What's the safest way to put a clickable e-mail address on the web?
June 25, 2005 4:39 PM   Subscribe

If you're making a webpage, don't even put a clickable email address on it; make your address into an image, such as a JPEG or GIF. Legitimate emailers will have to type it out, but that's really not much more of a hassle than removing NOSPAMREMOVETHISTEXT or whatever.

As for message boards and such, I'd just use a series of disposable Yahoo-type addresses, dispensing them when they get too spammy. Only give your permanent email to people you really trust.
posted by lisa g at 4:48 PM on June 25, 2005

I've found that character-encoding email addresses has (so far) prevented the spammeisters from finding mailto: links on my pages.
posted by cbrody at 4:51 PM on June 25, 2005

I prefer disposable forwarding addresses. If an address starts collecting spam, just delete it and generate a new address. Sneakemail offers a good service.
posted by Galvatron at 5:09 PM on June 25, 2005

I think this is a nice tool to encode e-mail addresses. It spits out a Java Script code, which should be impossible for spambots to read.

However, if you have many addresses on one page, the page could be slow to load. But I've had my addresses on my websites encoded with that form, and it's worked really well. No spam so far, and I've had them on my web sites for over a year now.
posted by einarorn at 5:17 PM on June 25, 2005

Do consider the usability/accessibility implications of obfuscating your e-mail address - particularly in the case of using an image.

Plenty of people browse the web without images or JavaScript - either by choice or by necessity (using a screenreader, etc.). Getting spam is no fun, but neither is making it a pain in the ass to e-mail you.
posted by shaun at 5:29 PM on June 25, 2005

The only way I've found to save myself from spam in regards to websites is this:

I put an email address on my website (jairusthegreat@awesome.com). I only check this email address every once in a while. When I get an email I want to respond to, I reply from a different address (jairustheSUPERgreat@awesome.com).

I only ever use the second address for communication, and it's never, ever posted anywhere. I only ever use the first address for posting everywhere, and I check it not-nearly-so regularly.

Hence, the email address that everyone uses never gets any spam, and I don't have to worry too much about the other address, as I only go through the inbox once in a while.
posted by Jairus at 5:36 PM on June 25, 2005

Some friends of mine are developers of an Anti-spam product, so they seem fairly up to date on spamming techniques. They seem to be of the opinion that email harvesting isn't common any more - it's more work than it's worth. Instead, these days, spamming is done by zombie boxes brute-forcing email addressed for every host (ie using dictionary and random combinations, or other methods, to generate a bazillion variations on, say ****@[the_host_site].com).

So obfuscation is no defense at all to the bulk of spammers.

So, it might be ok to use minimal obfuscation (not sure), but choosing an email name that doesn't seem generateable is probably as (or more) important. I Am Not An Anti-Spam Developer, but I guess that would mean:

Johnson56 = poor choice
Johnson = worse choice
Johnson_of_the_56th = seems better
J0hns0n56 = not really sure if this helps, but it will confuse people, so use with caution.
Johnson.the.webmaster = Much better than Johnson, or Webmaster, but may be generatable.
posted by -harlequin- at 5:52 PM on June 25, 2005

I use something like <img src="email.gif" alt="my email is bobo at bobo dot com">, pretty much like lisa g said, but the alt text should help if someone is browsing without images. Sure it presents usability problems but the spam thing is just too troublesome.

Keep in mind obfuscation is only a short term solution to spam, eventually your email will end up in some database somehow and spam will start coming in.

One thing I've been meaning to do is to put up a web form on my contact page, so someone just has to type a message and click submit.
posted by bobo123 at 5:53 PM on June 25, 2005

If you are on a server that allows any kind of server-side scripting, you can try this.

1. Include a link ("Email Me") that links to, "somescript.php".
2. That script does a HTTP-redirect to "mailto: myemail@host.com":

<?php

header("Location: mailto:myemail@host.com"); 

?> 

The idea is, email harvesters shouldn't follow HTTP redirects, or understand what's coming through in the HTTP headers. However, web browsers will, and when they're "redirected" to a mailto: protocol, they should open the system's email client.

I don't have any proof that this works, but I used this method on a website for about a year, and the spammers never got to my email address. Admittedly, if lots of people start using this method, you can bet email harvesters will start looking at HTTP headers...
posted by Jimbob at 6:36 PM on June 25, 2005

You can also play simple HTML tricks: make each letter a td in a table, or wrap parts of the address in nested span and div blocks. You can make the job of the email harvester arbitrarily complicated.
posted by event at 6:44 PM on June 25, 2005

Use JavaScript. Not to write out the e-mail link -- no, spammers are wise to that now. Instead, make a dummy link that goes to "mailto:foo-12985@domain.com" and use a JavaScript that changes "foo-12985" to just plain "foo" on mouseover (e.g. onMouseOver='this.href=this.href.replace("-12985", "")'. Then set up your e-mail server to blacklist any IP address that tries to send you mail on the "wrong" address -- those are open relays, public proxies, and/or zombies used by the people who scraped your decoy address.

