Fog Creek Software
Discussion Board

Beating comment spam and email harvesters

There may be a simple solution to comment spam and email posted on the page being collected by bots.

Say you want to be out in plain sight, but still inaccessible to bots. Use two Javascript variables, a="john@s" and b="" and put them in adjoining <div>s or something to that effect.

You can go as paranoid as you want, including generating separate characters from a map, whatever. The bots won't be able to read the concatenated string.

The only downside: Javascript has to be enabled, of course.

Sunday, November 2, 2003

Seen this in web pages. I guess it's just a matter of time before bots figure it out :-)

Just write your address as a JPG/GIF, or use a redirector like

Frederic Faure
Sunday, November 2, 2003

Writing as a .jpg or .gif means it's not clickable. If you make it clickable then the bot can read the link in the source code.

The trick that works at present is to post the correct email address as a .jpg or a .gif and then encode the href in the source code. Use <a /a> instead of <<a /a>

If you really want to you can encode every letter <a href= %6a%6f%65%6c%40 etc>

The list of encodings can be found at

If you think a spam bot can find that then what you can do is download
and this will encode the link in an even more complicated way.

Stephen Jones
Sunday, November 2, 2003

Anything that can be done by code on the server side can be undone by code used by the spammers.

The only sure-fire way to prevent e-mail address harvesting is to never reveal the e-mail address. Use a form, like Joel does here, and you're 100% safe.

Brad Wilson (
Sunday, November 2, 2003

Sure, not providing a clickable link is an issue for some users, but I don't think it's that big a deal.

Frederic Faure
Sunday, November 2, 2003

As an extreme, TMDA (disposable and time-limited addresses) can also be used if you have an email server. 

Sunday, November 2, 2003

"This is yet another javascript-based email address shield against spam harvester-bots. This version is for static web pages, and has a handy "helper page" that will generate the necessary inline javascript code for you. "

Clickable email links.

I think the best solution is forms that submit to a server and never reveal the receiver's address. Also with non-obvious form field names.

Sunday, November 2, 2003

Even though these online email forms aren't really secure. For example, click on my name (which takes you to the source) and check the source. You'll find my email addy there. A simple (well, not "simple" as in "hello world", but still "simple") perl script can have most of the email addy's from this site in a very small amount of time.

What you need is an interface between the reply form script and the mail script.

It basically does two things:

1. Takes the email addy from the reply script, creating a UID and storing both.

2. Converts the UID from the mail form to the email addy in the datastore, then forwards the form to the mail script.

Not the prettiest of jobs, but it's a workaround which wouldn't require writing your own mailer that grabs the UIDs. Although most mail scripts could probably be easily modified too.

Jack of all
Sunday, November 2, 2003
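The UID indirection described in the post above, as an added example (not code from this thread or from the site's own reply script). It assumes an in-memory store standing in for the "datastore", a `register` call made by the reply script, and a `forward` call made by the mail form handler; the form itself only ever carries the opaque UID, never the address.

```python
import secrets
import time


class ReplyRelay:
    """Sits between the reply form script and the mail script.

    Step 1: the reply script hands over an address and gets back a UID.
    Step 2: the mail form posts the UID; we resolve it and build the
    message for the mail script, so the address never reaches the page.
    Assumption: a dict stands in for a real server-side datastore, and
    entries expire so a leaked UID is not usable forever.
    """

    def __init__(self, ttl_seconds=7 * 24 * 3600, now=time.time):
        self._store = {}  # uid -> (email, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested

    def register(self, email):
        """Step 1: create an unguessable UID and store the pair."""
        uid = secrets.token_urlsafe(16)
        self._store[uid] = (email, self._now() + self._ttl)
        return uid

    def resolve(self, uid):
        """Step 2a: map a UID back to the address, or None if unknown/expired."""
        entry = self._store.get(uid)
        if entry is None:
            return None
        email, expiry = entry
        if self._now() > expiry:
            del self._store[uid]
            return None
        return email

    def forward(self, form):
        """Step 2b: build what the mail script receives from the posted form."""
        email = self.resolve(form.get("recipient_uid", ""))
        if email is None:
            return None  # reject rather than guess a recipient
        return {
            "to": email,
            "subject": form.get("subject", ""),
            "body": form.get("body", ""),
        }


def reply_link(uid):
    """What the page links to: the UID is all a harvester can scrape."""
    return "/reply?recipient_uid=" + uid
```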

Ignore my bit about the JoS mail form... my mind must be going/gone.

Jack of all
Sunday, November 2, 2003

A few weeks ago I started getting 5-10 spam messages a day to my double-protected email address (multiple HTML spans, some encoding).

Maybe a human typed it in, since I've seen other human-assisted spam attacks on my site.

Or maybe they finally started hosting IE or something and said 'find mailto and click on it', with the mail app being an address harvester.

Next step is to have unique mail addresses for each user. I have the code, have to integrate it.

Tuesday, November 4, 2003
