Sevencolors studies:
experiments with Javascript, CSS, PHP and web standards

Anti spam email

Avoid getting spam through your email contact link

Email harvesters (spambots)

Email harvesters work like search engines but they look for email addresses. Specifically, they look for the "mailto:" protocol in the href attribute of a link or the @ character in the text on a web page.

Once an email address is added to a mailing list, it's basically impossible to get it off. It's really important to keep that from happening.

The script

Using JavaScript it's possible to avoid detection since spambots cannot read it. I originally had a bit of JavaScript code embedded in the footer of my pages but I decided to write a function and publish a contact page instead since, with JavaScript disabled, the embedded code wouldn't work. This is the code I use now:

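function setContact(adr) {
  // The link to rewrite; without JavaScript it keeps pointing to the contact page
  var obj = document.getElementById('contact');
  if (obj) {
    // 'w' selects "webmaster", any other value selects "info"
    adr = (adr == 'w') ? 'webmaster' : 'info';
    var domain = ''; // your domain name goes here
    // The address is only assembled at run time, never written in the markup
    obj.href = 'mailto:' + adr + '@' + domain;
    return true;
  }
}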

The contact link on the page:

<a id="contact" href="contact_page.htm" onmouseover="setContact('w');return false" onfocus="setContact('w');return false">contact</a>

What happens when the user moves the mouse over the link and clicks it:

  • the onmouseover event passes the value 'w' to the function that puts the email address in the status bar of the window
  • the onfocus event passes the value 'w' to the function when the link is clicked
  • the function changes the href attribute of the link that would otherwise point to a contact page
  • if JavaScript is disabled the events don't work and the link points to the contact page

In the above example I'm passing 'w' as the value of the variable 'adr' (see function) so the email address would be "webmaster at my domain name". If I used any character other than 'w' it would be "info at my domain name".

Remember that the email address on the contact page must be written taking into consideration the fact that spambots look for the @ character in plain text. It should be written like this:

Then ask the user to substitute the AT with @ to send an email.

Email address and domain name must be changed accordingly if you want to use this method on your web site.

At this time this is the best solution I could find to the spam problem. It works with JavaScript disabled and it's quite straightforward.
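To check your own pages against the two patterns described above ("mailto:" in an href attribute and an address with @ in the text), the following added example audits an HTML string and reports any address it finds. It is not code from the original page; the function name, the sample markup and the example.com domain are constructed, and the entity decoding goes slightly beyond what the article describes.

```javascript
// Added example: audit a page's HTML for the two patterns the article says
// harvesters look for. Function name and sample markup are constructed.
function findExposedAddresses(html) {
  const findings = [];
  // Inline scripts and styles are neither markup nor visible text; drop them first.
  const markup = html.replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, ' ');

  // Pattern 1: "mailto:" in the href attribute of a link.
  const hrefRe = /<a\b[^>]*\bhref\s*=\s*["']\s*mailto:([^"'?>]*)/gi;
  for (const m of markup.matchAll(hrefRe)) {
    findings.push({ kind: 'mailto-href', value: m[1] });
  }

  // Pattern 2: an address with @ in the page text. Tags are removed, and
  // entity-encoded @ is decoded (assumption: a harvester decodes entities too).
  const text = markup
    .replace(/<[^>]*>/g, ' ')
    .replace(/&#0*64;|&#x0*40;|&commat;/gi, '@');
  const textRe = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;
  for (const m of text.matchAll(textRe)) {
    findings.push({ kind: 'text-address', value: m[0] });
  }
  return findings;
}

// Constructed sample: the article's link, its script, and an "AT" address.
const PROTECTED_PAGE = `
<a id="contact" href="contact_page.htm" onmouseover="setContact('w');return false"
   onfocus="setContact('w');return false">contact</a>
<script>
function setContact(adr) {
  var obj = document.getElementById('contact');
  if (obj) { obj.href = 'mailto:' + adr + '@' + 'example.com'; }
}
</script>
<p>webmaster AT example.com</p>`;

// Constructed sample: a plain mailto link and an entity-encoded address.
const EXPOSED_PAGE = `
<a href="mailto:info@example.com">mail us</a>
<p>or write to webmaster&#64;example.com</p>`;

console.log(findExposedAddresses(PROTECTED_PAGE));
console.log(findExposedAddresses(EXPOSED_PAGE));
```

The check models only a harvester that reads the static source, as the article assumes; it says nothing about a crawler that executes scripts.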