How to Protect Your Email Address from Scrapers and Data Brokers
Before an AI cold email reaches your inbox, someone — or more likely, some tool — found your email address. The data pipeline for cold email starts with scraping: automated tools that harvest email addresses from public sources, compile them into databases, and sell them to anyone with a credit card and an outreach tool.
Understanding how scrapers find you is the first step to reducing your exposure. But prevention has limits — which is why the most effective protection combines exposure reduction with inbox-level defences.
Where Scrapers Find Your Email Address
1. LinkedIn
LinkedIn is the primary source for B2B cold email targeting. Tools like Apollo, Hunter, and Lusha either access LinkedIn's data directly or use it as a starting point to find associated email addresses. Even if your email isn't listed on your LinkedIn profile, these tools use pattern matching (firstname.lastname@company.com) and verification services to guess and confirm your address.
2. Company websites
Contact pages, team pages, and "about" sections frequently list email addresses. Even if you use a contact form, your domain is exposed — tools use domain-based pattern matching to generate likely addresses.
3. Domain registration (WHOIS)
If you own a domain and didn't use WHOIS privacy protection, your registration email is publicly available in the WHOIS database. This is a common source of spam for small business owners and indie founders.
4. Data brokers and lead databases
Services like ZoomInfo, Apollo, Clearbit, and dozens of others maintain databases of business email addresses compiled from multiple sources. These databases are sold as "B2B lead data" and power the majority of cold email campaigns.
5. GitHub, forums, and public posts
Git commits, forum posts, mailing list archives, and social media posts all expose email addresses. A single public commit with your email in the author field is enough for scrapers to find you.
How to Reduce Your Exposure
LinkedIn
- Remove your email address from your LinkedIn profile's "Contact Info" section
- Set your profile visibility to limit what non-connections can see
- Disable "Allow others to see your email address" in privacy settings
Company website
- Use contact forms instead of listing email addresses directly
- If you must list an email, use a general address (hello@, contact@) rather than personal ones
- Consider using email obfuscation techniques (JavaScript-rendered addresses) to slow scrapers
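One way to implement the JavaScript-rendered address from the last bullet, as an added example that is not part of the original article: the served page carries only an XOR-encoded hex string, and the address is rebuilt on click. The function names, the `contact` class, the `data-k`/`data-c` attributes and the sample key are assumptions made for illustration.

```javascript
// Added example. Assumes an ASCII address and an alphanumeric key.
// Build step: XOR each character with the key and hex-encode the result,
// so the served HTML never contains "name@domain" text.
function encodeAddress(address, key) {
  return Array.from(address, (ch, i) =>
    (ch.charCodeAt(0) ^ key.charCodeAt(i % key.length))
      .toString(16).padStart(2, "0")).join("");
}

// Inverse of encodeAddress: two hex digits per character.
function decodeAddress(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    const byte = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode(byte ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// Markup to emit in place of a mailto: link (attribute names are hypothetical).
function renderPlaceholder(address, key) {
  const code = encodeAddress(address, key);
  return `<a href="#" class="contact" data-k="${key}" data-c="${code}">Show email</a>`;
}

// Self-check: does the markup still expose an address to a plain pattern match?
const ADDRESS_PATTERN = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i;
function exposesAddress(html) {
  return ADDRESS_PATTERN.test(html);
}

// Browser side: the first click decodes the address and turns the link into mailto:.
function attachReveal(doc) {
  doc.querySelectorAll("a.contact[data-c]").forEach((link) => {
    link.addEventListener("click", (event) => {
      event.preventDefault();
      const address = decodeAddress(link.dataset.c, link.dataset.k);
      link.textContent = address;
      link.href = "mailto:" + address;
    }, { once: true });
  });
}
if (typeof document !== "undefined") attachReveal(document);
```

Running `exposesAddress` over generated pages in a build check catches a template that still prints the address in plain text.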
Domain registration
- Enable WHOIS privacy protection through your domain registrar (usually free or ~$10/year)
- Use a registrar that offers it by default (Cloudflare, Namecheap)
Git and code
- Use GitHub's no-reply email address (username@users.noreply.github.com) for commits
- Configure git config user.email to use a private address
Data broker opt-outs
- Submit removal requests to major data brokers: ZoomInfo, Apollo, Clearbit, Lusha
- Use services like DeleteMe or Privacy Duck that automate opt-out requests across multiple brokers
- Note: opt-outs are imperfect — data brokers re-scrape sources, and your address may reappear
When Prevention Isn't Enough
The reality is that if you're a professional with any public presence, complete prevention is impossible. Your email address is already in databases. Reducing exposure slows the rate of new cold email, but doesn't stop campaigns that already have your address.
This is why the most practical approach combines exposure reduction (making your address harder to find) with inbox-level protection (handling the cold email that finds you anyway). Sender verification systems like Captchainbox operate at the inbox level: regardless of how many databases have your address, unknown senders must verify before reaching you.
Frequently Asked Questions
Can I request data brokers delete my information under GDPR?
Yes, if you're an EU resident. GDPR's right to erasure (Article 17) requires data controllers to delete personal data upon request. US-based data brokers must comply for EU data subjects. In practice, enforcement varies, and re-scraping means your data may reappear.
Should I use a + alias for signups?
Yes. Using felix+service@gmail.com for signups lets you track which services share your address (if you start getting cold email to felix+service@gmail.com, you know who leaked it). Gmail delivers all + alias variations to your main inbox.
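The tracking described in this answer can be automated over a mailbox export. This is an added example, not part of the original article: the sample messages, the service names and the `.example` sender domains are constructed, and the rule that a service's own mail comes from a domain containing its tag is an assumption.

```javascript
// Constructed sample: To/From pairs as they might appear in a mailbox export.
const SAMPLE_MESSAGES = [
  { to: "Felix <felix+shopco@gmail.com>", from: "news@shopco.example" },
  { to: "felix+shopco@gmail.com", from: "Sales <sales@leadblast.example>" },
  { to: "FELIX+ShopCo@gmail.com", from: "growth@outreachly.example" },
  { to: "felix+forum@gmail.com", from: "noreply@forum.example" },
  { to: "felix@gmail.com", from: "bob@unknown.example" },
];

// Strip an optional display name ("Name <addr>") and normalise case.
function bareAddress(header) {
  const match = header.match(/<([^>]+)>/);
  return (match ? match[1] : header).trim().toLowerCase();
}

// Return the part of the local name after "+", or null when no alias was used.
function plusTag(address) {
  const local = address.slice(0, address.lastIndexOf("@"));
  const plus = local.indexOf("+");
  return plus === -1 ? null : local.slice(plus + 1);
}

// Group third-party sender domains by the alias they wrote to.
// Assumption: mail from the service itself comes from a domain containing the tag.
function findLeaks(messages) {
  const leaks = {};
  for (const message of messages) {
    const tag = plusTag(bareAddress(message.to));
    if (!tag) continue; // untagged mail carries no attribution
    const sender = bareAddress(message.from);
    const senderDomain = sender.slice(sender.lastIndexOf("@") + 1);
    if (senderDomain.includes(tag)) continue; // the service itself
    if (!leaks[tag]) leaks[tag] = [];
    if (!leaks[tag].includes(senderDomain)) leaks[tag].push(senderDomain);
  }
  return leaks;
}
```

A sender can strip the +tag before mailing, so untagged cold email does not clear any service.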
Is email obfuscation on websites effective?
Moderately. JavaScript-rendered email addresses stop simple scrapers but not sophisticated ones. It's worth doing but shouldn't be your only defence. Contact forms are more effective than obfuscation.