
email address security using php??


robertlob


Is there a way of using php to keep spam-bots from harvesting email addresses from a web page by calling a php function that would do the same thing as a "mailto:" link in html?

 

I'm thinking php doesn't show up in source file code on a browser, so maybe it would work.

 

I just need a link on the webpage that says "Email Me" and calls a php function that would open a mail form from the resident email client on the user's computer. It would, of course, show the "To" address to the user (but hopefully not to any non-human bots), who would fill out the rest of the email and send it on its way just like a normal "mailto:" link does.

 

Any suggestions on how to go about this, or am I all wet??

 

Link to comment
Share on other sites

PHP runs serverside.  The mailto: is an association within the browser, so basically it's handled by the user's browser. If I've written a sophisticated harvester, I'm going to make it look like a browser, and I'll be able to get the target of a mailto: no matter what you might try to do to stop me from doing that.  The only thing that can stop the harvesters is not to use mailto:'s and to prevent the automated harvesting by using phrases that don't look obviously like email addresses (don't  include the @ symbol for example), so this is why you see a lot of people using phrases instead like:  "email me at bob AT mydomain dot com".  The other thing I see people do is use an image or flash, that has rendered the email address as a graphic. None of these techniques are going to stop a really persistent spammer from harvesting your address, but it certainly can deter rank and file bot driven harvesters that just look for patterns like something@something.com, or the mailto: link.

Link to comment
Share on other sites

When you say you want an "Email Me" link, are you saying the link is only to email you specifically or would it be used to email the person associated with the current page?

 

Either way, you could create a web form for the users to send an email. They will fill out their email/contact info and enter in the body of the message. When the user submits the form, process it on the back-end with PHP and email the results to yourself. That way the email addresses are never exposed. But, you may need to implement a captcha to prevent bots from submitting the form.

Link to comment
Share on other sites

Thanks, guys -

The webpage is a listing of officers and directors of a small fraternal organization. Each listed person would have a link that when clicked would call an email form from the viewer's familiar email client in order to contact that person. Very simple, except for the potential of spam harvesters. Viewers could email membership inquiries, etc., and the officers/directors would have a simple place to email each other back and forth using their regular email client. I'm sure they would still receive some crackpot messages, but I'm trying to limit their exposure to automated email address harvesters.

 

Obfuscation like "robertlob at huges dot net" or "spamtrap.robertlob@huges.net" where they are supposed to modify the address on the mail form by removing the "spamtrap." just complicates things. Most of these folks are elderly and not computer gurus. Using a php form would work, but it doesn't use their familiar email client, nor leave a copy of the "sent" message. Captcha, I'm afraid, would mess up their mind.

 

I was hoping to use a php script to do the lifting while keeping the actual email address invisible in the source code view. My attempt (below) loads when the page loads so the address does show in the source code view all the time, just like the regular "mailto:" link. Which defeats the purpose.

 

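<?php
// The link is built on the server, but the finished HTML (address included) is still sent to the browser.
$mailRobert = 'mailto:robertlob@hughes.net';
$href_anchor = '<a href="' . $mailRobert . '">Here</a>';
$mailLine = "You can email me " . $href_anchor;
?>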

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>

<body>
<?php echo $mailLine; ?>
</body>
</html>

 

Could I incorporate some Javascript to call similar php code only "on click", and auto delete it once the client email form appeared on screen? Would that at least limit source code exposure to a few seconds while the email client form was called?

 

Opinions, suggestions all appreciated.

 


Link to comment
Share on other sites

As gizmola stated, the mailto links are on the client-side, so there is nothing you can do via PHP to prevent harvesters - if the link is available to a human it is available to a harvester.

 

However, there is one trick I used many years ago that was successful. But, that was a long time back and I would think that this could be circumvented by today's scripts. Using JavaScript you can obfuscate the email address in such a manner that the email address in the source code is not valid, but will be read correctly when clicked. Basically, this consists of changing some of the characters in the email address to their character codes (sort of like using "&gt;" for the ">" symbol). I used to have code for this, but can't seem to find it. Or you can create "links" with an onclick event that include a "safe" value that the JS function then converts to an email address and launches the email client. Or, you could combine the two to make your chances even better at preventing harvesting.

 

But, if you decide to go this route you need to be warned. If you go with a method that fails - for even one harvester - you risk inundating your users with tons of spam and possible malicious emails. If I were you I would set up some test email accounts and use them to test with for a good while before even attempting to use the email addresses of actual users. You would need to have these test emails on a page that is "in use" though. Not just some hidden page in your htdocs directory.

 

Here are some links to some possible solutions:

http://www.hcidata.info/obfuscate-email-address.htm

http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/

http://www.hide-email-script.com/

http://www.alistapart.com/articles/gracefulemailobfuscation/

 

The first two are pages that will generate an obfuscated email address for you. If you want to do that, then you should figure out how it is done and create a process to do the same thing via PHP.

 

The third solution incorporates a server-side and client-side solution.

 

The fourth one is a very interesting article which I only scanned. The author used nine different virgin email addresses and then posted them using different obfuscation techniques and then waited 1.5 years to see the results. But, some (if not all) of the solutions only obfuscate for the purposes of displaying the link on the page and NOT creating a mailto link, which is what you want. I would start with that one and then review the others to see what else you can do. As I said, you need to be very careful when potentially exposing users' email addresses. Good luck.

Link to comment
Share on other sites
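The onclick approach described in the reply above, as an added example that is not part of the original thread: the server writes only a "safe" value (reversed character codes) into the page, and a click handler rebuilds the mailto: target. The sample address, the `eml` class and the `data-c` attribute are assumptions made for illustration.

```javascript
// Added example: the address never appears in the page source as text;
// the server emits only character codes, and the click handler rebuilds it.
const SAMPLE = 'officer@example.org'; // constructed sample address

// Server-side step (a PHP page would do the same before echoing the link):
// reverse the address and write each character as its decimal code.
function encodeAddress(addr) {
  return [...addr].reverse().map(ch => ch.codePointAt(0)).join('.');
}

// Client-side step: turn the "safe" value back into the address.
function decodeAddress(safe) {
  if (!/^\d+(\.\d+)*$/.test(safe)) throw new Error('malformed value');
  return safe.split('.').map(n => String.fromCodePoint(Number(n))).reverse().join('');
}

// Markup the server would send. Class and attribute names are hypothetical.
function renderLink(label, addr) {
  return `<a href="#" class="eml" data-c="${encodeAddress(addr)}">${label}</a>`;
}

// The kind of pattern a simple harvester matches on: mailto: or x@y.z.
function looksHarvestable(html) {
  return /mailto:|[\w.+-]+@[\w-]+\.[\w.-]+/i.test(html);
}

// In a browser: build the mailto: target only when a link is clicked,
// which opens the visitor's own email client as a normal mailto: would.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const link = ev.target.closest('a.eml');
    if (!link) return;
    ev.preventDefault();
    window.location.href = 'mailto:' + decodeAddress(link.dataset.c);
  });
}
```

As the replies above point out, this only deters harvesters that match patterns in the raw HTML; a bot that executes the page's script sees the same address a human does.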
