Protecting your web page(s) from email address harvesting
If you are responsible for a web space, be aware that email addresses published on your pages are vulnerable to being added to unsolicited email (spam) lists. Spammers collect email addresses by running automated harvesting scripts that parse static web pages one by one, looking for strings of characters that appear to be email addresses. Such programs can collect thousands of addresses in a very short time.
To see how exposed your own address already is, visit a search engine such as Google and search for your email address in quotes. Each result is a page on which the address appears in a form a search engine could read, so the count is a lower bound on what harvesting scripts can collect.
For Indiana University web pages, if the contact information is for IU business, consider obtaining a departmental account and listing that address rather than your personal address; see Requesting a departmental or group account.
To help protect email addresses from harvesting scripts, consider the methods listed below (none is guaranteed to be a complete solution).
On this page:
- Re-format addresses
- Substitute ASCII codes in addresses
- Use web forms
- Build the mailto: link using a server script or JavaScript
- Use graphics in displaying addresses
Re-format addresses
The simplest method for hiding addresses is to present them in a way that contains all necessary information but makes the address unusable without some modification. For example, insert spaces into the address:
username @ domain.edu

You can also list only the username next to an individual's name, and note the domain elsewhere on the page. The main drawback is that this method renders the address unclickable. Be aware, too, that harvesting scripts have long since been taught the common substitutions (spaces around the @, "at" and "dot" spelled out), so this deters only the crudest scripts. You may wish to add an explanatory statement to your page, for example:
"Email addresses on this page are displayed in a manner that will deter automatic address harvesting programs. This step is taken to reduce unsolicited email sent to Indiana University addresses. We regret any inconvenience caused for our legitimate visitors."
Substitute ASCII codes in addresses
Display email addresses with some characters replaced by HTML numeric character references (often loosely called ASCII codes), trusting the visitor's browser to turn the references back into the correct characters. A numeric character reference is an & (ampersand), followed by a # (number sign), followed by the decimal code of the character, followed by a ; (semicolon). In an address, for example, you could substitute the reference for the @ (at sign), which is 64, and for the . (period), which is 46, giving:

username&#64;domain&#46;edu

When you enter the above in your HTML, browsers render it as username@domain.edu, but a harvesting script that scans the raw source sees only the references and, unless it has been written to decode them, will not recognize the string as an address. The technique works in both the target (href) and the text of a mailto: link. The caveat is that decoding numeric references is trivial, and any harvester built on an HTML parser or a headless browser sees the plain address, so treat this as a deterrent for the simplest scripts only.

Consult an ASCII or Unicode code table for the values of other characters.
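The following is an added example (not code from the IU page) that encodes an address as numeric character references the way the section describes, then runs a simple harvester-style regular expression over the result before and after entity decoding. The sample address, the regex and all function names are constructed for illustration.

```javascript
// Added example: HTML numeric character references as an address obfuscation,
// and what a raw-source harvester versus an entity-aware harvester sees.

// Regex of the kind a simple harvester runs over raw page source (constructed).
const HARVESTER_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Replace only '@' (64) and '.' (46) with &#64; and &#46;, as the page describes.
function encodeAtAndDot(address) {
  return address.replace(/[@.]/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Encode every character; harder to eyeball in the source, same weakness.
function encodeAll(address) {
  return Array.from(address, (ch) => `&#${ch.charCodeAt(0)};`).join("");
}

// What any HTML parser (and therefore an entity-aware harvester) does first.
function decodeCharRefs(html) {
  return html
    .replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(Number(dec)));
}

// Return every address-looking string a harvester would extract from `text`.
function harvest(text) {
  return text.match(HARVESTER_RE) || [];
}

// A mailto: link with both the href target and the link text encoded.
function encodedMailtoLink(address) {
  const enc = encodeAtAndDot(address);
  return `<a href="mailto:${enc}">${enc}</a>`;
}

// Constructed sample page fragment.
const sample = "username@domain.edu";
const page = `<p>Contact: ${encodedMailtoLink(sample)}</p>`;

console.log(page);
console.log("raw-source harvester sees:", harvest(page));             // []
console.log("entity-aware harvester sees:", harvest(decodeCharRefs(page)));
```

Running it shows the raw-source scan finding nothing while the decoded scan recovers the address twice (once from the href, once from the link text), which is the whole argument for not relying on this method alone.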
Use web forms
Below are two options for controlling or limiting access to email addresses using HTML web forms:
- Create a link to a web form asking users to enter their own
address. Upon submission, the form emails the requested address to the
user, and writes the transaction to a log.
- Create a link to a web form where users enter a message, and the form then submits the message using a server script. To do this on IU departmental web pages, see Preventing Email Harvesting.
Build the mailto: link using a server script or JavaScript
Use scripts to emulate the function of a mailto: URL. The
idea is to create a link on your page that submits the username and
domain of the email address to a program that builds the
mailto: URL dynamically and returns it to the user's
browser.
The following JavaScript function can also obscure mail addresses:
<a href='javascript:window.location="mail"+"to:"+"user"+"@"+"domain"+"."+"edu";'
   onmouseover='window.status="mail"+"to:"+"user"+"@"+"domain"+"."+"edu"; return true;'
   onmouseout='window.status="";return true;'>Click here to send mail.</a>

This produces a mailto: link to user@domain.edu, but the username and domain appear broken into string fragments in the source HTML file, so a harvester scanning the raw source never sees a complete address. (The onmouseover and onmouseout handlers only try to show the address in the browser's status bar; current browsers ignore window.status, so they can be dropped.)

Note: This requires your visitors to have JavaScript enabled in their browsers; you may want to note this on your page. It also does not stop a harvester that executes page scripts in a headless browser, and a javascript: URL in an href is blocked by a Content Security Policy that disallows inline script.
For assistance converting an email address into JavaScript, you may also wish to use Hivelogic's Enkoder Form.
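As an added example (not the IU page's code and not Enkoder's output), the script below shows the same idea in a form that works with a Content Security Policy: the address is split across two data attributes in the markup, the dots in the domain are written as commas, and the mailto: href is assembled only at run time. The markup, attribute names and sample address are hypothetical; the pure functions run under Node, and the DOM wiring at the end runs only in a browser.

```javascript
// Added example: assemble mailto: links at run time from data attributes so
// the raw HTML never contains a complete address.
//
// Markup this expects (constructed, hypothetical):
//   <a href="#" class="obf-mail" data-user="username" data-host="domain,edu"
//      data-subject="Web contact">Email me</a>
// The host is stored with commas in place of dots, and user and host are never
// adjacent in the source, so a regex for name@host.tld matches nothing.

// Reverse the comma substitution and join the two halves into an address.
function buildAddress(user, hostWithCommas) {
  return user + "@" + hostWithCommas.split(",").join(".");
}

// Build the mailto: URL; encodeURIComponent keeps a subject with spaces or '&'
// from breaking the URL.
function buildMailto(user, hostWithCommas, subject) {
  const href = "mailto:" + buildAddress(user, hostWithCommas);
  return subject ? href + "?subject=" + encodeURIComponent(subject) : href;
}

// Regex of the kind a simple harvester runs over raw page source (constructed).
const HARVESTER_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function harvest(text) {
  return text.match(HARVESTER_RE) || [];
}

// What ships in the HTML: two attributes, no '@', no complete domain.
function obfuscatedAnchor(user, hostWithCommas, label, subject) {
  const subj = subject ? ` data-subject="${subject}"` : "";
  return `<a href="#" class="obf-mail" data-user="${user}" data-host="${hostWithCommas}"${subj}>${label}</a>`;
}

// Browser-only wiring: rewrite each obfuscated link once the DOM is ready.
// Returns the number of links rewritten.
function activateLinks(root) {
  let count = 0;
  root.querySelectorAll("a.obf-mail[data-user][data-host]").forEach((a) => {
    a.href = buildMailto(a.dataset.user, a.dataset.host, a.dataset.subject);
    count++;
  });
  return count;
}

// Guarded so the same file also runs under Node for the checks below.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => activateLinks(document));
}

// Constructed sample.
const sampleHtml = obfuscatedAnchor("username", "domain,edu", "Email me", "Web contact");
console.log(sampleHtml);
console.log("harvester sees:", harvest(sampleHtml));                       // []
console.log("browser builds:", buildMailto("username", "domain,edu", "Web contact"));
```

Because the script is an ordinary external file rather than an inline javascript: URL, it runs under a strict script-src policy. The href="#" fallback means visitors without JavaScript get a dead link, so pair this with a contact form or a note on the page, as the section above advises; and as with any script method, a harvester that renders the page in a headless browser will still see the assembled address.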
Use graphics in displaying addresses
As a companion to the previous methods, using graphics allows you to have a normal-looking, clickable email address displayed on your page as the link to your CGI, JavaScript, or form. However, if your priorities require maximum security over user convenience, you should use this method by itself and instruct users to type the address into their email program to send mail.
With this method, you create an image of some or all of each address. For highest security, represent the entire address with a graphic, for example:

Replacing the entire address requires the most work, as each graphic must be unique, but it is the most secure of the graphic options: a harvester must apply optical character recognition or use a human operator to read the address, and if the image is also the link to one of the script or form methods above, the address never appears in the page source at all. Two caveats: OCR is now cheap and accurate enough that an image alone is not a strong barrier, and the image's alt text must not contain the address in plain text (use a description such as "email address, shown as an image"), which also means screen-reader users need another way to reach you, such as a form.

You could simply replace the @ sign with a picture of the same; however, the username and domain name are then readable and in close proximity to each other, and thus vulnerable. You might also consider using a graphic to represent everything in the address after the username, i.e., the @ sign and the domain.

