Generating On-The-Fly Email Addresses as an Anti-Spam Measure in WordPress

Generating On-The-Fly Email Addresses as an Anti-Spam Measure in WordPress

On my IT consulting business site, I’m using a php script I’ve written to generate on-the-fly random email addresses specific to the browsing session looking at the site. So, I can include email addresses in plain text on the site, but if a spammer harvests one, I can block it, and other people legitimately browsing the site will still get individualized working addresses they can contact me with.

It generates a log as email are generated, so you know who got what email. You’ll want to watch the log size yourself so you don’t fill your disk space.

Obviously it’s more complicated than just this, there’s whitelisting involved as well as some other behind-the-scenes trickery, such as double-checking emails against the log as they arrive, that I can’t reveal publicly for opsec reasons.

But, I can reveal the basic php script that coughs up a random email address specific to the session info. A WordPress shortcode that allows calling custom PHP scripts is set to run this script, and placed on the site where I want a working contact email address to be displayed.

Right now it works for me with PHP8.4. YMMV.

A word of warning: I wrote this a long time ago, and hate PHP, and really don’t remember how it works. Please don’t write with questions or support requests, this is an “as is” freebee. I’m sure you can find someone who’s better at PHP than I am to help you with anything.

Basically, I just stuck this here because I’m first setting this site up and need some content to test the layouts. Don’t expect more than that.

Also, I know it’s badly flowed and hard to read. If you think I’m going to battle WordPress’s broken editor trying to get it to display a code block correctly, you’ve got another think coming.




//generated emails and user session info will be logged in the logfile you specify

//in wordArray, enter some words to use in the generated email addresses, since email addresses can’t start with a number. Then, to prevent spamming to catchall addresses, you can filter for these valid words and reject incoming emails that don’t start with them.



ini_set(‘display_errors’, 1);
ini_set(‘display_startup_errors’, 1);

if (!isset($_SESSION[‘theEmail’]))

function getUserIpAddr(){
//ip from share internet
//ip pass from proxy
return $ip;

function getUA() {
if(!isset($_SERVER[‘HTTP_USER_AGENT’])) {return “none”;}
{ return $_SERVER[‘HTTP_USER_AGENT’];}

$theOutput =””;

// Write the contents back to the file


function getName($n) {
foreach (getallheaders() as $name => $value) {
$theBrowserDetails .= “$name: $value\n”;


// Append a new person to the file
$current = ‘Date – ‘.date(“c”).”\n”;
$current .= ‘Detected IP – ‘.$_SERVER[‘REMOTE_ADDR’].”\n”;
$current .= ‘User Real IP – ‘.getUserIpAddr().”\n”;
$theUA = getUA();
$current .= $theBrowserDetails.”\n”;
$current .= ‘getUA() – ‘.$theUA.”\n”;


$IPhashInt = (int) filter_var($theIPhash, FILTER_SANITIZE_NUMBER_INT);
$IPhashReversedInt = (int) filter_var($theIPhashReversed, FILTER_SANITIZE_NUMBER_INT);
$randomDigitOne = 1+$IPhashInt%8;
$randomDigitTwo = 1+$IPhashReversedInt%8;
$randomComboOne = $randomDigitOne * $randomDigitTwo + $randomDigitOne;
$randomComboTwo = $randomDigitOne * 10 + $randomDigitTwo;
$randomComboThree = $randomDigitOne + $randomDigitTwo*10;
$wordHashInt = filter_var($wordHash, FILTER_SANITIZE_NUMBER_INT);
$wordHashFinal = md5(10+(($randomComboThree*($wordHashInt%$randomComboTwo+abs($randomComboOne-$randomComboTwo))) % (2+($randomComboOne*10) % ($randomComboTwo+1))));
$wordHashHashed = $wordHashFinal[-2];
$theResult = $word.$connectorChar.$wordHashHashed.$randomDigitOne.$randomDigitTwo;
$current .= “Script generated an email address: “.$theResult.”\n”;
$current .= “~ ~ ~ ~\n”;

file_put_contents($file, $current,FILE_APPEND);

if (filesize($file) > 500*1024) {
$filename2 = “$file”.date(“c”);
rename($file, $filename2);
touch($file); chmod($file,0666);
return $theResult;

$_SESSION[‘theEmail’] = $theOutput;
$theOutput = $_SESSION[‘theEmail’];
echo $theOutput.”@”.$myDomain;