Avoiding spammer "harvesting" of your site's email addresses

Hi tewald,

don't you think the developer of the bots are smart enough to know that trick and can find #064 as well as the "@" symbol?

Hi Polemic,

the best way to do that it to avoid to show the mail address in the HTML code at all. As a PHP expert I would suggest using PHP :-)

If you are not familiar with PHP: I have set up a little tool where you can compose your own Form Mailer online and have it sent to you by e-mail. All you need it a webspace that supports PHP and where you can send e-mails from the webserver (that is the default setting for most ISPs).

You can give it a try:
http://www.rent-a-tutor.com/tools/makeform.php

Marian

heddesheimer, yes I do believe SOME spambots can identify, translate, and utilize #064 that's why I said it was a "good" html solution - not the best solution.  A server-side script (ASP, PHP...) would work too; however, using the JavaScript solution would equally prevent spambots from gleaning the email address since they are NOT intelligent enough to parse javascript, nor are they ever likely to.

tewald

Another way to approach this is to use late binding.  I'll explain

Let's say you have a form like this:

<FORM ACTION="/cgi-bin/form.cgi">
<INPUT TYPE="HIDDEN" NAME="MAILTO" VALUE="joe@dot.com">
<INPUT TYPE="HIDDEN" NAME="REPLYOK" VALUE="ok.html">
...
</FORM>

This is considered early-binding because all the variables are already initialised when the page is send to the parser.

To use late-binding you can go like this:

<FORM NAME="pagerform" ACTION="cgi-bin/form.cgi">
<INPUT TYPE="HIDDEN" NAME="MAILTO" ID="xmail" VALUE="">
...
<BUTTON ONCLICK="doit()">Submit</BUTTON>
</FORM>

this comes in your <HEAD> section

<SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
<!--
function doit()
{var z='joe';
 var y='dot.com';
 var x=z+'@'+y;
 document.all.xmail.value=x;
 document.all.pagerform.submit()
}
//-->
</SCRIPT>

I'll doubt that a robot will actually extract the email adress from this.  You can also put the script above in a separate file and link it to your document.  That way if you look at the source of the document with the form on it, you can't see any email adress.

To do this: place the script in a separate file with a .js extension, upload it to your server and place the following line in the head section of your form page:

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript" SRC="xscript.js"></SCRIPT>

make sure you change xscript.js with the filename you've givven the script and include the relative path

BTW: I know it sounds silly to think those bots will abay it, but have you tried setting the robots name in your robots.txt file?  If their robots do not obay the robots standards, you can sue them.  Especially if they use the gathered email adresses for unsolicited comercial mail campaignes

Should you require more info on robots.txt just let me know


Ramses says Roooar

Another work around is to have it mailed to an email with the subject set on the form page.  for example: 'PAGER REQUEST' , have your mail program filter those out and forward them to the REAL address

plain & simple



Ramses says RoOOOaar

I prefer not to publish my email address on a webpage and just have a custom built PHP script form mailer with the address hard coded in to the program (where the user doesn't see it until I reply to their email).

OK, was just a solution for people who do not have php or other server-side scripts, except for form.cgi

<a href="mailto:cdevos" onClick="this.href+='@h2d2.nl'">Click here to email me</a>

or

<a href="mailto:cdevos@nowhere.com" onClick="this.href=this.href.replace('nowhere.com', 'h2d2.nl')">Click here to email me</a>

or just tell your users to replace a certain character with the @ like:
Change the - with the @: <a href="mailto:cdevos-h2d2.nl">Click here to email me</a>

regards,
CJ

I like the Javascript based solutions (tewald and ramses) because they appear as though they'd be too much trouble for a spambot to parse et I can still understand them, alter them to suit, and incorporate them easily in the design of the page.  I like Ramses's solution slightly better because it keeps all mention of the address off the source of the page.

I accept that php is probably bullet-proof in this regard, and I wish I knew how to configure it!  Thanks heddesheimer, I tried your cool little tool and got a script from it, but it will be a steep learning curve for me to make that script into a page that mimics the remainder of the ste and also carries the various other contact methods (form-to-mail, ICQ panel, and so on) I ant on the same page.  I'll try it though, and let you know if I can adapt it.

I would imagine the smater spammers have figured the &#064; trick now, and the thing is, I can't risk too weak a protection... the only real way to test the solution I choose will be to "go live" and if it fails and I end up in the spammers' databases it's too late to go back and try plan B.

The "forwarding email through a filter" theory won't work for two reasons - I don't have an "always on" internet account so emails come into the system spasmodically (albeit several times a day) whereas the essence of a pager is speed; and because filtering the mail sent from the form and forwarding would still forward spam... I'd have to filter on dubious words and manually check the dumped mail... too fiddly and time consuming.

CJ's solutions are intriguing in their simplicity... I'll play round with them and see if I can get them to work.  Im still suspicious of anything that has the compoents of my address anywhere near an "@" though... spammers are getting trickier all the time.

Now, just to add to my headaches my ISP has told me the server on which my site is hosted is closing down, so I hve to make urgent plans to shift my site.  So far from worrying about one form I'll be caught up with shifting files, logs, emails, and so on changing DNS data; and generally making sure things run smoothly that I won't be able to implement these suggestions for a few days... perhaps a week.

By all means keep thinking, and I welcome any new suggestions. But wrapping this up might take awhile.  Thanks to all who've contributed so far:-)

PHP isn't the only solution, you can use ASP, Perl or whatever you like. If you have PHP available on your server please say and I'll write you a quick script.

I would really avoid client side JavaScript if possible as (last time I checked) 12% of users have JavaScript unavailable or disabled - and they wouldn't be able to email you at all. Add to that the problems of people who use webmail account - the mailto: link is useless to them.

This question has been abandoned.  I will make a recommendation to the
moderators on its resolution in a week or two.  I appreciate any comments
that would help me to make a recommendation.

Cd&
 

It is time to clean this abandoned question up.  

I am putting it on a clean up list for CS.

<recommendation>
split tewald, ramses,CJ_S

</recommendation>

If anyone participating in the Q disagrees with the recommendation,
please leave a comment for the mods.

Cd&