How to Hide your Email Address on Web Pages (labnol.org)
28 points by Ashuu on Jan 4, 2014 | 27 comments

I use my own function to character encode all the letters except the @ sign and split it into multiple writelns via JavaScript. It has a NOSCRIPT fallback as well (email AT address DOT com) which is also character encoded. The combination has worked well on client sites with clean email addresses. My own personal email address was in the clear for years and still is on other sites, so that one is a bit hopeless.

My Obfuscate Mailto function is available for direct use on my site as well as a PHP and ASP function for plugging in to other sites: http://johnhaller.com/useful-stuff/obfuscate-mailto

You can view the result by plugging an email in to that form or by viewing the source on my contact page: http://johnhaller.com/contact
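
The scheme this comment describes (entity-encode every character except the @, emit the link in several script writes, entity-encoded NOSCRIPT fallback), sketched as an added example that is not the commenter's own function. The function names and the sample address are constructed for illustration, and `plainAddressesIn` shows what a plain-text pattern match over the raw source still finds.

```javascript
// Added example; function names are hypothetical, the address is constructed.

// Encode every character except "@" as a decimal HTML entity ("a" -> "&#97;").
function entityEncode(text) {
  return Array.from(text, (ch) =>
    ch === "@" ? ch : `&#${ch.codePointAt(0)};`
  ).join("");
}

// Reverse of entityEncode: what a browser shows after parsing the entities.
function entityDecode(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Split markup into pieces of `size` tokens, never cutting an entity in half.
function chunkMarkup(markup, size) {
  const tokens = markup.match(/&#\d+;|[\s\S]/g) || [];
  const chunks = [];
  for (let i = 0; i < tokens.length; i += size) {
    chunks.push(tokens.slice(i, i + size).join(""));
  }
  return chunks;
}

function obfuscateMailto(address, chunkSize = 4) {
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(address)) {
    throw new Error("expected a simple user@host.tld address");
  }
  const [user, host] = address.split("@");
  const link = `<a href="${entityEncode("mailto:" + address)}">` +
    `${entityEncode(address)}</a>`;
  // document.write rather than writeln: writeln would add a newline per piece.
  const writes = chunkMarkup(link, chunkSize)
    .map((piece) => `document.write(${JSON.stringify(piece)});`)
    .join("\n");
  const fallback = entityEncode(`${user} AT ${host.replace(/\./g, " DOT ")}`);
  return `<script>\n${writes}\n</script>\n<noscript>${fallback}</noscript>`;
}

// What a plain-text address pattern finds in the raw page source.
function plainAddressesIn(html) {
  return html.match(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g) || [];
}

const sample = "bob@example.com"; // constructed sample address
const markup = obfuscateMailto(sample);
console.log(markup);
console.log(plainAddressesIn(markup)); // empty for the obfuscated markup
```
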

Is spam from address-scraping bots still a problem? I get why people did it before there was spam filtering, but these days, who cares?

No it isn't. It is still possible to quickly add an address to the spam pile by putting it on a web page. And I've done that to provide honeypot addresses which let me dump all email from senders to any address that also goes to the honeypot address.

In my experience, no. I suppose it might change if I had an order of magnitude more popular website, but I've left mine in plaintext for a while and not experienced any issues.

I had an image instead a few years back, but that's just a hassle for readers.

Shortly before Christmas I started receiving spam to an address I know is only present on one web page. However it had been there for over a year before I got in (but is a pretty obscure page).

So I'd say yes, it is a problem, but it's not the biggest problem.

My website gets like no visitors but I've had my email in plaintext on it forever. Never get any spam I didn't sign up for myself :)

The reality is, spambots will get through it eventually no matter what, and you will only end up increasingly inconveniencing your visitors. (How pissed would you be if you copied an email address somewhere and it appeared in reverse?) With email being what it is today, it's up to the receiving end to have good anti-spam software running.

Make sure to read "Nine ways to obfuscate e-mail addresses compared" as it tells which technique is most effective


Ultimately, obfuscating your email address might be futile


Considering this experiment was started in 2006 and the results published in 2008, I imagine most bots or newer bots have been configured to handle these.

Anyone interested in starting a new experiment? I guess I will. It might get me on the front page of HN in 1 to 2 years!

To me, email address obfuscation seems like one of those things that everyone does because everyone else is doing it. However, I've had my email address public and unobfuscated for years and I get very minimal amounts of spam, largely thanks to Gmail's wonderful spam filter.

Well you probably get shit-tons of spam addressed to you, though it might not make it all the way to your inbox proper.

Unicode may help a bit too: ﹫@ != @

The one that spammers haven't figured out yet is: "My name is Bob and you can email me at this domain." (anywhere in a page under bob.com).

You can do that without needing it to be such an easy address - for example, you can contact me using my gmail.com address which is corin.c.cole

The simplicity of this is very appealing.

I have had my email address available on a web page, with only minor obfuscation (escaping characters, sometimes in different encoding schemes) for over a decade. I don't get a lot of spam on that address.

I doubt there's any economic incentive for an email-harvester to solve the problem of even trivial obfuscation. These days you can buy tens of thousands of email addresses for a small amount of money. These are harvested from e-commerce and social media, and are much more likely to be real and current, and the targets more unsophisticated about clicking on ads.

EDIT: Actually there is an incentive; when the algorithm is applied on behalf of many naive users. So maybe the built-in algorithm in WordPress is actually more targetable than something you make up yourself. This isn't crypto; it's just obfuscation, so being original may help.

I typically have a form on the site do the emailing directly. Here is a plugin I wrote for WordPress to do this, which is basically just a mailer with a CSRF token: http://wordpress.org/plugins/plainmail/

The best solution to me is to simply never have an email address visible on your site anywhere.

... and yes, before someone points it out, having a form on your site is just as much of an issue potentially.

It's the best if you never want to hear from me.

I have my mail software set up so that I can comfortably write emails, match and track responses, and all that. If you want me to use your mailer instead, I'll probably just forget about it.

Admittedly, that is another drawback.

All of these are interesting, but ultimately fall down on the same point: spam "bots" harvesting emails aren't always programs anymore. One could write a pretty straightforward program that grabs all the bits of webpages that look email-like (techniques like these would make them EASIER to ID) and then gets them read by people with a Mechanical Turk-style process.

My technique was to use a "+spam" suffix on my email user with the idea that when the spambots got it, I'd just ban that address and change the web site to use "+spam1". That was over 10 years ago and I've never once gotten spam to that address. Turns out spambots aren't a problem any more after all.

I've always been a fan of CodeIgniter's 'safe_mailto' function.

See here: https://github.com/EllisLab/CodeIgniter/blob/develop/system/...

I remember reading an article that tried several methods on public email addresses and tallied how each one got spam. Turns out ROT13 was the best. I use this tool: http://rot13.florianbersier.com/ So far so great.

You can also simply display the address as an image. I don't know how many spambots actively crawl and apply OCR to general images, rather than just specifically programmed CAPTCHA procedures.

That's a good idea especially if you want to prevent visually impaired people from being able to communicate with you.

Clever trick. However, the bots will eventually catch on.

You can also use http://boun.cr it's like bit.ly for email addresses.

or just use scr.im [¹], originally developed by Ozh [²].

[1] http://scr.im

[2] http://ozh.org
