Cloaking Email Address

Steevo wrote:

Any suggestions as to the best programs for cloaking email addresses?

On the server side as part of a mailing list? On the webmaster side
before you upload a page containing email addresses? On the
newsreader/emailer side before you send a message? We're not psychic,
you know.

"Leif K-Brooks" <eu*****@ecritters.biz> wrote in message
news:fq*******************@monger.newsread.com...

Steevo wrote:

Any suggestions as to the best programs for cloaking email addresses?

On the server side as part of a mailing list? On the webmaster side
before you upload a page containing email addresses? On the
newsreader/emailer side before you send a message? We're not psychic,
you know.

Sorry, didn't realise there were so many areas you could cloak email
addresses! I was referring to cloaking emails on webpages instead of having
a mailto: link.
Many thanks

--
Steevo

Steevo wrote:

"Leif K-Brooks" <eu*****@ecritters.biz> wrote in message
news:fq*******************@monger.newsread.com...

Steevo wrote:

Any suggestions as to the best programs for cloaking email addresses?

On the server side as part of a mailing list? On the webmaster side
before you upload a page containing email addresses? On the
newsreader/emailer side before you send a message? We're not psychic,
you know.

Sorry, didn't realise there were so many areas you could cloak email
addresses! I was referring to cloaking emails on webpages instead of having
a mailto: link.

I use a mailto: link. However, the visible "text" for that link --
visibly showing my E-mail address -- is actually a GIF image. My
ISP has a relatively good spam filter on their mail server; thus,
I'm not super cautious.

Spammers do use address harvesters that look at links as well as
the visible text. If you don't want to use a link, just use an
image file.

An example of an image file without a link is at the top of my
<URL:http://www.rossde.com/mail_to_me.html>; near the middle of the
same page is a link without the visible address (with the image of
an envelope). An example of an image and link together is near the
bottom of my <URL:http://www.rossde.com/PGP/pgp_keysign.html>.

--

David E. Ross
<URL:http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that
complies with Web standards. See <URL:http://www.mozilla.org/>.

On Sat, 21 May 2005, Steevo wrote:

"Leif K-Brooks" <eu*****@ecritters.biz> wrote in message
news:fq*******************@monger.newsread.com...

Steevo wrote:

Any suggestions as to the best programs for cloaking email addresses?

On the server side as part of a mailing list? On the webmaster side
before you upload a page containing email addresses? On the
newsreader/emailer side before you send a message? We're not psychic,
you know.

Sorry, didn't realise there were so many areas you could cloak email
addresses! I was referring to cloaking emails on webpages instead of having
a mailto: link.

Use a server-side script (e.g. PHP) that has a mail function. That way, the
visitor's browser never needs to know where your mailbox is.

"D. Stussy" <kd****@bde-arc.ampr.org> wrote in message
news:Pi****************************@kd6lvw.ampr.or g...

Use a server-side script (e.g. PHP) that has a mail function. That way,
the
visitor's browser never needs to know where your mailbox is.

Hosting server has many scripts installed, including PHP. Are there any
suggested scripts that are proven to be reliable?
Many thanks

--
Steevo

In article <d6**********@newsg4.svr.pol.co.uk>,
"Steevo" <st****@uk2k.com> wrote:

"D. Stussy" <kd****@bde-arc.ampr.org> wrote in message
news:Pi****************************@kd6lvw.ampr.or g...

Use a server-side script (e.g. PHP) that has a mail function. That way,
the
visitor's browser never needs to know where your mailbox is.

Hosting server has many scripts installed, including PHP. Are there any
suggested scripts that are proven to be reliable?
Many thanks

Yeah. The ones you've research, designed, written, and debugged
yourself.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

On Sat, 21 May 2005, Steevo wrote:

Any suggestions as to the best programs for cloaking email
addresses?

None. If you've got a stable email address, it's going to leak out
anyway, one way or another. Waste of time and effort trying to hide
it - and maddening for your correspondents if you keep changing it.

Spend the time and effort on anti-spam measures instead. That rates
to work regardless of who's found your address.

I'm in a particularly favourable position: being the owner of two of
the three most heavily spammed addresses in the Department (most of
those attempts are rejected out of hand, of course), as well as being
assistant postmaster, I can guarantee a fast track into our blocking
lists for any spammer who manages to get past the existing defences.
But discussing the details of that would take us way beyond what's
on-topic for this group.

good luck

Steevo wrote:

Any suggestions as to the best programs for cloaking email addresses?
Many thanks

href="mailto:rob@rob.com"

The drummer for Def Leppard only has one arm. wrote:

Steevo wrote:

Any suggestions as to the best programs for cloaking email addresses?
Many thanks

href="mailto:rob@rob.com"

That won't work. There's a program called "EFGrabber" that can rip these
quite easily. See <http://tinyurl.com/7zc3w>

Your best option is to keep email addresses off your site completely and use
a server-processed feedback form instead.

If you really *must* have an email link on your site, you'll have to use
Javascript to disguise it. I've posted an example here:
<http://vzone.virgin.net/phil.ronan/scramble.html>

Phil

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

On Mon, 23 May 2005 13:50:38 +0100, Philip Ronan
<in*****@invalid.invalid> wrote:

href="mailto:rob@rob.com"

That won't work.

Practical experiment says that this technique, even just using @
does avoid them being blagged by spammers.

Clearly the spammers could bypass it, but they aren't bothering too.

