How to show email addresses on the website to avoid spams?
Solution 1
There are multiple different choices for hiding emails on websites, commonly using either the HTML entity version of the email address (as Aziz-Saleh suggested), but from an actual web design point of view, just putting the email address like that on a website isn't the most user friendly thing to do.
For instance, the mailto:
link automatically triggers the browser to open the user's Email Application of choice - but consider this. Not everybody has a dedicated email application. For instance, I don't use Outlook (I'm a Windows user), and unless I have Windows Live Mail installed, my computer can't open that link. I think Chrome can open the links into GMail if you're signed in, but I would need to check that.
Ultimately, by using mailto:
, you are potentially alienating a portion of your userbase that will not be able to use that link in the first place.
I would suggest using email forms, and there are plenty of easy-to-follow tutorials available for both PHP and your language of JSP
, such as this link here: Sending Email in JSP and even on StackOverflow
By using your server to send the email, you get tighter control over how the email is generated, what data the user is allowed to put in, and you could even send them a return email (generated by the server) to confirm that you have received their message. This is a tried-and-tested real-world method of allowing customers and visitors to contact you, whilst still giving you protection and control over the entire process.
TL;DR: Raw mailto:
links might alienate people without dedicated email programs, whereas if you use JSP forms, you can control how they contact you, with what information (you can use fields and the HTML5 required
attribute to mandate certain input fields) and you can even respond with a do-not-reply
email so they know their message was heard (just don't forget to ask for their email address)
Solution 2
In the past I have seen this done with javascript. Basically you assign the email address to javascript variables and change the contents of an element using these. You can also provide a fallback for users with javascript disabled which points them in the direction of a form if you need to. Here's an example
var user = 'foo',
domain = 'bar.com',
element = document.getElementById('email');
element.innerHTML = user + '@' + domain;
//OR
//'<a href="mailto:' + user + '@' + domain + '">Email</a>'
This way bots never see the email address as they do not load javascript.
Solution 3
Well, you can figure out a different way every day. Here's one using jQuery.
<a class="mail" href="mailto:[email protected]">e-mail</a>
Then handle the click with jQuery.
$('a.mail').on('click', function(){
var href = $(this).attr('href');
$(this).attr('href', href.replace('badmail.', ''));
});
The reason I like this is that I can let the spammers spam the dummy mail domain thinking they got yet another e-mail harvested. If I was maintaining my own spam filter, I could collect samples to my bad bucket.
Also, this approach allows you to render the page quite clean with dynamic data and simply have the javascript snippet only once on the whole site to handle the real user clicks.
Works also on mobiles.
Solution 4
The trouble with the JavaScript solutions is that people with JS turned off will also not see the email address. Albeit a minority you need a combination of techniques for the best results.
Many of these techniques are detailed here, but I have provided the solutions only: https://www.ionos.co.uk/digitalguide/e-mail/e-mail-security/protecting-your-e-mail-address-how-to-do-it/
Comments
<p>If you have any questions or suggestions, please write an e-mail to:
us<!-- abc@def -->er@domai<!-- @abc.com -->n.com.
</p>
Hidden Spans
<style type="text/css">
span.spamprotection {display:none;}
</style>
<p>If you have any questions or suggestions, please write an e-mail to:
user<span class="spamprotection">CHARACTER SEQUENCE</span>@domain.com.
</p>
Reverse Strings This may not be friendly for multilingual sites.
<style type="text/css">
span.ltrText {unicode-bidi: bidi-override; direction: rtl}
</style>
<p>If you have any questions or suggestions, please write an e-mail to:
<span class="ltrText"> moc.niamod@resu</span>.
</p>
JavaScript as in many other answers
<script type="text/javascript">
var part1 = "user";
var part2 = Math.pow(2,6);
var part3 = String.fromCharCode(part2);
var part4 = "domain.com"
var part5 = part1 + String.fromCharCode(part2) + part4;
document.write("If you have any questions or suggestions, please write an e-mail to:
<href=" + "mai" + "lto" + ":" + part5 + ">" + part1 + part3 + part4 + "</a>.");
</script>
ROT13 Encryption JavaScript dependant but also helps with GDPR as it's encrypted.
<script type="text/javascript">
function decode(a) {
return a.replace(/[a-zA-Z]/g, function(c){
return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13)
? c : c - 26);
})
};
function openMailer(element) {
var y = decode("znvygb:[email protected]");
element.setAttribute("href", y);
element.setAttribute("onclick", "");
element.firstChild.nodeValue = "Open e-mail software";
};
</script>
<a id="email" href=" " onclick='openMailer(this);'>E-mail: please click</a>
CSS Only Borrowed from here: Protect e-mail address with CSS only
<!doctype html>
<html>
<head>
<title>Protect e-mail with only css</title>
<style type="text/css">
.e-mail:before {
content: attr(data-website) "\0040" attr(data-user);
unicode-bidi: bidi-override;
direction: rtl;
}
</style>
</head>
<body>
<span class="e-mail" data-user="nohj" data-website="moc.liamg"></span>
</body>
</html>
Solution 5
Solution 1:
You can use many publicly available email address encoders like (first result on google):
http://www.wbwip.com/wbw/emailencoder.html
This encodes the emails into their character entity value, this will require more logic form scrapers to decode it.
So an email like: [email protected]
becomes test@gmail.com
which can be used in a mailto as well.
Solution 2:
Use an online email to image converter (again first result on google):
http://www.email2image.com/Convert-Email-to-Image.aspx
To make it as an image. Other services enable you to do this automatically via an API like:
https://www.mashape.com/seikan/img4me-text-to-image-service#!endpoint-Main
Jack
Updated on January 15, 2021Comments
-
Jack over 3 years
I show email on my website as following
<a href="mailto:[email protected]">Email</a>
But I read the following while analysing my website using woorank.com, what should I do to avoid this?
