Email Address Harvesting

By Paladion

March 15, 2006

Which is/are the secure methods, among given options, to prevent email addresses harvesting?

  1. Re-format/ munging address
  2. Substitute ASCII codes in address
  3. Obscure address through javascript
  4. Hide address in image
  5. Options 3 and 4

The answer is 5) Options 3 and 4.

Spammers steal email addresses from websites by using spambots, computer programs which automatically troll web pages and harvest email addresses. Spambots consider text with @ symbol as an address. Before analyzing the answers lets have an idea what these methods talk about:

  1. Reformatting/munging is to alter the address in a way that it is invalid but human beings can easily fix before sending email to that address. Email address is made technically invalid by inserting text that spambots won't be able to recognize as not being part of the address. For instance mung "" address as

    Spambots will harvest these addresses and send mails which will bounce. To let legitimate visitor send mails, information to correctly demung the address should be given.

  2. Substitute ASCII codes in address is a method to hide email address from spambots so that they cannot recognize address and harvest them. This is achieved by using ASCII character codes to replace certain characters in the address, trusting the user's browser to translate the codes back into the correct characters. Use ASCII code (64) to replace "@" and (46) to replace ".". For example, address "" can be included in HTML of the site as


    Both the above addresses will be displayed by browsers as "" , but harvesting scripts looking at the source will only see the ASCII codes.

  3. Obscure address through javascript is the method to make email address unnoticeable or indistinct. Online tools are readily available to create "ready to use" email address obscuring javascripts . Or you could write one on your own. Insert the resulting script in HTML of website and the clickable email address will be displayed to visitors. After obscuring the email address looks like
    <script type='text/ javascript '>
    var a = new Array(' net','le.','amp','@ex ', ' joe ');
    document.write ("<a href =' mailto:"+a [4]+a[3]+a[2]+a[1]

    Javascript must be enabled in the visitor's browser to display the email address. To try, first copy this script in notepad then save that file with extension as ‘.html' and open the page to see the result. It needs javascript to be enabled in your browser.

  4. Hide address in image is the method to display email address as an image.   One creates an image of email address and thus text address does not appear in HTML code that could be recognized by a spambot . Either the entire address can be represented with a graphic or simply @ symbol can be replaced with a picture of the same. For e.g.


Now let's analyse each of the choices:

  1. Depending on what and where one posts the email address, a junkster may take the time to de-mung address. Disguising addresses makes it difficult for people to send e-mail to each other, as user has to manually de-mung the address in order to reply to the post or to send mail. Visitor may demung the address incorrectly. Also, when posting to usenet it should also be noted that disguising an e-mail address is, in the strictest terms, a violation of RFC 1036 . Also effort is needed to e nsure that the munged address is not someone else's e-mail address.
  2. Spambots can be programmed/adjusted to decode (translate ASCII code) on the fly and will be able to recognize the email address. Spambots inevitably will improvise so this technique is bound to become less effective over a period of time.
  3. Harvesters are unlikely to begin interpreting javascript. Harvesters that interpret the javascript on every page they come across would face a substantial risk of getting stuck in infinite loops or crashing due to malformed javascript. The only disadvantage is this technique may hide email addresses from visitors who have javascript disabled in their browsers.
  4. To read the address from an image, a spambot would require to have OCR capabilities or a human operator to harvest the address, both of which are less likely. Harvesters have to download the images and need to process every one of them.

    Replacing the entire address is the most secure way but requires more work than just replacing the @ symbol with graphics. Replacing only the @ symbol with graphics would leave the username and domain name vulnerable, as they would be readable and in close proximity to each other. One might also consider using a graphic to represent everything in the address after the username; i.e., the @ symbol and the domain.

    However, with this method, users with sight disabilities are at an inconvenience as screen reader software cannot extract the email address from the images. Also, normal visitors will have to manually type email addresses when they wish to contact you, which may be a minor inconvenience.

    NOTE: It should be noted that both of these techniques (Options 3 and 4) are likely to remain sound for some time to come!


Tags: Quiz