Email Obfuscation Techniques

Email obfuscation techniques are used to hide email address from spammers. They're used to show email addresses in web pages without the risk of exposing them to spam bots which constantly crawl the web harvesting for them.

In this article, I'll describe 3 techniques I've used to obfuscate email address.

1. Obfuscating the HTML code

This one consists in writing the email using HTML entities and (optionally) <span> tags. For example, if you want to to display the email "user@example.com" you would insert some code like this:

<span>u</span><span>s</span><span>e</span>
<span>r</span><span>@</span><span>e</span>
<span>x</span><span>a</span><span>m</span>
<span>p</span><span>l</span><span>e</span>
<span>.</span><span>c</span><span>o</span>
<span>&#109</span>

The <span> tags are optional but add an extra layer of complexity for spam bots trying to discover email address inside the page code. The advantages of this method is that the email is displayed seamlessly, in the same font as the rest of the text. However this is not a very effective method since most bots do automatic HTML entities translation on the fly removing <span> tags and HTML entities.

2. Using server side code

This one consists in using a server-side script (such as PHP) for generating an image containing the email that you want to display. This is the technique I use in my company website and is much more effective than the first one, although it doesn't display the email in the native page font, so the email will look more or less awkward depending on how different are the server font from the client browser font.

So, instead of inserting the email you would insert something like:

<img src="http://insophia.com/email.php?u=prh" />

Here is the source code of ths script I use in insophia.com (written in PHP using the GD imaging library).

As you can see, the email is not contained in the code at all since the script already knows the domain and automatically adds it. That's what makes this method so effective.

3. Using client-side (javascript) code

Finally, you can use Javascript (client side) code like the one I use in my personal contact page.

For example, if you want to display the email "user@example.com" you would insert a piece of code like this in your HTML:

<script language="javascript" type="text/javascript">
var part1 = "user";
var part2 = "example.com";
document.write(part1 + '@' + part2)
</script>

This technique is also very effective. It requires the browser to be Javascript enabled but that's probably a safe assumption these days, since most web pages requires JS to run.

6 responses

About the first one, you could include extra weird characters between span tags, such as "ñ" (ñ) or "¿" (¿) with the attribute "display: hidden;", so when the bot removes the span tags will get an invalid e-mail address.

— Tux_Paranoid

Yeah, that's a good idea. Actually, that's a whole different technique (using display: hidden CSS tags) which doesn't depend on any of the 3 techniques mentioned in the article.

— Pablo

I would have mentioned the image alternative. Printing the email address into an image, and inserting it in the page. It's principal disadvantage is that you can't copy and paste it... but it's easy and (probably the most) effective against bots.

— matias

Is it presenting the email as an image really that effective? I have the idea that bots can parse images and extract texts from it, as they do with captchas.

I also would like to add something I've discussed with Pablo. All of these ideas attacks the harvest of emails, but conspire against accessibility. My idea to reduce the negative impact is adding a link to a sound file next to the email, then convert the email into speech with festival and send it to the browser.

Matias, the second method uses (dynamically generated) images.

yo genero imagenes dinamicamente con PHP y listo

— Traductor

Pablo Hoffman

Software Engineer & Startup Founder

Email Obfuscation Techniques