Indiana University
University Information Technology Services
  

How can I protect my web pages from email address harvesting?

If you are responsible for a web space, be aware that email addresses published on your pages are vulnerable to being added to unsolicited email (spam) lists and could thus receive unwanted email. Spammers can collect email addresses by running automated harvesting scripts to parse static web pages one by one, looking for strings of characters that appear to be email addresses. Such automatic programs can catch thousands of addresses in a very short time.

To test how exposed your own address is, visit a search engine such as Google and enter your email address. The number of results you see is the minimum number of places where your address is visible to harvesting scripts.

For Indiana University web pages, if the contact information is for IU business, consider obtaining a departmental account and listing that address rather than your personal address; see At IU, how do I request a departmental or group account?

To help protect email addresses from harvesting scripts, consider the methods listed below (though none is fully guaranteed).

Re-format addresses

The simplest method for hiding addresses is to present them in a way that contains all necessary information but makes the address unusable without some modification. For example, insert spaces into the address:

username @ domain.edu

You can also list only the username next to an individual's name, and note the domain elsewhere on the page. The main drawback is that this method renders the address unclickable. You may wish to add an explanatory statement to your page, for example:

"Email addresses on this page are displayed in a manner that will deter automatic address harvesting programs. This step is taken to reduce unsolicited email sent to Indiana University addresses. We regret any inconvenience caused for our legitimate visitors."

Substitute ASCII codes in addresses

Present email addresses by substituting ASCII codes for certain characters in the address, trusting the user's browser to translate the codes back into the correct characters. The format for ASCII codes is the & (ampersand symbol), followed by the # (pound sign), followed by a number corresponding to the character to be displayed, followed by a ; (semicolon). In an address, for example, you could substitute the ASCII code for both the @ (at sign), which is 64, and the . (period), which is 46, as follows:

username&#64;domain&#46;edu

When you enter the above code in your HTML, browsers render it as username@domain.edu, but harvesting scripts looking at the source will see only the ASCII codes; unless they have been designed to translate ASCII codes, they will be unable to recognize the code as an address. This technique can be effective in both the target and text of a mailto: link.

Consult an ASCII code table for information on other characters.

Web forms

Below are two options for controlling or limiting access to email addresses using HTML web forms:

  • Create a link to a web form asking users to enter their own address. Upon submission, the form emails the requested address to the user, and writes the transaction to a log.

  • You can create a link going to a web form where users enter a message, and the form then submits the message using a server script. For instructions for doing this on IU departmental web pages, see Preventing Email Harvesting.

Build the mailto: link using a server script or JavaScript

Use scripts to emulate the function of a mailto: URL. The idea is to create a link on your page that submits the username and domain of the email address to a program that builds the mailto: URL dynamically and returns it to the user's browser.

  • For instructions and examples of this method for server scripts, see James Thornton's Redirect mailto: for Spam Prevention software page.

  • The following JavaScript link can also obscure mail addresses:

    <a href='javascript:window.location="mail"+"to:"+"user"+"@"+"domain"+"."+"edu";'
       onmouseover='window.status="mail"+"to:"+"user"+"@"+"domain"+"."+"edu"; return true;'
       onmouseout='window.status=""; return true;'>Click here to send mail.</a>

    This returns a mailto: link to user@domain.edu, but the username and domain appear broken up in the source HTML file, protecting them from harvest scripts.

    Note: This requires your visitors to have JavaScript enabled in their browsers; you may want to note this on your page.

    This technique was taken from Mac Efficiency 101: Preventing Spam.
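
An added example, not part of the original Knowledge Base page: it generates the two link styles described here and under "Substitute ASCII codes in addresses", then audits the generated source for addresses readable as plain text and readable once character references are decoded. The function names and the sample address are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, sample markup is constructed.
const ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;
const VALID = /^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;

function requireValid(address) {
  // Restricting the alphabet also keeps quotes and markup out of the output.
  if (!VALID.test(address)) throw new Error("unsupported address: " + address);
  return address;
}

// Method 1: numeric character references for "@" (64) and "." (46),
// used in both the target and the text of the mailto: link.
function entityMailtoLink(address) {
  const enc = requireValid(address).replace(/[@.]/g, (c) => `&#${c.charCodeAt(0)};`);
  return `<a href="mailto:${enc}">${enc}</a>`;
}

// Method 2: the mailto: URL is concatenated from fragments when clicked.
function splitMailtoLink(address) {
  const parts = ["mail", "to:", ...requireValid(address).split(/([@.])/)];
  const expr = parts.map((p) => JSON.stringify(p)).join("+");
  return `<a href='javascript:window.location=${expr};'>Click here to send mail.</a>`;
}

// Undo decimal character references, as any HTML parser would.
function decodeNumericEntities(html) {
  return html.replace(/&#(\d{1,7});/g, (m, n) =>
    Number(n) <= 0x10ffff ? String.fromCodePoint(Number(n)) : m);
}

// Report which addresses a page's source exposes, and at what effort.
function auditSource(html) {
  const find = (s) => [...new Set(s.match(ADDRESS) || [])];
  const raw = find(html);
  const decoded = find(decodeNumericEntities(html)).filter((a) => !raw.includes(a));
  return { raw, afterEntityDecoding: decoded };
}

const sample = "username@domain.edu"; // constructed placeholder address
for (const [name, html] of [
  ["plain", `<a href="mailto:${sample}">${sample}</a>`],
  ["entities", entityMailtoLink(sample)],
  ["split JS", splitMailtoLink(sample)],
]) {
  console.log(name, JSON.stringify(auditSource(html)));
}
```

The audit shows the limit noted above for ASCII codes: the encoded link is clean in the raw source but exposed after one decoding pass, while the concatenated JavaScript form shows nothing in either view.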

Use graphics in displaying addresses

You could use graphics to display addresses. This works well as a companion to the previous methods in order to have a normal-looking, clickable email address displayed on your page as the link to your CGI, JavaScript, or form. However, if your priorities require maximum security over user convenience, you should use this method by itself and instruct users to type the address into their email program to send mail.

With this method, you create an image of some or all of each address. For highest security, represent the entire address with a graphic, for example:

[Image: an email address displayed as human-readable text]

Replacing the entire address requires the most work, as each graphic must be unique. However, it is the most secure option: if used in conjunction with one of the script methods above, a harvesting script would need optical character recognition or a human operator to harvest the address.

You could simply replace the @ sign with a picture of the same; however, the username and domain name are then readable and in close proximity to each other, and thus vulnerable. You might also consider using a graphic to represent everything in the address after the username, i.e., the @ sign and the domain.

For further explanation of the method of representing the @ sign graphically, see James Thornton's Graphic @ for Spam Prevention software page.

This is document alcm in domain all.
Last modified on April 15, 2009.
