Coding email links to avoid spam
This page contains advice for developers and maintainers of ringing websites such as Guild sites. It describes how to encode email links to protect them from spammers. An automatic encoding tool is also provided.
Email contact links are an invaluable part of any web page. However, they are also vulnerable to a particular type of web robot known as the spam harvester or spambot. A spam harvester can read through the pages in your site and extract email addresses which are then added to bulk marketing databases. The result: more spam arrives in your inbox. If you've quoted other people's addresses on your site, they will probably get upset with you too.
The solution to this dilemma is to protect email links in a way that hides them from the spam harvester. Here's how.
The normal way of doing it
Normally you'd add an email address to a web page with a piece of HTML such as:
<a href="mailto:firstname.lastname@example.org">Mr Nobody</a>
This creates a mailto link, and when displayed in a web page looks like this:
When the site user clicks the link, instead of triggering a transition to another web page, their mail client will pop up a compose mail window addressed to the target of the link, in this case
Unfortunately a spam harvester can easily read the email address within the HTML code, so this style of link should be AVOIDED!
A solution adopted by some sites (including Roger Bailey's Change Ringers' Email Directory) is to nobble the email address in such a way that a spam harvester won't recognise it, but a human reader will. The normal way of doing this is to replace the "@" sign with some text, such as "-AT-":
<a href="mailto:nobody-AT-fake.address9z.com">Mr Nobody</a>
When clicked, this will produce an email addressed to
For these reasons I believe it is better to use a more sophisticated form of address hiding.
A better solution
If you click this link, you will see a normal mail window open addressed to
As you can see, there is nothing in this code which can be directly used by a spam harvester to reclaim the email address. So, the spam harvesting problem is also solved.
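The idea described above, as an added sketch that is not the author's email.js: the address is supplied in separate parts, with the top-level domain given as a number, and the mailto link is only assembled at run time. The function names, the four-argument signature, the TLD table and the use of document.write are assumptions made for illustration; the page's own script takes five parameters that are not shown here.

```javascript
// Added illustration; names, signature and table are hypothetical,
// not taken from the page's email.js.

// Constructed table: the index is the number used in place of the TLD.
const TLDS = ["com", "org", "net", "co.uk"];

// Escape text placed into HTML so no part can inject markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assemble the mailto link at run time from separately supplied parts.
// An empty linkText shows the address itself as the visible text.
function buildMailLink(user, domain, tldCode, linkText) {
  if (!Number.isInteger(tldCode) || tldCode < 0 || tldCode >= TLDS.length) {
    throw new RangeError("unknown TLD code: " + tldCode);
  }
  const address = user + "@" + domain + "." + TLDS[tldCode];
  const text = linkText ? linkText : address;
  return '<a href="mailto:' + escapeHtml(address) + '">' + escapeHtml(text) + "</a>";
}

// Check for page maintainers: list literal addresses visible in static source.
function exposedAddresses(source) {
  return source.match(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g) || [];
}

// Constructed page fragments: the plain link, and a script call with parts
// (assumed here to be written into the page with document.write).
const plainSource = '<a href="mailto:nobody@example.org">Mr Nobody</a>';
const scriptedSource = 'document.write(buildMailLink("nobody", "example", 1, "Mr Nobody"));';

console.log(exposedAddresses(plainSource));    // the plain link exposes its address
console.log(exposedAddresses(scriptedSource)); // the scripted call exposes none
console.log(buildMailLink("nobody", "example", 1, "Mr Nobody"));
```

Running exposedAddresses over your own saved page source is a quick way to confirm that no literal address was left behind after converting the links.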
How do I implement this solution?
This file should be added to a suitable directory, such as the root or a scripts directory, within your web site. It is very small (less than 1K) so will not adversely affect page-load times.
To use the script to protect email links in a web page you need to carry out the following steps:
If you do want to encode the links manually, here is a description of the five parameters needed by the
Sometimes you might want to code a link in which the email address itself is shown as the visible text, e.g. . To do this, simply call
Numbers for top-level domains
The use of numbers helps hide the email address from spam harvesters. My email.js file uses the following table of common top-level domains:
If you have a need for other top-level domains, these can easily be added to the
A very small number of users may have scripting disabled. For them it may be worth adding a note that the email addresses will not be visible. You can do this with HTML code such as:
For more information on spam harvesters and email links, try these pages:
MBD August 2003