Hiding Email From Spammers
By Richard Lowe, Jr.
All right, it's a pretty sure bet that if you put your email address on your website, the spammers will eventually grab it right off your pages. That being true, then how the heck do you allow your visitors and customers to get into contact with you, without opening yourself up to a deluge of
Mailto tags - The spam robots are generally looking for mailto tags. A mailto tag is a hyperlink which contains the word "mailto:" followed by an email address. Clicking on this hyperlink causes the user's email program to open up a new message, allowing them to send email to the specified address.
A rule to follow, without exception, is NEVER, ever put your email address directly in a mailto tag anywhere on the internet. This means don't include it on your website, don't enter it into guest books and don't add it to lists or anything else. If you do, then your email address is fair game to
Keeping the Harvesters Away
Robots.txt: You can keep some email harvesters away from your site by using a Robots.txt file with the various user agents included. Unfortunately, most spam harvesting programs do not even look at the Robots.txt file, so this tactic is not very useful. However, it does not hurt to include them either.
Htaccess file (Apache): If you are running your web site using Apache, you can use the .htaccess file to keep many harvesters away. This is actually very effective, because for some reason virtually all of the harvesters do identify themselves in some way using the user agent field, and this means htaccess can block them.
For Windows systems (using IIS) you can use a wonderful little filter called Isapi_Rewrite to create an htaccess-like file. This is available for free or for a small fee from
Hiding the Email Address
Using a form: One of the best ways to get information from your visitors is to simply code an HTML form and ask them to fill it out. Using a form totally avoids email harvesters (although you have to be careful with CGI routines as well - the popular formmail script is notorious for its security issues) and is very friendly to most users.
Hiding it in a graphic image: One method of hiding the email address is to create a graphic which shows the address. This has the advantage in that it is not possible for spam harvesters to decode the address. On the other hand, your visitors will be severely inconvenienced because they will have to type the address into their email messages by hand. So while this solution does help with spam, it also virtually stops all users from sending you messages as well.
If you do use this method, you can use the ALT tag to make things a little more clear. You could, for example, set the ALT tag to "Email rich at richard-lowe dot com" (remember spam harvesters can find email addresses in ALT tags without too much trouble).
Munging the address: You can spell out parts of the email address if you like. This is a common practice in messages posted to newsgroups and such, but it is not so well known on the web. For example, you could say "my email address is 'tom at anyolddomain dot com'".
You could also add extra words or characters, such as "tom@d..anydomain.com" or "tom_spam@a...". This is also very common in newsgroups but almost never seen on
This has the same problem as hiding the email address in a graphic image - your visitors are not very likely to send you messages because you've asked them to do some extra work.
Unicode: You can make perfectly useful links by coding all or part of the email address in Unicode (a method for including characters from all languages on HTML pages). At this point in time, it's doubtful that any spam harvesters look for Unicode, although it would not be all that difficult to make one that works with it.
For example, an email address in Unicode with the @ sign hidden is: email&#64;example.com - to the user, the &#64; appears exactly the same as the @.
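The Unicode encoding described above, as an added example that is not part of the original article: it encodes a whole mailto link as numeric character references, then audits the markup the way a simple pattern match would, before and after decoding. The function names and the sample address are assumptions made for illustration.

```javascript
// Encode every character as an HTML numeric character reference,
// e.g. "@" -> "&#64;". A browser renders the result like the plain text.
function toNumericEntities(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join("");
}

// Reverse the encoding (decimal and hex references), as a browser does.
function decodeNumericEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Build a link whose source contains neither "mailto:" nor the address literally.
function obfuscatedMailtoLink(address, label) {
  const safeLabel = label.replace(/[&<>"]/g, ch => `&#${ch.charCodeAt(0)};`);
  return `<a href="${toNumericEntities("mailto:" + address)}">${safeLabel}</a>`;
}

// Simple address pattern for auditing your own pages for exposed addresses.
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Report addresses visible in the raw source and after entity decoding.
function auditPage(html) {
  return {
    plain: html.match(ADDRESS_RE) || [],
    afterDecoding: decodeNumericEntities(html).match(ADDRESS_RE) || [],
  };
}

// Constructed sample markup (not a real address).
const exposed = '<a href="mailto:your_name@example.com">Contact</a>';
const hidden = obfuscatedMailtoLink("your_name@example.com", "Contact");

console.log(auditPage(exposed)); // address visible in both passes
console.log(auditPage(hidden));  // hidden from the raw pass only
```

The second audit result shows the limit the article mentions: the encoding only defeats tools that never decode character references.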
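// JavaScript: build the mailto: link from fragments at page load, so the complete address never appears in the page source.
var sendto = "your_domain.com";
var mailid = "mail" + "to:" + "your_name@" + sendto;
// The button opens the visitor's email program when clicked.
document.write("<INPUT TYPE=\"submit\" VALUE=\"Send email\" onClick=\"window.location.href=mailid\">");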
Other tricks: There are as many other ways to hide an email address as there are stars in the sky. You could, for example, write a Java program or a CGI script to dynamically generate an email address if desired. Each method has its advantages and disadvantages.
For a successful website, whether it's a hobby site, a personal page or a commercial venture, you must give your visitors some way to contact you. However, you must also protect yourself against spam. In my opinion, the best way to do so is to create a form requesting the information and thus skip email entirely. If you do this, however, be careful that your form routines are secure.
Copyright (C) Richard Lowe Jr. and Claudia Arevalo-Lowe, 1999-2002.
Richard Lowe Jr. is the webmaster of Internet Tips And Secrets at http://www.internet-tips.net where you can find over 1,000 complete FREE articles about how to improve your internet profits, enjoyment and knowledge.