Aaron Saray

open source programmer,
web developer

entrepreneur, author
and musician

My Blog

contains PHP, Web and business/entrepreneurial related content. Please join in the conversation!

Hide Email Addresses while still using mailto: Header Redirect

Posted on August 3, 2010 by Aaron

Everyone I’ve spoken to recently no longer puts mailto:// links in their code for fear that the owner of that address will get more spam. However, there are still legitimate uses for a link like this. In order to foil very simple email parsing bots, I’ve come up with the following script.

Let’s say you have the website http://blahblah.com – and on that website, user joe would like to have his email address of joe@blahblah.com accessible via a mailto:// link. He doesn’t want people to use a contact form – but doesn’t want spam either. I would form his e-mail link in the following manner:

?View Code HTML
1
And, if you would like to contact joe, you can <a href="email.php?user=joe">email joe</a> directly.

The content of the PHP file would be the following:

?View Code PHP
1
2
3
4
5
6
7
8
9
$user = isset($_GET['user']) ? $_GET['user'] : '';

if ($user) {
    $email = $user . '@' . $_SERVER['SERVER_NAME'];
    header("Location: mailto://{$email}");
}
else {
    header('HTTP/1.0 404 Not Found');
}

This simply forms the proper e-mail address from the user get parameter and sends back a different redirect. The thought is simple email scrapers will not detect it as an email address and will leave the ‘link’ alone.

Final thought: if your site requires javascript, you could put an onclick handler on the link to send another parameter along with the script. The script could then verify that the onclick has happened by checking the presence of the additional GET parameter. If it is not present, it could be attributed to a bot (that doesn’t handle javascript, hopefully) – and not provide the e-mail address.

This entry was posted in PHP and tagged . Bookmark the permalink.

3 Responses to Hide Email Addresses while still using mailto: Header Redirect

  1. Sjan Evardsson says:
    August 3, 2010 at 9:15 am

    Just so your readers are aware – as always you would want to sanitize the input. Without checking the input you could easily do:
    email.php?user=spamvictim@somewhereelse.com?cc=sjan

    And you generate a mailto link that works for multiple addresses. Not that it is all that useful in this case (where you are just popping up the user’s email client with a prepopulated address) but I can see this type of script being copied and used for automated messaging or web-form messaging, in which case abuse is a real possibility.

    Reply
  2. Aaron says:
    August 3, 2010 at 9:22 am

    Yah – interesting idea. The above script would have to check to make sure the email address valid in any way anyways. But, yah, I don’t see a lot of problems with this as it is filling the user’s own email program with an email address that they would have to guess :) Thanks for the comment!

    Reply
  3. Joel Clermont says:
    August 3, 2010 at 9:34 am

    Or if the site uses JavaScript you could obfuscate it using hive logic’s enkoder. http://hivelogic.com/enkoder

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>