Nine ways to obfuscate e-mail addresses compared

When displaying an e-mail address on a website you obviously want to obfuscate it to avoid it getting harvested by spammers. But which obfuscation method is the best one? I drove a test to find out. Here are the results:

In 2006 I opened nine different e-mail addresses. On this page I published the nine e-mail addresses. But every address has been obfuscated by a different method. I made sure it’s getting indexed by Google by putting a link to that page on the tilllate.com homepage.

Then I waited 1.5 years (see the original post).

For each e-mail address I counted the amount of spam I received. The amount of spam received started by 21MB (for no obfuscation and a total of over 1800 spam mails) and went down to absolutely no spam.

The following three methods are absolutely rock-solid and keep your addresses safe from the harvesters.

1. Changing the code direction with CSS

Here’s how you do it:

<style type="text/css">
span.codedirection { unicode-bidi:bidi-override; direction: rtl; }
</style>
<p><span class="codedirection">moc.etalllit@7raboofnavlis</span></p>

2. Using CSS display:none

<style type="text/css">
p span.displaynone { display:none; }
</style>
<p>silvanfoobar8@<span class="displaynone">null</span>tilllate.com</p>

3. ROT13 Encryption

ROT13 encode the e-mail address with this tool or use the str_rot13 function of PHP and decode it via Javascript.

<script type="text/javascript">
document.write("<n uers=\"znvygb:fvyinasbbone10@gvyyyngr.pbz\" ery=\"absbyybj\">".replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);}));
</script>silvanfoobar's Mail</a>

Thanks, Christoph Burgdorfer for this idea.

This entry was posted in PHP, Web Development and tagged , . Bookmark the permalink.

128 Responses to Nine ways to obfuscate e-mail addresses compared

  1. Patrice says:

    Really like options 1 and 2. A lot nicer than option 3 (which we use on local.ch). Thx a lot for that research!

  2. Patrice says:

    Thinking again I just realized that only option 3 works when you want the mail address to be clickable (aka mailto: links)

  3. Murphy says:

    Thank you!

    I read a ton, and that’s one of the most useful things I’ve read in a while.

  4. Mgccl says:

    Good work…

    Well now you mentioned it…
    if a spammer saw this… what’s gona happen next.

  5. vahur says:

    Spiders will be smarter and i think that its not hard to teach the spiders how to handle those kind of email obfuscation methods.
    Btw, i am still using automatically generated gif files for displaying emails.

  6. Pingback: Thomas Kahl persönlicher Blog » Emailadresse anzeigen und Spam verhindern

  7. James says:

    I use the display:none method myself. Never actually done any testing just though that a spammer (If using something like php) would just do strip_tags(file_get_contents($url)) then a regex for emails. Hope they don’t cotten on, ooops have I just told them? Quick delete this post!

  8. Thomas Jespersen says:

    Offcourse you might wonder if those vermin will now read this blog and learn to bypass your ideas.

  9. David says:

    Java, eh?

  10. rjleaman says:

    Now, this was a worthwhile project! I think this is the first time I’ve come across the CSS methods, but I know it’s certainly the first encounter with stats from such a longterm email obfuscation experiment. Thanks so much for sharing this information!

  11. mik says:

    methods 1 and 2 don’t work if you need to wrap a mailto link around them, and method 3 doesn’t work with javascript turned off.
    i’ve found using a combination of url encoded characters and normal characters works pretty well, but like all these methods, isn’t foolproof.

  12. ninguem says:

    What about a gif image with your email in it? You can’t make it clickable but it conveys the right information otherwise.

  13. Pingback: michaelwales.com » Email Obfuscation

  14. Joe says:

    Who cares? This is the same type of race as CAPTCHA and spam. One hack on top of another until someone realizes that the fundamental issue is this: if you make an email address in any way accessible to a human, spammers will be able to mock whatever action the human did to interpret it.

