Protect the email address from spam bots, a reusable approach for WordPress

The problem: your client really wants to publish her email address on the website. Visitors should be able to click on it and be redirected to their default email application (like Thunderbird). And obviously they should be able to select the email, copy and paste it, and so on.

But still, you don’t want any spam harvesters (or spam bots) taking advantage of it and filling up your mailbox with tons of enlargement proposals, right?

I wasn’t fully satisfied with what I found on the topic. I wanted something that could be reused with ease. The good part is that I now have a new command at my disposal to use whenever I wish.

Quick update: for more options, have a look at the rewritten function, as explained in Protect the email address from spam bots, a reusable approach for WordPress (advanced).

If you have little time, jump to the final version.

And now, let’s get into the dirt!

The concept is to hide the email address from spam bots while still presenting the user with something that can be grabbed easily, for example by copy and paste. And it should be clickable, too.

A spam bot hunts for lines like:

<!-- example 1: an anchor that targets an email -->
<a href="mailto:example@mail.com"></a>

<!-- example 2: the command to target an email -->
"mailto:example@email.com"

That is because it tries to get the most benefit for the least effort. So we have to hide that information.

On the other hand, presenting the email as a series of single characters, each encapsulated in its own tag, should be enough to stop the harvester from getting the plain email. Another approach is to insert <!-- @ . --> between the characters, which leaves the harvester quite confused.

Harvesters usually can’t deal with JavaScript: it would demand too many resources from them, slowing them down for very little gain (they go for the mass).

Evil!

But the evil part of the function is that even if a harvester took the time to read our script, we have scrambled the email, so the bad dude will grab a useless address. Also, in case you have a catch-all setting, even the domain has been scrambled.

The function takes the email, scrambles it, and writes it into a JavaScript snippet injected into the HTML. On click, the script de-scrambles the address, keeps it in a variable, and sends a mailto: command directly to the default mail application.

It should also be easy to reuse. In fact, I want to write something like this and have the whole job done.

<?php email_masking('info@email.com'); ?>

So I’m going to show you the function I use for this.

Let’s start!

Good, in functions.php let’s write down a new function:

function email_masking($email_address) {
//	our code here, still to be soon written
}

Then, let’s grab the email as a parameter and work on it.

function email_masking($email_address) {
	$scrambled_email = null;
	$spanned_email = null;
	// characters inserted as decoys between the real ones
	$scrambling_set = 'abcdefghijklmnopqrstuvxyz1234567890';
	for($i=0; $i< (strlen($email_address)); $i++) {
		$x = substr($email_address, $i, 1);
		// visible version: every character in its own span
		$spanned_email .= "<span>$x</span>";
		// scrambled version: real character followed by one decoy
		$scrambled_email .= $x . substr($scrambling_set, ($i % strlen($scrambling_set)), 1);
	}
	// temporary: check the scrambled result
	print $scrambled_email;
}

Briefly, $scrambling_set contains the set of characters we use to scramble the email. It can contain any kind of symbol. You can put in your own set; it does not really matter. The more random, the better.

Then, in short, for each character in the email we add one more character just after it.

We then set a variable $spanned_email that contains a spanned version of the email, to be printed as visible text.

The last line, the print statement, serves the temporary purpose of checking what the scrambling produces. If everything works as expected, we can replace it with the following code.

$output = '<a href="#">';
$output .= '<span onclick="';
$v ="'$scrambled_email'";
$output .= "var adr=$v; var s = ''; for(i=0;i*2<adr.length;i++) s += adr[i*2]; document.location='mailto:'+s; return false\"><script>(((document).write))('$spanned_email')</script></span>";
$output .= '</a>';
print $output;

It looks messy, but basically it fills the variable $output with the script that de-scrambles what we scrambled before.

As a result, a spam bot that scans the script will get the scrambled email, which is definitely useless. Even the domain is scrambled, so we don’t “catch-all” the spam. The real email is kept hidden inside the variable s.

It’s only on the click that the script sends the command mailto: ... to the browser, and consequently to the email application.

Second, a document.write call prints the variable $spanned_email. This visible text could be vulnerable, which is why I wrap each character in a span.

Finally, as you may have already seen, the script is encapsulated in an anchor (the <a> tag). So the cursor turns into a hand when the mouse passes over it.

Sweet, huh?

The final function

/* Email Masking
----------------------------------------------------------------------------*/
/*	source: http://carlorizzante.com
	it masks the email provided as argument,
	pay attention to the scrambling set:
	you may want to write your own set */

function email_masking($email_address) {
	$scrambled_email = null;
	$spanned_email = null;
	// characters inserted as decoys between the real ones
	$scrambling_set = 'abcdefghijklmnopqrstuvxyz1234567890';
	for($i=0; $i< (strlen($email_address)); $i++) {
		$x = substr($email_address, $i, 1);
		// visible version: every character in its own span
		$spanned_email .= "<span>$x</span>";
		// scrambled version: real character followed by one decoy
		$scrambled_email .= $x . substr($scrambling_set, ($i % strlen($scrambling_set)), 1);
	}
	$output = '<a href="#">';
	$output .= '<span onclick="';
	$v = "'$scrambled_email'";
	// on click: keep every second character of adr, then open the mail client
	$output .= "var adr=$v; var s = ''; for(i=0;i*2<adr.length;i++) s += adr[i*2]; document.location='mailto:'+s; return false\"><script>(((document).write))('$spanned_email')</script></span>";
	$output .= '</a>';
	print $output;
}
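
An added example, not the author's code: the same scrambling scheme with the address validated and then encoded for each place it is written into (the JavaScript string, the onclick attribute and the inline script), so that a legal address containing an apostrophe or markup characters cannot break the handler. The function names scramble_email and masked_email_link and the sample address are assumptions made for this example.

```php
<?php
// Added example (not the author's code); function names are hypothetical.

// The article's scheme: one decoy character after every real character.
function scramble_email(string $email): string {
    $set = 'abcdefghijklmnopqrstuvxyz1234567890';
    $out = '';
    foreach (str_split($email) as $i => $ch) {
        $out .= $ch . $set[$i % strlen($set)];
    }
    return $out;
}

function masked_email_link(string $email): string {
    // Reject anything that is not a syntactically valid address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '';
    }
    // Hex-escape <, >, &, ' and " so the literals cannot end the JS string
    // or the surrounding <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

    // Visible text: each character HTML-escaped, then wrapped in its own span.
    $spans = '';
    foreach (str_split($email) as $ch) {
        $spans .= '<span>' . htmlspecialchars($ch, ENT_QUOTES, 'UTF-8') . '</span>';
    }

    // Click handler: keep every second character, then open the mail client.
    $onclick = 'var adr=' . json_encode(scramble_email($email), $flags) . ",s='';"
        . 'for(var i=0;i<adr.length;i+=2)s+=adr[i];'
        . "document.location='mailto:'+s;return false";

    // The handler is HTML-escaped as a whole before it goes into the attribute.
    return '<a href="#"><span onclick="'
        . htmlspecialchars($onclick, ENT_QUOTES, 'UTF-8') . '">'
        . '<script>document.write(' . json_encode($spans, $flags) . ')</script>'
        . '</span></a>';
}

// Constructed sample input: an apostrophe is legal in the local part.
echo masked_email_link("o'brien@example.com"), "\n";
```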

How to use it?

Copy and paste the function above into the functions.php file. Then use the syntax below to scramble the email.

<?php email_masking('your@email.com'); ?>

Feel free to suggest how to improve it.

Important note. Credit has to be given to Mads Olsen who concretely supported me in the task.

2 thoughts on “Protect the email address from spam bots, a reusable approach for WordPress”

  1. The code is great, thanks

    One problem: In the “Final Function” on line 14 the closing span tag is missing. This adversely affects other links on any page containing the code. In my case it sometimes caused links to PDF documents to open Outlook – depending on how the computer was configured.

  2. Hi Les!
    Thanks for the note. I amended the code, adding the missing closing tag. Sorry for the mistake!