Malicious bots scrape the web in search of email addresses and plain text email addresses are more likely to be spammed.
-
tripleee about 10 yearsPHP would not be my platform of choice, but the fundamental approach of using a contact form solves (this part of) the problem elegantly. Next up, combatting form spam. In addition to adding a CAPTCHA, of course, similarly make sure that the form's source does not reveal any email address.
-
tripleee about 10 yearsAny bot worth their salt will be able to crack encoded emails. It is surprising that not all of them do, but in the general case, this is not a safe option. If you go for it anyway, picking a less popular variant is probably going to last longer.
-
Jack about 10 yearsyou are right but the only problem of using a "contact page" is that users wont be able to add my email address to their contact list; therefore, everytime they want to send an email need to visit the website.
-
Singular1ty about 10 years@JackMoore, ah okay, well that's an interesting situation. I would suppose that's a little unusual, although what you could do, is when you send the email back to the user, you can set the Header of the email to your own email address, which will then allow the user to add it as a contact (instead of always using do-not-reply or similar)
-
Guntram Blohm about 10 yearsI strongly suggest not using contact pages. Typing into much too small form fields is a hassle, not being able to attach anything as well, and i guess the percentage of people who want sent mail in their sent folder is much higher than the percentage of people who do not use a mail program.
-
Guntram Blohm about 10 yearsThis will prevent an unsophisticated user from getting the mail address off the source code of your web site, but it won't prevent a bot at all.
-
SigmaSteve over 7 yearsI think this approach is excellent. If you're displaying the email address rather than 'e-mail' though then be sure to use an image converter.
-
Isaac Rabinovitch about 6 yearsAnd no longer works, because it relies on the old version of ReCaptcha. I wish the different parts of Google would talk to each other.
-
Socowi almost 6 yearsThe General Data Protection Regulation (GDPR) is another point against contact pages.
-
lmenus almost 6 years@Socowi How so?
-
Socowi almost 6 years@lmenus Since the user has to enter her eMail address into the form, the website owner has to make sure to handle her eMail address accordingly to the GDPR. The users eMail address has to be encrypted before being sent to the server (shouldn't be a problem. Your website should use https anyway). The user has to be informed about how her eMail address is used, how long it is stored and so on.
-
Eoin over 4 years@Socowi would you also have to inform the user of that information if they are using a mailto link? Pretty much any digital interaction would require that.
-
Eoin over 4 yearsBut if people have disabled JS then they also can't see the link. Needs to be a fallback for that purpose. It can be achieved with
<a href="mailto<!--comment-->me@
... or<a href=""><span class="hidden">text</span>
-
AlainIb over 4 yearsi used your CSS Only solution thanks. nowadays did realy people disabling JS ? all websites use it a lot ( we can say it's mandatory )
-
Eoin over 4 yearsI agree, but some people do. I wouldn't say the CSS only version is the best or most secure. I'd honestly use a combination.
-
JustinLovinger about 4 years@Eoin No. Your server doesn't see their email if you use a mailto link, so it isn't subject to GDPR.
-
Eoin about 4 years@PaintingInAir it's not relevant to the server. If someone sends you an email you are obliged to protect that personal information. You are not allowed to add them to a mailing list without permission or a very good reason, you are not allowed to publish the email around the web. If you never hear from them ever again, you are kind of supposed to delete the email address after a while. Pretty impractical, but the same rules apply whether you acquire the email via a form or otherwise. Just a few extra technical details apply if you are using a form.
-
Eoin about 4 years@AlainIb the reason many people disable it is because of tracking e.g. Analytics, Facebook, Adverts etc.
-
vrugtehagel about 4 yearsIt will also prevent disabled users from being able to send you an email.
-
OutstandingBill almost 4 yearsI found the reverse string idea interesting. It didn't work for me though because it reverses again when you copy from the page.
-
Eoin almost 4 years@OutstandingBill we aren't protecting against copy and paste though, we are protecting against bots. That doesn't mean your point is not valid, I don't really know the answer. What I would say, is that these types of solution where it is really obfuscation as opposed to true security aren't usually the most secure. I'd go with a JavaScript solution usually.
-
Davy Baert almost 3 yearsJust make the mailto link with a readable email address. <a href="mailto:{email}">{email}</a> This way people without an email client can just copy paste. Contact pages also need to be protected with captcha which is annoying for the end user. And as mentioned you are now responsible for the storage of the users' personal information, AND making sure their message reaches you correctly. I'm all for mailto links if I can get away with it :p But scraping is a big problem.
-
Davy Baert almost 3 yearsI like these kinds of solutions where you give the spammer false positives. Always better than giving them a challenge they'll most likely accept :p
-
Davy Baert almost 3 yearsI agree, unless your e-mail is super simple. ([email protected]) I won't use images, people won't bother with typing it over. Or make mistakes in the process.
-
A.Alessio over 2 yearsHi, I am not very familiar with JS. Could you please explain shortly your code? I am especially interested in the part with
<a href=mailto:{{[email protected]}}>{{[email protected]}}</a>
. Are the bots thanks to this code gonna get the address of cia/fbi and send the spam e-mail to them then? Thank you in advance. -
Herman Toothrot about 2 yearsDoes adding the reversal string invalidate some of the benefits of using JS encryption?
-
Eoin about 2 years@HermanToothrot I'm not really sure. I wouldn't consider it an amazing solution, but bots won't worry about CSS as it's styling only that's why it works.
-
Nabil Kadimi about 2 years@A.Alessio Hi! I added an explanation