Website Helpers.com

  Articles, tips, and resources for webmasters


a project by Michael Bluejay | email


How to let your website visitors contact you, without your getting spam

by Michael Bluejay • Updated June 15, 2025

The problem:

You want visitors to be able to contact you by email, but there’s a problem:  The easier you make it for them to contact you, the easier you make it for spammers to annoy you as well.  In this article I’ll cover ways to keep your contact method from getting overrun with spam.  Which method you choose will depend on how important it is for you to not miss a single legitimate email, and how averse to spam you are.

Rather than make you read the whole article, here’s my recommended way to hide your address from spambots:  Use Javascript.  Here’s the code:

Here's our email address: <span id=email></span>
<script>
   u = "greetings"
   a = "@"
   d = "example.com"
   email.innerHTML = "<a href=mai" +"lto:" +u+a+d+ ">"+u+a+d+"</a>"
</script>

And what it looks like to your visitors:

Here's our email address:  greetings@example.com

I still encourage you to read the rest of this article, because it has lots of useful info.


Once an address is stolen, it’s too late

Once spammers have your email address, the cat is out of the bag.  You can’t have your address un-stolen.  If you switch to a new email address (to stop the influx of spam), you’ll miss any legitimate mail going to your old address.  (You could put an autoresponder on your old address—it’s unlikely that spammers monitor autoresponder replies—but you’ll miss legitimate mail from people who don't want to make the effort to send another message.)  That’s why we should try hard to prevent our addresses from being compromised in the first place.


Spam filters are not a solution

You can’t rely on spam filters to solve your spam problem.  Spam filters aren't perfect.  Some spam will slip through, and worse, some legitimate mail will get tagged as spam and go to your spam folder, where you'll probably never see it.  If your website is a blog, that might not concern you.  But if your site is for business, you probably don't want to miss even one message from a customer (or potential customer).


Deleting spam manually is far from ideal

You might be used to deleting a few spam messages a day and are fine with that.  But wait until you have your email address on a website:  Then you could be looking at dozens or hundreds of messages a day.  And again, the more aggressively you dial up your spam filter, the more likely it is that you’ll miss legitimate mail.  That’s why we’ll cover ways to prevent spam in the first place.

The idea that you "can just hit delete" is so far off the mark that I have a list of 14 reasons why spam is a huge problem that’s not solved by "just" hitting delete.


Choosing an email address

Spammers don’t have to lift your address from your website; if you use a common username, they can just guess it.  Spammers are known to send spam to:

  1. mail@
  2. email@
  3. sales@
  4. support@
  5. help@
  6. service@
  7. admin@
  8. webmaster@

...and probably other generic addresses.  If at all possible, choose an address that can’t be easily guessed.


Methods to hide your address from spambots

Naked email addresses are always stolen

Spammers use automated programs called spambots that scour the web, looking for email addresses to add to spam lists.  If you put your email address on your website in plain text, spambots will discover it, and then you'll get spam.

A few years ago, I put an address on this page (spamtest@websitehelpers.com) as a test, to see how long it would take for spambots to find it and send me spam.  Result:  About 30 hours.  Chew on that.  Below we’ll cover ways to have your email address on your site while still hiding it from most spambots.  For now, let's start tallying the methods we’ve covered.

| Method | Protection Level | Ease for visitors | Ease of implementation |
|---|---|---|---|
| Naked email address | Zero | Easy | Easy |


Email address or Contact form

You have two broad choices for being contactable:

  1. Put your email address on your website.
  2. Put a contact form on your website.

Both have a set of pros and cons.  And for putting your email address on your site, there are several ways to do that, each with its own set of pros and cons.  So let’s dig a little deeper.


Writing out the @ sign

If you change the @ sign to something else, most spambots can't recognize it.  For example:

There are three downsides:

  1. Visitors will have to retype your address from scratch.  That’s hardly friendly.
  2. Some visitors will actually not understand the obfuscation.  Once one of my tenants tried to email the literal address in the format greetings{at}example.com, without substituting in the actual @ sign.  And no, he wasn't elderly, he was 30 years old.
  3. Some spambots can steal those addresses.  Most spambots can’t figure out that these are addresses, but some can.  I had several addresses in the greetings{at}example.com format on a website for twenty years with no problems, but one day in 2025, I got multiple automated spam messages to all of them.

| Method | Protection Level | Ease for visitors | Ease of implementation |
|---|---|---|---|
| Naked email address | Zero | Easy | Easy |
| Write out the @ sign | Medium | Hard | Easy |


Encoding the @ sign

In other anti-spam articles, you might see the suggestion to "encode" the at sign, writing it as &#64; in the code instead of @.  That hasn’t worked in decades; spambots were on to that one long ago.

| Method | Protection Level | Ease for visitors | Ease of implementation |
|---|---|---|---|
| Naked email address | Zero | Easy | Easy |
| Write out the @ sign | Medium | Hard | Easy |
| Encode the @ sign | Low | Easy | Easy |



Post your email address as a picture

If you make your email address an image, it's unlikely that any spambot will be able to read it.  For example, this is a picture:  [image of the email address].  You can tell it's a picture because you can't select the text.  (Try it.)  The downsides:

  1. Requires visitors to retype your email address from scratch.  It won’t be copyable or clickable.
  2. Every time the font family or size changes on your site, you'll need to make a new image.
  3. Every time you change the email address, you'll need to make a new image.

Here’s what we've covered so far:

| Method | Protection Level | Ease for visitors | Ease of implementation |
|---|---|---|---|
| Naked email address | Zero | Easy | Easy |
| Write out the @ sign | Medium | Hard | Easy |
| Encode the @ sign | Low | Easy | Easy |
| Post address as a picture | High | Hard | Medium |



Javascript

Spambots can’t read Javascripted addresses, at least not today.  Some day they might be able to, but I’ve had Javascripted addresses on my sites for decades, and I don’t get any spam to them.  Here’s example code:

Here's our email address: <span id=email></span>
<script>
   u = "greetings"
   a = "@"
   d = "example.com"
   email.innerHTML = "<a href=mai" +"lto:" +u+a+d+ ">"+u+a+d+"</a>"
</script>

And what it looks like to your visitors:

Here's our email address:  greetings@example.com

Note that anyone with Javascript turned off in their browser won't see the address, but nearly nobody has Javascript turned off, because so many websites will not work at all without Javascript.
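
To check what your own page exposes, here is an added example (not part of the original article) that scans raw page source the way a tool that doesn't run scripts would read it, and reports which of the methods above leave a readable address.  The function names and the sample markup are constructed for illustration.

```javascript
// Added example: audit your own page source for addresses readable without running scripts.
const LOCAL = "[A-Za-z0-9._%+-]+";
const DOMAIN = "[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)+";
const PLAIN = new RegExp(`${LOCAL}@${DOMAIN}`, "g");
// The written-out form used in this article: greetings{at}example.com
const SPELLED = new RegExp(`(${LOCAL})\\s*\\{\\s*at\\s*\\}\\s*(${DOMAIN})`, "gi");

// Turn numeric character references such as &#64; or &#x40; back into characters.
const toChar = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
function decodeNumericEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => toChar(parseInt(dec, 10)));
}

// Return each distinct address found in the source, with how it was recovered.
function auditSource(html) {
  const findings = [];
  const seen = new Set();
  const add = (address, how) => {
    const key = address.toLowerCase();
    if (!seen.has(key)) { seen.add(key); findings.push({ address, how }); }
  };
  for (const m of html.matchAll(PLAIN)) add(m[0], "plain text");
  for (const m of decodeNumericEntities(html).matchAll(PLAIN)) add(m[0], "entity-encoded");
  for (const m of html.matchAll(SPELLED)) add(`${m[1]}@${m[2]}`, "written-out @");
  return findings;
}

// Constructed sample markup, one snippet per method discussed in this article.
const SAMPLES = {
  naked: '<p>Write to <a href="mailto:greetings@example.com">greetings@example.com</a></p>',
  encoded: "<p>Write to greetings&#64;example.com</p>",
  writtenOut: "<p>Write to greetings{at}example.com</p>",
  javascript: `<span id=email></span>
<script>
   u = "greetings"
   a = "@"
   d = "example.com"
   email.innerHTML = "<a href=mai" +"lto:" +u+a+d+ ">"+u+a+d+"</a>"
</script>`,
};

function auditAll() {
  const report = {};
  for (const [method, html] of Object.entries(SAMPLES)) report[method] = auditSource(html);
  return report;
}

console.log(auditAll());
```

An empty result for the Javascript snippet only means the address is not readable from the source alone; a tool that renders the page and runs its scripts would still see it.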

Here’s what we've covered so far:

| Method | Protection Level | Ease for visitors | Ease of implementation |
|---|---|---|---|
| Naked email address | Zero | Easy | Easy |
| Write out the @ sign | Medium | Hard | Easy |
| Encode the @ sign | Low | Easy | Easy |
| Post address as a picture | High | Hard | Medium |
| Javascript | High | Easy | Medium |


Contact form

Most blog software and website builders let you put a form on your site for readers to contact you.  Your email address is hidden from public view, and your web software forwards the contact form messages to whatever address you supply, behind the scenes.  This stops most spam, but it comes with a whole host of downsides.

First, it won't stop all spam, because bots will actually spam the form.  Those messages then get dutifully forwarded to you by your web software.  However, you likely won't get nearly as much spam this way as by putting your email address on your website.

Yes, you could add a "CAPTCHA", the little puzzle that readers have to solve before they can send the message.  That stops most form spam, because most bots can't solve the puzzle.  But it's an annoyance for your readers, and it could discourage them from writing in the first place.  That's a problem if the people writing are potential customers and you need their business.

Another problem is that lots of the mail forms are buggy.  I can't count how many mail forms I've tried to submit, which barked at me because they didn't like something about my input.  In many cases there was no clue as to what about my input they didn't like, so I was unable to send the message.  Other forms just give some inexplicable error when trying to send.  Still others say that they've sent the message, but then the website owner never actually gets the message (as they've reported to me).

Contact forms also aren't user-friendly because the sender usually doesn’t get a copy of what they sent.  Very few contact forms will send them a copy.  (And then, many companies add insult to injury by replying to the message by email, again without including a copy of what the visitor originally sent.)

Yet another problem is that because contact forms are so frequently spammed, they often come with their own spam filters, and spam filters sometimes reject legitimate messages.

And what if the sender needs to include an image or some other kind of attachment?  With most contact forms, they can't.

Finally, contact forms come with their own security concerns.  Older ones require you to put the destination email address in a hidden field, which defeats the purpose because page code is visible to spambots.  Also, poorly-programmed contact forms can be hijacked by bots to send spam to lots of recipients (not just to you).
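
One way to address both concerns, as an added example that is not from the original article: the destination address lives only in server-side code, and any field that ends up in a mail header is rejected if it contains a line break or more than one address.  `RECIPIENT`, `SITE_SENDER`, the field names and the length limits are assumptions; the returned object is meant to be handed to whatever mail library your site uses.

```javascript
// Added example: server-side checks for a contact form submission (Node.js, no dependencies).
// RECIPIENT, SITE_SENDER, the field names and the length limits are assumptions for illustration.
const RECIPIENT = "greetings@example.com";  // fixed on the server, never taken from the form
const SITE_SENDER = "website@example.com";  // the site's own sending address

const LINE_BREAK = /[\r\n]/;
// Exactly one address: no whitespace, commas, semicolons or angle brackets.
const SINGLE_ADDRESS = /^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$/;
const LIMITS = { name: 100, email: 254, subject: 150, message: 5000 };

function buildMessage(form) {
  const field = (k) => (typeof form[k] === "string" ? form[k] : "");
  const name = field("name"), email = field("email");
  const subject = field("subject"), message = field("message");

  // Name, email and subject end up in mail headers. A line break there would let
  // submitted text add mail headers of its own, so reject it outright.
  for (const [key, value] of Object.entries({ name, email, subject })) {
    if (LINE_BREAK.test(value)) return { ok: false, reason: `line break in ${key}` };
  }
  for (const [key, value] of Object.entries({ name, email, subject, message })) {
    if (value.length > LIMITS[key]) return { ok: false, reason: `${key} too long` };
  }
  if (!SINGLE_ADDRESS.test(email)) return { ok: false, reason: "email is not a single address" };
  if (message.trim() === "") return { ok: false, reason: "empty message" };

  // Any "to" or "recipient" field in the form is ignored: the destination is RECIPIENT only.
  return {
    ok: true,
    mail: {
      from: SITE_SENDER,
      to: RECIPIENT,
      replyTo: email, // replies go to the visitor, but the visitor never chooses the recipient
      subject: `[Contact form] ${subject.trim()}`,
      text: `From: ${name.trim()} <${email}>\n\n${message}`,
    },
  };
}

// Constructed submissions.
const GOOD = { name: "Lisa", email: "lisa@example.com", subject: "Order question", message: "Hi there" };
const HIDDEN_FIELD = { ...GOOD, to: "someone@elsewhere.example" };
const BROKEN_SUBJECT = { ...GOOD, subject: "Hello\r\nsecond line" };
const MANY_ADDRESSES = { ...GOOD, email: "a@example.com, b@example.com" };

for (const form of [GOOD, HIDDEN_FIELD, BROKEN_SUBJECT, MANY_ADDRESSES]) {
  const result = buildMessage(form);
  console.log(result.ok ? `accepted, to ${result.mail.to}` : `rejected: ${result.reason}`);
}
```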

| Method | Protection Level | Ease for visitors | Ease of implementation |
|---|---|---|---|
| Naked email address | Zero | Easy | Easy |
| Write out the @ sign | Medium | Hard | Easy |
| Encode the @ sign | Low | Easy | Easy |
| Post address as a picture | High | Hard | Medium |
| Javascript | High | Easy | Medium |
| Contact Form | Medium | Easy | Medium |


Protecting your email address off your website

Preventing your email address from being stolen when you make replies

Even if you protect your email address on your website, spammers can steal your address when you reply to a visitor’s message.  If malware has infected the recipient’s computer, that malware can steal your address, along with the addresses of everyone else the recipient has corresponded with.  There’s only one way to prevent this: have all messaging done through your website, so your email address is never exposed.  That is not convenient, and visitors tend to expect to be able to email back and forth directly without having to go to a website.  It's understandable if you don't want your visitors to have to go through that hassle, but you'll just have to be aware that your address becomes vulnerable every time you hit Send.

Use plus-addressing

Gmail supports plus-addresses.  That lets you create a new email address on the fly by using a + sign.  For example, let's say your address is lisa@example.com.  You can use lisa+[anything]@example.com and it will work automatically, without your setting up anything special.  All mail will be delivered to lisa@example.com.

So how do you use this?  When you buy something on eBay, you use lisa+ebay@example.com. When you apply for a Home Depot credit card, you use lisa+homedepot@example.com.  If you start getting spam to a particular plus address, you can turn off just that one address in your control panel, and you'll continue to get all other mail.  Sweet!

Dreamhost also offers plus-addressing, but they amazingly don't allow you to turn off an individual plus address when it starts getting spam.  (I learned the hard way.)  So you can't use this trick with Dreamhost.


Protecting other people’s email addresses

Don’t expose other people’s email addresses

Don't expose others' email addresses by mailing multiple people in the TO: field, unless you have their explicit permission to do so.  When you put addresses in the TO: or CC: field, then everyone who gets the message can see everyone else's address.  If you don't have permission to do this, then put the addresses in the BCC field, where they'll be hidden from the recipients.

Don't store customers' email addresses in the webspace!

Hackers can often read files from the webspace, even if you don't link directly to those files.  Don't make the assumption that a file can't be seen just because it isn't linked and the directory it's in has an index.html file.  Somehow, one of my secret unlinked files that was in a directory with index.html got exposed; I still don't know how.

Customers' personal data should be stored in a database that's password-protected.  If you must store personal data in the webspace and not in a database, then store it above the webspace, so the file(s) can't be loaded in a browser.  That is, put it one level above the "public_html" or "www" or "domain.com" or whatever folder contains your website.

If it's really necessary to put customer data in the webspace for some reason, put it in a password-protected directory.


Address to link to this section: https://WebsiteHelpers.com/spam/#whybad

"What's wrong with spam? You can just delete it."

Every time I hear someone say that I want to slap them.

Here's why:

  1. It's very common for legitimate senders, ISPs, or messages to incorrectly get tagged as spam, and the messages don't get through.  Nobody knows how many important messages have never been received.  It's obviously a huge problem when you never know whether messages you send were received or not, not to mention that you never know about all the important incoming messages you miss yourself.

  2. It's not so easy to just hit Delete when you get hundreds of spam messages a day.  Many people are in this situation.  Sure, they can abandon their email addresses and start over, but that's not as simple as just hitting Delete, is it?  (It may be preferable to hitting Delete hundreds of times a day, but my point is that for many people, spam can't be easily dealt with by "just hitting Delete".)  Spam-clogged mailboxes ruin people's ability to use email.

  3. People routinely have to abandon their addresses and start over with new ones because of all the spam they get.  Think of all the time wasted throughout the world by people sending out "Here's my new address" messages and then all the recipients updating their own contact lists.  Spam is responsible for untold hours of wasted people-time this way.

    Someday you'll try to email a long-lost friend or business contact only to discover that their email address no longer works because they had to abandon their old address because of excessive spam, and somehow they missed notifying you about their new address, and you have no other contact information for them.  This is real harm:  Because of spam people wind up losing contact with each other.  It cuts both ways, too:  Someday people may try to contact you only to discover that your own old email address no longer works.  Too bad for both of you.

    The inability to connect with old friends profoundly decreases one's quality of life.  And spam is to blame.  And this problem can't be solved by "just hitting delete".

  4. When deleting so much spam, you're much more likely to accidentally delete legitimate messages.  Do you open each and every message to verify that it's spam before deleting it?  If so, then you're really letting spam waste a lot of your time.  If not, then you're invariably deleting legitimate messages accidentally on occasion.  Congratulations, you're screwed either way.

  5. Users are sometimes in positions where they're paying for their Internet data (hotels, remote locations in which there's no local access number so they have to dial long distance, ships at sea).  These people are forced to pay extra to download the spam they have no choice but to receive.  (And the more they try to filter it, the more likely they are to miss legitimate, important messages.)

  6. If you're not receiving hundreds of spams a day, it's because mail providers devote considerable resources to blocking and filtering spam so you never see it.  It's such a waste when you consider that mail providers could be doing something more productive with their time than spending thousands of collective people-hours fighting spam.  The staff resources they have to devote to this increases the cost of web hosting.  Personally, I've spent hundreds of hours combatting spam.

  7. Mail providers have to buy bigger hard drives to process all the junk mail, and to store the junk mail that they couldn't positively identify as spam.  (About 75% of all messages sent are spam.)  This increases the cost of webhosting.

  8. Mail providers are sometimes forced to kill legitimate messages to clear out a mail queue when spam is flooding their servers.  Here's one example.

  9. In my previous line of work it was essential that I reply to inquiries as quickly as possible.  Whenever I heard the incoming email chime I had to stop what I was doing and switch over to my mail client to check the new message.  Imagine doing this dozens or hundreds of times a day, just to discover that the incoming message is spam.  This is a serious impediment to productivity.

  10. Web hosts are forced to disable useful features because spammers abuse them.  For example, Dreamhost discontinued Catch-All email addressing, because it was too hard for them to manage when spammers tried to abuse it.  Legitimate customers no longer have this useful option because of spam.

  11. Webmasters can't easily put email addresses on their websites or spambots will steal the addresses, flood them with spam, and make them useless. That means that webmasters are forced to use the anti-spam methods described on this page, which wastes their time, and gives their users a poorer experience since all the anti-spam methods have downsides for users—such as the email address not being visible or clickable.

  12. Webmasters who have forms on their site where visitors can enter their email address have to put in safeguards so spammers don't hijack the forms to send out spam.  This wastes a lot of their time.  I've been forced to waste a lot of my time on this very problem.

  13. Webmasters who aren't super-cautious have their feedback forms hijacked by spammers anyway.  This has happened to me.  Had I not been able to respond quickly, my host would have shut down my server, turning off websites and email service for dozens of clients who had done nothing wrong.  And as a result of the spam that did get through, it's likely that many servers no longer accept email from my server.  These are serious consequences.

  14. Spammers usually forge the return address on the spam they send out, often picking the address of a legitimate person who had nothing to do with the spam.  That person's email address then gets flooded with thousands and thousands and thousands of bounce messages from the old, dead addresses on the spammer's mailing list, as well as hundreds of angry messages from people who thought that the legitimate user was the person who sent the spam.  Even worse, the innocent victim risks having his or her website shut down since it looks like the victim was the one who sent out the spam.

"Just hit delete"? Any time I hear someone saying that I want to smack them.

Fighting spam is a big, big issue and I couldn't cover every single thing, but I hope this is enough to get you started. Good luck!
