
Attack of the Spambots!

By on Jun 13, 2005 in Web Applications, Web Design, Web Engineering

E-mail is definitely one of Loud Dog’s critical business tools. It touches everything – from project management to developing new business. In fact, our first contact with new clients is frequently through e-mail.

Unfortunately, if your company displays an e-mail address on its website, it will be found by a spambot – an automated program that scours the web for e-mail addresses. This article explores how we can defeat the spambots!

First, a general philosophy.

Protecting your e-mail address is a compromise. It is possible to fully protect your e-mail address: create a difficult-to-guess e-mail address and don’t tell it to anyone.

The usefulness of an e-mail address graphed against its protection follows a bell curve:


A highly-protected e-mail address will not be useful: no one knows it exists. Nor will an e-mail address with little protection: the flood of spam will render it just as useless.

The right level of protection depends on the e-mail address and what you intend to use it for.

If you’re thinking about your company, it makes sense to accept more spam in order to make it easier for your customers (or potential customers) to reach you. Modern anti-spam programs are good enough to reduce the volume to a manageable level.

On the other hand, if it’s your personal address, or if it’s a specific company address, it probably makes sense to stringently protect it.

Protecting your e-mail address.

There are a variety of ways to protect your e-mail addresses – basically by removing the recognizable address pattern from your site. The guidelines explained above apply here as well: each level of protection makes it more difficult for your users to reach you.

Contact Us Form

The best protection is a contact us form. There are no e-mail addresses on the page, and thus nothing for a spambot to grab. The problem we have with the Contact Us form is that it’s not especially user friendly. Some users report that they like to have a copy of what they sent stored in their e-mail program; others simply say that the feeling they get is one of submitting a question to a large machine – which, in fact, is what they are doing.

The best way to make your current and future customers comfortable with you is to enable them to have a personal connection: this is why “” is better than “,” and why an e-mail address is better than a submit button.

Images and descriptions

Some people advocate displaying an email address as an image. Here’s my e-mail address: myemail.gif. Looks like you should be able to click on it, right? That is so frustrating. Even if it didn’t look like you could click on it, it tells your customers that your concerns about getting spam are more important than letting them contact you easily. Yes, it’s not hard to open up an Outlook window and type the address in, but staying on hold with the phone company also isn’t hard.

Along this same line, some people advocate displaying e-mail addresses like “josh AT abc DOT com.” This may be fine for an individual, but it’s not appropriate for a corporate site, and eventually spambots will be able to understand them.

A better way: obscuring e-mail addresses

The third way of protecting your e-mail addresses depends on making e-mail addresses difficult for spambots to read, but easy for humans. These techniques are not foolproof, but they can offer a fairly high level of protection.

Using HTML entities to encode the e-mail address.

HTML entities are numerical designations of characters. “a” is “&#97;” for instance. If a spambot is looking for a pattern, replacing that “@” with a “&#64;” may confuse some spambots. You could take it a step farther and encode the entire e-mail address. Obviously, sophisticated spambots will be able to figure this out, however.

Using mixed entities to encode the e-mail address.

The next level in obscurity is to mix it up, literally. We use an algorithm that randomly substitutes HTML entities, hexadecimal entities and normal characters in an e-mail address. An address ends up looking like %65ma%69l@abc.c%6f%6d. Hopefully, this will further confuse spambots.
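The mixing step described above, as an added example in JavaScript (not Loud Dog's PHP generator, which this page does not show); the function names and the seeded generator are assumptions. It encodes the href and the visible link text differently, because %XX escapes are only decoded inside the mailto: URL, and it checks that the link still resolves to the original address.

```javascript
// Added example. "josh@abc.com" follows the page's sample; names are hypothetical.

// Seeded generator so the output is reproducible; Math.random works too.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 4294967296;
}

// context "href": value placed after "mailto:" inside an attribute, where
//   %XX escapes are decoded by the mail client after the HTML parser runs.
// context "text": visible link text, where only character references decode.
function mixedEncode(address, context, rng = Math.random) {
  let out = "";
  for (const ch of address) {
    const code = ch.codePointAt(0);
    const forms = [`&#${code};`, `&#x${code.toString(16)};`];
    if (/[A-Za-z0-9]/.test(ch)) {
      forms.push(ch); // leave the character as-is
      if (context === "href") {
        forms.push("%" + code.toString(16).padStart(2, "0"));
      }
    }
    // "@", "." and any other punctuation never appear literally.
    out += forms[Math.floor(rng() * forms.length)];
  }
  return out;
}

// What a browser (and, for href, the mail client) recovers from the markup.
// Used to confirm the obfuscated link still works for visitors.
function decodeLikeBrowser(encoded, context) {
  const text = encoded
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
  return context === "href" ? decodeURIComponent(text) : text;
}

// A simple literal-address pattern of the kind the page says spambots look for.
const NAIVE_ADDRESS = /[\w.+-]+@[\w-]+\.[\w.-]+/;

function buildLink(address, rng = Math.random) {
  const href = "mailto:" + mixedEncode(address, "href", rng);
  const label = mixedEncode(address, "text", rng);
  return `<a href="${href}">${label}</a>`;
}
```

Run `NAIVE_ADDRESS.test(buildLink(...))` against generated markup as a regression check: it should stay false, while `decodeLikeBrowser` should always return the original address.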

Using JavaScript to obscure the address.

The final step is to use JavaScript to confuse spambots. There are thousands of different ways of doing this, and a quick Google search will bring up dozens.

Combining them all.

We combine all of these into a single solution that so far works well, while giving visitors a great (expected) experience.

We use PHP to dynamically create an external javascript function that looks like this (for

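function safe(text) {
  // Lookup tables keyed by a short name; PHP writes one entry per address
  var alink = {};
  var name = {};
  alink['josh'] = 'mailto:josh@%61bc.%63om'; // partly encoded href
  name['josh'] = '';                          // visible link text
  // Write the anchor into the page at the point where the script runs
  document.write('<a href="' + alink[text] + '">' + name[text] + '</a>');
}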

We then refer to email addresses in our pages as
<script language="javascript">safe('josh');</script>

The whole example can be found here.

Further reading.

Project Honeypot

Spambot Beware

Win the SPAM Arms Race at A List Apart

Center for Democracy and Technology Report

Hey! This wasn't written by a gang of elk! It was written by , who does awesome work at Loud Dog, a digital branding firm in San Francisco that helps businesses express themselves authentically via identities, websites, and marketing collateral.
