Question regarding the Antispam plugin

I have installed and am testing the Antispam plugin.

I’ve added a link to the page like this:
Email Us

When you hover over it you can see the email address; likewise when you Inspect the page with developer tools.

I thought this plugin would “hide” the email address from the user? Or am I misunderstanding what it does?

What’s the syntax for adding a “mailto” link that would hide the actual email address?


Hi @jmsstuff , I’ve not used that one but I’ve had great success with the SafeMail Shortcode for this situation:

@jmsstuff, The plugin seems to be working fine in my installation.

I thought this plugin would “hide” the email address from the user? Or am I misunderstanding what it does?

This kind of plugins try to hide the email address from bots/crawlers, not from the user.

How does it work?
The plugin replaces the email address with some javascript which injects the email address into the DOM of the page when run inside a browser.

Which means:

  • Bots that crawl the bare HTML code of the page will not be able to see the email address. They will only see the javascript code.
    Try to right-click the page and choose ‘View page source’. You will not find the email address, but only javascript.
  • When the bare HTML is parsed inside a browser which has javascript turned on, the email address is injected and becomes visible.
    That means that hovering over it will reveal the address and the devtools will show it too.

As a side note:
The Shortcode plugin mentioned by @paulhibbitts, works in a different way. When it finds an email address marked with a shortcode, it replaces the individual characters of the email address with HTML entities in the generated HTML. The browser in turn shows entities as plain (readable) text without the need of javascript.
HTML entities could easily be reversed to plain text by a bot which is a bit more cleaver.

Apart from other differences, from the perspective of a page author, the disadvantage of the Shortcode plugin is that you have to mark an email address in the page manually: [safe-email][/safe-email]. The Antispam plugin automatically searches for email addresses in the page.

Try checking the source itself (Ctrl + U on Chrome) and you will see the difference :wink:

Thank you, I didn’t know about the shortcodes! I’m trying to use the safe-mail shortcode in combination with the mailto, but unfortunately, it’s not working how I want. When you click on the link, it opens my email client but doesn’t decrypt the email address to send to. Makes sense but I’ll need to try something else. Appreciate your help.

Thanks for the explanations, still learning Grav (slowly but surely)…

My end goal is to reduce spam, so I was going to use a mailto link but was hoping to hide the email address it should send to.

I had created a contact form with 2 honeypot fields and a “math check” field, hoping that bots will not answer correctly. I also have the DNS Blacklist plugin enabled, but I’m still getting spam that looks like this:

Name: TrcMokCAzNqanex
Message: CfPBvaIwiyd
What is five times four?: 20

Given the random characters, it seems like automated spam. Unsure how to stop them.

Sorry @jmsstuff , I don’t have any experience with using Grav forms.

@jmsstuff, If fighting spam would be easy, it would have been solved…

You can protect your contact form as much as you like (and you should), but:

  • There are humans trying to make a living by entering forms.
  • Any script can bypass your form and submit a POST request straight to your site.
    E.g a simple Unix bash script:
    curl -X POST \
       -F 'name=TrcMokCAzNqanex' \
       -F '' \
       -F 'message=CfPBvaIwiyd' \

When the first line of defense gets passed, you will need to filter the POST at server side:

  • Check the honeypot
  • Check if IP address is blacklisted (that’s what DNS Blacklist plugin does)
  • Check if name is blacklisted
  • Check if email address is blacklisted
  • Check for spam words in message
  • Check for URLs in message
  • Check …
  • And still you will get spam sooner or later…

Btw. Stop Forum Spam offers a free API that can be embedded in a plugin, to check if IP, username and email address are known to be used by spammers.