[Web4lib] anti-spam email adress

Fred Edwards fred.edwards at smu.ca
Thu Sep 14 16:13:53 EDT 2006

of course, the only real solution is to not put an email address on
your website... but that's not your goal.

Casey Durfee's solution (munging the address) is something I've
done... sometimes making it even more complex, like putting the whole
address into a function and compartmentalizing the actual address into
variables to be concatenated after an onclick event

you could add to this by making the "human readable" address a
graphic, though truly good spammers can use OCR hacks to get the

and this however is no good if you want to provide viewers the ability
to cut and paste the email address

you could also blend in characters before and after the address that
are the colour of the background of the page... the characters will
get caught up by the spambot but will of course be caught up in a cut
and paste as well and will make for an invalid email address for valid

you could probably do something like this to help as much as possible:

document.write("<a hre" + "f='mai" + "lto:casey.durfee" + "@" +
"spl.or" + "g'>");
document.write("<font color='#ffffff'>..**..</font><br />casey.durfee");
document.write("<br /><font color='#ffffff'>..**..</font></a>");

the problem, of course, with anything like this solution, is that many
spiders can scour the rendered page not just the source... which will
make any pre-rendered solutions moot...

I used to do something to prevent that and would look more like this:

<a href="javascript:\\" onClick="processClick()">e-mail</a>

which will put a nice little link on the page for the user to click

inside the function processClick(), I would munge the address and then
forward the concatenated version to the viewers email program

function processClick() {

var a1="casey.durfee";
var a2="@";
var a3="spl.";
var a4="org"

document.location=("mailto:" + a1 + a2 + a3 + a4);


using document.location like this will prevent any email address from
being rendered and thus escaping more robust spambots.

however, it's still not the solution for cut and paste users,
especially not with the number of people that use web based email and
need to be able to cut and paste, and on most public terminals
web-based mail is the only option

so, the most viable solution to prevent email addresses from being
spam listed is certainly the server-side processed form... however
it's important to remember that email forms, unless really well done,
can open up all kinds of other security risks as well, but that's
another topic

you could add to a form solution by having the address the mail goes
to be a service like Gmail or bigfoot which will allow you to forward
the mail it receives to your actual email address, many web mail sites
include antispam services... Gmail's anti-spam filtering is pretty
good and you can also create a filter to only forward email from a
recognized email address... which you can designate on your form as
something completely unique and random... Gmail will then forward any
"non-spam" to your actual address

otherwise, captcha's then sort of become necessary or using a service
somewhat like Akistmet ( http://akismet.com/)

akismet is used to capture spam on comment forms on many blogs
(particularly Wordpress),  I'm not sure if they do anything for form
generated email...

there's also "Bad Behavior" (
http://www.homelandstupidity.us/software/bad-behavior/) which is a PHP
script solution to prevent spambots from accessing your site

I'm sure there are other solutions out there as well, but in the end a
determined spammer is going to get through anyway so at my library
we've pretty much opted from having email addresses listed on our
website... we have one central email address which is displayed and
that is managed by our reference staff and who accept the
inevitability of spam and who the redirect queries if need be...

Here's some relevant spam related reads:


hope this helps.


Fred Edwards

Systems Technician
Patrick Power Library
Saint Mary's University
Halifax, Nova Scotia    B3H 3C3

Phone:     (902) 420-5096
Fax:       (902) 420-5561
E-mail:    Fred.Edwards at smu.ca
Website:    http://www.smu.ca/library/


On 9/13/06, Casey Durfee <Casey.Durfee at spl.org> wrote:
>  You can do it with javascript --
> document.write("<a hre" + "f='mai" + "lto:casey.durfee" + "@" +
> "spl.or" + "g'>");
> That's not going to catch the attention of most bots because they're
> looking for "mailto" or "___ at __.__" type strings on the page.
> You can also have the email address as an image generated dynamically
> by the GD library or similar.

More information about the Web4lib mailing list