tags:

views:

2159

answers:

17
+30  Q: 

Best way to obfuscate an e-mail address on a website?

Hello all. I've spent the past few days working on updating my personal website. The URL of my personal website is (my first name).(my last name).com, as my last name is rather unusual, and I was lucky enough to pick up the domain name. My e-mail address is (my first name)@(my last name).com. So really, when it comes down to guessing it, it's not very hard.

Anyways, I want to integrate a mailto: link into my website, so people can contact me. And, despite my e-mail address not being very hard to guess, I'd rather not have it harvested by spam bots that just crawl websites for e-mail address patterns and add them to their database.

What is the best way for me to obfuscate my e-mail address, preferably in link form? The methods I know of are:

<a href="mailto:[email protected]">e-mail me</a>

It works, but it also means that as soon as my website hits Google, I'll be wading through spam as spam bots easily pick out my e-mail address.

<img src="images/e-mail.png" />

This is less desirable, because not only will visitors be unable to click on it to send me an e-mail, but smarter spam bots will probably be able to detect the characters that the image contains.

I know that there is probably no perfect solution, but I was just wondering what everyone thought was best. I'm definitely willing to use JavaScript if necessary, as my website already makes use of tons of it.

Thanks in advance!

+3  A: 

Don't use any obfuscation techniques here because it's probably the first place the email harvesters will look to find out how people are obfuscating emails. If you have to have your email address visible on the site don't just copy verbatim someone else's method; obfuscate it in some unique way that no other site has used so that your method won't be known to harvesters before they visit your site.

Sam Hasler  2009-04-14 18:26:28
How very recursive.
Paul Tomblin  2009-04-14 18:29:21
xDI'm assuming you meant Codebrain's answer?
Unniloct  2009-04-14 18:30:09
Unniloct: Sam Hasler's anwswer applies regardless of what the top answer is. By going with the most popular obfuscation technique, you are going with the most likely target of harvesting.
eyelidlessness  2009-04-14 19:21:38
Unless the top answer is to not actually use obfuscation :)
JoshJordan  2009-04-14 19:42:43
@JoshJordan: agreed, I actually voted for your answer. My point was that any popular obfuscation technique will eventually be noticed by the spammers and they'll write code to deobfuscate it.
Sam Hasler  2009-04-14 21:26:25
Currently this page is the 28th result returned by google for [obfuscate e-mail address], although I expect it will rise higher eventually.
Sam Hasler  2009-04-14 21:32:59
+1  A: 

I use JavaScript obfuscation, take a look at this one for example:

http://www.jottings.com/obfuscator/

Codebrain  2009-04-14 18:26:47
-1: Have you looked at the code it generates? It does not actually obfuscate your email address if you include it in the "link text", and belies its purpose with "mailto:". Worse, it's a solution that requires Javascript, which should not be relied upon for basic content.
eyelidlessness  2009-04-14 19:19:50
+41  A: 

The current accepted solution is to create a contact form that allows users to email you. If you receive a lot of spam from that (I don't on my site), then you can add a captcha for good measure, and you'll be far from the "low hanging fruit" at that point.

The fact of the matter is that if you are providing a link that a user can click on to pop open their email client with your address in the To: field, then the computer is able to decipher the email address from the page and so can a spam bot.

JoshJordan  2009-04-14 18:28:32
That is to say, the logic to send the email should be written in hidden server-side code so that the address is never made public.
JoshJordan  2009-04-14 18:30:54
+1 nice and simple, but sometimes people perfer to see an address.
Dead account  2009-04-14 18:34:57
While it's a fine solution, technically, it's a solution that's offputting to many users. Just sayin'.
eyelidlessness  2009-04-14 19:14:00
You're absolutely right, but I've never understood why. At most, you are one click away from the web form, just as you would be at *minimum* with an email client. The only thing that adds difficulty is the optional captcha. If a user can't go through that to contact you, was their message important?
JoshJordan  2009-04-14 19:44:47
I always like it when there's an option to CC you the message. The one thing that bothers me about contact forms is that it leaves no record in my own email system. (Although a form that CCs any email address can create it's own set of problems.)
Sam Hasler  2009-04-14 21:29:03
There's also no indication that the email form actually worked. I've seen too many that were silently broken. Real emails bounce, at least.
Brian Carper  2009-04-14 22:24:51
@Brian Carper: Well, thats an implementation detail. The solution assumes that the programmer is intelligent enough to implement appropriate error handling.
JoshJordan  2009-04-14 22:40:19
If the email bounces after 30 seconds, isn't it too late to inform the user at that point? If you're using a web form, you may as well not even back it with email, just dump the feedback into a database.
Brian Carper  2009-04-15 00:47:03
No, you still have the chance to email the user back to inform them (provided your SMTP server isn't borked), or inform them on the next pageview.
JoshJordan  2009-04-15 10:30:36
+23  A: 

I encode the characters as HTML entities (something like this). It doesn't require JS to be enabled and seems to have stopped most of the spam. I suppose a smart bot might still harvest it, but I haven't had any problems.

