
Protecting e-mail address without forms...

Posted: Thu Apr 23, 2009 2:55 am
by nicolasm
Let's say I want to show a normal mailto: link to my visitors (not an html form),
so they can contact me through their favorite e-mail client, or webmail site.

But of course I don't want the address harvested by spambots.

Let's say I set up a .php file to display the e-mail link:

<a href="mailto:whoever@wherever.com">whoever@wherever.com</a>

...but only if a CAPTCHA in a previous page was successfully answered.

Is this secure, or should I stick to the html form? (and all the anti-injection validation techniques)

Re: Protecting e-mail address without forms...

Posted: Thu Apr 23, 2009 10:20 am
by jazz090
you could do one thing:

set up a page called mailto.php

instead of setting links as "mailto:email@address.com", encrypt it once with mcrypt and then with base64 and call it $email
now set the links as <a href="mailto.php?e=$email">send email</a>

then in mailto.php decode the base64 encrypted email and decrypt with mcrypt and simply call a location header: header("Location: mailto:$decrypted_email")

however, I recommend that you set up a page that circumvents mailto and sends the email with php itself (no encryption or email exposure is needed)

Re: Protecting e-mail address without forms...

Posted: Thu Apr 23, 2009 11:01 am
by kaisellgren
The CAPTCHA would definitely block at least 99% of your spam bots. However, this is not very practical. There are no bulletproof solutions. Bots can also interpret response headers. Another thing is that you could encode the characters, which could prevent many bots:


// Turn every character of $email into a numeric HTML entity, picking at
// random between the hex form (&#x6b) and the decimal form (&#107).
// The browser renders the original text; a plain substring match for "@" fails.
function obfuscate($email)
{
 $encoded_email = '';
 for ($a = 0, $b = strlen($email); $a < $b; $a++)
 {
  $encoded_email .= '&#' . (mt_rand(0, 1) == 0 ? 'x' . dechex(ord($email[$a])) : ord($email[$a]));
 }
 return $encoded_email;
}

echo obfuscate('kaisellgren@gmail.com');
This is what the source code now looks like:
0&#x6b&#97&#105&#115&#x65&#108&#108&#x67&#114&#x65&#110&#x40&#x67&#109&#x61&#x69&#x6c&#x2e&#x63&#111&#109
It is still possible for a bot to decode it. So, you could add some words into the email address like "myemailREMOVETHIS@email.com".

Btw, the above encryption/decryption scheme is superfluous.

If you want even better "protection", you could make a JavaScript script that generates the link.
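To make the caveat above concrete, here is an added example (not code from kaisellgren's post): a Python port of the same entity encoding beside the decoding that every HTML parser performs, showing that the obfuscation hides the address only from a literal string match. POSTED_OUTPUT is the entity string quoted from the post above; the seed parameter is an assumption added so the encoding can be reproduced.

```python
import html
import random
import re

# Port of the PHP obfuscate() from the post: each character becomes a numeric
# HTML entity, chosen at random between hex (&#x6b) and decimal (&#107) form.
def obfuscate(email, rng=None):
    rng = rng or random.Random()
    parts = []
    for ch in email:
        if rng.randint(0, 1) == 0:
            parts.append("&#x%x" % ord(ch))
        else:
            parts.append("&#%d" % ord(ch))
    return "".join(parts)

# What a browser (or any HTML-aware parser) does with that markup: numeric
# references decode back to text, with or without the trailing semicolon.
_ENTITY = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);?")

def deobfuscate(markup):
    def repl(m):
        ref = m.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        return chr(code)
    return _ENTITY.sub(repl, markup)

# Entity string quoted from kaisellgren's post (stray leading character dropped).
POSTED_OUTPUT = ("&#x6b&#97&#105&#115&#x65&#108&#108&#x67&#114&#x65&#110"
                 "&#x40&#x67&#109&#x61&#x69&#x6c&#x2e&#x63&#111&#109")

def roundtrip(email, seed=0):
    # Encode with a fixed seed (assumed parameter) and confirm that both the
    # hand-rolled decoder and the stdlib parser recover the original address.
    encoded = obfuscate(email, random.Random(seed))
    return deobfuscate(encoded) == email and html.unescape(encoded) == email

if __name__ == "__main__":
    print(deobfuscate(POSTED_OUTPUT))   # the address the browser displays
    print(roundtrip("whoever@wherever.com"))
```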

Re: Protecting e-mail address without forms...

Posted: Thu Apr 23, 2009 9:15 pm
by nicolasm
Thanks everyone... I didn't get the base64 thing, nor why it should be useful, or visible to human users
(sorry, I'm a newbie).

I think I'll just stick to the Form+Captcha approach. You are all right that every little security measure adds up.