📧 Email Obfuscator – Stop Spam Bots from Harvesting Your Address
Every email address you publish in plain HTML is a potential target. Automated spam bots continuously crawl websites looking for the @ symbol pattern and harvest millions of addresses per day. The Email Obfuscator converts your address into one of several disguised formats so bots cannot extract it, while real visitors and browsers still see it correctly.
🔍 Why Email Obfuscation Matters
A raw address like [email protected] in your HTML source is trivially scraped. Obfuscation does not make the address invisible to humans — it makes the source code representation unrecognisable to bots that scan for literal email patterns. This simple defensive layer can dramatically reduce the volume of unwanted automated messages your address receives.
⚙️ Supported Obfuscation Methods
| Method | How It Works | Spam Safety | JS Needed? |
|---|---|---|---|
| HTML Entities (Decimal) | Every character → &#NNN; | Medium | No |
| HTML Entities (Hex) | Every character → &#xHH; | Medium | No |
| ROT13 | Caesar cipher, shift 13 | Low | No |
| ROT-N + JS | Custom shift + JS decoder | Medium | Yes |
| JS charCodeAt | Unicode code-point array, assembled at runtime | High | Yes |
| Base64 + atob() | Base64-encode; decode with atob() | High | Yes |
| CSS Direction (RTL) | Reversed string + direction:rtl CSS | Medium | No |
| Zero-Width Injection | U+200B inserted between every character | Medium | No |
🧪 Method Deep-Dives
HTML Entity Encoding
The simplest no-JS approach. Each character in your address is replaced with its HTML numeric entity. For example, a becomes a (decimal) or a (hex). Browsers decode these automatically and render the address correctly; most basic scrapers that search for @ in source code will miss it because the @ sign becomes @.
JavaScript charCodeAt Array
Each character is stored as its Unicode code point in a JavaScript array: [104,101,108,108,111,64,…]. A small inline script assembles the string with String.fromCharCode() at page-load time. Because the literal email string never appears in HTML source, sophisticated scrapers that evaluate simple JS patterns still fail to extract it.
Base64 + atob()
The address is Base64-encoded (e.g., aGVsbG9AZXhhbXBsZS5jb20=) and a short script calls atob() to decode it in the browser. This technique is compact and highly effective — the email is not recognisable in source at all.
CSS Direction Trick
The email string is reversed and wrapped in a <span> with direction:rtl; unicode-bidi:bidi-override. Browsers display the reversed text right-to-left, which makes it appear correctly to human readers. Scrapers reading left-to-right get a nonsense string.
Zero-Width Character Injection
Unicode U+200B (zero-width space) is inserted between every character. These characters are invisible to human readers but break the [^\s@]+@[^\s@]+ regex that most scrapers use. Note: some email clients may strip these characters, so test mailto links before deploying.
🚀 How to Use This Tool
- Enter your email address in the input field.
- Choose an obfuscation method from the dropdown.
- Optionally add a custom display label (e.g., "Contact Us") and toggle the mailto link wrapper.
- Copy the generated code snippet.
- Paste it directly into your HTML where the email should appear.
📊 Choosing the Right Method
- Maximum protection, JS is fine → Use JS charCodeAt or Base64 + atob().
- No JavaScript, high compatibility → Use HTML Entities (Decimal or Hex).
- Visual uniqueness / artistic sites → Try the CSS Direction trick.
- Layered defence → Combine HTML entities in the
hrefattribute with a JS-rendered display text.
⚠️ Important Limitations
Obfuscation is a deterrent, not a guarantee. Advanced headless-browser scrapers can execute JavaScript and may defeat even the highest-rated methods. For mission-critical contact addresses consider also using a contact form, CAPTCHA-protected endpoint, or a separate obfuscated alias that forwards to your real inbox.