Philip Ronan wrote:

The drummer for Def Leppard only has one arm. wrote:

href="mailto:rob@rob.com"

That won't work.

It seems to work for me, but I include the "mailto:" in the encoding
as well.

--
-bts
-This space intentionally left blank.

Andy Dingley wrote:

On Mon, 23 May 2005 13:50:38 +0100, Philip Ronan
<in*****@invalid.invalid> wrote:

href="mailto:rob@rob.com"

That won't work.

Practical experiment says that this technique, even just using @
does avoid them being blagged by spammers.

Clearly the spammers could bypass it, but they aren't bothering too.

Maybe not yet. But as soon as they do (and I'm sure they will), you're
basically sunk.

You have to be at least *two* steps ahead to beat the spammers. Paranoia
rules.

Phil

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

*** post for FREE via your newsreader at post.newsfeed.com ***

> "Philip" == Philip Ronan <in*****@invalid.invalid> writes:

Philip> Maybe not yet. But as soon as they do (and I'm sure they will), you're
Philip> basically sunk.

Why would they bypass it, when there's already *millions* of
low-hanging fruit out there? Why spend more CPU? They already
achieve their goal, and the smart spammers are moving to zombiefarms
anyway, which get better results preening the local address books.

Philip> You have to be at least *two* steps ahead to beat the
Philip> spammers. Paranoia rules.

In that case:

step 1 - unplug your computer from the internet
step 2 - unplug your computer from the wall

Methinks you are being a bit *overly* paranoid.

Please stick with solutions that are unlikely to be scraped in the
foreseen future, but don't upset blind users or *me*. The entity
encoding trick is painless and productive.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<me****@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
-----= Posted via Newsfeed.Com, Uncensored Usenet News =-----
http://www.newsfeed.com - The #1 Newsgroup Service in the World!
-----== 100,000 Groups! - 19 Servers! - Unlimited Download! =-----

"Randal L. Schwartz" wrote:

Please stick with solutions that are unlikely to be scraped in the
foreseen future, but don't upset blind users or *me*.

You think HTML entities are unlikely to be scraped in the foreseen future. I
don't. I guess we'll just have to disagree there.

What makes you think I'm upsetting blind users? I use a <NOSCRIPT> entity to
provide a readable version of the email address, so that's covered. There's
also a feedback form that people can fill in online. So everyone's happy.
Except you, apparently.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

On Mon, 23 May 2005, Andy Dingley wrote:

On Mon, 23 May 2005 13:50:38 +0100, Philip Ronan <in*****@invalid.invalid> wrote:

href="mailto:rob@rob.com"

That won't work.

Practical experiment says that this technique, even just using @
does avoid them being blagged by spammers.

Clearly the spammers could bypass it, but they aren't bothering too.

Yet. :-)

Philip Ronan wrote:

I use a <NOSCRIPT> entity to
provide a readable version of the email address, so that's covered.

????

You make no sense to me at all. Please elaborate.

--
Bart.

"Bart Lateur" wrote:

Philip Ronan wrote:

I use a <NOSCRIPT> entity to
provide a readable version of the email address, so that's covered.

????

You make no sense to me at all. Please elaborate.

Is it really that complicated?

<SCRIPT type="text/javascript">

generateEmailLink();

</SCRIPT><NOSCRIPT>mail [at] example [dot] com<NOSCRIPT>

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

On Sat, 21 May 2005 11:04:10 -0700, David Ross <no****@nowhere.not>
wrote:

Spammers do use address harvesters that look at links as well as
the visible text. If you don't want to use a link, just use an
image file.

So much for visually impaired visitors.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
"I feel a wave of morning sickness coming on, and I want to
be standing on your mother's grave when it hits."

On Mon, 23 May 2005 13:50:38 +0100, Philip Ronan
<in*****@invalid.invalid> wrote:

If you really *must* have an email link on your site, you'll have to use
Javascript to disguise it. I've posted an example here:
<http://vzone.virgin.net/phil.ronan/scramble.html>

So much for sensible people who run with Javascript disabled, and
those in networks where Javascript is disallowed by policy.
--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
"I feel a wave of morning sickness coming on, and I want to
be standing on your mother's grave when it hits."

"Stan Brown" wrote:

On Mon, 23 May 2005 13:50:38 +0100, Philip Ronan
<in*****@invalid.invalid> wrote:

If you really *must* have an email link on your site, you'll have to use
Javascript to disguise it. I've posted an example here:
<http://vzone.virgin.net/phil.ronan/scramble.html>

So much for sensible people who run with Javascript disabled, and
those in networks where Javascript is disallowed by policy.

Boo hoo. All those poor people...!

Just out of interest, what are they supposed to do when they visit
<http://oakroadsystems.com/about/index.htm#Contact>? Your email address
isn't clickable, so you're not helping anyone either. Or were you just
aiming for greater equality by ducking the email link issue altogether?

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Philip Ronan wrote:

"Bart Lateur" wrote:

Philip Ronan wrote:

I use a <NOSCRIPT> entity to
provide a readable version of the email address, so that's covered.

You make no sense to me at all. Please elaborate.

Is it really that complicated?

<SCRIPT type="text/javascript">

generateEmailLink();

</SCRIPT><NOSCRIPT>mail [at] example [dot] com<NOSCRIPT>

Do you *really* believe that it's any harder to detect and process this
(and its obvious variants) than it is to process an entity-encoded email
address? This is the equivalent of installing a solid-steel front door
with a dozen deadbolts while leaving your back door wide open!

