6

I have the following JavaScript code:

<script type='text/javascript'>
    var v2="xxxxx";
    var v7=unescape("%2%3432jklsjdkls%");
    var v5=v2.length;
    var v1="";
    for(var v4=0;v4<v5;v4++){
        v1+=String.fromCharCode(v2.charCodeAt(v4)^v7.charCodeAt(v4));
    }
    document.write('<a href="javascript:void(0)" onclick="window.location=\'mail\u0074o\u003a'+v1+'?subject='+'\'">'+'test(at)test(dot)com<\/a>');
 </script>

This code is on one line and I have no other possibility than this. Now I have to change the email address, but I need the v2 and v7 which I can't create.

Do you know where this snippet comes from? Do you know another algorithm which is secure (not only taking the ASCI values)? Here the ASCII codes, a XOR catenation and the encrypted value + key are used.

Tunaki
  • 116,530
  • 39
  • 281
  • 370
testing
  • 17,950
  • 38
  • 208
  • 373

5 Answers5

18

I would go about something simpler and equally-effective like this:

<a href="javascript:window.location.href = 'mailto:' + ['john','smith.com'].join('@')">john<!---->@<!---->smith.com</a>

  • mailto: link is obfuscated and unreadable for bots
  • html comments are used as junk so spam bots won't read the text of the link, while are hidden to a user. There can be any type of junk for example a <span> with display: none
Zaffy
  • 14,842
  • 8
  • 42
  • 70
9

Here are two external tools mentioned. For both you need to generate your Javascript code first with your email.

JavaScript eMail Encrypter

<!-- Add these lines to <head></head> -->
<script type="text/javascript"> <!--
function UnCryptMailto( s )
{
    var n = 0;
    var r = "";
    for( var i = 0; i < s.length; i++)
    {
        n = s.charCodeAt( i );
        if( n >= 8364 )
        {
            n = 128;
        }
        r += String.fromCharCode( n - 1 );
    }
    return r;
}

function linkTo_UnCryptMailto( s )
{
    location.href=UnCryptMailto( s );
}
// --> </script>

<!-- Use above link to generate your crypted email (example): -->
<a href="javascript:linkTo_UnCryptMailto('nbjmup;uftuAuftu/dpn');">test [at] test [dot] com</a>

ANTI-SPAM EMAIL LINK OBFUSCATOR

<script type="text/javascript" language="javascript">
<!--
// Email obfuscator script 2.1 by Tim Williams, University of Arizona
// Random encryption key feature coded by Andrew Moulden
// This code is freeware provided these four comment lines remain intact
// A wizard to generate this code is at http://www.jottings.com/obfuscator/
{ coded = "34M3@34M3.nmp"
  key = "594NIGdDgELkcwoAbPQirZaYCn1mWhURt0syV7Ojpqf8H3XMFvlezJTS2ux6KB"
  shift=coded.length
  link=""
  for (i=0; i<coded.length; i++) {
    if (key.indexOf(coded.charAt(i))==-1) {
      ltr = coded.charAt(i)
      link += (ltr)
    }
    else {     
      ltr = (key.indexOf(coded.charAt(i))-shift+key.length) % key.length
      link += (key.charAt(ltr))
    }
  }
document.write("<a href='mailto:"+link+"'>Example</a>")
}
//-->
</script><noscript>Sorry, you need Javascript on to email me.</noscript>

This tool was originally conceived and written by Tim Williams of The University of Arizona. The code to randomly generate a different encryption key each time the tool is used was written by Andrew Moulden. Ross Killen of Celtic Productions Ltd has also created a PHP version to enable use of this technique in web applications.

This code is distributed as freeware, provided the authors' credits etc remain exactly as shown.

testing
  • 17,950
  • 38
  • 208
  • 373
2

I just found this page that lists a number of methods that have been tested in a 1.5 year experiment in 2018, e.g.

  • use CSS's direction: rtl
  • add some "null" spans including a bit more advanced css to hide it
  • use some fancy JS to obfuscate the mailto link

Seems like spam bots are getting more advanced.

Peter T.
  • 2,143
  • 5
  • 24
  • 36
1

While I found many solution complicated, a simple javascript could do the trick just replace in the script your domain name.

<a class="email" data-email="support"></a>

<script>
var emailLinks = document.getElementsByClassName('email');
for (i = 0; i < emailLinks.length; i++) {
    var ctrl = emailLinks[i];
    var email = ctrl.getAttribute('data-email') +  '@' + document.location.host;
    ctrl.href= 'mailto:' + email;
    ctrl.innerText = email;
}
</script>
Zyo
  • 1,698
  • 18
  • 24
  • 1
    You can also replace the url in the script with something like `new URL(window.location).host`, to have even less readable data in the script. (This will also make the script work on virtually any site that has a `support@` address without changing it.) – Lerk Oct 28 '19 at 16:11
0

Another great tool to use is the reCAPTCHA tool from Google where it actually protects the email address provided by allowing the user to enter the character seen on the screen before the full email address is revealed. See the link here: reCAPTCHA

heinkasner
  • 385
  • 4
  • 17