Pinnacle Trade Show DisplaysCustomer Testimonials  |  Contact Us 

Portable Trade Show Displays and Exhibit Display Booths. Easy On-line Ordering. Free Ground Shipping.

Unicode Converter / Encoder - Protect Your Email Address!
Converts text into Unicode Equivalent. Protect your email address from email-harvesting spambots!

FIGHT EMAIL SPAM! Every hour of every day, Spam-Bots [a.k.a. Email Harvester computer programs] are scouring the web looking for email addresses to add to their spam list databases.  If you have a website with an (unprotected) email address on it, sooner or later, the spam-bots will find it.  Your email address will be "harvested", you will be added to the spammers' lists, and your email in-box will be flooded with spam.

So what can you do?  You need your email address on your website so that people can contact you.  The key is to "protect" your email address by making it unreadable to the spambots, but still readable to your human visitors.  One extremely simple and generally effective way to protect your email address is to encode it by converting it to Unicode.  While a browser will read and decode Unicode and display your real email address to your human visitors, most Spam-Bots will not recognize it, and will pass it by...



Enter your text here:
   i.e. " "


Unicode Equivalent:
   i.e. " "



Spam: A serious and growing problem.
In 2001, 8% of the email sent was spam.  In 2008, according to industry experts, 64% to 85% of all email sent is spam.  Spam is a huge productivity drain on business.   The current popular tool for fighting spam is the spam filter.  Spam filters have proved to be a necessary but imperfect tool in the war on spam.  The problem is that spam filters often let some spam through, and worse, sometimes filter legitimate email.  What is the cost of one or two lost sales a month because of an overzealous spam filter?  A better solution to fighting spam is to keep your email addresses off of the spam lists. 

Where does spam come from?
According to a 2003 Center for Democracy & Technology (CDT) study, the majority of spam comes from email addresses harvested off the internet.  “Spam-bots” (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across.  Spambot programs look for “” and then record any addresses found into the spammer’s database.
Several companies sell Spambot programs.  They can be purchased for as little as $40, and most companies offer free limited-feature demo programs.  Anyone with an internet connection can use one.  Spambot programs can do a general search, or can be told to look at specific websites, or, for example, can be targeted to do a Google search for “senior living” and then examine the first 10,000 websites they find.  They can follow the links in websites to find other websites.  If your website hasn’t been found by the spambots yet, it will be. 

Should I worry?
Yes.  The Federal Trade Commission (FTC) did a study in 2002 in which they posted different newly created “undercover” email addresses on various websites. They found that within six weeks, 86 percent of the posted email addresses were receiving spam.

How to avoid being spammed.
:  Encode your HTML (
The key to not having your email “harvested” is to encode or disguise your email address so the spambots don’t recognize it.  You can accomplish this quite simply by converting part of your HTML to Unicode, a universal “symbol-based” language that uses numbers to represent different characters (i.e. “a” is “a” and “@” is “@”).  Modify your HTML as shown below, changing “@” is “@” and "." to ".”.  Substitute your name and domain name, of course.

find all occurrences of
<a href=“”></a>
and replace with
<a href="mailto:myname&#64;mydomain&#46;com">myname&#64;mydomain&#46;com</a>

We tested several demo-version email harvesting programs and found that changing the "@" and "." to their Unicode equivalents was sufficient to fool the spambots.  However, if you want to convert your entire email address to Unicode, you can use our text-to-Unicode converter.

There are several other methods of hiding your email address, each with advantages and disadvantages.  One method, for example, is to use javascript to disguise your email address, but doing so limits the ability of visitors without java-enabled browsers to email you.  Whatever method is used, one should consider that any email address that can be seen by a visitor, can also potentially be seen by a spammer.  No method should ever be considered completely guaranteed, and thus one should always also implement step two.

STEP TWO:  Use “disposable” contact email addresses on your website.
Do not use your primary email addresses (i.e. “sales”, “info”, or “yourname”) on your website.  Instead, use a disposable contact email address, such as,, or  When new customers email you, reply to them with your primary email address.  If your disposable website email address is ever compromised by a spammer, you can then simply replace it with a new one, and set your email spam filter to delete any future mail to the compromised address.  If previous customers need to email you, they most likely will check their email program’s inbox and reply to the primary address that you used to respond to their initial inquiry, or they will go to your website where they will see your current disposable contact email address. 

Does Unicode email encoding stop spam?
In CDT study sited above, email addresses that were encoded with Unicode never received any spam.  Our own experience is the same.  We launched our business website, Pinnacle Displays, in 1998.  Within 2 years, business was booming, but so was the volume of spam we were receiving.  We came across the Unicode tip somewhere on the internet, and implemented it.  We also placed new, disposable contact email addresses on our website.  In the last four years, we have never received any spambot-generated spam on our new email addresses. 

