Pinnacle Trade Show DisplaysCustomer Testimonials  |  Contact Us 

Portable Trade Show Displays and Exhibit Display Booths. Easy On-line Ordering. Free Ground Shipping.

Unicode Converter / Encoder - Protect Your Email Address!
Converts text into Unicode Equivalent. Protect your email address from email-harvesting spambots!

FIGHT EMAIL SPAM! Every hour of every day, Spam-Bots [a.k.a. Email Harvester computer programs] are scouring the web looking for email addresses to add to their spam list databases.  If you have a website with an (unprotected) email address on it, sooner or later, the spam-bots will find it.  Your email address will be "harvested", you will be added to the spammers' lists, and your email in-box will be flooded with spam.

So what can you do?  You need your email address on your website so that people can contact you.  The key is to "protect" your email address by making it unreadable to the spambots, but still readable to your human visitors.  One extremely simple and generally effective way to protect your email address is to encode it by converting it to Unicode.  While a browser will read and decode Unicode and display your real email address to your human visitors, most Spam-Bots will not recognize it, and will pass it by...



Enter your text here:
   i.e. " "


Unicode Equivalent:
   i.e. " "



Spam: A serious and growing problem.
In 2001, 8% of the email sent was spam.  In 2008, according to industry experts, 64% to 85% of all email sent is spam.  Spam is a huge productivity drain on business.   The current popular tool for fighting spam is the spam filter.  Spam filters have proved to be a necessary but imperfect tool in the war on spam.  The problem is that spam filters often let some spam through, and worse, sometimes filter legitimate email.  What is the cost of one or two lost sales a month because of an overzealous spam filter?  A better solution to fighting spam is to keep your email addresses off of the spam lists. 

Where does spam come from?
According to a 2003 Center for Democracy & Technology (CDT) study, the majority of spam comes from email addresses harvested off the internet.  “Spam-bots” (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across.  Spambot programs look for “” and then record any addresses found into the spammer’s database.
Several companies sell Spambot programs.  They can be purchased for as little as $40, and most companies offer free limited-feature demo programs.  Anyone with an internet connection can use one.  Spambot programs can do a general search, or can be told to look at specific websites, or, for example, can be targeted to do a Google search for “senior living” and then examine the first 10,000 websites they find.  They can follow the links in websites to find other websites.  If your website hasn’t been found by the spambots yet, it will be. 

Should I worry?
Yes.  The Federal Trade Commission (FTC) did a study in 2002 in which they posted different newly created “undercover” email addresses on various websites. They found that within six weeks, 86 percent of the posted email addresses were receiving spam.

How to avoid being spammed.
:  Encode your HTML (
The key to not having your email “harvested” is to encode or disguise your email address so the spambots don’t recognize it.  You can accomplish this quite simply by converting part of your HTML to Unicode, a universal “symbol-based” language that uses numbers to represent different characters (i.e. “a” is “a” and “@” is “@”).  Modify your HTML as shown below, changing “@” is “@” and "." to ".”.  Substitute your name and domain name, of course.

find all occurrences of
<a href=“”></a>
and replace with
<a href="mailto:myname&#64;mydomain&#46;com">myname&#64;mydomain&#46;com</a>

We tested several demo-version email harvesting programs and found that changing the "@" and "." to their Unicode equivalents was sufficient to fool the spambots.  However, if you want to convert your entire email address to Unicode, you can use our text-to-Unicode converter.

There are several other methods of hiding your email address, each with advantages and disadvantages.  One method, for example, is to use javascript to disguise your email address, but doing so limits the ability of visitors without java-enabled browsers to email you.  Whatever method is used, one should consider that any email address that can be seen by a visitor, can also potentially be seen by a spammer.  No method should ever be considered completely guaranteed, and thus one should always also implement step two.

STEP TWO:  Use “disposable” contact email addresses on your website.
Do not use your primary email addresses (i.e. “sales”, “info”, or “yourname”) on your website.  Instead, use a disposable contact email address, such as,, or  When new customers email you, reply to them with your primary email address.  If your disposable website email address is ever compromised by a spammer, you can then simply replace it with a new one, and set your email spam filter to delete any future mail to the compromised address.  If previous customers need to email you, they most likely will check their email program’s inbox and reply to the primary address that you used to respond to their initial inquiry, or they will go to your website where they will see your current disposable contact email address. 

Does Unicode email encoding stop spam?
In CDT study sited above, email addresses that were encoded with Unicode never received any spam.  Our own experience is the same.  We launched our business website, Pinnacle Displays, in 1998.  Within 2 years, business was booming, but so was the volume of spam we were receiving.  We came across the Unicode tip somewhere on the internet, and implemented it.  We also placed new, disposable contact email addresses on our website.  In the last four years, we have never received any spambot-generated spam on our new email addresses. 

