482

Most of the time when I see someone post their email address online, especially if it's a personal address, they use something like

me [at] example [dot] com

instead of the actual email address (me@example.com). Even top members of this community use similar styles in their profiles:

jt.superuser[AT]gmail[DOT]com

quixote dot su over yonder near that gmail place

The typical rationale is that this kind of obfuscation prevents the email address from being automatically recognized and harvested by spammers. In an age where spammers can beat all but the most diabolical captchas, is this really true? And given how effective modern spam filters are, does it really matter if your email address is harvested?

Kyle Cronin
  • 7,489

14 Answers

567

Some time ago I stumbled upon the post of someone who created a honeypot and waited to see what came back to differently obfuscated email addresses:

Nine ways to obfuscate e-mail addresses compared (amount of spam received by each address):

CSS code direction: 0 MB spam

<span style="unicode-bidi:bidi-override; direction: rtl;">
moc.elpmaxe@zyx
</span>

CSS display:none: 0 MB spam

xyz<span style="display:none">foo</span>@example.com

ROT13: 0 MB spam

klm@rknzcyr.pbz

Using ATs and DOTs: 0.084 MB spam

xyz AT example DOT com

Building with JavaScript: 0.144 MB spam

var m = 'xyz';         // you can use any clever method of
m += '@';              // creating the string containing the email
m += 'example.com';    // and then add it to the DOM (eg, via
$('.email').append(m); // jquery)

Replacing '@' and '.' with entities: 1.6 MB spam

xyz&#64;example&#46;com

Splitting e-mail with comments: 7.1 MB spam

xyz<!-- eat this spam -->@<!-- yeah! -->example<!-- shoo -->com

URL-encoding: 7.9 MB spam

xyz%40example.com

Plain text: 21 MB spam

xyz@example.com

This is the original statistical graph made by Silvan Mühlemann; all credit goes to him:

(Graph: the stats as made by Silvan Mühlemann)

So, to answer the question: Yes, (in a way) email obfuscation works.

akira
  • 63,447
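As an added example (not part of akira's answer or of Silvan Mühlemann's honeypot), the following JavaScript rebuilds several of the forms from the table above, pairs each with the step a browser or reader performs to get the address back, and checks whether a naive plain-text address pattern still matches the page text. The sample address and the pattern are constructed for illustration.

```javascript
// Added example, not from the original answer or Silvan Mühlemann's post: it
// re-creates several of the obfuscated forms listed above, pairs each with the
// reverse step a browser (or a human reader) performs, and records whether a
// naive plain-text address pattern still matches. Sample address and pattern
// are constructed for this example.

const NAIVE_ADDRESS = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/;

const rot13 = (s) => s.replace(/[a-z]/gi, (c) => {
  const base = c <= 'Z' ? 65 : 97;
  return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
});

const reverse = (s) => [...s].reverse().join('');

// encode: what goes into the page source; render: what the browser displays
// (for AT/DOT, what a reader mentally substitutes).
const methods = {
  plain:     { encode: (a) => a, render: (h) => h },
  rot13:     { encode: rot13, render: rot13 },   // ROT13 is its own inverse
  entities:  { encode: (a) => a.replace(/@/g, '&#64;').replace(/\./g, '&#46;'),
               render: (h) => h.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(+n)) },
  urlencode: { encode: encodeURIComponent, render: decodeURIComponent },
  comments:  { encode: (a) => a.replace('@', '<!-- eat this spam -->@<!-- yeah! -->'),
               render: (h) => h.replace(/<!--[\s\S]*?-->/g, '') },
  rtl:       { encode: (a) => `<span style="unicode-bidi:bidi-override; direction: rtl;">${reverse(a)}</span>`,
               render: (h) => reverse(h.replace(/<\/?span[^>]*>/g, '')) },
  atdot:     { encode: (a) => a.replace('@', ' AT ').replace(/\./g, ' DOT '),
               render: (h) => h.replace(/ AT /g, '@').replace(/ DOT /g, '.') },
};

// For each method: the page text, whether the naive pattern finds an address
// in it, and whether the rendered text equals the original address.
function compare(address) {
  const out = {};
  for (const [name, m] of Object.entries(methods)) {
    const onPage = m.encode(address);
    out[name] = {
      onPage,
      naiveMatch: NAIVE_ADDRESS.test(onPage),
      rendersCorrectly: m.render(onPage) === address,
    };
  }
  return out;
}

console.table(compare('xyz@example.com'));  // constructed sample address
```

ROT13 still matches the plain-text pattern, but the string a harvester would extract is not the real address, which is consistent with the 0 MB the honeypot recorded for it.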
53

There was an interesting article by Cory Doctorow recently on this subject here which argued that email obfuscation doesn't serve much purpose, and a more optimal approach is intelligently managing the spam you get.

TL;DR version:

  • The objective of this entire exercise is not to reduce the amount of spam you get in your email, but the amount of spam you manually have to remove from your inbox.
  • Email obfuscation is a constant battle to come up with ever more sophisticated bot-proof, human-readable encoding, and is a drain on the productivity of both the creator and the correspondent.
  • "Almost any email address that you use for any length of time eventually becomes widely enough known that you should assume all the spammers have it."
  • "The convenience of stable, easily copy-pastable email addresses" wins over trying to hide from the spambots.
ak86
  • 641
28

So many people still use @ and . outright that there's little need for a spammer to come up with a way to defeat any sort of obfuscation; work not done is money/time not spent.

28

Anything that is done by lots of people will be defeated, but if you hide your email address in a way that not many web sites do, then the spammers will not invest the money in finding it. (They are trying to make money so will only invest a lot when the returns are high.)

So don't use a method other people use; come up with your own. This is one I have just come up with (don't all copy it, or it will stop working):

Email: remove all numbers and use the same domain as my web site is on: i23an@notMyDomain.com

MrWhite
  • 2,963
Ian Ringrose
  • 1,299
18

Spammers are not the NSA. It is not important for them to crack your obfuscation. Any effort made to disguise your email address is probably sufficient to the task.

The more interesting question is, why not just use a disposable email account as a cutoff to filter responses on public forums? That way you don't care if the account gets spam, and after vetting legitimate responses you can contact your correspondents via your regular email account.

Robusto
  • 331
11

Yes, it is true in most cases, because you need a pattern for email harvesting; the more complex the pattern, the more expensive (time/money) it is for spammers to work at getting emails. Of course nothing stops manual harvesting, but that is very low. What is usually done is that non-JS-encoded, plain text emails are harvested (check any 1-2 year old website that is unchanged, and I bet you $20 bucks it's a plain text email and they get tons of spam).

At my company all the external-facing emails are obfuscated using a series of server-side and JS client-side methods.

So an email never really looks like an email, and the pattern ALWAYS changes. You would be surprised how well this method works; sure, some methods are compromised and easily broken, but more elaborate methods of email obfuscation usually make the harvesting pointless, as the sheer amount of pattern detection would require a lot of invested resources.

Brute force of CAPTCHAs is different: there the hackers/spammers/harvesters TARGET a specific site. This does not really apply to small mom & pop websites, which might use a myriad of obfuscation methods, or to sites where users post emails in a variety of formats and obfuscation styles (omitting the .com or .net, etc.).

Most harvesters are not JavaScript-aware, that is, they do not process JS, which makes those methods more costly for harvesters. There are some harvesters that do try to process JS, but like I said, it is very costly when you are running millions of emails in a matter of minutes; you don't want to go down to 10s or 100s if you can do 1000s.

My method of using a different random method each time works very well; I have yet to get any spam on my account.

Jakub
  • 3,181
11

I have 2 obfuscation methods not mentioned. Neither affords the benefit of being a clickable link, or even cut-and-paste.

  • Use a graphic element instead of text.

  • Line the elements up vertically, with columns of other stuff to the left and/or right:

email     dummy@
me at:    example.com
Mark Ransom
  • 2,258
8

JS obfuscation does work up to a point with simple wget-based harvesters, but I guess that JS-enabled IE instances are also being employed, and they can read what the web user would see.

When the address is harvested, or stolen via a security breach on one of your favourite sites, as it eventually will be, it'll be out there being replicated on spammers' lists forever.

My own email address is so old it predates spam, and is therefore visible all over the net, so I get thousands of delivery attempts per week... bring it on! I have had time to develop a sophisticated system that effectively turns it into a spamtrap, with high-scoring stuff auto-reported to SpamCop to aid the community.

Spam will be defeated one day, and I've seen encouraging signs that it is in decline.

7

I put my email address in the clear on the web everywhere, and contrary to popular belief this doesn't seem to have any effect on the amount of spam that I receive. It's been stable at an average of 3 per day for a long time. So I'd say that obfuscation is useless.

I do notice that very short usernames (e.g. wim@example.com) result in more spam. Apparently the email addresses used by spammers are simply generated by trying all possible short letter combinations, and by using name lists.

wcoenen
  • 2,340
6

One thing that worked very well for me is using ASP.NET to create a "LinkButton". This LinkButton then has a Response.Redirect("mailto:MailAddress"); as the "onClick" action. This will result in the LinkButton having a javascript:DoPostBack(...) as the URL. In the end it makes a server request which returns a "redirect to the mail address". The farm bots never got this email.

sinni800
  • 3,169
4

I don't think it helps a whole lot using the standard [AT] and [DOT], but using either words that mean things or can be realized to mean at and dot... or even _A((T>> or anything else that is reasonably random... just my thoughts on the matter.

RobotHumans
  • 5,934
4

If you try to search for email addresses with Google, you will find out that it is really hard, and Google for some reason does not have many of them in the form "common.name@wellknown.domain" - maybe a self-restriction?

If I search for "maier[at]berlin.de", I find more hits than if I search for "maier@berlin.de", and the @ seems to work as a wildcard. The hits aren't really mail addresses.

And on the other side, you want your customers (if you have any, and contact them on the web) to use a comfortable mailto link, without fiddling around and removing fancy pants.

So if you still don't trust Google, Bing, Bong and Zong (maybe they sell mail addresses separately?), you can compose your email address with a little bit of JavaScript:

"mailto" + ":" + "wagner" + "." + "stefan" + "@" + "paris" + "." + "de"

I guess most web crawlers don't interpret JavaScript, and will have a hard time finding your address in a big, automated and cheap process.

user unknown
  • 1,872
3

From my experience with the Sblam! anti-spam service there's a lot of technically incompetent spammers, who nevertheless keep trying, probably because there's a lot of unprotected emails to harvest (and unprotected sites to spam), so even simple obfuscation might stop some harvesters.

OTOH, updating the regular expression in a harvester to look for (@| AT ) is not rocket science, and probably many spammers have done it already.

Puzzles that annoy humans are not worth it. I've devised a standards-compliant obfuscation that encodes e-mail addresses with entities and URL encoding and adds unusual constructs to the URL and HTML (source code):

http://hcard.geekhood.net/encode/?addr=test@example.com

This gives a link that is readable and fully functional for real users, but can be harvested only by spammers who take the effort to parse HTML and URLs correctly (it might avoid some spam, or at least it promotes web standards among harvester writers! ;)

Kornel
  • 1,365
2

Since email lists are sold, one company can figure out the easy one and then others can use it. In that way it is similar to any DRM.