Protecting Email Addresses on Your Website

« posted: October 04, 2007, 07:58:37 PM »


The Internet is, after all, a communications medium. You launch and maintain a website with the intention of getting your word out, and making it easy for people to find and communicate with you. Then the spammers come along and spoil things for everyone. Often when you send legitimate, but unsolicited email to someone, your message is rejected because it's not on their list of approved sources. That's a dumb solution, of course, but understandable when you check your inbox and the incomings just keep incoming ... and incoming ... and incoming - until you have tens or hundreds of junk emails to search through every day, and often miss legitimate messages that were buried in that mess.

Where does this junk all come from? How do these people get your email address?

Most of it comes from unscrupulous bulk mailers. They sell lists containing hundreds of thousands or millions of email addresses, and mailing services to equally unscrupulous clients. The general concept is this: "Hey, if I lay my $9.95 pitch on ten-million people, even if only 0.15% of them bite, I'll make almost a million and a half!" The trouble with this is that it often works, especially if the deal is a little on the shady side; for example offers for penny stocks, sexually oriented products, and offshore prescription drugs. Indeed, people who are greedy, but otherwise intelligent and successful, are still being swindled by the old "Nigerian Letter" frauds - believe it or not!

As long as there are buyers in any market, there will always be sellers. You have heard P.T. Barnum's famous quotation: "There's one (sucker) born every minute." We can therefore rest assured there will always be spam.

Bulk mailers use a couple of different ways to get email addresses. One of the oldest and simplest methods is "spambots." These are web crawlers similar to early search engine spiders, but which look only for email addresses. They then build and maintain mailing lists which they can sell to others. These can be targeted lists, since something about the geographical location and interests of the addressee can be inferred from the address itself (the location of the mail server) and from the nature of the website from which their email address was harvested. They occasionally ping each address to see if it is still valid, thereby easily keeping lists up to date.

You should provide email addresses for your board members, staff and other key people on your contact information page, and special contact links are often appropriate on other pages, such as news releases, program announcements, and special help pages. However, you should never ... NEVER ... do your friends and colleagues the disservice of publishing their email address in its regular form. If you do, you will be assuring that they will soon be receiving lots of junk mail. Here are two simple ways to avoid that.

Using HTML Entities

"&#64;" produces the "@" character
"&#46;" produces the "." character

Rather than list an email address as "," at the very least you should encode their email address using the HTML entities for the @-sign and the dot:

The address will display in the regular way (as in the above paragraph), but will not be recognized by simple spambots.

Using JavaScript

The above technique fooled spambots for a long time. But, of course, bulk mailers are not dumb. It's an easy matter for programmers to teach their spiders to recognize the simple methods webmasters employ in an attempt to evade them. A better method has therefore recently appeared which uses a simple JavaScript function to assemble email addresses from parameters passed to it. You do not need to know anything about JavaScript in order to make use of this method. Here is how this is done:

Ordinarily, you would use "mailto" links on your web pages. When clicked, these invoke a new message form via whatever email client your visitor is using. The regular form is:

<a href="">John Doe</a>

Instead of that, enter this:

<a href="javascript:AddrAssy('johndoe','');">John Doe</a>

Copy this little script and paste it in the "head" section of your page's HTML source, just above the </head> tag:

<script language="javascript" type="text/javascript">
// Assemble the mailto address from its two halves when the link is clicked.
function AddrAssy(xx, yy) {
     location.href = 'mailto:' + xx + '@' + yy;
}
</script>

By way of explanation - the "John Doe" hyperlink calls an address assembly script named "AddrAssy," passing two parameters, "johndoe" and "". The script receives these parameters and defines them as variables named "xx" and "yy." It then creates a conventional mailto link by concatenating the text "mailto:" and "@" with the variables in the appropriate order, to form a single string, which is then passed back to the hyperlink. The link then executes, and an email message form containing the correctly assembled and formatted address pops up.

Here is an example to demonstrate how easy this method is for anyone to use. This was achieved simply by copying the above link and JavaScript into this document. As you pass your cursor over the link below, notice what appears in the status bar beneath the window. Then click the link to see that it works just like an ordinary mailto link:

Send Email to John Doe

Internet Explorer Nuisance

When working on your web page using the latest versions of Internet Explorer, you will occasionally see this message pop up in a yellow warning bar:

"To help protect your security, Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer. Check here for options..."

Right-click the warning bar, then click "Allow Blocked Content ...", then click "Yes" to dismiss it. This nonsensical warning only appears when working with your page off-line. This nuisance will not appear after the page is uploaded to your web server, since IE will then be able to recognize the scripting content as harmless utility code.
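
The difference between the two methods described above can be checked against a page's own source before it is published. The audit below is an added example, not part of the original post: the address, the example.com domain and every function name other than AddrAssy are assumptions made for illustration.

```javascript
// Added example; the address and markup samples are constructed.
const ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// The page's first method: write "@" and "." as numeric HTML entities.
function toEntities(address) {
  return address.replace(/[@.]/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Decode &#NN; and &#xHH; references, as a browser (or an entity-aware
// crawler) does before reading the text. Invalid code points are left alone.
function decodeNumericEntities(html) {
  return html.replace(/&#(x[0-9a-f]+|\d+);/gi, (whole, ref) => {
    const code = /^x/i.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// Report addresses readable from static source without running any script.
function auditStaticSource(html) {
  const literal = [...new Set(html.match(ADDRESS) || [])];
  const decoded = [...new Set(decodeNumericEntities(html).match(ADDRESS) || [])];
  return { literal, entityEncoded: decoded.filter((a) => !literal.includes(a)) };
}

const address = 'johndoe@example.com'; // constructed sample address
const samples = {
  plain: `<a href="mailto:${address}">John Doe</a>`,
  entities: `<p>Contact: ${toEntities(address)}</p>`,
  addrAssy: `<a href="javascript:AddrAssy('johndoe','example.com');">John Doe</a>`,
};

for (const [name, html] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditStaticSource(html)));
}
```

An empty result for the AddrAssy markup shows only that the address is absent from the static source; it is obfuscation, and the two halves are still present on the page.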