Will the spambots learn to read Unicode in the future?
Probably not, since there is little incentive.  Analyzing HTML for Unicode and then decoding it would require more computational power and would slow the spambots down.  There really wouldn’t be much benefit to the spambots, since the vast majority of websites have not encoded their email addresses.  Based on our own experience and informal calculations, over 90% of websites have unprotected email addresses.
Just for giggles, we checked the “experts” by going through the DMOZ directory for “Email: Spam Prevention”.  Of the 29 website listed, 2 were dead links, 3 used forms for contacting them, 1 used javascript to mask their addresses, 1 used Unicode to mask their addresses, and 22 had unprotected email addresses.  But of the 5 that attempted to protect their email addresses, 4 still had unprotected addresses on their sites.  Thus, of 27 working websites, 26 had unprotected email addresses!  If you encode your website’s email addresses, you’ll be doing better than 96% of the experts.

In conclusion...
1)  If you don't do anything to protect your email address, it most likely will be spammed.  In the 2002 FTC study, 86% of their new unprotected addresses were being spammed within six weeks.
2) There are several ways to disguise your email address - Unicode is one simple and effective method.  However, no solution is guaranteed. Any email address that can be obtained by a visitor could also potentially be obtained by a spammer.
3) Because no solution is guaranteed, always use a disposable contact email address on your website that you can then discard if it is every compromised by a spammer.


I wrote the above article back in 2004, and then updated it in 2008. Since then, I've created a few other websites and have always used unicode to protect any email addresses on the websites. Spam from website email harvesters has never been a significant problem. Then last year (in 2013), I created a small personal website for a project I was working on. I worked on the site for a month and then got side tracked. Last month I went to check on it and logged into the email account I had set up for it, and was stunned to find the account loaded with spam email! At last count, it was getting 20 to 30 spam emails a day. All of the spam was being sent to the contact email address posted on the website. When I the website, I was embarrassed to discover that I had neglected to protect the email address with unicode. The website in question is pretty darn obscure. Although can be found in Google, it gets very few visits. And yet the spambot email harvesters found the site and harvested the contact email, and started spamming it. The lesson is that spambot email harvesters are still stalking the internet, and if your email address is out there and isn't protected, it will be found, and it will be spammed.

Now some of you might be saying, well, so what? That's what email spam filters are for! I agree that spam filters are a life-saver, but I found both person and business emails in my own email spam folders. Fortunately I don't get that much spam so I'm able to check and retrieve the legitimate emails, but it can mean a delay in finding and responding to legitimate emails, or if you get too much spam, going through the spam folder can become impractical, and legitimate emails can be discarded. I also see some spam email still slip through the filters, and personally, getting spam email annoys the heck out of me. I also regularly get spam email that contain virus attachments and that try to trick me into opening them. Spammers are getting better at impersonating legitimate businesses, and a less than careful reader can inadvertently click the wrong link. Spam isn't just annoying, it can be dangerous. It's so easy to protect your email address and stop the spambots from ever harvesting your email address in the first place, that it just seems the right thing to do. Continue to use a spam filter of course, but cut down on the sheer amount of spam in the first place.

Based on my own embarrassing episode above of getting spammed on an accidentally unprotected email address, I decided to expand and update this article both to explain what current options there are for protecting your website email address, and to discuss the benefits and drawbacks to each option, as well as to run an on-going, real-time experiment to see how effective each of the different options are (personally, at this time, I still recommend my original two step approach outlined in my original article, use a "disposable" contact email address and then use unicode to protect it). I did a bit of internet research, and the most recent study I found was by a German blogger (who I was able to read thanks to Google translate), who ran a one year test in 2011 posting on his blog an unprotected email address, as well as addresses protected with unicode, javascript, and css.  At the end of a year, the unprotected address had received 911 spam emails, while the unicode, javascript, and css protected addresses all received NO spam emails at all! His 2011 test would indicate a little protection goes a long way! Other older studies I found indicated that some of the protection methods were not completely effective, but were still highly effective. To gain a better idea of current effectiveness of unicode-protection, I decided to run the ongoing study described further below.


I've listed below various methods for preventing the spambot email harvesters from reading and harvesting your email address. The basic idea is to make your email address unreadable to the spambots (which is also called email munging or email obfuscating, as in to munge or mung your email address or to obfuscate your email address). The key is to keep the email harvester program from reading your email, but to allow a human to read your email address. Some email-munging methods maintain a clickable "mailto:" link so your human visitor to simply click on your email address, while other methods are much less user friendly and require a visitor to read and then retype your email address into their email program.

1. Change your email address into an image.
Effectiveness: probably very high. There are image-reading programs available, but I doubt the spambots are using them.
Disadvantage: kind of a pain to implement (that is, you need to create the image), and your human visitor will have to read and then retype (and hopefully not misspell) your email address. Whether or not it works, I think this is a BAD solution.

2. Use a logic test/instructions to change a non-working email address to a working email address.
Example: (change "x" to "joe2")
Effectiveness: probably extremely high and should defeat all spambot computer programs.
Disadvantage: requires your human visitor to change the email address to make it work. They could miss the instruction to change the address, or make a mistake doing it. Not completely user friendly.