Dave

Philip Ronan wrote:

"Stan Brown" wrote:

On Mon, 23 May 2005 13:50:38 +0100, Philip Ronan
<in*****@invalid.invalid> wrote:

If you really *must* have an email link on your site, you'll have to use
Javascript to disguise it. I've posted an example here:
<http://vzone.virgin.net/phil.ronan/scramble.html>

So much for sensible people who run with Javascript disabled, and
those in networks where Javascript is disallowed by policy.

Boo hoo. All those poor people...!

While it's notoriously difficult to get accurate numbers for the general
use of *anything* on the web, the info at
<http://www.thecounter.com/stats/> is interesting. For the past several
months about 5% of their visitors have had JavaScript disabled, and for
several months before that it was about 10%. That's a rather large
number of people to piss off unnecessarily.

Dave

"Dave Anderson" wrote:

Philip Ronan wrote:

</SCRIPT><NOSCRIPT>mail [at] example [dot] com<NOSCRIPT>

Do you *really* believe that it's any harder to detect and process this
(and its obvious variants) than it is to process an entity-encoded email
address? This is the equivalent of installing a solid-steel front door
with a dozen deadbolts while leaving your back door wide open!

Yes, *really*

Take a look at <http://www.google.com/search?q=%22at+*+dot%22>, for example.
Plenty of false hits there.

Extracting entity encoded email addresses is trivial. I can do it with 5
lines of php:

<?php
$f = fopen("http://www.example.com/","r");
$html = fread($f, 0x8000);
$html = html_entity_decode($html);
$e = "/([^a-z0-9_\.\-])([a-z0-9_\.\-]+@[a-z0-9_\.\-]+)([^a-z0-9_\.\-])/i";
preg_match($e, $html, $matches);
?>

I'm not saying javascript makes things absolutely secure. I'm just saying
it's *more* secure. I don't understand why this is causing you problems.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

"Dave Anderson" wrote:

While it's notoriously difficult to get accurate numbers for the general
use of *anything* on the web, the info at
<http://www.thecounter.com/stats/> is interesting. For the past several
months about 5% of their visitors have had JavaScript disabled, and for
several months before that it was about 10%. That's a rather large
number of people to piss off unnecessarily.

Please explain why I'm pissing these people off.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

On Wed, 25 May 2005, Philip Ronan wrote:

So much for sensible people who run with Javascript disabled, and
those in networks where Javascript is disallowed by policy.

Boo hoo. All those poor people...!

If I was in business, I'd love to have competitors like you. I'm sure
I could make a decent living just calmly dealing with the discerning
customers that you managed to piss off.

Meantime you'll have the fun of dealing with those undiscerning
customers whose browsers are typically infected with several viruses,
some of which are collecting their credit card number keystrokes and
reporting them to hacker central. In the UK, at least, there's also
some fairly widespread trojans that establish dial-up connections to
premium phone numbers and clock up considerable phone bills for their
victims. Lots of fun for all the family. They of course never blame
themselves for falling for these infections, but their first reaction
is going to be to blame it on the web site that they're dealing with,
i.e yours. Enjoy.

"Alan J. Flavell" wrote:

If I was in business, I'd love to have competitors like you. I'm sure
I could make a decent living just calmly dealing with the discerning
customers that you managed to piss off.

Meantime you'll have the fun of dealing with those undiscerning
customers whose browsers are typically infected with several viruses,
some of which are collecting their credit card number keystrokes and
reporting them to hacker central. In the UK, at least, there's also
some fairly widespread trojans that establish dial-up connections to
premium phone numbers and clock up considerable phone bills for their
victims. Lots of fun for all the family. They of course never blame
themselves for falling for these infections, but their first reaction
is going to be to blame it on the web site that they're dealing with,
i.e yours. Enjoy.

ROTFLMAO :-D

As it happens, about 95% of the visitors to my site choose to use the
feedback form instead of the email link. I haven't been blamed for any
cataclysmic events so far, but thanks for the warning! I never realized
writing "dot" and "at" instead of "." and "@" could be so (*gasp*)
DANGEROUS!!!

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

In article <BE********************@invalid.invalid>, Philip Ronan writes:

"Stan Brown" wrote:

On Mon, 23 May 2005 13:50:38 +0100, Philip Ronan <in*****@invalid.invalid> wrote:

If you really *must* have an email link on your site, you'll have to use
Javascript to disguise it. I've posted an example here:
<http://vzone.virgin.net/phil.ronan/scramble.html>
So much for sensible people who run with Javascript disabled, and
those in networks where Javascript is disallowed by policy.

Just out of interest, what are they supposed to do when they visit
<http://oakroadsystems.com/about/index.htm#Contact>?
I just went there. The email address was easy to select with my
cursor. I then had no problem doing a copy'n'paste from my browser
to my email client. Are there any email clients that don't support this?
Or were you just
aiming for greater equality by ducking the email link issue altogether?

I don't think that there is any such thing as a standard-compliant
email link, is there?

--
Michael F. Stemper
#include <Standard_Disclaimer>
No animals were harmed in the composition of this message.

"Michael Stemper" wrote:

... <http://oakroadsystems.com/about/index.htm#Contact>

I just went there. The email address was easy to select with my
cursor. I then had no problem doing a copy'n'paste from my browser
to my email client. Are there any email clients that don't support this?

