Security of obfuscated mailto link

I want to put a single mailto link in a footer. Using plain text invites spamming, so I’ve been looking for some obfuscation method. Those I’ve tried so far produce a link that opens my e-mail client successfully, but I can see the plain text version in the browser status bar when I hover over the link. Won’t a bot see exactly the same?

Thanks for your reply.
I realise nothing’s perfect, I just don’t want to be wide open to spamming.
I’ve seen schemes that create hex code, but that looks too easy to circumvent. It’s not clear to me why a JS solution should be any better, since the code is presumably there for all (bots) to see if they wish?

I sometimes use JavaScript to obfuscate email addresses. All the bots see is the gobbledygook code in the HTML. There’s no surefire way to obfuscate an email address (short of not placing it in the HTML).

I often use this encoder form, which is very handy. It turns the email address (or HTML code if you want to encode more) into what looks like gibberish in HTML, and that’s what the bots see, but the browser is able to turn it back into a readable email address:

Enkoder

So the only spammers who can misuse the email address are the flesh and blood ones sitting at their computer and manually spamming. But they do a lot less damage than the bots.

The alternative, of course, is to use a form, in which case the email address can be hidden altogether. But like everything else, that’s not a perfect solution either, as some people will mistype their email address etc. :frowning:

Thank you. I’ve now tried ‘enkoder’ and it certainly does the stuff to the point of displaying the link correctly.
I’ve always understood that crawlers saw the web page ‘just as the browser sees it’, which I took to mean that everything would be seen in its rendered form, negating any JS coding like ‘enkoder’. But from what you say, this isn’t true?
As you say, I could use a form, but this is only a link in the footer back to me (the designer), and I don’t want to make it any harder for legitimate users.

As an aside, we do have a form on this web site, for visitors to respond (the site lists tourist accommodation). The accommodation e-mail addresses are held in a MySQL database, and we still get the occasional spammed ‘enquiry’. It’s not yet reached the point where we’ll introduce a CAPTCHA.

Just use a non-personal address, get a decent mail service [READ: google apps for domains], let service worry about spam and call it a day.

Yes, but not as the browser renders it. The browser sees it as code.

we still get the occasional spammed ‘enquiry’.

Yes, probably because some spammer is manually filling out the form.

It’s not yet reached the point where we’ll introduce a CAPTCHA.

Captcha is horrid, and really just makes life harder for all the legitimate users. There are better options, in my view, like a ‘honey pot’ field that is hidden from most users and designed to trip up the bots.

Thank you.

Yes, I’d rather hoped that these occasional bouts of spamming were being done manually. Clicking a link in each accommodation listing opens the form, and when this is submitted the script extracts the appropriate address from the database and sends the e-mail (though the address is never displayed). Surely a bot could do that too?

I entirely agree that CAPTCHA is horrid. I’m not familiar with ‘honeypot’ fields, but I’ll have to find out more.

Honeypots are great IMHO.

When a bot fills out a form, it fills in every field. So you put in a hidden field (display: none) and then set a rule in the PHP that if that field is filled in, the form aborts. In the rare cases that someone will have CSS turned off (and can thus see the honey pot field), you can either leave a message: “don’t fill in this field!” or you could say “what is 5 plus five?” and allow for the answer 10/ten. To trick the bot, you can give the form field a name of “email” or something like that, so the bot thinks it’s meant to stick an email address in there.

With this method, I’m sure I’ve never had a single bot attack in any form I’ve put online.
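The server-side rule described in the post above, written out as an added example (not code from the thread or from any of its posters). Field names, the question wording and the sample submissions are assumptions: the decoy input is named "email" so a form-filling bot will paste an address into it, the real address field is named "contact", and the decoy’s label asks "What is 5 plus five?" so a visitor who can see it (CSS off) can still get through.

```javascript
// Honeypot check for a contact form (added example, not the thread's code).
// Assumed layout: <input name="email"> is the decoy, hidden with display:none,
// labelled "What is 5 plus five? (leave blank if you can't see this)".
const HONEYPOT_FIELD = "email";
const ACCEPTED_HUMAN_ANSWERS = new Set(["10", "ten"]);

// Classify one submission. `fields` is the parsed POST body (name -> value).
// Returns { accept: true } or { accept: false, reason: "..." }; the reason is
// what you would log for later review, not show to the submitter.
function checkHoneypot(fields) {
  const raw = fields[HONEYPOT_FIELD];
  if (raw === undefined) {
    // A browser submits hidden inputs too, so a body without the field did
    // not come from the form (e.g. a script posting only the fields it knows).
    return { accept: false, reason: `honeypot "${HONEYPOT_FIELD}" absent` };
  }
  const value = String(raw).trim().toLowerCase();
  if (value === "") {
    return { accept: true };                 // untouched: the normal human case
  }
  if (ACCEPTED_HUMAN_ANSWERS.has(value)) {
    return { accept: true };                 // CSS off, but answered the question
  }
  // Anything else (typically an e-mail address) means the decoy was filled
  // blindly; abort the form.
  return { accept: false, reason: `honeypot "${HONEYPOT_FIELD}" filled: ${raw}` };
}

// Constructed sample submissions, one per case the post describes.
const SAMPLE_SUBMISSIONS = {
  humanWithCss: { name: "Ann", contact: "ann@example.com", message: "Is room 3 free?", email: "" },
  humanNoCss:   { name: "Bob", contact: "bob@example.com", message: "Prices?", email: "Ten " },
  bot:          { name: "buy now", contact: "x@example.net", message: "http://spam.example", email: "x@example.net" },
  scriptedPost: { name: "buy now", contact: "x@example.net", message: "http://spam.example" },
};

// Run every sample and return label -> accept flag.
function classifyAll() {
  const out = {};
  for (const [label, fields] of Object.entries(SAMPLE_SUBMISSIONS)) {
    out[label] = checkHoneypot(fields).accept;
  }
  return out;
}
```

Put the decoy near the top of the form rather than at the end, since a bot that stops part-way through would otherwise never reach it.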

Thanks. That seems a brilliantly simple idea. I’ll give it a go.

Here’s one link I have on the topic, though I think it says more than strictly needed:

Protecting Forms from Spam ‘Bots - Beast-Blog.com

Many thanks for your help. I’ll follow it up as soon as I can. It must be late (or early) in Australia!

When a bot fills out a form, it fills in every field.

Not always. I’ve had plenty of forms where the bot, for whatever reason, stopped halfway through (and so missed the honeypot, which was nearly the last question).

So I put those honeypots near the tops of forms.

Also, display: none, when used on form elements, is one of those rare occasions where a screen reader will still render the elements. So always have a label explaining as if the user sees the label/input normally.

You can also mix a honeypot with a bit of Javascript. On some of the forms on the Fronteers.nl site, if you have Javascript on (whether with a screen reader or not) there is no honeypot to be found and you don’t have to fill anything in. But if you have Javascript off, the honeypot appears and you are told “Fill in No” (which I misread many times as “No fill in” which meant I kept hitting the spam gate, arg).

Be darned. Why do they do that?

Thank you, that’s very timely, as I’m just setting up testing my honeypot. I’ve hidden it by CSS positioning, so I fully expect a screen reader to find it.

I have set the input legend to say ‘Do not complete this field’, but I’m not sure that’s the best way to put it for those not fluent in English.

The default input text is blank, but I could equally put a message in there too, and test that it’s not been changed.

Be darned. Why do they do that?

No idea.

Juicy Studio: Screen Readers and display: none

I dunno about VO, but Orca and NVDA will also. And visibility: hidden as well.

I have set the input legend to say ‘Do not complete this field’, but I’m not sure that’s the best way to put it for those not fluent in English.

How do those not fluent in English fill out the rest of your form?

Fair question, but you don’t have to be FLUENT in English to follow legends like ‘Name’, ‘e-mail address’, but the instruction ‘Do not complete this field’ is probably harder to understand.

I’m sure your English is fluent, but you said yourself that you confused ‘Fill in No’ with ‘No fill in’ (and then presumably you DID fill it in, and fell foul of the trap as you say). I might have read the first as ‘Fill in number’!

Perhaps plain ‘Do not fill in’ would be a better choice of words in my case.

I just tested VO, and it skipped over the honeypot that was set to display: none.

Thanks for the link. :slight_smile:

As I mentioned, I decided to ask a simple question for those who can see the input field—something like a simple math question. Or maybe something like: “what color is a pink rose?” … although that might be too confusing, being such a weird question.

You linked to Mike Cherim earlier. He uses “Is fire hot?” which gets a pretty unanimous “yes”.

Got hit by some guy’s blog’s captcha-question: did you cry when littlefoot died? (or something like that). It was a set of radio buttons with “no” selected by default. Of course I didn’t answer it: I was informed that I was either a bot, or a psychopath : )

I decided to ask a simple question for those who can see the input field—something like a simple math question. Or maybe something like: “what color is a pink rose?”

Surely you need a question to which you can accurately predict the answer, without possibility of error? Or you could test for a range of answers, but why make it difficult?