The trick is to use a simple ROT function (like a Caesar cipher) to hide an email address and decode it every time the user clicks on the link. Because the mousedown event is used, a click with any mouse button is supposed to be handled.
Some additional obfuscation techniques are also used to protect email addresses: the CSS reverse technique, hidden <span> insertion, and HTML comment insertion.
Mozilla Firefox v79
Google Chrome v80
The library was minified using the Terser plugin in webpack with default parameters. The source map is included in the production build. The webpack configuration files can be found in the source root folder.
To use the library with your HTML documents, include the email-protector.js file (build directory) using a <script> tag. You can download it and include it as a local file. Future changes to the project won’t break your webpage:
There are two methods available to insert your email address link into an HTML document.
Using append() method
The first one assumes creating an HTML element with an arbitrary ID and calling the append() function with the ID and the encoded email address as parameters:
<!-- script with append() function can be placed anywhere in an HTML document -->
<script>
  EmailProtector.append('email-protector', '[email protected]');
</script>
Please contact me at <span id="email-protector"></span>
Remember that the mailto link will be added as the last child of the provided HTML element. This is similar to the behavior of the Node.appendChild() method, which is called by the append() method.
This function uses the window.onload event to add the email link to the specified HTML element, so it can be called anywhere in an HTML document.
The above code will generate the following result:
Please contact me at
<a id="_k905fu05ixbj1tazna" href="znvygb:[email protected]">
<!-- mailto:[email protected] -->
<!-- pre . -->
<!-- post . -->
<!-- pre @ -->
<!-- post @ -->
Using write() method
The second technique uses the document.write() method to print the mailto link just after the <script> tag in which the EmailProtector.write() method was called:
Please contact me at
Notice that there is no parameter corresponding to the ID of a DOM element, because the email link is placed where the <script> tag appears.
The above code will generate a very similar result to the previous method:
mailto link parameters can be specified using the first (in case of write()) or second (in case of append()) argument when calling each method. The argument must be either a string containing the encoded email address or an object with any of the supported link parameters:
email – an ROT encoded email address;
subject – the subject of an email message (should not be encoded);
body – the body of an email (not encoded);
cc – carbon copy of an email (also ROT encoded);
bcc – blind carbon copy (also ROT encoded).
Here is an example of all the above mentioned mailto link parameters passed to the write() function:
The cc and bcc parameters in the example correspond to [email protected] and [email protected] addresses respectively. As stated above they also have to be ROT encoded, because they will be subjected to the decoding process in the same way the main email address is (we don’t want to expose them to spam bots either).
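The parameter handling described above, as an added example that is not the library's own code. ROT13 is assumed because the generated href shown earlier starts with znvygb: (ROT13 of mailto:); rot13, storedHref, decodeMailto, onMouseDown and the sample addresses are hypothetical names and constructed values.

```javascript
// Added example: ROT13 is an assumption inferred from the "znvygb:" href on the page.
function rot13(text) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= 'Z' ? 65 : 97; // uppercase vs lowercase alphabet
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// What sits in the static markup: scheme and address both rotated.
function storedHref(encodedEmail) {
  return `${rot13('mailto:')}${encodedEmail}`;
}

// Build the real mailto: URL from a string or a parameter object.
// email, cc and bcc arrive ROT-encoded; subject and body arrive as plain text.
function decodeMailto(params) {
  const p = typeof params === 'string' ? { email: params } : params;
  const query = [];
  for (const key of ['cc', 'bcc']) {
    if (p[key]) query.push(`${key}=${encodeURIComponent(rot13(p[key]))}`);
  }
  for (const key of ['subject', 'body']) {
    if (p[key]) query.push(`${key}=${encodeURIComponent(p[key])}`);
  }
  const href = `mailto:${rot13(p.email)}`;
  return query.length ? `${href}?${query.join('&')}` : href;
}

// mousedown fires for any mouse button, so the href is decoded before
// the browser follows the link. "link" is any object with an href property.
function onMouseDown(link, params) {
  link.href = decodeMailto(params);
  return link;
}

// Constructed sample values (not from the page).
const sample = {
  email: rot13('alice@example.com'),
  cc: rot13('bob@example.com'),
  subject: 'Hello there',
};
const fakeLink = { href: storedHref(sample.email) };
console.log(fakeLink.href);                      // encoded form in the markup
console.log(onMouseDown(fakeLink, sample).href); // decoded form after the click
```

ROT is an encoding, not encryption, so the same rotation applied to the stored href yields the address; the technique only raises the cost for harvesters that read static markup.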
Use the CSS reverse obfuscation technique to hide the real email address displayed as the mailto link label. The email address is written in reverse order and the following CSS code is used to display it correctly to the user: