skip to content

JavaScript: Protecting mailto links

In the last few years we have seen the rise of email harvesters and spambots - web robots or spiders that are programmed specifically to harvest email addresses from your website for the purpose of sending spam email.

Email link obfuscation

For webmasters, this means that you can no longer have an email address appear on your website (even just in the HTML code) without exposing yourself to spammers.

Even a single page with your email address is enough to trigger an avalanche of spam - and there's no way to put the genie back in the bottle without changing your email address.

If you have access to server-side scripting then an email form can replace the email links (our Feedback form is a good example), but some people are reluctant to use forms as they can be seen as too impersonal.

So how can we display an email as a link on the page without the danger of having it harvested?

That's where JavaScript comes in handy. By replacing email links in your HTML with properly obfuscated JavaScript code you are raising the bar for spambots as they will not even know there is an email address on the page without executing the code.

Sample output

Obfuscate your email address

Simple encoding:

For (very) basic protection, copy and paste this code where you want the email link to appear:

<script> document.write("<a href=\"mail" + "to:" + new Array("your.name","example.net").join("@") + "\">" + new Array("your.name","example.net").join("@") + "</" + "a>"); </script>

Advanced encoding:

For better protection, copy and paste this code into your HTML:

<script>eval(unescape("%71%77%77%6b%71%38%31%3d%5b%27%25%37%39%25%36%66%25%37%35%25%37%32%25%32%65%25%36%65%25%36%31%25%36%64%25%36%35%27%2c%5b%27%25%36%65%25%36%35%25%37%34%27%2c%27%25%36%35%25%37%38%25%36%31%25%36%64%25%37%30%25%36%63%25%36%35%27%5d%2e%72%65%76%65%72%73%65%28%29%2e%6a%6f%69%6e%28%27%2e%27%29%5d%2e%6a%6f%69%6e%28%27%40%27%29%3b%61%72%74%63%6b%37%39%3d%75%6e%65%73%63%61%70%65%28%71%77%77%6b%71%38%31%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%61%72%74%63%6b%37%39%2e%6c%69%6e%6b%28%27%6d%61%69%27%2b%27%6c%74%6f%3a%27%2b%71%77%77%6b%71%38%31%29%29%3b"));</script>

This new algorithm has been created to be significantly more difficult to reverse engineer than the basic version above which was already cracked by at least one group of spammers.

The advanced version was released into the wild in December 2005 and so far there are no indications that it's been cracked by an automated script. Manual copying of the address is of course always possible.

Google is now indexing email addresses that appear in this format (see below), but this does not expose the address.

Known limitations

While we're finding better ways of protecting email addresses, the harvesters are also working on better algorithms for detecting them. That means that the algorithms used on this page may only have a limited lifespan and should not be relied on to protect your email addresses forever.

We suggest you use a single PHP (or equivalent) function to display all email links on your site/server. That way if you think the encryption (or 'obfuscation' in this case) has been compromised you can immediately change to a different algorithm - more complicated JavaScript or a generated graphic for example.

If you need to cater for users with non-JavaScript browsers your best option is to provide a form that sends email via a server-side script.

Now parsed by Google

In a surprising turn of events it seems that Googlebot has now cracked our algorithm. Search for an email address that appears in obfuscated format now returns the page in question.

The email address is not highlighted in the SERP text snippet as it is for plain text links, however, and in the cached version of the page the text at the top says only These terms only appear in links pointing to this page (which isn't actually the case). In the text version of the cached page the email address doesn't show up.

< JavaScript

User Comments

Post your comment or question

22 July, 2008

Hi, the Smarty (smarty.php.net) have a function that encode mail address very nice too.

I checked out the Smarty encoding on this page and it really isn't that good. Most spambots can already crack at least the first two options using just unescape for the first or html_entity_decode followed by unescape for the second.

Ours (the advanced version) is much, much more secure

top