Should I display my email address on my website?


A client raised this question the other day. A friend of theirs had taken a look at their website & advised them that having their email address proudly displayed wasn’t a good idea, as they would get added to “spam lists”.

Update: here are the legal requirements re UK website information; best not hide that email address!

They suggested a contact form instead. That’s fair enough, but the website already had a contact form. I certainly do like simple contact forms as they give people a smooth route to contact you. But not everyone likes forms (for one thing, there is no audit trail).

And I wouldn’t use a contact form instead of displaying your email address; I would use it as well as. Choice is good.

Captcha or be captured?

I’m not a great fan of attempts to obscure your email address or contact forms; techniques such as captcha (fig1) or displaying your email as an image (instead of natural, HTML text) can be counterproductive as, in doing so, we’re actually throwing the baby out with the bath water. By that I mean, by trying to make it harder for bogeymen spammers, you’re also making it harder for legitimate punters to contact you. How is that useful?

Fig1: Captcha is a method to test if you are human; used sometimes as part of a contact form submission

Fig2: Another form of testing; but boy can these be hard to decipher!

What are spammers trying to achieve?

Spammers can’t do much that is useful with your email address; they can try to email you junk*, and they can try to send fake emails as if they came from your email address, but such spoofing is easily (and automatically) detected more often than not.

*Note: if you fall for an email from your long lost Nigerian cousin who wants to give you $1,000,000 but you need to transfer money first then email spam is not the problem; it’s stupidity.

Can they hack into your online banking with it? No.

Can they take over your life in an Invasion of the body snatchers nightmare? No.

And remember there are many other ways they can gain email addresses. In fact, they could just guess. Eg if your domain is ACMEBIZ.NET then do you have any of these email addresses active? [email protected], [email protected] [email protected]? See, the genie is already out of the bottle.

SPAM, SPAM, SPAM

You’ve also got to bear in mind that email SPAM is just a never-ending problem, and one that a contact form or hiding your email address doesn’t really fix (in fact, contact forms can cause more issues than they solve).

I use GOOGLE to host jojet.com email and Google are pretty darn good at weeding out spam; we should let them do their job. Using Heath Robinson-esque systems to keep bogeymen spam harvesters at bay can be a red herring.

For more nitty gritty, check out the Wikipedia entry on Email Address harvesting.

Joel

p.s. oh, and can someone tell me the point of splitting your email address up into “jh dot jojet dot com” via a Twitter DM?! Paranoid are we?


24 Responses

  1. Methinks the people who put a ‘spamproof’ email address in DMs may have missed the point somewhat – or perhaps they regularly converse with eloquent spambots?

    An alternative option, not necessarily for use on a professional website but quite good for Twitter etc. is to use a service called scr.im (http://scr.im/) – it puts your email address behind a captcha, but all the user has to do is read the captcha and choose the matching sequence of letters – no typing required. Less secure than a normal captcha but far less hassle for the end user!

  2. Philippa says:

    By law you have to have your phone no, a physical mail address and an email address on your website. They don’t have to be prominent (lots of companies hide them in terms and conditions / privacy pages) but they do have to be there somewhere.

    • Joel_Hughes says:

      Hi Philippa,
      many thanks for stopping by & taking the time to comment.

      Agree it’s law (if you’re a UK company) but that doesn’t stop people trying to (and typically failing to) outsmart the spammers!

      Joel

  3. clivewalker says:

    I think it’s a good idea to have several different contact methods on your website. I would normally encode the email address although that’s not 100% foolproof against spammers I know. Can you point me to the law thing because, although I know that Ltd companies have some display requirements, I wasn’t sure if this applies to all companies or if it applies to email addresses. Good idea to have a physical address and phone number of course.

  4. I always use a contact form instead of displaying an email address on a “contact” page. And I will then show an email address somewhere else where it is less likely people will find it. I rarely use a Captcha image as I find them frustrating, if I use anything it will be a simple maths question. And then the PHP script will try to seek out naughty words like viagra and what have you and if it detects them, stop the email from sending.

    I think we should always do something to prevent spam, yes certain spam filters can prevent it, but I know someone who gets over 2000 spam emails a day, and most of them come overnight, so when she turns on her computer the following morning it takes her about 30 minutes to download them and have her spam filter clear it out to actually find some relevant emails.

    Since this person has transferred her hosting to my server, the email usage on my server has gone up drastically.

    So in short, if we can do something to prevent them, do so, but don’t go crazy trying to prevent it.

    • Joel_Hughes says:

      Hi Andrew,
      thanks for visiting and taking the time to comment.

      I like contact forms but hate Captcha!

      “And I will then show an email address somewhere else where it is less likely people will find it.”

      …is it just me that this sounds odd to? Don’t you want people to find your email address? Don’t let the spammers shape your online presence; don’t forget that some people do NOT like forms.

      it takes her about 30 minutes to download them and have her spam filter clear i

      In which case she needs a proper cloud based anti-spam service, this will clear things up server side which means all spam are quarantined before they get to her inbox and she wouldn’t sit there and download them each morning.

      Joel

  5. stevelacey says:

    I’m sure there’s been a lot of studies on the topic, here’s one that springs to mind:

    http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared

    I wouldn’t call it paranoia to obfuscate your email address, personally I use at’s and dot’s and then use JS to transform it into a regular mailto link on my portfolio, and should I need to tweet my address, I take the same approach.

    It’s naive to assume people aren’t scraping this stuff, web pages are easy to crawl and the Twitter API even more so.

    Spammers are no more likely to target me than anyone else, but if they can scrape me along with 1000’s of others in one fell swoop, suddenly it’s lucrative. I’ll happily utilise such an easy work-around if it keeps but a handful of them from knocking at my inbox’s door.

    • Joel_Hughes says:

      Hi Steve,
      My worry is where such tactics actually make it harder for legit people to contact you. E.g. in the article:

      “2. Using CSS display:none”
      ….that looks like a nightmare for screen readers. So, you’re winning on the swings, but you’re losing on the roundabouts; typical.

      “3. ROT13 Encryption”
      Using JS? And what does the punter see if JS is off? “silvanfoobar’s Mail”? Sorry, that is completely unacceptable in my book.

      I think these tactics are as dangerous as DIY dentistry; I’d advise common sense and industrial strength anti SPAM.

      Joel

      • stevelacey says:

        To the contrary, the display none method plays right into the hands of screen readers, it’s common knowledge that they ignore display none’d content completely, so with that consideration alone, the solution is ideal for that audience.

        Your point about ROT13 is true, but that’s why I chose at’s and dot’s, in the rare occurrence of a no-JS user popping along they get a perfectly readable response, just no mailto link… frankly, who cares? If you have JS off you should be expecting the web to be a bit crappy.

        • Joel_Hughes says:

          Hi Steve,
          Many screen readers have had issues with ‘display:none’ so, frankly, it’s playing with matches. The ‘ideal for that audience’ is simply to show an email address without any ‘clever’ code which may (or may not) distract spammers. Do you use this technique on client websites?

          ‘frankly, who cares? If you have JS off you should be expecting the web to be a bit crappy.’ – I can’t agree here Steve. I think responsive web design has shown us that we got lazy with how we designed & coded websites & compressed images etc; more & more web capable devices will be coming online in the future; which may or may not support JS etc – we have to embrace diversity. Perhaps you should care a little? 🙂

          Joel

      • stevelacey says:

        I thought the issues screen readers had was they ignore it, hence the alternative CSS hacks for hiding legit text, text-indent -999% etc. etc. fair enough if I’m wrong, I haven’t read that much into the topic.

        I didn’t say I don’t care about non-JS users, I said I don’t care about them seeing at’s and dot’s, it’s still easy to understand and completely usable, and as far as I’m concerned, I’m happy to sacrifice the wonderful experience that is a mailto link for the ~1.3% of my users unable to see it if it means I get less spam.

  6. Dan George says:

    Great article. How effective is displaying the email address as an image? Interesting comments regarding displaying contact details by law also, didn’t realise this!

  7. Joel_Hughes says:

    Hi Dan,
    my issue with displaying email address as an image (with no ALT) is that screen readers etc. will have no idea what it is. And browsers/clients which typically recognise an email address and then allow a native application to launch when you click the link, won’t work either. Broken.

    Ta for stopping by

    Joel

  8. Completely agree Joel sir! Personally I feel uncomfortable with contact forms. If anyone at all feels the same it may be enough to put them off a valuable contact. Surely the whole idea of a business website is to give yourself a presence, a shop front or at least advertise your existence in some way. Making it easy for people to contact you has to have precedence. It reminds me of those business cards you see with very small phone numbers or emails in unusual fonts which are hard to read in some way or another. Why make things difficult for potential customers?

  9. Hey Joel,

    Right, so my plan is to have a field such as this

    In an external css file
    .special {
    display:none;
    width:0;
    height:0;
    }

    or something like that.

    Then in the PHP processing

    So the idea is that a text field will “appear” on the form however a human user cannot see it, but a bot would not be able to tell the difference. Now, the more complicated the script which checks to see if the text field is being displayed won’t be fooled, but it will stop a few of them.

    The PHP would then get the field details and check to see if it’s empty, if it is empty the email will be sent. Otherwise it will record the IP address and possibly block the IP, redirect the IP to a page explaining why they have been blocked (for the users who have had their computers hacked)

    The average user would not see the field and would be none the wiser. They would not have to do maths, read some crazy letters which no one can understand.

    Would be interested to hear your thoughts on this, you have been doing this kind of thing a little longer than me, so I would appreciate your input!

    Andrew

    • Joel_Hughes says:

      Hi Andrew,
      thanks for stopping by.

      I know where you are coming from with this approach but I’m not a great believer in safety through obfuscation.

      I think you mention the main downside yourself “Now, the more complicated the script”; quite. But I think there is a more obvious issue; most bots are only looking for email address and message (textarea) fields; they are looking to supply the minimal amount of details to get the job done; so if this field is not compulsory (which it cannot be) then the script won’t even factor it in.

      My gut feel is that this approach is slightly over engineered. And, given my experience of users, I would bet that one of them would put something in that field and end up being blocked; a false positive.

      I’d go for the simple maths test field if I had to e.g. “Are you a human? What is X + Y?”. Again, this could theoretically be gamed but there is extra complexity involved. However, this approach does at least add something functionally to the form which has to be used by the human user.

      My concern as usual with any strategy here is that we either make the form less usable or start creating false positives. Keeping defences at a sensible minimum and then allowing quality anti-spam or anti-comment spam services to do their stuff seems sensible to me. You could argue (quite rightly) that such services can flag false positives but my response would be that, given the sheer numbers of messages which such services analyse, they are much better placed to make that decision than your average website.

      Still, if you have a site where this is an issue you may want to try your solution and see what happens.

      Joel
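
Added example, not part of the original thread and not either commenter's code: one way to write the hidden-field check from comment 9 so that it also covers the two objections in the reply (bots that post only the minimum fields, and real users who end up blocked). The field name `website`, the "send"/"quarantine" labels and the log format are assumptions.

```php
<?php
// Added example, not the commenter's code. The field name "website", the
// decision labels and the log format are assumptions.
const TRAP_FIELD = 'website';

// Markup for the trap field, hidden by the commenter's .special rule. The
// label is for anyone who sees the form without CSS; tabindex and
// autocomplete discourage keyboard focus and browser autofill.
function trap_field_html(): string
{
    return '<p class="special" aria-hidden="true"><label>Leave this empty '
        . '<input type="text" name="' . TRAP_FIELD . '" value=""'
        . ' tabindex="-1" autocomplete="off"></label></p>';
}

// Returns [decision, reason]; decision is "send" or "quarantine".
function classify_submission(array $post): array
{
    // A browser submits every named text input, including one hidden with
    // display:none, so a rendered form always sends the key. A script that
    // posts only the email and message fields leaves it out.
    if (!array_key_exists(TRAP_FIELD, $post)) {
        return ['quarantine', 'trap field missing'];
    }
    $trap = $post[TRAP_FIELD];
    if (!is_string($trap)) { // website[]=x arrives as an array
        return ['quarantine', 'trap field malformed'];
    }
    if (trim($trap) !== '') {
        return ['quarantine', 'trap field filled'];
    }
    return ['send', 'trap field empty'];
}

// Hold suspect messages for a human rather than blocking the IP: addresses
// are shared, and a real user may have typed into the field.
function handle(array $post, string $ip): string
{
    [$decision, $reason] = classify_submission($post);
    if ($decision !== 'send') {
        error_log("contact form: $reason from $ip");
    }
    return $decision;
}

// Constructed sample submissions (192.0.2.10 is a documentation address).
$base = ['email' => 'visitor@example.com', 'message' => 'Hello'];
echo handle($base + [TRAP_FIELD => ''], '192.0.2.10'), "\n";
echo handle($base, '192.0.2.10'), "\n";
echo handle($base + [TRAP_FIELD => 'http://example.com'], '192.0.2.10'), "\n";
```

Run from the command line, the three samples print `send`, `quarantine` and `quarantine`, with the reasons for the last two written to the error log.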
