Email Obfuscation Helps Spammers

Some people think email obfuscation is a good way to fight spam, that it's somehow more difficult for spammers to understand "account at domain dot com" or "account&#64;domain.com" than "account@domain.com". These people are wrong. They will often readily admit that they don’t think email obfuscation will stop all spam, but it still makes them feel like they’re doing something in the war on drugs terrorism spam. Here's what they're doing: in addition to making email more difficult for legitimate uses, they're actually making it easier for spammers.

Google returns 27 million results for "* at * dot com". That's 27 million email addresses waiting to be spammed. Google doesn’t allow you to search for the "@" sign, so that’s 27 million email addresses that wouldn’t be available on Google if they were not obfuscated. Email obfuscation not only doesn’t hurt spammers — it actually helps them. Where it doesn’t make it easier, it acts as a placebo, making people feel more comfortable and complacent living in a world of spam. Like everything else, if you don’t want your email address publicly available, don’t put it on the public web. But if we want to be able to publish email addresses on the web, we can’t continue this half-hearted war on spam, hiding under our beds of obfuscation and hoping they won’t find us.

 
 
 
In some ways, obfuscated addresses are even more valuable to spammers, as the very act of obfuscation could suggest that the address is important to someone.
 
 
 
 
It seems that you are correct in your initial statement. I would however like to point out that this is only one method of email obfuscation, and that there are many others which are much more effective!
 
 
 
 
Yeah, David, the general problem is that to be useful, email addresses must be comprehensible to humans, and that requires that they follow some sort of standard pattern, and machines can read patterns. I could type my email address as sc0tt-at-randomcha0s-dot-com (change all zeros to o's when de-obfuscating), and I expect no machines could read that, but I'd lose my ability to communicate with many people in the process. It's an arms race on both ends, but at least on server-side filtering, we get spam poetry out of it.
 
 
 
 
G'day,

Sorry for the plug, but this seems relevant - we created reCAPTCHA mailhide to help stop this problem, it's available free for individual and website use - http://mailhide.recaptcha.net/

-Mike Crawford, Carnegie Mellon University
 
 
 
 
Hand write it -- scan it, hope their OCR doesn't find it.
 
 
 
 
It's better to use a pic with the email address. They have OCR software but it is more difficult for spammers to get your address.
 
 
 
 
I just post it in a .png file. Not like an equation like "2 + one" will stop spambots, but I'm being forced to input it saying that I'm not one at the end of this post.
 
 
 
 
wow, same time, same OCR word in comments!!! something is wrong in this world...
 
 
 
 
I like the idea of "logic games". In the footer of my website, I give my email address as "firstname at fullname dot com". Since my real name is in the header of the site, any human can parse that -- and if they can't, I don't want to receive email from them anyway -- but a machine will fail. (I do feel sorry for anyone on the receiving end of firstname@fullname.com, though I'd bet it just bounces.) Of course, this doesn't protect from a human spammer from gleaning my address, but that's unavoidable.
 
 
 
 
It's easy to decrypt a simple (and most used) email obfuscation using regexp. Case in point...
http://www.openjs.com/scripts/regexp/email_decrypter.php
 
 
 
 
However (at least now):

"Sorry, Google does not serve more than 1000 results for any query."
 
 
 
 
I have two (or three) email addresses. One for friends etc and another throw away address for the world. When I just have to put an email out there I use the throw away. I click on it once a month, select all, delete all, and go about my business. I don't care if it gets jammed with spam because I don't read anything there.
 
 
 
 
I have a bit of fun with mine...I use "my identifier"@the better university than oxford.ac.uk . Anyone with a reason to get in touch with me knows to use 'cambridge' or 'cam', and if they don't, my counterpart at Oxford gets my spam. Either way, I win.
 
 
 
 
I always liked x@y.com where x=whatever and y=yahoo.
 
 
 
 
Wow, where did this sudden flood of commenters come from today?

Images don't work for blind people, and I'm more willing to exclude people who can't do math than people who can't see. "2 + one" stops the vast majority of spam bots, in my experience. The rest I catch by moderating all comments with links.
 
 
 
 
Obfuscating your address may falsely convince you that your important address is safe. If it's published, in any form (even in the firstname at lastname dot c0m form, or as some kind of puzzle), it is possible for a member of the public (including spammers) to get it. A much better method is to set up a disposable address which forwards to your sacred address. Once the disposable address is compromised and you start getting spam via it, just kill it off and replace it with a different disposable address. Once you trust a sender, you can give them your sacred address. I started using junk1@... in about 2000, and am now on junk7@... and my sacred address is mainly spam free.
 
 
 
 
The recent comment flood probably comes from your post having been picked up on reddit.com.
 
 
 
 
Wow, where did this sudden flood of commenters come from today?

reddit.com -- you're on the front page.
 
 
 
 
Obfuscation has worked very well for me. Simply changing a normal mailto: link to text reading "miles at tinyapps dot org" has reduced my daily spam volume by around 80%. I've used SpamAssassin for years, so spam rarely makes it to my inbox in any case.
 
 
 
 
from reddit
 
 
 
 
What I continually fail to understand (someone please explain) is why a spammer thinks that someone who's gone to the effort of obfuscating their email address is likely to be the type of person that is going to respond to an email offering them Viagra or telling them that they've won the Nigerian lottery.

There are obviously some idiots out there who respond to them, but they are not likely to be the ones that are going out of their way to avoid spam.

Personally, I've got my own domain name and use companyname@mydomainname.com or websitename@mydomainname.com whenever I register somewhere. If I do start getting spam at that specific address, I just redirect it to junk. Pretty effective so far.
 
 
 
 
how about a double @ like mymail@@somewhere.com
not a valid mail AND not searchable
but it's obvious what to do to fix it
 
 
 
 
"I have two (or three) email addresses. One for friends etc and another throw away address for the world. When I just have to put an email out there I use the throw away. I click on it once a month, select all, delete all, and go about my business. I don't care if it gets jammed with spam because I don't read anything there."

--Then what's the point of having that e-mail address at all???
 
 
 
 
That extra step (spammers having to go to Google and search for the query, at dot com) may just be the security blanket that most people need to feel safe posting their e-mail address online on forums, etc. Pick your lesser of the two evils or get another e-mail address that you don't have to have daily. There are also services that will create a receive only e-mail box for you such as dodgeit.com.
 
 
 
 
http://bla.st/theobfuscator.php
 
 
 
 
"What I continually fail to understand (someone please explain) is why a spammer thinks that someone who's gone to the effort of obfuscating their email address is likely to be the type of person that is going to respond to an email offering them Viagra or telling them that they've won the Nigerian lottery.

There are obviously some idiots out there who respond to them, but they are not likely to be the ones that are going out of their way to avoid spam.

Personally, I've got my own domain name and use companyname@mydomainname.com or websitename@mydomainname.com whenever I register somewhere. If I do start getting spam at that specific address, I just redirect it to junk. Pretty effective so far."

Right, and the Christian Republicans are the least likely to be gay, molest kids, or cheat on their wives.
 
 
 
 
It's down to 2.4 million now..........
 
 
 
 
Change your email address regularly (if possible) using an algorithm that is easy to use and remember.
For example fredyyyy@provider.com where yyyy is the year, I know that it is simple if not simplistic, but it does take spammers a while to catch up.
It needs to be easy so that people that you know can figure it out.
 
 
 
 
One technique I've used is to use a bit of JavaScript and document.write() to programmatically create the email link. A browser with JavaScript will show a regular clickable email link to a human. A spider is unlikely to bother to execute any JS on the page, and the email address in the source is in a form that isn't extractable without running the simple algorithm in the script.
 
 
 
 
userdomain.com
 
 
 
 
oop, that didn't work. try again:
user [ img src=at_.gif] domain.com
 
 
 
 
nice layout
 
 
 
 
Where possible, your contact points on the web should be via a form. Negating this, expect spam. Set up SpamAssassin or use a web-based email account that filters it well.

If you wish to be proactive, report your spam as you receive it, e.g. spamcop.net
 
 
 
 
About spam... I think your anti-spam protection on this blog could be a bit clearer.
 
 
 
 
Not all the folks using "at" are trying to obfuscate for spammers. I use postfix's username-keyword@domain (and username+keyword@domain) form to put my email address up for people, and then procmail to filter out addresses that get acquired by spambots. However, yahoo and topica auto-obfuscate published email addresses, which is awesome if you use a clicky-client for your mail but not so awesome if you don't.
 
 
 
 
I'm a big fan of the spam game and play it constantly at my page (www.comradesmack.com/cms/contact). There's a few other creative ways to do it such as having multiple links which, when clicked, MsgBox parts of the Email.

I don't mind this anti-spam game.
 
 
 
 
Not only reddit... I just got here from StumbleUpon.

Anyway, that's not the only kind of obfuscation, and not the kind I use. I'm well aware it's easy enough for spambots to pick up the meaning of something like foo at blah dot com, because it's regular. But how about something like: foo@throwthispartout.blah.thistoo.com.andthis?
 
 
 
 
neminem, did you see what I wrote to David? You can't confuse bots without confusing people, because people write bots.
 
 
 
 
There's another service worth mentioning (rejectmail.com) that lets you create dummy email accounts for this purpose.
 
 
 
 
Do not think bots can't do something a regular browser can. Using XUL applications, or scripting addons such as Greasemonkey, it is quite easy to write a very clever spider bot. While performance can be an issue (not when you are a spammer with some kind of botnet at your disposal), your bot has full access to the DOM, knows about JavaScript, knows about CSS.
The solution cannot be purely technical.
 
 
 
 
I think the best way to publish your email without actually publishing it is to switch parts of the address. Example: google@com.john What do you think?
 
 
 
 
http://www.modernbluedesign.com/web-design-blog/fighting-spam-with-css/
 
 
 
 
Just use gmail. It pretty much blocks all my spam even if I plaster my email address all across the web.
 
 
 
 
I never write my email address anywhere; instead I always refer to my contact page (http://sunbeam60.net/contact.asp) where I use JavaScript to assemble the email address on the client.
 
 
 
 
Wow, where do you people get your information? You're using outdated obfuscation techniques.

Try a mixed ISO/Hex obfuscator like this one:

http://www.seowebsitepromotion.com/obfuscate_email.asp

I get excellent results, and it overcomes every problem previously mentioned on this page.
 
 
 
 
Screw it all - use Postini (which is now tied in w/ Google) for $3/year. It is simply the best mail filtering software out there. I've owned my domain for 15 years - same e-mail address for the whole time. I used to get 200+ spam per day - yes, per day. With Postini I get *maybe* 1-2 per week, if that.

http://www.google.com/a/help/intl/en/security/compare.html

Trust me, you will love it.
 
 
 
 
@JQPublic:
Entity obfuscation is the easiest thing in the world to "crack." I made up an obfuscation decoder (http://jasonpriem.com/obfuscation-decoder) that has no problem translating mixed entity encodings (and other obfuscations) into email addresses; it took me a few hours, and most of my time was spent making regexes to decode a variety of "foo [at] bar [dot] com"-style munges.

The more important point, though, is that obfuscation is a fundamentally broken idea. The web is not for hiding things, it's for making them open. Especially as semantic web technologies find traction, we're going to find that we want machines to be able to read and understand content like email addresses.
 
 
 
 
Obfuscation is not about hiding your email from spammers, it's about making it 'non-standard'. With any pattern or encoding that you use that is different from the 10s of thousands of other ways people are 'hiding' their email address, you are making it harder for a spammer to single out your pattern for recognition.

Of course, if you don't put your email address on the net at all, then, it'll never get found. I always use a contact form that posts to a php script that contains my email address where no one can get at it.
 
 
 
 
Yup, I'm making my own test. If you don't mind ;)

awztr1-01a@yopmail.com
awztr1-02b @ yopmail , com
awztr1-03c at yopmail.com
awztr1-04d at yopmail dot com
awztr1-05f[@]yopmail[.]com
awztr1-06g@yopmail
awztr1-07h at yopmail
awztr1-08i at yopmail , com
awztr1-09j[a]yopmail.com
awztr1-10k[remove]@yopmail.com
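
A self-audit for the test in the comment above, as an added example that is not code from the post or from any commenter: it mirrors the ten published forms onto constructed example.com addresses, adds the `&#64;` entity form from the post, and reports which ones a few fixed rewrites turn back into a deliverable address. The rewrite list and the names `recover` and `audit` are assumptions of this example.

```python
import html
import re

# Rewrites a human reader applies without thinking, in order (assumed list).
REWRITES = [
    (r"\[\s*remove\s*\]", ""),                                      # "[remove]" filler
    (r"\s*[\[({]\s*(?:@|at|a)\s*[\])}]\s*|\s+at\s+|\s*@\s*", "@"),  # [@] [at] [a] " at "
    (r"\s*[\[({]\s*(?:\.|dot)\s*[\])}]\s*|\s+dot\s+|\s*,\s*(?=[a-z]{2,}\b)", "."),
]

# A deliverable-looking address: local part, "@", host with at least one dot.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Constructed samples mirroring the ten forms in the comment, plus the entity form.
SAMPLES = [
    "user01@example.com",
    "user02 @ example , com",
    "user03 at example.com",
    "user04 at example dot com",
    "user05[@]example[.]com",
    "user06@example",
    "user07 at example",
    "user08 at example , com",
    "user09[a]example.com",
    "user10[remove]@example.com",
    "user11&#64;example.com",
]

def recover(published):
    """Return the address a pattern-based reader recovers, or None."""
    text = html.unescape(published)  # character references such as &#64; become "@"
    for pattern, replacement in REWRITES:
        text = re.sub(pattern, replacement, text, flags=re.IGNORECASE)
    match = ADDRESS.search(text)
    return match.group(0) if match else None

def audit(samples):
    """Map each published form to the recovered address (None = survived)."""
    return {sample: recover(sample) for sample in samples}

if __name__ == "__main__":
    for published, recovered in audit(SAMPLES).items():
        print(f"{published!r:32} -> {recovered or 'not recovered'}")
```

The only two forms that survive are the ones that drop the top-level domain, which a human correspondent then has to guess as well.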
 
