View Full Version : Can I hide mailto: links?
Forrest
11-07-2007, 21:48/09:48PM
I made a change to most of the pages in my site yesterday, by hand, and it's just too much. I've been on a project "scraping" the content from my html pages and building a SQL database, so that I can build something like a CMS and make updates to my site without having to spend/waste several hours.
While I'm at it, right now, I have a contact page with an email link. Which is more of a barrier than an email link at the bottom of every page. But I'm spam through the filters because it's to one address.
I'm going to add a footer with explicit copyright info, "Based in Seattle, Washington" and things like that. It would make sense to leave an empty span in the markup, and set its innerHTML property to <a href="mailto:" using j script on the page load event.
I've done pretty well with computers by knowing enough to have a sense of what I shouldn't do. Frees me up to experiment with everything else. People use client script to do all kinds of things, and this is a legitimate reason to want to hide something from rogue bots. And yet my spider sense is tingling. You'd have to be extremely literal to call an email address a hidden link, but this is one of the times when knowing the details of the search engine are worth as much as good content.
Dave Hawley
11-07-2007, 23:36/11:36PM
Why not use a JS form?
Connie
12-07-2007, 00:00/12:00AM
Actually the best way to do this is with cgi. Can't tell you how to do that. I have an online form that uses cgi to email me the form.
As Dave suggested you can use javascript.
I have used an ASCII encoded email address for years and it works pretty good.
I have a link for both a javascript and ASCII encoder here.
http://www.spam-whackers.com/blog/e-mail-encoders
Hope that helps.
SEFL
12-07-2007, 02:34/02:34AM
Connie's right...sort of. The best way to handle any type of email situation is form-to-email with server-side processing. Any client side code (including Javascript) can be decoded and the address can be harvested from there.
If you have to use Javascript, the best thing you could do would be to write your own custom obfuscator; this would make it a lot less likely for a spam harvester or bot to "waste its time" trying to decode your email address.
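SEFL's "custom obfuscator" suggestion, combined with Forrest's empty-span idea, as an added example that is not part of the original thread. The key value, the function names and the span id are all assumptions chosen for illustration.

```javascript
// Added example, not from the thread. KEY and all names are hypothetical.
const KEY = 37; // constructed value, 0..255; pick your own

// Run once, offline. Only the returned string is pasted into the page.
function encodeAddress(address, key = KEY) {
  const pairs = [];
  for (let i = 0; i < address.length; i++) {
    const code = address.charCodeAt(i);
    if (code > 127) throw new RangeError("ASCII addresses only");
    // Rolling XOR so the same letter does not always encode the same way.
    pairs.push((code ^ ((key + i) & 0xff)).toString(16).padStart(2, "0"));
  }
  // Reversed hex pairs: no "@", no dots, nothing shaped like an address.
  return pairs.reverse().join("");
}

// Shipped in the page: undoes encodeAddress().
function decodeAddress(encoded, key = KEY) {
  const pairs = (encoded.match(/[0-9a-f]{2}/g) || []).reverse();
  return pairs
    .map((hex, i) => String.fromCharCode(parseInt(hex, 16) ^ ((key + i) & 0xff)))
    .join("");
}

// Fills the empty span on page load. DOM nodes are built directly, so the
// decoded text is never parsed as HTML. `doc` is the page's document object.
function fillContactLink(doc, spanId, encoded) {
  const span = doc.getElementById(spanId);
  if (!span) return null;
  const address = decodeAddress(encoded);
  const link = doc.createElement("a");
  link.href = "mailto:" + address;
  link.rel = "nofollow";
  link.textContent = address;
  span.appendChild(link);
  return link;
}

// In the page (the span id "contact" is an assumption):
// window.addEventListener("load", () =>
//   fillContactLink(document, "contact", "<output of encodeAddress>"));
```

This only keeps the address out of the static HTML source; as SEFL says, a bot that executes the page's script still sees the decoded link.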
WebSavvy
12-07-2007, 04:17/04:17AM
Another way would be using an image that has the email address on it like "whois" does.
There's also JS (like has been suggested) and then in noscript you can add the email address there using <bdo> and type it in reverse and then <bdo> will display it forward from its backward state.
Makes it very hard for the spam bots to get anything. Irony's using the <bdo> & js method on her site following a discussion about it that she and I had.
Far as I know, it's working out well for her.
Dave Hawley
12-07-2007, 04:37/04:37AM
Originally posted by WebSavvy
Far as I know, it's working out well for her.
So well she hasn't had any emails for 12 months :D
Seriously though, what I do is this;
Have 1 contact page with a normal mailto: on it so my customers/clients can simply click it. As I use Box Trapper the sender gets an auto reply which they must reply to to get on my white list. My spam over the last year has gone from over 1000 per day to about 1-5 a day! I can check the mail queue for any genuine ones and let those through.
Having said that, prevention is better than cure but I didn't want to change my email address.
Irony
12-07-2007, 04:43/04:43AM
I'm using a simple JS script written by our developers + a <bdo dir="rtl"> alternative in the noscript tags for accessibility reasons, but it is not a link, just plain text.
I'm getting spam to those emails, but not very much. This amount of spam can be explained by manual email address harvesting.
Quadrille
12-07-2007, 05:38/05:38AM
<script type="text/javascript" language="javascript">
<!--
var bluejay = "domain.com"
var aardvark = "yourname"
var cabbage = aardvark + "@" + bluejay
var dogfish = "mailto:" + cabbage
document.write(cabbage.link(dogfish));
// -->
</script>
Please change aardvark, bluejay, cabbage and dogfish to your own words
This forwards to yourname@domain.com via javascript with no problem - and no harvesting.
The name is displayed, however, so this should also be changed every few months to avoid human harvesters.
Or use a form :)
Forrest
12-07-2007, 15:23/03:23PM
Originally posted by SEFL
Connie's right...sort of. The best way to handle any type of email situation is form-to-email with server-side processing. Any client side code (including Javascript) can be decoded and the address can be harvested from there.
If you have to use Javascript, the best thing you could do would be to write your own custom obfuscator; this would make it a lot less likely for a spam harvester or bot to "waste its time" trying to decode your email address.
You've seen the ml DOM tool I'm writing. I tested it against my Excite email address - the one I give out when I have to supply an email address, and collect almost nothing but spam in - and I saw a great deal of:
document.write("<scr")
document.write("ipt>")
document.write(... serve an ad here ...)
Which seems like it's trying to get around something. I could try to obfuscate the address with a similar technique, send a bunch of character values, or a really basic decryption.
But it sounds like regardless of what technical solution I go with, no one is going to mistake a "hidden" email link for spam?
The thing is, I don't care about hiding the email from Google ... I just don't want my server processing 800 lines of .htaccess on every request to ban IP addresses and user agents for known spambots.
WebSavvy
12-07-2007, 15:55/03:55PM
Forrest, no one would see hiding an email address as spam. Usually the reasons for making text or links invisible is, the site owner is hoping to fool the search engines into ranking them for content no one else can see.
I sincerely doubt you're trying to secretly rank for a yahoo email address. :lol:
That said, you can always rel=nofollow the link if it concerns you.
With regard to the ... serve an ad here ...
Does the site have AdSense or Yahoo! ads on it?
If so, it sounds like whatever you were doing (or using) was breaking the ad code thus the ... serve an ad here ... line.
Forrest
12-07-2007, 19:56/07:56PM
Originally posted by WebSavvy
I sincerely doubt you're trying to secretly rank for a yahoo email address. :lol:
Nope ... I'm just trying not to be on the receiving end of spam, as well as not be on the sending end.
I'll nofollow the links, too, though. Good suggestion. I personally don't like using forms to email a site owner, I much rather use whatever email client works best for me, so I'm leaning toward not using server-side processing. Even if that would give me a lot more power.
Originally posted by WebSavvy
With regard to the ... serve an ad here ...
Does the site have AdSense or Yahoo! ads on it?
If so, it sounds like whatever you were doing (or using) was breaking the ad code thus the ... serve an ad here ... line.
I don't understand what you're asking. I'll have to go back to see what the ads were to answer that part, but I think what was going on is they were hiding their ad serving code, probably to fool ad blockers. My guess is they think software will look for the word script, so they wrote it in two parts and concatenate the results.
chrishirst
12-07-2007, 20:26/08:26PM
I think I have tested just about every way there is to hide mail addresses from harvester bots.
Encoding the characters into unicode server-side and writing them into the source did work for some time. I have had this on one of my sites for 3 years and it started getting spam about 6 months ago. A mailto: link started getting hit after about a month, and the plain text version took about 4 months. All on the same page on the same site.
The two still effective methods (currently) are both set out on
Hiding Email Addresses (http://www.candsdesign.co.uk/articles/coding/hide-email/)
The ASP one will easily transfer to .NET or PHP
Connie
12-07-2007, 23:18/11:18PM
I have used the ASCII code for at least 4 years on Condells. The address is clickable, and on mouseover you can see the actual e-mail address.
Like you I prefer providing an easy way for someone to contact me. My only problem with using a form is if they enter an incorrect e-mail then you may not be able to respond.
Another problem with using forms is if you're not careful, you could open your server up to be used by spammers to send their spam e-mail.
I get about 1 spam email per month at Condells. Of course I have some filters set on the server that helps with some of that.
Other than using a form for contact (and not all forms will hide the address from bots) Server filtering is probably your best defense against receiving email spam.
That and blocking all known e-mail harvesters using .htaccess.
I have an ASCII encoded address on Spam-Whackers, and I've received 2 spam e-mails in a little over a year.
Using javascript means that part of your users will not be able to click on the link and open their e-mail client.
Never tried the graphic approach as Deb suggested, so I'm curious how that would work when graphics are turned off.
As far as the sending goes, having an email address plainly shown on your site has nothing to do with you being a spammer because of emails sent. Spammers forge the headers all the time.
Hiding an e-mail address will not prevent spammers from forging headers and sending e-mail that looks like it came from you. They normally change that every few days.
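Connie's warning above, that a careless contact form can be used by spammers to send their own mail, as an added example that is not part of the original thread. It is written in JavaScript, but the same checks apply in a CGI or PHP handler; the field names, length limits and `RECIPIENT` address are assumptions. The two things a form must never allow are a recipient chosen by the submitter and a line break inside any value that ends up in a mail header.

```javascript
// Added example, not from the thread. Names and limits are hypothetical.
const RECIPIENT = "owner@example.com"; // fixed in code, never read from the form
const HEADER_BREAK = /[\r\n\0]/;       // characters that can start a new header
const ADDRESS = /^[^\s@<>,;:"]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Validates submitted fields and returns the message to hand to the mailer,
// or a list of errors. Nothing from the form chooses who receives the mail.
function buildMessage(form) {
  const errors = [];
  const name = String(form.name || "").trim();
  const email = String(form.email || "").trim();
  const subject = String(form.subject || "").trim();
  const body = String(form.message || "");

  // Every value copied into a header must be a single line.
  for (const [field, value] of [["name", name], ["email", email], ["subject", subject]]) {
    if (HEADER_BREAK.test(value)) errors.push(field + ": line break not allowed");
  }
  // Exactly one address: no commas, semicolons or angle brackets.
  if (!ADDRESS.test(email)) errors.push("email: not a single valid address");
  if (name.length > 80 || subject.length > 120) errors.push("header field too long");
  if (body.length === 0 || body.length > 5000) errors.push("message: empty or too long");
  if (errors.length > 0) return { ok: false, errors };

  return {
    ok: true,
    to: RECIPIENT,
    from: RECIPIENT,   // the site is the sender; the visitor only goes in Reply-To
    replyTo: email,
    subject: "[Contact form] " + subject,
    text: "From: " + name + " <" + email + ">\n\n" + body,
  };
}
```

Rate limiting per client and logging rejected submissions are the usual companions to these checks, since a rejected line break in a header field is almost never an honest typo.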
WebSavvy
13-07-2007, 01:33/01:33AM
Connie, whois.sc has this free service now where you can have an email address image generated by their software, hosted on their server, and you just link to it from your pages.
If you provide ALT attribute for the image, and the visitor has images turned off some browsers will display the ALT attribute as a clickable link if it's from an image that was hyperlinked to begin with.
Firefox does this. Test it out by going into your options menu in the toolbar on FF. Then turn images off in your preferences and visit a site that you know has a logo that's hyperlinked and has ALT attribute set. You should see a clickable link there.
On the directory, our logo uses ALT attrib and so do the little circle images at the top. So, when having images turned off in FF a visitor should see clickable links there.
I'm not sure how other browsers handle that though? IE is just plain backwards with everything -- so it'd probably blow itself up. LOL
Irony
13-07-2007, 01:35/01:35AM
Deb, if you include the real email address in the alt attribute, the spambots will gratefully pick it up :)
WebSavvy
13-07-2007, 04:27/04:27AM
Yep, you're correct about that, Irina. I wasn't even thinking about that.
hmmm ... I wonder if <bdo> works in ALT attrib? (probably not) ... I'll have to try it out and see.
Right now I'm giving myself fits with my compact p3p policy. What a major pain in the butt that is!
Irony
13-07-2007, 04:33/04:33AM
I'm afraid tags can never be placed inside attributes :)
WebSavvy
13-07-2007, 18:51/06:51PM
Yeah, when I've had sleep, I know that. When I'm tired and overworked, everything sounds possible. LOL.
BTW, the p3p policy is validating now and Bobby is recognizing it. There are a few different things that need to be done if you're using dynamic pages or even parsing HTML as PHP.
I might write an article about it over at the article board on the main part of IHY.
:)
ihelpyou
13-07-2007, 19:14/07:14PM
yeah, yeah, you've been saying for about one year you are going to write an article. :D
Irina stopped writing them as well. Goodness. :)
WebSavvy
13-07-2007, 19:24/07:24PM
LMAO. It hasn't been "a year" ... and you know I've been busy.
Soon as this stuff is tied up and deployed, I'll spend some time and write a few articles for you. :)
One on web accessibility, one on P3P Policies, and one on Last-Modified Headers with PHP.
For anyone using php includes, or pages that are html being parsed as php -- the file doesn't send a "last modified" header to bots because it's dynamic and the server has no way to know what other content has been updated so it doesn't send the header.
So, your page could be updated every day and the bots wouldn't know it because to them it looks like a 304 (nothing modified) header.
You actually have to add other code before headers are passed that will send the last-modified header.
That should be an article that would be helpful, I'd imagine. :)
g1smd
13-07-2007, 22:28/10:28PM
I'm doing a site like that right now... so I'll be looking for that information.
Irony
14-07-2007, 00:40/12:40AM
Originally posted by ihelpyou
Irina stopped writing them as well. Goodness. :)
Irina is making her darn site WAI-AAA compliant. It's taking ages. Once I've finished with that, I'll be writing again, don't worry :)
captainccs
15-07-2007, 11:04/11:04AM
Originally posted by Quadrille
<script type="text/javascript" language="javascript">
<!--
var bluejay = "domain.com"
var aardvark = "yourname"
var cabbage = aardvark + "@" + bluejay
var dogfish = "mailto:" + cabbage
document.write(cabbage.link(dogfish));
// -->
</script>
Please change aardvark, bluejay, cabbage and dogfish to your own words
If the variable names need to be changed you could use a php script to generate the javascript with random variable names. ;)
BTW the "language" attribute is deprecated. :D
Originally posted by Quadrille
Or use a form :)
Contact forms have become so prevalent that in my mini directories I now have links to them to complement the email data which is now frequently missing:
Contact: use form (this is a link)
Email: email link
And I use a php script to ASCII encode the email addresses.
captainccs
15-07-2007, 11:24/11:24AM
Originally posted by Connie
Like you I prefer providing an easy way for someone to contact me. My only problem with using a form is if they enter an incorrect e-mail then you may not be able to respond.
You can at least check to see if the domain name is valid:
function is_domain ($email) {
    // Take a given email address and split it into the username and domain.
    // explode() is used here because split() was removed in PHP 7.
    list($userName, $mailDomain) = explode("@", $email, 2);
    // A domain with an MX record is able to receive mail.
    if (checkdnsrr($mailDomain, "MX")) {
        return TRUE;
    }
    // No MX record: return the domain name itself (compare the result with === TRUE).
    return $mailDomain;
} // function is_domain ($email)
I use the returned $mailDomain as part of the error message.
Originally posted by Connie
Another problem with using forms is if you're not careful, you could open your server up to be used by spammers to send their spam e-mail.
Be careful, then. :cool:
WebSavvy
15-07-2007, 12:52/12:52PM
HiYa Denny! :hi:
Nice to see you again. :)
captainccs
15-07-2007, 13:23/01:23PM
Originally posted by WebSavvy
HiYa Denny! :hi:
Nice to see you again. :)
Thanks! :hi:
I have not seen you at httpme.com. Are you still with them?
WebSavvy
15-07-2007, 13:31/01:31PM
I haven't moved there yet. I need to get finished with what we're doing before I can move it. It's too hard to do that in the middle of something big.
We're doing a quality control cleanup on the directory -- which means the Team & I are going through each site, one by one, manually, and removing listings that have gone bad.
We've been at it for over 6 weeks now, and we're nearly finished. When we're done, the directory will be squeaky clean. :)
Then too, I'm putting up another new design which really completely rocks if I do say so myself. ;)
Sorry about hijacking your thread, Forrest. :)
BTW, I've been thinking about something ... bots can't "get" cookies but real people can.
What if you stored your website email address in a setcookie (php) and then if the visitor is human, it sets the cookie and displays the email address on the page.
If it's a bot -- it gets squat. :D
Forrest
16-07-2007, 16:00/04:00PM
Originally posted by WebSavvy
BTW, I've been thinking about something ... bots can't "get" cookies but real people can.
What if you stored your website email address in a setcookie (php) and then if the visitor is human, it sets the cookie and displays the email address on the page.
If it's a bot -- it gets squat. :D
I'm not sure I follow? If IE and FF can accept cookies, wouldn't it be pretty easy to write a bot that does the same thing?
I'm trying to avoid server side scripting, although I'm not sure that will ultimately be possible. For now, though, my site is static html and some client scripting.
Dave Hawley
17-07-2007, 00:40/12:40AM
BTW, all spam prevention efforts will be in vain if you use and allow a catchall. Best to pick a few and blackhole all others. support@ etc are too easy a target.
g1smd
17-07-2007, 20:06/08:06PM
I never let info@, sales@, webmaster@, contact@, support@, or anything like that, be valid email addresses.
Dave Hawley
18-07-2007, 01:45/01:45AM
echo echo echo :)