5 Ways to Obscure your Email Address

Do you own a blog, maintain a website, participate in a forum, or are your contact details listed on your company’s website? If so, your email address probably appears in several different places on the web, ripe for the picking.

One way spammers generate email lists is to harvest email addresses off of websites. Far too often, we make it easy for them by simply rendering our email address in ASCII text, or in an easy to use link format. We are trying to make it easy for our readers to contact us, but we’re making it easy for spammers to find us too.

Whether your email address appears on your website, is listed on a contact list posted online, or is part of your identity on forums or social networking sites, if it appears as text that a bot or spider can read, it is going to make it onto a list… probably several, in fact. In this post, we will show you how to present your email address five different ways, so that humans you want to hear from can easily contact you, but spammers will be left out in the cold.

1. Simple substitution

This old school trick is better suited for forums as opposed to rendering an email address anyone can use, as it will not be clickable, and the human will have to figure out what to remove/change in order to send you an email. Spell out the punctuation, or add components that a user will realize need to be deleted to render your actual email address. Here are two ways you could do this – userATexampleDOTcom or user@REMOVEexample.com.

2. Metacharacter substitution

This improvement on substitution replaces the @ and the . with their HTML codes, &#64 and &#46. In a browser, a human won’t know the difference and the link will be clickable, but spiders crawling your site are often simple enough to be fooled by this trick. Here’s what it should look like

3. Encode an href using HTML codes

Using the free email encoder at Web Designz you can convert your ASCII email address into HTML codes. An email user@example.com with a text display “email me” becomes  a string of HTML characters. When input into the html of a page, it’s clickable and renders in a browser just fine.

4. Encode an href using Javascript

You can embed your email address in a clickable link using Javascript. You can visit the Project Honeypot site for a form you can fill out to generate the Javascript for you, but the general format is fairly easy to follow. It breaks your email address up into four sections, creates an array populated with the pieces in reverse, and then concatenates the pieces in the proper order.
<script type='text/javascript'>var a = new Array('m','le.co','examp','user@');document.write
("<a href='mailto:"+a[3]+a[2]+a[1]+a[0]+"'>"+a[3]+a[2]+a[1]+a[0]+"</a>");</script>

As long as the user has not disabled Javascript in their browser, this works for them quite nicely. You may want to add this string
<img src="image_of_your_email.gif"></noscript>
and use an image file for users who disable Javascript. It won’t be clickable to them, but they will be able to read it and spiders won’t.

5. Contact Forms

If you are running a site of your own, or if one user of a multiuser site doesn’t mind playing postmaster, use a contact form and let your server send the email on behalf of the visitor. When combined with Akismet, this provides a very effective guard against spam, while still enabling visitors to get in touch with you. This is one of the best ways, as there is no way for anyone to derive your email address from the form, makes it easy for users to contact you, and can be used in conjunction with captchas and Akismet for even more protection.

So with these five different ways to obscure your email address, you have several choices for how to protect your inbox from spam, while still being reachable by your readers.

Which do you prefer, or what other methods do you use to hide your email address while still being available to your readers?

Written by Ed Fisher

An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together,) I’ve been getting my geek on full-time since 1993, and have worked with information technology in some capacity since 1986. Stated simply, if you need to get information securely from a to b, I’m your guy. I’m like "The Transporter," but for data, and without the car. And with a little more hair.


  1. Robert · February 5, 2011

    I dounbt 1 and 2 are very effective. The same people who are “smart” enough to send out billions of emails certainly can handle a little character checking and substitution when they are slurping up email addresses.

  2. Ian W. Rudge · February 14, 2011

    Metacharacters, hex or octal are definitely not effective. A client suffered an inundation of spam after a new website was commissioned with just such ‘protection.’

    There is, after all, a php function which will decode such encodings with a single program statememt.

    Simple substitution may be moderately effective provided the inserted text does not become standardized and predictable. I can forsee, though, that any string of characters of the form @CAPITALS or CAPITALS@ could be assumed to be an anti-harvesting measure and replaced, it being extremely unlikely to find such a string in a real address.

    Substituting the ‘@’ symbol, and not using ‘mailto’ constructs would seem to be the most effective items of this kind, since most ‘bots would be completely unable to locate an email address in a page if neither of these telltales was present.

  3. Jen Williams · February 16, 2011

    I also use 1 most because it is simple to apply and not a burden for the user – at least a moderately intelligent one. :) I have seen some sites use images for email addresses – i.e. instead of typing text, they place a picture. The result is that spambots completely ignore it, while users can read it without a problem. Well, it is not possible to copy the email address, you need to type it into the mail program, which isn’t very convenient, especially if the address is a long one but still it is one more approach to obscure an email address.

  4. Ed Fisher · February 17, 2011

    Hi Robert,
    You’re right. I should have made more clear that I was listing them from least to most effective. Simple substitution is still better than nothing though, and eases the burder on end users who want to send email, or those who don’t have another way to encode, such as when commenting in forums that won’t allow you to HTML or scripting languages.

  5. Ed Fisher · February 17, 2011

    Hi Ian,
    The only issue I see is balancing the ‘hiding from bots’ with the ‘target audience can figure it out.’ A technical blog like this one would be able to sub almost anything in and the majority of readers would be okay. A restaurant would have to opt for something much more obvious to ensure non-technical users ‘get it.’

  6. Ed Fisher · February 17, 2011

    You’re right on the point I tried to make with my other responses…#1 may be the easier to defeat, but it is also the easiest for non-technical users (potential customers) to use. If someone might want to give me money, I want to make it as easy for them to do so as I can. If that means I need to manually weed out a little spam, or have a better spam filter on the front end, that’s just a cost of doing business in my book.

Leave A Reply