Hello all. I've spent the past few days working on updating my personal website. The URL of my personal website is (my first name).(my last name).com, as my last name is rather unusual, and I was lucky enough to pick up the domain name. My e-mail address is (my first name)@(my last name).com. So really, when it comes down to guessing it, it's not very hard.

Anyways, I want to integrate a mailto: link into my website, so people can contact me. And, despite my e-mail address not being very hard to guess, I'd rather not have it harvested by spam bots that just crawl websites for e-mail address patterns and add them to their database.

What is the best way for me to obfuscate my e-mail address, preferably in link form? The methods I know of are:

<a href="mailto:[email protected]">e-mail me</a>

It works, but it also means that as soon as my website hits Google, I'll be wading through spam as spam bots easily pick out my e-mail address.

<img src="images/e-mail.png" />

This is less desirable, because not only will visitors be unable to click on it to send me an e-mail, but smarter spam bots will probably be able to detect the characters that the image contains.

I know that there is probably no perfect solution, but I was just wondering what everyone thought was best. I'm definitely willing to use JavaScript if necessary, as my website already makes use of tons of it.

Thanks in advance!

+3  A: 

Don't use any obfuscation techniques here because it's probably the first place the email harvesters will look to find out how people are obfuscating emails. If you have to have your email address visible on the site don't just copy verbatim someone else's method; obfuscate it in some unique way that no other site has used so that your method won't be known to harvesters before they visit your site.

Sam Hasler
How very recursive.
Paul Tomblin
xD I'm assuming you meant Codebrain's answer?
Unniloct
Unniloct: Sam Hasler's answer applies regardless of what the top answer is. By going with the most popular obfuscation technique, you are going with the most likely target of harvesting.
eyelidlessness
Unless the top answer is to not actually use obfuscation :)
JoshJordan
@JoshJordan: agreed, I actually voted for your answer. My point was that any popular obfuscation technique will eventually be noticed by the spammers and they'll write code to deobfuscate it.
Sam Hasler
Currently this page is the 28th result returned by google for [obfuscate e-mail address], although I expect it will rise higher eventually.
Sam Hasler
+1  A: 

I use JavaScript obfuscation, take a look at this one for example:

http://www.jottings.com/obfuscator/

Codebrain
-1: Have you looked at the code it generates? It does not actually obfuscate your email address if you include it in the "link text", and belies its purpose with "mailto:". Worse, it's a solution that requires Javascript, which should not be relied upon for basic content.
eyelidlessness
+41  A: 

The current accepted solution is to create a contact form that allows users to email you. If you receive a lot of spam from that (I don't on my site), then you can add a captcha for good measure, and you'll be far from the "low hanging fruit" at that point.

The fact of the matter is that if you are providing a link that a user can click on to pop open their email client with your address in the To: field, then the computer is able to decipher the email address from the page and so can a spam bot.

JoshJordan
That is to say, the logic to send the email should be written in hidden server-side code so that the address is never made public.
JoshJordan
+1 nice and simple, but sometimes people prefer to see an address.
Dead account
While it's a fine solution, technically, it's a solution that's offputting to many users. Just sayin'.
eyelidlessness
You're absolutely right, but I've never understood why. At most, you are one click away from the web form, just as you would be at *minimum* with an email client. The only thing that adds difficulty is the optional captcha. If a user can't go through that to contact you, was their message important?
JoshJordan
I always like it when there's an option to CC you the message. The one thing that bothers me about contact forms is that it leaves no record in my own email system. (Although a form that CCs any email address can create its own set of problems.)
Sam Hasler
There's also no indication that the email form actually worked. I've seen too many that were silently broken. Real emails bounce, at least.
Brian Carper
@Brian Carper: Well, that's an implementation detail. The solution assumes that the programmer is intelligent enough to implement appropriate error handling.
JoshJordan
If the email bounces after 30 seconds, isn't it too late to inform the user at that point? If you're using a web form, you may as well not even back it with email, just dump the feedback into a database.
Brian Carper
No, you still have the chance to email the user back to inform them (provided your SMTP server isn't borked), or inform them on the next pageview.
JoshJordan
+23  A: 

I encode the characters as HTML entities (something like this). It doesn't require JS to be enabled and seems to have stopped most of the spam. I suppose a smart bot might still harvest it, but I haven't had any problems.

Christopher Nadeau
I've used this method in the past, but it was dead simple for *me* to get around it (for parsing my own documents in some cases) so I can't imagine it would be any less so for a bot.
eyelidlessness
This stops the simplest sort of spambot harvesting (regex looking for any text that resembles an e-mail address), and has no downside: it is just as convenient for the end user as the explicit href=mailto:xxx@yy link.
Stephen C. Steel
I've used this method before and it seems to work pretty well. It's about the only method I could find that works in Lynx/w3m too..
dbr
This works pretty well because many (most?) of the crawlers/harvesters are incredibly stupid.
Jacco
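The trade-off discussed in this answer and its comments, as an added example (not code from any poster): the address is written as numeric HTML entities, then the published markup is audited with a simple address pattern before and after the entity decoding that every HTML parser performs. The function names and the sample address are constructed for illustration; the pattern is the one quoted in a later answer on this page.

```javascript
// Simple address pattern (the regex quoted in a later answer on this page).
const EMAIL_RE = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b/i;

// Encode every character as a numeric character reference, alternating
// decimal (&#109;) and hex (&#x6d;) so the output has no single fixed shape.
function toEntities(text) {
  return Array.from(text, (ch, i) => {
    const cp = ch.codePointAt(0);
    return i % 2 === 0 ? `&#${cp};` : `&#x${cp.toString(16)};`;
  }).join('');
}

// Build the link; both the href and the visible text are entity-encoded.
function obfuscatedMailto(address, label) {
  const href = toEntities('mailto:' + address);
  return `<a href="${href}">${toEntities(label || address)}</a>`;
}

// What any HTML parser does with numeric references when it reads the page.
function decodeNumericEntities(markup) {
  return markup
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Self-audit for your own markup: is an address visible to a plain text
// scan of the source, and is it visible once the markup has been parsed?
function auditMarkup(markup) {
  return {
    exposedInSource: EMAIL_RE.test(markup),
    exposedAfterParsing: EMAIL_RE.test(decodeNumericEntities(markup)),
  };
}

// Constructed sample address, not taken from the page.
const SAMPLE_ADDRESS = 'jane@example.com';
const sampleLink = obfuscatedMailto(SAMPLE_ADDRESS, 'e-mail me');
console.log(sampleLink);
console.log(auditMarkup(sampleLink));
```

The audit reports the link as hidden from a raw-source scan but visible after parsing, which is the limit the commenters describe: the encoding stops text-only pattern matching and nothing that parses HTML.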
+36  A: 

Personally, I've given up on hiding my email address. I find it easier to look into better spam-filtering solutions than worry about obfuscating. You could spend days trying to find the best way to obfuscate your address, and then all it takes is one person to sell your address to a spammer and all that work was useless.

Chad Birch
+1. Yep, who doesn't filter spam anyway?
Dead account
No matter how good your spam filtering is there are going to be false negatives (mails that get through that shouldn't). Ultimately you have to live with the e-mail address, but it seems like this kind of unnecessary exposure would increase the recurrence of spam getting through.
Brad Barker
@Brad in my experience this has not been the case. I use Google hosted mail for my domains and my email address is *extremely* easy to find. I have had 0 false negatives and 1 false positive since I started using it more than 14 months ago. I get several hundred spams a day in my spam folder.
Rex M
I get a bunch of false negatives with Gmail. YMMV.
eyelidlessness
Er, I should add: spam isn't a boogeyman that's going to eat your children. Getting an odd spam email isn't the end of the world. Click "report spam" and move on.
eyelidlessness
@Brad: If it's unnecessary, don't give your address out at all. If it is necessary to give your address out, get ready for spam. You can't make it easy for a human to email you without also making it easy for a spambot to do it.
Chuck
I just post my email unobfuscated as well. I use gmail, and the spam filter seems to work remarkably well.
Asmor
A: 

Honestly, your problem may be moot if you asked the question of whether or not a mailto is really what you want to use. A lot of people who use web mail, for example, or do not have the proper mail client setup in their browser are not going to benefit from a mailto. You are exposing your email address for a function that isn't going to work for a large portion of your users.

What you could do instead is use a form to send the e-mail behind the scenes so that the e-mail address is hidden and you don't have to worry about the poor saps who won't benefit from a mailto.

Brad Barker
Although that poses the question of ... how to stop robots spamming the form, which will lead back to a captcha.
Sohnee
+3  A: 

You could do as Google do on Google Code (and Groups). Display a part of the email, and a clickable portion ("..."). Clicking that indicates you want to know the email, and you are asked to fill in a captcha. Afterwards the email (and others?) are visible to you.

Ross
+1 because now i know how to use google groups
TokenMacGuy
+5  A: 

Apparently using CSS to change the direction of your text works pretty well. That link has a test of a bunch of other obfuscation methods as well.

Whatever you use is inevitably going to be defeated. Your primary aim should be to avoid annoying the heck out of your users.

Brian Carper
This stuffs up copy and paste maybe ? IIRC
alex
When the address is copy-pasted, it will show up backwards. This could be off-putting for users, if you want it to be as easy as possible to contact you.
Christian Davén
+19  A: 

reCAPTCHA offers a simple email obfuscation service. You don't need to set up an account and can start using it immediately. You can use the service as a link or as a popup.

After the captcha is solved, your email address appears as an href/mailto, so that it can be clicked/followed by users who have configured their email clients to work with their browsers.

Rich Apodaca
This is a great solution.
JoshJordan
This is great and will work 99.9% of the time. Thanks for the link too. It will fail when a bot is automating a browser.
NTulip
I don't think the majority of web users will go to the effort of solving a captcha just to email someone.
AndyM
I am with Andy on this. CAPTCHA are a pain, and reCAPTCHA are an even bigger pain than average as they are often too hard to read. If people emailing you is a conversion point (for instance, allowing customers to inquire about services, order or ask a quote), you really want to make it as easy as possible for them to do so.
Sylverdrag
+2  A: 

I don't know how well this would work. Could you not leave your email address out and make it load using an AJAX call once the page has finished loading? Not sure if spam bots can pick up the altered HTML or if they are clever enough to listen on other HTTP traffic to try and pick email addresses or if they just scan the page as it is received the first time.

uriDium
+3  A: 

One website I maintain uses a somewhat simplistic JavaScript means of (hopefully) keeping spambots out.

Email links call a JS function:

// Assemble the address only at click time and hand it to the mail client.
function sendEmail(name, domain) {
    location.href = 'mailto:' + name + '@' + domain;
}

To make sure only users who have JS enabled can see the link, write them out with this:

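// Write the link from script, so the page source holds no <a> element for it.
// name and domain are passed separately; the full address never appears as one string.
function writeEmailLink(realName, name, domain) {
    document.write('<a href="javascript:sendEmail(\''
      + name + '\', \'' + domain + '\')">');
    document.write(realName);
    document.write('</a>');
}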

The use of one JS function to write out a link that calls another means that there are two layers of protection.

Stewart
+8  A: 

You mentioned this is for your personal website. On my personal site (for example, bobsomers.com) I just have a paragraph that says this:

The best way to get in contact with me before the new site is up is to send me an email. My email address is my first name at this website. If you can't figure it out from that hint, well, you might find email more of a challenge than figuring out my address.

People seem to be able to figure that out just fine, as I get legitimate email all the time. Sometimes the best solutions don't require writing any code. :)

Bob Somers
+1 it's captcha, alright :P
Lucas
A: 

I use a different approach, and so far it has worked for me. My solution is written in PHP and JavaScript, but should be able to be ported to any other server language or plain JS. I use this regex to capture user-inputted emails from my CMS

$regex = '/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b/i';

I then run the result through this function

function stopEmailHarvesting($match) {
    $find = array('.', '@');
    $replace = array(' dot ', ' at ');
    $match = str_replace($find, $replace, $match);
    return '<span class="obfuscate-email">' . $match . '</span>';
}

This renders an email as alex at domain dot com dot au.

Now, to tidy up things, I run this jQuery function on DOM ready.

var emailLinks = {
    init: function() {
        // Turn each "name at domain dot tld" span back into a mailto: link.
        $('.obfuscate-email').each(function() {
            var email = $(this).text();
            email = email.replace(/ at /, '@');
            email = email.replace(/ dot /g, '.');
            $(this).replaceWith('<a href="mailto:' + email + '" title="Email \'' + email + '\'">' + email + '</a>');
        });
    }
};

This then renders the email as it should, and so far no spam has come through. Mind you, my sites are not terribly popular, but I think this is a decent solution. Don't forget to include a good spam filter on your email, just in case.

alex
This seems like a particularly easy solution for bots to get around, particularly because you're indicating right there in the source code that you've obfuscated the email address, and the obfuscation is done in plain english.
eyelidlessness
@eyelidlessness, I realise this, it could easily be circumvented by a bot that knew what it was looking for, but I am hoping that no one stumbles on any of my small business sites and says "I want to scrape all emails in the future from this page." Maybe I should add some extra characters in...
alex
...around the `at` and `dot` strings. Would a bot actually look for class names with the word obfuscate in them ?
alex
Personally if I were using a method like this, I would probably generate a one-time random string to inject into the address after converting @ and . to at and dot, then remove that string as well. Yes, I imagine that smarter bots will look for "obfuscate" and "email", and especially "at" and "dot".
eyelidlessness
That's a pretty good idea, will look at implementing this in the future. Thanks for the edit on my post too!
alex
Sounds non-js-user proof.
Tchalvak
Well if you can't understand `someone at example dot com`, well... you may have more problems than not having JS.
alex
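The variation raised in the comments above (a one-time random string mixed into the " at "/" dot " form, and no telltale class name), as an added example that is not alex's code. It is written in JavaScript for both halves rather than the answer's PHP; the function names and the `data-k` attribute are assumptions made for this sketch, and the address is assumed to have already matched the answer's regex, so it contains no spaces or HTML metacharacters.

```javascript
// One-time filler string. It ships in the page, so it is not a secret; it only
// has to differ between renders so the markup carries no fixed pattern.
function newToken() {
  const bytes = new Uint8Array(6);
  if (globalThis.crypto && globalThis.crypto.getRandomValues) {
    globalThis.crypto.getRandomValues(bytes);
  } else {
    bytes.forEach((_, i) => { bytes[i] = Math.floor(Math.random() * 256); });
  }
  return 'x' + Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Server side: "@" and "." become words, then the filler is spliced into
// every word boundary. The span has no "obfuscate" or "email" class name;
// the filler travels in the (hypothetical) data-k attribute.
function renderObfuscated(address, token = newToken()) {
  if (address.includes(token)) throw new Error('token collides with address');
  const spoken = address.replace(/@/g, ' at ').replace(/\./g, ' dot ');
  const mixed = spoken.split(' ').join(` ${token} `);
  return `<span data-k="${token}">${mixed}</span>`;
}

// Client side: strip the filler named in data-k, then undo the word forms.
// Takes the span's text and data-k value so it can be tested without a DOM.
function restoreAddress(text, token) {
  return text
    .split(` ${token} `).join(' ')
    .replace(/ at /, '@')
    .replace(/ dot /g, '.');
}

// Constructed sample address and a fixed token so the output is reproducible.
const demoMarkup = renderObfuscated('alex@example.com.au', 'x00ff00ff00ff');
console.log(demoMarkup);
```

Without JavaScript the visitor sees the filler words mixed into the text, so this variant gives up the plain-text readability of the original answer's fallback.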
A: 

If you work with PHP, you can grab a free script that does that automatically. It's called "Private Daddy" and we use it for our own online audio streaming service. Just one line of code and it works out of the box... you can grab it here

Cheers,

Reuven

Reuven
A: 

If you say on your site that "My e-mail address is (my first name)@(my last name).com.", and your first name and last name are pretty darn obvious, that seems to be the best spam protection you're going to get.

Dean J
aren't parentheses actually allowed in full-fledged emails? seems like that could be a valid email address. :p
Tchalvak
Which is another reason spam bots will miss your inbox. :-)
Dean J
A: 

Check this out.

The 'Enkoder Form' will encrypt your Email address and convert the result to a self evaluating JavaScript, hiding it from Email-harvesting robots which crawl the web looking for exposed addresses. Your address will be displayed correctly by web-browsers, but will be virtually indecipherable to Email harvesting robots.

Zaki
A: 

One guy tested nine different ways of presenting an email address on a page and then published results on his blog.

His three best ways were:

  1. Changing the code direction with CSS
  2. Using CSS display:none
  3. ROT13 Encryption

Caveat -- this was posted two years ago. Spam bots might've gotten smarter.

Doug Harris