Mobile app version of
Login or Join

: Way to list "Contact Us" email address on web site, yet reduce likelihood of spam? What's a good way to list a "Contact Us" email address on a web site, while reducing the likelihood it will


Posted in: #ContactPage #Email #EmailAddress #Spam

What's a good way to list a "Contact Us" email address on a web site, while reducing the likelihood it will get spammed?

Is putting the email address in an image the best technique, or are there others?

10.26% popularity Vote Up Vote Down

Login to follow query

More posts by @Gonzalez347


Sorted by latest first Latest Oldest Best



If you're using a contact form, you could do the fun technique of using random names for your inputs.

For example, I make a contact form, instead of using email as an input, I would use liame, same with name (eman), and comment (tnemmoc). The bots don't actually know what those inputs do, so they just disregard them.

10% popularity Vote Up Vote Down



I use a PHP function to generate some javascript to output the the script at runtime. Note that you don't need PHP to generate the JS at runtime, you can generate the JS once locally and then include the static JS in your page.

You can also use the linked function with this snippet below to automatically obfuscate email addresses in given a given HTML (where $processedContent is the HTML):

$emailMatches = array();
$matchCount = preg_match_all('/(?:[a-zA-Z0-9_.-])+@(?:(?:[a-zA-Z0-9-])+.)+(?:[a-zA-Z0-9]{2,4})+/', $processedContent, $emailMatches);

if($matchCount > 0) {
$emailMatches = $emailMatches[0];

foreach($emailMatches as $email) {
$replacement = createJSMailLink($email);

$processedContent = str_replace($email, createJSMailLink($email), $processedContent);

10% popularity Vote Up Vote Down



Use Zoho Creator to set up a contact form. The feedback you receive will be stored on a database that you can access online & it will also be emailed to you.

10% popularity Vote Up Vote Down



I've set up a Google Docs Form / Spreadsheet. I can check form entries once a day and my inbox isn't flooded.

10% popularity Vote Up Vote Down



If you don't mind using javascript, you can use something like ROT13 for obfuscating the email address. For example see this:
Personally, I prefer using a contact us form and not worry about the spambots, but of course it all depends on your requirements.

10% popularity Vote Up Vote Down



The easiest thing I've found is to use a contact form where there is a default address, but also the ability for the user to select who the communication should go to (marketing, sales, tech support, etc.). Then, based on the value of the drop-down the posted form data is sent by the server to the appropriate email address.

Run this contact list out of a database table so you can easily update/add entries to the drop-down. That way you're never exposing any sort of address to the wide world of spam bots, and still give your users a great way to send in feedback.

10% popularity Vote Up Vote Down



All the obfuscation techniques in the world can't help in the long run if you get a lot of people contacting you. All it takes is for someone to drop you a message and later get infected by some malware that scans their inbox / sent mail / address book /whatever for valid addresses, andyour address it out there being passed from list to list [I even have contacts who are stupid enough to put there email address and password into online forms for the most idiotic of reasons, you probably have too, the most recent one was a site that offered to compute someone's "email astrology chart and predictions" which immediately spammed all the fool's contacts with an invitation to the same site and <deity> only knows what other lists we are now on as a result].

The address on my public web-sites isn't just a throw-away address - it is on a throw-away sub-domain. If I start getting spam on that sub-domain I create a new one, update the sites where my contact details are listed, and a short time later I completely remove the sub-domain from DNS records. If you do this, or any other throw-away address techniques, make sure you make clear (on any page listing the address and in the footer of any mail you send using that address) that the address will change in future and if people can't get through they should check back to make sure they have the correct address.

This has the advantage of just being a simple address for people to click (if their browser+mailer are linked that way) or copy+paste without needing to use their brains to edit the address afterwards (I'm always surprised by how many otherwise intelligent and observant people can't get that sort of thing right). It also means my mail server doesn't spend its days bouncing messages sent to "random" addresses (aaron@, adam@, amy01@, ...) at the expired sub-domains. It also doesn't confuse screen-readers used by the blind or poorly sited.

Another option that I've not tried yet is to use an AJAX request to read in the email address and other details. This may be slightly more effective than document.write based obfuscation, though will add a little extra load on the web server.

I used to use "contact me/us" forms instead but I found that they get spammed as much as, sometimes more than, plain-text email addresses - sometimes by scripts that are trying to use the form to create an account somewhere rather than use it as a contact form.

10% popularity Vote Up Vote Down



If you have a bot filter (using 1x1px, subnet, known bots, jscript detection, http referrer and browser agent) you can simply not display the information if its a bot.

Solution in PHP:

if (!isbot()) {
echo 'mailto:'.$email_address_for_real_people;
else {
echo 'mailto:yourself_bot@'.$bots_domain_address;

10% popularity Vote Up Vote Down



I use a simple Python script to convert the e-mail address into an mailto link where the e-mail address is HTML entity encoded. This is completely transparent to the user, but seems to obscure the contents enough to defeat most simpleminded harvesting bots.

#! /usr/bin/env python3.0

def entity_encode(text):
out = ""
ba = text.encode()
for i in range(len(ba)):
out = out + "&#x{0:02x};".format (ba[i])
return out

def print_email_link(address) :
print('<!-- {0} -->'.format(address))
print('<a href="{0}{1}">{1}</a>'.format(entity_encode("mailto:"), entity_encode(address)))


This gives the output

<!-- -->
<a href="&#x6d;&#x61;&#x69;&#x6c;&#x74;&#x6f;&#x3a;&#x74;&#x65;&#x73;&#x74;&#x31;&#x32;&#x33;&#x40;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;">&#x74;&#x65;&#x73;&#x74;&#x31;&#x32;&#x33;&#x40;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;</a>

When the result is pasted into a web page, the browser displays the text "" as a hyperline to "", so it is just as convenient to the end user as including the address in the clear. But it does seem to defeat many harvesting bots.

