Discuss: Graceful E-Mail Obfuscation
by Roel Van Gils
12 JavaScript solutions no longer good enough
Most bots are now using Rhino (a Java implementation of JavaScript) to parse and execute scripts on pages. Thus, they would have no trouble defeating this.
posted at 03:58 pm on November 6, 2007 by Jason Harwig
13 Alternative
For some time, I’ve been using CSS and Javascript to hide emails from harvesters and, so far, it proved to be quite effective. You can read more about this on my blog.
posted at 03:58 pm on November 6, 2007 by Tudor Barbu
14 Re: + in e-mail addresses
@Gareth Adams:
You’re right. I’m aware of the fact that, according to the RFC, a plus sign is allowed for the local part of an e-mail address. In reality, however, e-mail service providers typically don’t allow users to create addresses that contain a plus sign. I did point this out in the article.
Though, you can easily adapt the regex (both the JavaScript and the PHP one) so that the @ is replaced with something else (instead of ‘+’).
posted at 04:06 pm on November 6, 2007 by Roel Van Gils
15 Just filter it
Why are we discussing this? Just use email with a good filter like SpamAssassin, or route all your mail through Gmail and/or Google Apps for your Domain.
I have my email address plastered all over the internet, and I see maybe 1 SPAM per week in my inbox, while my Gmail spam folder fills up with 100+ per day. The false-negative rate is zero, as far as I can tell for the past several months. So instead of trying ultimately futile methods of security through obscurity, just let Google or someone else do the hard work for you.
posted at 04:08 pm on November 6, 2007 by joe lion
16
@joe:
So the idea of thousands of spam messages being sent to your mail server doesn’t bother you as long as you don’t see them in your in-box? Does it concern you that bandwidth is being wasted on these messages?
To me it’s like heating your house in the summer and then running air conditioning to lessen the heat. Sure, if your air conditioner is powerful enough, you can lower the temperature to a comfortable level — but look at all the power you’ll waste in the process.
I agree that no solution is perfect (so does the author, and says so) and that some spam will inevitably find its way to your server. But it is still better to try to prevent addresses from being harvested. Belt and suspenders. Better levees and better evacuation procedures.
posted at 05:04 pm on November 6, 2007 by Jeffrey Zeldman
17
I wonder why it is not mentioned to ‘build’ the email address with a mouse-over and an innerhtml javascript swap.
Possibly because this is then unusable to anyone who can’t use a mouse?
For me, the bigger problem is that it requires a specific server type, or use of a specific language. I want something that I can use on different platforms, with different server languages that meets the original requirements plus platform independence.
But I accept I’m probably in cloud-cuckoo land for the time being: so I’ll just stick to my contact forms and/or published email addresses with spam filters…
posted at 05:20 pm on November 6, 2007 by Jack Pickard
18 + is indeed valid and VERY useful in email address
I think you’re missing the point when you’re saying that “e-mail service providers typically don’t allow user to create addresses that contain a +”. The point of plus addressing is to add on to your email address. It’s a great “native” feature to fight spam by allowing you to track who sold your email or block specific incoming emails, all from a single email account… (It works great with Gmail btw).
I think your solution is interesting (although it would seem that it might strain the server too much for what it does, but that’s just a guess at this point) but since this article is on ALA, it would be good if it was updated to replace “+” in your regex. I think most people will just use your script without modifications and thus ALA will effectively participate in indirectly furthering the obsolescence of plus addressing which is itself a great anti-spam feature… Sort of ironic since the point of your article is to fight spam ;) No?
posted at 05:23 pm on November 6, 2007 by Yann B
19 + DOES have to be URL encoded
“A “+” is typically not allowed in real e-mail addresses and it doesn’t have to be URL-encoded”
That’s wrong on both accounts, actually. As Yann B already pointed out, “+” is perfectly valid in an email address. As for URL encoding, if you don’t encode the “+”, it gets turned into a space when the query string is decoded. So, unless that’s the desired effect, you DO have to encode “+” in a URL.
posted at 05:25 pm on November 6, 2007 by Ryan Kennedy
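The two problems raised in comments 18 and 19, shown as an added example that is not part of the thread or of the article's script: a raw “+” in a query string decodes to a space, and replacing the first “+” breaks plus-addressed mailboxes. The helper names and the sample address are hypothetical; the round trip relies on the fact that a domain name cannot contain “+”, so the last “+” is always the separator.

```javascript
// Added example: constructed address, hypothetical helper names.

// Obfuscate: swap "@" for "+" and percent-encode so the token survives a query string.
function obfuscate(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) throw new Error("not an e-mail address");
  const token = address.slice(0, at) + "+" + address.slice(at + 1);
  return encodeURIComponent(token); // every "+" becomes "%2B"
}

// Deobfuscate: domain names cannot contain "+", so the LAST "+" is the separator;
// any earlier "+" belongs to a plus-addressed local part and is left alone.
function deobfuscate(token) {
  const sep = token.lastIndexOf("+");
  if (sep < 1) throw new Error("no separator found");
  return token.slice(0, sep) + "@" + token.slice(sep + 1);
}

// What a query-string decoder hands to the server for a given raw query.
function decodeParam(rawQuery, name) {
  return new URLSearchParams(rawQuery).get(name);
}

// Naive variant that replaces the first "+", for comparison only.
function naiveDeobfuscate(token) {
  return token.replace("+", "@");
}

const plain = "jane+lists@example.com"; // constructed sample address

// Failure 1: an unencoded "+" in the query string arrives as a space.
const rawBroken = decodeParam("to=jane+lists+example.com", "to");
// Failure 2: first-"+" replacement splits the plus-addressed local part.
const naive = naiveDeobfuscate("jane+lists+example.com");
// Working round trip: percent-encoded in the URL, split on the last "+".
const roundTrip = deobfuscate(decodeParam("to=" + obfuscate(plain), "to"));

console.log({ rawBroken, naive, roundTrip });
```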
20 Gave up long ago
On sites I build, I don’t have email links anymore. Everything goes to a form, which in turn has a logic question (not a captcha image) to defeat bots. Yes, that presents a certain barrier to users, but if the forms are accessible and the user even slightly motivated, it works. The email servers are no longer swamped and the request forms don’t become porn magnets.
posted at 05:28 pm on November 6, 2007 by Fergus Miller
11 By interactivity: On mouseover?
I wonder why it is not mentioned to ‘build’ the email address with a mouse-over and an innerhtml javascript swap, this is what I always do:
http://blog.thingsdesigner.com/index.php?/archives/199-Spam-safe-email-link.html
posted at 03:58 pm on November 6, 2007 by Matthijs Rouw