Use an HttpModule to Spam-proof Your Website

    November 1, 2006

Every time an email address is written on a website, it allows spam robots to collect it and abuse it. If you have a website (e.g. blog or forum) that displays the users e-mail address it would be a nice service to mask it for the spam robots.

The safest way to display an e-mail address is to break it up and convert it to something like “name at company dot com”. However, there are a lot of problems involved with that approach. It is difficult to read and you can’t make it into a hyperlink like “mailto:name at company dot com”. If you want to make it into a hyperlink, the best way would be to use a JavaScript function similar to this:

function SendMail(name, company, domain)


   link = 'mai' + 'lto:' + name + '@' + company + '.' + domain;



Then call that method with a hyperlink like this:

<a href="JavaScript:SendMail('name', 'company', 'domain');void(0)">name at company dot com</a>

That will make it pretty difficult to parse for a spam robot.

Another approach is to encode the characters into hex code which is perfectly readable for all browsers, but can proof to be more difficult to parse by robots but not impossible. What a robot can do is to just decode the entire HTML document from hex values into clear text, which will expose the e-mail addresses. But if we mixed clear text and hex values it will be much more difficult for the robot. That’s what the following HttpModule does.


The module replaces all e-mail addresses on your website with the mixed hex/clear text characters. It turns this

<a href=""></a>

Into this

<a href=""></a>

It uses the System.Random class to do the mix of the clear text with the hex values. The primary methods in the modules are the ones that through regex, replaces the clear text addresses.

private static Regex _Regex = new Regex("(mailto:|)(\\w+[a-zA-Z0-9.-_]*)@(\\w+).(\\w+)");

private static Random _Random = new Random();

private static string EncodeEmails(string html)


   foreach (Match match in _Regex.Matches(html))


    html = html.Replace(match.Value, Encode(match.Value));


    return html;


   private static string Encode(string value)


   StringBuilder sb = new StringBuilder();

   for (int i = 0; i < value.Length; i++)    {     if (_Random.Next(2) == 1)      sb.AppendFormat("&#{0};", Convert.ToInt32(value[i]));     else      sb.Append(value[i]);    }    return sb.ToString(); }


You can add this module to any existing web applications without breaking any code. Download the EmailSpamModule.cs below and place it in the App_Code folder on your website. Then add the following to the web.config:


   <add type="EmailSpamModule" name="EmailSpamModule" />

Even though the module makes it much more difficult to decode any e-mail address, it is still my advice that you use the JavaScript method if possible. If you're lazy or don't get paid by the hour, go for the module.

Download (1,16 KB)



Add to | Digg | Reddit | Furl

Bookmark WebProNews:

Mads Kristensen currently works as a Senior Developer at Traceworks located
in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in
2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and
web services in his daily work as well. A true .NET developer with great passion for the simple solution.