Email Obfuscation: What Works in 2026?
Source: Hacker News (319 points) | Spencer Mortensen
Key Findings
Rating: ★★★★☆ - Comprehensive benchmark of email anti-scraping techniques with real spammer testing data.
Plain Text Email Protection
| Technique | Block Rate | Status |
|---|---|---|
| No protection | 0% | Useless |
| HTML Entities | 95% | Basic |
| HTML Comments | 98% | Basic |
| HTML SVG | 100% | Best |
| CSS Display None | 100% | Best |
| JS Concatenation | 100% | Good |
| JS AES Encryption | 100% | Best |
| JS User Interaction | 100% | Best |
Clickable mailto: Link Protection
| Technique | Block Rate | Status |
|---|---|---|
| No protection | 0% | Useless |
| URL Encoding | 96% | Basic |
| HTML Entities | 100% | Best |
| HTTP Redirect | 100% | Best |
| HTML SVG | 100% | Best |
| JS Concatenation | 100% | Good |
Key Insights
- Surprising effectiveness: Basic techniques like HTML entities still block 95%+ of harvesters because most scrapers are simple
- CSS display:none: Most harvesters don't apply style rules, making this one of the best techniques
- JS AES encryption: Uses the browser's built-in SubtleCrypto; the address cannot be recovered without the JS file
- User interaction: Only reveals email when user interacts with page - raises the bar significantly
- SVG technique: Hides email in unusual place but keeps it accessible to screen readers
- Best practice: Layer multiple techniques for defense in depth
Usability Warning: Some techniques (symbol substitution, instructions, images, CSS content) break usability - they block scrapers but also frustrate legitimate users.
Methodology
Tested against 318 spammers for plain text techniques and 299 for link techniques. Results show that most harvesters are basic and don't interpret JavaScript or CSS.
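The layering advice and the methodology note can be checked against your own markup. The following is an added example, not code from the original article: it encodes a constructed sample address with the HTML entities technique and with an assumed form of the CSS display:none technique (hidden decoy spans around the "@"), then reports whether the address is visible to a reader that never applies CSS or runs JavaScript. All function names are hypothetical.

```javascript
// Added example; the sample address and helper names are constructed.
const SAMPLE = 'alice@example.test';

// HTML entities technique: every character as a decimal numeric entity.
function toEntities(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join('');
}

// Assumed form of the CSS display:none technique: hidden decoy spans on
// both sides of the "@". A browser applying CSS renders only the real parts.
function withHiddenDecoys(address, encode = s => s, decoy = 'null') {
  const at = address.indexOf('@');
  if (at < 1 || at === address.length - 1) throw new Error('not an address');
  const hidden = `<span style="display:none">${decoy}</span>`;
  return encode(address.slice(0, at)) + hidden + encode('@') +
         hidden + encode(address.slice(at + 1));
}

// Numeric entities only (decimal and hex); named entities are out of scope.
function decodeEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Drops comments and tags but keeps all text, as a reader that ignores CSS does.
function stripTags(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '').replace(/<[^>]*>/g, '');
}

// Audit: is the known address visible in each non-rendering view of the markup?
function exposure(html, address) {
  const decoded = decodeEntities(html);
  return {
    raw: html.includes(address),
    entityDecoded: decoded.includes(address),
    tagsStripped: stripTags(decoded).includes(address),
  };
}

const variants = {
  plain: SAMPLE,
  entities: toEntities(SAMPLE),
  decoys: withHiddenDecoys(SAMPLE),
  layered: withHiddenDecoys(SAMPLE, toEntities),
};
for (const [name, html] of Object.entries(variants)) {
  console.log(name.padEnd(9), JSON.stringify(exposure(html, SAMPLE)));
}
```

Entity encoding alone is undone by a single decoding pass, while the decoy variant stays hidden in all three views because the decoy text only disappears once CSS is applied.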