Defeat the Email Scrapers and Spammers

It’s very convenient to show your sales or customer support email addresses on your website…especially if you make them clickable. But, guess what…the evil slimebag scrapers and spammers out there will eventually crawl your site, looking for href="mailto:somebody@somewhere.com" or even just the somebody@somewhere.com kind of pattern. And they’ll scrape that email address off, stick it on a CD with 66 million other victims, and voila…now you’re the proud recipient of 100 emails a day for Kohl’s coupons, ED pills, etc.

If you’re on WordPress, there’s this awesome little plugin that will encrypt your email addresses for you, and decrypt them for real human users so they’re still clickable. But safe from spammers. I use it on my WordPress sites, and highly recommend it.

If you’re not on WordPress, though, I’ve written an encrypt/decrypt mechanism that’s pretty easy to use.

IIS Users – Classic ASP

First, you put this function in an #include file and include it in each page that needs to show email addresses:
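'----------------------------------------------------------------------------
'Obfuscates an email address to foil spammer-scrapers
'----------------------------------------------------------------------------
Function ObfuscateEmail (sOriginal)
	Dim sTmp, iLength, iTmp, sTmp2

	iLength			= Len (sOriginal)
	iTmp			= CLng(1)
	sTmp			= ""

	'Encode every character as &#NNN; except each 7th one, which stays as-is
	Do while (iTmp <= iLength)
		If (iTmp Mod 7 = 0) Then
			sTmp = sTmp & Mid (sOriginal, iTmp, 1)
		Else
			sTmp = sTmp & "&#" & Asc (Mid (sOriginal, iTmp, 1)) & ";"
		End If
		iTmp = iTmp + 1
	Loop

	'Wrap the encoded address in a clickable mailto: link
	sTmp = "<a href=""mailto:" & sTmp & """>" & sTmp & "</a>"
	iLength = Len (sTmp)
	iTmp = CLng(1)
	sTmp2 = ""

	'Reverse the whole link, character by character
	Do while (iTmp <= iLength)
		sTmp2 = Mid (sTmp, iTmp, 1) & sTmp2
		iTmp = iTmp + 1
	Loop

	'Emit the inline script that un-reverses the link in the browser
	ObfuscateEmail = "<SCRIPT language='JavaScript' type='text/javascript'>reObfuscate('" & sTmp2 & "');</script>"
End Function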
Then, in your page, where you want to put the email address, you call that function like this:
Nice people (not spammers!) can email us at <%=ObfuscateEmail("support@visualitineraries.com")%>.
In this example, it’ll show up as support@visualitineraries.com and be clickable, i.e. will launch their email program with that address in the To: field. In the raw HTML source, however, that email address and the mailto: bit will be character-by-character reversed in order, and each letter (except every seventh, which is left as-is) converted to its numeric ASCII code in &#NNN; form. It’ll look something like this:
[Image: Obfuscating to stop scrapers and spammers]

Last thing to do: include a Javascript file with the client-side code that unscrambles the email address. Here’s the code that goes in that Javascript file:
function reObfuscate (sTmp)
{
	document.write(reObfuscateCore (sTmp));
}

function reObfuscateCore (sTmp)
{
	var		i		= 0;
	var		sOutput	= "";

	while (i < sTmp.length)
	{
		sOutput		= sTmp.charAt(i) + sOutput;
		i	= i + 1;
	}

	return sOutput;
}

function unEncodeEmailChars (sTmp)
{
	var		i		= 0;
	var		iNum	= 0;
	var		sNum	= "";
	var		sOutput	= "";
	var		chChar	= "x";

	while (i < sTmp.length)
	{
		if (sTmp.charAt (i) == "&")
		{
			sNum	= "";
			i		= i + 2;		/// skip &#
						
			if (sTmp.charAt (i) != ";")
			{
				sNum	= sNum + sTmp.charAt(i);
				i		= i + 1;
			}

			if (sTmp.charAt (i) != ";")
			{
				sNum	= sNum + sTmp.charAt(i);
				i		= i + 1;
			}

			if (sTmp.charAt (i) != ";")
			{
				sNum	= sNum + sTmp.charAt(i);
				i		= i + 1;
			}

			if (sTmp.charAt (i) == ";")
			{
				i		= i + 1;
			}

			iNum		= parseInt(sNum);
			chChar		= String.fromCharCode(iNum);
			sOutput		= sOutput + chChar;
		}
		else
		{
			sOutput		= sOutput + sTmp.charAt(i);
			i	= i + 1;
		}
	}
		
	return sOutput;
}
What happens is this: when the page loads, the browser calls the inline client-side Javascript function reObfuscate(), which is embedded in the HTML right where the email is to be displayed, and that takes the scrambled email address and unscrambles it on-the-fly.
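
The round trip described above, as an added example that is not part of the original post: a Node.js port of the encoding steps, a check that the raw source matches neither a mailto: nor a plain address pattern, and a check for a raw quote or backslash that would break the reObfuscate('...') string. The address support@example.com and the helper names obfuscateEmail, breaksJsLiteral, sourceLeaks and reveal are assumptions made for the example.

```javascript
// Added example: Node.js port of the page's ObfuscateEmail(), for testing only.
// support@example.com and all helper names here are constructed for illustration.

// Server side: encode all but every 7th character as &#NNN;, wrap in a
// mailto anchor, then reverse the whole string (same steps as ObfuscateEmail).
function obfuscateEmail(addr) {
  let enc = "";
  for (let i = 0; i < addr.length; i++) {
    enc += (i + 1) % 7 === 0 ? addr[i] : "&#" + addr.charCodeAt(i) + ";";
  }
  const anchor = '<a href="mailto:' + enc + '">' + enc + "</a>";
  return anchor.split("").reverse().join("");
}

// Characters left raw (every 7th) that would terminate or escape the
// single-quoted reObfuscate('...') literal the page emits.
function breaksJsLiteral(addr) {
  for (let i = 6; i < addr.length; i += 7) {
    if (addr[i] === "'" || addr[i] === "\\") return true;
  }
  return false;
}

// The two patterns the article says scrapers look for in the raw source.
function sourceLeaks(rawHtml) {
  return /mailto:/i.test(rawHtml) ||
         /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i.test(rawHtml);
}

// Client side: reverse (as reObfuscateCore does), then decode the numeric
// character references the way the HTML parser does after document.write().
function reveal(payload) {
  const html = payload.split("").reverse().join("");
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(parseInt(n, 10)));
}

const payload = obfuscateEmail("support@example.com");
const page = "<script>reObfuscate('" + payload + "');</script>";
console.log("raw source leaks address:", sourceLeaks(page));
console.log("rendered markup:", reveal(payload));
console.log("unsafe raw quote:", breaksJsLiteral("abcdef'x@example.com"));
```

An address for which breaksJsLiteral returns true needs that character encoded as well before it is placed inside the reObfuscate('...') call.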

Apache Users - PHP

Here's your PHP function implementation:
//----------------------------------------------------------------------------
//Obfuscates an email address to foil spammer-scrapers
//----------------------------------------------------------------------------
function ObfuscateEmail ($sOriginal)
{
	$iLength	= strlen ($sOriginal);
	$sTmp		= "";

	for ($iTmp = 0; $iTmp < $iLength; $iTmp++)
	{
		if (($iTmp + 1) % 7 == 0)
			$sTmp	= $sTmp . substr ($sOriginal, $iTmp, 1);
		else
			$sTmp	= $sTmp . "&#" . ord (substr ($sOriginal, $iTmp, 1)) . ";";
	}
		
	$sTmp		= "<a href=\"mailto:" . $sTmp . "\">" . $sTmp . "</a>";
	$iLength	= strlen ($sTmp);
	$sTmp2		= "";

	for ($iTmp = 0; $iTmp < $iLength; $iTmp++)
	{
		$sTmp2	= substr ($sTmp, $iTmp, 1) . $sTmp2;
	}

	echo "<SCRIPT language='JavaScript' type='text/javascript'>reObfuscate('" . $sTmp2 . "');</script>";
}
Then, you call it this way on the page:
Nice people (not spammers!) can email us at <?php ObfuscateEmail("support@visualitineraries.com") ?>.

Michael Cottam - Freelance technical SEO consultant - 20915 Royal Oak Circle, Bend, OR 97701

© 2025 OzTech, Inc. All rights reserved.