Jolly good. So that took you about 5 seconds, right? Perhaps it would have
taken another 3 seconds to change "at" and "dot" to "@" and "." in my web
page. Big deal.

But most of the visitors to my site can just click on a link to do this. It
takes them no time at all.

Or were you just
aiming for greater equality by ducking the email link issue altogether?

I don't think that there is any such thing as a standard-compliant
email link, is there?

What is your point?

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Philip Ronan wrote:

"Michael Stemper" wrote:

... <http://oakroadsystems.com/about/index.htm#Contact>

I just went there. The email address was easy to select with my
cursor. I then had no problem doing a copy'n'paste from my browser
to my email client.

Jolly good. So that took you about 5 seconds, right? Perhaps it would have
taken another 3 seconds to change "at" and "dot" to "@" and "." in my web
page. Big deal.

FWIW, I find having to copy/paste a plain text email address into my
mail client a very minor annoyance. I don't mind doing it if I really
want to contact someone, but having to edit it beyond that is just too
much trouble, not to mention prone to error. I'd just as soon forget
about it and go away.

--
Reply email address is a bottomless spam bucket.
Please reply to the group so everyone can share.

Philip Ronan <in*****@invalid.invalid> wrote:

The drummer for Def Leppard only has one arm. wrote:

Steevo wrote:

Any suggestions as to the best programs for cloaking email addresses?

href="mailto:rob@rob.com"

That won't work. There's a program called "EFGrabber" that can rip these
quite easily. See <http://tinyurl.com/7zc3w>

Your best option is to keep email addresses off your site completely and use
a server-processed feedback form instead.

If you really *must* have an email link on your site, you'll have to use
Javascript to disguise it. I've posted an example here:
<http://vzone.virgin.net/phil.ronan/scramble.html>

I'm just a beginner, but here is some Javascript I use to hide my
email address. Feel free to comment.

<script type="text/javascript">
<!--
var first = 'ma';
var second = 'il';
var third = 'to:';
var address = 'soliton';
var domain = 'pacific';
var ext = 'net';
document.write('<a href="');
document.write(first+second+third);
document.write(address);
document.write('@');
document.write(domain);
document.write('.');
document.write(ext);
document.write('">');
document.write('<IMG SRC="envelope.png"></a>');
//-->
</script>

"kchayka" wrote:

Philip Ronan wrote:

"Michael Stemper" wrote:

... <http://oakroadsystems.com/about/index.htm#Contact>

I just went there. The email address was easy to select with my
cursor. I then had no problem doing a copy'n'paste from my browser
to my email client.

Jolly good. So that took you about 5 seconds, right? Perhaps it would have
taken another 3 seconds to change "at" and "dot" to "@" and "." in my web
page. Big deal.

FWIW, I find having to copy/paste a plain text email address into my
mail client a very minor annoyance. I don't mind doing it if I really
want to contact someone, but having to edit it beyond that is just too
much trouble, not to mention prone to error. I'd just as soon forget
about it and go away.

So let me get this straight:

(a) Your time is so precious that you'd rather go and look for another
website than spend 3 seconds editing a bit of text that took 5
seconds to copy from your browser into your email client.

(b) Your editing skills are so unreliable that you're likely to make
all sorts of errors changing "at" into "@" and "dot" into "."

How can your time be worth so much if you can't edit a bit of text reliably?
Are you sure you're not going to miss a bit at the beginning or end of the
email address when you copy it? Do you think it would take less than 3
seconds to find another website?

You could of course just use the feedback form on my website. It's on the
same page underneath the email link. You don't even have to scroll your
browser window to find it.

And you think that's too much trouble? Some people are just so hard to
please :-( If Alan J. Flavell ever goes into business, I'm sure he'd
welcome your custom with open arms.

I guess there must be a lot of websites out there that don't meet your
exacting standards. Do you always give up and look elsewhere when you see
something you don't like? You must be Google's #1 customer by now :-D

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Philip Ronan wrote:

"kchayka" wrote:

FWIW, I find having to copy/paste a plain text email address into my
mail client a very minor annoyance. I don't mind doing it if I really
want to contact someone, but having to edit it beyond that is just too
much trouble, not to mention prone to error. I'd just as soon forget
about it and go away.
So let me get this straight:

(a) Your time is so precious that you'd rather go and look for another
website than spend 3 seconds editing a bit of text that took 5
seconds to copy from your browser into your email client.

You read too much into my comment. The "going away" was in reference to
the contact page. I probably wouldn't bother contacting anyone after
all. It would have to be incredibly important for me to do otherwise,
and there just ain't that much out there that's important enough (to me)
to bother.
(b) Your editing skills are so unreliable that you're likely to make
all sorts of errors changing "at" into "@" and "dot" into "."
That's not the whole point. The point is more that I don't want to be
bothered doing more than a simple copy/paste.

Ever hear of "don't make me think"? Making me work to send a simple
email isn't very user-friendly.
You could of course just use the feedback form on my website.
I only use those kinds of forms for a few trusted sites, like my bank,
rarely for anything else. The reason is that if it's important enough
for me to contact someone, it's almost always important enough to file a
copy of the message in one of my mail folders. Those forms don't let me
do that. And before you suggest I copy/paste my entered text in a mail
to myself, see the comment I already made about "too much bother".

