Having a form on a page instead of an email address stop harvesters?

Forum Moderators: phranque

Message Too Old, No Replies

Having a form on a page instead of an email address stop harvesters?

geoffhodbod

6:20 pm on Jun 8, 2003 (gmt 0)

Hi,

Does having a cgi form to let people email you on a site protect you against email harvesters taking you email address as opposed to just having an underlined email address that users can click on to launch a new message creation window from their email client or is there no advantage in a form?

Birdman

6:41 pm on Jun 8, 2003 (gmt 0)

Yes, it will stop it, as long as the email address is not in the form as a hidden input element. Keep your email address hard-coded in your mail script.

There are other ways to encode your email address to prevent harvesters from getting it.

PHP Bag-O-Tricks II: Encoding email addresses [webmasterworld.com]

g1smd

7:37 pm on Jun 8, 2003 (gmt 0)

An email form keeps bots and screen scrapers away. Good idea.

You can also use other tricks to have a non-scrapable email link on your pages. Some people encode parts of the email address, using entities like < and so on. This isn't foolproof, so should be combined with writing the link using javascript document.write statements, as well as cutting the link up and using more than one javascript command to write it.

jimbeetle

7:59 pm on Jun 8, 2003 (gmt 0)

Formmail forms can also present some security risks. This e-mail form security thread [webmasterworld.com] has some good info and a couple of links to previous threads.

While we're on this, seems to me that using a call to an external js file would mask an e-mail address from bots and cut down on the hundreds of 404s my sites get from mail bots trying to follow encrypted addys. Make any sense?

g1smd

8:37 pm on Jun 8, 2003 (gmt 0)

The formmail script can be exploited by spammers to email miillions of messages through your domain, with spoofed headers, if you aren't careful. There do exist some modified versions where the target address is hard coded into the script which then cuts this abuse out. You should also rename the script, and the script directory, and ban robots from it. This makes it a lot more safe.

External javascript is great. It cuts out most of the screen scrapers. The email address link should be written out as several separate pieces though, just in case a simple robot parses all text looking for anything that matches "xxxxx@xxxxxx" in any part of any file. Add some entity encoding to it and you are several steps ahead of the spammers.

waldemar

8:55 pm on Jun 8, 2003 (gmt 0)

The formmail script can be exploited by spammers to email miillions of messages through your domain, with spoofed headers, if you aren't careful.

Happened to me about three months ago on a regular webmaster@-account. Not funny, to receive about 500.000 "Returned mail: User unknown" mails.

g1smd

1:06 am on Jun 10, 2003 (gmt 0)

John_Caius

3:55 pm on Jun 25, 2003 (gmt 0)

Lorel

2:24 am on Jul 3, 2003 (gmt 0)

I'm using a method I haven't heard anyone mention. I can't remember if I thought this up myself or read about it somewhere. I write out the email address as if I was spelling each word and symbol out and giving instructions to turn all capitalized words into appropriate symbols and remove spaces:

myusername AT mydomain DOT com

This means surfers will have to write in the email but it has cut my spam down considerably.