If you're wanting to truly protect email addresses while sacrificing accessibility, then use an image of the email address.
The internet rules are simple: if you don't want it stolen or abused, don't put it out there.
If you use a contact form for initial queries or as a point of contact, you remove the need to publish an email address.
Any web host of worth will have email filtering tools for you to configure spam filters with.
Trying to encrypt email addresses is stupid because you're decreasing the accessibility to screen readers for people who are blind or partially sighted.
It is very common for people to simply use the following format: user.name_at_somedomain.tld, and have people either edit out the _at_, or put a "click function" into the anchor to replace the _at_ and prepend mailto: to complete the mail address.
For example:
Code:
<!-- the href carries user:domain; the click handler turns it into a mailto: link, once -->
<a href="my.email:mydomain.com"
   onclick="if (this.href.indexOf('mailto:') !== 0) this.href = 'mailto:' + this.getAttribute('href').split(':').join('@');">Email Me</a>
or
Code:
<!-- the title carries user:domain; the click handler builds the mailto: link from it -->
<a href="javascript:;" title="email:mydomain.com"
   onclick="this.href = 'mailto:' + this.title.split(':').join('@');">Email Me</a>
Of the several developer forums I frequent, this is a surprisingly common question: how to encode stuff to stop spam. The fact is that you cannot stop spam; a spammer will often employ a click agent to decode anything that you employ to obfuscate an email address, which is why the first line of frontline defence is a contact form, and even then the form will be abused by bots, spam agents and hackers... It is a battle that you are never going to win no matter how convoluted your tactics; what you make can be broken.
So it is better that you be aware that this is never going to stop spammers and bots, and it is best to employ some server-side security such as salting and sessions in contact forms, and mail filtering on the box that receives the contact form information.
So you want to be checking what kind of security tools you have access to with your web host. If you host from home, then you need to write your own filters in the mail client you use or write your own form handler to pick up on potential spam.
In all web forms you should have a dummy field, something like...
Code:
<!-- honeypot: a real browser submits this empty; a bot that fills every field will populate it -->
<input name="loginid" type="hidden" value="" readonly autocomplete="off">
Which means that when your form is submitted, the "readonly" setting means you're expecting an empty field. If this field is not empty, it means that your web form was most likely cloned by a bot and the "readonly" is being ignored; the fact that a dummy field has data in it means the submission should instantly be discarded.
You would also be best to employ form salting; this is where you simply have a field that is an md5 hash, and the way you calculate this hash is important.
e.g.
Code:
<?php
$salt = "a1b2c3d4e5f6";                            // secret value that only the server knows
$md5_salt = md5($_SERVER['REMOTE_ADDR'] . $salt);  // token bound to the visitor's IP address
// hidden field carrying the token; the handler recomputes it and compares on submit
echo "<input type='hidden' name='salt' value='{$md5_salt}' readonly>";
The purpose of adding a salt value to the IP address is to stop people using rainbow tables to guess your secret hash; it is important to add a secret salt to help your receiving form handler script distinguish a genuine form from your site from some spam bot.
You can also employ other methods of security, which include the use of sessions and AJAX too.
Your site security is only as good as your coding, and this includes using the built-in PHP functions like strip_tags and stripslashes and others that can be found on the php.net website.
What you shouldn't be afraid of is exposing your email address; how you expose it is important, and it should be accessible. Some screen readers, for example, understand JavaScript and can decode it, some cannot.
I hope that info is of some use.