Comments on: How to spam-protect a web-published e-mail address?

Question: How to spam-protect a web-published e-mail address?

jdroth — Sun, 04 Jun 2006 11:57:19 -0800

I need to post an e-mail address to the contact page of a website. What's the safest way to do this? (Is there a safe way?)

In the past I've used the Hivelogic email enkoder. Can anyone vouch for the efficacy of this method? I've considered using the enkoder with an additional layer of misdirection: for example, creating a dummy contact1@grs.org address which, if it became a spam target, would be changed to contact2@grs.org, etc.

What about posting the address as an image? Is this effective?

I need to get my contact information up, but I'm pretty darn wary about doing so...

By: moift

moift — Sun, 04 Jun 2006 12:20:09 -0800

I'd avoid using any standard solution like the one in your link. It's not strong encryption and if there are enough adopters to make the clientele attractive to spammers they'll break it and spider for it. A home-rolled solution like an image (with no mailto: link or compromising alt text) would have to be typed into a spam database manually, and it's really never going to get any more difficult than that. (That is, unless spammers are doing mass-OCR, but I think that's unlikely considering the volume of easier pickings)

By: agropyron

agropyron — Sun, 04 Jun 2006 12:35:59 -0800

What about a form where people can submit a message that gets emailed to you?

By: jepler

jepler — Sun, 04 Jun 2006 12:37:06 -0800

I put my e-mail address (jepler@unpy.net) online freely, and I have done so since before anyone had heard of spam. If you want people to be able to contact you easily, you pay a price.

But with good spam detection software, like the free spambayes, spam is a very managable annoyance. Last month, I got 10368 messages, including 6875 spam, about 300 addressed directly to me, and the rest on various mailing lists. Of those, about 60 (<1 %) had to be manually classified as spam or not.br>
You may worry "what if I miss a message because it was caught as spam", but if you use a system that inconveniences your correspondent (e.g., forcing her to manually tanscribe an address that is shown as an image) you will also deter people from communicating with you. "enkoder" is such a scheme, because it only works for people who enable javascript in their web browser.

By: devilsbrigade

devilsbrigade — Sun, 04 Jun 2006 12:41:58 -0800

If you make it slightly nonstandard, it'll fool anything automated. That's the best you can hope for. Personally, find email addresses that are the actual hyperlink (email:blah) with NOSPAMemail@domain.comNOSPAM, since you can click that and take it out in your email client fairly easily.

By: gfrobe

gfrobe — Sun, 04 Jun 2006 12:42:09 -0800

Why not just sign up for a throwaway Hotmail address and use that?

By: gfrobe

gfrobe — Sun, 04 Jun 2006 12:44:36 -0800

Sorry, just realized I misread your question. Disregard my suggestion..

By: jdroth

jdroth — Sun, 04 Jun 2006 13:08:09 -0800

@ jepler
You have an excellent point. I use spamsieve on a Mac and it's excellent. It does take time to sort through the spam every day, though, and I'd hate to have to spend more time at. Still, I may consider just giving in.

@agropyron
This morning I set up a separate page with a comments section -- comments will forward to me. I was hoping to add an actual e-mail address, too, though.

@devilsbrigade
Yours may be the best solution. We'll see...

By: kindall

kindall — Sun, 04 Jun 2006 13:54:19 -0800

I like using onMouseOver/onClick handlers to change the link's URL to a programmatically-determined (not hardcoded) e-mail address just before the user clicks on it. A spammer would have to be running a crawler that not only runs JavaScript to render the page, but which also simulates the JavaScript click event hierarchy on every link on the page.

<a href="mailto:spamtrap@jerrykindall.com" onMouseOver='myrealaddr="sendtome"' onClick='url=this.href.split("@"); url[0]=myrealaddr; url[0]="mailto:"+url[0]; this.href=url.join("@")'>send me mail</a>

How this works:

1) the href goes to an invalid email address at the same domain. In my example I use spamtrap@jerrykindall.com. I actually want this address on spammers' lists because it helps my mail server identify spam.

2) onMouseOver sets the variable myrealaddr to my real address (at the domain) when the user mouses over the e-mail link.

3) onClick changes the target of the link using the value of the variable when the user clicks the link.

