Joerg Mayer wrote:
As far as I can see from a real-world Bugzilla, Bugzilla's HTML munging means replacing the @ character with the HTML entity "&#64;".
That's a stupid scheme. Even if it replaced all the characters, it would be a stupid scheme:
First, it takes a coder 10 minutes to implement a workaround against it.
Second, the HTML standard even *requires* you to decode such characters inside the "href=" attribute.
There's absolutely no incentive for a spammer *not* to incorporate a decoder for HTML entities in his/her harvester as far as I can see, and with Bugzilla using HTML entities, it won't take long before one of them does. In fact, most of them probably do already.
A much better scheme would use encryption via Javascript: a) Decryption takes time, for a spam harvester time equals money. b) We can do our best to make sure that the spammer actually needs to *run* the Javascript to decrypt addresses, by for example changing the keys, or even obfuscating the way the key is assembled as a string in the Javascript decrypt() function with some PHP. Running actual Javascript from web pages harvested will slow down a harvester, or crash it, and it's exceedingly difficult, so it's very unlikely that someone is going to do that in a harvester.
That would be an efficient scheme, as far as I can see.
It could be implemented like this:
1) A snippet of PHP code on the server side to encrypt e-mail addresses
2) A snippet of Javascript on the client side to decrypt e-mail addresses
3) mailto: links would look like this:
<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234')">mail me</a>

<a href="javascript:decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234')"><script type="text/javascript">document.write(decrypt('1234,4231,2343,3421,23432,1234,321,1234,321,234'));</script></a>
I've just tested it, btw. The above method of returning "mailto:joe@example.com" from Javascript works fine in IE, Firefox, Opera and Konqueror.
4) Or like this
<head>
<script type="text/javascript">
// decrypt() is the client-side routine from step 2 above.
function decrypt_all_mailto() {
    var links = document.getElementsByTagName('A');
    for (var i = 0; i < links.length; i++) {
        // Read the attribute as written: links[i].href would return the
        // resolved absolute URL, and the "#decryptme" prefix test would fail.
        var href = links[i].getAttribute('href') || '';
        if (href.substring(0, 10) == "#decryptme") {
            var decrypted = decrypt(href.substring(10));
            links[i].href = "mailto:" + decrypted;
            links[i].innerHTML = decrypted;
        }
    }
}
</script>
</head>
<body onload='decrypt_all_mailto()'>
<a href='#decryptme1234,4231,2343,3421,23432,1234,321,1234,321,234'></a>
<a href='#decryptme756,56,43,456,234,8,6,2134,43,576,85,23,111,234'></a>
PS. It's not an original idea by me, by the way. Can't remember where I read about it, but someone else out there implemented some sort of JavaScript email obfuscator.
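The scheme sketched above (server-side encoding to a comma-separated number list, client-side decoding, and an onload pass that rewrites "#decryptme" links into mailto: links) as a complete added example. This is not code from the post or from Bugzilla; the post never specifies the cipher, so the keyed XOR with chaining below, the "#decryptme" marker handling, DEMO_KEY and the function names are all assumptions. The encode side is written in JavaScript rather than the PHP the post proposes, so the whole thing runs stand-alone in Node; the fake link objects stand in for DOM anchors, and in a browser the same function is called on document.getElementsByTagName("a"):

```javascript
// Added example of the numeric-list obfuscation scheme from the post.
// Assumptions: keyed XOR with ciphertext chaining (the post leaves the cipher open),
// a "#decryptme" marker and a page-wide DEMO_KEY the server would rotate.
// This raises harvesting cost only; the key is delivered with the page.

const MARKER = "#decryptme";
const DEMO_KEY = "k3y-for-this-page"; // assumption: regenerated per page or build

// Server-side step (the post proposes PHP; done in JS here to stay self-contained).
// Each character is XORed with a key byte and with the low byte of the previous
// output value, so repeated characters do not map to repeated numbers.
function encryptAddress(address, key = DEMO_KEY) {
  const out = [];
  let prev = 0;
  for (let i = 0; i < address.length; i++) {
    const k = key.charCodeAt(i % key.length);
    const v = address.charCodeAt(i) ^ k ^ (prev & 0xff);
    out.push(v);
    prev = v;
  }
  return out.join(",");
}

// Client-side step: parse "1234,4231,..." and invert the transform.
// Rejects anything that is not a plain list of non-negative integers.
function decryptPayload(payload, key = DEMO_KEY) {
  const codes = payload.split(",").map((s, i) => {
    if (!/^\d+$/.test(s)) throw new Error("malformed payload at field " + i);
    return Number(s);
  });
  let prev = 0;
  const chars = codes.map((v, i) => {
    const k = key.charCodeAt(i % key.length);
    const c = v ^ k ^ (prev & 0xff);
    prev = v;
    return String.fromCharCode(c);
  });
  return chars.join("");
}

// The onload pass. Reads the attribute as written (the .href property would be
// the resolved absolute URL and the marker test would fail), rewrites the link
// to mailto:, and uses textContent rather than innerHTML so a decoded payload
// can never be interpreted as markup. Returns the number of links rewritten.
function decryptAllMailto(links, key = DEMO_KEY) {
  let count = 0;
  for (let i = 0; i < links.length; i++) {
    const raw = links[i].getAttribute("href") || "";
    if (!raw.startsWith(MARKER)) continue;
    const address = decryptPayload(raw.slice(MARKER.length), key);
    links[i].href = "mailto:" + address;
    links[i].textContent = address;
    count++;
  }
  return count;
}

// Constructed stand-in for a DOM anchor so the example runs without a browser.
function makeFakeLink(hrefAttr) {
  return {
    attrs: { href: hrefAttr },
    href: "",
    textContent: "",
    getAttribute(name) { return this.attrs[name]; },
  };
}

// In a real page: hook the load event and pass the live anchor collection.
if (typeof document !== "undefined") {
  window.addEventListener("load", () =>
    decryptAllMailto(document.getElementsByTagName("a")));
}
```

The server emits `<a href="#decryptme` + encryptAddress(addr) + `"></a>` and ships only the decode half plus the key; anything the harvester must execute (the chained XOR, the key assembly) is the cost this scheme buys. A harvester that runs the page's JavaScript gets the address regardless, which is the limit the post itself sets for the approach.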