19 thoughts on “(Almost) Unspammable Email Addresses”

  1. Jeff says:

    In case you didn’t know, this does the same thing as in Markdown. It is quite effective.

  2. “Convert it to ASCII with this tool.”

    Er, unless I’m very much mistaken, the email address you enter is ASCII. After conversion it becomes HTML entities (still in ASCII).

    I am such a pedant! 🙂

  3. Joen says:

    Jeff,

    Markdown rocks. The only reason I’m using textile is that Markdown doesn’t have a good way to show blockquotes or code tags, IMHO.

    Jonathan,

    Consider it updated :)—I just stole what it said on the page.

  4. Jonas Rabbe says:

    Won’t help much, since you have a <a href="mailto:..." >... tag it’s quite easy to find where there is an email address, converting it back to ASCII is trivial. If there is a simple way of viewing an address in a web browser (such as html entities or javascript functions) you can be sure that any email sniffer worth its salt can see it too.

    I don’t know if there is such a thing as an ideal email protection mechanism, but using a contact form, where the email isn’t written as a hidden field, is probably one of the better ways of protection.

  5. Joen says:

    Good point Jonas.

    I should point out that I’m using a different method myself, on my colophon contact page. It’s using JavaScript to write the mailto function. Feel free to steal that, whoever wants to.

  6. Jonas Rabbe says:

    should point out that I’m using a different method myself, on my colophon contact page. It’s using JavaScript to write the mailto function.

    Which still isn’t safe. As I said:

    If there is a simple way of viewing an address in a web browser (such as html entities or javascript functions) you can be sure that any email sniffer worth its salt can see it too.

    What I meant with my contact form comments was that your comment form accessed a script, i.e. a PHP script, which sent the mail to your address. This would prevent your email from being visible to anyone while still allowing people to send you feedback.

  7. Jonas Rabbe says:

    Encoding your email address is security through obscurity which is, if not problematic, at least controversial. The wiki entry for security through obscurity likens it to hiding a spare key under your doormat. In theory anyone can enter your house using the spare key, but you rely on the hiding place being secret. Encoding your email address as HTML entities is very much the same. Just as the doormat is one of the first places a burglar would look, HTML entities are easily recognized and converted to reveal the email address. The same is in fact the case for javascript functions. Any javascript interpreter will be able to interpret the javascript and reveal the email address.

    Additionally, javascript functions and HTML entities are becoming quite widespread solutions. As more and more people use these two methods of protecting their addresses the spammers will account, and already have accounted, for them in their tools.

    The only way of attaining security through obscurity is to make it really obscure. Find your own way of hiding your address and don’t share it with anyone. If you are the only person hiding your address in one specific fashion, a spammer has less to gain by specifying that obfuscation in his tool as he would only obtain one more address.

    Additional resources:

  8. Joen says:

    Thanks, Jonas, for adding these links and these comments.

    As a direct consequence, I have removed my JS “protected” email script from my colophon. Now only the PHP contact form remains.

  9. Jonas Rabbe says:

    Good thing I got your email before you did that, otherwise I wouldn’t be able to spam you…

  10. Joen says:

    Oh you would too … using my contact form!

  11. Jonas Rabbe says:

    It’s just such a hassle to spam someone using their contact form…

  12. Jonas Rabbe says:

    Just thought I’d pitch in another side to the story. Phil Ringnalda did an unscientific test of using HTML encoding vs. plain text email, and the surprising conclusion is that spammers are lazy.

    To extend on his conclusion, however, he did receive some spam on the HTML encoded address. This means he would start getting a lot more spam once his address has been sold and bought.

    My original points still hold, but I guess we can conclude that using HTML encoded or Javascript obfuscated addresses is safer than simple plain text mailto links.

  13. After Stu came up with the ultra-cool email address obfuscation method through CSS, I quickly wrote the obfuscate_email() PHP function. And today, I uploaded my very own email obfuscator. As if there weren’t enough already, I know.

  14. Joen says:

    I have seen it, Mathias, it’s very nice. Good addition.

  15. Jonas Rabbe says:

    After Stu came up with the ultra-cool email address obfuscation method through CSS

    Just wanted to say that the CSS email obfuscation doesn’t work in Safari (v. 1.2.4)

  16. tekkie says:

    HTML entities are surely not the best available option to obfuscate as you can all also confirm from this chart.

    Mac OS X Dashboard widget called obfuscatr provides JavaScript encoding, which is much more safe than the one described above. The other possible option is just plain hexadecimal encoding of your email addy, similarly to above. So 2 alternatives available from obfuscatr. See the details at flash tekkie.

    obfuscatr was also featured in MacWorld Italy of March 2008.

Comments are closed.
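
An added example (not from the post or any commenter): a self-audit in Python that takes an address you own and reports the cheapest decoding step at which a static scan of your own page reveals it, covering the entity, hex and JavaScript-written forms discussed in the thread, next to a contact form that never contains the address. The sample pages, `joe@example.com`, `/contact.php` and the layer names are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Decoding layers a static scan can apply without running a browser,
# ordered from no effort upward. The layer names are this example's own.
LAYERS = [
    ("plain text", lambda s: s),
    ("HTML entities", html.unescape),
    ("percent/hex encoding", lambda s: unquote(html.unescape(s))),
    # Heuristic: fold 'a' + 'b' string concatenation as used by
    # document.write()-style scripts; real scripts can be more complex.
    ("JS string concatenation",
     lambda s: re.sub(r"""['"]\s*\+\s*['"]""", "", html.unescape(s))),
]

def weakest_exposure(page_html, address):
    """Return the first (cheapest) layer at which `address` is readable
    in `page_html`, or None if none of the layers reveals it."""
    target = address.lower()
    for name, decode in LAYERS:
        if target in decode(page_html).lower():
            return name
    return None

def entity_encode(text):
    """Encode every character as a decimal HTML entity."""
    return "".join(f"&#{ord(c)};" for c in text)

# Constructed sample pages; the address is a placeholder.
ADDRESS = "joe@example.com"
SAMPLES = {
    "plain mailto": f'<a href="mailto:{ADDRESS}">mail me</a>',
    "entity mailto": f'<a href="{entity_encode("mailto:" + ADDRESS)}">mail me</a>',
    "hex mailto": '<a href="mailto:%6a%6f%65%40example.com">mail me</a>',
    "js writer": "<script>document.write('joe' + '@' + 'example' + '.com');</script>",
    "contact form": '<form method="post" action="/contact.php">'
                    '<textarea name="msg"></textarea></form>',
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        print(f"{label:14} -> {weakest_exposure(page, ADDRESS)}")
```

A result of `None` only means these four layers did not reveal the address; a script that builds the address in some other way still exposes it to anything that executes the page.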