A Simple and Effective Solution to Hide Email Addresses from Spam Spiders

by
Laurent Gauthier
(www.opnworks.com)

December 2008

This article describes a simple solution to prevent spam spiders from picking up email addresses from a web page. It retains the user-friendliness of the mailto protocol allowing users to contact you through their preferred email program and is much simpler to deploy than a form-based solution since it does not require any server-side processing.

In fact, using an HTML form to hide emails from spam spiders has several down-sides. First, many users are wary of them since they know that most form collected info goes directly into a database for eternity and is (or can be) later used for unauthorised purposes. Second, when you send mail through a web form you do not get the added benefit of a new address (the to: address) recorded by your mail program. This has the drawback that your antispam agent will probably consider any reply to your message as unsolicited mail (i.e. potential spam).

The solution described here basically works by asking the user to answer a simple question before allowing her/him to open a mailto link. Since bots are basically stupid (when compared to most real people) they fail when confronted to a trivial question and thus are not allowed to access the email address.

This scheme would not be sufficient if we still had a literal mailto link in the html or javascript code. To this end, the other part of the solution is to assemble the email programmatically so it never appears in literal form on or in the web content. Furthermore, the mailbox and domain values can (and should) be obfuscated somehow (you must then pass along the de-obfuscating function) which makes it even more difficult for an automate to outsmart your email masking scheme.

Try it out

Note that the script checks for browser type and version and if IE version 7+ is detected, the user is not prompted with a qualifying question. This is because IE 7 blocks javascript prompts and asks the user to explicitely authorize them. If anybody has a better solution, we would be happy to hear about it.

Send mail to test at mydomain dot com

Sample HTML markup

This is the HTML fragment used for the above example.

<span onmouseover="this.style.cursor='pointer'" title="Contact us by email" onclick=" var currentYear = (new Date()).getFullYear(); ow_filterAndSendSmtpMessage('tset', 'moc.niamodym', 'Test', '*** Note: This is an ANTI-SPAM measure *** \nWhat is the current year (hint: ' + currentYear + ')?', currentYear, 'Sorry, wrong answer...', function(s) {return ow_strrev(s);}); " style="text-decoration: underline;"> test at mydomain dot com</span>

Note that the mailbox and domain names (first two arguments passed to the ow_filterAndSendSmtpMessage() function) are obfuscated (actually they are spelled in reverse). The function to de-obfuscate them is also passed along to the function as the last argument. If obfuscating is not desired, simply specify null as the last argument. In the example, we use the current year as a qualifying answer but you could use a simple math question such as '2 + 2 = ?' or anything else that is extremely easy for a person but very difficult for a bot.

This solution is not bullet-proof. However, one can imagine and implement many variations in the question, the obfuscating algorithm and the way the mailing function is invoked making it very hard for a spider designer to keep up. In any event, spammers are interested by the numbers and will never spend time trying to reverse engineer an email hiding solution that can be changed the next day.

Source code

Get the JavaScript source code.

Resources

Check out these other resources for more info on masking email addresses from spam spiders.

• Defeating the Spam Spiders
  
• How to spam-protect a web-published e-mail address?