Hide email address in sourc...



Hide email address in source code
http://csarven.ca/hiding-email-addresses

Methods to hide email addresses from page source

Updated: 2006-12-05

I've compiled a list of methods to hide email addresses from the page source to minimize visibility against the email harvesting spam bots. Each method has its (dis)advantages, therefore I leave it up to the reader to decide which method suits them the most, as there are many factors.

Plain

    <a href="mailto:foo@bar.baz">foo@bar.baz</a>

    /* Output on screen */
    foo@bar.baz (link: mailto:foo@bar.baz)

The good: Since this is the standard way of defining an email address, it is bound to work in any user-agent and has good usability. If the browser is capable of opening an external email client, then it's all for the better. This requires no additional technologies. Unfortunately, email harvesters find this just way too easy.

Written

    /* Output on screen */
    foo AT bar DOT baz (link: mailto:fooATbarDOTbaz)

There is no magic here, it is very similar to the first method as it also contains the mailto href attribute value. Hence, once the bot recognizes mailto: it can easily grab the remaining email. Parsing AT, DOT, and the spaces and converting it to a valid email format is a piece of cake. However, there can be many variations to this idea. Consider: foo[*at*]bar[*dot*]baz.

Unicode characters

    /* Output on screen */
    foo's email (link: mailto:foo@bar.baz)

Not a bad idea, however again it is similar to the above methods from a bot's perspective. It can just as easily interpret the special character entities &#64;, &#46;
for the @ and the . characters respectively. A minor plus in this case is that the user may be able to use their email client.

Hex values

    <a href="mailto:%66%6f%6f%40%62%61%72%2e%63%6f%6d">foo's email</a>

    /* Output on screen */
    foo's email (link: mailto:%66%6f%6f%40%62%61%72%2e%63%6f%6d)

Alternatively, Hex values can be used to hide an email address temporarily. A script that is after emails written in Hex values perhaps would look at the href="mailto: portion and grab the rest of the href value. A decent method nevertheless.

HTML Comments

    foo<!-- >@. -->@<!-- >@. -->bar<!-- >@. -->.<!-- >@. -->baz

    /* Output on screen */
    foo@bar.baz

The old known HTML comments take a shot even at assisting in hiding emails. A few contributors recommended this solution as effective, by specifically confusing the way comments work. Placing the @, ., and > symbols inside of the comment makes it a little more difficult. Unfortunately, a user-initiated mail client cannot be brought up with this method.

Fake email

    /* Output on screen */
    foo@REMOVETHISbar.baz (link: mailto:foo@REMOVETHISbar.baz)

Although this is written, it contains null values which can be indicated (i.e. on a pre-made subject) to the user that in order to reach the proper email address one must remove the suggested text. This works well against bots because even though they get the email, it is an invalid one, hence you are safe. On the other hand, it's relatively a nuisance, and may cause confusion to the user if the idea is not described well. A variant of this approach would be to use the DEL element:

    /* Output on screen */
    foo@REMOVETHISbar.baz

HTTP Redirect

Write a server-side script to return "mailto:foo@bar.baz" link as an HTTP redirect.
All modern browsers recognise this, but perhaps not many harvester bots do. This can be done with Apache's mod_rewrite, Javascript or server-side scripting. Here is an example in PHP:

1 of 15 12/10/2010 6:00 AM
    /* Output on screen */
    foo's email <http://www.csaven.ca/scripts/articles/email_foo.php>

    /* In email_foo.php file */
    <?php
    header("Location: mailto:foo@bar.baz");
    exit();
    ?>

In this case the user has to follow the link and rely on their mail application to get a hold of the email address. The user has to copy the email address from the application instead of doing it directly from the webpage.

Javascript

    <script type="text/javascript">
    <!--
    var string1 = "foo";
    var string2 = "@";
    var string3 = "bar.baz";
    var string4 = string1 + string2 + string3;
    document.write("<a href=" + "mail" + "to:" + string1 + string2 + string3 + ">" + string4 + "</a>");
    //-->
    </script>

There are numerous ways of doing this in Javascript, however the idea is the same. It allows you to break the email into parts, where it can't be easily parsed from the source. This email method is only visible on screen in browsers which support Javascript and have Javascript execution turned on. Keep in mind that Javascript is not available to many user-agents, and has an accessibility issue (see: reaching the audience part 1 <http://www.csarven.ca/reaching-the-audience-part-1>). Again, even with this method, it is possible to get to the email, but given some creativity it can be well prevented.

Encryption

This technique allows you to give an encrypted email in the source. With Javascript for example, we can decrypt the email. In the end this is quite a safe way of going at it to hide emails, and is troublesome to decrypt. Similar accessibility factors apply here as above.

Obfuscate AJAX

For hiding emails, we can use a neat Sessions and Javascript trick to md5 an identifier for the email which needs to be hidden from source.
In this method a server-side script generates a Session and an md5 value for the email attached to the identifier of an element.

    <span class="_obsf" id="17d8910e9b75ab523e5c3a2fc09c1181"></span>
    <script type="text/javascript" src="obsf.js"></script>

Following this, the browser initiates Javascript onload. This script collects the element(s) with the md5 values as their identifier, and submits a POST request. The complement of this, in other words, the obfuscated value(s) contain the email which needs to be hidden from email harvesters. A Javascript function then fills in the true email once the page has finished loading.

Example: obfuscate ajax email <http://www.csaven.ca/scripts/articles/obfuscate_ajax/obfuscate_ajax.example.php>

For this to work, server-side scripting, Session cookies, and Javascript must exist. However, given the availability of these features, along with the considered audience, it is a good way to hide email addresses by storing the email string temporarily on the server, and then calling the value back with Javascript, which then loads the email. Otherwise, it is on high alert in terms of accessibility.

Notes: Thanks to Arpad Ray for introducing his method as an alternative method to hide emails. Source: Obfuscate AJAX <http://rajeczy.com/arpad/lib/index.php?p=misc/obfuscate_ajax> by Arpad Ray

Images

For this technique, we make a small image file, which contains our email address. Email hunters have nearly no luck obtaining the information in the image, unless all arrows are pointing to this image, with the words "email is in this image, come grab it". Even in that case, it is very difficult to extract the email address as it requires a special harvester that is capable of getting the content (if it's text) from an image file. This is very costly with respect to the resources required for the work just to grab an email from an image file.
Given the vast availability of email addresses on the internet, harvesters can easily ignore this method of obtaining emails, and stick to simpler forms. Even at this stage in our AI development, specific software designed for this has some difficulty in interpreting the information inside images. Consider styling the written word, where it is easy for a human to understand, but it can be very difficult for the computer. Keep in mind that only user-agents that can render the image properly will display the email address, and there is a great accessibility issue here as visually impaired users will not be able to obtain the email address.

CSS pseudo-element :after

    /* the space ends the \40 escape; without it "\40ba" is read as one hex escape */
    p:after { content: "foo\40 bar.baz"; }

    <p>email me: </p>

    /* Output on screen (\40 is the Unicode escape for the @ symbol): */
    email me: foo@bar.baz

Great technique for those browsers that can interpret CSS2's :after pseudo-element. The drawback is that not all user-agents fully support CSS2. As browser technologies progress more browsers will be able to interpret this, however there is always a chunk of users left out, including users with screen readers and text based browsers. This method is also in the same line as using ASCII characters in the HTML source code.

CSS unicode-bidi

    span.codedirection { unicode-bidi:bidi-override; direction: rtl; }
    <p><span class="codedirection">zab.rab@oof</span></p>

    /* Output on screen: */
    email me: foo@bar.baz

The key in this method is to change the direction of text from left-to-right (default) to right-to-left. This method is one of my favourites, since this CSS unicode-bidi algorithm is supported by more browsers. This method will display the email backwards for those user-agents without the CSS features, which could be bothersome to invert.

CSS display be none

    p span.hide { display:none; }

    <p>foo@bar<span class="hide">null</span>.baz</p>

    /* Output on screen: */
    foo@bar.baz

Yet, there is a third method to hide emails using CSS. In this case, we just remove some null text from the body of the email with display none. This property is largely supported.

If the bot script does not parse through the CSS, then the techniques above can be handy to hide email, otherwise the email may face the possibility of getting spam. Although it is not overly difficult to build these scripts, they take a longer time to process the stylesheet data, which may or may not be a worthwhile exercise. Again, the same accessibility issues as the previous CSS technique apply here. Also the good thing with these CSS tricks is that they are visible on screen, and can be selected and copied to the clipboard. The email is textually available to the user, however they can't click on the link in order to open their email client.

Flash

One can also use Flash to hide emails from spammers. In this case we create a flash file that simply loads a browser function getURL() with the mailto scheme. In addition to this, place the following HTML.
    <object type="application/x-shockwave-flash"
            data="media/flash/articles/email.swf"
            codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0">
      <param name="movie" value="media/email.swf">
    </object>

Which gives us:

So, how could an email harvester find the hidden email in this flash file? One way would be to decompile the flash file. Once the source is available, parsing towards mailto and grabbing the email would be the easy part. We have to give consideration to the cost of such a task as it can be quite expensive. Finding, fetching, decompiling, selecting source, and finding the email address for a flash file is a lot of work. For a general sweep on the internet, it is much easier for the email spammers to look into other methods. Therefore, Flash can also be a useful way to hide emails from spiders.

Needless to say, accessibility issues rise up with this method, as not only do certain UAs not support Flash, but there is also the possibility of this component failing to load for any reason. For sites that have a focus market (in regards to Flash being present) then I think this is quite sufficient to hide emails.

Forms

    <form action="emailmessage.php" method="POST">
      <fieldset>
        <legend>Contact information</legend>
        <label for="fullname">Fullname</label>
        <input type="text" name="fullname" value="" id="fullname" size="50" maxlength="50">
        <label for="email">Email</label>
        <input type="text" name="email" value="" id="email" size="30" maxlength="50">
        <label for="message">Message</label>
        <textarea name="message" id="message" rows="5" cols="30"></textarea>
        <input id="submit" type="submit" name="submit" value="Contact me">
      </fieldset>
    </form>

This is a very widely used method since it reveals no email address. Since the email is not in the source, it is not available in the viewport either. Therefore, the user has to contact you by filling out a form, which eventually gets forwarded to your email.
There are some alternative methods to this, where the email is actually accessible if the actioned value is a cgi file and not complex enough. Be careful with this since it technically brings us back to square one. A server-side scripting process for the form values is very safe, and the email spam bots simply pass this source area as it contains no email. A disadvantage for this could be the comment spammers, where they leave their mark on your form, which you might have to put up with later. But that's a different spammer altogether.

The Question!

This method gives you the chance to reveal your email only to human users. Basically, you can have a form that asks the user a simple question.

What is 5 plus 7?

If the user submits a correct answer to the question then you can reveal the email address as simply as in the plain method. The user has to take the few extra seconds to go through this, but email hunters have no luck with this method, since there is no way for them to process the question, let alone know that the close-by text is the gateway for the email. This method can be done with client or server-side scripting. If client-side, all the cases mentioned for the previous methods apply here as well. An alternating set of simple questions would be ideal.

Conclusions

First of all, please note that there are many variations to the above methods and they can be combined to produce an offspring. The CAPTCHA <http://www.captcha.net/> method for instance is a combination of using images and a question to respond in reference to the image that is displayed. Nevertheless, the ideas are generally similar in nature. When using any of these methods, some care is necessary.
For example, in the Javascript method, when putting the values together we may overlook the fact that the variable in which the email is contained is in plain view. This defeats the purpose, since the parser goes through everything in the source.
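An added example, not part of the original article, for the caveat above and for the Encryption method: a simple XOR-and-hex encoding (standing in for the unspecified encryption script) keeps the address out of the source, and findLeaks checks a page's markup for a known address after undoing entity and hex encoding. The key, the data-m attribute, the /contact fallback and all function names are assumptions of this example.

```javascript
// Added example: names, key and attribute are illustrative assumptions.
// The key ships with the page, so this is obfuscation against source
// scanners, not secrecy against a bot that executes the script.
const KEY = "per-site-key"; // constructed value

// Build step: XOR each UTF-16 unit with the repeating key, emit 4 hex digits.
function encodeAddress(address, key = KEY) {
  if (!key) throw new Error("key must not be empty");
  let token = "";
  for (let i = 0; i < address.length; i++) {
    const unit = address.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    token += unit.toString(16).padStart(4, "0");
  }
  return token;
}

// Page step: inverse of encodeAddress; rejects anything that is not a token.
function decodeAddress(token, key = KEY) {
  if (!key) throw new Error("key must not be empty");
  if (!/^(?:[0-9a-f]{4})+$/.test(token)) throw new Error("malformed token");
  let address = "";
  for (let i = 0; i < token.length; i += 4) {
    const unit = parseInt(token.slice(i, i + 4), 16);
    address += String.fromCharCode(unit ^ key.charCodeAt((i / 4) % key.length));
  }
  return address;
}

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Markup for the page: the href points at a contact form (hypothetical
// /contact path) so the link still works without Javascript.
function renderLink(address, label, fallbackHref = "/contact") {
  return `<a href="${escapeHtml(fallbackHref)}" ` +
    `data-m="${encodeAddress(address)}">${escapeHtml(label)}</a>`;
}

// Swap the real target in only when the visitor uses the link.
function activate(link) {
  const token = link.getAttribute("data-m");
  if (!token) return false;
  // The scheme is split so the literal never appears in the shipped script.
  link.setAttribute("href", "mai" + "lto:" + decodeAddress(token));
  return true;
}

// Browser wiring: the capture-phase handler runs before the link is followed.
if (typeof document !== "undefined") {
  document.addEventListener("click", (event) => {
    const link = event.target.closest && event.target.closest("a[data-m]");
    if (link) activate(link);
  }, true);
}

// Build-time check (not shipped to the browser): does this page source
// expose the address once numeric entities and %XX escapes are undone?
function findLeaks(source, address) {
  const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  const decoded = source
    .replace(/&#x([0-9a-f]{1,6});/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d{1,7});/g, (_, dec) => fromCode(parseInt(dec, 10)))
    .replace(/%([0-9a-f]{2})/gi, (_, hex) =>
      String.fromCharCode(parseInt(hex, 16)))
    .toLowerCase();
  const leaks = [];
  if (decoded.includes(address.toLowerCase())) leaks.push("address");
  if (decoded.includes("mailto:")) leaks.push("mailto");
  return leaks;
}
```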
One magical spam script?

Another point which perhaps needs to be reiterated here is that all these methods can be a victim of some clever script, by going through a large set of methods, where they could be decompiled, decrypted, or even run through image analyzers. If such an email harvesting bot exists, no doubt the emails can be stolen. Having said that, the goal in developing such methods is to fight against the resources such scripts are allocated. The complexity of such a script would be too expensive just to grab an email address from a page. Consider the size of the source code and multiply that by the number of sites/pages a bot has to go through in order to have a good number of emails collected. With minimal measures, a greater portion of harvesters can be fooled.

Most of the methods mentioned in this article present a way to hide the emails from the source code. However, using images, and changing the actual email, deal with the visual aspect of the email on screen. Keep in mind that most of the email harvesters are built to scan the source, and to a good degree, they cannot pass the well designed methods. You may ask, what about screen/output email harvesters? Against them, your possible methods are inverted as you need to reshape the visual aspect of your email.

Additionally, considering the methods that heavily depend on the way HTML works, in other words how browsers render them on screen, a spam script can merely mimic this, create a temporary output file, and then parse the remaining result. Possible? Most definitely. Worthy? This question may be more difficult to answer.

Again, thank you for all your suggestions, and please keep them coming in order to achieve a solid comprehensive list of methods to hide email addresses from spam bots. Our goal is to have a diverse set of these methods, and then to select an applicable method.
I will update this article from time to time to reflect anything else we might come up with (see Update date-stamp - a few pending methods will be added as soon as I get some free time. Thank you again for contributing.) All these methods have their pros and cons, and the method you pick is entirely up to your case - always keep your audience in mind.

Tags: email, spam, standards, ux
Author: Sarven Capadisli <http://csarven.ca/#i>
Published: 2005-02-11
Replies: 99
Reader Comments (99)

1. Comment by sprint, replied on 2005-02-11 00:03:20

Flash! If you have access to PHP, you can create a form in Flash and send the email address also from Flash to the PHP script. Otherwise, take a Flash button that contains the mailto: order to open the email client.

2. Comment by trovster <http://www.trovster.com>, replied on 2005-02-11 00:03:21

Personally I use a form and so do a lot of websites I've visited. Although it's nice to send an email in your client, or via your webmail, it's becoming a necessity to use a form to stop spam. And after a while it's no different or more of a hassle. Maybe less than a hassle in fact as you don't have to open a new window/message to send. It's all contained on the current page you're viewing. If you must present an email address, make sure you've set up spam filters on your inbox! I would suggest using a contact form as well as an email address, so the option is there to use either. How you present the email address then would be up to you. I would see if there is a combination of the CSS unicode-bidi and Javascript, so it works when clicked or copied.

3. Comment by guenter <http://www.7media.de>, replied on 2005-02-11 00:03:22

What do you think of this method: HTML source standard: E-Mail (link: mailto:name@address.com)
source encrypted with UniCode: Hyperlink Text (link: mailto:name@address.com) How smart are these grabbers to interpret this? (Online tool for unicode-encryption can be found here, in German: http://www.lerneniminternet.de/htm/tip_spam-email.html)

4. Comment by alex, replied on 2005-02-11 00:03:23

guenter, this is the same method as described in method iii. spammers can easily replace unicode characters with "real" characters.

5. Comment by juergen, replied on 2005-05-12 08:05:56

concerning "vii. Images" and accessibility: it should be enough to only show the "@" as an image - with, of course, a not too obvious name for this image...

6. Comment by Bat, replied on 2005-11-19 16:36:27

Cool Cleveland, a weekly online newsletter in Ohio publishes email addresses thus: nameATdomain.com This is straight text, not a clickable Mailto function. I suppose user agents can be trained to look for this variation.

7. Comment by Bjrn, replied on 2006-01-17 13:14:54

i linked this site on my blog, because i wrote a similar tutorial some days ago that is not as good as this one here. thanks for your good job ;)

8. Comment by Emil Stenström <http://friendlybit.com>, replied on 2006-01-19 18:51:39

Another option is to link to a .php-script that spits out random e-mail addresses. This would probably trigger some kind of protection on harvesters and get your site "banned"... could work :) Nice article, it's good to have everything in one place.

9. Comment by Mathias, replied on 2006-01-31 11:39:28

I once read that all these complex methods, trying to hide from spambots, are mostly not needed. a simple obfuscation like mathias.rem0veth1s@gmail.com (my address) should fool most bots. The reason was that the bots don't need to be very clever considering all "open" addresses out there. It doesn't pay off. Comments?

10. Comment by TAG, replied on 2006-01-31 12:05:20

Using REMOVEthis in username portion of email is lame - as all email validators can validate domain name and this will be valuable information for them. It's much better to use REMOVE this-like portion in domain name. like User@online.mydomain.com

11. Comment by theCreator <http://www.stockalicious.com>, replied on 2006-01-31 12:08:11

Hmm... My favorite is the Image solution

12. Comment by Bob Houser, replied on 2006-01-31 12:08:14

Don't forget to link to some of the better form software out there. I have used this one on my site and it works great: http://ostermiller.org/contactform/

13. Comment by khansen, replied on 2006-01-31 12:37:49

Another suggestion: HEX encoding.

ASCII: me@mydomain.dom (link: mailto:me%40mydomain.dom)
Hex: Email me (link: mailto:%6d%65%40%6d%79%64%6f%6d%61%69%6e%2e%64%6f%6d)

Here is an example of a perl script that will convert ASCII addresses to hex:

    #!/usr/bin/perl
    # Little perl program to convert ascii email addresses to hex
    # to avoid spam harvesting from mailto: tags
    my $addr = shift or die "usage: $0 email\@address.dom\n";
    $addr =~ s/(.)/ sprintf('%%%2x', ord($1)) /ge;
    chomp($addr);
    print "$addr\n";

As documented at: http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg246930.html?OpenDocument Chapter 2, preventing unwanted SPAM. The issue as I see it is to try to confuse the bots while not confusing the humans.

14. Comment by Derek Martin <http://www.derekmartin.ca>, replied on 2006-01-31 12:59:44

On Saturday my blog received over 1000 spam comments, so I decided to do something about it and whipped up some "whitelist" functionality. Email addresses are essentially pseudo-random strings of characters. I do not show email addresses with comments, but each comment has an associated email address. Each comment has an approved (boolean) field. Each comment has a verified (unique) field. When you post a comment, I check to see if there is a previous *approved* comment with that email address. If there is, your comment is immediately & automatically approved to the live site.
If there are no previous approved comments using that email address, you are sent an email asking you to click a link to verify you're an actual human, and not just a bot. When you click that link, it passes the unique verify code & commentId via the GET querystring, and you essentially approve your own comment, thus adding yourself to the whitelist. BUT upon this verification I have the site notify me that someone has verified for the first time. In that email I am shown their comment, and given the option to delete it and remove them from the whitelist to prevent future automatically approved comments. If they used a fake email address, they never get the verification email, and their comment is never seen. Finally, I do send copies of all verified & approved comments to myself, so I don't have to surf my old entries to find them. It's working great so far. If you have any questions, feel free to email me at my first name, via my email-domain, geekunity.com

15. Comment by phreq, replied on 2006-01-31 13:35:38

Anyone ever try the enkoder form from automatic labs? Search for enkoder on your fav se. Not sure how it ranks but seems pretty sweet.

16. Comment by boesman, replied on 2006-01-31 14:06:03

Thanks for a great overview. Off-topic: Avoiding spam is good and well but I've become a lot more casual about it since my ISP implemented the most diabolically elegant and effective anti-spam measure on their mail server. Simply put, they ignore all first smtp connect attempts from unknown ip addresses, and accept the connection if attempted a second time. It relies on the fact that most spam bulk-mailers use a fire-and-forget approach, i.e. ignoring all errors and moving on to the next address (of millions).
My spam fell from dozens per day ... to 1 or 2 a month. More info here: http://www.pair.com/support/knowledge_base/e-mail/junk_e-mail_filtering_overview.html#4 How about an equally comprehensive overview of spam control mechanisms and their true effectiveness?

17. Comment by walkingcrow, replied on 2006-01-31 14:29:42

Great overview, but like the last comment having a good anti-spam email service is recommended. I recommend TUFFMAIL (http://www.tuffmail.com). I get a secure (encrypted transport) service, along with a very effective anti-spam policy which has cut spam out of my life for good (1-3 every couple months). Check it out.

18. Comment by phil, replied on 2006-01-31 14:35:04

I've been using the enkoder. It produces a rather large javascript to scramble the mailto, but what appears on the screen is a plain email address. It displays a line that says "Javascript must be enabled" if java is turned off or not present. So far, so good. Creating the encryption is VERY easy!

19. Comment by Nigel <http://nigelduckworth.com>, replied on 2006-01-31 15:04:32

I have used a JavaScript solution with great success. Basically:

    [a href="http://domain.com/contact/" onclick="this.href='mai' + 'lto:me' + '@' + 'domain.' + 'com';return false;"]contact me[/a]

It's a little more complicated than that but that's the essence of it. The href takes you to a contact form if your browser can't execute the onclick function. Sometimes I concatenate the email string in a script: writeemail(prefix,suffix,domain...) and provide an alternate method in noscript tags: contact[at]domain[dot]com

20. Comment by Magnus, replied on 2006-01-31 15:11:59

Using an image is also great if you also want to reduce the number of emails sent. People are too lazy to type in the address themselves. They rather just copy/paste or click. And the emails you still get are the important ones.

21. Comment by jim <http://www.bargaineering.com/articles/>, replied on 2006-01-31 16:27:33

I'm a fan of using the forms partly because then your reader doesn't even need to load up an email app (though this could be seen as inconsequential).

22. Comment by drdrang <http://www.leancrew.com/all-this/>, replied on 2006-01-31 17:32:38

I've used CGI scripts to hide addresses while still giving visitors the ability to click on a link and open their mail program. The links look like this: email me (http://www.foo.bar/cgi-bin/email.cgi) and the CGI script looks like this

    #!/usr/bin/perl
    print v76.; print v109.; print v110.; print v112.;

where I've used Perl's v-string notation to obscure the address even in the script (which I suspect is overkill). The script prints out Location: mailto:name@place.com with two newlines at the end. This directs the browser to the mailto: link, which in turn opens whatever mail client the browser is configured to use.

23. Comment by Ted, replied on 2006-01-31 18:17:05
I am using encryption in a way that leaves a pseudo address, so the spam harvester wastes their resources on non-existent addresses. I do this by not encrypting the @ or the .com or other top-level domain. If javascript is not enabled then the image method works well, note that PHP is great for dynamically creating images from text if you need to do so.

24. Comment by Richard Barnet <http://richardbarnet.com/blog/>, replied on 2006-01-31 23:52:14

I noticed that you don't have an example of a true encryption scheme (using keys and what not). This script: http://www.jracademy.com/~jtucek/email/download.php has you pick prime number keys, then RSA 10-bit encrypts your email address. Crack that, spambots!

25. Comment by MagDealer, replied on 2006-02-01 06:43:24

My favorite solution is one not described here using normal html comments: foo@bar.baz When displayed on screen it will look like this: foo@bar.baz The comments in the html obscure the formation of the address and I've found that putting the special symbols @, ., and > inside of the comment will make parsing the comment out more difficult.

26. Comment by Sean McManus <http://www.sean.co.uk/index.shtm>, replied on 2006-02-01 11:25:41

The CSS text-reverse trick is stylish but also breaks accessibility guidelines. To be confident the email address is accessible to everyone, you would need to avoid images (except with meaningful alt tags), Javascript and dependence on a stylesheet to make sense. Accessibility guidelines would also rule out most simple CAPTCHAs because they depend on vision or hearing to work.
Although spam is a big problem, we shouldn't allow it to drive us to excluding people using assistive devices. Properly marked-up forms might be the most inclusive way forward.

27. Comment by a person on 2006-02-01 19:22:20

TAG: Calling someone's suggestion lame is unnecessarily inflammatory and doesn't encourage discussion. Consider that getting lists of domain names is easier than web harvesting, so obscuring domains in one's web publishing is quite lacking in effectiveness. Not long after I register new domains I start getting spam to guessed accounts. Fekkers didn't get those addresses via web harvests. If you're talking about domains more technically, meaning subdomains, you could try to keep those obscure since they're not published like registered domains. But I didn't read that as your point. The REMOVETHIS methods are sadly burdensome. The whole having to cope with harvesters thing is sadly burdensome. The whole spam thing is sadly burdensome. Keep in mind that greed hurts everyone. Many thanks to Sarven Capadisli for offering this well-detailed and described summary.

28. Comment by Susan Snipes <http://www.qdigitalstudio.com> on 2006-02-01 21:13:22

I prefer and recommend the php form method for my clients (method xiv). Besides keeping the spam bots away, I think it has many other benefits:
- professional looking
- it doesn't require an email app (great for the MANY web email people)
- can help guide visitors in how to communicate with you (when including other form elements for options/interests)

Thanks also for the reminders about accessibility problems using "images" (method ix).

29.
Comment by Paul Harvey <http://www.paulsjourney.com> on 2006-02-02 08:42:02

I just put this on the last line of my page: "Trying to find my email address? Well, you know my first name, and my domain name... I'm sure you can figure it out. ;)" What do you think of this?

30. Comment by pogdesign <http://www.pogdesign.co.uk> on 2006-02-02 12:36:14

Best way I've found is changing the email address to ascii (even the mailto: bit) and not putting your email addy on screen. So the text reads "click here to contact us" and the mailto: link doesn't look like a mail link until it's parsed by the browser. I use this on a very busy site, and only get a couple of spam mails a week (probably human input). I use one of the text to ascii sites out there. Simple and quick.

31. Comment by bandi on 2006-02-02 16:07:32

I think you should've mentioned the mixture of javascript and written styles: you put in the text written, then transform the pseudo-addresses into real addresses with mailto: links

32. Comment by dave buster on 2006-02-02 17:12:55

I'm surprised the article didn't mention khansen's (above) HEX technique. I've used it to great success.
33. Comment by JC on 2006-02-02 18:52:04

Why go through all this when you can just write your email like this foo[at]bar.baz replacing @ with [at] and no link.

34. Comment by Lady_Trucker on 2006-02-02 21:02:05

I love what Derek Marin wrote! Great idea!

35. Comment by Chad Cloman <http://www.cloman.com/chad/> on 2006-02-03 06:08:29

I like the method at this link <http://jodrell.net/projects/mailto>. It's a PHP script that outputs a javascript script which uses the eval() command to interpret some escaped (javascript unicode?) characters. The resulting HTML is quite cryptic.

36. Comment by bernd on 2006-02-03 07:48:04

Why bother at all? First of all: Every technique used might hurt customers, since there is no guarantee that they can use the mailto: link afterwards without problems. Second: Spamfilters are quite good now. So deal with it on your side, not on your customers' side.

37. Comment by jacob harvey <http://recently.rainweb.net> on 2006-02-03 09:30:54

I like Derek's method for handling comment spam, that's similar to what I do besides the authentication email. Mostly I've found that my method only really allows manual entries of spam, and then with the email I receive I can delete that comment with a couple clicks. And that spam blocking boesman mentioned is pretty nifty. Form is probably the most effective, accessible method. I've used the enkoder and it worked fine so far. But what I usually use on my site is a javascript function.
Instead of giving the bot all the information in one place, I pass some basic info to the function which assembles everything when clicked. Perhaps I should extend this to "normally" use the function, but without javascript a click would load up a form to send an email... Thanks for the article. :)

38. Comment by sisco on 2006-02-03 17:37:05

I use this hex encoder which encodes the entire html code for the mailto tag. Never had any spam problems. http://automaticlabs.com/products/enkoderform

39. Comment by Brooklyn on 2006-02-04 12:56:18

I've used this free service which provides a few solutions. http://w2.syronex.com/jmr/safemailto/

40. Comment by Tim McCormack <http://www.brainonfire.net/> on 2006-02-06 14:58:17

I use the encoded-@ method and it works beautifully. Here's why: Spamming is a bulk market. If my bot spends twice as long looking for those few @-encoded addresses or other variants, I'll get less addresses overall. And that hurts my business. Frankly, there are so many completely unhidden email addresses out there, they may never need to rewrite their bots. All they'd catch for their trouble is a couple of savvier web users, who are in fact less likely to respond to the spam anyway.

41. Comment by a hack on 2006-02-08 00:42:29

Some of these are very creative. But personally, I don't think it matters how you try to scramble the address, if it's interpretable, it can be scraped programmatically. In fact, these are now available to anyone who wants to write the program to beat any of these methods. Bottom line. Use a form.
Yes it has drawbacks of possibly not getting the user's correct reply address. However, they offer security from spam, feedback, a minimum of standardized input to make it easier for you to recognize where the email originated from and more.

42. Comment by Johan on 2006-02-08 12:30:56

I think the automated labs enkoder is really a superb e-mail enkoder! Only you can easily comment *what a large JS is produced here* But you can put in a enkoder.js and just put the functionName(); in script tags where the e-mail needs to appear in the HTML

43. Comment by Moayad Mardini <http://ptips.wordpress.com> on 2006-02-09 05:02:46

Wow!, that's great, I wrote about this article in my blog :)

44. Comment by Amit <http://amitdeshpande.com> on 2006-02-09 06:14:11
I use this http://www.jracademy.com/~jtucek/email/ It's amazing.

45. Comment by Matt on 2006-02-09 22:47:29

How many bots are still in use? Is it not just as easy for spammers to assume E-Mail addresses exist, i.e. fred{at}domain.com: a spammer can see bar.baz as a domain so just adds fred, mary, ringo, foo etc at the beginning. I use spamcop.net and after 10,000+ spams have had maybe 10 or so that should not have been filtered. I think the ability of anyone to create E-Mail addresses is what needs changing. Just like we need to apply for a phone number we should have a system for handing out E-Mail addresses that stay with you for life regardless of your IP host. Accountability would be a step forward.

46. Comment by Richard on 2006-02-10 12:57:16

I get tons of spam, but none to the address I have on my website. All I do is, I give the address as text [not linkable]. I've been doing this for years, with not one piece of spam yet (to that address). Is this not a simpler method than those described in Sarven's excellent article?

47. Comment by yayo <http://trashy.sourceforge.net/index.php> on 2006-02-22 10:38:38

Nice page. If you take a look at my website (page http://trashy.sourceforge.net/faq.php#howtocontactauthor ) you will see another interesting way I found to show an email address using only an html table. (I'm referring to the 1st one displayed.) bye. yayo

48. Comment by a visitor on 2006-03-03 00:48:57

If you have enough budget, go for an e-Mail Forwarding service that has a capability of filtering those SPAM harvesters.
Create a FORM that sends all requests/feedbacks to that address. They shall get forwarded to your MailBox. Don't forget to get a good ISP that filters SPAMS too. So you get double filterings. Or else, combine HTML+CSS+JavaScript+[Server Side Scripting]. They're all available on this article. No thing is a "Perfect-10". If no CSS, you got JavaScript and/or Server Side Scripting and vice-versa.

49. Comment by Stephen Clay <http://mrclay.org/> on 2006-03-09 10:18:36

Fake email + timed Javascript. Without JS (or if the browser fails), the user gets a real mailto: link but to user@example.REMOVE_ME.com. Upon page load, the script waits several ms then alters the href to point to the real address. this method without timer <http://www.tonevendor.com/contact>, slightly altered method with timer ("e-mail" link) <http://mrclay.org/> and source <http://mrclay.org/js/email.js>.

50. Comment by Frontier <http://www.circusoc.com> on 2006-04-20 19:24:35

On my page I use the simple rot13 javascript encryption from http://scott.yang.id.au/2003/06/obfuscate-email-address-with-javascript-rot13/ and it seems really good. But I wasn't happy that people without javascript couldn't read it at all. Like those with screen readers or lynx. So here's my solution: have the [script language="JavaScript"] elements around the javascript code. Rot13.write(rot13'd email address with mailto); Then put [noscript] elements around a link free readable obfuscation like: mail to: foobar At this domain This makes it so that if javascript is enabled, you only see a working link, but if it's not, you get enough info to figure it out. This seems to me like a good way to do it because it complies well enough to w3m and is transparent for people with modern browsers.
For the [noscript] bit, use the most bloated human-readable email hider in the world <http://mardeg.sitesled.com> to generate a random-text logo of the email address, which uses inline CSS to shrink it down to resemble normal text. This will still be visible even with javascript and images turned off.

51. Comment by Eric on 2006-05-10 15:56:21

You can combine the encoding method and the JavaScript method for a mask that's virtually unbreakable:

    function email() {
      if (!document.getElementsByTagName) return;
      var anchors = document.getElementsByTagName("a");
      for (var i = 0; i < anchors.length; i++) {
        var anchor = anchors[i];
        if (anchor.getAttribute("href") && anchor.getAttribute("rel") == "email") {
          // percent-encoded "your" + "@" + "email"
          anchor.href = "mail" + "to:" + "%79%6F%75%72" + "%40" + "%65%6D%61%69%6C";
        }
      }
    }

Add this function to an external JavaScript file, include it with your HTML document, and put onload="email();" in the body tag. Now write all your contact links like this: <a href="contact.html" rel="email">. If the user has JavaScript, they will see a mailto: link. If they don't, they will see a link to your contact page. This is XHTML-compliant.

52. Comment by Trevkin on 2006-05-23 10:30:27

Though a laudable effort I fear this is all a little pointless. This has probably been mentioned but if you are using your own domain in a business context, the spammers will just throw random commonly used prefixes at it anyway. E.g. if my site were www.spannermonkeys.com then any spammer worth his salt will try sales@spannermonkeys.com support@spannermonkeys.com
etc even to the point of harvesting common names from the about us section of the site and using them as prefixes too. Think I have depressed myself now, boo.

53. Comment by Paul <http://www.hide-email-script.com/> on 2006-06-13 18:18:30

Well I've been using a js script to obfuscate my email for years and they work! Personally I think that the really complex ones that encrypt your email aren't all that useful since even the simple ones require a human to figure out the logic behind them and anytime a human is involved all they need to do is click the link to see what email pops up in the email client. Anyway, I created my own, free email cloaking script <http://www.hide-email-script.com/> for folks to check out. BTW, I often separate my email addresses by a dot, eg: my.name@mydomain.com. The extra dot also throws off the spam trollers and makes it harder for the auto-generators to guess your prefix.

54. Comment by noone <http://lightwavers.net> on 2006-06-21 09:59:21

I use my little obfuscate php. Works nice so far, but not bulletproof: http://lightwavers.net/mail.php

55. Comment by Tobias on 2006-07-30 12:19:39

Something I have found is to enter the mailto link at tinyurl.com. Then, I simply link to the tiny URL, which redirects to the email address. Works great, and is SO easy.

56.
Comment by Justin Halsall <http://juice10.com/blog/> on 2006-11-25 02:31:14

This is a method that fixes the inaccessibility problems of: <http://juice10.com/blog/articles/2006/11/13/semantic-spam-proof-email-display> p span.displaynone { display:none; } foo@barnull.baz

57. Comment by jule_ on 2006-11-27 09:32:59

Nice article, thanks a lot! Another method to display your email-address without harvesters being able to recognize it is CSSfont: http://www.cssplay.co.uk/menu/cssfont.html

58. Comment by Mischa on 2006-11-29 04:09:31

I like Tobias' TinyURL Solution. Are there any disadvantages? Isn't it supposable likely that email-spiders follow all the links in a page with the goal to find new addresses at the target pages? If that was so they would grab the "tinyurled" email address, isn't it?

59. Comment by somebody on 2006-12-13 04:31:10

Another tactic is using .htaccess to password-protect the webpage containing the e-mail address. How this works: Your website has a page to the e-mail address. You tell your visitors that when they enter the page, they have to type a password. Once they typed the correct password, they can see your e-mail. How many automatic e-mail harvesters would be smart against that?

60. Comment by Johari on 2006-12-26 20:24:16

I use the form (with no email address) quite a bit, as in most of my situations a customer benefits greatly from being directed by the right questions, as opposed to an open, free-for-all email.
However, I do make sure to send them a copy of the email when they submit it, with a reply-to address. This opened the possibility of harvesters being able to collect my reply-to address so I added an extra, hidden field into the form that must be left blank for the email to be considered legitimate. Most harvesters that fill out forms automatically will fill in every field. Seems to work well.

61. Comment by Hans on 2007-01-12 07:00:02

Hello, which e-mail address is "relevant" for spam bots? Is it the link (mailto:xy@example.com) or the text - or both?

62. Comment by Joe on 2007-02-06 05:10:36

Forms seem popular, however aren't there similar problems with those - trying to find accessible captchas?

63. Comment by Pete Victor on 2007-02-09 09:02:42

I think a good approach is to offer the user both form- and link-based contact options. There are good security advantages to forms, but when I'm the user, I like to have my message in my Sent box and to actually know the address I'm sending to.

64. Comment by Holly Wild on 2007-02-20 14:10:40

Is there any script in the frontpage form format that I can use to stop hacksters who have harvested our e-mails? We get so much spam. Does this in any way affect real mail we should be receiving?
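The hidden must-stay-blank field from Johari's comment (60) above, sketched as a server-side check. This is an added example, not code from the article or from any commenter; the field names (website, email, message) and the markup are assumptions.

```javascript
// Added example: honeypot check for a contact form.
// All field names here are assumptions made for the illustration.
const HONEYPOT_FIELD = "website";

// Markup side (constructed). The decoy input is hidden from sighted users and
// from assistive technology, skipped by keyboard navigation, and excluded
// from browser autofill so that real visitors never fill it by accident.
const FORM_HTML = `
<form action="/contact" method="post">
  <label>Your e-mail <input name="email" type="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div style="display:none" aria-hidden="true">
    <label>Leave this field empty
      <input name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>`;

// Deliberately small syntactic check. The submitter's address ends up in a
// header of the confirmation copy, so whitespace (including CR/LF) and list
// separators are refused outright.
const ADDRESS_RE = /^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/;

// rawBody is the application/x-www-form-urlencoded request body.
// Returns { accept, reason } and, when accepted, the cleaned fields.
function checkSubmission(rawBody) {
  const fields = new URLSearchParams(rawBody);

  // A browser that rendered the form sends the hidden input with an empty
  // value. A missing field means the request was not built from this form.
  const trap = fields.get(HONEYPOT_FIELD);
  if (trap === null) return { accept: false, reason: "honeypot-missing" };
  if (trap.trim() !== "") return { accept: false, reason: "honeypot-filled" };

  const email = (fields.get("email") || "").trim();
  if (/[\r\n]/.test(fields.get("email") || "") || !ADDRESS_RE.test(email)) {
    return { accept: false, reason: "bad-address" };
  }

  const message = (fields.get("message") || "").trim();
  if (message === "") return { accept: false, reason: "empty-message" };

  return { accept: true, reason: "ok", email, message };
}

// Constructed request bodies: a visitor, and a client that filled every field.
console.log(checkSubmission("email=ann%40example.org&message=Hello+there&website="));
console.log(checkSubmission("email=bot%40example.org&message=Buy+now&website=http%3A%2F%2Fspam.example"));
```

Rejected submissions are best answered with the same page a successful one gets, so the sender learns nothing about which field gave it away.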
65. Comment by Kevin on 2007-02-20 16:30:33

Great article, I found this site that obscures your email address using CAPTCHA. http://www.emailcover.com

66. Comment by Lee Newberg on 2007-03-07 07:54:18

How about using form technology as follows?:

    <form action="http://address.com/getEmail.cgi" method="post">
      <input type="submit" value="Get E-mail Address"/>
      <input type="hidden" name="name" value="myname"/>
    </form>

The cgi script returns a page with the e-mail address plain as day. Perhaps spambots aren't daring enough to submit forms. This is exceedingly old technology (no Javascript, php, etc.) and should be accessible to darn near everyone.

67. Comment by Nicolas on 2007-06-01 01:15:17

A long long time ago, when I started using the internet, spam didn't exist. I decided to buy my own domain name. Then I got spam, but it was too late to hide. My address is everywhere, and I would have to change it, with all the trouble that would cause me. So I'm keeping it, and I don't mind putting it in clear everywhere. I have a spam *fighting* system doing a very good job. Ah, I also leave randomly-generated addresses in the source code of my pages, to collect spam for my spam fighting system :) It is working pretty well!

68. Comment by Wojciech Bednarski <http://wojciechbednarski.com> on 2007-08-04 21:19:57

Interesting idea is changing a part of email address every year, and put it in a code normally as plain text.
For example for this year: 2007foo@bar.baz About “CSS unicode-bidi”; it is funny, because when you mark and copy email address you get reversed text. Exactly like in the code :-)

69. Comment by John Ortt on 2007-08-15 10:34:49

One other possibility is to use a short term address which changes regularly, i.e. june07@mydomain.com and simply reply to all legitimate contacts telling them to use your real address in future. Then you delete the e-mail forward in July.

70. Comment by Mekett on 2007-09-23 02:55:17

Note: my Opera 9.23 doesn't handle mailto redirects :( And it doesn't display the content I send after the redirect header. (For example an anchor tag with the email address.) So I need to watch the USER AGENT string...

71. Comment by Andrej Upits on 2007-09-24 14:57:38

Here is a technique I ran into recently http://www.explainth.at/en/tricks/cheatmail.shtml

72. Comment by Carlo <http://perassi.org/> on 2007-09-27 02:15:57

I put here (An accessible email cloaking technique <http://perassi.org/2007/09/24/an-accessible-email-cloaking-technique/>) a script that mixes two techniques you described.

73. Comment by Lordleiter <http://www.lordleiter.com> on 2007-10-31 13:51:12

I notice that you didn't list the mod_rewrite solution. I found this the other day and it blew my mind - http://www.spamshiv.com/solutions/mod-rewrite.php. This solution uses Apache's mod_rewrite to write out mailto link like a plain URL. It's totally awesome.

74.
Comment by Evan <http://www.waetzman.com> on 2007-11-12 09:16:25

Here's a little ditty I put together:

    <script>
    function protect(name, address, display){
      var link = name + "@" + address
      if(!display) { display = link; }
      document.write("<a href=mailto:" + link + ">" + display + "</a>");
    }
    </script>

Then, in the body copy, use this script in lieu of a "mailto" call:

    <script>protect("evan", "waetzman", "email me");</script>
This writes the code in the DOM & the front end user can't see a difference (looks like a regular email link). The spiders don't see anything. The 3rd line in the script makes the "display" optional. If you don't put something in there, it'll default to the email address. This has been cross browser/cross platform tested. Hope this helps - Evan

75. Comment by David on 2007-12-23 09:52:06

Evan, I like your method but the end of the email address (.com, .org, etc.) seems to be missing from your code? Though it can be easily added I think. I suppose you could also add a subject line "tag" as well. Also, there's no need to designate what type of script is being used, like javascript? Best, David

76. Comment by Darren <http://headfirstproductions.ca> on 2007-12-28 12:20:09

If you're using php you can use the Ming library => http://ca3.php.net/ming to create flash. I believe that php5 here comes with it packaged in => http://www.entropy.ch/software/macosx/php/. You could create a simple button and text to create the mailto link. They have a simple example at the bottom of that page at the php.net site link above.

77. Comment by Justin Zajac on 2008-01-24 17:38:05

Great article, thanks! ...just a word of caution: The HTTP Redirect method does not work in Safari 3, because it won't parse a Location header that contains ":" Instead, you'll get the following error in safari: Safari can’t open the page “http://www.yoursite.com/emailto.php” because it cannot redirect to locations starting with “http:”.

78.
Comment by Graham Cameron on 2008-01-31 10:35:46

Look at the source code of this page below. A multi-pronged approach that would appear truly bullet-proof to bots: http://itelegram.com/telegram/contact.asp Look at the source code, and notice the results of a cut and paste on the email address.

79. Comment by Justin Zajac on 2008-02-04 15:58:46

There's also a gotcha with the Hex encoding method. Google converts the hex back to the original text when it indexes your site, so the naked email address will appear in both the google listing for your page, and the google cache of your page.

80. Comment by Peter on 2008-02-04 16:33:52

thanks for all the hints and tricks... great to have all in one spot, much appreciated! me and my friends have been using 3 different scripts apart from a contact form with "captcha" with great result... my personal favorite is "Email Protector" linked over to contact form for those who don't have javascript enabled...
Email Protector by Jim (RSA encryption 10 bit) http://www.jracademy.com/~jtucek/email/download.php
The Enkoder by Dan http://hivelogic.com/enkoder/form
Email Address Munger - Email Address Encoder http://www.addressmunger.com/ http://www.addressmunger.com/contact_form_generator/
// Sweden

81. Comment by Tuemmel on 2008-03-10 17:34:28

Hi there, I didn't know there're so many ways to protect email addresses on the web. http://www.fincy.com/spameater However, using the javascript version above, I've written a prog that converts the email address into ascii-code. For better protection the email address and the ascii-letters in a letter-array are also split and mixed up with some randoms.
This might sound complicated, but it's not since there's a form available that generates all encrypted htm(l)-files, pictures of your email address and an external javascript file automatically. All you have to do is to choose the picture style and throw your page into the program. After encrypting you'll receive the encoded files to download. So that's also for ppl who are not so qualified in programming. Hope it will help someone. Cheers Tümmel

82. Comment by Namdnal Siroj on 2008-05-12 18:31:44

I think that once your website is visible enough to spammers, they will just spam you at info@, mail@, etcetera. Hiding the email address is mostly about hiding the domain name, and they already know the domain -> they're visiting it.

IDEA -> use a form where people fill in their email address to get your address. An automatically generated email could be sent to them. Another automatic email could be sent to you. That way you know who has your email address. This might be slightly user unfriendly but can be good for some situations.

IDEA -> Use a catch-all email address to receive email. Use the viewer's IP address for the email address that they are given on your website. i.e. This could be useful to keep track of who is emailing you. When the email is real, you give them your genuine address. When the email is spam, you have their IP. This is probably not completely spam-proof, but maybe there are other ways to use email addresses based on user-info, to track who is emailing you and get info about the spammer.

UNSPAM -> An initiative of unspam.com to forbid compliant robots from harvesting email addresses. Usage: <meta name="no-email-collection" value="[link to your terms]"> Replace the [link to your terms] with a link to your terms of use page. Alternatively you may include a link to www.unspam.com/noemailcollection I don't know how well the unspam idea really works, but I like it and it might scare off some parties.

83. Comment by Tony - AQK <http://www.tonyking.tk> on 2008-05-14 21:27:36

Yeah, I've investigated most of these methods. The Flash methods seem worthy, but much to my horror, I recently found one of my Flash embedded-text on Google! Google had actually disassembled the swf and put the legible stuff online. If they can do it, so can a malevolent spam-spider.
Temporary measure: One way, perhaps, is to put the email-id in pieces in a text file, and have the swf load it and re-assemble it at object-time. This is what I am developing now. ANYTHING to avoid captchas! ;-) But I'm sure eventually a nasty email-harvester would figure their way thru this. If they haven't already... Thanx fer some great ideas.. too bad I already thought of most of them.. ;-)

84. Comment by Ron on 2008-05-23 17:27:37

Anyone like to comment on this one? http://www.jottings.com/obfuscator.htm

85. Comment by Joe on 2008-05-28 08:38:27

All the "spammers" have to do is read a few webpages like this one and come up with numerous ways with simple perl scripts to find real mailto tags or addresses with html comments or just plain text with @ changed to "at" or "[at]". How can anyone trust some other site to not sell the email addresses? php scripts etc seem complicated for casual bloggers etc... I think an image with no mailto link is about the only way that seems reasonable from what I've read here.

86. Comment by Mike <http://www.percocomarble.com> on 2008-06-25 12:48:16

Something not mentioned here is that document.write() function of javascript does not work with XML or XHTML (served as application/xhtml+xml). There used to be a hosted cgi script that worked pretty good, but I don't remember what happened to the host (and the source was never disclosed for the obvious reasons). That really is the best thing. Come up with your own solution and DO NOT tell anyone what it is! Then the likelihood of it being negated by spam bots is GREATLY reduced!

87.
Comment by Michal on 2008-06-30 04:48:14

Thanks for huge list of hints, however, I think those who are afraid readers of their pages are too lazy to read their address coded in form of an image and write it into mail client need to invest in a good spam filter and use a script-based "encryption" (if they can survive customers without script allowed will not read it). For those who expect e-mails from people who consciously decided to write having a good reason for that, for those (including me) showing address in form of an image without "mailto:" ref is not a problem. At the same time it is definitely problem for bots.

88. Comment by no spammer on 2008-08-07 18:39:48

What about this one? http://www.maurits.vdschee.nl/php_hide_email/

89. Comment by William White <http://www.willswebworks.com/blog/> on 2008-08-08 02:08:08

I really like this study - it was extremely informative. I would have liked to see more data about email addresses in the form of images. I’ve just developed a new technique to have Apache webserver automatically convert all email addresses in HTML source into images in the output stream. It is all seamless and on-the-fly, and all without touching the source format in any way. I’ve written a proof-of-concept /w example <http://www.willswebworks.com/blog/2008/08/convert-email-addresses-in-source-html-to-images-without-modifying-the-source/> on my blog.

90. Comment by Marc Arbour on 2008-08-08 18:39:59
Here is another tool to encrypt your email address. http://www.securedhostingonly.com/knowledge/protect_your_email_address.php It goes along EXACTLY what examples are being given here. I like this website since it's a mere fill-copy-paste to my protected email address on my web page. Regards Marc

91. Comment by Tim replied <http://www.csaven.ca/#content> on #2008-08-16 09:16:45 <http://www.csaven.ca/#comment_20080816091645>
Hi, I am using http://www.mobilefish.com/services/hideemail/hideemail.php to protect my email address against spam bots. This site also contains other useful tools.

92. Comment by Patric replied <http://www.csaven.ca/#content> on #2008-12-15 18:26:25 <http://www.csaven.ca/#comment_20081215182625>
I think the best way is to output your email address as usual, along with a few fake ones that are hidden from human visitors (i.e. only visible in the source code). Add zxy0spam@yoursite.com and qwerty.asdf@yoursite.com and automatically flag any mail to any of these two addresses as fake. Then, when you are checking your email, the software needs to check these two accounts first to harvest spam, and then download emails from your real address - excluding the ones that previously have been marked as spam. The only problem might be to find this kind of software :D

93. Comment by David replied <http://www.csaven.ca/#content> on #2009-01-15 05:58:00 <http://www.csaven.ca/#comment_20090115055800>
The question I ask myself is, why would spammers waste resources trying to decrypt even the most basic of these methods? The kind of people who would go to the small trouble of even the most basic methods are surely smart enough to not open any spam let alone buy something or pay anyone money.

94.
Comment by Boris <http://www.visarts.de> replied <http://www.csaven.ca/#content> on #2009-05-17 09:14:14 <http://www.csaven.ca/#comment_20090517091414>
Is there some solution for encrypting emails in flash? Some actionscript encrypter? Approach for flash movies mentioned in this article is quite inefficient! Google is able to grab any text data containing in swf incl emails. So don't be surprised about seeing your email address on google... And spam bots use google to obtain email-addresses!! Please let me know if you know any solution for that problem.

95. Comment by Man And Cat replied <http://www.csaven.ca/#content> on #2009-08-10 17:56:48 <http://www.csaven.ca/#comment_20090810175648>
Hello! I'm using my own template class which has a function to split the e-mail into smaller strings, then joins them back using HTML comments between them. The dummy address test.address@some.email.server.net would look like this: test.address@some.email.server.net The more dots are in the address, the larger the text it is. It also generates an anchor HTML element:
<a href="" onclick="window.location='ma'+'il'+'to:' + this.innerHTML.replace(/<!(?:--[\s\S]*?--\s*)?>\s*/g, ''); return false;">the obfuscated e-mail addres
The browser displays the address correctly, and the link works. I've tested it on IE7, FF2, Chrome and Netscape. This also enables the user's email client. I wonder if the bots are smart enough to extract the ReX from the JavaScript replace function in order to get the correct email address.

96. Comment by Scopulus <http://www.scopulus.co.uk> replied <http://www.csaven.ca/#content> on #2009-08-13 11:01:59 <http://www.csaven.ca/#comment_20090813110159>
The only problem is that once your email is out there it's out there. Plus some directories list your email address. If you combine two or more of the suggestions in this article then you should minimise your email spreading further. We have used @ for @ and a redirect php.
I have checked and most of all the big firms do not try any of these methods. I think the reason is they want people to contact them and they are prepared to deal with the spam as all businesses have to deal with the problem at some level. Either that or the alpha geek is overpaid.

97. Comment by Daniel replied <http://www.csaven.ca/#content> on #2009-10-30 11:55:23 <http://www.csaven.ca/#comment_20091030115523>
I'm using the reCAPTCHA mailhide http://mailhide.recaptcha.net/

98. Comment by Chris replied <http://www.csaven.ca/#content> on #2010-01-06 00:36:33 <http://www.csaven.ca/#comment_20100106003633>
Why not combine a couple? How about having an image that people can read as an email address, coupled with a javascript that pieces together the email address?

99. Comment by vuduu replied <http://www.csaven.ca/#content> on #2010-01-22 07:39:38 <http://www.csaven.ca/#comment_20100122073938>
I found another clever way in www.firmasec.com website,
explode from "@" and "." for 3 or 4 pieces.
replace "@" to "@picture"
replace texts with php "strrev" function
display replaced texts with css+xhtml unicode-bidi:bidi-override;direction:rtl;
also a few times I see null spans and images between exploded texts and image

Comments are currently closed for this article.

Sarven Capadisli <http://csarven.ca/> csarven info@csarven.ca Montréal QC CA
License <http://creativecommons.org/licenses/by-sa/3.0/>
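The markup tricks from comments 95 (pieces joined by HTML comments) and 99 (reversed text flipped back by CSS, with an image for "@"), as an added example that is not code from the article or from either commenter. The function names, the /img/at.png path and renderedText(), a simplified stand-in for what a browser displays, are assumptions made for illustration.

```javascript
// Added example. Names and the image path are assumptions, not from the thread.
const BIDI_STYLE = "unicode-bidi:bidi-override;direction:rtl;";

const escapeHtml = (s) =>
  s.replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));

// "foo@bar.baz" -> ["foo", "@", "bar", ".", "baz"] (separators kept as pieces)
function explode(address) {
  if (!/^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$/.test(address)) {
    throw new Error("expected a single address of the form local@domain.tld");
  }
  return address.split(/([@.])/).filter((piece) => piece !== "");
}

// Comment 99: reverse the piece order and the characters inside each piece,
// swap "@" for an image, put empty spans between pieces, let CSS flip it back.
function obfuscateReversed(address, atImage = "/img/at.png") {
  const pieces = explode(address).reverse().map((piece) =>
    piece === "@"
      ? `<img src="${escapeHtml(atImage)}" alt="">`
      : escapeHtml([...piece].reverse().join("")));
  return `<span style="${BIDI_STYLE}">${pieces.join("<span></span>")}</span>`;
}

// Comment 95: keep reading order but separate the pieces with HTML comments.
function obfuscateWithComments(address) {
  return explode(address).map(escapeHtml).join("<!-- -->");
}

// Model of what a reader sees: drop comments and tags, count the image as "@",
// decode entities, and undo the reversal when the bidi override is present.
function renderedText(html) {
  const text = html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<img\b[^>]*>/g, "@")
    .replace(/<[^>]+>/g, "")
    .replace(/&(amp|lt|gt|quot);/g, (_, n) => ({ amp: "&", lt: "<", gt: ">", quot: '"' }[n]));
  return html.includes(BIDI_STYLE) ? [...text].reverse().join("") : text;
}

// True when the raw page source still contains the address verbatim.
const leaksPlainAddress = (html, address) => html.includes(address);
```

Text selected and copied from the reversed variant comes out in stored (reversed) order, and neither variant produces a working mailto link on its own.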