    And we’re talking about text! If I see the first four characters are “moc.” then I know I should probably reverse it and store both values, just to be safe. And if I see asdf@…example.com — I’m probably already stripping any HTML between the @ and the end. Add a hook to automatically click the email links and run them through an RE to see if it’s an email — and all three solutions are trivially broken.

    @ninguem — Then you start fighting the CAPTCHA fight. Eventually you have to ask yourself whether the amount of engineering it takes to safely display email addresses is worth showing the email. For most situations, I’d venture to guess the answer is no.

  15. Pingback: 9 metodi per offuscare gli indirizzi mail / Melodycode.com - Life is a flash

  16. Felipe says:

    Too bad the display:none method adds garbage to the e-mail when the user copy&paste it, and such differences will be very hard for the user to notice, so you will sure miss some legit e-mail too.

    consider the result: silvanfoobar8@nulltilllate.com
    the user will very likely not see anything wrong there, and this is a problem considering that this method doesn’t allow the mailto: link.

  17. laurentj says:

    CSS methods are really bad. First, it doesn’t work if you want to add a link on them. Second, because there isn’t a link, the user have to select the text to copy the email. But the copied text is not the one he see.

    In term of accessibility, this is really bad too.

  18. Pingback: roScripts - Webmaster resources and websites

  19. Lachlan says:

    The third method is actually my favourite. As, unlike the first two, it works across all browsers. In the even it doesn’t work, you can just direct to user to a holding page with the correct email and explain why they were directed there.

    Just a correction, you wrote “Java”, its actually “JavaScript”. Two vastly different languages.

  20. Pingback: FuzzLinks.com » techblog.tilllate.com » Nine ways to obfuscate e-mail addresses compared

  21. Binny V A says:

    I use the first method in most of my sites. I cannot understand why people use simple encryption for emails – its easy to decrypt the email address using a regular expression.

  22. Pingback: Emailadressen auf Webseiten codieren | Technik, Gothic und Anderes

  23. I like #1 – actually rather shocked that it works!

    Why not use jQuery or some other JS framework to make those links clickable? Wouldn’t be hard to do at all.

  24. Benjamin Meyer says:

    document.write(” fcna.pbqrqverpgvba { havpbqr-ovqv:ovqv-bireevqr; qverpgvba: egy; } fcna.qvfcynlabar { qvfcynl:abar; } zbp.eno@ahyybbs”.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c=(c=c.charCodeAt(0)+13)?c:c-26);}));var x = (document.getElementById(’emailid’)); x.href = “mailto:” + x.text.split(“”).reverse().join(“”);

  25. This ought to make #1 clickable (using jQuery):


    $(document).ready = function() {

    $('span.codedirection').each(function(){
    var email = $(this).html();
    $(this).html('<a href="mailto:'+email+'" rel="nofollow">'+email+'</a>');
    });

    };

  26. Well, it looks like WP garbled up my code, but you can “view source” to see it.

  27. Pingback: Quelle est la meilleure façon de cacher un email pour éviter le SPAM | Korben

  28. Pingback: Блогът на Линковете - Защитаване на публикуваните е-майл адреси от спам

  29. Lars Gunther says:

    a. It takes patience to conduct a test like this! Impressive.

    b. Have you tested your methods with screen readers?

    c. Your code for method 3 is one ugly example of obtrusive JavaScript. How about a best practice alternative?

  30. Me says:

    I always thought spammers would already be operating firefox, output sites as screenshots and apply OCR techniques on the returned screenshots.

  31. Thanks for all your comments!

    I’d like to point out that I did not invent those methods. I just collected them.

    After reading your comments I think you ought to think on what site you’d like to include the e-mail address. As always there’s more than one solution.

    – Should it work without Javascript? Then #3 is a bad idea.
    – Should the site remain accessible? Then I would go for something like “foo AT bar DOT com”
    – Should it look nice? Then avoid the method I just mentioned.
    – Want to avoid the problem completely? Use a feedback form. 🙂

    I think every developer has it’s own preferences…

    Silvan

    PS: Next time I should also include the method using an image which I used here.

