comments | Email Obfuscation Helps Spammers | typewriting

Comment by Drew McLellan

Tue, 20 Jun 2006 11:14:12 -0700

In some ways, obfuscated addresses are even more valuable to spammers, as the very act of obfuscation could suggest that the address is important to someone.

Comment by David Barker

Mon, 03 Jul 2006 18:35:19 -0700

It seems that you are correct in your initial statement. I would however like to point out that this is only one method of email obfuscation, and that there are many others which are much more effective!

Comment by Scott Reynen

Mon, 03 Jul 2006 22:06:13 -0700

Yeah, David, the general problem is that to be useful, email addresses must be comprehensible to humans, and that requires that they follow some sort of standard pattern, and machines can read patterns. I could type my email address as sc0tt-at-randomcha0s-dot-com (change all zeros to o's when de-obfuscating), and I expect no machines could read that, but I'd lose my ability to communicate with many people in the process. It's an arms race on both ends, but at least on server-side filtering, we get spam poetry out of it.

Comment by Everyone

Sat, 16 Jun 2007 09:07:12 -0700

G'day,

Sorry for the plug, but this seems relevant - we created reCAPTCHA mailhide to help stop this problem, it's available free for individual and website use - http://mailhide.recaptcha.net/

-Mike Crawford, Carnegie Mellon University

Comment by I

Sat, 16 Jun 2007 09:35:31 -0700

Hand write it -- scan it, hope their OCR doesn't find it.

Comment by JustElite

Sat, 16 Jun 2007 09:35:57 -0700

Is better to use a pic with email address. They have OCR software but it is more difficult for spammers to get your address.

Comment by Tom

Sat, 16 Jun 2007 09:36:28 -0700

I just post it in a .png file. Not like a equation like "2 + one" will stop spambots, but I'm being forced to input it saying that I'm not one at the end of this post.

Comment by Liviu

Sat, 16 Jun 2007 09:37:16 -0700

wow, same time, same OCR word in comments!!! something is wrong in this world...

Comment by Justin

Sat, 16 Jun 2007 09:53:18 -0700

I like the idea of "logic games". In the footer of my website, I give my email address as "firstname at fullname dot com". Since my real name is in the header of the site, any human can parse that -- and if they can't, I don't want to receive email from them anyway -- but a machine will fail. (I do feel sorry for anyone on the receiving end of firstname@fullname.com, though I'd bet it just bounces.) Of course, this doesn't protect from a human spammer from gleaning my address, but that's unavoidable.

Comment by Binny V A

Sat, 16 Jun 2007 09:59:58 -0700

Its easy to decrypt a simple(and most used) email obfuscation using regexp. Case in point...
http://www.openjs.com/scripts/regexp/email_decrypter.php

Comment by Adam

Sat, 16 Jun 2007 10:07:40 -0700

However (at least now):

"Sorry, Google does not serve more than 1000 results for any query."

Comment by DrJohn

Sat, 16 Jun 2007 10:28:42 -0700

I have two (or three) email addresses. One for friends etc and another throw away address for the world. When I just have to put an email out there I use the throw away. I click on it once a month, select all, delete all, and go about my business. I don't care if it gets jammed with spam because I don't read anything there.

Comment by Granta

Sat, 16 Jun 2007 10:36:26 -0700

I have a bit of fun with mine...I use "my identifier"@the better university than oxford.ac.uk . Anyone with a reason to get in touch with me knows to use 'cambridge' or 'cam', and if they don't, my counterpart at Oxford gets my spam. Either way, I win.

Comment by WebmasterX

Sat, 16 Jun 2007 10:37:34 -0700

I always liked x@y.com where x=whatever and y=yahoo.

Comment by Scott Reynen

Sat, 16 Jun 2007 10:44:56 -0700

Wow, where did this sudden flood of commenters come from today?

Images don't work for blind people, and I'm more willing to exclude people who can't do math than people who can't see. "2 + one" stops the vast majority of spam bots, in my experience. The rest I catch by moderating all comments with links.