Christopher Nadeau  2009-04-14 18:29:01
I've used this method in the past, but it was dead simple for *me* to get around it (for parsing my own documents in some cases) so I can't imagine it would be any less so for a bot.
eyelidlessness  2009-04-14 19:16:52
This stops the simplest sort of spambot harvesting (regex looking for any text that resembles and e-mail address), and has no downside: it is just as convenient for the end user as the explict href=mailto:xxx@yy link.
Stephen C. Steel  2009-04-14 19:35:17
I've used this method before and it seems to work pretty well. It's about the only method I could find that works in Lynx/w3m too..
dbr  2009-04-14 20:05:19
This works pretty well because many (most?) of the crawlers/harvesters are incredibly stupid.
Jacco  2009-04-14 22:06:45
+36  A: 

Personally, I've given up on hiding my email address. I find it easier to look into better spam-filtering solutions than worry about obfuscating. You could spend days trying to find the best way to obfuscate your address, and then all it takes is one person to sell your address to a spammer and all that work was useless.

Chad Birch  2009-04-14 18:29:38
+1. Yep, who doesn't filter spam anyway?
Dead account  2009-04-14 18:35:29
No matter how good your spam filtering is there are going to be false negatives (mails that get through that shouldn't). Ultimately you have to live with the e-mail address, but it seems like this kind of unnecessary exposure would increase the recurrence of spam getting through.
Brad Barker  2009-04-14 18:38:38
@Brad in my experience this has not been the case. I use Google hosted mail for my domains and my email address is *extremely* easy to find. I have had 0 false negatives and 1 false positive since I started using it more than 14 months ago. I get several hundred spams a day in my spam folder.
Rex M  2009-04-14 18:53:03
I get a bunch of false negatives with Gmail. YMMV.
eyelidlessness  2009-04-14 19:14:44
Er, I should add: spam isn't a boogeyman that's going to eat your children. Getting an odd spam email isn't the end of the world. Click "report spam" and move on.
eyelidlessness  2009-04-14 19:15:46
@Brad: If it's unnecessary, don't give your address out at all. If it is necessary to give your address out, get ready for spam. You can't make it easy for a human to email you without also making it easy for a spambot to do it.
Chuck  2009-04-14 21:57:55
I just post my email unobfuscated as well. I use gmail, and the spam filter seems to work remarkably well.
Asmor  2009-04-22 18:19:04
A: 

Honestly, your problem may be moot if you asked the question of whether or not a mailto is really what you want to use. A lot of people who use web mail, for example, or do not have the proper mail client setup in their browser are not going to benefit from a mailto. You are exposing your email address for a function that isn't going to work for a large portion of your users.

What you could do instead is use a form to send the e-mail behind the scenes so that the e-mail address is hidden and you don't have to worry about the poor saps who won't benefit from a mailto.

Brad Barker  2009-04-14 18:30:56
Although that poses the question of ... how to stop robots spamming the form, which will lead back to a captcha.
Sohnee  2009-04-15 10:51:24
+3  A: 

You could do as Google do on Google Code (and Groups). Display a par tof the email, and a clickable portion ("..."). Clicking that indicates you want to know the email, and you are asked to fill in a captcha. Afterwards the email (and others?) are visible to you.

Ross  2009-04-14 18:33:10
+1 because now i know how to use google groups
TokenMacGuy  2009-04-15 02:05:13
+5  A: 

Apparently using CSS to change the direction of your text works pretty well. That link has a test of a bunch of other obfuscation methods as well.

Whatever you use is inevitably going to be defeated. Your primary aim should be to avoid annoying the heck out of your users.

Brian Carper  2009-04-14 18:34:33
This stuffs up copy and paste maybe ? IIRC
alex  2009-12-24 01:34:41
When the address is copy-pasted, it will show up backwards. This could be off-putting for users, if you want it to be as easy as possible to contact you.
Christian Davén  2010-02-04 13:35:37
+19  A: 

reCAPTCHA offers a simple email obfuscation service. You don't need to set up an account and can start using it immediately. You can use the service as a link or as a popup.

After the captcha is solved, your email address appears as an href/mailto, so that it can be clicked/followed by users who have configured their email clients to work with their browsers.

Rich Apodaca  2009-04-14 18:55:31
This is a great solution.
JoshJordan  2009-04-14 20:10:57
this is great and will work 99.9% of the time. Thanks for the link to. It will fail when bot is automating a browser.
NTulip  2009-04-15 02:13:52
I don't think the majority of web users will go to the effort of solving a captcha just to email someone.
AndyM  2010-02-05 09:04:37
I am with Andy on this. CAPTCHA are a pain, and reCAPTCHA are an even bigger pain than average as they are often too hard to read. If people emailing you is a conversion point (for instance, allowing customers to inquire about services, order or ask a quote), you really want to make it as easy as possible for them to do so.
Sylverdrag  2010-07-26 06:19:33
+2  A: 

I don't how well this would work. Could you not leave your email address out and make it load using an AJAX call once the page has finished loading. Not sure if spam bots can pick up the altered HTML or if they are clever enough to listen on other HTTP traffic to try and pick email addresses or if they just scan the page as it is received the first time.

uriDium  2009-04-14 20:13:10
+3  A: 

One website I maintain uses a somewhat simplistic JavaScript means of (hopefully) keeping spambots out.

