Articles, tips, and resources for webmasters

a project by Michael Bluejay | email

Don't use MAILTO: links on a website!

Don't put email addresses on a website!

Spammers WILL lift those addresses directly from your website, unless you take special precautions. This article explains some ways to hide your email addresses on websites from spammers.

Stopping Spam:

How to keep spam bots from stealing addresses from your web site

by Michael Bluejay of Website Helpers | July 2004 • Updated January 2011

If you put an email address on a web page without taking special precautions, spammers will steal it. They use automated programs called spambots which scour websites looking for email addresses to add to their lists. It's not that they might lift the address, they will lift the address. Usually, it won't take long. If you're putting email addresses on the web, you must take precautions to prevent this -- especially if you're posting someone's address other than your own.

If you think, "That's okay, I have a spam filter," then you're in for a nasty surprise. Your filter will sometimes send real messages to your spam folder by mistake, and you won't see them. If you think you can just check your spam folder occasionally, can you really do that when you get hundreds or thousands of spam messages a day? And if you think it's okay because you're not currently getting that much spam... if your email address is on a web page, then someday you will.

The point is, spam filters are not a solution. You have to prevent spam in the first place. And the first step is removing any plain address from the web ASAP.

There are a number of ways to hide your email address from spammers. Unfortunately each of them has a downside. Then again, spam is worse than the downside, so we accept the downside because it's better than surrendering our addresses to spammers.

In a perfect world, you could have all of the following on your web pages:

  • Address is visible to users
  • Address is copyable
  • Address is clickable
  • Javascript isn't required to display the address
  • Users don't have to hassle answering a challenge-response email

When you do something to keep spambots from stealing addresses from your web pages you'll give up at least one of those features. It's the price of thwarting spambots, but it's a necessary price.

None of these things will prevent spam that you're already receiving. Once an address has been stolen by spammers there's no way to get them to "un-steal" it. Spam is like cancer -- it's a lot easier to prevent than it is to cure. [More on preventing cancer.] Like so many things in life, if you wait until something becomes a problem, then often there's no easy solution. It's always better to prevent the problem from occurring in the first place. An ounce of prevention is worth a pound of cure. Let's look at some prevention methods for keeping spambots away from addresses on your web pages. 

JavaScript methods (recommended)

How to Implement

Notes: As of March 2006, spammers are starting to get wise to this one. Using this method will still prevent *most* spam, and it's very user-friendly for your site visitors, but it no longer prevents *all* spam. Note that the <noscript> tags are optional, and spambots are more likely to be able to decipher what's in the <noscript> tags if you include them.

You could add a <noscript> tag to the end of your code so those without JavaScript can still see an address, but I don't recommend this because almost everyone has JavaScript enabled, and because spambots are more likely to crack your <noscript> tag than the JavaScript code. But if you really want <noscript>, then do it like this: <NoScript>info<a>-[at]</NoScript>. The random <a> tag and the hyphens will help fool spambots.

Write us at .
Click to .

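Write us at <SCRIPT type='text/javascript'>a='info'; b='';
// a is the mailbox name, b is the domain; the tag and "mailto:" are split into fragments
document.write('<A hre'+'f="mai'+'lto:'+a+'@'+b+'">'+a+'@'+b+'</A>');
</SCRIPT>

Click to <SCRIPT type="text/javascript">
a='info'; b='';
document.write('<'+'A hre'+'f="mai'+'lto:'+a+'@'+b+'">email us</a>');
</SCRIPT>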

Advantages: A, B2, C, D, E
Disadvantages: 1a, 3j, 4j, 5j

JavaScript field

  <FORM NAME="showform">
  <INPUT TYPE=submit VALUE="Click to show address" onclick="a='info'; b=''; document.showform.field.value=a+'@'+b; return false">
   <P><INPUT TYPE=text NAME=field SIZE=25>
  </FORM>

Advantages: A, B2, C, D
Disadvantages: 1a, 2, 3, 6j

Javascript alert

Click to send us email

<A HREF="#" onclick="d=''; u='info'; prompt('Copy address to clipboard',u+'@'+d); return false">Click to send us email</A>

Advantages: A, B1, C, D, E
Disadvantages: 1a, 2, 3, 6j

JavaScript popup

Click to send us email

<A HREF="#" onclick="window.open('spampop.html','','width=300,height=200'); return false">Click to send us email</A>

Advantages: A, B1, C, D
Disadvantages: 1a, 3j, 4j, 5j, 6j

Have user click a button to get to the page with the email addresses

<FORM ACTION="addresses.html">
<INPUT TYPE=submit NAME=Submit VALUE="See Addresses"> </FORM> (more on this method)

Advantages: A, B2, C, D, E
Disadvantages: 1a, 12

Challenge-Response (recommended)


You just use regular mailto: links on your site. When someone sends you a message, SpamArrest sends them an autoresponse asking them to verify they're a real person by typing the letters in an image. Only real, confirmed messages are passed along to you, so this pretty much prevents spam by 100%. You can start off by putting your friends on a whitelist so they don't have to go through the verification process. The way it works is you give your login to SpamArrest, and they periodically download all your mail, and then you download the verified mail from them. The downsides of SpamArrest are that it's a little annoying for the people trying to mail you, and it's not free -- it runs $50/yr. Then again, my friend Michael Shackleford uses it and swears by it. Sign up at

Advantages: A, B1, C, D, E

Methods in which the email address isn't copyable (less user-friendly)

Spell out the address
NOTE: Spambots can figure out the address if you use just (at), so add the dashes to make it -(at)-. Spambots might eventually figure that out, too. The more junk you put in there the less likely a spambot will figure it out, e.g. info<span style="font-size:1px"> </span>(at) You could put a period between the span tags, but then you run the risk that the user will copy & paste the address but not notice that they need to yank out the period.

Write us at
Disadvantages: 3, 4, 5, 7

Make an image of the @ sign

Write us at
info<IMG SRC="at.gif">
Advantages: A, B1, C
Disadvantages: 3, 4, 5, 7

Methods in which the email address isn't visible (less user-friendly)

Use a form for users to send mail



Send me a copy
(Link the <FORM> to a FormMail.cgi script.)

(Note #1: Some FormMail scripts require you to put the recipient's address in a hidden field on your web page, defeating the whole point of using FormMail in the first place. You could write out the hidden field with JavaScript, but if you're doing that then you might as well just JavaScript your address to begin with and not use the form.)

(Note #2: Rename your <> script to something else to prevent spammers from finding it by guessing the filename and then hijacking it to send out their spam. Diligent spammers can hijack even a renamed formmail script, so get a professional to verify that your script is secure.)

Disadvantages: 2, 3, 4, 9, 10, 11

PHP, Perl, ASP, or other server-side languages

Click to send us email.
PHP: Click to <A href="email.php?u=info&">
send us email</A>

Source of email.php: <?php
header("Location: mailto:$_GET[u]@$_GET[d]"); ?>

See code for other languages.

2a, 5
2, 4,

Additional Advanced Method

Block all visitors other than known browsers; block visitors which request too many pages

(1) Use mod_rewrite in your .htaccess file to block any user-agent that doesn't start with "Mozilla" or "Opera" and which isn't a major search engine bot. Here's a list of user-agent strings.

(2) Do a double-reverse lookup on agents that claim to be a search engine bot (like Googlebot) to make sure they're not impersonating a valid bot.

(3) Have a script check your logfiles for excessive page requests from an IP address every minute or every page load.

(4) When you find violators from #2 or #3, ban their IP addresses in .htaccess. Lift that ban after a day or two because the spambot might have been using an ISP's IP that legitimate users also use.

Caveats: You still have to use some other method above, too, to thwart bots that would steal a plain address before you could ban them. You will also likely ban some very small percentage of valid users accidentally.

Advantages: B2, C, D, E
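Steps (2) through (4) above, as an added Python example (not the author's script). It assumes Apache "combined" log lines, a caller-chosen per-minute limit, IPv4 addresses, and the hostname suffixes in BOT_HOST_SUFFIXES; the sample log lines and the demo resolver are constructed so it runs offline.

```python
import re
import socket
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not from the article).
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jan/2011:10:00:{s:02d} +0000] "GET /p{s}.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for s in range(1, 5)
] + [
    f'198.51.100.7 - - [10/Jan/2011:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'192.0.2.10 - - [10/Jan/2011:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "{BOT_UA}"',
]
# Constructed PTR records so the example runs offline; real use keeps the socket defaults.
DEMO_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com", "198.51.100.7": "host7.example.net"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Assumption: hostname suffixes accepted for each bot name claimed in the user-agent.
BOT_HOST_SUFFIXES = {"googlebot": (".googlebot.com", ".google.com")}


def demo_reverse(ip):
    if ip not in DEMO_PTR:
        raise OSError("no PTR record")
    return (DEMO_PTR[ip], [], [ip])


def demo_forward(host):
    return (host, [], [ip for ip, name in DEMO_PTR.items() if name == host])


def verify_claimed_bot(ip, user_agent, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Step (2): True = verified bot, False = impersonator, None = makes no bot claim."""
    for name, suffixes in BOT_HOST_SUFFIXES.items():
        if name in user_agent.lower():
            try:
                host = reverse(ip)[0].lower()      # IP -> hostname (PTR)
                if not host.endswith(suffixes):
                    return False
                return ip in forward(host)[2]      # hostname -> IPs must include the caller
            except OSError:                        # lookup failed: treat the claim as unproven
                return False
    return None


def excessive_requesters(lines, limit):
    """Step (3): IPs that made more than `limit` requests within one clock minute."""
    per_minute = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            per_minute[(m.group(1), stamp.replace(second=0))] += 1
    return sorted({ip for (ip, _), hits in per_minute.items() if hits > limit})


def ban_candidates(lines, limit, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Step (4): map each IP to ban to the reason it was flagged."""
    bans = {ip: "excessive requests" for ip in excessive_requesters(lines, limit)}
    checked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group(1), m.group(3))
        if key not in checked:                     # one DNS round trip per IP/agent pair
            checked[key] = verify_claimed_bot(key[0], key[1], reverse, forward)
        if checked[key] is False:
            bans[key[0]] = "impersonates a search engine bot"
    return bans


if __name__ == "__main__":
    for ip, reason in ban_candidates(SAMPLE_LOG, 3, demo_reverse, demo_forward).items():
        print(f"ban {ip}: {reason}")
```

The second lookup is what makes the check hold: a PTR record is set by whoever controls the IP block, so a hostname ending in googlebot.com counts only if it resolves back to the same IP.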

Obsolete methods that no longer fool most spambots

Encode the @ sign
Advantages: A, C, D, E

Encode the whole address
(click to see sample code)

Here's a tool that generates these codes.

Advantages: C, D, E
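Why the two encoding methods are listed as obsolete, as an added Python example (not from the article): an audit function to run over your own page source that reports every address readable as plain text or after one standard entity-decoding call. The sample page and its addresses are constructed placeholders.

```python
import html
import re

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text):
    """Encode every character as a decimal HTML entity, as the 'encode' methods do."""
    return "".join(f"&#{ord(c)};" for c in text)


# Constructed sample page; all addresses are placeholders on reserved example domains.
SAMPLE_PAGE = f"""
<p>Plain: sales@example.com</p>
<p>Encoded @ sign: info&#64;example.com</p>
<p>Whole address encoded: <a href="{entity_encode('mailto:help@example.org')}">mail us</a></p>
<script type="text/javascript">a='owner'; b='example.net';
document.write('<A hre'+'f="mai'+'lto:'+a+'@'+b+'">email us</a>');</script>
"""


def exposed_addresses(page_source):
    """Map each address readable without running JavaScript to how it was recovered."""
    found = {}
    passes = (
        ("plain text", page_source),
        # html.unescape is the same decoding every browser and HTML parser applies,
        # so entity-encoding the @ sign or the whole address hides nothing.
        ("after entity decoding", html.unescape(page_source)),
    )
    for how, text in passes:
        for addr in ADDRESS_RE.findall(text):
            found.setdefault(addr.lower(), how)   # keep the first (simplest) way found
    return found


if __name__ == "__main__":
    for addr, how in exposed_addresses(SAMPLE_PAGE).items():
        print(f"{addr}: readable {how}")
```

The address assembled by document.write is not reported, because the static source never contains it as one string; that is the difference between the JavaScript methods and the entity-encoding ones.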

Block spambots by name with .htaccess

(use regular mailto: links)
See WebmasterWorld and New Architect
Advantages: C, D, E




Key to the advantages listed above:

(A) Easy to implement

(B1) Fools all spambots at present

(B2) Fools most spambots at present.

(C) Address is visible.

(D) Address is copyable

(E) Address is clickable.

My enhanced JavaScript trick

One spambot is wise to the first JavaScript trick listed above, but it's poorly written, and sees only the part of an address after the hyphen. So you can use document.write to print out an address with a hyphen like, and the bot will pick up the address as You can then just block any mail to and that spambot won't have your full address.

This doesn't fool all spambots, but it fools most, and as always, it's best to fight what you can. Note that I don't know whether the spambot was getting the address from the JavaScript or from the <noscript> tags that follow the script code.

Key to the disadvantages listed above:

(1a) Might not fool all spambots. If spambots get wise to this, this trick will be useless.
(1b) Lots of spambots are wise to this trick so it's of questionable value.

(2) Address isn't visible, at least not initially. Users hate it when they can't see the address.

(3) Address isn't clickable, ever.
(3j) Address isn't clickable if user has JavaScript turned off.

(4) Address isn't copyable. Forces webmail users to retype the address, or at least edit it.
(4j) Address isn't copyable if user has JavaScript turned off.

(5) Relies on ability of users to understand that they must replace "(at)" or the graphic with a real "@" symbol. You can put instructions about that in there, but then the page starts getting cluttered.
(5j) Same as 5, but is only a problem if the user has JavaScript turned off.

(6j) Doesn't work if the user turned JavaScript off.

(7) Address itself must be shown rather than a send email type link.

(8) Might have to make @ images in a variety of fonts, sizes, and colors.

(9) Requires either knowledge of CGI programming, or that your webhost provides a canned FormMail script that doesn't require you to put your email address in a hidden Form field.

(10) User gets no transcript of the message. You can overcome this by including an option to cc: the user, except most prewritten FormMail scripts don't support this.

(11) Spambots can find the address that the form is sent to unless your CGI interface allows you to not put the send-to address in typical email format.

(12) Requires user to go to a new page before seeing the email address(es).

(13) Hard to implement. Doesn't work well if email address appears on every page (vs. on a "Contact Us" page). You will probably accidentally deny access to some legitimate users.

(14) User receives an autoresponse and has to go to a website to verify they're not a spammer before the message gets delivered. It only takes a few clicks, but anyone who wants to email from your website will have to go through that hassle.


More on SpamArrest

SpamArrest is described in more detail above, but here's the technical explanation of how it works, especially since it's not explained well on their website:
  1. You give SpamArrest the login for your POP3 mail account.
  2. SpamArrest periodically downloads all your mail to their system, automatically.
  3. SpamArrest sends out the autoresponder to everyone who sent you a message, who's not already on your whitelist and who hasn't already confirmed their address.
  4. Once a sender confirms their address, SpamArrest moves all validated mail into a separate mailbox.
  5. You download the verified mail from that separate mailbox, which is all spam-free.

To you, the whole process is pretty transparent. From your perspective, you just have a different login to access your mail, and when you get it there's no spam.

Years ago I listed SpamArrest here but then removed that info because back then SpamArrest had a habit of sending separate messages to people who got one of the autoresponses, asking them to sign up for SpamArrest. That's pretty much spam itself, ironically. But SpamArrest was lambasted on the net for that practice and they learned their lesson and no longer do that, and even wrote it into their new privacy policy. I tested this with several addresses and I never got any spam from them, so I'm satisfied that they're clean.

You can sign up for SpamArrest here. As I write this (November 2008), the cost is $50/year. Full disclosure: If you sign up from that link, I get a commission.

Starting over with a new address

If the amount of spam you're getting is burdensome you may have little choice other than to start over with a new email address. Of course this is never convenient or fun. It's easier if your email provider provides Autoresponder service, so that anyone who sends mail to your old address automatically receives a message back telling them your new address. Don't worry, it's unlikely that spammers will pick up your new address from the autoresponder. Spammers send to thousands or millions of addresses at the same time and they get thousands of bounce messages since many of the addresses they sent to are outdated. Spammers don't waste their time going through the thousands of bounce messages to see if someone posted their new address with an autoresponder.

In Yahoo, you can set up an autoresponder with the "Vacation Response" feature. Just tell it you're on vacation forever.

Where spammers get their addresses

Spammers get their addresses from many places, but these are probably the most common:

(1) They harvest email addresses that are listed on websites. If you have a website with your address on it, I don't have to ask whether you're getting spam to that address. I know you are.

(2) They buy them from online stores. When you buy something online or just make an online inquiry, disreputable businesses sell your email address to spammers. Obviously this is more likely if you're buying something from a spam email, or if you're buying something sleazy itself (pharmaceuticals, porn).

(3) They buy them from other spammers. Once anyone has your address, they sell it over and over to other spammers. In fact, most spammers don't harvest email addresses from websites themselves -- just a handful of evil-doers harvest addresses, then those addresses get sold and re-sold over and over again.

(4) They figure it out from online services. For example, if you have a Yahoo account username, then you also have the web page, and spammers figure they can email Here's a page about a similar problem with the Google Pages service.

(5) They guess. For any given domain, they'll mail to webmaster@, mail@, postmaster@, info@, help@, sales@, service@, support@, and others.

(6) They use the domain registration database. When you register a domain name you have to list an email address, and it's public information. Woe to (s)he who puts a real email address in that field.

Here are other ways spammers get your email address.

Knowing these things is the key to preventing spam. Our strategies for preventing spam revolve around preventing spammers from getting our address from websites, and limiting who we give our email address to.

Using multiple addresses

An old trick is to have two addresses: a "real" address that you give only to family and close friends, and a "throwaway" address you use for everything else. If the throwaway address starts getting spam, you literally throw it away -- put an autoresponder on it directing readers to your new address, and start over with another address.

Use plus-addressing

Both Google support plus-addresses. That lets you create a new email address on the fly by using a + sign. For example, let's say your address is You can use lisa+[anything] and it will work automatically, without your setting up anything special. All mail will be delivered to

So how do you use this? When you buy something on eBay, you use When you apply for a Home Depot credit card, you use If you start getting spam to a particular plus address, you can turn off just that one address in your control panel, and you'll continue to get all other mail. Sweet!

Please note that in an earlier version of this article I said that Dreamhost also offers plus-addressing, which is true, but I just found out (12/09) that they amazingly don't allow you to turn off an individual plus address when it starts getting spam. (I learned the hard way.) So you can't use this trick with Dreamhost.

Using catch-all addresses

My favorite trick doesn't work so well any more. Since I have my domain name, I had set up my domain to accept any mail addressed to it -- e.g., [anything] would all come to me. So I used a different address for everyone I did business with --,,, etc. -- it all came to me. Then if one of these businesses let spammers get my email address, I could just turn that individual email address off.

There are two problems with this: First, spammers can just guess at addresses to send to. One morning you may find hundreds of identical spams addressed to,, etc. Second, when spammers send out their spam to others, they might list your domain as the return address, with a different return address for each message:,, etc. Then you'll have to deal with hundreds of bounce messages from spams that went to dead addresses.

So if you want to use this method, then set it up for use with a subdomain like [anything], and never list your subdomain on a web page or send out email from your mail client with it. It's far less likely that a spammer will target a subdomain to send randomly-addressed spam to (especially if they've never heard of that domain), and less likely that they'll list the subdomain in the return address of spam they send out.

Dreamhost offers catch-all addresses and free subdomains with hosting plans, and they host a domain for as little as $7.95/mo.

Note that with Dreamhost, if you have catch-all enabled and turn off an address you used to use, mail sent to that address will just disappear, and the sender won't get a bounce message, so they won't know that their message wasn't received. Dreamhost has to do it that way because otherwise the bounce messages they send could get tagged as spam and other mailservers would stop accepting mail from Dreamhost's servers. Here's yet another way that spam hurts everybody.

Don't store customers' email addresses in the webspace!

Spammers were able to get a logfile of my clients' customers' email addresses because I wasn't careful enough. I put the logfile in a directory that also had an index.html file, which should have prevented any bot from seeing the log.txt file inside that directory. I don't know how they did it, but they found it -- along with Google, Yahoo, and who knows who else. I have a lengthy post about the incident at WebmasterWorld.

To keep this from happening to you:

  1. If at all possible, store sensitive data above the webspace. That is, put it one level above the "public_html" or "www" or "" or whatever folder contains your website.
  2. If it's really necessary to put customer data in the webspace for some reason, put it in a password-protected directory.

Don't assume that no one can find a file in a directory that has an index.html file. I made that assumption, and I (and my client, and their customers) got burned.


"What's wrong with spam? You can just delete it."

Every time I hear someone say that I want to slap them.

Here's why:

  • It's very common for legitimate senders, ISPs, or messages to incorrectly get tagged as spam, and the messages don't get through. Nobody knows how many important messages have never been received.  It's obviously a huge problem when you never know whether messages you send were received or not -- not to mention that you never know about all the important incoming messages you miss yourself.

  • It's not so easy to just hit Delete when you get HUNDREDS of spam messages a day. Many people are in this situation. Sure, they can abandon their email addresses and start over, but that's not as simple as just hitting Delete, is it? (It may be preferable to hitting Delete hundreds of times a day, but my point is that for many people, spam can't be easily dealt with by "just hitting Delete".) Spam-clogged mailboxes ruin people's ability to use email.

  • People routinely have to abandon their addresses and start over with new ones because of all the spam they get. Think of all the time wasted throughout the world by people sending out "Here's my new address" messages and then all the recipients updating their own contact lists. Spam is responsible for untold hours of wasted people-time this way.

    Someday you'll try to email a long-lost friend or business contact only to discover that their email address no longer works because they had to abandon their old address because of excessive spam, and somehow they missed notifying you about their new address, and you have no other contact information for them. This is real harm: Because of spam people wind up losing contact with each other. It cuts both ways, too: Someday people may try to contact you only to discover that your own old email address no longer works. Too bad for both of you.

    The inability to connect with old friends profoundly decreases one's quality of life. And spam is to blame. And this problem can't be solved by "just hitting delete".

  • When deleting so much spam, you're much more likely to accidentally delete legitimate messages. Do you open each and every message to verify that it's spam before deleting it? If so, then you're really letting spam waste a lot of your time. If not, then you're invariably deleting legitimate messages accidentally on occasion. Congratulations, you're screwed either way.

  • Users are often in positions where they're paying by the minute to access the Internet (hotels, remote locations in which there's no local access number so they have to dial long distance). These people are forced to pay extra to download the spam they have no choice but to receive. (And the more they try to filter it, the more likely they are to miss legitimate, important messages.)

  • If you're not receiving hundreds of spams a day, it's because ISPs devote considerable resources to blocking and filtering spam so you never see it. It's such a waste when you consider that ISPs could be doing something more productive with their time than spending thousands of collective people-hours fighting spam. Personally, I've spent hundreds of hours combatting spam.

  • All this time and effort in blocking spam is expensive, and everyone is paying higher ISP rates as a result.

  • ISPs have to buy bigger hard drives to process all the junk mail, and to store the junk mail that they couldn't positively identify as spam. (About 75% of all messages sent are spam.) Equipment isn't free; we're all paying for this.

  • ISPs are sometimes forced to kill legitimate messages to clear out a mail queue when spam is flooding their servers. Here's one example.

  • In my previous line of work it was essential that I reply to inquiries as quickly as possible. Whenever I heard the incoming email chime I had to stop what I was doing and switch over to my mail client to check the new message. Imagine doing this dozens or hundreds of times a day, just to discover that the incoming message is spam. This is a serious impediment to productivity.

  • Web hosts are forced to disable useful features because spammers abuse them. For example, Dreamhost no longer allows customers to forward a catch-all address to a domain outside their system. Users no longer have this useful option because of spam. They also will no longer send bounce messages back to the sender for email addresses that have been deactivated when the customer is using catch-all addressing, for the same reason. Users no longer have the ability to easily let legitimate senders know that their message never made it through. Because of spam.

  • Webmasters can't easily put email addresses on their websites or spambots will steal the addresses, flood them with spam, and make them useless. That means that webmasters are forced to use the anti-spam methods described on this page, which wastes their time, and gives their users a poorer experience since all the anti-spam methods have downsides for users -- such as the email address not being visible or clickable.

  • Webmasters who have forms on their site where visitors can enter their email address have to put in safeguards so spammers don't hijack the forms to send out spam. This wastes a lot of their time. I've been forced to waste a lot of my time on this very problem.

  • Webmasters who aren't super-cautious have their feedback forms hijacked by spammers anyway. This has happened to me. Had I not been able to respond quickly, my host would have shut down my server, turning off websites and email service for dozens of clients who had done nothing wrong. And as a result of the spam that did get through, it's likely that many servers no longer accept email from my server. These are serious consequences.

  • Spammers usually forge the return address on the spam they send out, often picking the address of a legitimate person who had nothing to do with the spam. That person's email address then gets flooded with thousands and thousands and thousands of bounce messages from the old, dead addresses on the spammer's mailing list, as well as hundreds of angry messages from people who thought that the legitimate user was the person who sent the spam. Even worse, the innocent victim risks having his or her website shut down since it looks like the victim was the one who sent out the spam.

  • Since spam filters often figure that HTML (formatted) email is spam even if it isn't, many newsletter publishers have been forced to revert to old-style plain text messages to make sure their readers can receive the newsletters they requested. Millions of people have to read through ugly pages of unformatted text instead of being able to read a nicely formatted newsletter that doesn't give them a headache.

"Just hit delete"? Any time I hear someone saying that I want to smack them.

Fighting spam is a big, big issue and I couldn't cover every single thing, but I hope this is enough to get you started. Good luck!