Comment by I

Sat, 16 Jun 2007 10:54:23 -0700

Obfuscating your address gives may falsely convince you that your important address is safe. If it's published, in any form (even in the firstname at lastname dot c0m form, or as some kind of puzzle), it is possible for a member of the public (including spammers) to get it. A much better method is to set up a disposable address which forwards to your sacred address. Once the disposable address is compromised and you start getting spam via it, just kill it off and replace it with a different disposable address. Once you trust a sender, you can give them your sacred address. I started using junk1@... in about 2000, and am now on junk7@... and my sacred address is mainly spam free.

Comment by Vineet

Sat, 16 Jun 2007 10:55:16 -0700

The recent comment flood probably comes from your post having been picked up on reddit.com.

Comment by someone

Sat, 16 Jun 2007 10:56:18 -0700

Wow, where did this sudden flood of commenters come from today?

reddit.com -- you're on the front page.

Comment by Miles

Sat, 16 Jun 2007 11:06:09 -0700

Obfuscation has worked very well for me. Simply changing a normal mailto: link to text reading "miles at tinyapps dot org" has reduced my daily spam volume by around 80%. I've used SpamAssasin for years, so spam rarely makes it to my inbox in any case.

Comment by Alexandre Gravier

Sat, 16 Jun 2007 11:06:48 -0700

from reddit

Comment by hobart

Sat, 16 Jun 2007 11:41:11 -0700

What I continually fail to understand (someone please explain) is why a spammer thinks that someone who's gone to the effort of obfuscating their email address is likely to be the type of person that is going to respond to an email offering them Viagra or telling them that they've won the Nigerian lottery.

There are obviously some idiots out there who respond to them, but they are not likely to be the ones that are going out of their way to avoid spam.

Personally, I've got my own domain name and use companyname@mydomainname.com or websitename@mydomainname.com whenever I register somewhere. If I do start getting spam at that specific address, I just redirect it to junk. Pretty effective so far.

Comment by hmmm

Sat, 16 Jun 2007 12:07:43 -0700

how about a double @ like mymail@@somewhere.com
not a valid mail AND not searchable
but it's obvious what to do to fix it

Comment by Jenni

Sat, 16 Jun 2007 13:50:36 -0700

"I have two (or three) email addresses. One for friends etc and another throw away address for the world. When I just have to put an email out there I use the throw away. I click on it once a month, select all, delete all, and go about my business. I don't care if it gets jammed with spam because I don't read anything there."

--Then what's the point of having that e-mail address at all???

Comment by FiveZeroFive.com

Sat, 16 Jun 2007 13:55:47 -0700

That extra step (spammers having to goto Google and search for the query, at dot com) may just be the security blanket that most people need to feel safe posting their e-mail address online on forums, etc. Pick your lesser of the two evils or get another e-mail address that you don't have to have daily. There are also services that will create a receive only e-mail box for you such as dodgeit.com.

Comment by Tim

Sat, 16 Jun 2007 14:04:26 -0700

http://bla.st/theobfuscator.php

Comment by geekygirl23 from reddit

Sat, 16 Jun 2007 14:07:32 -0700

"What I continually fail to understand (someone please explain) is why a spammer thinks that someone who's gone to the effort of obfuscating their email address is likely to be the type of person that is going to respond to an email offering them Viagra or telling them that they've won the Nigerian lottery.

There are obviously some idiots out there who respond to them, but they are not likely to be the ones that are going out of their way to avoid spam.

Personally, I've got my own domain name and use companyname@mydomainname.com or websitename@mydomainname.com whenever I register somewhere. If I do start getting spam at that specific address, I just redirect it to junk. Pretty effective so far."

Right, and the Christian Republicans are the least likely to be gay, molest kids, or cheat on their wives.

Comment by irq

Sat, 16 Jun 2007 14:30:32 -0700

It's down to 2.4 million now..........

Comment by maybe helpful

Sat, 16 Jun 2007 14:54:42 -0700

Change your email address regularly (if possible) using an algorithm that is easy to use and remember.
For example fredyyyy@provider.com where yyyy is the year, I know that it is simple if not simplistic, but it does take spammers a while to catch up.
It needs to be easy so that people that you know can figure it out.

