Email Obfuscation Techniques

[Arno Hautala]

On Tue, Apr 12, 2011 at 02:47, Wander Nauta <info at wandernauta.nl> wrote:

> I agree, entity-encoded mailto: links work quite well. They may not work

> forever, though, and some Drew McLellan made a good point here:


A while back, around the time I sent the original message to this
list, I hadn't realized that the source for Enkoder was available, so
I I set out to reverse engineer the algorithm and implement my own
filter. When I realized that it was selecting multiple layers from
many obfuscation techniques, I gave up and wrote my own.

https://gist.github.com/830730

It's a filter for nanoc [1] that converts all mailto links to AT / DOT
obfuscated links and also inserts ROT 13 obfuscation that is unwrapped
using JavaScript. The unwrapped ROT 13 content also replaces the AT /
DOT link, so the user either sees an AT / DOT email address (JS turned
off), or a fully functional address (JS turned on). Both are
clickable.

It's quite similar to what Enkoder does, but also provides the AT /
DOT fallback.

Enkoder also uses several randomized layers of JS obfuscation, which I
don't think are any more effective than a single layer. With tools
like "jrunscript", a scraper can evaluate the JS obfuscation just as
easily as the browser does. Adding more and more layers just marginaly
increases complexity and resource consumption.

It's also surprising just how effective the AT / DOT method is [2] and
quite a bit more so than entities. This would seem to indicate that
harvesters aren't yet searching for "* at * dot com". Here we are
almost 5 years later and 7 times as many results for that search.

Sometimes I wonder if it's even worth the obfuscation effort.

[1]: http://nanoc.stoneship.org/
[2]: http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/

-- 
arno  s  hautala    /-|   arno at alum.wpi.edu

pgp b2c9d448