Evidence-based comparison of spam protection methods for website owners.
The Spam Problem
How Email Harvesting Works
Harvesting bots:
- Crawl websites systematically
- Parse HTML source code
- Use regex patterns to find email addresses
- Store addresses in databases
- Sell to spammers or use directly
Scale of the problem:
- Millions of websites scraped daily
- Sophisticated pattern matching
- Can decode many obfuscation techniques
- Continuously evolving detection methods
Impact:
- Spam arrives within days of publishing an email
- Volume increases over time as address spreads
- Professional email addresses become unusable
- Hours wasted managing spam
Obfuscation Techniques
What Email Obfuscation Does
Attempts to hide email addresses from bots while keeping them readable for humans.
Common Obfuscation Methods
HTML Entity Encoding
Method:
<a href="mailto:support&#64;example.com">
support&#64;example.com
</a>
How it works: Replaces characters with HTML entity codes (@ becomes &#64;)
Pros:
- Simple to implement
- Displays correctly in browsers
- Readable by humans
Cons:
- Bots easily decode (simple character replacement)
- Provides minimal protection
- Only delays spam by days or weeks
- No protection against sophisticated scrapers
Effectiveness: 10-20% spam reduction (temporary)
JavaScript-Based Hiding
Method:
<script>
var user = "support";
var domain = "example.com";
var email = user + "@" + domain;
document.write('<a href="mailto:' + email + '">' + email + '</a>');
</script>
How it works: Constructs email address at runtime using JavaScript
Pros:
- Email not in initial HTML
- Slightly better than entity encoding
- Still displays normally
Cons:
- Bots can execute JavaScript
- Breaks for users with JS disabled
- Bad for accessibility (screen readers)
- Can be reverse-engineered
- Doesn't prevent determined scrapers
Effectiveness: 30-40% spam reduction (degrades over time)
CSS-Based Hiding
Method:
<p>
support
<span style="display:none">REMOVETHIS</span>
@example.com
</p>
How it works: Inserts hidden text that humans ignore but bots might capture
Pros:
- Creative approach
- Slightly confuses basic scrapers
Cons:
- Sophisticated bots ignore hidden elements
- Breaks copy-paste functionality
- Poor user experience
- Accessibility nightmare
- Easily defeated
Effectiveness: 20-30% spam reduction
Direction/Unicode Reversal
Method:
<p style="unicode-bidi: bidi-override; direction: rtl;">
moc.elpmaxe@troppus
</p>
How it works: Displays email backwards, relies on CSS to flip it
Pros:
- Email is reversed in source code
- Displays correctly with CSS
Cons:
- Bots can apply same CSS rules
- Breaks without CSS
- Copy-paste captures reversed text
- Poor accessibility
- Easy to programmatically reverse
Effectiveness: 25-35% spam reduction
Obfuscation: Pros and Cons Summary
Advantages
- Quick to implement: Can add to existing email links
- Some protection: Stops the most basic scrapers
- Email still visible: Users can see and click email
- No external dependencies: Works with just HTML/CSS/JS
Disadvantages
- Temporary relief: Bots adapt and improve
- Incomplete protection: Sophisticated scrapers decode
- Degrades over time: As bots learn patterns
- Accessibility issues: Screen readers struggle
- User friction: Copy-paste often breaks
- No additional security: Just hiding, not preventing
- False sense of security: Seems protected but isn't
Failure Modes
When obfuscation fails:
- Advanced bots execute JavaScript
- Scrapers learn common obfuscation patterns
- Email still gets harvested (just takes longer)
- Spam starts arriving (eventually)
- All the accessibility problems remain
Reality: Obfuscation is an arms race you will lose.
Contact Forms
What Contact Forms Do
Replace published email addresses with web-based submission forms.
How Forms Prevent Spam
Hidden Email Address
The core benefit:
- Email address never appears in HTML
- Not in page source code
- Not in JavaScript
- Not in CSS
- Not anywhere public
Result: Bots can't scrape what doesn't exist.
Multi-Layer Protection
SupportRetriever forms include:
Cloudflare Turnstile
- Verifies user is human
- Blocks automated submissions
- Invisible to legitimate users
- Constantly updated
Rate Limiting
- Limits submissions per IP
- Prevents rapid-fire spam
- Protects against floods
- Configurable thresholds
Email Validation
- Checks email format
- Verifies domain exists
- Prevents fake addresses
- Reduces bounce rate
Content Filtering
- Detects spam patterns
- Blocks suspicious content
- Machine learning based
- Improves over time
Honeypot Fields
- Hidden fields bots fill
- Invisible to humans
- Catches basic bots
- Zero user impact
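The honeypot, email-format and rate-limiting layers listed above, combined in one server-side check. This is an added example, not SupportRetriever's code; the honeypot field name `website`, the limits and the in-memory store are assumptions.

```javascript
// Added example: server-side checks for one contact-form submission.
// Assumptions: honeypot field is named "website"; limits are illustrative.
const WINDOW_MS = 10 * 60 * 1000; // sliding window length
const MAX_PER_WINDOW = 3;         // accepted submissions per IP per window
const hits = new Map();           // ip -> timestamps (ms) of accepted submissions

function checkSubmission(ip, fields, now = Date.now()) {
  // Honeypot: the field is hidden from humans with CSS, so any value
  // means an automated client filled in every input it found.
  if (typeof fields.website === "string" && fields.website.trim() !== "") {
    return { ok: false, reason: "honeypot" };
  }

  // Format check only; confirming the domain exists needs a DNS lookup.
  const email = String(fields.email || "").trim();
  if (email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: "bad_email" };
  }

  // Sliding-window rate limit: keep only timestamps still inside the window.
  const recent = (hits.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  if (recent.length >= MAX_PER_WINDOW) {
    hits.set(ip, recent);
    return { ok: false, reason: "rate_limited" };
  }
  recent.push(now);
  hits.set(ip, recent);
  return { ok: true, reason: null };
}

// Constructed sample submission (documentation IP range, made-up fields).
const demo = checkSubmission("192.0.2.10", {
  email: "visitor@example.org",
  message: "Hello",
  website: "", // honeypot left empty, as a human visitor would
});
console.log(demo);
```

Log the `reason` server-side but return the same generic response to the client for every rejection, so an automated sender cannot tell which layer stopped it.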
Contact Forms: Pros and Cons
Advantages
- Complete email hiding: Address never published
- Active protection: Multiple layers of spam defense
- Improved reliability: No email client required
- Better mobile UX: Works on all devices
- Professional appearance: Branded forms
- Conversation management: Centralized inbox
- Analytics: Track submission sources
- Accessibility: Properly labeled form elements
- Future-proof: Protection doesn't degrade
Disadvantages
- Initial setup: Requires form creation (5 minutes)
- External dependency: Relies on form service
- Users can't save email: Can't add to contacts directly
- Extra click: Opens form instead of email client
How Forms Handle Cons
"Users can't save my email"
- When they submit, you reply from your real email
- They get your address in the reply
- Only legitimate contacts get your email
- Your address stays off the public web
"Extra click to form"
- Forms often faster than email client launch
- Especially on mobile (no app switching)
- Works on all devices (no setup required)
- Better UX overall
Decision Framework
When to Choose Obfuscation
Use obfuscation if:
- You need the email address visible on the page
- Users must be able to copy-paste email
- You're okay with partial protection
- You accept eventual spam
- Setup time matters more than results
Realistic expectations:
- Temporary spam reduction
- Will degrade over time
- Not a long-term solution
- Better than nothing
Best for:
- Personal blogs with low traffic
- Temporary pages
- Internal documents
- Low-value targets
When to Choose Contact Forms
Use contact forms if:
- You want maximum spam protection
- You value a long-term solution
- You want conversation management
- Mobile experience matters
- Accessibility matters
- You want analytics
Benefits:
- Permanent protection
- Improves over time
- Professional appearance
- Better user experience
Best for:
- Business websites
- Customer support
- Sales inquiries
- Any professional context
- High-traffic sites
Decision Table
| Criteria | Obfuscation | Contact Forms | Winner |
|---|---|---|---|
| Protection | | | |
| Spam reduction | 20-40% (temporary) | 99%+ (permanent) | Forms |
| Protection durability | Degrades | Improves | Forms |
| Sophistication | Basic hiding | Multi-layer active | Forms |
| User Experience | | | |
| Mobile | Poor (mailto issues) | Excellent | Forms |
| All devices | Inconsistent | Consistent | Forms |
| Email client needed | Yes | No | Forms |
| Confirmation | None | Instant | Forms |
| Technical | | | |
| Setup time | 5-10 min | 5 min | Tie |
| Accessibility | Poor | Excellent | Forms |
| SEO impact | Neutral/negative | Positive | Forms |
| Analytics | None | Full tracking | Forms |
| When Email Visible Matters | | | |
| Must show email | Yes | No | Obfuscation |
| Copy-paste email | Sometimes | No | Obfuscation |
Overall winner: Contact Forms (12 to 2)
Recommended Setup: Default to Forms, Optional Obfuscation
Primary Strategy: Contact Form
Main contact method:
<a href="https://supportretriever.com/form/your-form-id">Contact Us</a>
Benefits:
- Maximum spam protection
- Best user experience
- Professional appearance
- Handles 99% of contact needs
Secondary Option: Obfuscated Backup
For users who really need email:
<p>
Prefer email?
<span id="email"></span>
<script>
var e = ['support','example.com'];
document.getElementById('email').innerHTML =
'<a href="mailto:'+e[0]+'@'+e[1]+'">'+e[0]+'@'+e[1]+'</a>';
</script>
</p>
Benefits:
- Provides email fallback
- Most users use form (protected)
- Email still has some protection
- Minimizes spam while maintaining options
Practical Implementation
Website footer:
<footer>
<h3>Contact Us</h3>
<p>
<a href="https://supportretriever.com/form/your-form-id"
class="button-primary">
Send Message
</a>
</p>
<p style="font-size: 14px; color: var(--color-text-secondary); margin-top: 10px;">
Prefer email?
<a href="#" onclick="showEmail(); return false;">
Show email address
</a>
</p>
</footer>
<script>
function showEmail() {
var e = ['support','example.com'];
alert('Email: ' + e[0] + '@' + e[1]);
}
</script>
Benefits:
- Form is prominent (most users use it)
- Email requires extra click (reduces exposure)
- Email is obfuscated (some protection)
- Satisfies users who insist on email
Step-by-Step: Switch to Forms
Phase 1: Setup (5 minutes)
- Create SupportRetriever account
- Set up contact form
- Configure settings
- Get form URL
Phase 2: Replace (30 minutes)
Find all email addresses
- Footer
- Contact page
- About page
- Team pages
- Blog posts
- Email signatures
Replace with form links
<!-- Old -->
<a href="mailto:support@example.com">support@example.com</a>
<!-- New -->
<a href="https://supportretriever.com/form/your-form-id">Contact Support</a>
Add context with parameters
<!-- Track sources -->
?source=footer
?source=about
?source=blog
<!-- Track intent -->
?type=support
?type=sales
?type=press
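For the "Find all email addresses" step, a pre-publish audit you can run over your own page source to list addresses still exposed, including entity-encoded ones that look hidden but are not. This is an added example, not part of the original page; the function names and the sample markup are constructed for illustration.

```javascript
// Added example: audit your own HTML for addresses left in the source.
// Decodes numeric entities plus a few named ones, ignoring invalid code points.
const NAMED = { "&commat;": "@", "&period;": ".", "&amp;": "&" };
const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");

function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&(?:commat|period|amp);/g, (m) => NAMED[m]);
}

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Returns [{ address, exposure }] where exposure is "plain" or
// "entity-encoded" (only visible after decoding HTML entities).
function findExposedEmails(html) {
  const findings = new Map();
  for (const m of html.matchAll(EMAIL_RE)) {
    findings.set(m[0].toLowerCase(), "plain");
  }
  for (const m of decodeEntities(html).matchAll(EMAIL_RE)) {
    const address = m[0].toLowerCase();
    if (!findings.has(address)) findings.set(address, "entity-encoded");
  }
  return [...findings].map(([address, exposure]) => ({ address, exposure }));
}

// Constructed sample page: one plain address, one entity-encoded mailto,
// and one link already migrated to the form URL.
const SAMPLE_PAGE = `
<footer>Questions? support@example.com</footer>
<a href="mailto:sales&#64;example.com">sales&#64;example&#46;com</a>
<a href="https://supportretriever.com/form/your-form-id">Contact Support</a>
`;

for (const f of findExposedEmails(SAMPLE_PAGE)) {
  console.log(`${f.exposure}: ${f.address}`);
}
```

An empty result for a page means the source no longer contains an address in either form; addresses assembled by JavaScript at runtime are outside what this check covers.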
Phase 3: Test (15 minutes)
- Test form loads on all pages
- Submit test message
- Verify email notification
- Test on mobile devices
- Check conversation in dashboard
- Verify metadata appears
- Test reply flow
Phase 4: Monitor (Ongoing)
- Track spam reduction
- Monitor submission volume
- Review conversation quality
- Adjust as needed
Evidence and Data
Spam Reduction Reality
Obfuscation (data from security studies):
- Basic obfuscation: 15-25% reduction
- JavaScript-based: 30-45% reduction
- Duration: 3-12 months before degradation
- Eventual outcome: Spam arrives anyway
Contact Forms (SupportRetriever data):
- Spam reduction: 99%+
- Duration: Permanent (improves over time)
- User satisfaction: Higher (mobile especially)
- Conversion rate: 20-30% better than mailto
Real-World Scenarios
Small Business (before forms):
- Published email: sales@example.com
- Using JavaScript obfuscation
- Spam: 50-100 per day after 6 months
- Legitimate emails buried
Same Business (after forms):
- Form URL published instead
- Email never exposed
- Spam: 0-2 per month (caught by filters)
- All submissions legitimate
