Using JavaScript to hide mailto links from spammers

hi,

I’m working on a site for a client, basically am recoding entire site in plain HTML b/c they don’t want to go thru a CMS anymore… (plus the CMS was generating atrocious markup…)

one thing they have on the site is they use JavaScript to hide email addresses from spammers (I guess this was a CMS option/feature…) I had never seen this done before, and in principle it seems like an ingenious approach, except for the obvious issues (can’t see address if JS is disabled, and the accessibility issues…)

so how could I go about this? can’t do with forms, there are many different addresses on the site (lists of names with email addresses next to them…)

now I found this thread:

response #2 offers a back-end solution… does this solution seem plausible?

how exactly would it work? if we just print address for duration of the session, would spam-bots still find it?

what other solution is there here? (maybe do one form for all addresses, passing the address in a query string when you link to the form? would that expose the address to spam-bots?)

thank you…

Spammers definitely consider having the email address display in the web page to be a big pro for them regardless of how it is encrypted within the page. They can always employ a few thousand people from some country where a few cents an hour is a good wage to manually view web pages and record email addresses if they can’t find any other way to get those email addresses.

As I said in my previous post, “There are pros and cons of both mailto links and contact forms … Ideally, you’d give people the option of which method they want to use.”

The disadvantage of email links is that there are lots of computers where they will not work at all such as schools, libraries, internet cafes etc. The only people guaranteed to be able to use email links are spammers since anything you do to try to block spammers from using an email link will also block at least 10% of your legitimate visitors who could have used the email link if you weren’t trying to block the spammers. So if you do provide an email link then providing an email form is just about mandatory as otherwise you’d be blocking at least 15% of legitimate visitors from being able to email you and possibly a lot more.

That’s true. Although if that happens, you can always set up a new address and give a bounce message on the old one instructing people to use the new one instead.

There are pros and cons of both mailto links and contact forms. The disadvantage of forms is that some people don’t like them - they like using their preferred email client, which has spell-check, maybe formatting, plenty of space to write in rather than the postage-stamp-sized textbox that too many forms have, the option to save drafts and keep a copy of sent messages, no need to type your email address in with the concomitant risk of getting it wrong (which people do a lot). Ideally, you’d give people the option of which method they want to use.

I never rely on Javascript to give necessary information. Unless the point is to only let those with Javascript see that info, but most of the time this isn’t what people really intend.

I prefer to display forms than email addresses but when a customer asks for it, I must obey.

What I do is hide the email address in a standard URL.
For example, if I must obtain john@mydomain.com, I put http://www.mydomain.com/john.php into the HTML. Then I have a Javascript that, if a human user action is detected (mousemove or keypress), transforms the URL into a full working email address (both in the text and the href of the <a>).
In addition to that, I have the page “john.php” that redirects to contact.php (or any other page), where there is a contact form.

This technique provides:

  • no email address in the page (neither HTML nor JS),
  • email links on the fly for human users,
  • a contact form to non-javascript users.

What is not covered:

  • When the email address is on another domain. I generally create a local alias that forwards to the real address.
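The technique described in the post above, as an added example that is not the poster's own script: links in the HTML point at the decoy URL, and a script rewrites them into mailto links on the first mousemove or keypress. The `decoy-mail` class name and the rule that the page name before `.php` is the mailbox name are assumptions of this example.

```javascript
// Added example: turn decoy links such as http://www.mydomain.com/john.php
// into mailto: links once a human interaction is seen.
// The "decoy-mail" class marks the links to rewrite (assumed name).

// Derive the address from a decoy URL, or return null when the URL does
// not have the expected shape (one path segment ending in .php).
function addressFromDecoyUrl(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not an absolute URL
  }
  const m = /^\/([A-Za-z0-9._-]+)\.php$/.exec(url.pathname);
  if (!m) return null;
  const domain = url.hostname.replace(/^www\./, '');
  return m[1] + '@' + domain;
}

// Rewrite every marked link; links that do not match are left untouched,
// so they keep leading to the server-side redirect and the contact form.
function revealLinks(doc) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a.decoy-mail')) {
    const addr = addressFromDecoyUrl(a.href);
    if (!addr) continue;
    a.href = 'mailto:' + addr;
    a.textContent = addr;
    a.classList.remove('decoy-mail');
    changed++;
  }
  return changed;
}

// Browser wiring: run once, on the first mousemove or keypress.
if (typeof document !== 'undefined') {
  const onHuman = () => {
    document.removeEventListener('mousemove', onHuman);
    document.removeEventListener('keypress', onHuman);
    revealLinks(document);
  };
  document.addEventListener('mousemove', onHuman);
  document.addEventListener('keypress', onHuman);
}
```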

The disadvantage of any method of trying to hide the email address in links is that once spammers figure it out there is nothing you can do to get that address back.

The way to protect email addresses from spammers is to use a form and add the email address after it is submitted. That way if you start getting spam you change the server side form validation to filter it out and they still don’t have the address.
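The server-side approach described above, as an added example that is not part of the original post: the link to a shared contact form carries only a short key, and the server maps that key to the real address after the form is submitted. The `RECIPIENTS` map, the `to` parameter name and the sample addresses are assumptions of this example.

```javascript
// Added example: server-side recipient lookup for one shared contact form.
// RECIPIENTS and its addresses are constructed sample data; the map lives
// only on the server and is never sent to the browser.
const RECIPIENTS = new Map([
  ['john', 'john@mydomain.com'],
  ['sales', 'sales@mydomain.com'],
]);

// Resolve the ?to= key from the form URL. Only known keys are accepted, so
// a raw address in the query string cannot turn the form into a mail relay.
function resolveRecipient(requestUrl) {
  const key = new URL(requestUrl, 'http://localhost').searchParams.get('to');
  if (key === null || !/^[a-z0-9_-]{1,32}$/.test(key)) return null;
  return RECIPIENTS.get(key) ?? null;
}

// Build the message handed to the mailer. Visitor-supplied header values
// must not contain CR or LF, which would allow extra headers to be added.
function buildMessage(requestUrl, form) {
  const to = resolveRecipient(requestUrl);
  if (!to) return { ok: false, error: 'unknown recipient' };
  const headerFields = [form.replyTo, form.subject];
  if (headerFields.some((v) => typeof v !== 'string' || /[\r\n]/.test(v))) {
    return { ok: false, error: 'invalid header value' };
  }
  if (!/^[^\s@]+@[^\s@]+$/.test(form.replyTo)) {
    return { ok: false, error: 'invalid reply address' };
  }
  // The "to" value goes to the mailer only; the HTTP response to the
  // visitor should report success or failure without echoing it.
  return {
    ok: true,
    message: { to, replyTo: form.replyTo, subject: form.subject, text: String(form.body ?? '') },
  };
}
```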

I’ve found that replacing the @ with & #064; (without the space, obviously) in both the href and the link text is quite successful at keeping the volume of spam low - it isn’t foolproof, but it is effective.

You can use Javascript to create email addresses by concatenating parameters, but it is not advisable. It makes them outright inaccessible to anyone without Javascript, and potentially makes them harder to use (eg you can’t just right click and copy link address if you want to do anything other than create an email in your browser’s default application) for everyone else.

The spammers will have JavaScript turned off so that the code to hide what they are looking for so that they can’t see it will not be run.

The only way to stop spammers seeing mailto: links is to not use them. They are not very user friendly in any case since not everyone has an email program available for it to link to (eg. your local library or internet cafe).

That wasn’t the best thread to study regarding the issue of JavaScript obscuring of e-mails… I was answering a weird AAA question regarding NOT supplying an alternative to a JavaScript-written e-mail address via NOSCRIPT when the “only e-mail link option” provided was via JavaScript.

Yes, of course it could work to a degree creating a server-side button to click before it actually revealed the e-mail link. Just like logging to this site needs you to click a button first before you can see additional content but I meant click a button and then it [server-side] will insert your mailto link into a paragraph, etc.

Also, using a mixture of hexadecimal entity references (i.e., substituting random characters/letters) in a direct mailto does tend to work to some extent, since if the spam-robot just scrapes a text string, the spam-bot will end up trying to email things like the & ampersand character within an e-mail address - instead of a normal letter, that can be viewed by a human and browser, etc.
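The entity-reference substitution mentioned in this post and in the earlier `&#064;` suggestion, as an added example that is not from the thread: it writes a mailto link using alternating decimal and hexadecimal character references, then decodes the markup to confirm the browser still sees the original address. The function names and the alternation rule are assumptions of this example.

```javascript
// Added example: write an address as numeric character references.
// useHex decides per character index whether to emit hex or decimal;
// the default alternates so the output is deterministic.
function encodeEntities(text, useHex = (i) => i % 2 === 1) {
  return Array.from(text, (ch, i) => {
    const cp = ch.codePointAt(0);
    return useHex(i) ? '&#x' + cp.toString(16) + ';' : '&#' + cp + ';';
  }).join('');
}

// Build the link: both the href and the visible text are encoded, so the
// markup contains neither a literal "@" nor the literal "mailto:" scheme.
function obfuscatedMailto(address) {
  const enc = encodeEntities(address);
  return '<a href="' + encodeEntities('mailto:') + enc + '">' + enc + '</a>';
}

// Decoder for numeric references only. It stands in for what every HTML
// parser does before showing the page, which is why this encoding lowers
// harvesting by plain-text matching but does not hide the address.
function decodeNumericEntities(markup) {
  return markup.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, n) =>
    String.fromCodePoint(
      n[0].toLowerCase() === 'x' ? parseInt(n.slice(1), 16) : parseInt(n, 10)
    )
  );
}
```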

That will hide the email address from the 10% of your visitors who don’t have JavaScript making it impossible for them to contact you.

Try MobileFish.com; they offer a script generator to hide email addresses.

oh brother, that last one was a stupid suggestion… since email address would be in markup…

maybe link could be generated from back-end with address somehow obfuscated and then parsing when reach the form? or something like that??

thank you…