Anti spam email hiding techniques

Writing email addresses in clear text in web pages is not a good idea: spambots crawl the web and collect email addresses in order to send unsolicited spam later. But sometimes it is useful to put an email address in a web page, and there are several possibilities:

  1. Using an image: a transparent GIF with the text of the email address. A spambot needs some Optical Character Recognition to read your address (complex enough), but a real user browsing your site cannot copy and paste your address, nor click on a simple link to send you an email.
  2. Using a form: let the user send you an email without knowing your address. The user will learn your email address when you respond to their email. This requires your site to have some server-side capability (CGI/PHP/Servlet) to do the job. But spambot scripts can exploit the form to send you emails: this requires additional work from the spammers, and when you realize that spammers have exploited it you can add some additional mechanism to the form (like "see this image and report what you read", or "3+2=?", or an easy question like "What color was Napoleon's white horse?").
  3. Scrambling email addresses: you can do some cryptography on email addresses, and the client's browser will be able to decrypt the addresses using JavaScript. The spambot will need to be able to execute JavaScript to decode your addresses. Complex, but I believe that some can do it.
  4. Adding garbage emails to your pages: you can place some (hidden) links to randomly generated pages on your site so that the spambot, following those links, falls into pages generating infinite email addresses and collects hundreds of thousands of email addresses along with the good ones (this means that the spammer will have to discard them manually, or discard all the data collected from that point on). You will usually put 10+ links at the top and at the bottom of your pages, linking to randomly generated pages containing random emails.

A sample HTML fragment using JavaScript to scramble email addresses (the one I am using) could be the following:

<script language="JavaScript">
// Assembles the address and the mailto link at run time, so the complete
// address never appears as one string in the HTML source.
function mail(name, domain, ext, params) {
  var addr = name + "@" + domain + "." + ext;
  var protocol = "ma" + "il" + "to";
  var url = protocol + ":" + addr + params;
  var a = "<a href=\"" + url + "\">";
  var _a = "</a>";
  document.write(a + addr + _a);
}
</script>

<strong>Write me: </strong><script language="JavaScript">mail("lviggiano", "tiscali", "it", "");</script>
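
The fragment above only splits the address into string pieces. As an added example (not the author's code), this sketch shows the "scrambling" variant from item 3: the page source carries only a hex string, and the browser rebuilds the link. The key, the `data-m` attribute and the sample address are constructed for illustration, and addresses are assumed to be ASCII. The key ships with the page, so this is obfuscation against harvesters that do not run scripts, not encryption.

```javascript
// Added example: XOR-scrambled address, decoded client-side.
const KEY = 0x5a; // constructed value; any byte works

// Build time / server side: encode the address as hex, XORing each
// character with a position-dependent byte so no "@" or "." survives.
function scramble(addr, key = KEY) {
  return Array.from(addr, (ch, i) => {
    const k = (key + i) & 0xff;
    return (ch.charCodeAt(0) ^ k).toString(16).padStart(2, "0");
  }).join("");
}

// Browser side: reverse the transformation.
function unscramble(hex, key = KEY) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    const k = (key + i / 2) & 0xff;
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) ^ k);
  }
  return out;
}

// Markup to place in the page instead of a plain mailto link.
function placeholder(addr, label = "Write me") {
  return '<a data-m="' + scramble(addr) + '">' + label + "</a>";
}

// Rebuild real links once the DOM is ready. textContent is used instead
// of document.write so the decoded value is never parsed as HTML.
function activate(doc) {
  for (const a of doc.querySelectorAll("a[data-m]")) {
    const addr = unscramble(a.getAttribute("data-m"));
    a.href = "mailto:" + addr;
    a.textContent = addr;
  }
}

if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => activate(document));
}

// Self-check: the served markup must not match a typical address pattern.
function looksHarvestable(html) {
  return /[\w.+-]+@[\w-]+\.[\w.-]+/.test(html);
}
```
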

I always combine this technique with garbage email generation. A sample garbage email generator written in PHP (as I had some difficulty finding Java-enabled hosting for my site) is the following:


<?php
	// Returns a random lowercase string of $size characters.
	function randomString($size) {
		$chars = "abcdefghijklmnopqrstuvwxyz"; //0123456789";
		$count = strlen($chars);
		$i = 0;
		$retval = "";
		while ($i < $size) {
			$num = rand() % $count;
			$char = substr($chars, $num, 1);
			$retval = $retval . $char;
			$i++;
		}
		return $retval;
	}

	// Picks a random top-level domain for the fake address.
	// (The empty entry was dropped: it produced addresses ending in a dot.)
	function randomSuffix() {
		$suffixes = array("com", "net", "org", "biz", "info", "name", "fr",
		                  "de", "it", "ch", "ru", "tv", "info");
		$idx = rand() % count($suffixes);
		return $suffixes[$idx];
	}

	// Builds either name.surname@domain.tld or name@domain.tld.
	function randomEmail() {
		$name = randomString(rand(5,10));
		$surname = randomString(rand(5,10));
		$domain = randomString(rand(5,10));
		$suffix = randomSuffix();
		$mailType = rand() % 2;
		if ($mailType == 0) {
			return $name . "." . $surname . "@" . $domain . "." . $suffix;
		} else {
			return $name . "@" . $domain . "." . $suffix;
		}
	}

	// Prints one page worth of garbage mailto links.
	function doMail() {
		$emailPerPage = 50;
		for ($emailCount = 0; $emailCount < $emailPerPage; $emailCount++) {
			$email = randomEmail();
			print("\t\t<a href=\"mailto:" . $email . "\">" . $email . "</a><br>\n");
		}
	}
?>
<html>
	<head>
		<title><?= randomString(10) ?></title>
	</head>
	<body>
<?php doMail(); ?>

		Not enough?
		<a href="emails.php?<?= randomString(5) ?>=<?= rand(0,9999999) ?>">
			Get more!
		</a>
	</body>
</html>

A spambot could fall into a loop, as at the end of the page there's a link to the page itself (with a random parameter to try to keep the spambot from understanding that the page is the same; with a servlet this could be accomplished better).
At the top and the bottom of every page I simply put some hidden links (the text of the link is a transparent 1x1 pixel GIF or just a non-printable blank space) to the garbage email page (self-linking to make the spambot loop infinitely).
You can notice that from the user's point of view it's completely invisible, but the HTML source does the trick.
In this way the real user browsing your site is completely unaware of the anti-spam measures you used to protect your email address.
I am thinking of a JavaScript that browses the content of the current page using regular expressions to search for text like "name at domain dot com", replacing it with fully readable and clickable mailto:// links. I googled a little to find a script like this but I didn't find one, so I think I'll do it myself if I have some spare time for it.
Does anyone have more (or better) anti-spam techniques to report for protecting email addresses on web sites? If so, I'll add them to this post.

June 2005