Hiding Email Addresses from Spambots

This is nothing new or earth-shaking.

Spambots are automated email addresses harvesters, also known as spiders. They crawl through web pages searching them for email addresses. Spammers use the addresses collected by the spambots to flood your inbox with ads for porn, drugs, and sketchy software.

In the past it was common to put your email address on web pages so readers could contact you. These days that just results in the spambots getting your address and flooding it with spam.

A solution is to use an online form that users can fill out to send you a message. When the user submits the form, a script runs on the server to process what the user entered on the form, prepare it into an email, and send it to an address. Most of these scripts require your email address to still be present in a field of the HTML of the form's web page, and use that field to determine where to send the message. Such a field might look like this:

<input type="hidden" name="recipient" value="myaddress@mydomain.com">

The spambots have been updated to harvest these addresses as well. I've had to shut down several email aliases due to this, which is quite a nuisance.

So I hacked the script so that my email addresses are hidden in the script instead of being present in the web page. Instead of using the recipient field as the destination address, it uses the recipient field to determine the destination address. The field on the web page now looks like this

<input type="hidden" name="recipient" value="1">

The script uses the value, "1", "2", whatever, to look up a corresponding destination email address.

The email addresses are safely hidden in the script, where nobody can see them. The down side to this is that if you want to add a new address for a new form, you can't just create the form page and be done. You also have to add the address to the script. But this isn't much effort, and happens only rarely (for me anyway!)

There is one other change I made to the script: it will only process a form if the form method is POST. All spiders that I've seen in my web logs use GET. By requiring POST, I avoid getting empty email messages from spiders accessing the script via GET.

Originally I hacked formmail.cgi Version 1.92sn from Matt's Script Archive since that is what my host, WestHost.com, provides. But then I figured somebody probably had something better by now, and they did.

I found a newer script that already has these functions built into it. It is a drop-in replacement that is also supposed to be more secure, and better written. I am now using this newer script, NMS FormMail (the compat version).

It includes a simple section of code to enter the aliasing:

  %recipient_alias   = (
    '1' => 'myaddress1@mydomain.com',
    '2' => 'myaddress2@mydomain.com',
    '3' => 'myaddress3@mydomain.com',
  );

To see an example form, go to this form and View Source.

You can contact me with this form.