Obviously, I delete the comment with the plain ASCII version of the address once I've pasted the obscured e-mail link into the appropriate spot in web page's HTML source.

10% popularity Vote Up Vote Down



Here is another email obfuscator: Enkoder, from Dan Benjamin. It comes both as an online app and a standalone app for Mac.

10% popularity Vote Up Vote Down



The best solution: use a spam filter.

I actually use Gmail to handle my POP3 email account for my business, because it's much easier to check email on different computers. Gmail's spam filters are the best in the world.

So you can just display as your email address and forget about spam.

10% popularity Vote Up Vote Down



My non-answer is to not do this. Modern email systems, such as GMail and the Barracuda anti-spam appliance, do an excellent job of filtering spam. Any barrier that you put between you and your visitors means a lower level of engagement and, depending on the type of site, potential loss of sales.

If you are worried about users who don't have native mail client installed, or who don't have the mailto: handler set correctly, then have a Contact Us page with BOTH the linked email address and a form (without a CAPTCHA) and let the user choose.

Spam is annoying, but it's our burden to bear, not our users.

10% popularity Vote Up Vote Down



Personally, I don't display email addresses on sites, but instead have an easy to use, accessible contact us form, along with an indication of who the email is from; allowing users to send the site owners and operators emails, without exposing email addresses or having to jump through various JavaScript hoops, etc.

This is often the best way to go if your spam filtering isn't that sophisticated.

10% popularity Vote Up Vote Down



What I do is write out the email address as words, wrapped in a span tag: <span class="email">joe dot blow at gmail dot com</span>. Then a page-level script runs, grabbing any such spans and replacing each with a constructed email link. It may not be too obscure, but I've had no complaints. Plus if JavaScript is disabled, the user can still read the actual span text.

10% popularity Vote Up Vote Down



use css to hide some noise from the real text (just all in one line, i formatted it to better illustrate the technique):

u<span class="spam">noise</span>ser @ <span class="spam">noise</span>
example<span class="spam">noise</span>

and then use this little css-snippet:

.spam { display: none; }

if you need valid mailto: content, then you have to create it via jscript in the dom, see some of the other answers for that. but i am not a big friend of that.

10% popularity Vote Up Vote Down



One way:

<script language="javascript">
var name = "user"
var host1 = "gm"
var host2 = ""
var addr =
document.write("<a href=mai" + "lto:" +
name + "&#64;" + host1 + host2 +
">" + name + "&#64;" + host1 + host2 + "</a>")

You can write "Unscramble my email: user at com dot gmail" in <noscript> tags for those who have javascript turned off. This way you get the hyperlink functionality. You have a good chance at keeping spamers away from your address and people with javascript turned off or text only browsers can still get your email address.

10% popularity Vote Up Vote Down



I pass all contact forms through a throwaway Gmail account, that forwards mail to the real email address. It's free, it's easy, and Gmail's spam detection is top notch.

It requires no extra effort when making the website, and if anything gets through you just login to the Gmail account and flag it as spam.

You can then set the Gmail inbox to either automatically archive anything that has been forwarded, or even delete it if you don't want that extra copy kept there.

10% popularity Vote Up Vote Down



Use a graphic library (such as GD which is supported by PHP, or similar) to dynamically create .png images containing the email addresses.

Compared to my other answer this solution is less annoying for the users (but not transparent; they can't copy & paste it but must re-type it from scratch) but is also less secure: a computer can potentially read the unobfuscated image.

But overall I think it's a good compromise; it will stop the vast majority of spam bots.

10% popularity Vote Up Vote Down



Ask the user to resolve a CAPTCHA before showing them the email address (or if you have a contact form, before letting the user submit it).

It's the most annoying for the users but definitely the most effective.

10% popularity Vote Up Vote Down



Use natural language to spell out the eMail address...


thatguy at gmail dot com

You'd be surprised how much harder it is to write a bot that can differentiate natural language vs writing a bot that just searches for the @ sign and regexes a normal address.

It isn't 100% foolproof but it isn't any worse than obfuscation and it won't alienate your visually impaired users and/or users that have JavaScript disabled.

Update: Here's an example of this technique in action.

Update 2:

It turns out that someone has actually done research on this and posted it online. See the SuperUser post describing the results or the original article

10% popularity Vote Up Vote Down



I've used for years. Users typically know enough to delete the 'no-spam.'.

Otherwise, I just use a contact form with a 'captcha' and send the mail directly from the website.

10% popularity Vote Up Vote Down



I'm a fan of obfuscation, where the email address is essentially rendered with Javascript.

For example, could be rendered as

<a href="javascript:location='mailto:u006du0079u0040u0065u006du0061u0069u006cu002eu0063u006fu006d';void 0">
<script type="text/javascript">document.write('u006du0079u0040u0065u006du0061u0069u006cu002eu0063u006fu006d')</script></a>

As far as the user is concerned, it's normal text and can be copied and pasted. Bots on the other hand will have a harder time with it.

Here's the obfuscator I used.

10% popularity Vote Up Vote Down



using html encoding like &#649&#7854&#7575, the browser will render it like "abc"

10% popularity Vote Up Vote Down



Use an email obfuscator

10% popularity Vote Up Vote Down



A quite good, while not perfect way is to create the e-mail address via javascript. Most spiders looking for e-mails do not execute javascript, and hence do not find a readable e-mail address.

Here is just one example how it could be done.

10% popularity Vote Up Vote Down

Back to top | Use Dark Theme