  32. Ian Clifton says:

    This is definitely the first long-term study I’ve seen on email obfuscation, nice work!

    I wonder if the “foo AT bar DOT com” method would be relatively foolproof if you wrapped a span around the “AT” and “DOT” (it could color them differently or do nothing at all). It would require a relatively tasking regex and I suspect most spammers would go for the easier addresses.

  33. Pingback: Ocultar las direcciones de email a los bot spammers | eleZeta - Lucas Zallio

  34. Hay says:

    In my opinion, all methods that uses some kind of CSS / JavaScript / client-side hack to make the e-mail unreadable for spambots are bad because they will affect usability as well. As said before in these comments, the two CSS hacks will cripple copy-pasting the links (which is something people tend to do a lot), and the JavaScript hack will not work with people who disabled JavaScript or use screen readers.

    The best way to handle spam is not to do it client-side at all: simply use a good spam filter on your mail server. The same is true for the CAPTCHA i had to fill in to post this comment. I’ve been using Akismet for years on my blog to prevent spam comments and maybe had about 10 spam comments in all that time.

    If for some reason you really, absolutely have to use a client-side method, the least worst solution is a contact form.

  35. mort says:

    I often wonder if spammers just publish articles like this so webmasters use the methods they already know how to break.

  36. Pingback: Three Best Ways To Obfuscate Email Addresses | Hackosis

  37. I personally think the CSS method is the best in most cases. A lot of people have JavaScript turned off, albeit a small number though. These methods can all be broken, no method is fool proof. I’m a fan of the JavaScript rot_13 encryption approach.

    – Dwayne.

  38. Hiding e-mail addresses is great, but I find that even if an address isn’t published, it can still get spam. Once it’s used to send/respond to e-mails, it is exposed to any spyware that the recipient has. I have e-mail addresses that I never posted on a web site and they get a lot of spam.

  39. Alex says:

    Excellent tips here, Silvan.

  40. Pingback: Webmaster Tools: keeping spam down at Just a Blog Site

  41. I use a rather bullet-proof method, but it requires Javascript. See: http://www.bronze-age.com/nospam/

  42. Mohammad says:

    Very nice, Thank you.

  43. Ryan says:

    I read a lot of blogs daily in my downtime, and this is by far the most useful (and shortest) article I have read in 2 weeks. Thanks for an excellent article.

    I stumbled on your web site today Silvan, and I’ve now bookmarked it.

  44. David Mills says:

    You can, of course, obfuscate it so well that no one will bother to try to contact you but your ex-wife, looking for alimony.

    Ever try just not putting it on the page at all?

  45. Thanks for all the positive feedback! I am overwhelmed!

  46. I think it would have been really more interesting to test that with clickable addresses. Display an e-mail this way is to poor to be use on websites.

    And even more important, the first reason for receiving spam is that your e-mail address is in the contacts of a PC infected by virus sending addresses to spammers. So your solutions only work for a never used e-mail.

    It’s probably the best “state of art” or “proof-of-concept” I’ve read but it’s not for real life. The only solutions are a contact form on the website and/or spam filter (or grey list) on the mail server.

  47. Pingback: Impressum? | kip's weblog

  48. Pingback: 9 méthodes pour protéger les adresses emails en ligne

  49. Pingback: Pages tagged "email"

  50. Pingback: hype.yeebase.com

  51. Pingback: This Weeks Top 5 Links | devjargon

  52. Pingback: …weil ich CiT bin! » Langzeitstudie zur Spam-Abwehr

  53. Robert says:

    My foolproof solution is to have a special email.php?addr=
    with the addr encoded using one of the many crypt functions in php. The email.php page sends the browser a cookie and redirects to itself, and if it gets the cookie back, the email address is presented.