For an untrusted site, I would probably decide contact wasn't all that
important after all.
I guess there must be a lot of websites out there that don't meet your
exacting standards.
There surely is a lot of crap out there. And my standards aren't so
exacting. I just want good usability in a design that adapts well to my
not-exactly-average browsing environment. All the rest is fluff, AFAIC.
Do you always give up and look elsewhere when you see
something you don't like?

Not always, but a lot more often than I think I should have to.

BTW, I wasn't expecting you change anything on your site based on my
comments, was just giving a perspective you might not have considered
before. I didn't really expect you to get so antagonistic about it, but
I suppose I should have. :-\

--
Reply email address is a bottomless spam bucket.
Please reply to the group so everyone can share.

Gazing into my crystal ball I observed kchayka <us****@c-net.us> writing
in news:3f************@individual.net:

You could of course just use the feedback form on my website.
I only use those kinds of forms for a few trusted sites, like my bank,
rarely for anything else. The reason is that if it's important enough
for me to contact someone, it's almost always important enough to file
a copy of the message in one of my mail folders. Those forms don't let
me do that.

I hate that.
And before you suggest I copy/paste my entered text in a mail
to myself, see the comment I already made about "too much bother".

I really hate doing that, but sometimes, I have to.
For an untrusted site, I would probably decide contact wasn't all that
important after all.

One of the reasons I always put a cc:me checkbox on the form to send the
user a copy of the email as well. It adds a little more server side
checking (for wellformed email), but I think it's worth the time to do
something nice for the user.

--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

Philip Ronan wrote:

</SCRIPT><NOSCRIPT>mail [at] example [dot] com<NOSCRIPT>

Wow! You think

mail@example.com

isn't safe, but

mail [at] example [dot] com

is?!? Jeezes. Yours is as good a simple common pattern as the numerical
entities are, except the entities can be handled by the browsers.

Spiders don't use browsers.

--
Bart.

Bart Lateur <ba*********@pandora.be> wrote:

Spiders don't use browsers.

Some do[1], which also defeats most javascript "solutions".

[1] http://www.mailutilities.com/aee/

--
Spartanicus

On Wed, 25 May 2005, Philip Ronan wrote:

"Dave Anderson" wrote:

While it's notoriously difficult to get accurate numbers for the general
use of *anything* on the web, the info at
<http://www.thecounter.com/stats/> is interesting. For the past several
months about 5% of their visitors have had JavaScript disabled, and for
several months before that it was about 10%. That's a rather large
number of people to piss off unnecessarily.

Please explain why I'm pissing these people off.

I assume that he concluded that because these 5-10% of visitors, should they
come to your site, won't see your javascript encoded mailbox link.

Why not use a tool that ALL users will see - a server-side operation?

[I do understand that a few web-hosting operations may not allow those.
However, you didn't say that you had such a restriction....]

"D. Stussy" wrote:

On Wed, 25 May 2005, Philip Ronan wrote:

Please explain why I'm pissing these people off.
I assume that he concluded that because these 5-10% of visitors, should they
come to your site, won't see your javascript encoded mailbox link.

No, they just see my email address.
Why not use a tool that ALL users will see - a server-side operation?

[I do understand that a few web-hosting operations may not allow those.
However, you didn't say that you had such a restriction....]

Or how about an email link AND a server-processed form?

Oh, wait a minute. I'm doing that already. Please review this thread before
you say anything else.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

"kchayka" wrote:

You read too much into my comment. The "going away" was in reference to
the contact page. I probably wouldn't bother contacting anyone after
all.
Suppose you want to contact speakers.example.com to ask if they can provide
a replacement for a broken speaker in your car. If you think it will take
more than 5 seconds to extract an email address from their contact page,
then you're liable to decide that replacing your speaker isn't that
important after all??
... The point is more that I don't want to be
bothered doing more than a simple copy/paste.

Let me just summarize my earlier posts:

1. About 90% of my sites visitors have Javascript enabled. They can use the
email link with a single click

2. About 90% of the people that contact me through the web site use the
feedback form instead of the email link. They can also send me an email with
a single click.

3. Visitors without Javascript who want to use their own email client have
to spend an extra 3 seconds formatting the email address after they have
copied and pasted it into their mail client. Based on the above figures,
this accounts for about 1% of cases. I'm not excluding anybody.

4. So 99% of the visitors to my site can reach me with a single click, while
the other 1% have to spend a few extra seconds then they would if my email
address was formatted normally. Overall, I'm making things much *easier* for
people.

5. Meanwhile, I can respond to emails faster because I don't have to waste
time weeding out spam from my mailbox. People have no trouble contacting me
because I use minimal spam filtering so genuine emails are never bounced
back.

I must say I'm starting to get a bit tired of all this ciwah dogma.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Adrienne wrote:

One of the reasons I always put a cc:me checkbox on the form to send the
user a copy of the email as well. It adds a little more server side
checking (for wellformed email), but I think it's worth the time to do
something nice for the user.

Thats a good idea, I hadn't thought of doing that.

"junk" wrote:

Adrienne wrote:

One of the reasons I always put a cc:me checkbox on the form to send the
user a copy of the email as well. It adds a little more server side
checking (for wellformed email), but I think it's worth the time to do
something nice for the user.

Thats a good idea, I hadn't thought of doing that.

Think twice before you do.

Suppose I want to send an anonymous email to sp*****@example.com. All I have
to do is fill in your feedback form with my "marketing message", provide
sp*****@example.com as my email address and click the "Cc:" checkbox.