Will the spambots learn to read Unicode in the future?
Probably not, since there is little incentive.  Analyzing HTML for Unicode and then decoding it would require more computational power and would slow the spambots down.  There really wouldn’t be much benefit to the spambots, since the vast majority of websites have not encoded their email addresses.  Based on our own experience and informal calculations, over 90% of websites have unprotected email addresses.
Just for giggles, we checked the “experts” by going through the DMOZ directory for “Email: Spam Prevention”.  Of the 29 website listed, 2 were dead links, 3 used forms for contacting them, 1 used javascript to mask their addresses, 1 used Unicode to mask their addresses, and 22 had unprotected email addresses.  But of the 5 that attempted to protect their email addresses, 4 still had unprotected addresses on their sites.  Thus, of 27 working websites, 26 had unprotected email addresses!  If you encode your website’s email addresses, you’ll be doing better than 96% of the experts.

In conclusion...
1)  If you don't do anything to protect your email address, it most likely will be spammed.  In the 2002 FTC study, 86% of their new unprotected addresses were being spammed within six weeks.
2) There are several ways to disguise your email address - Unicode is one simple and effective method.  However, no solution is guaranteed. Any email address that can be obtained by a visitor could also potentially be obtained by a spammer.
3) Because no solution is guaranteed, always use a disposable contact email address on your website that you can then discard if it is every compromised by a spammer.


I wrote the above article back in 2004, and then updated it in 2008. Since then, I've created a few other websites and have always used unicode to protect any email addresses on the websites. Spam from website email harvesters has never been a significant problem. Then in 2013, I created a small personal website for a project I was working on. I worked on the site for a month and then got side tracked. About a year later (in 2014) I went to check on it and logged into the email account I had set up for it, and was stunned to find the account loaded with spam email! At last count, it was getting 20 to 30 spam emails a day. All of the spam was being sent to the contact email address posted on the website. When I the website, I was embarrassed to discover that I had neglected to protect the email address with unicode. The website in question is pretty darn obscure. Although can be found in Google, it gets very few visits. And yet the spambot email harvesters found the site and harvested the contact email, and started spamming it. The lesson is that spambot email harvesters are still stalking the internet, and if your email address is out there and isn't protected, it will be found, and it will be spammed.

Now some of you might be saying, well, so what? That's what email spam filters are for! I agree that spam filters are a life-saver, but I found both person and business emails in my own email spam folders. Fortunately I don't get that much spam so I'm able to check and retrieve the legitimate emails, but it can mean a delay in finding and responding to legitimate emails, or if you get too much spam, going through the spam folder can become impractical, and legitimate emails can be discarded. I also see some spam email still slip through the filters, and personally, getting spam email annoys the heck out of me. I also regularly get spam email that contain virus attachments and that try to trick me into opening them. Spammers are getting better at impersonating legitimate businesses, and a less than careful reader can inadvertently click the wrong link. Spam isn't just annoying, it can be dangerous. It's so easy to protect your email address and stop the spambots from ever harvesting your email address in the first place, that it just seems the right thing to do. Continue to use a spam filter of course, but cut down on the sheer amount of spam in the first place.

Based on my own embarrassing episode above of getting spammed on an accidentally unprotected email address, I decided to expand and update this article both to explain what current options there are for protecting your website email address, and to discuss the benefits and drawbacks to each option, and how effective each method probably is. I did a bit of internet research, and the most recent study I found was by a German blogger (who I was able to read thanks to Google translate), who ran a one year test in 2011 posting on his blog an unprotected email address, as well as addresses protected with unicode, javascript, and css.  At the end of a year, the unprotected address had received 911 spam emails, while the unicode, javascript, and css protected addresses all received NO spam emails at all! His 2011 test would indicate a little protection goes a long way! Other older studies I found indicated that some of the protection methods were not completely effective, but were still highly effective.


I've listed below various methods for preventing the spambot email harvesters from reading and harvesting your email address. The basic idea is to make your email address unreadable to the spambots (which is also called email munging or email obfuscating, as in to munge or mung your email address or to obfuscate your email address). The key is to keep the email harvester program from reading your email, but to allow a human to read your email address. Some email-munging methods maintain a clickable "mailto:" link so your human visitor to simply click on your email address, while other methods are much less user friendly and require a visitor to read and then retype your email address into their email program.

1. Complete unicode obfuscation. Convert your entire email address to unicode in your html as discussed in article above.
Effectiveness: probably good. Simple to implement using unicode converter/encoder above. Just be sure to also use a "disposable" email address. If your address is ever compromised and you determine it has been harvested, then you can switch to a new disposable email address and use a higher level of protection as discussed below.
Disadvantage: None. Completely user friendly. Email address is clickable. Human visitor should be unaware email is protected.

