Hide Email JavaScript
As a rule I never write an actual email address on a web page. Now, please note that I’m not talking about the page which is displayed, but rather the one that is written. The HTML part; what’s made in NotePad or whatever it is you use to write your mark-up. The part that is crawled by spiders looking for stuff like that. It’s all about privacy and trying to limit spam intake.
Search spiders key on certain things when crawling a page looking for email addresses. Specifically they look for…
mailto:@ (at symbol)- Combination of items or strings
I’m pretty sure the “a” or anchor and “.” play a role depending on the spider’s abilities.
So if you want to put an actual email address on your site, how do you avoid having it crawled, detected, and ultimately exploited? (If you’re looking for cheap software, budget Viagra, and Hot Women, then ignore all of that which follows.)
One way is to do a simple character replacement by way of converting key — or even all — characters into HTML-readable entities using a ISO Latin 1 Character Entities and HTML Escape Sequence Table.
So, in other words, instead of writing:
myemail@mydomain.com
You can put this instead:
myemail (myemail) @ (@ “at” symbol) mydomain (mydomain) . (. “.” dot) com (com)
Doing it this way adds a lot of code, but it is fairly accessible. But there is also a JavaScript option using document.write, as follows:
1) You first want to create a JavaScript document which contains this code:
<!--
function eml_coder(account,domain,dotwhat)
{
document.write('<a href="mailto:'+account+'@'+domain+'.'+dotwhat+'?subject=Email%20Test" title="Email Test">'+account+'@'+domain+'.'+dotwhat+'</a>');
}
//-->
Save it as “eml_coder.js”
2) In the <head></head> of the web document in which this code will be used, place a link to the script as follows:
<script src="eml_coder.js" type="text/javascript"></script>
3) Now you need to enter the data (in bold) and place this where ever you want the email address to appear on the page:
<p><script type="text/javascript"> »»
eml_coder("freddy","testing","com")</script></p>
The HTML output (code written to the page specific to that visitor) will be:
<a href="mailto:freddy@testing.com?subject=Email%20Test" title="Email Test">freddy@testing.com</a>
Thus, the visitor will see this:
Note: If JavaScript is disabled or unsupported on the visitor’s browser, using this option will reveal to them nothing at all so you will want to provide a written-out version, or better yet: a real Contact Form using server-side technology.
Jonathan Fenocchi responds:
Posted: May 30th, 2005 at 8:37 pm →
On CMMWebDesign.com/v3/, I use the technique you mentioned above, but I didn’t completely 100% encode the email addresses. I get spam from a few bots because of this, but it fools the vast majority. The JavaScript method is beyond the shout of a doubt the better performer (though, of course, users without JavaScript won’t see the email address — this is usually why I just use contact forms).
Gez Lemon responds:
Posted: June 3rd, 2005 at 6:55 am →
Email obfuscation has received a lot of attention over the past few years, and it’s evident that a lot of spambots are still looking for obvious phrases such as “mailto”. The technique you outline here is quite a widely used obfuscation technique. A couple of years ago, no spambot would have picked up the email address encoded with character entities, but a few have since learnt that trick. James Craig posted a technique a while back that combines character entities with URL encoded characters. I’ve no idea whether spambots are capable of harvesting addresses from it yet, but if they’re not, it won’t be too long before they can. If it’s possible for a browser to turn it into a mailto link, then it’s possible for a spambot to harvest it; it’s just a matter of time.
The safest way of avoiding spambots is to use forms, as you mention at the end. The problem with this technique is that it has usability implications. Some people prefer to use their email client because they’re familiar with how it works, and can do things like spelling and grammar checking before sending their message. If the email doesn’t reach the recipient, they get informed of it by email. You could write a message saying that the message has been received, but it’s not likely to instil as much trust as they have in their email client. Using an email client also means they get a copy of the email for their records. It all comes down to differentiating between those with good intentions and those with bad intentions, which is incredibly difficult to do.
p.s. I love your request for no spam in the comment section - that will make spammers with morals think twice before posting
Mike Cherim responds:
Posted: June 3rd, 2005 at 10:15 am →
Thanks for that, Gez. I really like the technique by James Craig you refer to. I have wondered about the spam bots getting smarter and reading the character entities. The mix up of techniques seems to be a good way to go.
I do like forms, but I always provide an email option or two — for the reasons you mentioned — so I think I may have to adopt some new technique such as that you described. The attempt to stay ahead of a ever growing mountain of spam headed our way is a full-time job. The spammers never sleep so I guess a few winks for the white hats are out of the question I suppose.
Jeffrey Armstrong responds:
Posted: October 30th, 2005 at 2:29 pm →
Excellent! I enjoyed reading your material.
Sean Armstrong responds:
Posted: October 30th, 2005 at 2:31 pm →
It’s been a long time since I so enjoyed reading posts in the net. Two thumbs up!
Robert Anderson responds:
Posted: October 30th, 2005 at 3:07 pm →
I really liked your comments here. I hope you’re going to update your site soon.
Joshua Taylor responds:
Posted: October 30th, 2005 at 3:09 pm →
brilliant site! happy to be here.