Forum: Ruby on Rails obfuscated email not really obfuscated. but why not?

sol.manager (Guest)
on 2011-03-23 05:41
(Received via mailing list)
I have a page with an email address visible (so humans can print the
page if necessary). I used the following code to obfuscate the
email. When I view the page source in my browser it appears all is
well, but I was told today by the SEO person at our web developer that
the email address is not obfuscated on this page. He had a printout
with the email address clearly visible after some obfuscated text.

So, is the following incorrect in some way I just can't see?

Email: <%= mail_to @post.employer.email, @post.employer.email,
           :encode => "javascript",
           :subject => 'request for information: ' + @post.title %>
<% end %>
Frederick Cheung (Guest)
on 2011-03-23 09:39
(Received via mailing list)
On 23 Mar 2011, at 04:39, "sol.manager" <sol.manager@gmail.com> wrote:

> I have a page with an email address visible (so humans can print the
> page if necessary). I used the following code to obfuscate the
> email. When I view the page source in my browser it appears all is
> well, but I was told today by the SEO person at our web developer that
> the email address is not obfuscated on this page. He had a printout
> with the email address clearly visible after some obfuscated text.
>
What does the output look like if you view the HTML source in your
browser?

Fred
sol.manager (Guest)
on 2011-03-23 15:30
(Received via mailing list)
For example, on the web page the following Email: joe.public@gmail.com
had the following source code.

<li>Email: <script type="text/javascript">eval(unescape('%64%6f
%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d
%22%6d%61%69%6c%74%6f%3a%6a%6f%65%2e%70%75%62%6c%69%63%40%67%6d
%61%69%6c%2e%63%6f%6d%3f%73%75%62%6a%65%63%74%3d%6a%6f
%62%25%32%30%61%70%70%6c%69%63%61%6e%74%25%32%30%72%65%73%75%6d
%65%25%32%30%66%6f%72%25%32%30%70%6f%73%74%25%32%30%6f%6e%25%32%30%6a
%6f%62%66%69%6e%64%65%72%75%73%61%2e%63%6f%6d%25%33%41%25%32%30%53%6f
%6c%75%74%69%6f%6e%73%25%32%30%41%73%73%69%73%74%61%6e%74%22%3e%6a%6f
%65%2e%70%75%62%6c%69%63%40%67%6d%61%69%6c%2e%63%6f%6d%3c%2f%61%3e
%27%29%3b'))</script></li>

To me this seems obfuscated, but the SEO person produced a print out
with something similar above but looked more like:
after the </script> and before the </li> his print out had
href="mailto:joe.public@gmail.com?subject=job
%20application">joe.public@gmail.com

I didn't know if this was a difference in web browsers or how he was
able to see this, but he did.

On Mar 23, 4:37am, Frederick Cheung <frederick.che...@gmail.com>
Bryan Crossland (Guest)
on 2011-03-23 15:59
(Received via mailing list)
On Wed, Mar 23, 2011 at 9:29 AM, sol.manager <sol.manager@gmail.com>
wrote:

> able to see this, but he did.
>
>
That's a good question. What browser and version did he produce that on?

B.
sol.manager (Guest)
on 2011-03-23 16:54
(Received via mailing list)
The problem seems to be that he was using the Firebug add-on for Firefox
and was viewing the page in debug mode, so essentially he was seeing
the "front" and the "back" at the same time. Robots don't crawl the
front, they crawl the source. So in the end, I believe this was
operator error and not incorrect obfuscation of an email.
Philip Hallstrom (Guest)
on 2011-03-23 17:11
(Received via mailing list)
On Mar 23, 2011, at 8:33 AM, sol.manager wrote:

> The problem seems to be that he was using the Firebug add-on for Firefox
> and was viewing the page in debug mode, so essentially he was seeing
> the "front" and the "back" at the same time. Robots don't crawl the
> front, they crawl the source. So in the end, I believe this was
> operator error and not incorrect obfuscation of an email.

This is also true if you use Safari/Chrome's developer inspector.  A
pure view source will show you the javascript mess.  Inspecting the
element will show you the result of the javascript call...

-philip
Michael Pavling (Guest)
on 2011-03-24 10:11
(Received via mailing list)
On 23 March 2011 15:33, sol.manager <sol.manager@gmail.com> wrote:
> The problem seems to be that he was using the Firebug add-on for Firefox
> and was viewing the page in debug mode, so essentially he was seeing
> the "front" and the "back" at the same time. Robots don't crawl the
> front, they crawl the source. So in the end, I believe this was
> operator error and not incorrect obfuscation of an email.

Really, don't even bother.
Firstly, you're wrong in your assertion that "Robots don't crawl the
front, they crawl the source" - nice simple robots may well only look
at the source. But it's well known that the big search engines can
determine if sneaky JS or CSS methods have been used to stuff keywords
into source, but hide them from view.

Secondly, you have no idea what *nasty* robots are doing - and I
assume they're the ones you don't want getting the email addresses
from your page (for spamming, etc). There's no reason not to assume
that robots don't view your whole site exactly as users do, including
ignoring robots.txt files - in fact, a robots.txt file is the first
thing I would look at if I want to know where the juicy stuff might
be...

Just work under the premise that whatever works for your users will
work for robots - if the user can click a mailto link, or read a
legible email address, so can a robot, whatever obfuscation you've
tried.

In fact, rather than foiling robots, your method discriminates against
real users who don't have JS-enabled browsers.

If you *really* want to delay spammers, then render email addresses
like "pavling(at)gmail(dot)com" - or some similar method that is
deducible by humans, but unfamiliar enough to not be easily parsed by
scripts (until loads of people use the method, and it's worth having
the script look for matching patterns too...) - of course, users can
no longer click-to-send, and I don't think it's worth the hassle.

Life's too short - use a good spam filter, and don't worry about it.
:-)
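
Added example (not part of any post in this thread, and not the Rails mail_to implementation): a small Ruby audit that builds markup shaped like the eval(unescape('...')) output quoted above and compares what a plain scan of the raw source finds with what is visible after one pass of percent-decoding. The helper names and the example.com address are constructed for illustration.

```ruby
# Added example: approximates the markup shape shown in the thread; it is not
# the Rails mail_to implementation. All names here are hypothetical.
EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i

# Build a script tag shaped like the one posted above: every byte of a
# document.write(...) call is percent-encoded and wrapped in eval(unescape()).
def js_encoded_mailto(email)
  js = "document.write('<a href=\"mailto:#{email}\">#{email}</a>');"
  encoded = js.each_byte.map { |b| format('%%%02x', b) }.join
  "<script type=\"text/javascript\">eval(unescape('#{encoded}'))</script>"
end

# Reverse JavaScript's unescape() for %XX sequences; no JS engine is needed.
# Assumes ASCII content, which holds for the sample below.
def percent_decode(str)
  str.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Addresses visible in the raw source, as "view source" shows it.
def addresses_in_raw_source(html)
  html.scan(EMAIL_RE).uniq
end

# Addresses visible once each unescape('...') argument is decoded, which is
# what a DOM inspector such as Firebug shows after the script has run.
def addresses_after_decoding(html)
  html.scan(/unescape\('([^']*)'\)/).flatten
      .flat_map { |arg| percent_decode(arg).scan(EMAIL_RE) }.uniq
end

sample = js_encoded_mailto('joe.public@example.com') # constructed sample address
puts "raw source: #{addresses_in_raw_source(sample).inspect}"
puts "decoded:    #{addresses_after_decoding(sample).inspect}"
```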