E-Mail @ddress Decoder
Version 1.1.2
by Jasper Yeh


A JavaScript e-mail address obfuscator using ROT-13.5


Copyright (c) 2010, Jasper Yeh

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.


The script can be downloaded from source control at https://svn.nullstack.net/public/Misc/tags/emad-1.1.2.


EM@D is an open-source JavaScript to hide email addresses and phone numbers from spam bots and spiders crawling the web for such items of contact. Such pieces of “eyes-only” information are stored on the web page in ROT-13.5 and are decoded when the document is loaded in a browser that supports JavaScript. Since, in general, bots only process the raw HTML of the page, the information remains safe.

What is ROT-13.5?

ROT-13 is a simple substitution cipher where each alphabetic character is replaced with the one 13 letters later. The effect is that A is replaced with N, B with O, Z with M, etc., thus making the message unreadable at a glance. All non-alphabetic characters are left as is. ROT-13.5 is simply ROT-13 with the addition that numeric characters are rotated through 5 (i.e. 0 becomes 5, 1 becomes 6, 9 becomes 4) to support phone numbers.

Why ROT-13.5? Why not stronger encryption? Why not just ROT-13?

Two reasons: it should be simple enough for people who make the pages to do, and the address may consist of numeric characters only (i.e. phone number). Since bots generally only look at the HTML code, such a simple cipher will suffice to confuse the bot into pulling the wrong information.



<script language=”javascript” type=”text/javascript” src=”PATH“></script>

<body … onLoad=”…emad();…” … >

<a href=”mailto:” id=”emad001″></a>

<a name=”anything” id=”emad002″>961-221-0597</a>


PATH should be the full URL to the EM@D library.

onLoad=”…” should be used to call the JavaScript function emad(); and remember to return false so that the browser will continue executing connected event handlers. The function itself always returns false. If you don’t know how to implement this, see examples below.

Now for everything that you want to decipher, place the ROT-13.5 encoded text on your page, and enclose it with an <a href=…> or <a name=…> tag with the id attribute set to something that starts with emad.

Note: The mailto: is in plain text. For links, decoding only starts after the first colon in the href attribute. This assures bots that it is finding an e-mail address or other protocol because it will identify mailto: or http:// followed by ROT-13.5 encoded characters.


onLoad="return emad();"
onLoad="something();emad();return somethingelse();
onLoad="something();emad();return false;
onLoad="something();return (somethingelse() || emad());"

Additional Notes

Of course, the client would need to support JavaScript. There’s some funny code that, for IE and Netscape, is only available to versions 4+. Most other browsers can probably handle it as well, since most of them came after IE4 and Netscape4.

There is no guarantee that this will necessarily fool every harvester in existence. Though extremely unlikely, it is feasible that some moron will decide that instead of bulk volume of addresses, he or she would go for breaking all these supposed methods of hiding e-mail addresses for the sake of doing so… in which case a well-coded script could decipher even things like benny.gorilla-AT-i.love.bananas-DOT-com… Still, it is even more unlikely that the script would have JavaScript processing capability

Change Log

Version 1.1.2 (2010-11-12)

  • Updated webpage URL and fixed the license notice in source comments.

Version 1.1.1 (2006-06-16)

  • Updated additional info URL in source files.

Version 1.1.0 (2006-05-25)

  • Fixed bug in IE6 where innerHTML becomes the same as the href (this is, of course, due to 2 bugs in IE that have an entirely unexpected result that is *almost* correct).

Version 1.0 (2005-04-10)

  • Initial release.

Leave a Reply