Spam-proof MailTo Links

Submitted by Kenny on Fri, 07/13/2007 - 22:03

I like providing links for e-mail on web pages, but I hate that spam-bots scrape sites looking for e-mail addresses linked in the usual manner. There are many hacks to try to avoid spam-bots.

The Cander Method Version 1 (AKA: "Make The User Do The Work")

Named for a friend that I learned this from, one way to avoid this is to use ineffective links that require a person to modify the address before sending the e-mail. Here's an example:

<a href="someuser_AT_somedomain_DOT_com">someuser_AT_somedomain_DOT_com</a>

...which appears as...

someuser_AT_somedomain_DOT_com

While this isn't spam-proof, it's spam-resistant. However, as I said, the user would then have to replace _AT_ with @ and _DOT_ with . in order for the e-mail address to be valid.

The Cander Method Version 2 (AKA: "Promiscuous Links, Strong Immune System")

The theory behind this method is "ah, screw it". Well, kinda. This method, also gleaned from the same friend, employs a standard mailto link that is completely vulnerable to spam-bots. Rather than try to trick spam-bots, you just resign yourself to the fact that spam is part of life and that it's more important to provide users with a good link. The spam protection is then handled by a good spam filter or by redirecting all your e-mail to a Gmail account, which is famously known for its fantastic spam filtering. While I understand this approach, I still think that a good offense is the best defense.

The Corporate Method

Form e-mail is also a good option if your server supports it. That is, you can set up a script to take text from a standard HTML form and submit it via e-mail to you. This requires a bit more code and some monkeying with the server to make sure that the web server is up and functioning, and some web hosts may not even allow for this.

The Script-Redirect Method

Another method that I ran across (again, compiled from many sources and some original tinkering) is to provide a redirect that prevents spam-bots from scraping the address. The downside to this method is that you don't display the text of the e-mail address. The upside of this method is that the link works as-is and the user doesn't have to clean up the address before sending the e-mail. Here's how it works:

<a href="mailto.php?u=someuser&amp;d=somedomain.com"
    onclick="target='_blank';"
    onmouseover="this.style.cursor='pointer';">E-mail</a>

Incidentally, the onclick and onmouseover events provide an XHTML Strict method of opening a new window without using extensive JavaScript.

Place the preceding link wherever you'd like the e-mail link to occur. You'll notice that the link points to another script called mailto.php and that it has a couple of query string parameters. The u parameter refers to the username in the e-mail address (everything before the @) and the d parameter refers to the host (everything after the @).

Now that we have the link set up, we need the script that we are actually calling: mailto.php. This is the really easy part. It's one single line that pulls the query string parameters, puts them into standard e-mail address form, and redirects the browser to the mailto link. It's as simple as that. Here's the script for mailto.php:

<?php
    // pull values from query string and
    // redirect to a mailto link
    header("Location: mailto:$_GET[u]@$_GET[d]");
?>

While this may not fool all of the spam-bots out there, it should hopefully cut down on a significant bulk of spam that you might incur from posting a link to your e-mail address.
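The one-line mailto.php above copies u and d into the Location header unchecked, so the script will redirect to any address and will pass along extra mailto fields (such as ?cc= or &body=) appended to d. A hardened variant follows as an added example, not the original author's script; the ALLOWED_DOMAINS list, the build_mailto helper name and the local-part character set are assumptions to adapt to your own links:

```php
<?php
// mailto.php, hardened variant (added example, not the original script)
declare(strict_types=1);

// Assumption: the only mail domains this site links to. Edit to match.
const ALLOWED_DOMAINS = ['somedomain.com'];

/**
 * Build a mailto: URI from the u and d query parameters, or return null
 * when either value is missing, malformed, or not on the allowlist.
 * (Hypothetical helper name, introduced for this example.)
 */
function build_mailto(array $query): ?string
{
    $user   = $query['u'] ?? null;
    $domain = $query['d'] ?? null;

    // Missing values and array-style parameters (u[]=x) are rejected.
    if (!is_string($user) || !is_string($domain)) {
        return null;
    }
    // Local part: conservative character set, anchored with \A and \z so
    // a trailing newline cannot slip through. No '?', '&', '%' or
    // whitespace, which would allow extra mailto fields or header data.
    if (!preg_match('/\A[A-Za-z0-9._+-]{1,64}\z/', $user)) {
        return null;
    }
    // Domain: must be one the site actually uses (case-insensitive).
    $domain = strtolower($domain);
    if (!in_array($domain, ALLOWED_DOMAINS, true)) {
        return null;
    }
    return 'mailto:' . rawurlencode($user) . '@' . $domain;
}

// Redirect only when served over HTTP, so the function can also be
// included and exercised from the command line.
if (PHP_SAPI !== 'cli') {
    $target = build_mailto($_GET);
    if ($target === null) {
        http_response_code(400);
        exit('Bad request');
    }
    header('Location: ' . $target, true, 302);
    exit;
}
```

With this in place, mailto.php?u=someuser&d=somedomain.com still redirects as before, while a d value outside the allowlist or a u value containing ?, & or a line break gets a 400 response instead of a redirect.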
