Keeping email addresses away from harvester bots is an old problem. I decided to apply some new technology to it.
- You can get rid of email altogether, and put up your own form if people want to write to you. I don’t want to toss out email though. I like email. I want people to be able to email me.
- You can edit your address so it’s not a real email address. That way a simple bot using a regex won’t find it. You’ll see things like “name [at] example.com” or “You can email me by appending the number 4 to my name”. That puts an unacceptable burden on the user, in my opinion. Browsers support email links, and I want the user to be able to click on a link and hav their mail client come up, if they’ve configured that.
I think the third option is the best. But there’s a catch.
Putting an inline
<script> tag in your HTML is considered a bad practice. There
that allows user-created content, like a comment section. If it’s not properly sanitized, it can attack any user who views the page).
Two parts, encoding and decoding
Edited 05-30: I changed the encryption algorithm from what I had originally, because the first version was sometimes producing characters outside the HTML safe range.
Now I have two separate pieces of code, one that will encrypt the email addresses when it renders the HTML, and another that will decrypt them on the client side, after it’s downloaded the encrypted links. This raises a new issue.
On the Ruby side, I have these functions added in
All this does is randomly shift each character by a few positions (eg, “b” becomes “o” or “m”). Again, it’s not very sophisticated. It’s maybe
one step up from rot-13. But it doesn’t have to be cryptographically secure, since all we’re trying to do is confuse some bots.
With this helper, in any template I can write
<%= obfuscated_email_tag 'firstname.lastname@example.org' %> and it will come out looking something like
<a data-controller="obfuscate" data-obfuscate-address-value="BblfbokfG}ke|dpe}f+lzu%dc" href="#">. That doesn’t look anything remotely
like an email address.