If you allow comments on your blog and accept an e-mail address, it is your solemn obligation to protect the address from spammers. I used to rely on security through obscurity, replacing normal characters with HTML entities in an effort to hide the e-mail addresses, but that doesn’t work. Contrary to what we would like to believe, the people who write e-mail harvesters are not drooling illiterate knuckle-draggers. They are aware that people try to hide e-mail addresses from their software, and have modified their code to interpret the entities and harvest the address. I learned this when I masked the notification list e-mail addresses and began receiving spam to the supposedly hidden addresses in a matter of days.

If you use Movable Type, you’re in luck. I found the ideal solution and it’s so simple I regret not having searched for it sooner. I found the answer in the support forum but it’s also in the documentation. Modify your comment template to use the show_email attribute.

You may currently have spam_protect=”1″ but as I already mentioned, HTML entities are not going to protect your email address from everyone. When show_email is set to zero, the name will be a link if a URL was provided, and plain text otherwise. A drawback is that readers won’t be able to email those who have made comments, but they can still make a comment in reply, or visit the URL if one was given. I consider it to be an acceptable limitation given that e-mail addresses will now be safe from the wily clutches of spam bots.