Doubtless it will work with some spambots but probably not all. An image is probably the only way to hide email addresses effectively, but if everybody used them, the spambots would simply get OCR upgrades.

Kaled.

I doubt the span idea will help much. It's too easy to simply remove all markup from the page before looking for addresses.

The "me at example dot com" stuff is probably somewhat effective, but confuses people.

The problem with images is accessibility. Don't want to start that discussion up again, though. :) You can put in alt text, of course, which would contain plaintext of your email address. Hopefully, that would just be removed with the rest of the markup.

But, again, it's easy enough to scan each removed tag for email addresses as well. I expect one can find quite a few email addresses in comments, so it would be worth-while to scan inside of removed comments, and perhaps they thought to look inside of tags as well.

I use this site:

<snip>

[infidesign.com...]

It turns the email address into a code that robots can't read, yet it looks and works like plain text. I get no spam at all.

[edited by: trillianjedi at 8:17 pm (utc) on Oct. 9, 2006]
[edit reason] Let's link to the ad free version... [/edit]

That's pretty slick. Thanks. Here's what "example@example.com" looks like:

&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#64;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#99;&#111;&#109;

That TOTALLY rocks. I've even put the same "encoded" text in a href='mailto:' and it works fine in both IE and FF.

I tried to make a quick php function mailto_uni() that would turn my@here.com into:

<a href='mailto:$#53;...'>$#53...</a>

but I cant find a function in php that converts to this kind of unicode. Anyone help?

I can't comment on whether spam bots will decode this format, but it would be fairly trivial. If this method were to be widely adopted, doubtless email harvesters would be updated.

On the plus side, there should be no compatibility issues - all browsers can decode numerical entities into ascii characters without difficulty.

Kaled.

It turns the email address into a code that robots can't read, yet it looks and works like plain text. I get no spam at all.

Lucky you.
For one of my sites I converted the email address on a page. Weeks later I checked Google if they had updated on my new content and I saw the changed page being freshly indexed.
Next thing I did was to search G for my email using plain text and guess what, the page with the coded email addy was displayed.
So, when G can read and interpret the unicode, I believe Spambots do as well. Now I am going to change the email on a bimonthly basis or install a form (with authetification).

Encoding the email is a fairly old trick (used it on sites I built 5-6 years ago. There are some bots that can't decode it, but many of the newer spambots do so it's only partially effective.

Javascript seems to work pretty well, but in the end, if it is something that has to be decoded for the client to see it, then you can bet there are spambots that can decode it as well.

I have done it all, encoding, forms, scripts, images, me (at) that.com and more. Somehow, they all seem to get spam sooner or later. I guess a combo of BOTS and <snip> taking notes...

I think what I will go to next is a single disposable email address to be displayed via PHP include on any site where I need to post an email. Every week or so I will just change one text file and create a new email addy; IE info100@ info101@ and so on, I will then give a legit email to any legit corresponders who my need to contact me in the future when replying to them.

Let the BOTS run wild and drive themselves nuts in the process...

Unless someone has a better idea....?

[edited by: trillianjedi at 9:46 pm (utc) on Oct. 9, 2006]

There are ways to make it, how should I say it, a waste of time for spam bots to try to grab your email. For most of us, that's fine and a perfectly acceptable level of obscurity.

But, we should remember that "security through obscurity" only gives a false sense of protection, as (which has already been mentioned) there are always ways around it, simply because what's hidden from spam bots must at the same time be visible to users.

I have utlized many different methods in the past. Some were more successful, others not so much. The more successful ones I will not mention in detail here, but I can tell you this much: focus on making it difficult for the spam bots. Combining multiple different techniques in one (script, style sheets, encoding, images, etc) usually provides the highest level of "protection". Avoid readily made solutions you find online. The spammers are already aware of how they work and how to get around them. Get ideas from different places. Improve. Combine. Write your own.

So far, my latest implementation has proved quite successful. But it does not protect from spam 100%. The most sophisticated spam bots utilize OCR to grab your address.

But, at least it helps to weed out the amateurs.

Once you find something that works well -- keep it secret ;)

Also, remember that fighting spam is more than just protecting an email address on a webpage. It is about being careful with how it's being used. Once you start getting spammed, there's nothing that can stop it. It will just increase from there. Be prepared to discontinue heavily spammed addresses.

[edited by: DrDoc at 8:41 pm (utc) on Oct. 9, 2006]

This is the ONLY one I have seen to be 100% secure, at least so far:

[automaticlabs.com...]

As a test about 3 years ago, I put an email address up on all our sites that is just for website comments encoded with that, and I have NEVER gotten any spam to that address.

I just wish that I had done that with our main email addresses 6-7 years ago.

There are supposedly now other ways to do it, with asp and php, but I could never get them to work.

Some harvest bots can read the &#101;&#120 stuff.

[edited by: Wlauzon at 6:37 am (utc) on Oct. 10, 2006]

I recently installed a blog using one of the more popular packages and it uses the encoding method to display my email address.

When any technique reaches that level of adoption it definitely becomes worthwhile for spammers to figure out ways to decode the email information. I'd be very surprised if this method holds up.