Email links call a JS function:

function sendEmail(name, domain) {
    location.href = 'mailto:' + name + '@' + domain;
}

To make sure only users who have JS enabled can see the link, write them out with this:

function writeEmailLink(realName, name, domain) {
    document.write('<a href="javascript:sendEmail(\''
      + name + '\', \'' + domain + '\')">');
    document.write(realName);
    document.write('</a>');
}

The use of one JS function to write out a link that calls another means that there are two layers of protection.

Stewart  2009-04-14 22:17:22
+8  A: 

You mentioned this is for your personal website. On my personal site (for example, bobsomers.com) I just have a paragraph that says this:

The best way to get in contact with me before the new site is up is to send me an email. My email address is my first name at this website. If you can't figure it out from that hint, well, you might find email more of a challenge than figuring out my address.

People seem to be able to figure that out just fine, as I get legitimate email all the time. Sometimes the best solutions don't require writing any code. :)

Bob Somers  2009-04-15 01:56:02
+1 it's captcha, alright :P
Lucas  2009-04-15 03:53:51
A: 

I use a different approach, and so far has worked for me. My solution is written in PHP and JavaScript, but should to be able to ported to any other server language or plain JS. I use this regex to capture user inputted emails from my CMS

$regex = '/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b/i';

I then run the result through this function 

function stopEmailHarvesting($match) {
    $find = array('.', '@');
    $replace = array(' dot ', ' at ');
    $match = str_replace($find, $replace, $match);
    return '<span class="obfuscate-email">' . $match . '</span>';
}

This renders an email as alex at domain dot com dot au.

Now, to tidy up things, I run this jQuery function on DOM ready.

var emailLinks = {
    init: function() {
     $('.obfuscate-email').each(function() {    
         var email = $(this).text();
         email = email.replace(/ at /, '@');
         email = email.replace(/ dot /g, '.');
         $(this).replaceWith('<a href="mailto:' + email  + '" title="Email \'' + email + '\'">' + email + '</a>');        
     });
    }
}

This then renders the email as it should, and so far no spam has came through. Mind you, my sites are not terribly popular, but I think this is a decent solution. Don't forget to include a good spam filter on your email, just in case.

alex  2009-04-15 02:12:21
This seems like a particularly easy solution for bots to get around, particularly because you're indicating right there in the source code that you've obfuscated the email address, and the obfuscation is done in plain english.
eyelidlessness  2009-04-15 20:57:16
@eyelidlessness, I realise this, it could easily be circumvented by a bot that knew what it was looking for, but I am hoping that noone stumbles on any of my small business sites and says "I want to scrape all emails in the future from this page." Maybe I should add some extra characters in...
alex  2009-04-15 23:02:08
...around the `at` and `dot` strings. Would a bot actually look for class names with the word obfuscate in them ?
alex  2009-04-15 23:02:53
Personally if I were using a method like this, I would probably generate a one-time random string to inject into the address after converting @ and . to at and dot, then remove that string as well. Yes, I imagine that smarter bots will look for "obfuscate" and "email", and especially "at" and "dot".
eyelidlessness  2009-04-16 02:36:23
That's a pretty good idea, will look at implementing this in the future. Thanks for the edit on my post too!
alex  2009-04-16 02:56:36
Sounds non-js-user proof.
Tchalvak  2009-12-23 15:43:37
Well if you can't understand `someone at example dot com`, well... you may have more problems than not having JS.
alex  2009-12-24 01:33:30
A: 

If you work with PHP, you can grab a free script that does that automatically. It's called "Private Daddy" and we use it for our own online audio streaming service. Just one line of code and it works out of the box... you can grab it here

Cheers,

Reuven

Reuven  2009-12-23 15:27:59
A: 

If you say on your site that "My e-mail address is (my first name)@(my last name).com.", and your first name and last name are pretty darn obvious, that seems to be the best spam protection you're going to get.

Dean J  2009-12-23 15:30:36
aren't parentheses actually allowed in full-fledged emails? seems like that could be a valid email address. :p
Tchalvak  2009-12-23 15:37:40
Which is another reason spam bots will miss your inbox. :-)
Dean J  2010-01-04 15:10:26
A: 

Check this out.

The 'Enkoder Form' will encrypt your Email address and convert the result to a self evaluating JavaScript, hiding it from Email-harvesting robots which crawl the web looking for exposed addresses. Your address will be displayed correctly by web-browsers, but will be virtually indecipherable to Email harvesting robots.

Zaki  2010-03-03 10:41:25
A: 

One guy tested nine different ways of presenting an email address on a page and then published results on his blog.

His three best ways were:

  1. Changing the code direction with CSS
  2. Using CSS display:none
  3. ROT13 Encryption

Caveat -- this was posted two years ago. Spam bots might've gotten smarter.

Doug Harris  2010-08-03 19:38:21

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?