2. Replace @ with "at"
Example:  joe  at
Effectiveness: probably ok to start as long as you use a disposable email address in case it is compromised, and certainly better than nothing.
Disadvantage: Email address is not clickable. Human visitor can cut, paste, and fix email to make it work. Pretty straightforward, but not completely user friendly.

3. Replace @ with "(at)"
Example:  joe  (at)
Effectiveness: may be slightly better than #2 above.
Disadvantage: Email address is not clickable. Human visitor can cut, paste, and fix email to make it work. It may be more effective than method #5, but also could be more confusing. Fairly straightforward, but not completely user friendly.

4. Minimal unicode abfuscation. Replace @ only with "&#64;" in html.
HTML sample code:
<a href="mailto:joe&#64;">joe&#64;</a>
Effectiveness: probably ok to start as long as you use a disposable email address in case it is compromised, and certainly better than nothing.
Disadvantage: None. Completely user friendly. Email address is clickable. Human visitor should be unaware email is protected.

5. Partial unicode abfuscation. Replace e@n with "&#55;&#64;&#110;" in html.
Alternative is to convert entire address to unicode.
HTML sample code:
<a href="mailto:joe&#55;&#64;&#110;">joe&#55;&#64;&#110;</a>
Effectiveness: probably good. Simple to implement using unicode converter/encoder above.
Disadvantage: None. Completely user friendly. Email address is clickable. Human visitor should be unaware email is protected.

6. Use a logic test/instructions to change a non-working email address to a working email address.
Example: (change "x" to "joe")
Effectiveness: probably extremely high and should defeat all spambot computer programs.
Disadvantage: requires your human visitor to change the email address to make it work. They could miss the instruction to change the address, or make a mistake doing it. Not completely user friendly.

7. Use javascript to unscramble an otherwise munged email address.
HTML sample code:
<script type="text/javascript">
var name = 'user';
var at = '@';
var domain = '';
document.write(name + at + domain);

Effectiveness: probably very good unless the spambot computer program reads javascript.
Disadvantage: requires your human visitor's browser to read javascript, otherwise the email address won't display. Email address is not clickable. Not completely user friendly.

8. Use css to un-reverse a munged (reversed) email address.
HTML sample code:
<span style="direction: rtl; unicode-bidi: bidi-override;">eojrofmapson@eoj</span>
Example:  eojrofmapson@eoj
Effectiveness: probably very good unless the spambot computer program reads css.
Disadvantage: A cool idea. Your email address is backwards (i.e. moc.321zyx@eoj), which is what the spambot should see, but then the css command displays it in reverse (, so it is now correct. Although it's a cool idea, I wouldn't use it. It requires your human visitor's browser to display css properly, otherwise the email address will be backwards. The email address is not clickable. If you try to cut and paste the address it is still backwards, thus you must re-type the address to use it, with a possibility of making a mistake. Not user friendly.

9. Change your email address into an image.
Effectiveness: probably very high. There are image-reading programs available, but I doubt the spambots are using them.
Disadvantage: kind of a pain to implement (that is, you need to create the image), and your human visitor will have to read and then retype (and hopefully not misspell) your email address. Whether or not it works, I think this is a BAD solution.


1. You should protect any email address you post on the internet. Why invite unnecessary spam? Don't make yourself rely too heavily on email spam filters and potentially miss important emails, or get spam emails carrying obnoxious or damaging computer viruses. Protect your email address!
2. At least use unicode obfuscation in your html or simply write your address as [name at]. Both methods are very simple to implement, and should drastically cut down on spam. I prefer unicode obfuscation since you still have a clickable email address for your human visitors.
3. Also use a "disposable" email address on your website, such as []. In the event the address is compromised, you can simply change it to [] and turn off the old email address. Just don't use the disposable email address to email people as they may then store it in their address books. Only use the disposable email address for initial contacts from your website.
4. If you use unicode obfuscation (and use a disposable email address of course) and you determine that a spambot has still managed to harvest your website contact email address, then pick a new disposable contact email address for your website (turn off the old one) and encode it with one of the methods above that should have a higher level of effectiveness, such as a combination of javascript and unicode obfuscation.

If you have any questions or comments about this page, please email Steve at

Lord Nefarious, the evil email harvester SPAMBOT!

Lord Nefarious (named after Lord Business from the Lego Movie) is the diabolical email harvester spambot created by my slightly Lego-obsessed 9-year-old son Jack. Feel free to use his image in the fight again spam, just please include an image credit link back to this page (, giving credit to the artist and creator, Jack Peterson.

© 2004-2015 Steve Peterson, Pinnacle Displays Inc