  54. Pingback: How to hide your email address from spammers - Graphic Design Forum and Web Design Forum

  55. Pingback: Netzbürger Brenrhad

  56. Pingback: Web Dev Bros » Blog Archive » Methods for hiding/obfuscating emails in your website

  57. Pingback: Relativ wirksamer Spam-Schutz - Netzlogbuch

  58. Pingback: EGM Weblog » Spam-Schutz für E-Mail-Adressen

  59. Pingback: PHP Blogger: Email-Adressen effektiv verschlüsseln - Ein PHP Blog auf deutsch

  60. Pingback: Welcome to my world! » Blog Archive » Convert email addresses in source HTML to images without modifying the source?

  61. William says:

    I really like this study – it was extremely informative. I would have liked to see more data about email addresses in the form of images. I’ve just developed a new technique to have Apache webserver automatically convert all email addresses in HTML source into images in the output stream. It is all seemless and on-the-fly, and all without touching the source format in any way. I’ve written a proof-of-concept /w example on my blog.

  62. Daira S. says:

    Very good article! Must read!

    How about this sophisticated method described in:
    http://www.maurits.vdschee.nl/php_hide_email/
    Is it safe?

    Good luck!

    Daira

  63. Pingback: 9 Techniken um E-Mail-Adressen gegenüber Adresssammlern zu verschleiern im Vergleich « Kreativrauschen

  64. Pingback: Mailadresse verschleifern

  65. Pingback: Accomplishing Accessible Email Obfuscation | .eduGuru

  66. Pingback: Dev, Linux, Tech and Co » Affichez vos emails tout en évitant le spam !

  67. Pingback: E-Mail in Javascript verstecken? - XHTMLforum

  68. Pingback: Two easy ways of obfuscating your email address with CSS | AI NO TENSHi

  69. Pingback: E-mail-Adress-Obfuscation und Spam - XHTMLforum

  70. tekkie says:

    JavaScript method is surely the most convenient and bulletproof option available to obfuscate your email.

    For Mac OS X users there’s a Dashboard widget called obfuscatr. It provides JavaScript or just plain hexadecimal encoding (basically urlencode, not as effective as JavaScript, also confirmed by the above chart) of your email addy.
    See the details at flash tekkie.

    obfuscatr was also featured in MacWorld Italy of March 2008.

  71. Andreas says:

    A while ago, I was thinking about this, too. In my case, I came up with a method similar to #3 (same method of obfuscation, but instead of ROT13, I used a simple algorithm that cannot be reversed with simple search&replace operations). I also created a test-page to see how much spam I get back with different obfuscation methods.

    http://zargony.com/2008/04/20/scramble-email-addresses-in-views-to-reduce-spam

    That time, I wanted to compare the standard email address obfuscation methods included into Ruby on Rails with my JS idea. My (yet unpublished) results are that spammers were able to work around every method except the JS obfuscation I described in my blog. My test doesn’t cover the obfuscation by CSS (#1 and #2), since I didn’t know about it back then – so basically, my obfuscation tests can confirm your results.

  72. Bengo says:

    Your captcha keep erasing my messages, and I am through with you.

  73. Pingback: Thinkubator - A Thoughtprocess Interactive Blog » Blog Archive » Most effective ways to obfuscate email addresses

  74. Jose says:

    Great post! I have just released an open source component and on-line tool that creates obfuscated email addresses using these techniques.

    You can find it at http://liameobfuscator.blogspot.com.

  75. Pingback: How can I protect e-mail addresses on my website from being harvested by spammers? « Dodona gives you answers

  76. Ryan says:

    Method 3 didn’t work for me. I used the script you provided just to test it out and got: silvanfoobar’s Mail

    Does anyone know of another obfuscater that works pretty well and allows you to have a hyperlink?

  77. Ryan says:

    To elaborate, since it didn’t show in my post, the results were just a lot of spaces and diamond symbols containing a question mark in each of them, and a 10(at symbol) for the at.

