Brandan Lennox's

Simple Anti-Spam Technique for Developers

You may have heard of spam bots. They look through web pages and try to find stuff that looks like e-mail addresses — like or the HTML code <a href="">John Doe</a> — and then spam the hell out of them.

Now us what build the sites try to outfox the bots by making e-mail addresses not look like e-mail addresses. One of the biggest giveaways is a hyperlink like the one above, which has to contain the string “mailto:” in order to properly send an e-mail. That’s easy for a bot to search for, so developers figured they’d try to hide it.

For example, Safari will recognize this code as the same hyperlink as I wrote above:


Those weird sequences of ampersands and semi-colons get translated by the browser so that it sees a normal e-mail hyperlink. So I go and replace all the instances of “mailto:” within e-mail addresses on my sites, but alas, the bots have autonomously reprogrammed themselves to look for the encoded text as well as plain old “mailto:”, and I’m still stuck getting spam.

Smarter folk than I have come up with very elaborate tricks for hiding e-mail addresses. I opt for a less effective but simpler solution of encoding random portions of the e-mail address each time I need to display an address on one of my sites. Bots might be smart enough to look for &#x6d;&#x61;&#x69;&#x6c;&#x74;&#x6f;&#x3a;, but they probably won’t look for all 5,040 variations of “mailto:” that are attainable by this method.

To this end, I’ve created a PHP Class (PHP 5 and above) to handle encoding e-mail addresses in this fashion. I hope it makes someone out there a little less vulnerable to spam.

Of course, the developers lose. We always do. Because bots have figured out how to act just like web browsers, so any link that works for a human will work for a bot. But this at least gets rid of the lazy ones that haven’t bothered reprogramming themselves.
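
The random per-character encoding described above, written out as an added example (this is not the PHP class the post refers to). The function names are hypothetical, the address is a constructed sample, and the code assumes PHP 7 or later for `random_int` and scalar type hints. The round trip at the end shows why a bot that decodes entities like a browser still recovers the address.

```php
<?php
// Added example, not the author's class. Function names are hypothetical.

/**
 * Leave each character literal, or encode it as a decimal or hex HTML
 * entity, chosen at random per character. ASCII input only.
 */
function randomEntityEncode(string $text): string
{
    $out = '';
    foreach (str_split($text) as $ch) {
        $code = ord($ch);
        // Characters with HTML meaning are never left literal, so the
        // result is always safe inside a double-quoted attribute.
        $mustEncode = in_array($ch, ['&', '<', '>', '"', "'"], true);
        switch ($mustEncode ? random_int(1, 2) : random_int(0, 2)) {
            case 0:  $out .= $ch; break;
            case 1:  $out .= '&#' . $code . ';'; break;
            default: $out .= '&#x' . dechex($code) . ';'; break;
        }
    }
    return $out;
}

/** Build a mailto link whose href is encoded differently on every call. */
function obfuscatedMailLink(string $address, string $label): string
{
    // FILTER_VALIDATE_EMAIL rejects empty and non-ASCII input by default.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    $href = randomEntityEncode('mailto:' . $address);
    return '<a href="' . $href . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample address (example.com is reserved for documentation).
$link = obfuscatedMailLink('john.doe@example.com', 'John Doe');
echo $link, PHP_EOL;

// A browser, or any parser that decodes entities, sees the plain link again.
preg_match('/href="([^"]*)"/', $link, $m);
$decoded = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
if ($decoded !== 'mailto:john.doe@example.com') {
    throw new RuntimeException('round trip failed');
}
echo $decoded, PHP_EOL;
```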