A LIST Apart: For People Who Make Websites

No. 145

Discuss: Win the SPAM Arms Race


11 PHP post instead

I just use a PHP contact page that takes some form variables and puts ‘em in mail. If you wanted, you could even put in options for bcc, cc, priority (?) etc. to make using the form page as versatile as an e-mail client. Some people will still look at the form and run, since it’s giving you no guarantee about encoding or database addition (not more spam!) or IP logging. I guess that’s the price you pay if you want to e-mail me. Not that anyone does, which is my premise for keeping my contact page this way. PS: if anyone wants the php for this mutha or the regular expression that checks e-mail address syntax validity, contact me.

posted at 10:55 am on May 24, 2002 by Steven

12 Using PHP redirects

If you really want to use a mailto: link you can do so by pointing to a PHP page and redirecting from there. I’ve put up an example here:

http://members.evolt.org/simonc/php/spamtest.html

The contents of mailme.php is just:

<?php
header("Location: mailto:yourname@example.com");
exit;
?>

Simple, and easily expandable to include more than one email address. Could be combined with any of the above techniques to create ‘live’ links.

The only problem with it is a usability issue – looking at the status bar makes you think you’re going to a webpage, not a mailto link (but that could be worked around by altering the status bar with JavaScript).

posted at 12:15 pm on May 24, 2002 by Simon

13 Quick Comment

Good article, I love reading all the great tips that get posted on ALA. The problem I see with any encoding technique is that as someone has already mentioned, if the browser can parse/render the email link properly there is nothing stopping a spam bot from doing the same.

Sure it might stop them for a bit but you can be sure that someone will find a way around any sort of trick. The best solution I have come across and I hope that others will follow suit is to create a mailto page. This page has the simple fields such as From: Subject: and Message: but the To: email address is not given anywhere on the page. Instead a simple reference number is passed when the message is sent – this number is then matched to an email address in a database or static file. Using the server’s email program the message is sent to you without ever posting your email address anywhere.

This method requires your hosting company to allow some sort of CGI or PHP script to be run and access to their sendmail (or equivalent) program, but what hosting company doesn’t offer these sorts of services nowadays?

Just my $.02

posted at 02:41 pm on May 24, 2002 by Dr-Strange

14 CGI Solution

Another viable solution for those that can run CGI is to install a modified, improved version of the popular Matt’s Formmail script (http://nms-cgi.sourceforge.net/), especially since the discovery of a big security hole on this popular script that allows spammers to use it as a mail relay or something. Anyways, the coolest thing about this new Formmail script, besides the heightened security measures and general debugging, is the fact that your important mail data can be specified as script variables, so you don’t have to put a “recipient” hidden field containing your email address on the HTML source. I replaced my old Formmail script with this one a while ago and I’m looking forward to seeing if this measure slows a bit the avalanches of spam over time…

The best thing indeed is using a contact form instead of a simple mailto. Not only for the security issues involved, but also because of the fact that not everyone is necessarily looking at your site from their office or home computers loaded with their email programs.

posted at 03:24 pm on May 24, 2002 by Beto
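The server-side recipient lookup described in comments 13 and 14 above, as an added PHP example that is not code from either commenter or from the nms script. The field names (`to_ref`, `from`, `subject`, `message`), the `RECIPIENTS` table and all addresses are hypothetical; the point is that the client can never choose the destination address or add mail headers.

```php
<?php
// Added example; addresses, field names and reference numbers are hypothetical.
// Server-side table: the only place the real addresses exist.
const RECIPIENTS = [
    1 => 'webmaster@example.com',
    2 => 'sales@example.com',
];

// Validate one submission; returns [to, subject, body, headers] or throws.
function build_contact_mail(array $post): array
{
    // The form sends only a reference number, never an address.
    $ref = filter_var($post['to_ref'] ?? null, FILTER_VALIDATE_INT);
    if ($ref === false || !array_key_exists($ref, RECIPIENTS)) {
        throw new InvalidArgumentException('unknown recipient reference');
    }
    // FILTER_VALIDATE_EMAIL also rejects CR/LF inside the address.
    $from = filter_var($post['from'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    // CR or LF in a header value would let the sender append headers such as Bcc:.
    $subject = trim((string)($post['subject'] ?? ''));
    if ($subject === '' || preg_match('/[\r\n]/', $subject)) {
        throw new InvalidArgumentException('invalid subject');
    }
    $body = (string)($post['message'] ?? '');
    return [RECIPIENTS[$ref], $subject, $body, ['Reply-To' => $from]];
}

// Constructed sample submissions standing in for $_POST, so this runs from the CLI.
$samples = [
    ['to_ref' => '1', 'from' => 'visitor@example.org', 'subject' => 'Hello', 'message' => 'Hi'],
    ['to_ref' => '9', 'from' => 'visitor@example.org', 'subject' => 'Hello', 'message' => 'Hi'],
    ['to_ref' => '1', 'from' => 'visitor@example.org', 'subject' => "Hi\r\nBcc: list@example.net", 'message' => 'Hi'],
];
foreach ($samples as $post) {
    try {
        [$to, $subject, $body, $headers] = build_contact_mail($post);
        // A live handler would call mail($to, $subject, $body, $headers) here.
        echo "accepted: recipient #{$post['to_ref']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Only the first sample is accepted; the unknown reference number and the subject carrying an embedded line break are both rejected before anything reaches the mailer.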

15 Throw-away addresses

The author of the Monaural Jerk (http://monauraljerk.org) provides a script that will, given a cron system and a php binary and an installed Qmail server, provide you with a random throw-away email alias. I use this for my clickable address. Who cares if it’s harvested? By the time a spammer gets to it, it’s obsolete and will bounce back to the bastards.

I’m sure that this idea isn’t unique, and could be adapted for most folks in one way or another.

posted at 03:26 pm on May 24, 2002 by GreyDuck

16 Break-up the address in JavaScript

You could also remove the “mailto:” by breaking up the link, like this:

[removed] [removed](”[url=“ma”]email me[/url]”);
[removed]

posted at 05:39 pm on May 24, 2002 by Mr.Brownstone

17 Why not use an email form instead?

Good article, and I’m sure it will benefit people who don’t have access to a database on the backend. I think a better way to handle it is to offer a feedback form, so your email address doesn’t appear anywhere on the site, encoded or not.

posted at 08:17 pm on May 24, 2002 by Marc Garrett

18 RE: a chink in the armour

About three months ago I tried to come up with a solution that doesn’t fall down if the user’s browser isn’t JavaScript-enabled, and doesn’t suffer from the “if a browser can render it, a harvester can read it” problem. I came up with the method described here:

http://www.december14.net/ways/nospam.html

It’s still pretty simple, doesn’t need CGI or PHP scripts, and seems to do the trick. If anyone can see any weaknesses, I’d like to know.

posted at 09:49 am on May 25, 2002 by Keith Bell

19 Another way

Another way to save your email on the web is to place it in a flash movie. I don’t know of any bot which can dig through SWF files.
Might be a lil too much but it’s the lazy man’s way to protection.

posted at 11:11 am on May 25, 2002 by Yaen

20 Irony

Out of curiosity, are email addy’s on this page (i.e., this ALA Forum page) encoded in any way? Because the irony of including your addy on a publicly-accessible page while talking about how to protect said addy from spambots, is a tad thick.

Another idea for all this: restrain your contact info on your site to an actual “contact info” page, then use robots.txt to dissuade bots from parsing it. Would that work? Do bots still obey robots.txt? I’m getting forgetful in my olde age.

Of course, it wouldn’t help if you’re the type (like myself) who suffers from the delusion that site visitors may at some point be gripped with a spontaneous and impatient desire to email me, but won’t want to go to all the trouble of loading a contact page to do so.

We could also just, you know, kick spammers in the nuts whenever we meet them. The Nutcracker Vigilante, we can be. I’ll make the shirts.

posted at 12:46 pm on May 25, 2002 by reefdog


Discussion Closed

New comments are not being accepted, but you are welcome to explore what people said before we closed the door.
