6 Precautions You Should Take Against Email Harvesters & Spammers

Saikat Basu 24-02-2012

Spam has its roots in email harvesting. Email harvesting is the umbrella term for the methods spammers (or bulk email marketers) use to obtain email addresses in bulk. It can be as low-tech as purchasing email address lists, or as high-tech as using special email harvester bots that scan or spider through webpages, discussion boards, and chat groups.


The legality of email harvesting differs from country to country. The United States for example has the CAN-SPAM Act that prohibits email harvesting. But the law overall has remained mired in a fog of ineffectiveness. In general, across the board it is considered illegal to acquire email addresses with automated software. But spammers remain undefeated as your email inbox no doubt tells you.

Anti-spammers, email companies, and projects like Project Honeypot are doing their bit. What can we do to protect our emails from email harvesters? Maybe, start off with these precautions at least.


Mung Your Email Address

Email address munging is the easiest method to cover up your email IDs from spam bots, though it’s not the neatest. It is simply modifying your email ID – to something that looks like – johndoe at mail dot com. Spam bots look for patterns as defined in their programming logic. Disguising email IDs with random text is an attempt to defeat that logic. In the example above, we have eliminated @ and the “.com” to confuse the spam program.

This method is simple to follow but comes with the risk that real humans also might get confused and “de-mung” the address incorrectly. Spam bots are also getting better, so it is reasonable to assume that some can pick up variations of an email address. But along with the GIF signature, this remains the easiest one to apply in places like community boards.



Each character can be mapped to a corresponding ASCII code. ASCII codes are translated by browsers into the readable character form, but it handicaps the spam bots as they fail to recognize the codes. You can insert something like into the HTML of your webpage. Here, both “@” and “.” have been substituted with their ASCII codes. You can obscure your entire email ID with ASCII codes, but that will take some effort.

I came across this simple website and its form that helps out with address munging.
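
As an added illustration of the character-code substitution described above (not code from the original article), the JavaScript below encodes an address as decimal HTML character references, either in full or only the "@" and "." as in the article's example, and includes a self-audit that reports how a known address appears in a page's source. The function names are hypothetical, and the sample address is the one spelled out in the article's munged example.

```javascript
// Added example: function names are hypothetical, sample data is constructed.

// Encode every character as a decimal HTML character reference (e.g. "@" -> "&#64;").
function toCharRefs(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join('');
}

// Encode only selected characters; the article's example replaces just "@" and ".".
function encodeSelected(text, chars = '@.') {
  return Array.from(text, ch =>
    chars.includes(ch) ? `&#${ch.codePointAt(0)};` : ch
  ).join('');
}

// Decode decimal and hexadecimal character references, as a browser does when rendering.
function decodeCharRefs(markup) {
  return markup
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
}

// Build a mailto link whose href and visible text are both fully encoded.
function mailtoLink(address) {
  const enc = toCharRefs(address);
  return `<a href="${toCharRefs('mailto:')}${enc}">${enc}</a>`;
}

// Self-audit for a page you own: how is a known address exposed in its source?
//   'plaintext'    - readable directly in the raw markup
//   'encoded-only' - absent from raw markup, present after one decoding pass
//   'absent'       - not present in either form
function exposure(pageSource, address) {
  if (pageSource.includes(address)) return 'plaintext';
  if (decodeCharRefs(pageSource).includes(address)) return 'encoded-only';
  return 'absent';
}

const ADDRESS = 'johndoe@mail.com'; // from the article's "johndoe at mail dot com"
const page = `<p>Contact: ${mailtoLink(ADDRESS)}</p>`; // constructed sample page

console.log(encodeSelected(ADDRESS)); // markup with only "@" and "." replaced
console.log(exposure(page, ADDRESS)); // audit result for the constructed page
```

A result of `encoded-only` means the address is missing from the raw source but reappears after a single decoding pass, so the method only stops tools that read the markup without decoding it.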

Use a Graphic Email Signature


The email address above is not text but a transparent GIF image created in a photo editor. It looks neater and spam bots cannot read it because it is an image file and using OCR is still a long way off. But using GIF email signatures has a couple of disadvantages – the recipient can miss the email ID if images are turned off in his browser. Also, a GIF email sign ideally should not be hyperlinked… so recipients will have to key in the ID themselves, and that’s a bit inconvenient.


Use Disposable Email Addresses


Disposable email addresses are also a neat solution. These onetime dummy email accounts can be used when giving out email addresses to websites. You can abandon them at will. We have covered quite a few web services which generate disposable email addresses. Find a few to use in our Directory.

I also came across a service called Scrim which protects your email address by disguising it using a custom link. You can try it out.

Encode With JavaScript

<script type='text/javascript'>
// Address is split into two array elements and joined only at run time.
var a = new Array('', 'johndoe@em');
document.write("<a href='mailto:" + a[1] + a[0] + "'>" + a[1] + a[0] + "</a>");
</script>


That’s ‘’ obscured with JavaScript and inserted into the HTML of a webpage. Spam bots don’t do a good job of reading JavaScript and can’t find the ID in the source code, but our usual browsers render it perfectly. Of course, you need to have it switched on to display the email signature correctly. There are many JavaScript generators available freely on the web that can generate the code for you. Copy the code into your HTML where you want the link to appear.

Use Contact Forms


Secure email forms are the best and most professional way to protect email addresses while soliciting information. All professionally designed websites will have one. It is user-friendly as all the reader has to do is add information and click on submit. Email addresses aren’t displayed to the readers or spam bots. A further barrier of a CAPTCHA prevents auto-populating bots from attacking the system. Yes, the reader cannot use his favored email client to send messages but that’s a small inconvenience.

These five points cover the bare minimum we can do as individuals and also as web designers to protect email addresses from the scourge of email harvesters. There are a few more advanced techniques that go around like Spider Traps. Anti-spam methods are advancing the battle even as spamming evolves. It is a battle. How do you combat it at your level? Are you aware of email harvesters and the tricks they play? And do remember – never respond to a spam email. It only confirms your identity.



  1. Altar
    September 20, 2016 at 4:00 am

    Most people sometimes (rarely) shut off their javascript function in their browsers, so, that trick won't work. Captchas are a pain for humans and it also doesn't work on different devices showing lots of errors. Encoders aren't a good deterrent as spambots are now capable of decoding - including the javascript too.

    I'd go with the image option, making sure it is designed attractively so they don't miss it.

  2. James Bruce
    February 25, 2012 at 9:45 am

    In fairness, only a few of these really work. Javascript can be easily decoded and rendered by bots nowadays; masking an address with AT can be recognized and converted; contact forms can be somewhat thwarted by harvesting the address from the domain contacts instead; captchas only prevent humans, not bots (decaptcha services cost pennies).

    Personally, I just let the spam come, and let the fantastic filter services do their job. I get about 1 spam a week now that actually makes it to my inbox, and very false false positives. 

  3. Cicas
    February 25, 2012 at 12:29 am

    Back in 2004 I'd used that ASCII method on my websites and my friend showed me that javascript trick just a couple of weeks ago.
    Personally I don't use any of these tips (I no longer run a website). Instead I have 2 (actually 4 if counting school email and one I'm very likely going to abandon) email addresses: one for "people with face" (people I know, like friends and family) and one for "web" (I use it for forum registrations and various other pages. It is "dedicated" to contain spam and I'm OK with it - since it has search tool I can always find what I need and the rest - I don't care:) ).
    But if I'd start to run a website again I'd probably go with that javascript solution.

    • Cicas
      February 25, 2012 at 12:34 am

      I think the last sentence should be: ".. if I'd started to run ... I'd probably went with..." am I right? Still learning your wonderful language;)

      • Knitwitter
        February 25, 2012 at 5:19 am

        Nope. "Go with" is the proper idiom. But if we're going to nit-pick, you should have said: "But if I was going to start running a web site again..." 

        • James Bruce
          February 25, 2012 at 9:46 am

          running is superfluous.

          "If I was going to start another website, I'd probably go with Javascript"

        • Migwar
          February 25, 2012 at 12:53 pm

          Actually, the correct construction is "But, if I were going to start running a web site again ... "    It's called the subjunctive mood.  And, why do you assume it would be ANOTHER [ie, a different] website, and not simply a resurrection of the old website ?  Starting a website and running it are two different activities.  Even if they were not, the use of the word "running" would then be redundant, not superfluous.  [Unless you are British, of course, and think the only meaning of the word "redundant" pertains to employment layoffs.]