prodier

Prevent Spammers from Harvesting your Email

Hello,

I was wondering if there was a way to prevent spammers from harvesting your email off your homepage. Several suggestions have been given to me by peers:

1. Make your email address a .gif .
2. Make the "@" symbol a character like &#64;
3. Use Javascript to create the email address using document.write

Which of these solutions are the best? Is there another solution that is better that I have not stated?

Thanks in advance.
Timbo87

A picture of the e-mail address would be the safest measure. Obviously make sure not to link it to a mailto: though or that would defeat the purpose.
seanpowell

1. The gif is the most effective, but least user-friendly (what else is new)

2. ASCII encoding no longer works very well - most of the harvesters can bypass it.
3. Same goes for js - most of them now read the script and process it.

The other options are just playing with text and positioning to get text to appear properly once translated - but they all have their drawbacks. Creating an image (since you're not changing your email every day) is still the only 100% foolproof method.
prodier

ASKER

Thanks for the advice guys.

So to clarify, doing something like this:

<a href="mailto:me@coolguy.com"><img src="myemail.gif"></a>

is "still the only 100% foolproof method" ? I thought crawlers could parse HTML and still read the "mailto:"

Am I wrong? or do you mean I should use the image in another way?

Thanks a lot for your help.
Yes, another way.

mailto:me@coolguy.com is just as harvestable as writing it out.

In terms of 100% foolproof, it's this:

<p><img src="myemail.gif"></p>

Not user friendly - but rock solid :-)
Just to qualify here:

>>I was wondering if there was a way to prevent spammers from harvesting your email

The image is the only way to "prevent" it.

The other methods will only confuse the older cheaper harvesters. The newer ones will bypass them.
I would go with the image if I were you, but another reasonable method would be:

**********************
<table width="1" height="1" border="0" cellpadding="0" cellspacing="1">
  <tr>
      <td>user</td>
      <td>@</td>
      <td>email</td>
      <td>.com</td>
  </tr>
</table>
**********************


And this would be a clickable one:
**********************
<table width="1" height="1" border="0" cellpadding="0" cellspacing="0">
  <tr>
      <td><a href="#" onClick="MyLink()">user </a></td>
      <td><a href="#" onClick="MyLink()">@</a></td>
      <td><a href="#" onClick="MyLink()">email</a></td>
      <td><a href="#" onClick="MyLink()">.com</a></td>
  </tr>
</table>
<script language="JavaScript">
<!--
function MyLink()
{
window.open("mail" + "to:user" + "@" + "email.com");
}
//-->
</script>
**********************

Although I'm not sure if a common spider would see the table and understand the breakage.
most spammers (some manually look for email addresses) others use scripts. if they're looking manually - obviously the image will NOT work.

your SAFEST bet is to use a php, cgi or asp formmail where you DON'T put your email address in your html source code, but ONLY in the actual script.

it is IMPOSSIBLE for them to steal your email address this way, because it's "executed" and you can't view the source on a past-tense page.
ASKER CERTIFIED SOLUTION
jkna_gunn

I use something similar to jkna_gunn.  It can be found at http://www.artatoo.com/scripts/email_antileech.shtml 

On all the sites that I have used it on, no leeching of my e-mail addresses.

-Corey
You should turn the tables on spammers and use their text obfuscation techniques against them.

M<hvbZ/>y em<gg5>ail</gg5> is: Sh<jj65/>alomC&#64;ex<g@6>pert</g@6>sex<v$/>change<dot!>.</dot><CCom>com</CCom>

ShalomC
contact forms :)

use a simple PHP form to process like:  www.kztech.net/contactus.php
the email is never seen yet it is easy for a user to contact you.

also you can try combos of methods, maybe javascript/obfuscation/ASCII in combination would throw them?

-kohashi
and images work well -- www.whois.sc has begun using them to make it difficult for spammers to harvest their site.

-kohashi
This is a nifty trick that is not only a great way to stop e-mail harvesters, but it is VERY user friendly:

http://www.tacitintuition.com/spamkiller.html


Only problem is it doesn't work in all browsers (well just Opera 7) ... but it has a fail-safe solution for IE and Mozilla. So check it out!
Another solution that has worked for me is to encode the email address in Unicode.  Seems most spam harvesters do not know how to read Unicode.  (This will not work forever of course - spam is an arms race.)

Here is a page that does the conversion for you.  Just paste the result in for the email address.

http://fantomaster.com/fantomasSuite/mailShield/famshieldsv-e.cgi
(Footnote: I personally don't like to use images because you have to regenerate them every time you change a font, an email address, etc.  Also if a user has his browser configured for large fonts, the image won't scale in the same way as the text.  There is definitely a tradeoff between best usability and good spam reduction [Unicode] and total spam annihilation [image].)
Also worth noting that an image-only solution is an accessibility problem.  Use of an alt tag would defeat the purpose.
Just to clarify the Unicode thing a bit more:

<a href="mailto:foo@bar.com">foo@bar.com</a>

becomes

<a href="&#109;&#097;&#105;&#108;&#116;&#111;&#058;&#102;&#111;&#111;&#064;&#098;&#097;&#114;
~~~Linebreak inserted by The--Captain for obvious reasons~~~
&#046;&#099;&#111;&#109;">&#102;&#111;&#111;&#064;&#098;&#097;&#114;&#046;&#099;&#111;&#109;</a>
I agree with using Unicode encoding ...I use this on several web sites with no problems .... an additional encoding site is:

http://htmlfixit.com/cgi-bin/tools/encoded_email_masking.cgi

http://htmlfixit.com/tools.php
what about using Creabit Development's proprietary tool, "Advanced HTML Protector" ?

http://www.creabit.com/htmlprotect/

also prevents right-click-save-image, etc., apparently, but I've not used it.

I discovered it when I couldn't save an image in a page, so I looked at the source and couldn't make heads nor tails of it!

Chris.
Hi,
I can suggest two modes:

First is to use a guest book service that hides your email address; people can communicate with you without knowing your email.
An example is my page: http://www.infrarossi.it/contact_2001.htm

Second is to use an A.S.P. form that hides your email address.
An example (source code is available free for you if you accept the answer) is at http://www.blubattery.com/contact.asp

bye
Hi
I found an interesting article about Non Spam Email links.
goto http://www.codeproject.com/aspnet/NoSpamEmailHyperlink.asp
 - A very detailed article in 6 parts
cya
Brad
What about using tinyurl.com ?

you can send me a mail here: http://tinyurl.com/yu5rv
I'm using an asp.net approach which places the actual e-mail addresses in the code behind and sets the labels they're assigned to as visible="false" when the page loads.  
A visitor to the page has to click a button to show the e-mail addresses.  This has proven to be effective at hiding from spam spiders.
See http://www.geconsult.com/contact.aspx to see how it works.

Here's a stripped down version of the code (scripted instead of using code behind):
<%@Import namespace="System.Web" %>
<%@Import namespace="System.Web.Mail" %>
<%@Import namespace="System.Web.UI" %>
<%@Import namespace="System.Web.UI.WebControls" %>
<script language="vb" runat="server">
Protected defTxt as String
Protected defUrl as String

sub Page_Load(sender as Object, e as EventArgs)
      if not Page.IsPostBack then
            hideEmail
      end if
end sub
sub showEmail
      sample1.text="<span style='color:#0000FF;'>sample1@geconsult.com</span>"
      sample1.NavigateURL="mailto:sample1@geconsult.com"
      sample2.text="<span style='color:#0000FF;'>sample2@geconsult.com</span>"
      sample2.NavigateURL="mailto:sample2@geconsult.com"
end sub

sub hideEmail
      defTxt = "Click button to show"
      defUrl = "hidden.html"

      sample1.Text = defTxt
      sample1.NavigateURL=defUrl
      sample2.Text = defTxt
      sample2.NavigateURL=defUrl
end sub

sub ToggleEmail_OnClick(sender as Object, e as EventArgs)
      if ToggleEmail.text = "SHOW E-mail Addresses" then
            ToggleEmail.text = "HIDE E-mail Addresses"
            showEmail
      else
            ToggleEmail.text = "SHOW E-mail Addresses"
            hideEmail
      end if
end sub
</script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<html>
<head>
      <title>Sample Hide from Spammers</title>
<style>
      #sample1, #sample2 {
            color: #000090;
            font-style:italic;
      }
      #ToggleEmail {
            background-color: #000080;
            color: #FFFFFF;
            font-weight: bold;
            font-family: Arial, Helvetica, sans-serif;
            cursor:hand;
            width: 200px;
      }
</style>      
</head>

<body>
<form method="post" name="HideFromSpam" id="HideFromSpam" runat="server">
<div style="width: 690; margin-left: 25px; text-align: left;">
<h1>How to Contact Us</h1>
<p><u>Please note</u>: Actual e-mail addresses are hidden when this page loads.  This is done to hide the addresses from the "spiders" used by spammers to harvest e-mail addresses from web sites.  Click on the "SHOW e-mail addresses" button below to reveal the addresses as clickable "mailto" links.</p>
<div align="center"><asp:button id="ToggleEmail" runat="server" text="SHOW E-mail Addresses" onClick="ToggleEmail_onClick"/></div>
<br><br>
<ul>
      <li>Sample address1: <asp:hyperlink id="sample1" runat="server"/>
      <li>Sample address2: <asp:hyperlink id="sample2" runat="server"/>
</ul>
</div>
</form>
</body>
</html>

GaryEik.
I'm no JavaScript expert but I really like jkna_gunn's approach and was wondering if there is a way to add the subject line. As in:

mailto:someone@somedomain.com?subject=More Information

Thanks.
Pam

sure just add another parameter to the function

<script language="JavaScript">
function showAddress(ext, domain, name, _class, addtxt, subject)
{
    var add = name + '@' + domain + '.' + ext;
    if (addtxt == "")
        addtxt = add;
    document.write('<a href="mail' + 'to:' + add + '?subject=' + subject + '" class="' + _class + '">' + addtxt + '</a>');
}
</script>

to call it in your script do this :

<script language="JavaScript">showAddress(".com","mydomain","a.smith","class","A Smith","More info");</script>
 
If you're using Dreamweaver, there is a very useful extension called "spamkiller". Just highlight the email link, click the extension and it turns it into unreadable gibberish for robots (and humans) but looks normal in a browser.
Get it here: http://www.dmxzone.com/showDetail.asp?TypeId=3&NewsId=4376 and it's free
I have used http://innerpeace.org/escrambler.shtml on several sites and our e-mail addresses have not been harvested.
I use an ECMAscript to break up my email address, and it works fine for me, is clickable and very compatible, as it works in all browsers.  I haven't had a single spam since I've been using it.  I can't say it'll work for everybody, however, because there is another part of the system, in that I have my email hosted by a service with very strong server-side anti-spam filtration.  

This is the generator:

<script language="JavaScript">
// Build the address from two parts so it never appears whole in the source
var name = "name";
var domain = "domain.extension";
document.write("<a href='mailto:" + name + '@' + domain + "'>");
document.write(" " + name + '@' + domain + "</a>");
</script>

I'll add my simplistic approach to this- if you're cool with using Flash, you can simply make a button-sized flash item and place it in the page.
In the flash, code the button action to the following
on(release){
getURL("mailto:joeBlow@toetag.com");
}
That absolutely cannot be crawled- though when flash generates your html, it can be set to put all movie text in meta tags, so you'd have to pull that out, or adjust your prefs.
The php that executes on the server is the best way. The user doesn't even see your address, it just passes the information. Anything processed at the client will be able to be read by email harvesters. If you don't have this kind of access, there are free places (www.bravenet.com comes to mind) that process form to email pages for you, you just have to deal with their ads.
All methods such as JavaScript or Flash that hide the email, but launch the mail program when executed, are only a small delay for spammers.
When they execute the script, they can read your address from the email program.
Only an ASP (or PHP) script is 100% sure to hide your address: if somebody wants to write to you they have to fill in a form, and the email address isn't readable
anywhere in the HTML source.
Your email is invisible ... 100% sure ... at any time.

bye
I've seen a lot of stuff like:

Bill.Gates(at)Microsoft.com  or  Bill.Gates@Micro(remove_this_bit)soft.com  on the newsgroups and such like.
Anyone with half a brain would know what to do, if they wanted to contact you legitimately.

I used to use news@mydomain.com for my newsgroup email address. It's a monster size net for catching spam now of course.

I can't see there being many ways of actually hiding  <mailto:something@somewhere.com>  inside some html so that your browser will see it as a proper mailto link, but a cunning reverse engineering spam sucker will bypass it blindly.
Thanks to jkna_gunn for answering my question. Much appreciated. But please note that in the script after showAddress, there is no "dot" necessary before com because it's already taken care of in the first half of the script. I had to do the second half this way:
<script language="JavaScript">showAddress("com","mydomain","a.smith","class","A Smith","More info");</script>

Otherwise it's perfect and I really do appreciate it.

One question I have is...if one were to put the script in a separate .js file, and then the above was part of the web page, would that not foil the spam bots? Would they be able to harvest a 2-part script like that? Just wondering. I guess if you did a combo of JavaScript and Unicode it might be a little stronger approach.

What if you used SSI just for the script portion? I hope that's not a dumb question.

I guess the other question that always comes up is, how many people disable JavaScript?

Pam
BigSte makes a good point:

"I can't see there being many ways of actually hiding  <mailto:something@somewhere.com>
inside some html so that your browser will see it as a proper mailto link, but a cunning
reverse engineering spam sucker will bypass it blindly."

Especially now that us tricky webmasters are showcasing our secret weapons in a public forum ;)

It is true though.  It's only a matter of time before the spammers grok Unicode, and even parse through JavaScript.
Heck, I'm sure I could write a web crawler that would do both of those things with just a few hours of effort.
I'm not sure most of the solutions posted will accomplish the stated goal: Hide e-mail or web addresses from various automated harvesting tools. Here's why: Can you pick out the address with your eyes? Then you can write a 5-line perl script (maybe shorter) to do it too. How many TLDs are in active use? If you ignore all but .com and .org, you have a great starting point to go digging for addresses. Look around in the code for 1. quoted strings 2. "unicode" strings 3. simple variable assignments 4. similar obfuscations and I'm sure your script can defeat one type of address hider. Now put the resources of some of these big spam places behind the coding effort.

I've had a lot of "v1gra" ads come my way at my e-mail address that I had cleverly hidden using variations on methods proposed by Pam1234, dcpleland, and similar. Even the garyeik method still has the data right out there in front of God & everybody in the page's source code. If you can instance a browser, you can instance a raw download. Try it: use a telnet tool but specify port 80 (your telnet tool will probably default to port 23) e.g. www.thispage.com:80 (probably not thispage.com because you may get stuffed into ftp.thispage.com instead which probably isn't listening on port 80). You should see raw HTML (source code). Type a command like GET INDEX.HTML and see what happens.

Here's my take: Look at the page. Can you figure out what the address is, using your eyes? If not, click on View--> Source. Is the address somewhere, anywhere, in the source code, even broken up, obfuscated? Yes? Then some crawler is going to pick it up.

Embedding it in a gif or jpeg, with an irregular font and random patterned background to defeat OCR, is pretty foolproof, but of course a spammer scanning your page by eye can still get it. But infrarossi_it had it right: only code that doesn't actually put any part of the address into the code is relatively secure.

So do what I do: Get a number of throwaway e-mail addresses on yahoo or hotmail and use them! No help for corporations or people that need a consistent, knowable address, I know.

Using TinyURL: Never tried that. What a great idea.

-T
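
Added example, not part of any post in this thread: a Python self-audit for the test described above (is the address still in the page source once the markup is undone?). Given an address you already publish, it reports the smallest set of static transforms that recovers it from the source; the sample pages are constructed, modelled on snippets posted in this thread, and all function names are hypothetical.

```python
import html
import re
from itertools import combinations


def strip_tags(text):
    """Drop anything tag-shaped, so text split across cells or junk tags rejoins."""
    return re.sub(r"<[^>]*>", "", text)


def decode_entities(text):
    """Turn &#64; / &#064; / &amp; style references back into characters."""
    return html.unescape(text)


def join_literals(text):
    """Collapse adjacent quoted strings: "mail" + "to:" becomes "mailto:"."""
    return re.sub(r"""["']\s*\+\s*["']""", "", text)


# Applied in this fixed order whenever more than one is needed.
STEPS = (strip_tags, decode_entities, join_literals)


def _squash(text):
    """Ignore case and whitespace so line breaks between fragments do not hide a match."""
    return re.sub(r"\s+", "", text).lower()


def minimal_recovery(source, address):
    """Return the shortest tuple of step names that exposes `address` in `source`.

    () means the address is present verbatim; None means none of the static
    transforms above recovers it.
    """
    target = _squash(address)
    for size in range(len(STEPS) + 1):
        for combo in combinations(STEPS, size):
            view = source
            for step in combo:
                view = step(view)
            if target in _squash(view):
                return tuple(step.__name__ for step in combo)
    return None


def _entities(text):
    """Encode every character as a zero-padded decimal reference, as the encoder sites do."""
    return "".join(f"&#{ord(ch):03d};" for ch in text)


# Constructed sample pages, one per technique discussed in the thread.
SAMPLES = {
    "plain_mailto": ('<a href="mailto:me@coolguy.com"><img src="myemail.gif"></a>',
                     "me@coolguy.com"),
    "image_only": ('<p><img src="myemail.gif"></p>', "me@coolguy.com"),
    "entities": ('<a href="' + _entities("mailto:foo@bar.com") + '">'
                 + _entities("foo@bar.com") + "</a>", "foo@bar.com"),
    "table_cells": ("<table><tr>\n <td>user</td>\n <td>@</td>\n"
                    " <td>email</td>\n <td>.com</td>\n</tr></table>",
                    "user@email.com"),
    "script_concat": ('function MyLink() { window.open("mail" + "to:user"'
                      ' + "@" + "email.com"); }', "user@email.com"),
    "junk_tags": ("us<x1/>er&#64;exa<q>mp</q>le<dot!>.</dot>com",
                  "user@example.com"),
}


def audit_all():
    """Run the audit over every constructed sample."""
    return {name: minimal_recovery(src, addr) for name, (src, addr) in SAMPLES.items()}


if __name__ == "__main__":
    for name, steps in audit_all().items():
        print(f"{name:14} -> {steps}")
```

A result of None only means these three static transforms do not recover the address; it says nothing about a crawler that executes the page's scripts.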

Hi Prodier,

Here is one I use and it works perfectly:

<script type="text/javascript"><!--
function m(n,d,s) {document.write('\74'+'a safe href="mail'+'to\72'+n+'\100'+d+'\56'+s+'">'+n+'\100'+d+'\56'+s+'\74'+'/a'+'\76'); }
m("myname", "domain", "extension"); //-->
</script>



The beauty of this script is that there's no need to figure out Unicode codes and it's very short.

Good Vibes!

Lobo
I use a PHP form and have made the coding available here:

http://www.gospelcom.net/guide/resources/makingforms.php

It completely hides the address, also checks address validity and a number of other useful things, as well as displaying
the address visibly (but hidden) for those who would rather click on a mailto link

best wishes

Tony
Robots cannot deal with certain techniques shown above, but it's a matter of time that they will learn to read Unicode, parse thru JavaScript or jump across table cells.
Maybe the "TinyURL" or the "Flash button" will be harder.

BUT

Any method that launches Outlook (or whatever e-mail client you use) will be read by human eye. Your address is clearly written on the "To:" field of the new email.


ASP, PHP or whatever Server Processed Script is the only secure option.
(A three, two or even one field form + a five line script) will suit most of the needs.



Hope this helps
----------------------
The first Law of Cybernetic Entomology: "There's always one more bug"
The only bulletproof method is to use a server-side script.

You design a web-based form for the user to fill out.
The form contains a serial number to identify this mailing form from any others
Hitting the Submit button looks up the serial in a database, returns the address. Then it compiles an email, and sends it to that email address.

Since the email address is not on the webpage in any form, encrypted or not, there's nothing for the spammers to find.

We did this in python, and it works well.

Good Luck

Ian
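
Added example, not the poster's code: the serial-number form described above in Python, where the page carries only an opaque id and the address is looked up on the server. The RECIPIENTS table, the addresses and the function names are assumptions; the handler also rejects line breaks in visitor-supplied header fields, a check any form-to-mail script needs so the form cannot be used to add extra headers.

```python
import html
import re
from email.message import EmailMessage

# Stand-in for the database table: opaque serial -> real address (assumed values).
RECIPIENTS = {"7f3a": "sales@example.com", "b21c": "support@example.com"}
SENDER = "webform@example.com"   # fixed From address owned by the site (assumption)
MAX_SUBJECT, MAX_BODY = 120, 5000
_ADDRESS = re.compile(r"[^@\s<>,;:\"]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def render_form(serial):
    """HTML sent to the browser: it contains the serial, never the address."""
    if serial not in RECIPIENTS:
        raise KeyError(serial)
    return (
        '<form method="post" action="/contact">\n'
        f'  <input type="hidden" name="to" value="{html.escape(serial)}">\n'
        '  <input name="email"> <input name="subject">\n'
        '  <textarea name="body"></textarea>\n'
        '  <button type="submit">Send</button>\n'
        "</form>"
    )


def build_message(form):
    """Validate a submitted form (a dict of strings) and compose the e-mail.

    Raises ValueError for an unknown serial, a malformed reply address, or a
    CR/LF in any field that ends up in a header.
    """
    serial = form.get("to", "")
    if serial not in RECIPIENTS:
        # The recipient is chosen from the server-side table only; a posted
        # address in this field is refused rather than used.
        raise ValueError("unknown recipient id")

    reply_to = form.get("email", "")
    subject = form.get("subject", "")
    for field, value in (("email", reply_to), ("subject", subject)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in {field}")
    reply_to = reply_to.strip()
    if not _ADDRESS.fullmatch(reply_to):
        raise ValueError("invalid reply address")

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENTS[serial]          # looked up here, never sent to the client
    msg["Reply-To"] = reply_to
    msg["Subject"] = subject.strip()[:MAX_SUBJECT] or "(no subject)"
    msg.set_content(form.get("body", "")[:MAX_BODY])
    return msg


if __name__ == "__main__":
    page = render_form("7f3a")
    print(page)
    demo = build_message({"to": "7f3a", "email": "visitor@example.net",
                          "subject": "More Information", "body": "Hello"})
    # Delivery would be smtplib.SMTP(host).send_message(demo); omitted so this runs offline.
    print(demo)
```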
>The only bulletproof method is to use a server-side script

Yes, I agree with centax as well - the only foolproof way to prevent harvesting of your email address from a web page is to not have it there in the first place.  Why all the attempts at obfuscation?  Obfuscation simply forces the spammer to evolve (much like an overuse of antibiotics in the microbial world).  If you're not trying to tell the world what your email address is, why do you have it on your webpage?

Cheers,
-Jon

well you had many contributions
so let's try something kinda different (but of course inspired by the previous ones __ the ones i read at least)*

if you use meaningless tags to make the visible address reasonably messy, you can work out to print it in a page while spiders will hardly find out, and then use that in a link.

the text will be affected by the size (and styles if you take care) that are defined in the rest of the page.
i'd rather suggest the use of a button or image to mess it up a bit more but you want it to look nice, no ?

then use a delayed javascript function to build the href property (let's say 3 characters by 3, the essential thing being you must not have the full word mailto nor a full address anywhere in the page)

let's say start the function 1sec after loading and then microseconds to proceed
do NOT add a onClick event linking to that function or it may easily be proceeded


if your client does not support javascript, he could still view the address all right but if he does he could click on the link as long as the page is loaded.
.... (sorry about that)

you can use a similar method combined with the image one to keep your site reasonably accessible while still being protected.

i'd recommend one last thing : whatever the method, add something personal to it to make it messy and don't ever post that part anywhere. (in my example, the construction of the href or onclick property could be made in a messy or even random order _ good luck to the spammers :)
I encrypt the address using www.hive.com

"The Enkoder Form will encrypt your Email address and convert the result to a self evaluating JavaScript, hiding it from Email-harvesting robots which crawl the web looking for exposed addresses. Your address will be displayed correctly by web-browsers, but will be virtually indecipherable to Email harvesting robots. " - hive.com
This worked for me.......

http://www.jracademy.com/~jtucek/email/ 

Regards,

Stu
The best way to hide your email address?  Don't show it at all.  Create a "contact us" form that interacts with a database.  Then build a page that views the columns in the database and check that page regularly.  Basically it would be the same concept as a web forum, except once the user has sent you a message including their email, you can just move the conversation to email.
Sometimes you simply must publish an email on a web page.

I disagree on the issue of email obfuscation. With so many email addresses in the open space, it is not cost effective for spammers to write javascript parsing engines,  de-obfuscation algorithms, or people.
The only exception to this is unicode masking, which is likely to be tackled by spammers since the search engines deal with it anyway, and spammers use enterprise scale index and search tools (like Verity, Convera, Inktomi etc.).

The problem with TinyUrl is that it is not printer friendly, so a person cannot file the contact details of your corporation for future reference.
The problems with images have already been elaborated upon.

So, if you are to publish email addresses anyway, use whichever method that strikes your fancy, just do not forget to close the question and award the points to whatever solution you choose.

ShalomC
I got my EE newsletter today and to my surprise there was a reference to this topic.  We had just started to discuss how to deal with this very issue.  As per some marketing demands we had to put the email of our higher profile executives in various pages on our website.  Corporate pitfalls!  I was very happy to read all of your suggestions and wish I could award you all points for many useful suggestions.  But as this is not my question, Thanks will have to do.
>Sometimes you simply must publish an email on a web page.

Why was that again?

>The problem with TinyUrl is that it is not printer friendly

Printer-friendly?  You've lost me entirely...  If you're that much into hard copy, what's wrong with printing out the URL of contact page?

>As per some marketing demands we had to put the email of our higher profile executives in various pages on our website

Bosses with no clue is a different matter altogether.  We all feel your pain.

Cheers,
-Jon

We use the function escramble(){  We used to have a lot of problems when we had the address in plain text, but since we have started using the escramble we have had no SPAM to our accounts.

Here's a link on how to get it to work...
http://www.sailplanehomebuilders.com/email_scrambler.htm


Good Luck
-Glenn
As you've read, there are many ways and it depends on the "look" and amount of effort you want to put into it.  It also depends on whether or not you know how to write PHP, etc.  One website I maintain must show many emails, showing committee chairmen, board members, etc.  The easiest I found is at Hiveware.com http://hiveware.com/enkoder_form.php?real.  You can fill all info in a form (incl. subject) or use the advanced form which is quite easy.  One person recommended to you one type of encoding and I put in the email addy of me@my.com to test it out. Their result showed:

<!-- address coding done at http://htmlfixit.com/cgi-bin/tools/uni.cgi -->
<a href='&#109;&#97;&#105;&#108;&#116;&#111;:&#109;&#101;&#64;&#109;&#121;&#46;&#99;
~~~Linebreak inserted by The--Captain for what he thought were obvious reasons~~~
&#111;&#109;'>&#109;&#101;&#64;&#109;&#121;&#46;&#99;&#111;&#109;</a>
<!-- me at my d0t com -->

The problem here is that these &#  ; codes are easily identifiable and harvesters will catch you quickly.

Contact forms are okay if that is the look you want and if that fits your scheme, but most I've looked at (even in these postings) show the name, domain, and extension with various characters in between.  This too can be easily harvested.

The same email addy (me@my.com) from the super easy to use Hiveware looks like this in the coding and I've been using it a while now and there has been no harvesting since.  It looks like this:


Try it out, it can't hurt and doesn't get easier.  http://hiveware.com/enkoder_form.php?real

Best of luck!

Greetings,
I maintain several web sites and find the technique of breaking up the email address has prevented address harvesting, so far at least.
The technique I use is similar to several already documented on this page.  My source was from
     SimplytheBest.net                     http://simplythebest.net/info/dhtml_scripts.html
Here is a sample from my pets page at http://home.att.net\KD_dog
The Email is linked to a graphic and will launch the user's email program in a new message.
This is the source code, as it appears in a table cell:
<td width="258" align="center"><p align="center">&nbsp;&nbsp;<img border="0" src="images/emailbear.gif" width="81" height="89"><br>
                                <script language="JavaScript">
                                <!--
                                // Courtesy of SimplytheBest.net http://simplythebest.net/info/dhtml_scripts.html
                                // hide script
                                var stb_domain = "att.net"
                                var stb_user = "KD_dog"
                                var stb_recipient = stb_user + "@" + stb_domain
                                var stb_url = "mailto:" + stb_recipient
                                document.write(stb_recipient.link(stb_url));
                                // -->
                                </script>
                                </td>

Woody
want a fool proof solution?

set up a guestbook on your website.
password protect the "view" page and remove the link to view the entries on the sign page.

your email address will be NOWHERE in the source, only drawback is you'll have to log into your site to view your emails, and if you use an email provider other than outlook you'll have to login to your email separately, unless of course you're familiar with programming.. then you could create a script all bunched as one.

a good guestbook script:
http://www.sakki.net/gb_1.asp

a good password protection script:
http://webwizguide.com/asp/sample_scripts/database_login_script.asp

of course combining the two will take a bit of html/asp knowledge but if you know the basics it would be no problem.
php, cgi type guestbooks and login pages would be acceptable as well.


but the absolute BEST method to protecting your email address is to use formmail.
free formmail:
http://formmail.to/formmail.to/
http://www.bravenet.com/webtools/emailfwd/index.php

and others have linked to formmail scripts, but i suggest the above links if you don't have your own scripting access, it's the ONLY way to 100% avoid spammers snatching your email.
I have used a VERY SIMPLE method for years to avoid the spam:

Change the email address occasionally.

With forwarding, it is very simple to make a new email address every other month
or so and then forward it to your regular email address.  I use incremental numbers
so that I can keep track of the changes (e.g., gb2@clingman.net, gb3@clingman.net, etc.).
When one email address begins receiving spam, I simply make the change to the next
email address and move on from there.

I find that it usually takes a couple of months to start getting the spam, and so
I plan on changing my email three or four times a year.  (Though for some
reason, the spammers haven't harvested my most recent email address for
over a year now.)
changing the email address isn't really an option - how many people would you need to tell? and how many would actually change their address book?
Jazzle --

Thank you for the clarification question.

I meant that the address on my website is only for initial contact.  I never use that address
in writing to anyone.  A person writes to me at the link on the website, and then when I
reply, they start using my real email address.  Then when I have to change the address
on the website, I don't have to notify anyone.  I keep the old website email address open
for a few weeks to make sure I've caught any stragglers, and then I simply shut it off.
The very best way to eliminate your email address from being harvested on your website is to not list it. PERIOD! To still allow your site visitors the ability to email you, use a form that in return sends their questions, comments, etc to you. The form can be as simple or complex as your needs allow and while your server side scripts are sending you the email, you can go a step further and document this contact in a database for later reference all at the same time with no interaction on your part. The would be client that asked some silly question while you were too busy to be bothered, may in return choose you for the next project after you re-contact him/her a few days later to make sure that his problem had been totally resolved.  
I think everyone agrees that a form would work but to say the solution is to "not list it. PERIOD!" is not always realistic. You may have a client or boss who will insist on an email link and say "make it work!" So we can be hard noses and say "then deal with the spam if you won't listen" - and that would be fair - but I think most of us want to do the best job we can and remain professional, explaining that, with all due respect, we believe an email link is the second-best choice.

Not everyone is going to "get it" when we recommend not using an email link. They see everybody else doing it, including people they really trust - and they can't understand why we say it's not a good idea. What's wrong with us, they reason, and why can't we give them what they want?

We can teach them a lesson, I guess, and let the spam floodgates open and then say "told you so." But I'd rather convince them the best I can, and failing that, try to use all the technology available to me to make the email link work. Then I'll explain that there is no way to prevent the email link from inviting spam but that I've put some safeguards in place to make it less likely.

I always recommend a form, and I always make what I consider to be a convincing argument for it. Usually they listen. But not always.

Pam
I concur.

Cheers,
-Jon
Something I heard the other day was to just indicate the format of the e-mail address and leave the actual interpretation up to the user. i.e.
"e-mail address format is first initial concatenated to last name followed by, @Hotmail.com" - or whatever applies to yourself.

I don't know how good a solution it is, but I did think it was an interesting concept
I have just gone through and tried lots of the above coding into pages and many of the solutions work quite well. I think there are so many solutions here there is guaranteed one will work for now. But as with everything else including all the latest anti-spam software there is big money involved in spamming so any solution is really only going to last for a small period of time. Keeping the code at the server back-end as garyeik posted as the backend in asp.net works very well for now.

No matter what we do the only way to try is for people to get a hold of the spam harvesting software and run it against your own site and see how it goes.

I think some points should be awarded to some people and close this off for now as there are plenty of solutions here

Cheers,

Stephen
Can someone suggest which of these solutions would be the safest option for a page with a large list of email addresses?
I imagine the form approach would generate a lot of emails to me, that I'd need to edit and forward to the correct recipient.
Anyone know of such a site?
Roy Low  
The form method emails should be handled with processing rules either on the server, or by the client that would "forward" to the correct person(s). No need to be doing the work that could ( and should ) be handled automatically for you.

I imagine that you could have, on your form, a list of radio buttons, and selection of any of these would direct the form action to a different PHP processing page, or whatever, which would send it on appropriately.

Incidentally, there's even software now which will go round the web and automatically find a form, and submit a message to it! I'm getting a few of these now. At least, they can't sell the email addresses on like other spammers, but it could become a bit of a problem.

Tony
you can reasonably afford the form method even for a large list of addresses.
it will be very fast (2-3 secs max) as long as u send small plaintext emails
the number of addresses does not really matter at all in this case
the only important question is are u gonna send so many mails that the server will be overloaded ?
... and the answer is probably 'no' as you need people to read the emails as well (as i understand this is a series of local mails)
i'd suggest to list in a <select> the available correspondents' screennames of that specific user and send the id through the form. you make a lookup and it's fine.

if you need a mailto and you want the thing to be visible
display the address using any of the good above systems (hash thing is good, splitting through different html elements is dangerous as most spiders will parse that properly, create and output as image using php is easy and rather efficient but for how long is a mystery as it's becoming too popular, other javascript methods seem good but i did not test any of them)

... and clickable
this is not chauvinism, but i think the most secure is mine but it relies on javascript in order to work properly

the point is bots may parse javascript, but that means parse the source.
they usually don't have the dom architecture loaded as a regular navigator
use getElementById to fetch the field/image, or whatever

EITHER (less secure but reasonably good) construct dynamically (better after loading than inline) the different onClick (or even href) attributes, splitting 3 by 3 will let in the code ('mai','lto',':th','esc','ree','nna','me@'(refer to @ using the corresponding javascript element),'ser','ver','.co','m') such chunks in different variables with different names, the reconstruction is done directly in the attribute so it can't be parsed
OR reconstruct the email in a destination's page and output it as a redirection (meta tags should accept the mailto syntax but needs to be checked) using similar methods.

the important thing is a bot that loads the pages and execute all the scripts and only then does the parsing would be much slower than regular ones which only look through the original source !

OTHER
u can check if DOM is loaded using a javascript in the first page
load any javascript in a '.js' file

... any ideas, comments, where am i mistaken ?
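
Added example, not part of the original post: the form approach with a <select> of screen names and a server-side id lookup, as suggested in the post above. The recipient table, field names and addresses are constructed, and the hand-off to an actual mailer is left out.

```javascript
// Constructed sample data: ids and screen names are public, addresses are not.
const RECIPIENTS = new Map([
  ["1", { screenName: "Sales", address: "sales@example.org" }],
  ["2", { screenName: "Support", address: "support@example.org" }],
]);

// Only ids and screen names are written into the page.
function renderSelect() {
  const opts = [...RECIPIENTS].map(
    ([id, r]) => `<option value="${id}">${r.screenName}</option>`);
  return `<select name="to">${opts.join("")}</select>`;
}

const hasLineBreak = (s) => /[\r\n]/.test(s);

// Turn submitted form fields into a message for the mailer, or reject them.
function buildMessage(fields) {
  const { to = "", replyTo = "", subject = "", body = "" } = fields;
  if ([replyTo, subject, body].some((v) => typeof v !== "string"))
    return { ok: false, error: "malformed field" };
  // The id is only ever used as a lookup key, so a visitor cannot
  // turn the form into a relay to addresses of their choosing.
  const recipient = RECIPIENTS.get(String(to));
  if (!recipient) return { ok: false, error: "unknown recipient id" };
  // CR/LF in a header value would let the sender append headers such as Bcc:
  if (hasLineBreak(replyTo) || hasLineBreak(subject))
    return { ok: false, error: "line break in header field" };
  if (!/^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/.test(replyTo))
    return { ok: false, error: "invalid reply address" };
  if (body.length === 0 || body.length > 5000)
    return { ok: false, error: "body empty or too long" };
  return {
    ok: true,
    message: {
      to: recipient.address,
      replyTo,
      subject: `[contact form] ${subject.slice(0, 120)}`,
      text: body,
    },
  };
}
```
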
Maybe this will work...

Go to http://web.onetel.net.uk/~sherilc/az/encrypt++/pages/ecdc.html?encrypted=

Then once you have encrypted your email address with MY ENCRYPTION SCRIPT!!! (Happy me!) - put the following in the required webpages:


This should go in between <head> and </head>:

<script language="javascript" type="text/javascript" src="http://web.onetel.net.uk/~sherilc/az/encrypt++/resources/dc.js"></script>
<script language="javascript" type="text/javascript">function gotoEmail(enc){location="mailto:"+decrypt(enc);}</script>

Then this can go anywhere in the body (I have used an example for my email address):

<a href="javascript:;" onClick="enc('10$10/00e70@10w00q30E00q10K10/31j08b47K38E87w10K00e60]00a31');">Email me!</a>

This worked perfectly for me... Don't know if anybody could find a way around it.
the script looks great
why is the script executed, btw, i don't quite get it
i would a thought of something like
onClick="eval(enc('stuff'));"
or in a similar way change the href property to mailto:yourmail@thing.com

a little draught then, we need a server-side version as otherwise your mail still has to appear somewhere, or you have to store crypted versions of the mails on the server as well as non-crypted which does not make databases manipulations easy

a php version ?
>I'm using an asp.net approach which places the actual e-mail addresses in the code behind and sets the labels they're
>assigned to as visible="false" when the page loads

This technique sounds like it relies on the browser to hide the email address - not a good idea (in fact, a very bad idea).  I would say that it is very likely that the percentage of spam harvesters that would still pick up your email address is close to 100 percent, if my initial assumption is correct.

<puts on PE hat>

rowlow - please post your questions in your own post using your own points.  
Thank you.

<removes PE hat>

Here's an approach which I don't think has been mentioned.  If you are being forced to put email addresses in a web page (since I think we all agree that the reasons for doing so are shaky, at best), why not just use the old honeypot technique?  Put a few bogus addresses out there (hide them from humans, but not from web spiders/robots/harvesters - a different, but actually useful application of garyeik's technique), and obfuscate the hell out of the real addresses (using some of the encoding techniques mentioned above) - I'd avoid azcn2503's suggestion, though, unless you believe his website will be around forever (and given the URL he provides for the src, I seriously doubt it will - he states "Don't know if anybody could find a way around it.", but no one has to - they just have to wait for his website to go down).

All that remains is to block/blacklist anyone that attempts to mail you using the honeypot [fake] addresses.

seanpowell's approach using an image is not too bad, either - at least then a human has to harvest your address (assuming you clutter the image with other garbage that looks like alphanumeric so you fool any OCR harvesters out there - don't laugh - I've seen it done, and with image generation done on-the-fly no less).

Combine that with the honeypot idea and you shouldn't get too much spam.  

Of course, the BOFH in me says that if boss is so insistent on having email addresses on a webpage, then just throw them out there.  Once the spam starts flooding in (and you inform boss that this is due to listing email addresses on webpages), boss will beg you to implement it the "right" way (ie CGI, PHP or other "backend" technologies that simply never list the address in any way on the actual page).  If boss is so dumb that he insists on email address in web pages, he will likely not be smart enough to understand the obfuscation techniques previously discussed, and presumably will not take you to task for not implementing them - I mean, that's why he hired *you*, right?

Cheers,
-Jon


I also think davecman has an interesting approach - not a bad idea if you have administrative control of your mail server.  If you implement his technique with some of the ones I and others have mentioned you should be able to seriously cut down on the amount of spam received from harvesting robots.

BTW - I assume you are already employing some sort of spam blocking techniques on your mailserver, if possible (ie spamassassin, spam RBL lists, etc)

Cheers,
-Jon
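
Added example, not part of the original posts: the honeypot idea above as a delivery-time check. The trap addresses, IPs and delivery records are constructed; blocking by connecting IP rather than by sender address is an assumption of this sketch, chosen because the sender address is trivially forged.

```javascript
// Constructed sample data: addresses that appear only in hidden page markup.
const HONEYPOTS = new Set(["trap1@example.org", "trap2@example.org"]);

// Constructed envelope-level delivery attempts, in arrival order.
const SAMPLE_ATTEMPTS = [
  { ip: "203.0.113.7",  from: "a@mail.example",  rcpt: "info@example.org"  },
  { ip: "198.51.100.9", from: "x1@bulk.example", rcpt: "Trap1@Example.org" },
  { ip: "198.51.100.9", from: "x2@bulk.example", rcpt: "info@example.org"  },
  { ip: "203.0.113.7",  from: "a@mail.example",  rcpt: "sales@example.org" },
  { ip: "192.0.2.44",   from: "y@other.example", rcpt: "trap2@example.org" },
  { ip: "192.0.2.44",   from: "z@other.example", rcpt: "sales@example.org" },
];

const norm = (addr) => addr.trim().toLowerCase();

// Decide accept/reject for each attempt and build the blocklist as we go.
function processAttempts(attempts, honeypots = HONEYPOTS) {
  const blocked = new Map();   // ip -> honeypot address that exposed it
  const decisions = [];
  for (const a of attempts) {
    const rcpt = norm(a.rcpt);
    if (honeypots.has(rcpt)) {
      // No human was ever shown this address, so the source harvested it.
      if (!blocked.has(a.ip)) blocked.set(a.ip, rcpt);
      decisions.push({ ...a, action: "reject", reason: "honeypot recipient" });
    } else if (blocked.has(a.ip)) {
      // Same source, different From: still rejected for real addresses.
      decisions.push({ ...a, action: "reject", reason: "source on blocklist" });
    } else {
      decisions.push({ ...a, action: "accept", reason: "" });
    }
  }
  return { blocked, decisions };
}
```

Recording which trap address exposed each source also shows which page the harvester read, if every page carries its own trap address.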
SPAM FILTERS

<< All that remains is to block/blacklist anyone that attempts to mail you using the honeypot [fake] addresses.

spammers are scumbags as they disturb you by sending unwanted emails, but also cause they overload the net.
don't behave in that same way. at least if you change addresses, send an automatic mail as a response with the proper address, or better try an object or image tag, referring to an address on the server that will display the proper address in the email inline even if you change it after sending. any of the above techniques will work fairly easily.

needless to remind that spam filters are costly and inefficient and/or will block genuine mails.
-----------------------------------------------------

DISPLAY INLINE IN AN IMAGE

<< seanpowell's approach using an image is not too bad, either - at least then a human has to harvest your address (assuming you clutter the image with other garbage that looks like alphanumeric so you fool any OCR harvesters out there - don't laugh - I've seen it done, and with image generation done on-the-fly no less). >>

images on the fly : got a sample code at hand

FUNCTION            (text to display , reverse bg and text color + underline in one case , precise different way to display
                            this one is not precise but will look rather fine for strings from 10 to 20 chars)
function creer_onglet($texte,$reverse_colors=0,$font=3,$imX=0,$imY=35,$oX=10,$oY=10,$qual=80,$chem="onglets"){
$rev=""; // file-name suffix, becomes "-rev" for the reversed-color variant
if(!$imX)$imX=strlen($texte)*7+20; // default width: about 7px per character plus padding
global $URL;$chem="$URL/$chem";
if(!is_dir($chem) && !mkdir($chem) or !$im=imagecreate($imX,$imY))return false;

// default colors, then overrides chosen by the prefix of the text
if(($bg=ImageColorAllocate($im,200,200,0))===false or ($tx=ImageColorAllocate($im,128,0,0))===false)return false;
if(substr($texte,0,7)=="projet_" and (($bg=ImageColorAllocate($im,192,192,128))===false or ($tx=ImageColorAllocate($im,64,64,128))===false))return false;
if(substr($texte,0,3)=="BI_" and (($bg=ImageColorAllocate($im,128,128,64))===false or ($tx=ImageColorAllocate($im,0,96,96))===false))return false;

// reversed: swap the two colors; otherwise underline the text
if($reverse_colors){list($bg,$tx)=array($tx,$bg);$rev.="-rev";}else imageline ($im,$oX+10,$oY+15,$imX-$oX-6,$oY+15,$tx);
// fill the background, draw the text, write the JPEG (no_accents() is the poster's own helper, not shown)
if(!ImageFill($im,0,0,$bg) or !imagestring ($im,$font,$oX,$oY,str_replace("_"," ",$texte),$tx)
or !@imagejpeg($im,"$chem/".no_accents($texte.$rev).".jpeg",$qual))return false;return true;}

IMPLEMENT
foreach($onglets as $texte => $cible){$rev="";//creer_onglet($texte);//imagepstext($im,$onglet,"times",10,10,10);      
      if($cible!=$chemin)$rev="-rev";
      if(!file_exists("../onglets/".no_accents($texte).$rev.".jpeg") and !creer_onglet($texte,$rev))
            echo "<a href=\"$PHP_SELF?chemin=$cible\">$texte&nbsp;&nbsp;~~~>&nbsp;&nbsp;$cible</a>&nbsp;&nbsp;&nbsp;";
      else echo"<img src=\"../onglets/".no_accents($texte).$rev.".jpeg\" alt=\"$cible.$rev\"
                  onClick=\"javascript:document.forms['main'].elements['chemin'].value='$cible';document.main.submit();\">&nbsp;&nbsp;&nbsp;";}

COMMENTS
- this function is meant to output image tabs, but you can use it to display emails in a very similar way, just input mailtos in array $onglets (onglets FR <=> tab EN)
- no_accents will take off all unwanted chars. i don't provide it as it is a french design that mainly takes accents away.
images are named by the content in this version. this should be changed, and then any character will be fine.
if u use a db to display emails, just simply name the files by the id, or rather 'TAB$id', or something similar
- the middle part of the func will display different colors depending on the beginning of text. you probably won't need this.
- you only have to provide the first argument, others will default rather properly.
----------------------------------------------------------

SPAM

let's stop spammers
use abuse@server.dom addresses, they often end up closing the account, and sometimes take steps against the end-spammer !

we need some active fight against spammers : start by shutting any open mail relay on the internet
...unless they provide some proper filtering and take actions against identified spammers.

if we need to block addresses, why not block those from any mail server that provides such service ?
there should be a time when they have to stop making them available.
----------------------------------------------------------

OTHER ISSUES (back in topic)
well basically anything that will let u check that a real user is working.  (!!! most rely on client-side scripts)

WITHOUT user interference => check for dom existence and execution
- change the color of a cell, using a different one every two secs. upon pressing the link, the mail adress is re-created only if the color is the proper one. (use transparent or 0 width cell to hide the ugly thing)
- use a dummy function that checks if an image on your page has been properly downloaded and displayed.
some bots may load a proper dom but they probably don't download images yet.

WITH
- use one of the former techniques to hide the link to the page that actually will let u send the email (whether by form or mailto)
there is very little chance that any bot will reconstruct the link properly and follow it, and parse a different method and send it...
- use a dummy submit like a simple 10 table cells, and one of them active will just change to the next every second.
your users need to click on the active to send the mail, you can make the active one bigger to always keep it an easy click, or even better keep the other columns to 0 size.
this can even be worked without user interface, but if the user does not have javascript, it just does not work.
- more dummy but simple and efficient : the email is messed using one of the above.
you draw a chessboard and just write validation is done by clicking on f6 for ex (changes each time you load)
all the other will simply lock the thing if they are clicked, or rather simply reload the page.
any bot will process the onclick events one by one and get stuck.
----------------------------------------------------

FIND WHO THE BOTS ARE
using some of the above techniques (especially the last) makes it VERY easy !!
just detect any client that makes several mistakes. you could even be nasty and display all links as plain : one of them pointing to the page where the address is actually displayed, and all the others to a log-info page.
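
Added example, not part of the original post: detecting "clients that make several mistakes" from the web server's access log, with all decoy links placed under one path prefix. The prefix, threshold, IPs and log lines are constructed assumptions.

```javascript
const DECOY_PREFIX = "/contact/d/";  // hypothetical: every decoy link points below this
const THRESHOLD = 2;                 // distinct decoys followed before a client is flagged

// Constructed access-log lines (common log format) plus one damaged line.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2004:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120',
  '203.0.113.5 - - [10/Oct/2004:13:55:41 +0000] "GET /contact/d/3 HTTP/1.1" 200 312',
  '203.0.113.5 - - [10/Oct/2004:13:55:49 +0000] "GET /contact/real HTTP/1.1" 200 840',
  '198.51.100.23 - - [10/Oct/2004:13:56:01 +0000] "GET /index.html HTTP/1.0" 200 5120',
  '198.51.100.23 - - [10/Oct/2004:13:56:01 +0000] "GET /contact/d/1 HTTP/1.0" 200 312',
  '198.51.100.23 - - [10/Oct/2004:13:56:02 +0000] "GET /contact/d/2?x=1 HTTP/1.0" 200 312',
  '198.51.100.23 - - [10/Oct/2004:13:56:02 +0000] "GET /contact/d/3 HTTP/1.0" 200 312',
  '198.51.100.23 - - [10/Oct/2004:13:56:03 +0000] "GET /contact/real HTTP/1.0" 200 840',
  'garbage line without fields',
];

const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// A person may click one wrong link; a crawler follows every link it finds.
function findBots(lines, threshold = THRESHOLD) {
  const hits = new Map();  // ip -> Set of distinct decoy paths requested
  let skipped = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { skipped++; continue; }   // count unparseable lines, do not guess
    const path = rec.path.split("?")[0];
    if (!path.startsWith(DECOY_PREFIX)) continue;
    if (!hits.has(rec.ip)) hits.set(rec.ip, new Set());
    hits.get(rec.ip).add(path);
  }
  const flagged = [...hits]
    .filter(([, decoys]) => decoys.size >= threshold)
    .map(([ip, decoys]) => ({ ip, decoys: [...decoys].sort() }));
  return { flagged, skipped };
}
```
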
Hi  mplungjan,

Since there's a wealth of valuable info in the posted comments I'd PAQ it for future reference. However Prodier may have a hard time splitting points among so many great suggestions! ;o)

Good Vibes!

Lobo
Avatar of prodier

ASKER

Thanks to all who participated, many possible solutions were given. In the end jkna_gunn's response was the one that fit best for me.