Encoded Email Addresses

If you want to publish your email address on a website, you’re gonna get spam, but there are a few things you can do to cut down on the amount of spam you get.

The easiest is to not publish your email address on a website. You’ll still get some spam, but your ISP should be able to install a spam filter that you can use to turn off some of it (Earthlink’s Spaminator is a good example of this). (Of course, this negates the whole idea of publishing your email address on your website.)

Secondly, you can publish your email address in unlinked graphical form. This means a human that isn’t blind can read your email address and type it in their email program. Scott does a good job of this on his Fuzzy Blog!.

Thirdly, you can encode your email address so that it looks like plain text to a reader, but looks like gobbledygook in the source code:

Take my email address: john@inluminent.com. Anyone can email me there, but I don’t want to get a bunch of spam, so I’d like to encode it using character entities. It’s a lot of work to do that manually, so I naturally turn to a web-based email encoding form to turn my email address into this:

j o h n @ i n l u m i n e n t . c o m

Which then goes into my HTML to produce this:


(Special thanks to Steve Hall, one of my MarketingFix buddies, for reminding me about this tool and giving me the idea of blogging it).
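An added example, not part of the original post: the character-entity encoding described above, plus a self-check that reports whether a known address is still readable in page source once entities and percent-escapes are decoded with Python's standard library. The address, page snippets and function names are constructed for illustration.

```python
import html
from urllib.parse import unquote

ADDRESS = "alice@example.com"  # constructed sample address


def entity_encode(address: str, hexadecimal: bool = False) -> str:
    """Write every character as a numeric character reference."""
    fmt = "&#x{:x};" if hexadecimal else "&#{};"
    return "".join(fmt.format(ord(ch)) for ch in address)


def url_encode(address: str) -> str:
    """Percent-encode every byte, as accepted inside a mailto: href."""
    return "".join(f"%{b:02X}" for b in address.encode("utf-8"))


def normalise(page_source: str) -> str:
    """Undo what any HTML/URL library undoes: entities, then %XX escapes."""
    return unquote(html.unescape(page_source)).lower()


def address_exposed(page_source: str, address: str) -> bool:
    """True if the known address is plain text after standard decoding."""
    return address.lower() in normalise(page_source)


def audit(pages: dict, address: str) -> dict:
    """Map each page name to whether it still exposes the address."""
    return {name: address_exposed(src, address) for name, src in pages.items()}


# Constructed sample pages, one per publishing method.
PAGES = {
    "plain": f'<a href="mailto:{ADDRESS}">{ADDRESS}</a>',
    "decimal_entities": f"<p>{entity_encode(ADDRESS)}</p>",
    "hex_entities": f"<p>{entity_encode(ADDRESS, hexadecimal=True)}</p>",
    "percent_mailto": f'<a href="mailto:{url_encode(ADDRESS)}">mail me</a>',
    "unlinked_image": '<img src="contact.png" alt="contact address">',
}

if __name__ == "__main__":
    for name, exposed in audit(PAGES, ADDRESS).items():
        print(f"{name:18} {'EXPOSED' if exposed else 'not found'}")
```

A method reported as exposed gives no protection against any tool that decodes the page before searching it. A "not found" result only means this particular check did not see the address.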

6 Responses to “Encoded Email Addresses”

  • I have my addy plastered over the web… It’s sick. I’m an avid user of Mail’s spam filtering and good ol’ rules to forward everything I want to the right boxes. I usually only get a few of those pesky virus emails a day, not bad considering.

    I’m going to try to turn some of my email links into forms, and see if that helps cut the volume of spam. Until then I shall use your trick.

    I believe railheaddesign.com has a freeware cocoa app to do the conversion…

  • Sorry, but it doesn’t work. Last century, sure, but not anymore. It seems workable because it looks like garbage to us, and we think of spammers as dumb, since they send us breast and penis enlargement spam at the same address, but spam harvesters aren’t written by stupid people, just evil people. If you want to see for yourself, just change that encoded address to something you’ve never used before, and leave it around. It will be harvested. Even I could write a harvester to get entity- and url-encoded addresses. The closest thing to a safe way to have a clickable address is to use javascript to document.write it into the page, in chunks, and throw in the odd String.fromCharCode() just to make sure the harvesters will have to write a full javascript parser (or embed the Mozilla parser). So far, I haven’t had addresses done that way harvested, but every address I’ve ever trusted to entity encoding has been harvested and spammed mercilessly.

    I did see an interesting solution somewhere the other day, though: use [email protected] (or [email protected] would probably work, too). Apparently spam harvesters are bright enough to know that those addresses are a sure path to quick and accurate abuse reports.

  • Phil’s right. My latest tactic is to put a contact form on my web site, rather than my email address. The form is hard-coded to email to me (so it can’t be used as a spam relay).

    That, combined with SpamAssassin and Mail’s junk filter, has pretty much eliminated my spam problem. *fingers crossed*

  • What I’ve found works really well is having an address that is autogenerated on each page-view, but which is only good for 5 days. For example, right now it might say, on my web site:

    [email protected]

    “td” is “time delay”; addresses in that domain follow a set format and expire after a certain number of days. The “xxx’s” are the IP address requesting the page (and spidering the content if that’s what they are).

    I’ve found it works pretty well. It usually takes more than 5 days for a harvested address to get spammed, but if a human clicks on that link to send mail to me, it’ll arrive before the expiration. 🙂

  • There’s a web page where you can test how well you have proofed your site against spambots:


    It uses all the known tricks for finding hidden e-mail addresses, and shows you what it gets.

    My solution has been to hide the mailto link, broken into parts, in a javascript function that writes it back into the page. So far that seems to work. My command of JS isn’t very good–I’d like to generalize it into a more universal function, but haven’t gotten that version working yet.

  • For an address that is being displayed only (not a link), insert bogus HTML tags into it. So [email protected] becomes [email protected].

    Browsers don’t display HTML they don’t understand, so what gets shown to the user is the real email address. A harvester will grab the whole thing, including the fake HTML.
