Fight Spam with JavaScript

by arse

I only began buying domains and running websites recently, and as I did I noticed a huge increase in the amount of spam I was receiving.

Apparently my email address was being "harvested" from my websites by "email harvesters."

I'm sure many of you are familiar with these harvesters.  But for those who are not, an email harvester is basically a program or script that scours the Internet for email addresses (usually starting at Google with a keyword that will produce lots of email addresses).

These programs can find thousands of email addresses in an hour.  Lists of these addresses will then be sold to other spammers.  And guess what they do with them?

This is why you see email addresses on websites, blogs, etc. like: Joz (AT) GMAIL (DOT) COM_REMOVETHISBIT

This is a good way to avoid your address being harvested, but obviously it would not be hard to modify the programs to replace (AT)'s and (DOT)'s and so on.

Also, this method requires effort on the part of the person emailing and can cause confusion with people new to the Internet.  So, whilst playing with some JavaScript, I worked out a way to defeat spam harvesters and it's really very simple.

My first idea was to use JavaScript's document.write() function to write the email address to the HTML file, but in parts.

As JavaScript is client-side, the HTML file is sent with the JavaScript still intact, but the user's browser will then run the JavaScript commands to produce the desired text/HTML.

In this case the desired HTML was:

<a href="mailto:nospamhere@shiz.biz">email me!</a>    

If this was simply written to the document as it is above then email harvesters would easily pick it up and begin spamming.  So I wrote it differently:

document.write('<a href="mailto:nospamhere');
document.write('@shiz.biz');
document.write('">email me!</a>'); 

As the actual HTML (<a href="mailto:nospamhere@shiz.biz">email me!</a>) is written client-side, the email harvesters don't pick it up, but a normal user gets a perfectly fine mailto: link.

I tested this on my website.  I put an email address normally and one done with document.write().

One week later, the email written to the document normally had received three spam emails and the one that had been written using document.write() had received none!

Now it wouldn't be hard for an email spider to defeat this (simply strip all the document.write() calls from any HTML file), but the possibilities are limitless.

You could use variables and scatter them all over the page:

<script>
var a="@shiz.biz"
</script>
hello welcome
<script>
var b="nospamhere"
</script>
to my website!<br>
you can contact me
<script>
document.write('<a href="mailto:');
document.write(b + a);
</script>
">
here!</a>

Simply stripping document.write() would certainly not work here!
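
The comparison made so far, as an added example that is not the author's code: a Node.js audit to run over your own page source, reporting which addresses are readable without executing any script. The sample pages, the address user@example.com and all function names are constructed for illustration.

```javascript
// Added example (not the article's code): audit page source for e-mail addresses
// that are readable without executing any JavaScript.
const ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Unique, lower-cased addresses that plain pattern matching finds in `text`.
function addressesIn(text) {
  const hits = text.match(ADDRESS) || [];
  return [...new Set(hits.map((a) => a.toLowerCase()))].sort();
}

// Reverse the "(AT)" / "(DOT)" spelling, which the article notes is easy to undo.
function undoWordSubstitution(text) {
  return text
    .replace(/\s*[([]\s*at\s*[)\]]\s*/gi, "@")
    .replace(/\s*[([]\s*dot\s*[)\]]\s*/gi, ".");
}

// Concatenate the string literals passed to document.write(), i.e. what is left
// of the split-string trick once the calls themselves are stripped away.
function joinWrites(source) {
  const call = /document\.write\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)/g;
  return [...source.matchAll(call)].map((m) => m[2]).join("");
}

function auditPage(source) {
  return {
    rawSource: addressesIn(source),
    wordSubstitution: addressesIn(undoWordSubstitution(source)),
    joinedWrites: addressesIn(joinWrites(source)),
  };
}

// Constructed sample pages modelled on the article's snippets.
const SAMPLES = {
  plain: `<a href="mailto:user@example.com">email me!</a>`,
  spelled: `Contact: user (AT) example (DOT) com`,
  splitWrites: `<script>
document.write('<a href="mailto:user');
document.write('@example.com');
document.write('">email me!</a>');
</script>`,
  scattered: `<script>var a="@example.com"</script>hello welcome
<script>var b="user"</script>you can contact me
<script>document.write('<a href="mailto:');document.write(b + a);</script>">here!</a>`,
};

for (const [name, page] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditPage(page)));
}
```

An address listed under any key is exposed to a scanner that never runs script; the scattered-variable page comes back empty under all three checks.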

I got to thinking, you could completely screw around with these harvesters.  You could even use external documents for the email address.

For example:

index.htm:

<script language="javascript" src="a.htm"></script>
hello welcome
<script language="javascript" src="b.htm"></script>
to my website!<br>
you can contact me
<script>
document.write('<a href="mailto:');
document.write (a + b);
</script>
">here</a>

a.htm:

var a="mymail@";

b.htm:

var b="mail.com";

This would totally confuse the email harvesters.

Of course, this will probably only be a temporary solution.  There's too much money to be made in spamming for people not to write JavaScript into their harvesters.

But more complicated scripts could be used.  Email harvesters wouldn't be able to use all of JavaScript's functions.  For example, alert() would totally screw things up for them.

Anyway, that's all.  I hope this article will save some people from too much spam.
