Protecting a Website Email

Form or encoded mailto?

If a human being, spammer or not, wants to contact you, he will find a solution. But as there are many uncoded email addresses on indexed websites, a spammer, using a robot or not, shouldn't lose time to find yours if it is protected.
To protect an email address and avoid most spambots, three solutions in my opinion:

1. Check if your provider supplies a ready made form or does not disable the PHP function mail(). Some scripts such as the one of this site do not work with Beonex, Off By One and Mozilla 1.2 and if you do not send the original referrer ("HTTP_REFERER").
   This is the method used by the first version of the contact page. This page is very often visited by spambots but I only receive a few messages : a confirmation form blocks most of them and free blocks almost all the others.
2. If the PHP mail() function is enabled, write a form.
   • It will call a PHP script that deletes any script tag in the message and removes control characters.
   • It will verify that the referrer ($HTTP_REFERER) comes from a page of your site and is not blocked and if the browser is identified.
   • It will not transmit anything to the client browser but it will redirect to a page which will convert the client IP address, the time and date, the message and the form variables to session variables and then redirect to a non-indexed page that will mail the session variables.
   • And, by using the referrer (or a session variable), redirect to a result page.
   Inserting a redirection toward the form page is an efficient technique as most robots, at least one third, do not follow a redirection if the domain name does not change, almost all if it changes.
   Coupling the redirection with a script that converts the form variables to session variables also seems to be efficient.
   A contact form using these techniques is used by the contact page and can also be tested with a page from an abandoned project. Many spambots visit it but I don't receive their SPAM.
3. Replace <a href="mailto:myname@myprovider.xy">Contact</a> easily found by
   <script type="text/javascript"> <!-- var tg="<"; /*W3C validator needs that*/ var name="myname"; /*first part of your address*/ var at="@"; /*as all navigators do not accept Unicode (&#64; or hexa &#x040; ...)*/ /*a few browsers (as Mozilla) and robots decode it on the fly*/ var host1="myprovid";/*start of your provider's name*/ var host2="er.xy"; /*end of your provider's name*/ var text="Contact"; /*text you want to display - don't display the address*/ document.write(tg+"a hr"+"ef=mai"+"lto:"+name); document.write(at+host1+host2+">"+text+tg+"/a>"); --> </script> /*you can simplify, use an image instead of text...*/

You can test with the link below or encode any address at the bottom of the page:

This will only work if javascript is enabled.

PHP can easily generate this routine with a list of addresses(var text="<?php echo $text;?>"; ...)

Some robots will still succeed as they calculate the address by using the provider's assigning method or by using your domain name!

With an address unknown to spammers, most spam will be avoided, but you will receive fewer messages.
As any protection, it will discourage many visitors because of browser problems or because they face a form without a prepared message.

You can also have a look at:

• Anti-Spam Script Maker (javascript) and ANTI-SPAM PING JPEG MAKER
• Blackman's E-mail encoder (javascript)
• SpambotDeceiver (javascript)
• E Cloaker (Unicode)
• Obfusticated Email Link Creator (Unicode)
• Safe E-mail Links Scout (javascript and fake address)
• HTML-Email-Cloaker (Unicode+javascript)
• Hiding email address from spambots (CSS2 solution but no mailto and only displayed by Mozilla or Opera)
• Hiding email addresses (CSS solution but no mailto)
• MailMe (a perl script that forwards email)
• E-Mail Protector Script (perl script sending 10,000 fake addresses to identified robots)
• Vorras Antibot (with Python 2.0 installed - not really a freeware)

Asking for a confirmation

To avoid "email grabbers", spambots and mail sent by spambots using the form, this page of the site, as well as all the pages containing the word "email" or "mailto" or "@" redirect the user without "referrer", with an unknown "User Agent", a spotted IP address or host towards a page asking for a confirmation.

The browser is identified at the beginning of the page. A PHP routine such as the following one redirects if necessary:

/*$nav, returned by the browser-sniffing script, is set to "autre" if the browser is unknown*/
if(!isset($_REQUEST["requested_file"]))
{
$page_self=getenv("REQUEST_URI");
$page_referer=getenv("HTTP_REFERER");
$no_ip=getenv("REMOTE_ADDR");
$hote=gethostbyaddr($no_ip);
if (($nav=="autre" && $page_referer=="") || (preg_match("/reverse\.theplanet\./",$hote)&& $page_referer==""))
{
 header("Location:confirmer.php?requested_file=$page_self");
 die();
}
}
/*Code of the requested page follows*/

In case of confirmation, the form in the confirmation page redirects to the requested page thanks to the variable requested_file.

About 5% of the redirected requests are followed by a confirmation.

Looking for the sender

You can also complain by looking at the sender's IP address or host (in the header, properties or source of the message) and finding the origin of the message thanks to IPNetInfo or ADVwhois or eXpress IP Locator button IP Whois.

To get full explanations, appropriate tools and much work, you can download spamspade.

Things are getting more difficult as it seems that some viruses (as Netsky, Bagle, Zafi, Mydoom...) collect (from your contacts' address books) valid email addresses for "spam", "phishing" or "scam" and are now able to spoof all the information of the header, even the sender's IP address. However I couldn't verify it from the few headers that I sometimes download.

Email address encoder

Enter an email address to encode

Click on Encode

The code to copy and paste will appear here

Encoding a list of addresses

If you have many addresses to encode, you can use a javascript function.

<script type="text/javascript"> <!-- /*<![CDATA[*/ function display_email(text_1,text,name,ISP) { var tg="<"; var at="@"; document.write(text_1+tg+"a hr"+"ef=mai"+"lto:"+name); document.write(at+ISP+">"+text+tg+"/a><br />"); } /*]]>*/ --> <!-- The function above is called when necessary --> <!-- If this list is between <ul> or <ol> tags, you have to add "<li>"+ before text_1 and replace <br /> by </li> in the function. View the page source if you want to use a table --> </script> <!-- <script type="text/javascript"> /*<![CDATA[*/ document.write("<b>Contacts :</b><br />"); display_email("Contact 1: ","name of contact 1","name1","ISP1.co.uk"); display_email("Contact 2: ","name of contact 2","name2","ISP2.net"); display_email("Contact 3: ","name of contact 3","name3","ISP3.com"); //etc /*]]>*/ --> </script>

If you have to align, you will have to edit the code and use a table: