 1);
      } else {
         // Second coin flip: decimal or hex character reference
         $k = mt_rand(0, 1);
         if ($k) {
            $result .= '&#'. ord(substr($text, $i, 1)) . ';';
         } else {
            $result .= '&#x'. sprintf("%x", ord(substr($text, $i, 1))) . ';';
         }
      }
   }
   // Never leave a literal '@' behind: encode any that survived the loop
   $k = mt_rand(0, 1);
   if ($k) {
      return str_replace('@', '&#64;', $result);
   } else {
      return str_replace('@', '&#x40;', $result);
   }
}

The VBS version:

<a href="<% response.write obfuscate("mailto:nospam@hotmail.com") %>" title="mail me">mail me</a>

function obfuscate(text)
   dim i, j, k
   randomize
   for i = 1 to len(text)
      ' Coin flip: keep this character literal, or encode it
      j = int((2 * rnd) + 1)
      if (j = 2) then
         obfuscate = obfuscate & mid(text, i, 1)
      else
         ' Second coin flip: decimal or hex character reference
         k = int((2 * rnd) + 1)
         if (k = 2) then
            obfuscate = obfuscate & "&#" & asc(mid(text, i, 1)) & ";"
         else
            obfuscate = obfuscate & "&#x" & lcase(hex(asc(mid(text, i, 1)))) & ";"
         end if
      end if
   next
   ' Never leave a literal "@" behind: encode any that survived the loop
   k = int((2 * rnd) + 1)
   if (k = 2) then
      obfuscate = replace(obfuscate, "@", "&#64;")
   else
      obfuscate = replace(obfuscate, "@", "&#x40;")
   end if
end function

Because the email obfuscator randomly converts some (but not all) characters, it’s very effective, especially against the dumber (most) spambots. Of course, this technique is not 100% bulletproof but then again, neither is a bulletproof vest.
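To show where the protection starts and stops, here is an added example (not the author's code): a Python port of obfuscate() with a small audit that checks the link still decodes correctly and compares a scan of the raw markup with a scan after character references are decoded. The names ADDRESS_RE, audit and audit_many, and the simple address pattern, are assumptions made for this illustration.

```python
import html
import random
import re

# Deliberately simple address pattern, standing in for a scan that reads
# raw markup without decoding character references (assumption for this demo).
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def obfuscate(text, rng):
    """Python port of the page's obfuscate(): each character stays literal or
    becomes a decimal or hex character reference; '@' is always encoded."""
    out = []
    for ch in text:
        if ch != "@" and rng.randint(0, 1):
            out.append(ch)                      # keep as-is
        elif rng.randint(0, 1):
            out.append(f"&#{ord(ch)};")         # decimal reference
        else:
            out.append(f"&#x{ord(ch):x};")      # hex reference
    return "".join(out)


def audit(plain, markup):
    """Report what the encoding does and does not hide for one output."""
    decoded = html.unescape(markup)  # what a browser or HTML parser sees
    return {
        "round_trips": decoded == plain,
        "visible_raw": bool(ADDRESS_RE.search(markup)),
        "visible_decoded": bool(ADDRESS_RE.search(decoded)),
    }


def audit_many(plain, trials=1000, seed=0):
    """Count each audit outcome over many random encodings of `plain`."""
    rng = random.Random(seed)
    totals = {"round_trips": 0, "visible_raw": 0, "visible_decoded": 0}
    for _ in range(trials):
        for key, hit in audit(plain, obfuscate(plain, rng)).items():
            totals[key] += hit
    return totals


if __name__ == "__main__":
    # Sample address taken from the page's own usage line.
    print(audit_many("mailto:nospam@hotmail.com"))
```

Every encoding round-trips and none exposes the address to the raw scan, while all of them expose it once the references are decoded, which is the limit of relying on entity encoding alone.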

EDIT: Geert Van Aken applies a slightly different technique to solve the same problem. Instead of randomly converting some characters, he applies a JavaScript filter. He provides the source code to ASP, C.NET, VB.NET, Java and PHP versions, as well as a Textpattern plugin.

