Forum Moderators: phranque


Hiding email addresses from harvesters

Does using a form to hide email address actually work?

         

HelenDev

11:14 am on Jul 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have seen the technique of using a form to hide an email link. The human user can then click the button to get the email address and mailto link.

I was just wondering how effective this is? I guess this relies on the idea that email harvesting spiders can follow links but they can't press form buttons - is this true?

kwasher

11:59 pm on Jul 6, 2007 (gmt 0)

10+ Year Member



So is this no good anymore?

<script language="JavaScript"><!--
// hide script
var sb_domain = "YOURDOMAIN.COM";
var sb_user = "EMAILUSERNAME";
// the address is only assembled at run time, so it never appears whole in the page source
var sb_recipient = sb_user + "@" + sb_domain;
var sb_url = "mailto:" + sb_recipient;
document.write(sb_recipient.link(sb_url));
// --></script>

showsa

12:22 am on Jul 7, 2007 (gmt 0)

10+ Year Member



Plz use pear package(php)

e.g.
<?php
require_once 'HTML/Crypt.php';
$c = new HTML_Crypt('yourname@example.com', 8);
$c->addMailTo();
$c->output();
?>

The result looks like this:

<script language="JavaScript" type="text/javascript">/*<![CDATA[*/var a,s,n;function f493cf3c8130b40d7025ccd0261dcdbb4(s){r="";for(i=0;i<s.length;i++){
n=s.charCodeAt(i);if(n<128){n=n-8;if(n<32){n=127+(n-32);}}
r+=String.fromCharCode(n);}return r;}a="Di(pzmnE*uiqt¦wB\"w}zviumHouiqt6kwu*F\"w}
zviumHouiqt6kwuD7iF";
document.write(f493cf3c8130b40d7025ccd0261dcdbb4(a));//]]>
</script>

[edited by: encyclo at 12:50 am (utc) on July 7, 2007]
[edit reason] no personal URLs thanks [/edit]

Marshall

12:32 am on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You do realize we're telling spammers all our tricks.

Marshall

blend27

3:09 am on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



All email info is images.

On the Email Server SpamAssassin + GREY LISTING.

ZERO SPAM

BeeDeeDubbleU

8:28 am on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Kwasher I still use your solution and it seems to work for me. When I want the enquirer to see the email address I either show them an image or spell it out like info at domain dot co dot UK.

You do realize we're telling spammers all our tricks.

Marshall these people are nothing if not clever. I would be very surprised if they were not already aware of all of these methods. However, proportionately the number of people using them is very small. They will be doing alright from the billions of people worldwide who don't protect their email addresses. At this stage it's probably too much bother for them to try to harvest everything.
---------------------------------

Regarding online forms, I have several of these on different websites. A few months ago I placed a simple validation question on them ("what is 5 plus 9", etc.) I offer the answer to the question as an option on a pull down. For those who are not so clever I select the options on the pull downs to make it really obvious. For example in the question above I may offer the following options,

* Red
* Abraham Lincoln
* Coffee
* Fourteen
* Green
* Poland

This system has worked extremely well. I have had a total of only 19 spam submissions since I did this. The submissions are clearly from English speaking humans (selling replica watches mostly) who submit the forms manually.
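
A server-side check for the validation-question form described in the post above, as an added example that is not code from this thread. It assumes Node.js; the function names, the token layout, the in-memory store and the second question are hypothetical choices made for the illustration.

```javascript
const crypto = require('crypto');

// Question bank: the first entry is the one from the post above; the second is constructed.
const QUESTIONS = [
  { text: 'What is 5 plus 9?', answer: 'Fourteen',
    options: ['Red', 'Abraham Lincoln', 'Coffee', 'Fourteen', 'Green', 'Poland'] },
  { text: 'Our widgets are red. What color are our widgets?', answer: 'Red',
    options: ['Tuesday', 'Red', 'Seven', 'Poland', 'Coffee'] },
];

const TTL_MS = 10 * 60 * 1000;   // assumed lifetime of a rendered form
const usedTokens = new Set();    // in-memory single-use store (assumption: one process)

function sign(secret, payload) {
  return crypto.createHmac('sha256', secret).update(payload).digest('hex');
}

// Called when rendering the form: returns the question plus a hidden-field token.
// The token names the question and an expiry but never contains the answer.
function issueChallenge(secret, qid, now = Date.now()) {
  const payload = `${qid}.${now + TTL_MS}.${crypto.randomBytes(8).toString('hex')}`;
  const { text, options } = QUESTIONS[qid];
  return { text, options, token: `${payload}.${sign(secret, payload)}` };
}

// Called on POST: returns 'ok' or the reason the submission is rejected.
function checkSubmission(secret, token, answer, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return 'malformed';
  const [qid, expires, nonce, mac] = parts;
  const expected = Buffer.from(sign(secret, `${qid}.${expires}.${nonce}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-signature';      // token was not issued by this server or was altered
  }
  if (now > Number(expires)) return 'expired';
  if (usedTokens.has(token)) return 'replayed';
  usedTokens.add(token);         // one guess per token, so a script cannot walk the option list
  const question = QUESTIONS[Number(qid)];
  if (String(answer).trim().toLowerCase() !== question.answer.toLowerCase()) {
    return 'wrong-answer';
  }
  return 'ok';
}
```

Rejected submissions are worth logging with their reason: a run of `replayed` or `bad-signature` results points to automation rather than a visitor picking the wrong option.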

RailMan

10:33 am on Jul 7, 2007 (gmt 0)

10+ Year Member



i've tried every trick in the book .... and some still work for me .... except sometimes i get a happy customer recommending us on web forums and saying "hey, try this company" and posting our email address instead of our URL ....... sigh .....
we can't win ..... until we start hanging spammers ......

Quadrille

11:45 am on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



an image for people to copy is doubtless the best way; even then, change it every few months, to avoid human harvesters, always using a throwaway address that forwards to the real thing.

Alternatively - when you feel a need to catch people too lazy to type! - use this code:

<script type="text/javascript" language="javascript">
<!--
var bluejay = "domain.com"
var aardvark = "yourname"
var cabbage = aardvark + "@" + bluejay
var dogfish = "mailto:" + cabbage
document.write(cabbage.link(dogfish));
// -->
</script>

Please change aardvark, bluejay, cabbage and dogfish to your own words

This forwards to yourname@domain.com via javascript with no problem - and no harvesting.

The name is displayed, however, so this should also be changed every few months to avoid human harvesters.

Please note - this code has been tested with gmail and outlook express as firefox's preferred mailers; I see no reason why it shouldn't work with other browsers and mailers, but please report any problems here.

[edited by: Quadrille at 11:51 am (utc) on July 7, 2007]

pontifex

1:33 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<script>document.write('<a href="mailto:some'+'mail@some'+'domain.net">some'+'mail@some'+'domain.net</a>';</script>

should be enough!
P!

pageoneresults

5:24 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've been following this topic very closely. I've seen all the various solutions discussed here and at other fora.

Based on what I've seen to date, I'd say that images are probably the most foolproof way to avoid detection. But, there is always human intervention. Even then, that's a tedious process and one that reduces the playing field considerably.

Anything that requires an "action" concerns me. I would think the bots are smart enough to perform most if not all of the JavaScript actions specified so far. I mean, this is 2007, not 1997. ;)

g1smd

7:54 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



They might follow some javascript, but the problem for them is that 99% of all javascript they find probably does not hide an email address so the amount of code to be run to find even one address is quite huge, and hopefully not worth it.

Petra Kaiser

8:29 pm on Jul 7, 2007 (gmt 0)

10+ Year Member



Don’t forget feeding the animals and google: anytag = ”href=mailto:mespam@gmail.com”

Quadrille

8:31 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



... and if you obfuscate the variables, as in my example a few posts back, many robot searches will be frustrated.

While it's theoretically possible for spammers to defeat all the methods mentioned above, few will bother with any but the easiest; why would they? They can get millions with a simple trawl; they won't lose sleep (or even know) if they've missed a few.

Especially as those who try hardest not to be found are quite possibly those least likely to fall for their cr*p anyway!

Once 10% of sites hide addresses, they may break sweat - at the moment, I doubt it's 1%.

IanKelley

8:46 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



quite huge, and hopefully not worth it

In fact it's insignificant on today's machines. Having the parser check for, say, the three most popular javascript obfuscation methods would only slow it down slightly.

But it's definitely true that the extra effort is the deterrent. Someone said spammers are clever. Truth is, spammers are lazy :-)

If they weren't lazy JS obfuscation would have stopped working years ago. Because it works so well the first spammers to start defeating it will be getting virgin (read unspammed) email addresses. There may be less to harvest but they're infinitely more valuable from a spam perspective.

As many have said, use forms with CAPTCHA, and if you absolutely have to display an email address use an image.

JS obfuscation works right now but there will come a time when it stops working on a massive scale. i.e. when a popular spam harvesting software maker finally either writes in some form of JS parsing or enlists the aid of the IE shell on Windows machines.

The crazy thing is that it hasn't happened already.

g1smd

9:53 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hhhh. Captcha possibly defeated already... [theregister.co.uk...] ... and spammers now noted as using the same technology to stealth their spam past the anti-spam scanners... [theregister.co.uk...]

[edited by: g1smd at 10:09 pm (utc) on July 7, 2007]

Quadrille

10:05 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I wonder; it's been claimed before. Last time it turned out to be three-cent an hour humans, I think.

But even if it hasn't happened yet, it's only a matter of time.

The 'validation question' system seems to be untouched; it'll be a while before robots can fiddle a drop-down menu. I hope!

The questions could be fun:

1. What part of the anatomy should spammers be strung up by?
2. Which is the best browser for Google fans?
3. Which Internet entrepreneur is no longer the world's richest man?
4. How many days did Paris Hilton serve - the first time?

londrum

10:10 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



the newest captcha images that i have seen are made up of two bits - half as a normal image (the lefthand half) and the other half as a background image referenced in the css.
not sure how they get the page to understand what the whole image reads, though. maybe they write the css file as php, and rotate the image in the css.

these things are getting more and more complicated every month. and to think that we were once able to just use a simple mailto: link. those were the days!

martinship

10:32 pm on Jul 7, 2007 (gmt 0)

10+ Year Member



to think that we were once able to just use a simple mailto: link. those were the days!

Those were never the days: viewers' computers were (are) rarely set up to handle mailto links properly. Personally, I've got mine fixed (mailto: links are captured and open a new gmail message) but whenever I'm using a public computer, invariably Outlook Express or Mail opens much to my annoyance. Nobody likes the surprise of having a link launch an email program.

Contact forms are clearly the way to go! Even if all your contact form says is "please give us your email address (and optionally, some comments) -- we'll get right back to you" that should be enough to keep the spam at bay. I think your customers will thank you, too. Screen reader customers can use forms perfectly well, unlike some of the other crazy methods proposed here. I don't think hidden-captcha methods should be employed, but I do like the user-based captcha methods: "Our widgets are red. Prove you're not a robot, tell us what color our widgets are."

From the other methods posted here, I think CSS and form-submission javascript are the best. Images suck, especially when your email address is listed as jon_widgets@example.com. Too much typing, a big opportunity for misspelling.

pontifex

11:53 pm on Jul 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



jon king is right, i forgot a bracket:

<script>
document.write('<a href="mailto:some'+'mail@some'+'domain.net">some'+'mail@some'+'domain.net</a>');
</script>

pageoneresults

2:44 am on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



pontifex...

<script>document.write('<a href="mailto:some'+'mail@some'+'domain.net">some'+'mail@some'+'domain.net</a>');</script>

...should be enough!

You don't think that can be parsed? I'm not being a smart arse either. ;) I'd really like to know. I just find it hard to believe that anything that is "coded" can't be parsed.

bill

3:37 am on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The people at Project Honey Pot [projecthoneypot.org] have a great guide: How to Avoid Being Harvested by Spambots [projecthoneypot.org]. According to them:

There are, however, at least two techniques which appear not only to currently be 100% successful at protecting email addresses, but are likely to remain so for some time. The first technique uses Javascript to obscure the address, the second hides the email address in an image.

thecoalman

4:00 am on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The 'validation question' system seems to be untouched; it'll be a while before robots can fiddle a drop-down menu. I hope!

I've been using this on both a forum and a form, the forum one has been in use for about 8-9 months and I haven't had a bot registration since.

One thing I wouldn't do is get too complacent in the question you ask, keep it unique. I installed a bot on a forum for amusement purposes that can carry on a somewhat intelligent conversation. It uses a large database that contains keyphrases, but it can also match the pattern of speech the keyphrase is in. Teaching it the answer to what's 3 plus 2 is relatively trivial. It also stores questions it had trouble with. This is actually quite old technology based on the ALICE bot. Adapting it to a spam bot I'd imagine would not be that hard if it isn't being used already. No doubt it will be if everyone starts using a question for captcha.

surfin2u

6:52 pm on Jul 8, 2007 (gmt 0)

10+ Year Member



I have found a solution to this problem.

I don't give out my email address anywhere on the site, but even that isn't enough. Some spammers fill in my contact form, and get a good email address from my reply.

The newest step that I've taken is not to stick with using any one email address for myself for too long. Once it gets spammed enough, I use an autoreply for that address that contains a link to my contact page, along with my apology for the inconvenience.

I no longer give an email address on my business cards either.

BeeDeeDubbleU

8:50 pm on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Try using the method I described above to validate your form submissions. It works.

Rosalind

9:34 pm on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've been using contact forms with a trivia captcha instead of email for most websites, and an email in an image for another. So far, no problems, and as far as I can recall zero spam since I moved to these methods.

I think it's time we moved to email 2.0: we need to make the methods of obfuscation that we are using accessible to the general public. For example, what if it were possible for an email address to come with a verification response, rather like the captcha question that many of us are routinely adding to contact forms? If a bot had to actually go and seek out the answer to a question, that could suppress a considerable amount of spam (until such time as spammers start using bots with advanced AI capabilities, of course).

incrediBILL

9:49 pm on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Captcha possibly defeated already.

Captchas are far from being defeated and you all keep focusing on those squiggly lines as the end-all-be-all of captchas and that's not it.

My captcha simply asks a math question "What's 5+6?" and the bots can't answer it because it also requires javascript enabled.

I would think the bots are smart enough to perform most if not all of the JavaScript actions specified so far. I mean, this is 2007, not 1997

You would think that but it would be wrong then as most bots still DO NOT use Javascript.

Email addresses in graphics are annoying and unfriendly

Why show me something I have to type in myself?

If a typo is made, then you further frustrate your visitor with a bounced email they now have to correct.

That's why I opt for the CONTACT US form, it's easy, I can change the email address behind it at any time, and it can be secured with a captcha (regardless of what the naysayers say).

[edited by: incrediBILL at 9:50 pm (utc) on July 8, 2007]

Rosalind

10:08 pm on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Email addresses in graphics are annoying and unfriendly

Why show me something I have to type in myself?


I should specify, I'm using the graphic as well as a contact form, and not instead of it. It's good to offer a choice, and some people do prefer to type the email rather than use the contact form.

pageoneresults

10:17 pm on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Why show me something I have to type in myself?

I guess you could ask that same question when it comes to business cards, stationery, etc? ;)

I think most users are aware of email spam issues and typing in an email address hopefully doesn't present too much of an inconvenience. That brings up a good point too, make the email address a bit friendlier so it is easier to type in. ;)

I too utilize forms a majority of the time. But, I have some instances where an email address has to be displayed due to printing of documents and an unlinked image works just fine. If someone needs to contact someone at that email, they will make their best effort to type it in correctly.

"Contact Us" links don't translate well in printed documents either. :(

incrediBILL

10:54 pm on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



typing in an email address hopefully doesn't present too much of an inconvenience

Oh no?

Having to open an email program and/or another window for webmail is a PITA!

If the email is on a printed document, that's another matter, but if it's all online and I have to jump through hoops to send a lousy note to someone, the tone is probably a bit harsher after being annoyed with wasting my time.

Offering it as an alternative is fine, but as the only method... GRRRR

g1smd

11:34 pm on Jul 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I like to provide both a contact form and a javascript encoded email link; gives the visitor a choice as to what to do.

One thing to bear in mind, when using the form they do not get a copy of what they sent, with normal email they do.

lavazza

1:18 am on Jul 9, 2007 (gmt 0)

10+ Year Member



I vote for giving choices (plural) to the user

As a user, regular mailto: links might be simple but if I'm NOT using my own machine (at a friends/in a net cafe/whatever) then it doesn't feel appropriate to fire up and use the default email app

As an author for a few sites, I use javascript to split and then concatenate hex codes (A = &#065; B = &#066; etc) in mailto AND formmail links, all via (disposable) gmail accounts. So far, the amount of spam emails that make it to an inbox is negligible... the few that do get through are (I suspect) sent by 'random address guessing' soft and/or wet ware

For visitors who can see <noscript> sections... users have to click a link to fire a change in the CSS from display:none to display:inline. It's a bit clumsy... but there are only so many hours in a day :(

"Contact Us" links don't translate well in printed documents either. :(

try using a media="print" css file with

#wrapper a[href]:after{
content: " (" attr(href) ") ";
font-size: 90%;
color:#0066CC;
}
:)

when using the form they do not get a copy of what they sent

Any half-decent formmail script should make it easy to add CC and BCC recipients :)