  78. Pingback: Email Obfuscator Using HTML Numeric Character References, CSS, and JavaScript | Pixel Wise Design

  79. Excellent article. Unfortunately I have to work with an undocumented proprietary content management system written in ASP. I have come up with a simple email obfuscator based on numeric character references, JavaScript and CSS. Take a look at my blog post at pixelwisedesign.com/blog/?p=40 if you are in a similar situation and cannot utilize a server side language.

  80. Bryan says:

    install blowfish in pear and encrypt email address. This way they can be used in server-side contact forms.

  81. Scarf*oo says:

    Can’t believe the CSS techniques actually work in those cases!

  82. Pingback: 10 Essential Website Checks « Erich sieht

  83. Pingback: Obfuscate no more: why your email address should go au naturale - Jason Priem

  84. Pingback: Email-Adressen auf (Blog-)Webseiten anzeigen « Tag4Tag

  85. Pingback: Protecting Email Addresses Online | Larry Ullman's Blog

  86. Uno says:

    Very interesting indeed.

    Also, the contributions of alternative methods in the comments are worth a look.

  87. Pingback: E-Mail Schutz für WordPress (mit Plugin) - codeschnipsel, CSS, E-Mail, PHP, Plugin, Schutz, Spam, Wordpress - ocean90s weblog

  88. Pingback: 50 New CSS Techniques For Your Next Web Design - Programming Blog

  89. SImon says:

    One thing missed here is the right way to create an invalid domain that you can pass to the spammer.

    Say your domain is SOFT.com and so you redirect to NULLSOFT.com well the people who own that domain might not be pleased with the extra emails you just sent them!

    The right way to do this is: “SOFT.com.INVALID”

    Better still is to do both (just in case the spammer strips all occurences of .invalid)

    so you have “NULLSOFT.com.INVALID”

  90. Pingback: CSS Vault Blog » Blog Archive » 5 Great CSS Techniques To Improve Your Website

  91. Pingback: 50 New CSS Techniques For Your Next Web Design | Desinine

  92. Pingback: Sähköpostiosoitteen salaaminen boteilta « it.tassu.org

  93. SpamSpan says:

    I’ve being doing #2 for several years already + JS for nicer display. Have a look at spamspan.com

  94. Pingback: E-Mail Schutz für WordPress (mit Plugin) » codeschnipsel, CSS, E-Mail, PHP, Plugin, Schutz, Spam, Wordpress » ocean90s weblog

  95. Pingback: 50 New CSS Techniques For Your Next Web Design « Photoshop.vn – Your Design Resource

  96. Pingback: 5 Great CSS Techniques To Improve Your Website :: Graficznie

  97. Pingback: Sicherheit Email-Versand - SSL Zertifikate und PGP - Seite 2 - php.de

  98. Pingback: E-Mail Schutz für WordPress (mit Plugin) » Codeschnipsel, E-Mail, Schutz, Shortcode, Spam » ocean90s weblog

  99. Pingback: 5 Great CSS Techniques To Improve Your Website | CSS Heaven

  100. Angus S-F says:

    Saw this interesting article while pursuing some non-js, non-URL-encoded technique.

    Email Obfuscation Helps Spammers | typewriting
    “Google returns 27 million results for “* at * dot com”. That’s 27 million email addresses waiting to be spammed. Google doesn’t allow you to search for the “@” sign, so that’s 27 million email addresses that wouldn’t be available on Google if they were not obfuscated. Email obfuscation not only doesn’t hurt spammers — it actually helps them. Where it doesn’t make it easier, it acts as a placebo, making people feel more comfortable and complacent living in a world of spam. Like everything else, if you don’t want your email address publicly-available, don’t put it on the public web. But if we want to be able to publish email addresses on the web, we can’t continue this half-hearted war on spam, hiding under our beds of obfuscation and hoping they won’t find us.”
    http://typewriting.org/2006/06/19/Email_Obfuscation_Helps_Spammers/

  101. maxpower9000 says:

