Do you think this would work?
Have a simple link
<A HREF="mailme.php">Send me an email</A>
That goes to a file which starts with this...
<?php
header("Location: mailto:timotheos@foobar.com");
?>
I wouldn't think that most bots read headers.
Hmmmm,
Tim
I wouldn't think that most bots read headers.
You can't make that assumption as it only takes one spambot that reads everything and you are back to square one with a system which doesn't really work...
The bots might read the headers if they expect to be able to handle redirects, and if they handle redirects what you are doing probably offers no advantages over the standard mailto: method.
The best protection method is simple but inconveniences the user - you ask the user to enter a random selection of letters/words embedded in dynamic images or just on the page itself (less secure but easier).
You then check it at the server side and if it matches you display the e-mail address - it's a very simple tactic that is next to impossible to beat unless you are a real person.
- Tony
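The challenge/response check described in the post above, as an added example that is not part of the original thread. It uses the simpler on-page text variant rather than a dynamic image; `CONTACT_ADDRESS`, `CHALLENGE_TTL` and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. CONTACT_ADDRESS is a placeholder.
session_start();

const CONTACT_ADDRESS = 'contact@example.com';
const CHALLENGE_TTL = 300; // seconds a challenge stays valid (assumed value)

// Create a fresh random code and remember it server-side only.
function new_challenge(): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // look-alike characters omitted
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['challenge'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Single-use check: the stored challenge is discarded whatever the outcome.
function check_answer(string $answer): bool
{
    $c = $_SESSION['challenge'] ?? null;
    unset($_SESSION['challenge']);
    if (!is_array($c) || time() - $c['issued'] > CHALLENGE_TTL) {
        return false;
    }
    return hash_equals($c['code'], strtoupper(trim($answer)));
}

$answer = $_POST['answer'] ?? null;
$passed = $_SERVER['REQUEST_METHOD'] === 'POST' && is_string($answer) && check_answer($answer);
$code = $passed ? '' : new_challenge(); // a failed attempt always gets a new code
$addr = htmlspecialchars(CONTACT_ADDRESS, ENT_QUOTES);
?>
<?php if ($passed): ?>
<p>Email: <a href="mailto:<?= $addr ?>"><?= $addr ?></a></p>
<?php else: ?>
<form method="post">
  <p>Type these characters to see the address: <strong><?= htmlspecialchars($code) ?></strong></p>
  <input name="answer" autocomplete="off">
  <button type="submit">Show address</button>
</form>
<?php endif; ?>
```

The address is only written into the response after a correct answer, so it never appears in the page source or in a redirect header that a harvester fetches without solving the challenge.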
Well IE6 handles your redirect to a mailto: URI ok; but that is the sort of thing I would expect from Microsoft (stuff just "works" like that). No idea where it stands as far as standards are concerned!
Regarding a spambot "not reading headers" - don't count on a spambot not reading anything. If I was a spambot I'd just be looking out for any string that looks like an email address wherever it appeared in the "protocol stack".
Timotheos / Dreamquick;
Regarding creative spambot traps; these are fine for a hobby / personal site; but for a commercial site - especially if your client base is "non-technical" - then in my opinion they would make you look a bit stupid.
Imagine calling a company and asking for a piece of contact information and the receptionist asks you to solve a riddle first. You'd think "you what?". My choice (from creating a professional image point of view) is to have my email address for all to see and click on. I'll deal with the spam.
The other option of course is a form -> email.
Cheers!
You're right it may not necessarily project the image you want but my point was the particular method is one of the most secure (excluding the "contact us" form) since there is no easy way to weasel around it. I suggested it because there's very little point having just one viewpoint in a discussion when there are multiple viewpoints available each of which has their own merits.
My point of view is that I trust an email on a page far more than I trust a "contact us" form and this reflects in the solutions I explore.
I'm always trying new ideas in an attempt to reduce the margin of error which exists between plaintext email-on-a-page and a situation where your email address isn't actually on the site anymore.
At the moment I'm trying out the challenge/response solution, and while it may not suit all people it does appear to meet my needs.
Previously I've tried;
Simple "armouring" via character replacement, invisible to real users but only effective against basic harvesters.
Hybrid of the "armour" method plus UA-level blocking, stops some harvesters but not all.
Header analysis - bit of a nightmare to be honest. 98% of the time it worked perfectly, however the remaining % of false positives are actually worse than getting spam in the first place.
- Tony