17

How do you prevent emails being gathered from web pages by email spiders? Does mailto: linking them increase the likelihood of them being picked up? Is URL-encoding useful?

Obviously the best counter-measure is to only show email addresses to logged-in users, or to provide a contact form instead of an email address. But in terms of purely client-side solutions, what is available?

Zaz
  • 46,476
  • 14
  • 84
  • 101
  • For the solutions part, have a look at: http://stackoverflow.com/questions/308772/what-are-some-ways-to-protect-emails-on-websites-from-spambots – Yi Jiang Sep 08 '10 at 01:24
  • I'm not sure if email obfuscation is all that great a solution (as provided in @Yi's comment above. But @James Black is right about using an email form wherever possible, and using server side code to process the message. – Chase Florell Sep 08 '10 at 01:28

5 Answers5

9

Most email spiders don't have javascript interpreters, so if you really need the mailto: you can inject it with javascript... just make sure the address is obscured in the javascript somehow, e.g. 

myLink.href='mai'+'lto:'+'bob'
           +'@'
           +'example.com';

If you need to display the email address on the page, a common solution is to generate an image using something like php's gd (although the javascript injection should work ok for this too).

The idea is to remove the email addresses from the HTML and inject them with javascript. That way the email address doesn't appear in its original form in any of the HTTP traffic, which is what the spider is looking at.

Dagg Nabbit
  • 75,346
  • 19
  • 113
  • 141
5

Years later, I've created the following jQuery for a different website:

$(".email").each(function() {
    $(this).html( $(this).html().replace("...", "@").replace(/\.\.\./g, ".") );
    $(this).attr( "href", $(this).attr("href").replace("...", "@").replace(/\.\.\./g, ".") );
});

Emails are then written as:

<a href="mailto:bob.smith...example...com" class="email">bob.smith...example...com</a>

It's not perfect, but it's very simple and seems to thwart most email harvesters. The advantage to this method is that someone not using JavaScript will probably be able to work out what the actual email address is.

Check out this study on various email obfuscation methods.

Zaz
  • 46,476
  • 14
  • 84
  • 101
4

I tend to avoid a mailto as it makes it too easy for people to harvest email addresses.

If you are going to have contact pages on your website, then just have a form, and when they submit your server-side code and use the appropriate email address.

If you need to be able to have other people's addresses available, use numbers, names, usernames, some way to identify them.

If you just have an email address in a span it is likely to be picked up, even if you try to hide it, as these programs can be pretty complex, as finding email addresses is what they are about.

As with most secrets, if you don't want others to get them, don't put them on the page.

James Black
  • 41,583
  • 10
  • 86
  • 166
  • The emails are on the page, in ``s. Other than removing the emails addresses, is there anything I can do to decrease the probability of them being picked up by email spiders? – Zaz Sep 08 '10 at 01:38
1

I usually split them up into separate parts and then re-combine them using javascript. The final javascript does a document.write to write out the html.

i.e. 

var mail = "mailto";
var namepart = "test.user";
var domainpart = "example";
var tld = "com"; 
var address = namepart + "@" + domainpart + "." + tld;
document.write("<a href=" + mail + ":" + address + '">' + address + "</a>";
Scott
  • 1,862
  • 1
  • 33
  • 53
0

If you don't need the mail link you could replace the @ symbol with [at]

Example: sam [at] example.com

SillySam
  • 98
  • 7