    Take a look at this jQuery approach:
    http://gelb3.de/blog/?p=44

  102. Pingback: email verschlüsseln --> ascii in unicode, frage zum script... - Seite 2 - php.de

  103. Pingback: 50 New CSS Techniques For Your Next Web Design | Theme Center

  104. Beegee says:

    I’ve developed a tool that does email obfuscation automatically. Not only that, it’s totally transparent to the user as long as s/he has JavaScript enabled. A non-JS version is used if s/he doesn’t. Please check it out at http://www.privatedaddy.com/ – it’s totally free for all purposes

  105. stk says:

    You’re missing the entity values for > and < to *show* how the code direction is done. Instead, you’re just *doing* it.

    Still, none are buried in a link with a mailto: HREF. I prefer to obfuscate and still provide 1-click access.

    Doesn’t detract from the interest of the article and the thought and planning that went into your study.

    Cheers.

  106. Jeff Silverman says:

    Another option that wasn’t mentioned here:

    For clickable emails that don’t get caught by robots, I generally write {email} into the html itself, and then use a javascript replace to swap that with the email address i want displayed. Because the JS does the work after the DOM is loaded, robots won’t read the emails at all and they are still clickable by the user. You can even do {email}. JQuery has great search & replace functions.

    The same thing can be done with registration forms, to eliminate the need for captcha.

  107. Pingback: 9 formas de ofuscar emails a prueba : Blogografia

  108. Peter says:

    Private Daddy does email obfuscation automatically with a single line of PHP code. take a look @ http://www.privatedaddy.com/ , WP version also available

    HTH,

    Peter

  109. Keith Clark says:

    #3 could work with a fallback or you could use unobtrusive javascript (better method) to swap out email addresses when the page / DOM has loaded. Either of these will work in both JS and no JS environments.

  110. Keith Clark says:

    Sorry my last comment should start…

    “#3 could work with a NOSCRIPT fallback…”

    …looks like html tags aren’t allowed in comments.

  111. Pingback: Computer 101 on KLAKE 97.7 » And there was much rejoicing…..

  112. e-sushi says:

    I think that a good junk-filter in your e-mail client will do more good than making the e-mail on your site unreadable.

    Always remember: if a stupid robot can not read it, people with disabilities will fail too (so much for images btw.). And what about browsers? Not everyone has javascript enabled.

    If you’re really paranoid, simply implement a PHP contact form and slow down the spam by using a captcha tool like recaptcha (just mentioning it because you use it for the comment form on your site too.)

  113. EdelBabe says:

    I agree with the above comment. Why hide your contact information in the first place? Hitting some people with wrong e-mails or images can do more harm than good. If you want to be spam-free, simply do not publish your contact information. 😉

  114. est says:

    Try build email with javascript *and* DOM

    electr
    document.write(document.getElementById(“my_script”).parentNode.firstChild.getAttribute(‘my_chars’)+String.fromCharCode(0x74, 0141, 115-1))
    @gmail.com

  115. Pingback: Las 3 formas más seguras de publicar emails en la web | Omeyas Web

  116. Pingback: 50 New CSS Techniques For Your Next Web Design « SUMERA’S Weblog

  117. Pingback: Email obfuscation « Rootix Blog

  118. Pingback: E-Mail Links schützen | bo! hu? co.

  119. DerFichtl says:

    Best email protection ideas i have found so far … thank you.

    I’ve published it on my blog too:
    http://bohuco.net/blog/2010/02/e-mail-links-schutzen/

  120. Pingback: Email Obfuscation, the Accessible Way | Zing-Ming

  121. Pingback: michael pollak » email verschleiern.

  122. Pingback: Simple measures to choke spambots | Fascination Beach

  123. Pingback: Técnicas para Ofuscar Email | unijimpe

  124. Pingback: Email Obfuscation (with mailto:) to Avoid Spammers

  125. Pingback: Email spam a css method — Stofke on wheels