3. Use javascript to unscramble an otherwise munged email address.
HTML sample code:
<script type="text/javascript">
var name = 'user';
var at = '@';
var domain = '';
document.write(name + at + domain);

Effectiveness: probably good unless the spambot computer program reads javascript.
Disadvantage: requires your human visitor's browser to read javascript, otherwise the email address won't display. Email address is not clickable. Not completely user friendly.

4. Use css to un-reverse a munged (reversed) email address.
HTML sample code:
<span style="direction: rtl; unicode-bidi: bidi-override;">eojrofmapson@4eoj</span>
Example:  eojrofmapson@4eoj
Effectiveness: probably good unless the spambot computer program reads css.
Disadvantage: A cool idea. Your email address is backwards (i.e. moc.321zyx@eoj), which is what the spambot should see, but then the css command displays it in reverse (, so it is now correct. Although it's a cool idea, I wouldn't use it. It requires your human visitor's browser to display css properly, otherwise the email address will be backwards. The email address is not clickable. If you try to cut and paste the address it is still backwards, thus you must re-type the address to use it, with a possibility of making a mistake. Not user friendly.

5. Replace @ with "at"
Example:  joe5  at
Effectiveness: probably good but the study below will test it in the real world.
Disadvantage: Email address is not clickable. Human visitor can cut, paste, and fix email to make it work. Pretty straightforward, but not completely user friendly.

6. Replace @ with "(at)"
Example:  joe6  (at)
Effectiveness: may be even better than #5 above.
Disadvantage: Email address is not clickable. Human visitor can cut, paste, and fix email to make it work. It may be more effective than method #5, but also could be more confusing. Fairly straightforward, but not completely user friendly.

7. Partial unicode abfuscation. Replace 7@n with "&#55;&#64;&#110;" in html.
Alternative is to convert entire address to unicode.
HTML sample code:
<a href="mailto:joe&#55;&#64;&#110;">joe&#55;&#64;&#110;</a>
Effectiveness: probably good but the study below will test it in the real world. Simple to implement using unicode converter/encoder above.
Disadvantage: None. Completely user friendly. Email address is clickable. Human visitor should be unaware email is protected. Study below will confirm effectiveness, but past experience and research indicates this eliminates most spam email.

8. Minimal unicode abfuscation. Replace @ only with "&#64;" in html.
HTML sample code:
<a href="mailto:joe8&#64;">joe8&#64;</a>
Effectiveness: probably good but the study below will test it in the real world. Very simple to implement.
Disadvantage: None. Completely user friendly. Email address is clickable. Human visitor should be unaware email is protected. Study below will confirm effectiveness, but past experience and research indicates this eliminates most spam email.


To test the effectiveness of the various methods listed above, I posted a list of email addresses on a page on another website on March 26, 2014.  The website is over ten years old and gets a moderate amount of traffic.  Each test email uses a different unique name with a random number attached (NOT the example email addresses below). I will be updating the results regularly in the table below, and will keep the study going indefinitely to monitor how well the various email address spambot protection methods work in the real world...
Note: just to see what happens, I also posted a second test list of different email addresses on a separate third website, the fairly obscure small personal website I mentioned above that I created in 2013 and that has been receiving daily spam to an unprotected email address posted on it accidentally when I first created it. I will create a second results table for it if it starts to get a significant amount of spam or if the results are significantly different from the main study results.

  method example # of spam emails effectiveness
1 using an image    
2 using logic test/instructions
replace x with joe2
3 using javascript      
4 using css (to reverse text) eojrofmapson@4eoj    
5 using "at" instead of "@" joe5  at    
6 using "(at)" instead of "@" joe6  (at)    
7 partial unicode (replacing "7@n" only)    
8 minimal unicode (replacing "@" only)    
9 no protection    

List of test email addresses posted (on a different website than this one) on March 26, 2014.
Results as of April 9, 2014. No spam emails received yet.


I will be interested to see how the above study unfolds and what it shows about current spambot email harvester activity on the internet. At this point, my previous recommendations still stand.
You should protect any email address you post on the internet. Why invite unnecessary spam? Don't make yourself rely too heavily on email spam filters and potentially miss important emails, or get spam emails carrying obnoxious or damaging computer viruses. Protect your email address!
Either use unicode obfuscation in your html, or simply write your address as [name at]. Both methods are very simple to implement, and should drastically cut down on spam. I prefer unicode obfuscation since you still have a clickable email address for your human visitors.
Also use a "disposable" email address on your website, such as []. In the event the address is compromised, you can simply change it to [] and turn off the old email address. Just don't use the disposable email address to email people as they may then store it in their address books. Only use the disposable email address for initial contacts from your website.

If you have any questions or comments about this page, please email Steve at

Lord Nefarious, the evil email harvester SPAMBOT!

Lord Nefarious (named after Lord Business from the Lego Movie) is the diabolical email harvester spambot created by my slightly Lego-obsessed 9-year-old son Jack. Feel free to use his image in the fight again spam, just please include an image credit link back to this page (, giving credit to the artist and creator, Jack Peterson.

© 2004-2014 Steve Peterson, Pinnacle Displays Inc