
Simon Willison’s Weblog

New form of spam protection

I’ve had an idea for a new way of hiding email addresses from spam harvesters—shield the address behind a form that must be submitted via POST. Site visitors can now click a button on my Contact page to reveal my email address. Spammers could always circumvent the system by writing a harvester that parses HTML pages for forms and submits every single one, but I’m hoping they won’t bother.

This is New form of spam protection by Simon Willison, posted on 11th September 2002.


11 comments

  1. Hehe, very clever. My plan is to put my e-mail address in a PGP-encrypted, gzipped PDF available through ftp. I wonder if spammers can write a script for THAT.

    Micah - 12th September 2002 06:38 - #

  2. Simon, I went for a solution even simpler: once the form has been submitted, send back to the user a header("mailto:foo@bar.baz"); and their mail client will pop up. It works in Lynx too, tested.

    Antonio Cavedoni - 12th September 2002 10:31 - #

  3. I just don't see this as a solution - the thinking is that spammers won't be able to get your email address - true, but that isn't actually their main goal - their goal is to get messages through to people and automating a form submission isn't too hard I don't think

    john - 12th September 2002 23:16 - #

  4. How do I "send back to the user a header("mailto:foo@bar.baz")"? Thanks

    haremking - 11th December 2003 02:22 - #

  5. Using PHP, sending back a header is as simple as using the header function, as demonstrated in the PHP script included below. However, using PHP I found that I had to send the header "location: mailto:foo@bar.baz" for it to work (instead of just "mailto:foo@bar.baz").

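    <?php
    	// Reveal the address only in response to the form's POST.
    	if( isset( $_POST['retrieve'] ) )
    	{
    		header("location: mailto:foo@bar.baz");
    		exit;
    	}
    	else
    	{
    ?>
    <html>
    <head><title>Mailto test</title></head>
    <body>
    <!-- PHP_SELF is escaped because it reflects the requested URL -->
    <form action="<?php echo htmlspecialchars( $_SERVER['PHP_SELF'] ); ?>" method="post">
    <input type="submit" name="retrieve" value=" Retrieve " />
    </form>
    </body>
    </html>
    <?php
    	}
    ?>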
    

    Jonas Rabbe - 5th February 2004 11:38 - #

  6. Just a follow-up on my previous comment. After making the php script I included in the comments above, I thought a little about it, and revised the form to be:
    <form action="mail.php" method="post" name="emailform">
    <input type="hidden" name="retrieve" value="1" />
    </form>
    
    furthermore, I have included a javascript:
    <script language="javascript">
    <!--
    function email()
    {
    	document.emailform.submit();
    }
    
    // -->
    </script>
    
    This enables me to make email links in the form <a href="javascript:email();">email me</a> and that makes me happy. The functionality is the same as clicking on a mailto link. For completeness the mail.php file contains the following php code:
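    <?php
    	// Form POST: redirect to the mailto: address.
    	if( isset( $_POST['retrieve'] ) )
    	{
    		header('location: mailto:foo@bar.baz');
    	}
    	// Direct visit: send the browser back to the homepage.
    	else
    	{
    		header('location: http://www.bar.baz');
    	}
    ?>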
    
    The else clause forwards a user, who goes to www.bar.baz/mail.php through the browser, back to your homepage. If you have any questions that aren't covered in these two posts, go to my page and click the "contact" link in the menu to send me an email. smile - Jonas

    Jonas Rabbe - 5th February 2004 12:28 - #

  7. Just testing

    Terry - 17th February 2004 01:45 - #

  8. asdf

    asdf - 5th March 2004 13:49 - #

  9. New lines are not converted to breaks; use paragraph tags instead. XHTML must be well formed. The following tags are allowed: a, p,

    cliparts - 6th November 2004 19:01 - #

  10. John,

    Sorry it was so long ago, but I thought I would reply for posterity's sake. You said:

    "I just don't see this as a solution - the thinking is that spammers won't be able to get your email address - true, but that isn't actually their main goal - their goal is to get messages through to people and automating a form submission isn't too hard I don't think"

    I would have to disagree, at least partially. The people who are implementing spidering tools to snag your e-mail address from a Web page are not *necessarily* the spammers themselves, but are usually/often/sometimes/occasionally/rarely those who are harvesting the e-mail addresses to sell to spammers. Their end goal is not to spam you, but rather, to have a nice, long list of valid e-mail addresses they can sell for mucho dinero.

    Simon,

    What I have done is to entirely remove my e-mail address in any form from my site. It is entirely gone (thank you PHP!). Instead, I have a form where a user can select who they want to send the e-mail to (me at home, me at work, or any other description I wanted to add there) and then they submit the form. The e-mail addresses are entirely hidden in the PHP and the sender of the e-mail would only see my e-mail address if I were to respond to his/her e-mail.

    That way, I am entirely protected (at least from address harvesters, as mentioned above).

    BTW, sorry I'm so late to the party on this. I just came across this article.

    Nathan Logan - 3rd December 2004 17:04 - #
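
The contact-form approach described in comment 10, as an added example (not code from the post or from any commenter): the form submits only a recipient key, and the addresses stay in the server-side script. The keys, addresses and field names are constructed placeholders, and passing headers to `mail()` as an array assumes PHP 7.2 or later.

```php
<?php
// Added example. Recipient keys, addresses and field names are constructed.
const RECIPIENTS = [
    'home' => 'home@example.org',
    'work' => 'work@example.org',
];

// Return a trimmed single-line string, or null for non-strings and CR/LF
// (which would let a submitter add mail headers of their own).
function header_safe($value): ?string
{
    if (!is_string($value) || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return trim($value);
}

// Return [to, subject, body, headers] for mail(), or null if input is invalid.
function build_message(array $post): ?array
{
    $key     = $post['to'] ?? null;
    $from    = filter_var($post['from'] ?? null, FILTER_VALIDATE_EMAIL);
    $subject = header_safe($post['subject'] ?? null);
    $body    = $post['message'] ?? null;
    // Only a known key selects a recipient; the address never comes from input.
    if (!is_string($key) || !array_key_exists($key, RECIPIENTS) || $from === false
        || $subject === null || $subject === '' || !is_string($body) || $body === '') {
        return null;
    }
    // The visitor's address goes in Reply-To; From is a fixed site address.
    $headers = ['From' => 'webform@example.org', 'Reply-To' => $from];
    return [RECIPIENTS[$key], $subject, $body, $headers];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $msg = build_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid submission.');
    }
    mail($msg[0], $msg[1], $msg[2], $msg[3]);
    exit('Message sent.');
}
?>
<form method="post">
  <select name="to"><option value="home">Home</option><option value="work">Work</option></select>
  <input name="from" type="email"> <input name="subject">
  <textarea name="message"></textarea> <input type="submit" value="Send">
</form>
```

Because the recipient is looked up from a fixed list, the form cannot be used to send mail to arbitrary addresses, and no address appears in the page source.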

  11. Looking at all the trouble people (bots) go through to get the email address of a website, it's very very simple to write a small script that could post your form to get your email address. To me this is a sure no go.

    Henrik Gemal - 7th April 2005 07:03 - #


Previously hosted at http://simon.incutio.com/archive/2002/09/11/newFormOfSpamProtection
