
Hiding Email Addresses on Your Web Page


If you're like me, you receive a lot of unwanted postal mail, and yes, a lot of unwanted email. For me, posting my email address on MCPressOnline.com, RPGIV.com, and RPGxTools.com probably contributes to the daily allocations of spam that I get.

This isn't because any of these Web sites sell my email address; it's from those dirty little "sniffer" programs. You know the ones; they go out to a Web page and read it into a program buffer. Then they scan the buffer for at signs (@) followed by a ".com," ".net," ".org," or dot this and dot that.

About two years ago, I found a Web site (one of many as it turns out) that will take your email address and obfuscate it. The word "obfuscate" is, ironically, a bit obscure itself. It means "to make so confused or opaque as to be difficult to perceive or understand."

Basically, obfuscating an email address on a Web page allows the browser user to utilize the email address ("Click here to send me an email") but prevents spammers from harvesting it for their purposes.

How do you do it? It turns out that you can send any text to a Web browser in plain ASCII, hexadecimal notation, or decimal notation. So the letter "A," for example, can be sent as A, %41, or &#65;. The browser will render any of these three representations as the letter "A" when it is displayed or used by the browser.

An email address harvesting routine that is looking for an at sign (@) followed by a .com or similar extension should be fooled by the obfuscation. In fact, many companies that harvest email addresses say that they actually use obfuscation to prevent competitors from stealing their "assets." None that I know of attempt to de-obfuscate text they find on Web pages simply because they run through a large volume of Web pages each day.

The trick to obfuscation is to convert the email address into a string of hex or decimal identifiers.

There are Web sites that will obfuscate an email address for you. A great Web site that I use for various ASCII and EBCDIC tables is located at LookupTables. This site also shows you the HTML encoding for each character, so if you want to enter an "A" in hex or decimal, you'll find the value on that site.

The two popular methods used to obfuscate include JavaScript generation and converting to hexadecimal or decimal notation.

Method 1: JavaScript

This method involves generating a JavaScript that uses an encrypted or obfuscated email address and sends it to the browser.

While this type of routine is fine for a single email address that appears on a Web page, I don't particularly care for it. These types of obfuscation routines can't be easily managed or adapted to multiple or dynamic email addresses.

For example, if you generate a list of hundreds of email addresses (for example, on a report "printed" on a Web page), you have to generate hundreds of these JavaScripts. Then, there's always the issue of users not enabling JavaScript in their browsers. Although it's rare, lack of JavaScript support can be an issue.

The University of Waterloo has a Web site that generates a rather thorough JavaScript obfuscator for single email addresses. And here's another one that's slightly less thorough.

Method 2: Encoding

This method involves encoding each character in the email address into either hex or decimal characters. While you can find Web sites to do this for you, they only work on one email address at a time. So, again, if you're writing out data from a database file to the browser and have multiple email addresses, the Web sites aren't very helpful.

This technique is still the preferred methodology when multiple email addresses are being written out to the Web page. Since you're sending only the encoded email address to the Web page, no JavaScript issues come into play.

Sample Obfuscation Routine

Using CGILIB (the free add-on to RPG xTools), I created a simple CGI program that obfuscates any email address (actually any text string) and returns it to the browser page.

The CGILIB service program includes an email obfuscation routine named cgiObfuscate(). Pass it a string of up to 640 bytes, and it will obfuscate it and return it to your CGI program. It's up to the CGI program to send it to the browser (as in the example below). The source for this procedure is listed after the example CGI program.

H BNDDIR('XTOOLS':'QC2LE')
H DFTACTGRP(*NO) ACTGRP(*NEW)
 /COPY XTOOLS/QCPYSRC,CGI
 /COPY XTOOLS/QCPYSRC,utils
 /COPY XTOOLS/QCPYSRC,FindRepl
D szHtml          C                   Const('/mywebsite/+
D                                           obfuscate.html')
D szEmail         S            128A
D szOMail         S            512A
D szObfuscate     S            512A

C                   eval      *INLR = *ON
C                   callp     cgiInit
C                   eval      szEmail = cgiGetVar('EMAIL')
C                   callp     cgiLoadHtmlifs(szHtml)
C                   if        szEMail <> *BLANKS
C                   callp     wrtjoblog(%Trimr(szEmail))
C                   eval      szObfuscate = cgiObfuscate(szEmail:1)
 **  We need to escape any ampersands in the obfuscated text so that
 **  it can be displayed in the browser as '&'; Otherwise it will cause
 **  the browser to try to read it as a control/command.
C                   eval      szObfuscate = FindReplace('&':'&amp;':
C                                              szObfuscate)
C                   callp     wrtjoblog(%Trimr(szObfuscate))
C                   callp     cgiSetVar('OMAIL':szObfuscate)
C                   callp     cgiSetVar('EMAIL':cgiObfuscate(szEmail:1))
C                   endif
C                   callp     cgiWrtSection('*TOP')
C                   callp     cgiWrtSection('*END')
C                   return

To try out this CGI program that is called to obfuscate an email address, click here and enter your email address (or a fake one). I do not record the email addresses entered into this page.

To illustrate how to write your own obfuscation routine, I have included the source code for the cgiObfuscate() routine below. The cgiObfuscate() routine uses two RPG xTools procedures. However, they are relatively easy to replace with non-xTools subprocedures.

 
 *************************************************************
 ** cgiObfuscate() Convert a plain text string to its
 ** digitized/numeric equivalent.
 ** e.g., from: A to: &#65;
 ** This allows the users to conceal from Web sniffers,
 ** things like email addresses that are output to a
 ** Web page.
 ** © 2004 Robert Cozzi, Jr.
 ** All rights reserved.
 *************************************************************
P cgiObfuscate    B                   Export

D cgiObfuscate    PI          4096A   Varying
D szInString                    640A   Const Varying
D nOption                        10I 0 Const OPTIONS(*NOPASS)

D atSign          S             10A   Inz('@') Varying

D szAsciiValue    S            640A   Varying
D szObfuscated    S           4096A   Varying

D I               S             10I 0
D nPos            S             10I 0
D szCCSID         S             10A
D nToCCSID        S             10I 0

D                 DS
D IntValue                       10I 0 Inz
D AsciiChar                        1A   Overlay(IntValue:4)

 ** Find the @ to verify that it is email.
C                   if        %len(szInString) = 0
C                   return    ''
C                   endif

C                   if        %Parms >= 2 and nOption <> 0
C                   eval      nPos = %scan(AtSign: szInString)
C                   if        nPos = 0
C                   return    %TrimR(szInString)
C                   endif
C                   endif

 ** Get the CCSID of the Web browser to convert into.
 ** Typically this is US-ASCII 819, but may be different.
C                   eval      szCCSID = GetEnvVar('CGI_ASCII_CCSID')
C                   if        szCCSID <> *BLANKS
C                   eval      nTOCCSID = CharToNum(szCCSID)
C                   endif

C                   if        nToCCSID > 0
 ** Convert the input string to ASCII from this AS/400's CCSID
C                   eval      szAsciiValue =
C                                ToAscii(%TrimR(szInString):nToCCSID)
C                   else
C                   eval      szAsciiValue = ToAscii(%TrimR(szInString))
C                   endif

 ** Convert to HTML special symbols &#xxx; (decimal)
C                   for       i = 1 to %len(szAsciiValue) by 1
C                   eval      AsciiChar = %subst(szAsciiValue :i:1)
C                   eval      szObfuscated = szObfuscated +
C                                '&#'+%Char(IntValue) + ';'
C                   endfor

C                   return    szObfuscated
P cgiObfuscate    E

The three RPG xTools routines used by the cgiObfuscate procedure are Get Environment Variable (GETENVVAR), Convert Character to Numeric (CHARTONUM), and Convert EBCDIC to ASCII (TOASCII). These routines simplify the cgiObfuscate implementation.
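
The same decimal encoding, written in Python as an added example (it is not the article's or CGILIB's code) together with a check of what it hides and what it does not. The function names, the scan pattern, and the sample address are assumptions made for this illustration.

```python
import html
import re

# Pattern of the kind the article attributes to harvesters: a literal at
# sign followed by a dotted domain, matched against the raw page text.
RAW_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def obfuscate(text, require_at=False):
    """Return text as decimal numeric character references (&#NNN;).

    Follows the article's routine: empty input gives '', and with
    require_at set, input without '@' comes back unchanged.
    """
    text = text.rstrip()
    if not text:
        return ""
    if require_at and "@" not in text:
        return text
    return "".join(f"&#{ord(ch)};" for ch in text)

def mailto_link(address, label):
    """Build a clickable link whose markup carries no raw address."""
    return f'<a href="mailto:{obfuscate(address)}">{html.escape(label)}</a>'

def as_visible_source(encoded):
    """Escape '&' so the page displays the encoded form itself."""
    return encoded.replace("&", "&amp;")

def raw_matches(markup):
    """Addresses a scanner of the unparsed markup would find."""
    return RAW_ADDRESS.findall(markup)

def browser_view(markup):
    """Decode character references the way an HTML parser does."""
    return html.unescape(markup)

SAMPLE = "bob@example.com"  # constructed address on a reserved domain

if __name__ == "__main__":
    link = mailto_link(SAMPLE, "Click here to send me an email")
    print(link)
    print("raw scan:     ", raw_matches(link))
    # After decoding, the address is plain again: the encoding only
    # hides it from tools that never parse the HTML.
    print("after parsing:", raw_matches(browser_view(link)))
    print("shown as text:", as_visible_source(obfuscate(SAMPLE)))
```

The as_visible_source() step corresponds to the FindReplace call in the sample CGI program: it is needed only when the encoded string itself is to be shown on the page rather than rendered as the address.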

Bob Cozzi is a programmer/consultant, writer/author, and software developer. His popular RPG xTools add-on subprocedure library for RPG IV is fast becoming a standard with RPG developers. His book The Modern RPG Language has been the most widely used RPG programming book for more than a decade. He, along with others, speaks at and produces the highly popular RPG World conference for RPG programmers.
