Is mailto: a universal code?

Hi,

To avoid spam sent in through forms, I was thinking about deleting the mail form and replacing it with the good old-fashioned mailto:, of course with the e-mail address encrypted with javascript. That’s a lot easier than captchas. But is mailto: a universal code? Does it also work if people have an Apple, or have Thunderbird as mail program?

mailto: only works inside the <a> tag in web pages and not with forms.

Expect about 1000000 times as much spam if you use mailto: as you get with a contact form as that’s the first thing the spambots look for.

Also with a form you can use measures to block spammers after they start using the form. With mailto: once the spammer finds it the only solution is to delete the email address completely.

That is blatantly not true.

For starters, this works in my IE9


<body>
        <form action="mailto:me@mydomain.xyz" method="post" enctype="text/plain">
            <input type="text" name="txt1" />
            <input type="submit" name="submit" value="Send" />
        </form>
    </body>

When the send button is clicked, all the name/value pairs in the form are sent to the email address.

However, there are disadvantages to using mailto: including

  1. Some older browsers don’t support it

  2. It requires the user to have an email client program installed on their computer and to have it configured to work with a POP mail account

  3. The contents of the email are not encrypted for privacy.

Expect about 1000000 times as much spam if you use mailto:

Like I wrote, I was gonna encrypt the email address with javascript, so I’d think that’s not correct.

It requires the user to have an email client program installed on their computer and to have it configured to work with a POP mail account

I guess that’s a compelling reason to keep using forms. Thanks. But just out of curiosity: would mailto:, whether used inside a form or as an <a> tag, work with all mail programs, also on Apples?

I would expect it would but I don’t know for sure.

My understanding of how mailto works is that it sends a “message” to the operating system to startup whatever email client program it has set as the default email program. Whether it works this way in all environments I am not sure. Bottom line - imho it’s better and safer to send emails from a server side script where it will work in all cases.

Indeed. I might miss potential clients that are using web mail rather than a mail program.

Thanks again.

As felgall says, there are ways to stop spam send through forms, but once an email address starts to get serious spam, it’s dead.

That said, you can significantly improve the chances of the email address not being harvested by using [noparse]@[/noparse] instead of @ in the text link and the mailto address.

There are pros and cons of both mailto links and forms. Ideally you would offer both, and put suitable security measures and filters in place.

If you only use mailto links then you are ruling out anyone who isn’t at their home computer, and a fair number of people who are. Anyone who doesn’t have an account (that they want to use) configured on the default mail client will be unable to contact you. That includes anyone at a library or internet cafe, anyone who is borrowing a friend’s computer, a significant proportion of people using mobile phones and anyone using their work computer who doesn’t want to use their work email.

If you use Javascript-obfuscated mailto links then you can also rule out anyone who isn’t running Javascript, including a large chunk of people using assistive technology and more mobile phone users.

Do you really want to lose such a large proportion of potential contacts?

If you only use forms then you rule out people who are too inept to type their email address in correctly. That turns out to be a frighteningly high number. You also annoy people who like to keep a copy of all emails they’ve sent, although that’s less of a big deal.

“large proportion” compared to what? Can you quote the source of data you used to arrive at your opinion the proportion of users would be large?

In my experience the number of users with javascript disabled or using assistive technology is relatively tiny.

I was counting all the people you would lose from having only a mailto link, not just those who wouldn’t cope with the requirement for Javascript.

In the absence of supporting data, I am not convinced it will be a “large proportion” although obviously some potential contacts will be lost.

you can also rule out anyone who isn’t running Javascript, including a large chunk of people using assistive technology

We need to keep in mind here that, if “assistive technology” means screen readers, screen magnifiers and speech-control programs like Dragon Naturally Speaking, then Javascript is enabled for a majority of those people (for the same reasons it’s enabled for the majority of any random web user: it’s on by default in the browser and most people are not behind a script-blocking firewall or some such).

The group of disabled who will have Javascript turned off are the people with things like photosensitive epilepsy, balance problems, extreme motion sickness and possibly people with attention disorders (because Javascript is often used to create distractions and goofy animations on pages than real direct basic functionality). If the site fights them that much, they’ll leave.

Mailto links are retarded, and don’t work on my machine (after Evolution did a final, spectacular crash, I removed it from my computer entirely… what a worthless steaming pile of code that is), I highlight the link and copy it, and paste into my mail editor. Problem solved. I do hate accidentally clicking on the things though. Annoying.

In the absence of supporting data,

I don’t think you’ll ever get good data on that… even Yahoo’s “test” was seriously flawed, but in general most analytics on web sites are performed by… you guessed it, Javascript. And tests like the one Yahoo did are too stupid to account for users whose Javascript is disabled via firewalls and plugins rather than in the browser itself. Almost every browser comes with a Javascript parser and such browsers have it enabled by default.

In my experience the number of users with javascript disabled or using assistive technology is relatively tiny.

The number of users with Javascript disabled is probably tiny. The number using assisitive technology, you cannot know, for they are not measurable via analytics in any way, shape or form (well, unless you want to add a survey to your site… but then, most people don’t bother answering surveys which is why they are unreliable in representing all your users). You cannot detect if someone is using a screen reader or other application on their computer on top of their browser. Which is disappointing, for we’d all love to know the stats on these folks.

Yes, it works in my mail program on my mac.

I have no idea how spam messages are sent through forms but my guess will be the use of id or name attributes in the form elements. Wouldn’t it help to fight spammers if you use unique attribute names other than the mostly used “name, email, message, submit” type of words?

ademmeda: have you heard of a honeypot?

These are for the bots that automatically fill in forms. Usually they don’t have Javascript abilities. You add a label-input pair where the label says “don’t fill in! leave blank!” and the input is just a text input. You hide those using CSS or Javascript. Robots will fill it in, since they don’t bother reading directions. Labels will get heard by humans who don’t have CSS or Javascript, so screen reader users might hear the label but know not to fill it in.
Your back-end script processing the form either dumps forms where that input is filled in, or sets those aside so you can check them later, whatever you make it do.

Won’t stop human spammers using a JS-enabled and/or CSS-ready browser though. Those get askime or whatever it’s called.

Unfortunately, there’s no surefire way to stop spam. Encoding the mailto link may help a bit, but it won’t stop spam entirely. If nothing else, there are individuals out there who visit sites and send spam through forms or grab the visible email address and add it to a spam list. As mentioned, a form with a honeypot (a hidden tripwire field that a bot will fill in) does a good job, but it won’t stop individuals posting spam through your form. The internet is a playground for scumbags, and you can’t avoid them unless you keep away from the web entirely. :frowning:

yes, it will work with all the mail applications. Of cource it will not work with webmail applications.