You want to get even tricker, you can combine Jimbob's trick with this one -- link to a dummy URL, and the "real" URL only gets substituted when you mouseover the link. In your PHP redirect script, you can check for 1) a cookie that was set by a PHP script on the main page of the site, 2) a referrer that was on your site, 3) the value of a hidden form field that was on a form that was submitted to get to the PHP mailto redirect, 4) the X/Y coordinates you get if you use an image as a submit button. Combine those techniques and you have created a "gauntlet" that humans will run without effort but that robots will have a tough time with.
posted by kindall at 6:45 PM on June 25, 2005

And you want to get extra-clever on top of THAT, entity-encode the onMouseOver. ;)
posted by kindall at 6:48 PM on June 25, 2005

Another interesting technique I've seen used: the user puts their e-mail address in a form on your site. Your site sends them an e-mail with your return address on it. They reply to that to initiate contact. That way, they have to give you their address to get yours, and they also get to keep a cc of their original message to you.
posted by kindall at 6:50 PM on June 25, 2005

Oops - didn't realize you wanted clickable. The HTML tricks won't work with clickable addresses. Apologies.
posted by event at 6:51 PM on June 25, 2005

If you can move to a gmail account (need one? IM or e-mail me -- address in profile), you can take advantage of their stellar spam blocker. I sign up for shit all the time, but I don't have to worry about the ensuing spam. Gmail learned what was spam within a week.

Also, with gmail, you can edit your address so that joe@gmail.com becomes joe+site@gmail.com. Any e-mail sent to joe+site@gmail.com goes to joe@gmail.com with the label "site." (Use any label you want.) Then you can easily tell who got your e-mail from that place. If it gets spammed up, just tell gmail to automatically delete all messages labeled "site," repost your address with a new label, and it's like you started fresh.

Sorry if this is poorly worded; if you want some help setting this up, e-mail me.
posted by NickDouglas at 6:58 PM on June 25, 2005

Just replace @ with @.

That's all it takes.
posted by waldo at 8:45 PM on June 25, 2005

in case waldo doesn't drop by again for a while, he wrote (I've added spaces between the last six characters):

> Just replace @ with & # 0 6 4 ;
posted by anadem at 9:20 PM on June 25, 2005

Spammers are Lazy. It's just one sample, but an interesting find, nonetheless:

This morning, when I got my third actual email through the [numerically] encoded one (I guess the "Harvester Test" headline wasn't quite clear enough), I finally remembered to turn it off and take it out. The final tally, for the encoded address: 46 spams, 3 actual emails; for the unencoded address: 2632 spams. Apparently, if you don't have time to really harden an address, it's worth taking the time to at least convert it to NCRs. Lazy spammers.
posted by gsb at 10:31 PM on June 25, 2005

I've done similar to what NickDouglas has done. I have one Gmail account I keep for personal correspondence and legit sites (Amazon, Ebay, etc). I create another Gmail address, use it liberally whenever registering for a message board or whatnot, and have it automatically forward to my main email address. The address hasn't caught on with spammers as of yet, but if it does I can always have emails forwarded to my archive, so I won't get alerted with Gmail notifier.
posted by apple scruff at 11:18 PM on June 25, 2005

If you can move to a gmail account (need one? IM or e-mail me -- address in profile), you can take advantage of their stellar spam blocker.

Gmail's spam blocker sucks. I get 1000+ spam messages a week to my gmail account.
posted by rajbot at 11:46 PM on June 25, 2005

Make that 1000+/week to my inbox, and 4000+/week to my spam folder. Gmail sucks.
posted by rajbot at 11:52 PM on June 25, 2005

The JavaScript that I use takes username, domain and link text as separate and then later joins them.

so: i assign josh, domain.com, and e-mail me, and then it creates mailto [username]+[domain]/"[link text]"
posted by thejoshu at 12:35 AM on June 26, 2005

rajbot : You must be doing something wrong. I get a handful to my (easily guessed by a zombie box) Gmail address each week, and it all goes in the spam folder. I suspect your problem isn't a Gmail one.
posted by coach_mcguirk at 5:07 PM on June 26, 2005

I make web sites as a living and use server side forms that the visitor fill out to send a message. I use PHP and there are a bunch of free scripts online. If you want to make custom forms without learning PHP, then I would recommend phpFormGenerator.
posted by FakeOutdoorsman at 8:03 PM on June 26, 2005

Rajbot, even after clicking "report as spam" on all your inbox spams? That's weird.
posted by NickDouglas at 10:00 PM on June 26, 2005

Thanks for correcting my code, anadem -- & # 0 6 4 ; worked great on preview, but not so much when posting it.

And, yes, Robot Johnny, replacing @ with & # 0 6 4 ; (spaces removed, of course) will really do the trick. Every browser interprets it as "@", and spammers don't decode HTML entities. That's all it takes.
posted by waldo at 10:52 AM on June 27, 2005

« Older Re: Student loan consolidation...   |   If you were putting together a... Newer »