I'm not worried about the email address being in the open, but my original contact page form was getting hundreds (thousands?) of spam submissions a day until I implemented some simple javascript 'traps' to filter out the bots.
I've still not worked out why a bot wants to fill in a contact form with spam anyway; seems like a real waste of time.
Bots will put something in the field but humans should never see it, so if the server sees anything in there it can safely toss the whole thing.
But other than that, I agree that this is extremely effective against the common sort of drive-by spam bot. (And, obviously, completely useless against any sort of advanced or targeted attack.)
As many have asked, at least for now there's no real spam protection. Asking you to confirm email for every email/referer pair prevents me from adding your email to a zillion sites (although confirmations could also get annoying at that point :) and spamming, but of course that still doesn't prevent bots from filling out your form.
I think in a way it's a tradeoff between ease of use, both for you and the visitor. Alternatively we could do a heavier registration process and/or let you configure something running on our server, but then setting things up wouldn't be as easy and you might as well just run your own backend. For the visitors, forms provide an easier (than, say, just email) way to reach out. I guess the question is, do you prefer false positives (spam) or false negatives (folks not reaching out) :)
Regarding having clear text emails in the source, I'd argue (based on nothing but anecdotes) it doesn't matter much. As throwawaymsft said elsewhere, bots are pretty good at figuring out what "you (at) email (dot) com" means, so in most cases you'd be getting much spam anyway. We considered a token-based approach instead, but decided to go all-in for simplicity. Also, since we're using forms anyway, they're a more likely source of spam than some bot crawling just for addresses.
I think you can give the user the option to specify the email hash (MD5, maybe) instead of the clear text email.
so either:
<form action="//api.formspree.com/user@example.com">
OR
<form action="//api.formspree.com/b58996c504c5638798eb6b511e6f49af">
You can provide the user a small tool to generate the email hash.
Good luck
This is so seemingly simple but so useful, thanks a lot!
EDIT thanks for explaining, all! :)
On http://www.formspree.com/ at section 1, they say to use "http://api.formspree.com/your@email.com" while it should be "//api.formspree.com/your@email.com".
I just set up a Jekyll site with links to youtube and disqus. Quite important or it won't work.
1. Enter your e-mail address. Click next.
2. Copy the generated code, //api.formspree.com/Kn2JanlPkZ into your form as the action. Obviously this code and e-mail combination is then stored in the Formspree database.
Edit: Ah, you mean that formspree should allow site owners to create accounts. Carry on.
The UX for the user is the same if Formspree were to just generate a random token and store it in their DB mapping it to an email, but this way Formspree doesn't need to store anything in their DB.
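The two ways of naming the endpoint discussed above (an MD5 of the address, as suggested a few comments up, versus a random token looked up in a table, as in the generated-code walkthrough), as an added example that is not code from the thread or from Formspree. `FormEndpointRegistry`, `action_url` and the registered address are constructed for this example; the commenter's hash `b58996c504c5638798eb6b511e6f49af` is what the hash function below produces for `user@example.com`.

```python
import hashlib
import secrets
from typing import Dict, Optional

API_BASE = "//api.formspree.com/"  # protocol-relative, as the thread recommends


def normalize_email(email: str) -> str:
    """Trim and lowercase so 'User@Example.com ' and 'user@example.com' hash alike."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """MD5 hex digest of the normalized address: the 'small tool' a site owner would run."""
    return hashlib.md5(normalize_email(email).encode("utf-8")).hexdigest()


def random_token(nbytes: int = 8) -> str:
    """Opaque endpoint id that carries no information about the address."""
    return secrets.token_urlsafe(nbytes)


def action_url(endpoint_id: str) -> str:
    return API_BASE + endpoint_id


class FormEndpointRegistry:
    """Constructed stand-in (hypothetical) for the service's table of confirmed addresses."""

    def __init__(self) -> None:
        self._confirmed: Dict[str, str] = {}  # md5 -> address
        self._tokens: Dict[str, str] = {}     # random token -> address

    def register(self, email: str) -> str:
        """Record a confirmed address. Nothing beyond the address itself is stored,
        since the hash can be recomputed; returns the hash form of the endpoint id."""
        e = normalize_email(email)
        h = email_hash(e)
        self._confirmed[h] = e
        return h

    def issue_token(self, email: str) -> str:
        """Token variant: the service must persist the token -> address mapping."""
        e = normalize_email(email)
        if email_hash(e) not in self._confirmed:
            raise ValueError("address not confirmed")
        t = random_token()
        self._tokens[t] = e
        return t

    def resolve(self, endpoint_id: str) -> Optional[str]:
        """Map the path component of a form action URL back to a confirmed address.
        Accepts a token, an MD5 hash, or the plain address; unknown ids resolve to None."""
        if endpoint_id in self._tokens:
            return self._tokens[endpoint_id]
        if endpoint_id in self._confirmed:
            return self._confirmed[endpoint_id]
        plain = normalize_email(endpoint_id)
        if email_hash(plain) in self._confirmed:
            return plain
        return None


if __name__ == "__main__":
    reg = FormEndpointRegistry()
    h = reg.register("user@example.com")
    t = reg.issue_token("user@example.com")
    for endpoint in ("user@example.com", h, t):
        print(f'<form action="{action_url(endpoint)}">  ->  {reg.resolve(endpoint)}')
```

The hash form keeps the service stateless beyond its list of confirmed addresses, but an MD5 of a guessable address (the firstname@domain patterns mentioned further down) is recovered by hashing guesses, so it only hides the address from crawlers that don't try; the random token hides it from everyone at the cost of a stored mapping.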
Edit: http://www.formmail.com/ still seems to be going, in fact.
<form action="mailto:my@email.com" method=post enctype="text/plain"> ... </form>
This doesn't leave your email in the HTML and we also do spam filtering on the form submissions (get a bit of traffic and your contact form will get a lot of spam).
(or, better asked: what is the problem these solutions solve?)
1. speed - you can't beat optimized static sites hosted on a CDN. In part I suppose the increased focus on speed is driven by mobile traffic.
2. Github - front-end developers have now gotten really used to having everything under version control. Dumping the most important content into an unversioned database just doesn't feel as good as having everything as Markdown in Github.
3. Jekyll - or rather build tools and static site generators in general. The combination of GitHub and Jekyll and flagship projects such as the Obama Campaign platform [1] definitely played an essential role in the growth of static site generators we're seeing now.
Our clients range from beginners launching their very first HTML site, through agencies with really cool flows built around Middleman/GitHub/Draft/similar services, to companies that are integrating site publishing into their products in various forms.
One of the cool examples is a startup doing a site builder for progressive candidates running for national campaigns. They use our API to handle the publishing, and use our form feature for gathering volunteer submissions and contact mails.
In general I think publishing a website with a form on it, is one of the most basic features of the web. Making it faster, easier and better is a pretty obvious plus for a lot of people.
[1] http://kylerush.net/blog/meet-the-obama-campaigns-250-millio...
Basically, I build static sites for some small businesses in the area. They want to be able to choose where everything goes, to the pixel, so it's easiest to work with just html and css. Then I can upload to BitBalloon and everything works exactly as it did on my laptop. Forms work, everything gets optimized, and setting up my own domains is super simple. And it's cheap.
I could use S3 or something else, and it would be cheaper, but deploying in a half second really is useful. Everything is done right with no effort on my part other than building the site itself.
I also built a site just for fun and host it there. 750,000 page views in the last couple weeks, didn't worry for a second. http://gallerrit.com/ It has also been very easy to push updated versions with no down time.
EDIT: Okay, I missed the part where the email must be registered with them. Assuming no one is interested in spamming with the confirmation email, which seems fair.
For geeks: could not find "Referrer" header.
Apparently the problem is just sending a request https->http. https->https should work fine. Adding SSL asap.
EDIT: now you can also use https://api.formspree.com/your@email.com
Maybe later when you have a real problem, fix it then. Let's cross bridges when we come to the river, that way we'll all have much simpler code!
With a general purpose email, you don't get that.
firstname@domain.com firstletterlastname@domain.com Firstname.lastname@gmail.com
Look, spam happens (unless you obfuscate your address to be unmemorable or unprofessional). Modern email filters are pretty good.
http://regretless.com/scripts/scripts.php#dodosmail
I'm surprised this is being touted as such a new idea, but I guess with static sites making a comeback, it was inevitable.
This seems like a good introductory project for any web framework.
When I really sit down to learn node, I think I'll try to make something like this starting out.
Or expose an API for a CSV download, or a data feed, or something.
This project looks interesting because there is no need to register, unlike SimpleForm.
That is all. Thank you.
Also, the contact form at the bottom of the page uses the API :)