Mac OS X Dashboard widget called obfuscatr provides JavaScript encoding, which is much more safe than the one described above. The other possible option is just plain hexadecimal encoding of your email addy, similarly to above. So 2 alternatives available from obfuscatr. See the details at flash tekkie.

obfuscatr was also featured in MacWorld Italy of March 2008.

After Stu came up with the ultra-cool email address obfuscation method through CSS

Just wanted to say that the CSS email obfuscation doesn’t work in Safari (v. 1.2.4)

To extent on his conclusion, however, he did receive some spam on the HTML encoded address. This means he would start getting a lot more spam once his address has been sold and bought.

My original points still hold, but I guess we can conclude that using HTML encoded or Javascript obfuscated addresses is safer than simple plain text mailto links.

As a direct consequence, I have removed my JS “protected” email script from my colophon. Now only the PHP contact form remains.

Additionally, javascript functions and HTML entities are becoming quite wide spread solutions. As more and more people use these two methods of protecting their addresses the spammers will, and already have, account for them in their tools.

The only way of attaining security through obscurity is to make it really obscure. Find your own way of hiding your address and don’t share it with anyone. If you are the only person hiding your address in one specific fashion, a spammer has less to gain by specifying that obfuscation in his tool as he would only obtain one more address.

Additional resources:

• Matt Pritchard ? How to hurt the hackers (look at rule # 5 and the preceding text)

• Bruce Perens ? Slashdot |?Feature : Security Through Obscurity

should point out that I?m using a different method myself, on my colophon contact page. It?s using JavaScript to write the mailto function.

Which still isn’t safe. As I said:

If there is a simple way of viewing an address in a web browser (such as html entities or javascript functions) you can be sure that any email sniffer worth its salt can see it too.

What I meant with my contact form comments was that your comment form accessed a script, ie. a php script, which sent the mail to your address. This would prevent your email from being visible to anyone while still allowing people to send you feedback.

I should point out that I’m using a different method myself, on my colophon contact page. It’s using JavaScript to write the mailto function. Feel free to steal that, whoever wants to.

I don’t know if there is such a thing as an ideal email protection mechanism, but using a contact form, where the email isn’t written as a hidden field, is probably one of the better ways of protection.

Email_Sniffer_Stop – “encodes clear-text to ascii”[via noscope – sidenotes]

Markdown rocks. The only reason I’m using textile is that Markdown doesn’t have a good way to show blockquotes or code tags, IMHO.

Jonathan,

Consider it updated :)—I just stole what it said on the page.

Er, unless I’m very much mistaken, the email address you enter is ASCII. After conversion it becomes HTML entities (still in ASCII).

I am such a pedant! :-)