For bonus points, URL-encode the myrealaddr assignment:

<a href="mailto:spamtrap@jerrykindall.com" onMouseOver='myrealaddr=unescape("%73%65%6e%64%74%6f%6d%65")' onClick='url=this.href.split("@"); url[0]=myrealaddr; url[0]="mailto:"+url[0]; this.href=url.join("@")'>send me mail</a>

For bonus bonus points, entity-encode all the tag attributes of the above. I won't post the result here because it'll ruin the layout of this page. I've posted it on my server.

There are other tricks I like but that's one of the simplest and most effective, IMHO.

By: Sharcho

Sharcho — Sun, 04 Jun 2006 14:08:11 -0800

Here's my unobtrusive JavaScript solution that gives a clickable E-mail address. Unlike other JavaScript encoding techniques, it is still accessible for people that don't have JavaScript enabled.
http://pastebin.com/758420

By: waldo

waldo — Sun, 04 Jun 2006 14:38:01 -0800

Simply replace the @ with an @ -- spammers have never harvested such addresses, as demonstrated by the Center for Democracy & Technology in their awesome March 2003 study.

Why? Because the sort of person who disguises their e-mail address is the kind of person that is going to report spam to Spamcop and the like, and decidedly not the kind of person who would ever buy anything from spam.

By: schwa

schwa — Sun, 04 Jun 2006 14:45:39 -0800

Sharcho wins for best solution! Very graceful.

I wonder how many spam spider's are capabile of executing Javascript though.

I took sharcho's code and will be using it on my site. I am going to change it a little so the fallback e-mail address is actually a link to a HTML form contact page.

By: randomination

randomination — Sun, 04 Jun 2006 15:15:22 -0800

You might want to take the 'nospam' idea and riff on it, if you're worried about crawlers being able to decode the script.

My own page displays something along the lines of "E-mail me at quin@haddockquinparker.com, removing the fish from the address first." And then everytime the page loads, a simple Javascript routine chooses from haddock, perch, trout, salmon, cod and about 12 other creatures. The logic is that automated e-mail crawlers aren't clever enough to figure out what part of the address is the interloping aquatic lifeform.

You could also do something like NOSPAMquin@quinnospamparker.no.spam.arrrgh.no.spam.spam.spam.STOPIT!.spam.GAH!.com but you might think that's silly.

By: smackfu

smackfu — Sun, 04 Jun 2006 15:40:17 -0800

What about a form where people can submit a message that gets emailed to you?

Those tend to get spammed just as much — although I suppose they don't get your email on mailing lists.

By: SenshiNeko

SenshiNeko — Sun, 04 Jun 2006 15:51:21 -0800

Posted on my site I use name [at] domain [dot] com in the email link, and when I post it elsewhere (as in comments), nameNO@SPAMdomain.moc

By: kindall

kindall — Sun, 04 Jun 2006 15:53:03 -0800

I wonder how many spam spider's are capabile of executing Javascript though.

A fair number. They just use the Internet Explorer built into Windows, typically. However, while these will get inline tags created with document.write, they won't catch things fired off by an event, as that would require that something simulate a click on each link on the page and run any attached JavaScripts.

Robots also generally don't follow form tags, which is another way to hide your e-mail address (have the form handler script send a redirect to a mailto: URL).

By: Sharcho

Sharcho — Sun, 04 Jun 2006 17:24:21 -0800

Just to clarify that I didn't write the code mentioned above. I've managed to trace back where I originally found it. The original version.

There's also another version linked there that uses the same concept that kindall mentioned to prevent JavaScript-capable spiders.

I've never received any spam in a JavaScript encoded address, so I don't think it's an issue.

By: schwa

schwa — Sun, 04 Jun 2006 18:33:28 -0800

Sharcho,

Still a lovely little script. I've modified it so that it works with:

foo [at] bar.com

Here's the modified code:

http://toxicsoftware.com/scripts/utilities.js

By: flabdablet

flabdablet — Mon, 05 Jun 2006 04:15:14 -0800

Whichever disguise method you end up with, just use a Gmail address and let Google filter the spam for you. I've had the same mail address for years, about 70% of what gets sent to it is spam, and my POP3 client just doesn't see it.

The only spam I still get arrives via my (even older) Yahoo account.

I used to comb through my Gmail spam folder every now and again just to see if there was anything valuable in there. There never was, so these days I don't bother. As far as I can tell, Gmail's spam filtering Just Works.