Comment by ghewgill

Sat, 16 Jun 2007 15:02:54 -0700

One technique I've used is to use a bit of Javascript and document.write() to programatically create the email link. A browser with Javascript will show a regular clickable email link to a human. A spider is unlikely to bother to execute any JS on the page, and the email address in the source is in a form that isn't extractable without running the simple algorithm in the script.

Comment by lb2

Sat, 16 Jun 2007 16:07:16 -0700

userdomain.com

Comment by lb2

Sat, 16 Jun 2007 16:09:08 -0700

oop, that didn't work. try again:
user [ img src=at_.gif] domain.com

Comment by asd

Sat, 16 Jun 2007 17:14:38 -0700

nice layout

Comment by Matt

Sat, 16 Jun 2007 20:09:09 -0700

Where possible, your contact points on the web should be via a form. Negating this, expect spam. Set up SpamAssassin or use a web-based email account that filters it well.

If you wish to be proactive, report your spam as you receive it eg spamcop.net

Comment by Someone

Sun, 17 Jun 2007 06:46:08 -0700

About spam... I think your anti-spam protection on this blog could be a bit clearer.

Comment by clynne-typewriting@ofb.net

Mon, 18 Jun 2007 09:49:24 -0700

Not all the folks using "at" are trying to obfuscate for spammers. I use postfix's username-keyword@domain (and username+keyword@domain) form to put my email address up for people, and then procmail to filter out addresses that get acquired by spambots. However, yahoo and topica auto-obfuscate published email addresses, which is awesome if you use a clicky-client for your mail but not so awesome if you don't.

Comment by Comrade Smack

Tue, 19 Jun 2007 11:47:47 -0700

I'm a big fan of the spam game and play it constantly at my page (www.comradesmack.com/cms/contact). There's a few other creative ways to do it such as having multiple links which, when click, MsgBox parts of the Email.

I don't mind this anti-spam game.

Comment by neminem

Tue, 19 Jun 2007 15:30:58 -0700

Not only reddit... I just got here from StumbleUpon.

Anyway, that's not the only kind of obfuscation, and not the kind I use. I'm well aware it's easy enough for spambots to pick up the meaning of something like foo at blah dot com, because it's regular. But how about something like: foo@throwthispartout.blah.thistoo.com.andthis?

Comment by Scott Reynen

Tue, 19 Jun 2007 19:19:17 -0700

neminem, did you see what I wrote to David? You can't confuse bots without confusing people, because people write bots.

Comment by tim

Wed, 20 Jun 2007 01:17:27 -0700

There's another service worth mentioned (rejectmail.com) that lets you create dummy email accounts for this purpose.

Comment by Chaos Intestinal

Wed, 20 Jun 2007 05:05:21 -0700

Do not think bots can't do something a regular browser can. Using XUL applications, or scripting addons such as Greasemonkey, it is quite easy to write a very clever spider bot. While performances can be an issue (not when your are a spammer with some kind of botnet at your disposal), your bot has full access to the DOM, knows about Javascript, knows about CSS.
The solution cannot be purely technical.

Comment by Saulius

Tue, 26 Jun 2007 22:44:03 -0700

I think the best way to publish you email without actually publishing it is to switch parts of the address. Example: google@com.john What do you think?

Comment by Peter

Wed, 27 Jun 2007 07:41:47 -0700

http://www.modernbluedesign.com/web-design-blog/fighting-spam-with-css/

Comment by zero

Wed, 27 Jun 2007 18:33:50 -0700

Just use gmail. It pretty much blocks all my spam even if I plaster my email address all across the web.

Comment by Bjorn

Thu, 28 Jun 2007 04:59:43 -0700

I never write my email address anywhere; instead I always refer to my contact page (http://sunbeam60.net/contact.asp) where I use JavaScript to assemble the email address on the client.

Comment by JQPublic

Thu, 06 Mar 2008 23:26:32 -0800

Wow, where do you people get your information? You're using outdated obfuscation techniques.

Try a mixed ISO/Hex obfuscator like this one:

http://www.seowebsitepromotion.com/obfuscate_email.asp

I get excellent results, and it overcomes every problem previously mentioned on this page.