4 Ways to Protect Email Addresses on Websites, That Don’t Really WorkWritten by Paul Cunningham on March 17, 2010
The Techbusy.org blog offers us 4 tips for hiding email addresses from spammers and hackers when displaying the address on a web page.
The reason behind it is simple – spammers use spiders (much the same as search engines do) to crawl web pages looking for email addresses in the familiar email@example.com format. When they find one they will add it to their address database and start sending it spam.
It’s true, and if you were to list your email address on your website it would quickly be discovered and you’ll start receiving spam. Of course it’s also true that most email addresses will receive spam shortly after they are created thanks to the many ways in which spammers find your email address.
The 4 techniques proposed by Techbusy.org fall into either the “security by obscurity” category (also known as “things that make you feel more secure but really don’t help”), or the “makes it harder for real people to email you” category.
The former is wasted effort, and the latter is not good for businesses who want to hear from potential customers via email. So let’s take a closer look at the 4 tips.
Write it differently – This means writing the address in a non-standard way, such as paul[@]exchangeserverpro[dot]com. The idea is that by avoiding the @ symbol a web crawler won’t detect that it is an email address.
This technique is poor in two ways – firstly, spammers aren’t silly and will look for other text patterns that indicate it is an email address. Changing @ to [at] is pointless if the crawler also looks for [at]. Secondly, it means a customer has to interpret your obscured email address into its real form and manually type it out, rather than just being able to click a link to send you an email.
Display it as an image – This means making an image such as a JPG that contains the email address and embedding that in your web page.
This technique is also poor in two ways – firstly spammers now use character recognition software in their harvesting arsenal and so can read text in images as well (just as anti-spam products can). Secondly, you are once again making it harder for customers to email you.
Use a CAPTCHA – This means hiding some or all of the email address until the visitor solves a CAPTCHA challenge.
CAPTCHA is a popular spam prevention method on most web forms such as the signup form for a free webmail service. The idea is to present a challenge that an automated process cannot defeat, but is intended to be easy for a real human to defeat.
Unfortunately CAPTCHAs are often broken by spammers either by cracking a flaw in the underlying code, by reading the CAPTCHA text with character recognition, or simply by tricking other humans into answering them. On the other side of that are some CAPTCHA systems that are so sophisticated that spammers cannot defeat them, but this also makes them more difficult for humans which once again can impact your customers.
So for all 4 of these tips there seem to be either serious downsides or they are simply ineffective in stopping spammers. You might be wondering then how you can go about protecting email addresses while still making it possible for customers to reach you.
In a previous post I suggest the use of contact forms. These forms can have strong anti-spam features built into them, such as blocking form submissions from the same sorts of IP addresses that you find on email block lists such as Spamhaus.
If you must publish email addresses on a web page where spammers can discover them, you should certainly invest in effective anti-spam filtering for your network. A good anti-spam product will block spam no matter how the spammer discovered your address in the first place. Implementing such a system will be of far more benefit to your email users than simply trying to obscure email addresses on web pages.