James Thornton
mailto: for Spam Prevention
I hate spam almost as much as I hate city traffic so I don't use mailto: links on my website. If you don't know the problem with mailto: links, read Why No mailto?, by Jakob Nielsen.
Several years ago, I thought of using mailto redirects to reduce spam by separating e-mail addresses from Web pages while still providing a way for users to click an e-mail address link and have it open their local mailer. Instead of using a mailto: link, I use a script that redirects to a mailto: URI, similar to how you would redirect to a Web page (for more complete protection, combine a mailto redirect with a Graphic@):
| | HTML Code | Rendered Link |
|---|---|---|
| Normal mailto: | `<a href="mailto:fakeuser@electricspeed.com">Fake User</a>` | Fake User |
| Redirect mailto: | `<a href="/email/?u=james&d=electricpspeed.com">James Thornton</a>` | James Thornton |

Note: Do NOT send e-mail to fakeuser@electricspeed.com, it is a spamtrap.
Upon a mailto: redirect, IE 5.5+ and Mozilla 5.0+ browsers may change the browser window to a blank page as they open the e-mail software -- Opera and older versions of Netscape and IE handle the mailto: redirect without drama. Regardless, hitting the back button returns you to the page that you were on. Also, Salvatore Previti came up with a solution to circumvent this issue by including an iframe and setting it as the target of the redirect-mailto hyperlink. While not all browsers support iframes, the newer browsers do, and these are the browsers with the issue. I have included an iframe example in the OpenACS example located in "Graphic @ for Spam Prevention".
Here's some example code:

```perl
#!/usr/bin/perl -w
# redirect-mailto.pl
use CGI qw(:cgi);
# Read the user and domain parts from the query string
$user = param("u");
$domain = param("d");
print redirect( -URL => "mailto:$user\@$domain" );
```

AOLserver needs this patch to nsd/return.c; otherwise, it includes the mailto: link in the server response.

```tcl
# redirect-mailto.tcl
set_form_variables
ns_returnredirect "mailto:${u}@${d}"
```

```php
<?php
// redirect-mailto.php
header("Location: mailto:$_GET[u]@$_GET[d]");
?>
```

```cfm
<!--- redirect-mailto.cfm --->
<cflocation url="mailto:#URL.u#@#URL.d#">
```

```asp
<%
'redirect-mailto.asp
response.redirect("mailto:" & Request.QueryString("u") & "@" & Request.QueryString("d"))
%>
```
Place this script in a directory such as /email, and for extra protection, put the /email path in your robots.txt file to exclude obedient robots from crawling it and grabbing the output of the link. You could even include some code that compares the user agent to those listed in http://www.robotstxt.org/wc/active/all.txt, and if it is a robot, return nothing.
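A hardened form of the redirect scripts above, combined with the robot check just described, as an added example in Python (not the author's code). The scripts above copy `u` and `d` into the `Location` header verbatim, so this version accepts only a plain local part and a domain from a fixed list, which keeps CR/LF and extra `mailto:` fields such as `?subject=` out of the header. The function name, `ALLOWED_DOMAINS` and `ROBOT_TOKENS` are assumptions; the token list is a constructed stand-in for the robotstxt.org list.

```python
import re
from urllib.parse import parse_qs

# Assumptions for illustration, not values from the original page.
ALLOWED_DOMAINS = {"example.com"}          # domains this site redirects to
ROBOT_TOKENS = ("bot", "crawler", "spider", "slurp")  # stand-in robot list
LOCAL_PART = re.compile(r"[A-Za-z0-9._+-]{1,64}")


def mailto_redirect(query_string, user_agent=""):
    """Return (status, headers) for a request to /email/?u=...&d=..."""
    # The page's suggestion: if the client is a robot, return nothing.
    ua = user_agent.lower()
    if any(token in ua for token in ROBOT_TOKENS):
        return "204 No Content", []

    params = parse_qs(query_string, keep_blank_values=True)
    users = params.get("u", [])
    domains = params.get("d", [])
    # Require exactly one value each; repeated parameters are ambiguous.
    if len(users) != 1 or len(domains) != 1:
        return "400 Bad Request", []

    user = users[0]
    domain = domains[0].lower()
    # fullmatch() rejects CR/LF (response header injection) as well as
    # '?', '&', ',' and '%', which would add headers or recipients to
    # the generated mailto: URI.
    if not LOCAL_PART.fullmatch(user):
        return "400 Bad Request", []
    # Only redirect to addresses at the site's own domains, so the
    # endpoint cannot be used to build mailto: links for arbitrary hosts.
    if domain not in ALLOWED_DOMAINS:
        return "400 Bad Request", []

    return "302 Found", [("Location", f"mailto:{user}@{domain}")]


if __name__ == "__main__":
    # Constructed sample requests
    print(mailto_redirect("u=james&d=example.com", "Mozilla/5.0"))
    print(mailto_redirect("u=james%0d%0aX-Injected:1&d=example.com"))
    print(mailto_redirect("u=james&d=example.com", "ExampleBot/1.0"))
```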
This redirect method works slick...and the iframe trick works fine for IE6, but...the iframe trick fails if the originating email link was inside a javascript-launched popup window. After calling the email client, the popup window goes blank. Odd. Any thoughts to a work-around solution? Thx...
-- Gary Varner, July 1, 2003
Bravo, this redirection method is the only Spam protection I have seen that works with every browser. I do suggest an alternate implementation method for those pages of HTML not using any server side includes, preventing any easy browser version detection for iframes use. Instead I used a JavaScript popup timed to self close with the redirect script like this: <A href="../mailto.pl?u=name&d=domain" onclick="return Timeout_popup('../mailto.pl?u=name&d=domain');return false"> display_name</A> The "return false" may be included in Timeout_popup (whichever JavaScript popup script you choose to use). "Return false" stops the browser from also using the "href=" link. The popup self closes whether the browser blanked it or not. For browsers that don't support JavaScript onclick, the "href=" then opens correctly. The only downside is that if the browser is one of the misbehaving 5+ and also has JavaScript support turned off, it will still blank the current window requiring use of the back button. But this seems a reasonable working solution even in that case.
-- David Dodson, December 4, 2003
Use the services of:
to generate your own redirecting email addresses without the need to host your own scripting program. Just be sure to:
1. Include a mailto: in front of the submitted email address, and
2. Only use standard keyboard characters, such as: lower-case a through z and 0 through 9 and =equal=sign= and ?question?mark? and &ampersand& and %percent%sign% and 'single'quotation'mark'

For example:
I want to convert this address into a tinyURL equivalent:
mike@some.where?subject=Hello&body=Wassup%20Mike?
So, I go to http://tinyurl.com/ and enter this string of characters into the "Enter a long URL to make tiny:" toolbox:
mailto:mike@some.where?subject=Hello&body=Wassup%20Mike?
and hit the Make TinyURL! button, and voila!, the next page that gets generated will display my input string and its tinyURL equivalent registered in their database:
Now all I have to do is use it instead of its original mailto:email@address hyperlink and kiss those spammers goodbye!
Hint:
Anything you enter into tinyURL's "Enter a long URL to make tiny:" toolbox will get converted, so don't enter anything which might pose a problem for some browsers. For example, this will pose a problem in my Opera browser 5.11 for Windows98 by giving me an "illegal url" message after I get its tinyURL and use it on a webpage (the problem won't immediately show up when tested from tinyURL's generated output page):
señor.rodriguez@some.where-else (this may give no error, but we haven't substituted its tinyURL equivalent, yet)
http://tinyurl.com/69s83 (test this link and see what happens in your browser.....)
No problems, yet, maybe? But what if we put the non-standard character in the subject?:
señor.rodriguez@some.where-else?subject=Attention%20to:%20Señor%20Rodriguez
And then test its tinyURL equivalent:
But, replace the tilde 'n' with the letter 'n', or the more phonetically rendered: 'ni', and no problems will occur:
senior.rodriguez@some.where-else?subject=Attention%20to:%20Senior%20Rodriguez
And then test its tinyURL equivalent:
This next example isn't illegal in my browser, but it sure doesn't give the intended result. It's also unnecessary to add any additional protection through the use of HTML code, since we're already using http:// redirection. Although using mailto: instead of mailto: and @ instead of @ symbols and . instead of .periods. is another way to fool those spammers. (Notice how I get away without using a semicolon at the end of each of the HTML codes for each of the seven characters of mailto: but is required at the end of that string of codes.)
HTML code as it is viewed (and skipped over) by the email address, harvesting webbot:
<a href="mailto:me@some.where-else">mailto:me@some.where-else</a>
So, we mistakenly and unnecessarily go to http://tinyurl.com/ and enter the character string:
mailto:me@some.where-else
and get its tinyURL:
http://tinyurl.com/5sj4u
The surfer sees this link behind this link-text in his browser (hover your cursor over the link to view its URL and then click on it):
mailto:me@some.where-else
Doesn't work? Does it? The browser is busy looking up a host name called: mailto:me@some.where-else
But if we put a mailto: in front, rather than all that HTML code for mailto: and only use the HTML code for the @ symbol and .periods. using this:
mailto:me@some.where-else
then clicking on this:
will either produce an unintended yucky mess, or worse, your browser will complain again that this is illegal!
-- Vinyasi ---, November 25, 2004
Instead of using http://tinyurl.com, you can use http://shurl.org
Reason: With Shurl.org it's possible to use your own name in the url. If your e-mail address is someone@somewhere.com then your Shurl.org url may be http://shurl.org/someone that redirects to mail:someone@somewhere.com
-- Jan Swartling, November 30, 2004
Prevent e-mail from harvesting your e-mail addresses just to make your Gif email: STOP SPAM - Make Your Email Invisible to SPAMMERS
-- Vladimir Bosev, August 6, 2005
I tried a different approach, which - like most approaches - has some limitations, that might be overcome by putting some more work into this. One of them is, that this can be only used on php pages.
Three steps to a secure mailto: link.
First of all, add a <?php include("spamprot.php"); ?> onto the top of your page ( content revealed later on )
Then add this piece of javascript to the document with the mailto link in it:
```html
<script language="javascript">
function Protect() {
  // The cookie set by spamprot.php holds the URL-encoded mailto: address
  var st = document.cookie;
  var mylink = document.getElementById("mylink");
  st = st.replace("%40", "@");
  st = st.replace("%3A", ":");
  st = st.replace("mail=", "");
  mylink.href = st;
}
</script>
```
The link in the body is declared this way: <a href="" id="mylink" onclick="javascript:Protect();" >Mail me</a>
The content of the spamprot.php is this: <?php setcookie("mail","mailto:admin@artviper.ch"); ?>
I tried to read out the email with several tools, php scripts and others - nothing. The email keeps hidden.
Any questions, ideas, criticism? http://www.artviper.net
-- Frank Herget, May 28, 2006
What about when the robots become smart enough to decode the email address out of the syntax of your redirect? If enough people use this method, then it will be inevitable. [1960's monotone robot voice] resistance is futile! [/1960's monotone robot voice]
-- Brendan Ford, June 18, 2008