I'm creating a public internet facing website which contains the email address of their salespeople.
What kind of programming options do I have to generate the "mailto" and display the email from that address but limit the spambots from picking up the address?
Recaptcha has an excellent capture based email protection. You can see it implemented at the bottom of any page in my website using the Site Feedback link.
I know that Facebook does it by displaying an image instead of text. Sure, they could use OCR on the image, but why bother for just one email address?
If you really didn't want spam bots to get an email address, the best way is to never show it to anyone. Show a link to "Contact this person" which brings up a form. On the server side, send the contents of that form to the recipient, with a reply-to of the sender's email address. Include a little blurb at the bottom of their message that "if this email is spam, please 'click here' to block this user", which will then block the IP of the sender. I've used this method on a number of occasions and have never had a single complaint.
You can obfuscate it but IMHO whatever you do, one day spammers will get your email address. The future is in spam filters, not trying to keep email addresses secret.
What I have done in the past is use javascript to build the mailto: link. This is nice for the users because they can just click on the link and I don't know of any spambots that take the time to execute javascript yet.
I think I got the idea from Jakob Nielsen's useit.com website.
In the page header I have this piece of javascript:
<script name="mailto" language="JavaScript">
//<![CDATA[
function load()
{
c1 = "bcl"
c2 = "brian"
c3 = "lane"
c4 = "com"
// Fill in the addresses
document.getElementById("contact1").innerHTML = "<a href=" + "mail" + "to:" + c1 + "@" + c2 + c3 + "." + c4 + ">" + c1 + "@" + c2 + c3 + "." + c4 + "</a>";
}
//]]>
</script>
Tell it to load it when the page loads:
<body onload="load()">
And then in the body of the page I put a link to a spamtrap:
<span id="contact1"><a href="mailto:spam@brianlane.com">spam@brianlane.com</a></span>
I have a solution, well, more of a theory. Problem is, the bots parse the page. they can get the text. even if it's being put into the page in some sophisticated way through Javascript.
So, just you CSS3 pseudo element! it won't be a link, but your email will be visible, and will never be an actual text. something like this:
.email::after{ content:'myemail@gmail.com'; }
Again, it's a theory, I've no idea how far these evil people can go to get it, but I think this be pretty safe.
I now in the opinion this isn't a problem since email servers have become good at filtering spam and there's no reason to make any elaborate tricks to "protect" email text on webpages.
Have a look at PrivateDaddy - I think it does exactly what you're looking for: fully automatic, unobtrusive email cloaking that even works with browsers where JavaScript support is disabled. You can get it here (free of course)
If this is not a static HTML page, but a ASP.NET, JSP, Coldfusion, or PHP page then you could have a drop down box with a list of all your sales people, a text box for comments, and a "Contact Us" (ie, Submit button). When the button is clicked, it will call a server-side code which creates the email and sends it to your local mail server for delivery. The outside world will never know the email address of your sales people, nor the email format (ie, firstname.lastname@yourcompany.com) of your company.
You can use something like email obfuscation
This is a difficult problem. If you post an e-mail such that it can be parsed by a web browser so that it's clickable, then it can be parsed by a spambot. If it's not clickable (e.g. if it's an image), it's more difficult for users. On one side is perfect, seamless experience for users and on the other side is perfect spam-blocking. A simple CSS or javascript to take in an email address as separate tokens is usually better than nothing, though.
You could only show a part of the e-mail address "us...@mail.com" as a link that redirects to a captcha, then display the full e-mail address like Google Groups does.
We used to do classic ASP string cat for email addresses, the grand idea being that spambots read source, but don't parse server-side code. I have NO idea if that actually works.
Would something that I wrote work for you?
http://kevin-le.appspot.com/viewSource/sourceShare/asmRevealer.js
...and you could see the demo here:
http://kevin-le.appspot.com/extra/contact
It works with mailto, so it's convenient for users, but spambots won't be able to pick up which is your requirements. It'll be obvious once you spend 1 minute looking at the demo.
I got the same problem too and i came up with a quick but effective method to help my website out.
Basically bots just read the content of the web page but in 99.999% they do not trigger events, it would require a great amount of dedication and work, things hacker don't usually do in favor of bigger numbers and quicker effects.
So i came up with this function:
function emptyMail() {
let mail = document.querySelector('#your_mail');
let mailValue = mail.href;
mail.href = "";
mail.addEventListener('mouseover', function() {
mail.href= mailValue;
})
}
This worked for me i hope it can help you too.
I see the mailto: protocol almost dead anyway... It is convenient, but too easy to parse and gather.
Plus it has its downsides: if you are on a Web cafe, it won't work because it will call whatever default e-mail client it has (if it has any!) and it is not set up on your account. Same if you use exclusively online e-mail managers...
A possible workaround is to decorate e-mails, relying on users to type or correct them: foo (at) example.com or foo-NOSPAM@REMOVE-THIS-example.com are common schemes (hoping spammers doesn't try to decipher these common schemes!), graphical e-mail addresses are another way.
Or, as pointed out, if you can, the best option is to have a contact form, with some reasonable form of protection against robots, that would be usable from everywhere. Although people might be defiant on forms asking for e-mails (for response!), so a disclaimer might be useful too... :-)