But why stop there? I could set up a web server to bombard your site with
POST requests containing bogus referrer headers via an anonymous proxy. At
just ten hits a second, I could send almost a million emails this way in a
single day.

You'd get a copy of every single one of course, but that wouldn't be my
problem.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

On Wed, 25 May 2005 17:03:40 +0100,
Philip Ronan <in*****@invalid.invalid> posted:

As it happens, about 95% of the visitors to my site choose to use the
feedback form instead of the email link. I haven't been blamed for any
cataclysmic events so far, but thanks for the warning! I never realized
writing "dot" and "at" instead of "." and "@" could be so (*gasp*)
DANGEROUS!!!

Now, have you thought about why that might be? Could it be that a
significant number of people couldn't handle a munged e-mail address, and
didn't mail you at all, or used the alternative and never said anything
about it?

As do many, I dislike using forms. I don't get to keep a record of my
message, without playing cut and paste (i.e. I have a collection of files
outside of my mail client). Many forms are designed by complete morons,
expecting you to type a message in a 5 line by 20 character hole in the
page, or to fill in a plethora of details unrelated to my query, etc.

Muck us about, and we just go elsewhere. In the wrong circumstances, one
lost customer can be disastrous. They might be a big job, or refer
countless more to you, or worse, tell many how annoying it was having to
deal with you.

--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.

This message was sent without a virus, please delete some files yourself.

Tim wrote:

On Wed, 25 May 2005 17:03:40 +0100,
Philip Ronan <in*****@invalid.invalid> posted:

As it happens, about 95% of the visitors to my site choose to use the
feedback form instead of the email link. I haven't been blamed for any
cataclysmic events so far, but thanks for the warning! I never realized
writing "dot" and "at" instead of "." and "@" could be so (*gasp*)
DANGEROUS!!!

Now, have you thought about why that might be? Could it be that a
significant number of people couldn't handle a munged e-mail address, and
didn't mail you at all, or used the alternative and never said anything
about it?

As do many, I dislike using forms. I don't get to keep a record of my
message, without playing cut and paste (i.e. I have a collection of files
outside of my mail client).

I agree with you there, but I've come across at least two sites for far
that solve the problem by giving me the option to have a copy of my
message e-mailed back to me.
Many forms are designed by complete morons,
expecting you to type a message in a 5 line by 20 character hole in the
page,
That, I never understand. For free-form entry, I provide text boxes like
10em high and 40em or 80% wide.

or to fill in a plethora of details unrelated to my query, etc.
I don't usually see that, unless they're optional fields. It *is* to
your own benefit for the customer service people to ask you to use
checkboxes or drop-down lists to characterize the nature of your
correspondence so that they can route it efficiently. It also makes it
easier for them to track the categories of correspondence that they get,
which improves their ability to staff appropriately to meet their
customers' needs.

Muck us about, and we just go elsewhere. In the wrong circumstances, one
lost customer can be disastrous. They might be a big job, or refer
countless more to you, or worse, tell many how annoying it was having to
deal with you.
Oh, please. ONE BIG CUSTOMER, ooo, how scary. Never mind that another
ONE BIG CUSTOMER might be pissed off over the opposite "transgression".

"Tim" wrote:

On Wed, 25 May 2005 17:03:40 +0100,
Philip Ronan <in*****@invalid.invalid> posted:

As it happens, about 95% of the visitors to my site choose to use the
feedback form instead of the email link. I haven't been blamed for any
cataclysmic events so far, but thanks for the warning! I never realized
writing "dot" and "at" instead of "." and "@" could be so (*gasp*)
DANGEROUS!!!
Now, have you thought about why that might be?

Um, I was being sarcastic(!?)
Muck us about, and we just go elsewhere.
Go right ahead. I'm trying to strike a balance between avoiding floods of
spam while providing clients with a useful means of contact that they can
use without having their email swallowed by an over-zealous spam blocker. I
won't repeat myself, but if you go back through this thread you'll see that
bare email addresses (with or without html entities and/or mailto: links)
are a liability. What I'm suggesting is the best alternative, under the
circumstances, IMHO.

If people *need* to contact me, then they *can*. Quite easily. Even if they
don't have Javascript enabled. Even if they have a phobia about using
feedback forms. Even if they have an obsessive need to retain a copy of
every message they ever send. If they're going to throw their hands up in
horror and go elsewhere, then frankly I'd see that as an added bonus. I deal
with enough pedantry in my job as it is.

In any case, I doubt that many obsessive HTML dogmatists are likely to have
either (a) any need for my services, or (b) any money to pay for them.
In the wrong circumstances, one
lost customer can be disastrous. They might be a big job, or refer
countless more to you, or worse, tell many how annoying it was having to
deal with you.

ROFL :-D

Yeah right, they're probably all muttering away to each other in the
corridors of Wall Street right now:

A: Grrr, I'm *so* ANNOYED!! I tried to contact a website yesterday.
Had to copy an email address off a web page, and *then* edit the
thingtoo. Don't ever go there!! It's just so infuriating!!!!

B: Gee, that's too bad. Wasn't there a feedback form or something you
could use instead?

A: Er, yeah... but I really *HATE* having to fill those things in.
They make me really ANGRY!!!! I'm gonna give the billion dollar
contract to someone else, goddammit!! Grrr... Rarrgh... etc..

