Email Address Obfuscation with ROT13

Obfuscating Email Addresses with ROT13

One creative application of ROT13 is hiding email addresses from automated spam harvesters while keeping them accessible to human visitors.

The Spam Problem

Web crawlers (bots) scan pages for patterns like user@example.com to build spam mailing lists. Displaying email addresses in plain text makes them easy targets.

ROT13 as a Defense

By encoding the email address with ROT13 and using a small JavaScript snippet to decode it on page load, you can prevent simple bots from finding the address:

<span id="email" data-rot13="hfre@rknzcyr.pbz">
  [Enable JavaScript to see email]
</span>
<script>
  const el = document.getElementById('email');
  const encoded = el.dataset.rot13;
  el.textContent = encoded.replace(/[a-zA-Z]/g, c =>
    String.fromCharCode(
      c.charCodeAt(0) + (c.toLowerCase() < 'n' ? 13 : -13)
    )
  );
</script>

How Effective Is It?

ROT13 obfuscation stops the simplest bots that look for literal @ signs and .com patterns. However:

• Basic bots: Blocked effectively
• Sophisticated bots: May execute JavaScript or recognize ROT13 patterns
• Very advanced bots: Will render pages like a browser and extract any visible email

Combining with Other Techniques

For better protection, combine ROT13 with:

• CSS direction tricks: Display the email backwards with direction: rtl
• HTML entity encoding: Mix @ for the @ sign
• Contact forms: Replace email links with contact form pages entirely
• Image-based display: Render the email as an image (hurts accessibility)

Considerations

• ROT13 only rotates letters; the @ and . characters pass through unchanged
• Some spam bots specifically check for ROT13-encoded addresses now
• Always provide a fallback for users without JavaScript
• Consider accessibility — screen readers need access to the actual address