Stopping Spammers From Getting Your Email Address

This article was originally written for ArrowQuick Solutions, a technology consultancy for small businesses.

Posted on November 23, 2010

Your website probably has email addresses listed somewhere on it — if you’d like to have customers contact you, at least. Unfortunately, spammers can find these email addresses and add them to their spam lists. How can we stop spammers from getting their hands on these addresses?


Obviously, the best way to prevent spammers from gathering email addresses is to not publish the email addresses at all. Using a simple form-to-email script can effectively hide the recipient’s email address.

A sample Contact Us form.

A sample Contact Us form.

Forms are good if you need specific information from the user, but as an email link replacement they have a few problems: they are generally less friendly than email, and they have their own spam problem.


A better method is to mask the text of the email address so that the spam bots don’t recognize them. Here are some methods that can be used.


An email address embedded in an image.

This email address is actually an image.

One method is to replace the text of the email address with an image. Spambots aren’t able to read the text inside an image, while humans can easily.

Downside: You can’t include the email address in the code, so you can’t link the image to the email address — users will have to manually type the email address (which may cause frustration or confusion). You also can’t provide a text alternative for search engines or blind users.

X at X dot com

Rather than use the normal email address, you could use a format that mimics natural language. For example, write out “info [at] arrowquick [dot] com” or some variation. Humans can (usually) read it, but bots won’t recognize that it represents an email address.

Example webpage with emails obfuscated.

This website uses "X at X dot com" obfuscation for user comments.

Like image obfuscation, you can’t make the email address clickable, but at least it is available in text form so blind users can read it. If your audience is fairly tech savvy, then this is a no-hassle way to prevent spam.

Javascript Obfuscation

As the name suggests, this method uses Javascript code to obfuscate the email address. Actually, it’s the other way around: Javascript is used to print the email address or clarify it.

Example of Javascript code to generate an email link.

Example of Javascript code to generate an email link.

The email address and link will appear normal to users that have Javascript turned on. There is still the small percentage of those without Javascript (or who choose to disable it) that won’t see anything, which usually includes blind users.

Unicode Obfuscation

Unicode obfuscation takes a different tack from Javascript obfuscation. Rather than using scripting,  this method uses alternate encodings of some or all of the characters in the email address.

HTML allows us to use the numeric code for characters. Usually this is used for special characters that aren’t easily typed — for example, “—” represents a dash. But you can use the numeric version for any character, and naïve spambots won’t bother to decode them. Best of all, it’s supported by all browsers and is completely transparent to users.

For example, here is ArrowQuick’s main email address using Unicode obfuscation for the link:

<a href="&#109;&#97;i&#108;&#116;o:i&#110;fo&#64;&#97;rr&#111;w&#113;uick.&#99;om">email us</a>

Because this method has no downsides, it’s my favorite. Is it effective? It seems so.


“CAPTCHA” stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. What this method does is present the user with a challenge question that can only be answered by a human.

Usually this takes the form of letters, words, and/or numbers that the user must key in to continue.’s MailHide provides one of the better implementations; in addition to making it hard for spambots to crack it, users effectively digitize books at the same time. Good CAPTCHAs will also provide an alternative challenge for blind users (such as an audio challenge).

A ReCAPTCHA MailHide example.

A ReCAPTCHA MailHide example.

Unfortunately, although CAPTCHAs are pretty effective at stopping spam, they are pretty annoying to users. Adding extra hoops for users to jump through is always something you want to avoid, and sometimes the challenge question is ambiguous. Hosted services like MailHide also take the user away from your website briefly.


No obfuscation method is foolproof. It will never be perfect; there is a constant “arms race” between spammers and the rest of us. Even if we are successful blocking the spambots, the spammers could still hire cheap human labor to collect or parse the email addresses.

As web developers, we always strive to prevent our customers’ email addresses from getting collected by spambots. Whether it’s part of the design or the content in the site, an email address can be protected. All of these methods mentioned above can be manually implemented for each email address, or, if you are using content management software, can automatically protect you.

Leave a Reply