If you're such a business expert, perhaps you could give *your* views on
how best to deal with the trade-off between spam avoidance and email
reachability (or whatever management consultants call that sort of thing). I
think you'll find that a lot of commercial websites don't contain any email
addresses at all. Now, have you thought about why that might be..?

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Philip Ronan wrote:

"Dave Anderson" wrote:

Philip Ronan wrote:

</SCRIPT><NOSCRIPT>mail [at] example [dot] com<NOSCRIPT>
Do you *really* believe that it's any harder to detect and process this
(and its obvious variants) than it is to process an entity-encoded email
address? This is the equivalent of installing a solid-steel front door
with a dozen deadbolts while leaving your back door wide open!

Yes, *really*

Take a look at <http://www.google.com/search?q=%22at+*+dot%22>, for example.
Plenty of false hits there.

That would matter if spammers cared about false hits, but all the
evidence I've seen says that they don't. Given that they're usually
stealing someone else's resources to send their crap, why should they?
AFAICT they'd be happy with a scheme which harvests as little as 10%
real addresses, which should be pretty easy to accomplish.
Extracting entity encoded email addresses is trivial. I can do it with 5
lines of php:

<?php
$f = fopen("http://www.example.com/","r");
$html = fread($f, 0x8000);
$html = html_entity_decode($html);
$e = "/([^a-z0-9_\.\-])([a-z0-9_\.\-]+@[a-z0-9_\.\-]+)([^a-z0-9_\.\-])/i";
preg_match($e, $html, $matches);
?>
So? I've never claimed that it's difficult to extract entity-encoded
addresses. What I have claimed, and you haven't refuted, is that it's
about as easy to extract addresses using "... [at] ... [dot] ..." and
its obvious variants. When a new generation of spammer tools arrives
that does either of these, I'd expect it to do both.

Given that, the JavaScript encoding of the mailto link provides
essentially zero useful additional security over entity-encoding it --
since the email address is exposed anyway by being present in "... [at]
.... [dot] ..." form -- and creates a (minor) nuisance for a significant
number of your visitors.
I'm not saying javascript makes things absolutely secure. I'm just saying
it's *more* secure. I don't understand why this is causing you problems.

See above. JavaScript-encoded link == solid-steel front door; "... [at]
.... [dot] ..." encoded address == wide-open back door. Simple.

Dave

Philip Ronan wrote:

"D. Stussy" wrote:

On Wed, 25 May 2005, Philip Ronan wrote:

Please explain why I'm pissing these people off.

I assume that he concluded that because these 5-10% of visitors, should they
come to your site, won't see your javascript encoded mailbox link.

No, they just see my email address.

While I've no doubt that "pissing people off" is an accurate description
of the effect of many uses of JavaScript on the web, it's an
exaggeration in this case since you have provided an (inferior, but
generally usable) alternative for visitors with JavaScript disabled; my
apologies for sending things off at a tangent.

The real issue is whether JavaScript-encoding the mailto link provides
any real security for the email address relative to more
generally-accessible schemes such as entity-encoding the link; in the
presence of your "... [at] ... [dot] ..." alternative, it doesn't --
since that alternative exposes what the JavaScript-encoding is intended
to protect. In this context, there are no benefits to using JavaScript,
only costs -- so why bother doing it?

Dave

"Dave Anderson" wrote:

Philip Ronan wrote:

"Dave Anderson" wrote:

Philip Ronan wrote:

</SCRIPT><NOSCRIPT>mail [at] example [dot] com<NOSCRIPT>

Do you *really* believe that it's any harder to detect and process this
(and its obvious variants) than it is to process an entity-encoded email
address? This is the equivalent of installing a solid-steel front door
with a dozen deadbolts while leaving your back door wide open!

Yes, *really*

Take a look at <http://www.google.com/search?q=%22at+*+dot%22>, for example.
Plenty of false hits there.

That would matter if spammers cared about false hits, but all the
evidence I've seen says that they don't. Given that they're usually
stealing someone else's resources to send their crap, why should they?
AFAICT they'd be happy with a scheme which harvests as little as 10%
real addresses, which should be pretty easy to accomplish.

You seem to have conveniently forgotten that the words "at" and "dot" crop
up quite frequently in the English language. OTOH, email addresses obey a
strict syntax that means they can be extracted very easily and very
reliably.

Furthermore, if a spammer comes across an email address encoded using HTML
entities, then he can be more or less *certain* that it's a real address.
That's a significant advantage given the existence of pages like this:
<http://ktmatu.com/cgi-bin/rea.pl> and this:
<http://www.hostedscripts.com/scripts/antispam.html>

I also think you're wring in asserting that spammers are happy with a 10%
hit rate. If they're sending out 10 emails per second from a hijacked
server, of which only one is a valid address, then it would take about 2
weeks to send 1 million emails to real recipients. It's very likely that the
hijacked server would be detected and taken offline long before this happens

Why don't you try writing some code to extract email addresses written using
'at/dot" instead of "@/." (and the "obvious" variants)? I think you'll find
this is not as easy as you say it is.

Or could you at least look for an email harvesting application that does
this already? I don't think you'll have much luck.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

"Dave Anderson" wrote:

The real issue is whether JavaScript-encoding the mailto link provides
any real security for the email address relative to more
generally-accessible schemes such as entity-encoding the link; in the
presence of your "... [at] ... [dot] ..." alternative, it doesn't --
since that alternative exposes what the JavaScript-encoding is intended
to protect.

