--- title: "Combating Spam With Email Obfuscation" date: 2023-11-22T10:30:00+01:00 categories: - webdesign tags: - spam - email --- The articles here at _Brain Baking_ end with a footer that contains the author bio and ways to contact me, including my preferred channel, email. Instead of including a simple `` link, however, the email link, when clicked on, is being replaced by the actual email address with the help of a small JavaScript function. Why? The question shouldn't be _why_---everyone knows why: to help keep spam bots at bay. The question instead should be _how_, as recent emails clearly indicate that the current method still isn't waterproof. It's not that I receive heaps of spam on a daily basis: _Brain Baking_ simply isn't popular enough for that. Still, I'd like to quickly go over a few methods you can employ to keep bots from scraping off email addresses too easily from your website. Others like [Spencer Mortensen](https://spencermortensen.com/articles/email-obfuscation/) tested these methods by setting up different email addresses and monitoring the incoming amounts of spam. Silvan Mühlemann even [waited 1.5 years](https://web.archive.org/web/20110218074628/http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/) to see the impact of each approach! The easiest method, applied as early as the dawn of the internet, is to simply **remove a few characters** or to spell out the `@` symbol. Instead of putting up a link, you write: 'contact me via `info at mydomain dot com`'. Unfortunately, that simply doesn't work anymore. Even a very simple string matcher can still pick up the address. What you're doing here is making it difficult for your visitors to email you while also making it easy for scrapers to steal the address. A slightly more involved approach is to resort to **HTML Character Entries** that will replace characters like `.com` with `.com`. You can use [encoders like these](http://www.wbwip.com/wbw/emailencoder.html) to speed up the process. Again, most spam bots are clever enough to scan for encoded `@` signs with common domain TLDs, so I don't think this will get you very far. What about **adding JavaScript** to inject the `href` attribute (or perhaps the `` tag itself) after clicking on a link? Depending on the implementation, the success varies. I've been using a simple ROT13 replacement mechanism that's good enough. A simple click listener replaces the inner HTML of a `` element: ```js const meel = document.querySelector('.meel'); const enc = "kcihsf@pfowbpoywbu.qca" meel.addEventListener('click', function() { meel.setAttribute('class', '') meel.innerHTML = enc.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+12)?c:c-26);}); }) ``` Remember that you'll need `