Lachlan Hunt wrote:
There are various techniques used, such as:
1. Writing the e-mail with JavaScript
2. Encoding characters using percent-encoding in mailto: URIs
3. Encoding characters as HTML character references.
4. Interspersing markup within the e-mail address.
  e.g. user<span>&#x40;</span>example<!-- -->.com
5. Writing "user [at] example [dot] com" (or other variation)
6. User-Agent sniffing
7. Reversing the text direction using <bdo> or CSS 'direction' and 'unicode-bidi' properties.

One technique I forgot about.

8. Using some JavaScript to look for signs of user interaction, which would indicate a legitimate user is reading the page, instead of a spam bot.

Here's a simple script to demonstrate the concept:

<a id="email">user [at] example [dot] com</a>
<script>
document.onkeypress = document.onmousemove = function() {
  var e = document.getElementById("email");
  e.innerHTML = 'user' + '@' + 'example.com';
  e.href = 'mailto:user' + '@' + 'example.com';

  // Remove the event listeners, since it only needs to run once
  document.onkeypress = document.onmousemove = null;
}
</script>

This is a variation of technique 1 which is typically done as the document loads. I've never seen this done in the wild; it's a technique I'd thought about a while ago, but never published before.

It should prevent the simple workarounds I outlined in my previous e-mail for technique 1 because of the extra dependence upon user interaction. But all it would take is for a spam bot to simulate either a keypress or mouse movement to indicate real user interaction. It will also be ineffective against anything that successfully works around technique 5.

--
Lachlan Hunt
http://lachy.id.au/
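
Added example (not part of the original post or the author's code): a variant of the technique 8 script that ignores script-synthesized events by checking `isTrusted`, registers listeners without overwriting other handlers, and keeps the address out of the static markup, since the post notes the "[at]/[dot]" fallback shares technique 5's weakness. The function name `armEmailReveal`, the placeholder text and the event list are assumptions made for illustration.

```javascript
// Added example, not from the original post. armEmailReveal, the "email" id
// and user/example.com are illustrative assumptions.
function armEmailReveal(doc, elementId, user, domain) {
  // Keyboard, mouse and touch input, so touch-only visitors are covered too.
  var events = ['keydown', 'mousemove', 'pointerdown', 'touchstart'];

  function reveal(ev) {
    // Events fired by page script through dispatchEvent() carry
    // isTrusted === false; only user-agent generated events count.
    if (!ev || ev.isTrusted !== true) return false;

    var el = doc.getElementById(elementId);
    if (!el) return false;

    var address = user + '@' + domain;
    el.textContent = address;          // textContent: no HTML parsing
    el.href = 'mailto:' + address;

    // Run once: detach every listener registered below.
    events.forEach(function (name) {
      doc.removeEventListener(name, reveal);
    });
    return true;
  }

  // addEventListener leaves other handlers on the page in place, unlike
  // assigning document.onkeypress / document.onmousemove directly.
  events.forEach(function (name) {
    doc.addEventListener(name, reveal);
  });
  return reveal;
}

// In a browser, arm it against the real document. Sample markup (constructed):
//   <a id="email">address appears once you interact with the page</a>
if (typeof document !== 'undefined') {
  armEmailReveal(document, 'email', 'user', 'example.com');
}
```

The `isTrusted` check only filters events created by script inside the page; it cannot tell a person from an automated browser producing real input, so the limitation described in the post still applies. Visitors without JavaScript see only the placeholder, which is the trade-off for keeping the address out of the markup.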


******************************************************
The discussion list for  http://webstandardsgroup.org/

See http://webstandardsgroup.org/mail/guidelines.cfm
for some hints on posting to the list & getting help
******************************************************
