Jan 4, 2007

Email Phishing Prevention Script

As most people know by now, listing your email address directly on any website as a mailto link will probably result in you getting an excessive amount of spam or junk email. This comes from something called email phishing, which in short means that some bot is crawling web pages and adding email@yourdomain.com to a mailing list. So what can we do to prevent this?

Well, besides simply not listing an email address on a website and using a contact-us form instead, there are a few options. However, you'll notice that they won't work forever, and that is the true problem: after I write this, someone is going to find a way around it, if they haven't already. But nevertheless, here we go.

The script below was not written by me, but I have made a few changes to the way it works to make it a little more functional.

<?php
# $strEmail: the e-mail address to encode.
# $strDisplay: what will be displayed in the browser. If empty, the e-mail address is used.
# $blnCreateLink: set to true to create a link; set to false (and leave $strDisplay empty) to just display the e-mail address.
# Call the function like so: asciiEncodeEmail("you@doh.com", "you@doh.com", true);

function asciiEncodeEmail($strEmail, $strDisplay, $blnCreateLink) {
    // The "m" of mailto: is encoded too, so the literal string "mailto:" never appears in the source
    $strMailto = "&#109;ailto:";
    $strEncodedEmail = "";
    $strEncodedDisplay = "";

    // Encode every character of the address as a decimal HTML numeric entity (&#NNN;)
    for ($i = 0; $i < strlen($strEmail); $i++) {
        $strEncodedEmail .= "&#" . ord(substr($strEmail, $i, 1)) . ";";
    }
    if (strlen(trim($strDisplay)) > 0) {
        // Encode the display text the same way so it does not appear as plain text either
        for ($i = 0; $i < strlen($strDisplay); $i++) {
            $strEncodedDisplay .= "&#" . ord(substr($strDisplay, $i, 1)) . ";";
        }
        $strDisplay = $strEncodedDisplay;
    } else {
        $strDisplay = $strEncodedEmail;
    }
    if ($blnCreateLink) {
        echo "<a href=\"" . $strMailto . $strEncodedEmail . "\" title=\"" . $strEncodedEmail . "\">" . $strDisplay . "</a>";
    } else {
        echo $strDisplay;
    }
}
?>

So how does that help prevent email phishing? Well, currently most email bots and crawlers don't crawl the rendered version of a website but rather the page source, which in this case looks like junk. So, as you can expect, eventually they will get smart enough to beat this option too, but I'd rather not require the end user to have JavaScript enabled at this time (although that will eventually come).

However, if you'd like a more advanced option that does use JavaScript, you could use the following function from the A List Apart article Win the SPAM Arms Race:

function safeAddress($emailAddress, $theText, $theTitle, $xhtml, $isItSafe) {
    // Version 1.5 - by Dan Benjamin - http://www.hivelogic.com/
    // set $isItSafe = 1 to get escaped HTML, 0 for normal HTML
    // set $xhtml = 1 if you want your page to be valid for XHTML 1.x
    // you can call it like this:
    // <?php echo safeAddress($entity, $linkText, $titleText, 1, 1); ?>

    $ent = "";
    $userName = "";
    $domainName = "";

    // Encode each character as a decimal entity; split the address at "@"
    // so the user and domain parts are emitted separately
    for ($i = 0; $i < strlen($emailAddress); $i++) {
        $c = substr($emailAddress, $i, 1);
        if ($c == "@") {
            $userName = $ent;
            $ent = "";
        } else {
            $ent .= "&#" . ord($c) . ";";
        }
    }

    $domainName = $ent;

    if ($xhtml == 1) {
        $endResult = "<script type=\"text/javascript\">
<!--
document.write('<a href=\"mailto:$userName&#64;$domainName\" title=\"$theTitle\">$theText<\/a>');
// -->
</script>";
    } else {
        $endResult = "<script language=\"JavaScript\" type=\"text/javascript\">
<!--
document.write('<a href=\"mailto:$userName&#64;$domainName\" title=\"$theTitle\">$theText<\/a>');
// -->
</script>";
    }
    if ($isItSafe) {
        return(htmlentities($endResult));
    } else {
        return($endResult);
    }
}
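Both scripts above rely on the same mechanism: every character of the address is written as a decimal HTML numeric entity, so a scanner that reads raw page source never sees a literal address, while a browser decodes the entities and renders it normally. The Python below is an added example (not code from the post or from the A List Apart article) that reproduces the encoding of the first script, the user/domain split of the second, and then checks both halves of the claim: the address is absent from the raw markup but present once entities are decoded. The sample address and the regular expression are constructed for the demonstration.

```python
import html
import re

# Constructed sample address; not taken from the original post.
SAMPLE_EMAIL = "you@doh.com"


def entity_encode(text: str) -> str:
    """Encode every character as a decimal HTML numeric entity (&#NNN;),
    exactly what the PHP loops do with ord() on each byte."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def split_encode(email: str) -> tuple[str, str]:
    """Mirror safeAddress(): encode the user and domain parts separately,
    dropping the '@' so the caller can re-insert it as &#64;."""
    user, _, domain = email.partition("@")
    return entity_encode(user), entity_encode(domain)


def mailto_link(email: str, display: str = "", create_link: bool = True) -> str:
    """Build the same markup as asciiEncodeEmail(): an <a> whose href,
    title and link text are all entity-encoded, or just the encoded text."""
    encoded_email = entity_encode(email)
    encoded_display = entity_encode(display) if display.strip() else encoded_email
    if not create_link:
        return encoded_display
    # "&#109;ailto:" hides the scheme's first letter as well, as in the post
    return (f'<a href="&#109;ailto:{encoded_email}" title="{encoded_email}">'
            f"{encoded_display}</a>")


# A simple address pattern of the kind a source-reading scanner would use (constructed).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def addresses_in_source(markup: str) -> list[str]:
    """Addresses visible in the raw page source, which the post says is
    what current bots read. Expected to be empty for encoded markup."""
    return sorted(set(EMAIL_RE.findall(markup)))


def addresses_when_rendered(markup: str) -> list[str]:
    """Addresses visible after entity decoding, i.e. what a browser (or any
    reader that decodes entities) ends up with. This is the post's caveat:
    the protection lasts only as long as the reader skips that step."""
    return sorted(set(EMAIL_RE.findall(html.unescape(markup))))


if __name__ == "__main__":
    link = mailto_link(SAMPLE_EMAIL)
    print(link)
    print("in source:  ", addresses_in_source(link))
    print("rendered:   ", addresses_when_rendered(link))
    print("split parts:", split_encode(SAMPLE_EMAIL))
```

Running it shows the raw anchor as a run of `&#NNN;` entities with no `@` or `mailto:` anywhere, an empty result for the source scan, and the original address once decoded. That last line is the measure of the fix: it holds up exactly as long as the scanner does not decode entities before matching, which is why the post calls it temporary.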

And hopefully one day we will get to where we no longer need such methods and email phishing will be a thing of the past. But until then we must fight the SPAM Arms Race with all that we can.

  • Anonymous

    Saw your post on uwebd. Actually, PHP (or any other server side code) is NEVER returned to the client. Only the rendered HTML is ever transmitted. As a result, PHP-based email encryption is bound to fail as the page will first render and then send the unencrypted text to the client browser.

  • Paul Prewitt

    That is correct, PHP will not make any difference if you have it write out the email@domain.com. This script actually takes the email address and converts it using ASCII characters which is converted for display by browsers but not spam bots… at least not yet. However, in the long run this is only a temporary fix.
