Obfuscate Mailto


(Last updated: October 29, 2013)

Ah, the mailto tag. The easiest way to let people contact you or your company from your website. Easily readable and clickable... and harvestable. Therein lies the problem. Spammers use email harvesting software to scan pages for email addresses to send their spam messages to. And, of course, the venerable mailto tag is the easiest thing for them to pull the address from.

So, some people started just putting their email address on the page as plain text. You have to copy and paste it into your email program, but it still works. Unfortunately, the harvesting programs were updated to catch that, too.

Then people started encoding their address. Instead of email@example.com, it was emai... in the code. Still readable and copyable, but not clickable. And yet again, it appears that the harvesters have caught up and are able to harvest these encoded addresses.

Many sites now use JavaScript functions to create the mailto links. The calling script simply passes the address and the domain as separate arguments and the function combines them. Of course, if these specific functions become widespread, the harvesters will be updated to look for them as well.

Possible Solution

What if we combine these techniques? Use encoding on the address in all but the @ and . (since harvesters may be keyed to them) and place that within JavaScript statements. Then split the statements up so that on no line does the complete address or the mailto tag appear. Basically, make it so that the only way to harvest the address is to fully render the page, JavaScript and all.

Try it Out

The current incarnation encodes the address, splits it out, then places it within JavaScript document.write statements. Future additions may include randomly splitting things up, random JavaScript function titles to combine the statements, selecting whether to include a NOSCRIPT fallback, and more.
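A sketch of the approach described under "Possible Solution" and "Try it Out", as an added example that is not the author's ASP or PHP function. It assumes "encoding" means HTML decimal character references; the function names, the `tokensPerLine` parameter and the sample address are hypothetical.

```javascript
// Added example: hypothetical generator, not the author's ASP or PHP function.
// Assumption: "encoding" means HTML decimal character references (&#NNN;).

// Encode each character except '@' and '.', returning one token per character.
function encodeTokens(text) {
  return Array.from(text, (ch) =>
    ch === '@' || ch === '.' ? ch : `&#${ch.codePointAt(0)};`);
}

// Group tokens so that each document.write call carries only a fragment.
function chunk(tokens, size) {
  const out = [];
  for (let i = 0; i < tokens.length; i += size) {
    out.push(tokens.slice(i, i + size).join(''));
  }
  return out;
}

function obfuscateMailto(address, tokensPerLine = 3) {
  if (!/^[^@\s]+@[^@\s]+$/.test(address)) {
    throw new Error('expected a single address of the form local@domain');
  }
  if (!Number.isInteger(tokensPerLine) || tokensPerLine < 1) {
    throw new Error('tokensPerLine must be a positive integer');
  }
  const parts = chunk(encodeTokens(address), tokensPerLine);
  if (parts.length < 2) {
    throw new Error('tokensPerLine too large: address would fit on one line');
  }
  const pieces = [
    '<a href="mai', 'lto:',   // scheme split so "mailto" is never on one line
    ...parts,                 // href value, in fragments
    '">',
    ...parts,                 // visible link text, same fragments
    '</a>',
  ];
  // Every address character is either a numeric reference, '@' or '.', so no
  // fragment can contain a quote or backslash that would break the JS string.
  const lines = pieces.map((p) => `document.write('${p}');`);
  return ['<script type="text/javascript">', ...lines, '</script>'].join('\n');
}

console.log(obfuscateMailto('user@example.com')); // constructed sample address
```

The generated markup has no NOSCRIPT fallback, so a visitor with JavaScript disabled sees no link at all.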

If you have any suggestions -- or want to see the obfuscator's html/javascript in action -- head to my contact page. Please note that I don't have time to handle any support questions for the obfuscator.

The code is available as an ASP function and as a PHP function.