Protecting Email Addresses in Web Pages

The simplest way to let visitors to your web page contact you is to supply an email link in the page. This looks like <a href="mailto:you@example.com">contact me</a> where you just substitute your email address and the text you want to display for the link.

Using this method has two major disadvantages that result in the recommendation that you avoid using it. The first disadvantage is that it will not work for everyone because it relies on an external email program being linked to the browser and on your visitor having an email account defined in that program. That means people visiting your page from internet cafes, libraries and similar will not be able to use the link, and even some people using other computers may not be able to use it. You are therefore going to need to provide an alternative method of contacting you for people who don't have an account in a separate email program.

The second disadvantage is that coding the contact link that way means that you have your email address hard coded in the web page, and spam spiders are constantly hunting through web pages looking for email addresses coded like that so that they can send their spam to those addresses. So not only do you have some legitimate visitors who are unable to use the link but you also have spammers obtaining your address from the link and bombarding you with spam.

Applying any form of encryption to the link might help against spam in the short term but doesn't work in the long term and makes the link even less usable for real visitors. Any form of HTML obfuscation of the email address is trivial for a spambot to decode. If you use JavaScript to obfuscate the email address in the link then the spambot has to do slightly more work to decode it (and probably will eventually), while your link now doesn't work for those of your visitors without JavaScript.
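The point about HTML obfuscation can be checked against your own pages. The following Python check is an added example, not part of the original article; the sample pages and the function names are constructed for illustration. It reports the shallowest standard decoding at which a given address becomes readable in a page's source.

```python
import html
from urllib.parse import unquote

# Decodings any HTML-aware client applies, in order. Each one is a single
# standard-library call, which is why this kind of obfuscation hides nothing.
DECODERS = [
    ("plain text", lambda s: s),
    ("HTML entities", html.unescape),
    ("percent-encoding", unquote),
]


def first_exposure(page_source, address):
    """Name the shallowest decoding at which `address` is readable, or None."""
    text = page_source
    for name, decode in DECODERS:
        text = decode(text)
        if address.lower() in text.lower():
            return name
    return None


def audit_pages(pages, address):
    """Map each page that exposes `address` to how it is exposed."""
    report = {}
    for name, source in pages.items():
        exposure = first_exposure(source, address)
        if exposure is not None:
            report[name] = exposure
    return report


# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "link.html": '<a href="mailto:you@example.com">contact me</a>',
    "entities.html": '<a href="mailto:&#121;&#111;&#117;&#64;example.com">contact me</a>',
    "percent.html": '<a href="mailto:you%40example.com">contact me</a>',
    "form.html": '<form action="/contact" method="post"><textarea name="msg"></textarea></form>',
}

if __name__ == "__main__":
    for page, how in audit_pages(SAMPLE_PAGES, "you@example.com").items():
        print(page, "exposes the address via", how)
```

An address assembled by JavaScript at run time is outside what this check covers.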

Forgetting about having an actual link and just displaying the address in your web page makes it harder for your legitimate visitors to use, since they now have to copy the address into their email program instead of it being copied automatically when they click on the link. Also, it doesn't matter to the spambots whether the email address is the destination of a link or is hard coded in the page, as either way it can be read. The only way of making it really hard for the spambot to read the email address is to embed the address into an image, and even that will only delay the time until spambots become sophisticated enough to extract the address from the image. Also, by placing the address in an image you force legitimate visitors to retype rather than copy the address, and you prevent those who are unable to see the image for whatever reason from obtaining the email address at all (since using the alt attribute in this instance to provide the equivalent information defeats the purpose of using an image in the first place).

Whichever way you code the email address in the web page will prevent some of your visitors using it and will allow the spambots to eventually obtain the address. The biggest issue with spammers obtaining your address is that once they have it there is then nothing further you can do to prevent them sending you lots of spam.

The alternative to using an email link which resolves both of the disadvantages of the email link is to use a contact form instead. This means that instead of their using their own email program to create the email to send to you they fill out the details for their email in a form on your web page itself. This avoids the need for them to have a separate email program.

Provided that you add the destination email address in the form2mail script that is processing the form rather than hard coding it in the web page there is no way for the spambots to obtain the email address from the page since the address isn't in the page. The only way that anyone can send emails (spam or not) to that address is to enter the information into the form.

This method also has two disadvantages, which are different from those of the email link and which, unlike the disadvantages of the email link, are at least partly solvable. The first of the disadvantages is that the sender doesn't get to keep a copy of the email that they are sending. You can resolve this by adding the sending address as a cc: to the email so that it goes to them as well as to you. This in turn has a disadvantage: if the email was sent by a spammer, they now have your email address to start sending you spam. You can resolve that by sending the email separately to them using the to: address, simply indicating that it is a copy of the email that they sent without telling them the address it was really sent to.
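A sketch of the form-processing side described above, as an added Python example (not the article's own script): the destination address lives only in the server-side code, and the visitor's copy is built as a separate message so that no header reveals it. The addresses, the function names and the rejection of CR/LF in visitor-supplied header fields are assumptions of this example.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Placeholders kept in server-side configuration, never in the page's HTML.
DESTINATION = "owner@example.com"      # real recipient, hidden from visitors
FORM_SENDER = "webform@example.com"    # address the server sends from


def clean_sender(value):
    """Return the visitor's address, or None if it is unsafe to use."""
    if "\r" in value or "\n" in value:       # would inject extra headers
        return None
    value = value.strip()
    _, addr = parseaddr(value)
    local, _, domain = addr.partition("@")
    if addr != value or not local or "." not in domain or " " in addr:
        return None
    return addr


def build_messages(visitor_address, subject, body):
    """Build (message_to_owner, copy_to_visitor) for one form submission."""
    sender = clean_sender(visitor_address)
    if sender is None:
        raise ValueError("invalid sender address")
    subject = " ".join(subject.split())      # collapse CR/LF in the subject

    to_owner = EmailMessage()
    to_owner["From"] = FORM_SENDER
    to_owner["To"] = DESTINATION
    to_owner["Reply-To"] = sender            # owner can answer the visitor
    to_owner["Subject"] = subject
    to_owner.set_content(body)

    # A separate message rather than a cc:, so no header names DESTINATION.
    copy = EmailMessage()
    copy["From"] = FORM_SENDER
    copy["To"] = sender
    copy["Subject"] = "Copy of your message: " + subject
    copy.set_content("This is a copy of the message you sent:\n\n" + body)
    return to_owner, copy
```

Each returned message can then be handed to the server's mailer separately, for example with `smtplib.SMTP.send_message`.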

The second disadvantage is that spammers can still send you spam by filling out the form on your page even though they don't know your address. You can reduce the chances of spambots managing to send you spam by building features into your contact form to help test whether it is a real person filling out the form (such techniques are commonly called CAPTCHA). Depending on exactly what you place in the form to do this, you may also make the form more difficult or even impossible for some real people to use (depending on what disabilities they have). With an email link you can't keep the obfuscation as user friendly as possible for real visitors and leave strengthening it until after the spammers have obtained the address; with a contact form you have no such concern. Even when a spambot is sufficiently clever to bypass the measures built into your form and send you spam, the spambot still doesn't have your address. Once you start receiving too much spam you can increase the security measures in the form to block the spambots again. While every such increase in the security of the form will block out more real visitors trying to use it, you can compromise between making it usable for real visitors and blocking the spambots.

There is no perfect solution to enabling all your legitimate visitors to contact you while blocking out all the spambots but the options available when using a contact form rather than a link mean that the spammers never obtain your email address and so you can continue to use the same one rather than having to change it every time the spambots obtain your address.

 

This article written by Stephen Chapman, Felgall Pty Ltd.
