The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. It implements the technique at the SpamSpan website (a German version is also available). The problem with most email address obfuscators is that they rely upon JavaScript being enabled on the client side. This makes the technique inaccessible to people with screen readers. SpamSpan however will produce clickable links if JavaScript is enabled, and will show the email address as example [at] example [dot] com if the browser does not support JavaScript or if JavaScript is disabled.

This technique is unlikely to be absolutely foolproof. It is possible in theory for a determined spambot to harvest addresses from your site no matter how you disguise them. But research suggests that the by far the great majority of spambots do not bother to attempt to collect addresses which have been hidden using JavaScript. Indeed, most spambots cannot currently read JavaScript at all.

Here are a links to the results of a few experiments into the efficacy of JavaScript obfuscation. Let me know if you know of any more.

http://www.cdt.org/speech/spam/030319spamreport.shtml (2003)

http://nikitathespider.com/articles/IngenReklamTack.html (2006)

http://nadeausoftware.com/articles/2007/05/stop_spammer_email_harvesters... (2007)

http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-... (2008)

Drupal 6.
This branch is in need of a co-maintainer.

Initial release for Drupal 7.

peterx was a temporary maintainer for the D7 version and fixed some issues while working on a site using Spamspan.

The filter api has changed substantially in D7, so there has been some fairly major rewriting of the code. There are a few changes to be aware of in particular:

  • The module no longer uses compressed javascript. Maintenance of this was more trouble than it was worth. Given the small size of the code, there will be no performance impact
  • The spamspan utility function (which can be used by themes or modules to convert email addresses in text) now has an extra (optional) parameter, to allow settings to be passed. Please see the code for details.
  • The configuration options to specify class names have been removed. There really is no benefit in being able to specify class names, the code was complicated, the options were confusing to users and there was no straightforward way to port them to D7.

As usual, please report any bugs found.

The 7.x-1.2 branch lets you replace the dots as well as the @. There is a test page in the admin area to show you the defaults and a form for testing changes.

7.x-1.2 also has the start of a form link substitution, a much safer way to handle email. In the long term, Spamspan should be converted to reuse code from the Email field module.

Project Information

Downloads