Nine ways to obfuscate e-mail addresses compared
When displaying an e-mail address on a website you obviously want to obfuscate it to keep it from being harvested by spammers. But which obfuscation method is the best one? I ran a test to find out. Here are the results:
In 2006 I opened nine different e-mail addresses. On this page I published the nine e-mail addresses, each one obfuscated by a different method. I made sure the page got indexed by Google by putting a link to it on the tilllate.com homepage.
Then I waited 1.5 years (see the original post).
For each e-mail address I counted the amount of spam I received. The amount of spam received started at 21 MB (for no obfuscation and a total of over 1800 spam mails) and went down to absolutely no spam.
The following three methods are absolutely rock-solid and keep your addresses safe from the harvesters.
1. Changing the code direction with CSS
Here’s how you do it:
2. Using CSS display:none
3. ROT13 Encryption
ROT13-encode the e-mail address with this tool or use the str_rot13 function of PHP, and decode it via JavaScript.
Thanks, Christoph Burgdorfer, for this idea.
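The markup for the three methods did not survive on this page, so here is an added example (not the author's original code) that generates each variant and checks what a plain regex scan finds in it. The sample address, the decoy text and all function names are assumptions made for the illustration.

```javascript
// Added example: sample address, decoy text and function names are constructed.
const ADDRESS = "alice@example.com";

// ROT13 is its own inverse: applying it twice returns the input.
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Method 1: store the address reversed; CSS flips it back for display.
function cssDirection(addr) {
  const reversed = [...addr].reverse().join("");
  return `<span style="unicode-bidi:bidi-override; direction:rtl">${reversed}</span>`;
}

// Method 2: split the address with a decoy that CSS hides from view.
function cssDisplayNone(addr, decoy = "null") {
  const at = addr.indexOf("@") + 1;
  return `${addr.slice(0, at)}<span style="display:none">${decoy}</span>${addr.slice(at)}`;
}

// Method 3: ship a ROT13-encoded mailto link; the page (which must also
// define rot13) decodes it at render time with document.write.
function rot13Link(addr) {
  const encoded = rot13(`<a href="mailto:${addr}">${addr}</a>`);
  return `<script>document.write(rot13(${JSON.stringify(encoded)}))</script>`;
}

// Check: what a plain regex finds in the raw markup and in the tag-stripped text.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
function naiveScan(html) {
  const stripped = html.replace(/<[^>]*>/g, "");
  const hits = [...(html.match(EMAIL_RE) || []), ...(stripped.match(EMAIL_RE) || [])];
  return [...new Set(hits)];
}

// Run the check against the unprotected address and each obfuscated variant.
function report(addr) {
  const variants = { plain: addr, cssDirection: cssDirection(addr),
    cssDisplayNone: cssDisplayNone(addr), rot13Link: rot13Link(addr) };
  const out = {};
  for (const [name, html] of Object.entries(variants)) {
    const found = naiveScan(html);
    out[name] = { found, exposed: found.includes(addr) };
  }
  return out;
}

console.log(JSON.stringify(report(ADDRESS), null, 2));
```

For the display:none variant the scan returns the decoy-polluted address, which is also the string a visitor gets when copying the text from the page.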


Really like options 1 and 2. A lot nicer than option 3 (which we use on local.ch). Thx a lot for that research!
Comment by Patrice — 20. July 2008 @ 19:42
Thinking again I just realized that only option 3 works when you want the mail address to be clickable (aka mailto: links)
Comment by Patrice — 20. July 2008 @ 20:09
Thank you!
I read a ton, and that’s one of the most useful things I’ve read in a while.
Comment by Murphy — 20. July 2008 @ 20:11
Good work…
Well now you mentioned it…
If a spammer saw this… what’s gonna happen next?
Comment by Mgccl — 20. July 2008 @ 20:26
Spiders will be smarter and I think that it’s not hard to teach the spiders how to handle those kinds of email obfuscation methods.
Btw, I am still using automatically generated gif files for displaying emails.
Comment by vahur — 20. July 2008 @ 20:32
I use the display:none method myself. Never actually done any testing, just thought that a spammer (if using something like PHP) would just do strip_tags(file_get_contents($url)) then a regex for emails. Hope they don’t cotton on, ooops, have I just told them? Quick, delete this post!
Comment by James — 20. July 2008 @ 21:41
Of course you might wonder if those vermin will now read this blog and learn to bypass your ideas.
Comment by Thomas Jespersen — 21. July 2008 @ 01:16
Java, eh?
Comment by David — 21. July 2008 @ 01:28
Now, this was a worthwhile project! I think this is the first time I’ve come across the CSS methods, but I know it’s certainly the first encounter with stats from such a longterm email obfuscation experiment. Thanks so much for sharing this information!
Comment by rjleaman — 21. July 2008 @ 01:44
Methods 1 and 2 don’t work if you need to wrap a mailto link around them, and method 3 doesn’t work with JavaScript turned off.
I’ve found using a combination of URL-encoded characters and normal characters works pretty well, but like all these methods, isn’t foolproof.
Comment by mik — 21. July 2008 @ 01:59
What about a gif image with your email in it? You can’t make it clickable but it conveys the right information otherwise.
Comment by ninguem — 21. July 2008 @ 04:42
Who cares? This is the same type of race as CAPTCHA and spam. One hack on top of another until someone realizes that the fundamental issue is this: if you make an email address in any way accessible to a human, spammers will be able to mock whatever action the human did to interpret it.
And we’re talking about text! If I see the first four characters are “moc.” then I know I should probably reverse it and store both values, just to be safe. And if I see asdf@…example.com — I’m probably already stripping any HTML between the @ and the end. Add a hook to automatically click the email links and run them through an RE to see if it’s an email — and all three solutions are trivially broken.
@ninguem — Then you start fighting the CAPTCHA fight. Eventually you have to ask yourself whether the amount of engineering it takes to safely display email addresses is worth showing the email. For most situations, I’d venture to guess the answer is no.
Comment by Joe — 21. July 2008 @ 07:29
Too bad the display:none method adds garbage to the e-mail when the user copies and pastes it, and such differences will be very hard for the user to notice, so you will surely miss some legit e-mail too.
consider the result: silvanfoobar8@nulltilllate.com
the user will very likely not see anything wrong there, and this is a problem considering that this method doesn’t allow the mailto: link.
Comment by Felipe — 21. July 2008 @ 09:18
CSS methods are really bad. First, they don’t work if you want to add a link on them. Second, because there isn’t a link, the user has to select the text to copy the email. But the copied text is not the one he sees.
In terms of accessibility, this is really bad too.
Comment by laurentj — 21. July 2008 @ 10:10
The third method is actually my favourite, as, unlike the first two, it works across all browsers. In the event it doesn’t work, you can just direct the user to a holding page with the correct email and explain why they were directed there.
Just a correction: you wrote “Java”, it’s actually “JavaScript”. Two vastly different languages.
Comment by Lachlan — 21. July 2008 @ 11:13
I use the first method in most of my sites. I cannot understand why people use simple encryption for emails - it’s easy to decrypt the email address using a regular expression.
Comment by Binny V A — 21. July 2008 @ 14:17
I like #1 - actually rather shocked that it works!
Why not use jQuery or some other JS framework to make those links clickable? Wouldn’t be hard to do at all.
Comment by Jonathon Hill — 21. July 2008 @ 14:31
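// ROT13-decode the string and write it into the page (the HTML tags inside it were stripped by the blog software)
document.write(" fcna.pbqrqverpgvba { havpbqr-ovqv:ovqv-bireevqr; qverpgvba: egy; } fcna.qvfcynlabar { qvfcynl:abar; } zbp.eno@ahyybbs".replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);}));
// Reverse the displayed text to get the real address for the mailto link
var x = document.getElementById('emailid');
x.href = "mailto:" + x.text.split("").reverse().join("");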
Comment by Benjamin Meyer — 21. July 2008 @ 14:33
This ought to make #1 clickable (using jQuery):
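$(document).ready(function() {
  $('span.codedirection').each(function(){
    var shown = $(this).html(); // reversed text, as stored in the markup
    var email = shown.split('').reverse().join(''); // real address for the href
    $(this).html('<a href="mailto:'+email+'" rel="nofollow">'+shown+'</a>');
  });
});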
Comment by Jonathon Hill — 21. July 2008 @ 14:36
Well, it looks like WP garbled up my code, but you can “view source” to see it.
Comment by Jonathon Hill — 21. July 2008 @ 14:39
a. It takes patience to conduct a test like this! Impressive.
b. Have you tested your methods with screen readers?
c. Your code for method 3 is one ugly example of obtrusive JavaScript. How about a best practice alternative?
Comment by Lars Gunther — 21. July 2008 @ 16:29
I always thought spammers would already be operating firefox, output sites as screenshots and apply OCR techniques on the returned screenshots.
Comment by Me — 21. July 2008 @ 16:37
Thanks for all your comments!
I’d like to point out that I did not invent those methods. I just collected them.
After reading your comments I think you ought to think on what site you’d like to include the e-mail address. As always there’s more than one solution.
- Should it work without Javascript? Then #3 is a bad idea.
- Should the site remain accessible? Then I would go for something like “foo AT bar DOT com”
- Should it look nice? Then avoid the method I just mentioned.
- Want to avoid the problem completely? Use a feedback form.
I think every developer has their own preferences…
Silvan
PS: Next time I should also include the method using an image which I used here.
Comment by Silvan Mühlemann — 21. July 2008 @ 16:49
This is definitely the first long-term study I’ve seen on email obfuscation, nice work!
I wonder if the “foo AT bar DOT com” method would be relatively foolproof if you wrapped a span around the “AT” and “DOT” (it could color them differently or do nothing at all). It would require a relatively tasking regex and I suspect most spammers would go for the easier addresses.
Comment by Ian Clifton — 21. July 2008 @ 17:33
In my opinion, all methods that use some kind of CSS / JavaScript / client-side hack to make the e-mail unreadable for spambots are bad because they will affect usability as well. As said before in these comments, the two CSS hacks will cripple copy-pasting the links (which is something people tend to do a lot), and the JavaScript hack will not work with people who disabled JavaScript or use screen readers.
The best way to handle spam is not to do it client-side at all: simply use a good spam filter on your mail server. The same is true for the CAPTCHA I had to fill in to post this comment. I’ve been using Akismet for years on my blog to prevent spam comments and maybe had about 10 spam comments in all that time.
If for some reason you really, absolutely have to use a client-side method, the least worst solution is a contact form.
Comment by Hay — 21. July 2008 @ 18:47
I often wonder if spammers just publish articles like this so webmasters use the methods they already know how to break.
Comment by mort — 21. July 2008 @ 20:26
I personally think the CSS method is the best in most cases. A lot of people have JavaScript turned off, albeit a small number though. These methods can all be broken, no method is fool proof. I’m a fan of the JavaScript rot_13 encryption approach.
- Dwayne.
Comment by Dwayne Charrington — 22. July 2008 @ 07:47
Hiding e-mail addresses is great, but I find that even if an address isn’t published, it can still get spam. Once it’s used to send/respond to e-mails, it is exposed to any spyware that the recipient has. I have e-mail addresses that I never posted on a web site and they get a lot of spam.
Comment by Marios Alexandrou — 22. July 2008 @ 15:29
Excellent tips here, Silvan.
Comment by Alex — 22. July 2008 @ 16:06
I use a rather bullet-proof method, but it requires Javascript. See: http://www.bronze-age.com/nospam/
Comment by Soren Uggerholt — 22. July 2008 @ 20:58
Great work
Comment by Fredrik — 22. July 2008 @ 21:31
Very nice, Thank you.
Comment by Mohammad — 23. July 2008 @ 00:02
I read a lot of blogs daily in my downtime, and this is by far the most useful (and shortest) article I have read in 2 weeks. Thanks for an excellent article.
I stumbled on your web site today Silvan, and I’ve now bookmarked it.
Comment by Ryan — 23. July 2008 @ 00:09
You can, of course, obfuscate it so well that no one will bother to try to contact you but your ex-wife, looking for alimony.
Ever try just not putting it on the page at all?
Comment by David Mills — 23. July 2008 @ 04:22
Thanks for all the positive feedback! I am overwhelmed!
Comment by Silvan Mühlemann — 23. July 2008 @ 07:44
I think it would have been really more interesting to test that with clickable addresses. Displaying an e-mail this way is too poor to be used on websites.
And even more important, the first reason for receiving spam is that your e-mail address is in the contacts of a PC infected by virus sending addresses to spammers. So your solutions only work for a never used e-mail.
It’s probably the best “state of art” or “proof-of-concept” I’ve read but it’s not for real life. The only solutions are a contact form on the website and/or spam filter (or grey list) on the mail server.
Comment by Fabrice Bonny — 23. July 2008 @ 09:37
My foolproof solution is to have a special email.php?addr=
with the addr encoded using one of the many crypt functions in php. The email.php page sends the browser a cookie and redirects to itself, and if it gets the cookie back, the email address is presented.
Comment by Robert — 30. July 2008 @ 18:54
I really like this study - it was extremely informative. I would have liked to see more data about email addresses in the form of images. I’ve just developed a new technique to have Apache webserver automatically convert all email addresses in HTML source into images in the output stream. It is all seamless and on-the-fly, and all without touching the source format in any way. I’ve written a proof-of-concept /w example on my blog.
Comment by William — 8. August 2008 @ 01:19
Very good article! Must read!
How about this sophisticated method described in:
http://www.maurits.vdschee.nl/php_hide_email/
Is it safe?
Good luck!
Daira
Comment by Daira S. — 8. August 2008 @ 03:11