15 May

Obfuscate email, but make yourself email-able

Using a simple obfuscating script on your website’s published email addresses can reduce the amount of email spam by 90% or more. Email spam primarily comes from email harvesting bots, similar to search engine bots, that scour the internet looking for email addresses to spam. There are several ways to obfuscate email addresses.

Common methods to obfuscate email addresses:

  • Encoding
  • Javascript
  • Flash
  • Using an Image instead of text

Javascript and Flash obfuscation basically create a text version of your email that only the most complex email harvesting robots can read. These methods work well at stopping email harvesting (Flash is far better than Javascript), but your visitors must have Flash installed or Javascript enabled for these to work, or they too cannot see your email address.

Example of what a Javascript email would look like to a computer. (From: seowebsitepromotion.com)
<script type="text/javascript">
//<![CDATA[
var email = "questions"
var domain = "ecommerce-blog.org"
document.write("" + email + "@" + domain + "")
//]]>
</script>

These can also be called externally or through an action script which is even more effective.

Images of an email address can be used in place of text. While this is probably as effective at stopping spam as Flash and Javascript, it completely prevents copying the text. This makes it very annoying to try to email the site owner, as contact addresses are often long and can be complex. Users are very prone to mis-entering email characters, and this generally leads to frustration and annoyance for everyone. I recommend not using this method.

Encoding is by far my preferred method of email obfuscation. While it is not as effective as the other methods, it stops the majority of spambots. It does not create browser compatibility or usability issues. It is as easy to use as copying and pasting some HTML onto a web page when it is being created.

Encoding can be done in hex, decimal, and other formats. HTML interprets these encoded characters as the ones we see and read. This way your visitors see an A while a computer sees an &#x41;.
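The encoding step described above, as an added example that is not from the original post or from the tools it links to: it writes an address as hex, decimal or alternating numeric character references, then resolves them again to confirm the markup still renders as the intended address. The function names are hypothetical and the address is a constructed sample; the resolve step is the same one every HTML parser performs, which is why encoding only stops harvesters that match raw page text.

```javascript
// Added example: encode an address as HTML numeric character references.

// Encode every character as a hex (&#x41;) or decimal (&#65;) reference.
// Mode "mixed" alternates the two by position, so the output is deterministic.
function encodeEntities(text, mode = "hex") {
  return Array.from(text, (ch, i) => {
    const cp = ch.codePointAt(0);
    const useHex = mode === "hex" || (mode === "mixed" && i % 2 === 0);
    return useHex ? `&#x${cp.toString(16).toUpperCase()};` : `&#${cp};`;
  }).join("");
}

// Build a mailto link whose href and visible text are both encoded,
// so the raw page source contains neither "mailto:" nor "@".
function encodedMailto(address, mode = "mixed") {
  const href = encodeEntities("mailto:" + address, mode);
  const label = encodeEntities(address, mode);
  return `<a href="${href}">${label}</a>`;
}

// Resolve numeric references the way an HTML parser does, to check that
// the pasted markup still renders as the intended address.
function decodeEntities(html) {
  return html.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, ref) => {
    const cp = /^x/i.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return String.fromCodePoint(cp);
  });
}

const sample = "questions@ecommerce-blog.org"; // constructed sample input
const link = encodedMailto(sample);
console.log(link);                 // markup to paste into the page
console.log(decodeEntities(link)); // what the visitor's browser renders
```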

Some good encoding tools:
http://www.ianr.unl.edu/email/encode/ – This is a simple and very effective encoding generator.
http://www.seowebsitepromotion.com/obfuscate_email.asp This script offers a variety of encoding and javascript obfuscation techniques.

Email Obfuscation Comparison:

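| Method        | Usability | Effectiveness  | Difficulty |
|---------------|-----------|----------------|------------|
| Flash         | Bad       | Extremely Good | Hard       |
| Javascript    | Ok        | Very Good      | Medium     |
| Image         | Bad       | Very Good      | Medium     |
| HTML Encoding | Great     | Good           | Easy       |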

11 Comments:
  1. sun 15 May, 2008

    LOL, I had to laugh when you suggested using Flash to obfuscate e-mail. I think images are fine. Having a long, complex, and/or annoying e-mail address is a usability issue in general that typing out makes apparent. Just use a simpler prefix or be considerate of domain names usability before registering.

  2. jestep 20 May, 2008

    Flash is certainly a ridiculous method to obfuscate anything, but I included it since I have seen it a few times. Javascript is probably safe nowadays since the vast majority of users have javascript enabled.

  3. Shopping Cart Software 21 May, 2008

    This is actually a good idea. I might use this in my personal site as well.

  4. Rich 28 May, 2008

    @jestep: No need to worry about users not having javascript installed. Remember that you can use < noscript > tags to provide content for users that have disabled javascript. Then, you can provide an image (less usable, but very secure) or something like that. Check it out in action on my site if you like:
    http://featurific.com/node/23

  5. SengHooi Dot Com 12 Jun, 2008

    I see a lot of people write their email in this way:
    senghooi429[at]yahoo[dot]com.

    I notice myspace and facebook will auto convert your email into this format.

    So… it's to prevent spam?

  6. Mike 7 Jul, 2008

    Javascript and images can also be combined. For example you can place an image and then use JS to replace that image with a clickable mailto link that also allows the address to be selected and copied.

    The only users who miss out then are those that have BOTH images and JS disabled.

  7. Leafgreen 27 Nov, 2008

    This article is now obsolete regarding Flash. “Effectiveness” is no longer “Extremely Good” but ineffective. Google is now capable of indexing all flash text, and the email address in my Flash site is now visible in Google search results. Therefore, spam bots are not far behind, and there are scrape methods to gather email addresses from Google search results.

    Leafgreen
    Get your Gadgets at http://GadgetNation.net/store

  8. Vladimir Dzhuvinov 14 Mar, 2009

    Well, what is the empirical evidence that “obfuscating script on your website’s published email addresses can reduce the amount of email spam by 90% or more”?

    🙂

  9. Jason Priem 19 May, 2009

    @Vladimir: This site offers some empirical data (although not addressing your specific quote), as does this one. Both are a bit out of date (especially the second), which is significant in the constantly evolving Spy vs. Spy of spam.

    And while these two rather informal studies do give some encouragement to obfuscation, I still say it’s a bad idea. Entity encoding, as this post suggests, is the easiest thing in the world to “break.” I made an obfuscation decoder script (http://jasonpriem.com/obfuscation-decoder) that breaks this technique, as well as a variety of “foo[at] bar [dot] com” approaches; it took me a few hours.

    As for javascript, the post correctly points out that it’s a bit of an accessibility/usability fail. Plus, there are plenty of ways to run JS on a server; it’s only a matter of time before spammers catch on (here’s a good example). More importantly, though, it’s just bad form to spend time making information on your site harder to understand. The web is about making information public.

  10. Elton Hoxha 13 Sep, 2009

    Part 1
    The first step I took was jumping to the other side of the river and thinking like a spammer. I started to search for software that does the harvesting of emails on the internet.
    Using keywords such as “emails, harvest and extract” on Google, I ended up looking at hundreds of software listings, offering an easy way to attack unprotected emails in a few steps…
    I picked software called EmailSpiderGold to test. Within a couple of hours I ended up harvesting 15000 webmasters’ emails to use at my discretion.
    Along the way I learned that, out in the open, there are several ways to verify that those emails are active, as the very same developers also offer Email Verifiers which, among many features, check the validity of recipients’ e-mail addresses by connecting to SMTP servers and simulating the sending of a message, and they work pretty smart too, as they disconnect as soon as the mail server informs the program whether the address exists or not. From this we end up concluding that once the email is out there everyone can harvest it and use it without discretion for their own purpose.
    Part 2
    Solutions…
    I came across several solutions being offered to protect emails from harvesting campaigns. Amongst them I found some interesting ones using java scripts to obfuscate the coding on the page.
    Strangely, I didn’t come across anyone using their own encryption to publish their email on the web page.
    Their lack of confidence was the answer for me.
    Accidentally I got in touch with an old time software developer that shared the same frustration named Peter Johansson; together we joined forces and experiences to develop a shield to the issue. Only recently we had a winner called ATG, an Anti-Spam Tag Generator with advanced features that hides the real address from robotic harvesters. We tested it and it has proved to work.

  11. Jack F 23 Dec, 2009

    @jestep

    WordPress can also use privatedaddy to automatically obfuscate email addresses on their web sites. A plain-HTML (non-WP) version is also available at http://www.privatedaddy.com/ . Both are free. Why don’t you check it out?

Copyright © 2024 The Ecommerce Blog, Jamie Estep, All Rights Reserved · Theme design by Themes Boutique