No, what the Javascript is protecting is an email address formatted
according to RFC822. These can be picked up quite easily by spambots. Using
Javascript means the address can't be picked up so easily (or reliably). So
it's safer.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Philip Ronan <in*****@invalid.invalid> posted:

As it happens, about 95% of the visitors to my site choose to use the
feedback form instead of the email link. I haven't been blamed for any
cataclysmic events so far, but thanks for the warning! I never realized
writing "dot" and "at" instead of "." and "@" could be so (*gasp*)
DANGEROUS!!!

Tim wrote:
Now, have you thought about why that might be? Could it be that a
significant number of people couldn't handle a munged e-mail address, and
didn't mail you at all, or used the alternative and never said anything
about it?

As do many, I dislike using forms. I don't get to keep a record of my
message, without playing cut and paste (i.e. I have a collection of files
outside of my mail client).

Harlan Messinger <hm*******************@comcast.net> posted:

I agree with you there, but I've come across at least two sites for far
that solve the problem by giving me the option to have a copy of my
message e-mailed back to me.
There's a rather large problem with that, as it's often implemented. It
allows spammers to use the form. There really isn't any good way to
determine whether someone's providing their own address, or is abusing the
form.

or to fill in a plethora of details unrelated to my query, etc. I don't usually see that, unless they're optional fields. It *is* to
your own benefit for the customer service people to ask you to use
checkboxes or drop-down lists to characterize the nature of your
correspondence so that they can route it efficiently. It also makes it
easier for them to track the categories of correspondence that they get,
which improves their ability to staff appropriately to meet their
customers' needs.
I see it quite a bit, and it's rarely relevant to the message I'm sending
them. What's worse, those occasions tend to be the ones that won't let you
send a message without filling in such details.
Muck us about, and we just go elsewhere. In the wrong circumstances, one
lost customer can be disastrous. They might be a big job, or refer
countless more to you, or worse, tell many how annoying it was having to
deal with you.

Oh, please. ONE BIG CUSTOMER, ooo, how scary. Never mind that another
ONE BIG CUSTOMER might be pissed off over the opposite "transgression".

As someone who is in business, I know the value, or hazards, of word of
mouth. You really aren't doing yourself any favours if you lose a $10,000
job thanks to an annoying website. Even if you only ever thought that you
were likely to earn $100 from individual users of your service, you really
can't tell when you're going to get some customer who wants a bulk job
done.

--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.

This message was sent without a virus, please delete some files yourself.

Tim wrote:

Muck us about, and we just go elsewhere.
Philip Ronan <in*****@invalid.invalid> posted:

Go right ahead. I'm trying to strike a balance between avoiding floods of
spam while providing clients with a useful means of contact that they can
use without having their email swallowed by an over-zealous spam blocker. I
won't repeat myself, but if you go back through this thread you'll see that
bare email addresses (with or without html entities and/or mailto: links)
are a liability. What I'm suggesting is the best alternative, under the
circumstances, IMHO.
What I've seen hasn't been the "best" alternatives. While some webmasters
may think that they're the best way for them to avoid spam, they're
certainly not been the best way to allow people to contact them.
In the wrong circumstances, one lost customer can be disastrous. They
might be a big job, or refer countless more to you, or worse, tell many
how annoying it was having to deal with you.

ROFL :-D

Yeah right, they're probably all muttering away to each other in the
corridors of Wall Street right now:

A: Grrr, I'm *so* ANNOYED!! I tried to contact a website yesterday.
Had to copy an email address off a web page, and *then* edit the
thingtoo. Don't ever go there!! It's just so infuriating!!!!

B: Gee, that's too bad. Wasn't there a feedback form or something you
could use instead?

A: Er, yeah... but I really *HATE* having to fill those things in.
They make me really ANGRY!!!! I'm gonna give the billion dollar
contract to someone else, goddammit!! Grrr... Rarrgh... etc..

Try: I tried to contact a business the other day, but couldn't get through
their messaging system to use it in a sensible manner. I went elsewhere.

Whether that be e-mail, voice mail, or mobile phones. We really have got
better things to do than turn two minutes of effort in contacting someone
into ten minutes of being mucked about, whatever the reason.

It seems a modern phenomena that businesses aren't concerned about losing
any customer. In the past, all were important. In some cases it was even
worth putting up with the sheer bloody annoying ones.
If you're such a business expert, perhaps you could give *your* views on
how best to deal with the trade-off between spam avoidance and email
reachability (or whatever management consultants call that sort of thing).
You really want me to re-invent the wheel for you? There's a plethora of
sites that tell you that, some even have intelligent suggestions.

1. Make it easy for customers to contact you with a real e-mail address.
2. Make it easy for them to use a form to contact you.
3. Do cautious spam filtering, implemented in an intelligent way.

There's plenty of "do nots", but there's one very important one:

1. Do not make it hard for people to contact you.
I think you'll find that a lot of commercial websites don't contain any
email addresses at all. Now, have you thought about why that might be..?

Because they don't understand the medium. (How many businesses have
useless websites that tell you nothing about them or their products?) They
often have next to useless advertising in other mediums, too.

Because they don't implement good anti-spam techniques.

Because they reckon that they do most of their trade some other way (and of
course, because they've limited the ways that customers can contact them).

--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.

This message was sent without a virus, please delete some files yourself.