Email Obfuscation

Why are email addresses obfuscated?

Email addresses are common targets for spam, phishing attacks — even malicious crawlers. While there are many ways to obfuscate addresses from marketers or bots, no method is perfect. On top of this, usage of simple obfuscation techniques often results in a worse user experience; having said that, it should be balanced with more user-friendly techniques (that are less effective protection against spam).

In essence, email obfuscation is a simple concept that can be difficult to balance between bot-prevention and the overall user-experience.

How email addresses get obfuscated

As mentioned previously, there are many ways for Email Obfuscation to happen:

1) Putting email addresses into images

This is a simple method of obfuscation — essentially, a website owner can embed his/her email address(es) into an image that a bot cannot read. Unfortunately, with new AI (artificial intelligence) neural networks, this can be defeated. Users also have to read text from an image, resulting in both accessibility and user-experience issues.

2) Using text-based obfuscation techniques

Text-based obfuscation involves putting email addresses in a human-readable format that is still hard for a crawler to read. For example, if a webmaster wishes to place on their website, a potential deterrent would be to write support(at)bunny(.)net (or other similar variations to this). Similar to the previous technique, users lose out again as they cannot easily copy an address.

3) JavaScript-based obfuscation

This is yet another popular way to hide email addresses from bots: using JavaScript, addresses can be placed onto a page dynamically. For example, an easy way to obfuscate email addresses on a page is to do set an ID for the HTML tag containing the email address and having the email encoded in base64:

    I am available at the following email address: <span id="email"><noscript>JS is required to view this address.</noscript></span>

Now, when a “legitimate” browser loads the website, the following code is executed:

<script type=”text/javascript”>
		var email = "c3VwcG9ydEBidW5ueS5uZXQ="; //
	  document.getElementById("email").innerHTML = atob(email);

… and for regular users, an email address (that can be copied) appears:

I am available at the following email address:

While imperfect, this solution is the most user friendly of the four listed methods. They neither have to read text from an image or remove placeholders. The only downside to this form of obfuscation is the relative simplicity of “decryption”: any bot running a fully fledged browser can easily bypass basic forms of JS-powered email hiding techniques.

4) Captcha-based obfuscation

CAPTCHAs, or user challenges, are typically the least user-friendly solution to hide contact information. They usually look like the following:

Other variations include scrambled text or auditory CAPTCHAs. Another major issue is the existence of services that can solve CAPTCHAs automatically; not only do CAPTCHAs make a user experience far worse, they can end up being equally as insecure as the latter option.



An automated application used to scrape (i.e. take) content from other sources.


Generally, obfuscation is the act of manipulating content such that specific users/bots cannot read your content.