If you allow comments on your blog and accept an e-mail address, it is your solemn obligation to protect the address from spammers. I used to rely on security through obscurity, replacing normal characters with HTML entities in an effort to hide the e-mail addresses, but that doesn’t work. Contrary to what we would like to believe, the people who write e-mail harvesters are not drooling illiterate knuckle-draggers. They are aware that people try to hide e-mail addresses from their software, and have modified their code to interpret the entities and harvest the address. I learned this when I masked the notification list e-mail addresses and began receiving spam to the supposedly hidden addresses in a matter of days.
If you use Movable Type, you’re in luck. I found the ideal solution and it’s so simple I regret not having searched for it sooner. I found the answer in the support forum but it’s also in the documentation. Modify your comment template to use the show_email attribute.
You may currently have spam_protect=”1″ but as I already mentioned, HTML entities are not going to protect your email address from everyone. When show_email is set to zero, the name will be a link if a URL was provided, and plain text otherwise. A drawback is that readers won’t be able to email those who have made comments, but they can still make a comment in reply, or visit the URL if one was given. I consider it to be an acceptable limitation given that e-mail addresses will now be safe from the wily clutches of spam bots.
I edited my comment template but found out that you can’t have both tags (the show author tag and spam protect tag). If you do it shows two links [jason jason]. I’m assuming that the show author tag makes the spam protect tag redundant. Also, you omitted the beginning and ending “$” on the tag. Was this by accident or intentional?
$MTCommentAuthorLink show_email=”0″$
The spam_protect tag is of no use if you’re not showing the email address. Whoops. I had forgotten the dollar signs, thanks.
That’s what I had thought. Thanks for the clarification.
I agree, thanks for the tidbit.
Thanks. I was looking for a fix for this problem and your post was just what I needed. I don’t understand why MT doesn’t default to this. HTML entity obfuscation is silly. If a web browser can figure it out, surely the spam-bot can figure it out as well. And even if they don’t, I wouldn’t want the commenters to panic seeing their addresses shown to the world.
Yuri: I’m glad to see that you’re concerned about your visitors’ e-mail addresses. They’ll thank you for it.
I agree, MT should have it on by default. The other thing I wish they would do is to require names but not e-mail addresses. Right now you have to require both or none.
Great tip… I wonder. Is there any displaying of email addresses that works? For example: example [at] example [dot] com or any variant? Maybe: The first part of my address is ‘joe’ the second is probably ‘hall’ after the at you should put a ‘pobox’ and then, if you intende the email to get to me and not VeriSign, you’ll need a ‘.com’ at the end.
Joe: I’ve seen people try to obfuscate their e-mail address, but I would imagine it eludes some people that sincerely want to send you an e-mail. I would also presume that the people who write spambots have learned that you can convert [at] or [dot] to ‘@’ or ‘.’ and voila, yet another e-mail address to spam.
This mod should also be applied to “comment preview template” and “individual archive template” (or anywhere comments will be published).
hide my mail