iBeck.com The Internet Home of the Beck Family

Home

Chris

Fishing

Golf

Patents

Ana

Justin

First Goal

First Hoop

First Par

Golf Swing

Hockey Bag

Newsletters

Our Pets

Directions

Class

What's New


Reformat this page so it looks good on a printout.
Format
for Printing

Anti-Spam Mailto Links

Introduction

Hi. You landed here for one of two reasons. Either you used one of my anti-spam mailto links (and you have JavaScript turned off) or you found this page via a search engine. In either case, read on and I will explain my solution for anti-spam mailto links.

The Problem

We're all sick and tired of SPAM or, more correctly, Junk Email. So, to keep email harvesters from scanning my web sites, I've come up with the following solutions with techniques I borrowed from other web luminaries.

The Web Form Solution

Use a web-based form and send the email with sendmail or qmail on the customer's behalf. If that's not possible or you are concerned about your user's ability to type in their own email address, then read on...

The HTML Entity Solutions

The goal is to obfuscate the underlying HTML so an email harvester cannot parse the email addresses from your source code. When unprotected, nospam@ibeck.com looks like this in the underlying HTML source:

<a href="mailto:nospam@ibeck.com">nospam@ibeck.com</a>

This leaves us with 2 points of vulnerability:

  • The address between the <A>nchor tag
  • The address in the HREF.

It's usually desirable to use text other than the email address between the <A>nchor tag. However, we'll attempt to solve both points.

To hide the email address(es) inside the <A>nchor tag, convert the address(es) to decimal-encoded HTML entities. For example, nospam@ibeck.com would translate like this:

&#110;&#111;&#115;&#112;&#97;&#109;&#64;&#105;&#98;&#101;&am
p;#99;&#107;&#46;&#99;&#111;&#109;

In a decimal-encoded HTML entity, each character in the string is converted to the following format:

&#<ASCII decimal>;

A similar encoding technique could be used for the HREF address(es). For example, the HREF for nospam@ibeck.com looks like this in the HTML source:

"mailto:&#110;&#111;&#115;&#112;&#97;&#109;&#64;&#105;&#98;&
#101;&#99;&#107;&#46;&#99;&#111;&#109;"

However, until we obfuscate the mailto: portion of the HREF, we are still making it too easy for harvesters. We could convert the mailto: portion of the string into HTML entities as well. In this case nospam@ibeck.com looks like this in the HTML:

<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#110;&
#111;&#115;&#112;&#97;&#109;&#64;&#105;&#98;&#101;&#99;&#107
;&#46;&#99;&#111;&#109;">&#110;&#111;&#115;&#112;&#97;&a
mp;#109;&#64;&#105;&#98;&#101;&#99;&#107;&#46;&#99;&#111;&#1
09;</a>

Now, we're doing some serious obfuscation. However, it's still it possible for a harvester to search for &#109;&#97;&#105;&#108;&#116;&#111;&#58; as easily as it searches for mailto:

The Javascript Solution

Much as I dislike using client-side Javascript, this is the only way to really obfuscate the HREF. In this case, nospam@ibeck.com would look like this in the HTML source:

<a href="http://www.ibeck.com/tools/mailto.php" onclick="a='@'; this.href='mail'+'
to:nospam'+a+'ibeck.com'">&#110;&#111;&#115;&#112;&#97;&#109;&#6
4;&#105;&#98;&#101;&#99;&#107;&#46;&#99;&#111;&#109;</a>

Notice that the HREF starts out as an HTTP reference pointing to this page. Next, the onclick event is implemented to modify the *original* HREF with the *hidden* mailto HREF. Furthermore, the Javascript is written to disguise the email address by constructing it on the fly.

Server Side Scripting

It would be very tiresome to hand code these mailto links. You should use a server-side scripting language like PHP, Python, PERL, or (if you have to) ASP so you can wrap all this nonsense up in a function.

Epilogue

It was rather insane of me to spend all this time trying to hide email addresses on mailto links. However, I get a level of satisfaction from preventing email pirates from stealing identities.
Copyright © 1999-2008 Updated: October 19, 2005