Quick Links

Many people obfuscate their email addresses--typing out someguy (at) somedomain (dot) com, for example--to project themselves from SPAM bots. Do such obfuscation techniques actually work?

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-drive grouping of Q&A web sites.

The Question

SuperUser reader Kyle Cronin wants to know if such email obfuscation techniques are worth the hassle:

Most of the time when I see someone post their email address online, especially if it's a personal address, they use something like

me [at] example [dot] com

instead of the actual email address (me@example.com). Even top members of this community use similar styles in their profiles:

jt.superuser[AT]gmail[DOT]com

quixote dot su over yonder near that gmail place

The typical rationale is that this kind of obfuscation prevents the email address from being automatically recognized and harvested by spammers. In an age where spammers can beat all but the most diabolical captchas, is this really true? And given how effective modern spam filters are, does it really matter if your email address is harvested?

Given that it's a hassle for the actual humans you're trying to communication with (and potentially not much of a hassle for the harvester bots you're trying to avoid) it's worth digging deeper to find out if the techniques are really effective.

The Answer

SuperUser contributor Akira offers up a study on the matter to support using obfuscation:

Some time ago I stumbled upon the post of someone who created a honeypot and waited for differently obsfucated email-addresses coming back:

Nine ways to obfuscate e-mail addresses compare

CSS Codedirection 0 MB

        <span style="unicode-bidi:bidi-override; direction: rtl;"> moc.elpmaxe@zyx </span> 
    

CSS display:none 0 MB

        xyz<span style="display:none">foo</span>@example.com 
    

ROT13 Encryption 0 MB

        klm@rknzcyr.pbz 
    

Using ATs and DOTs 0.084 MB

        xyz AT example DOT com 
    

Building with Javascript 0.144 MB

        var m = 'xyz'; // you can use any clever method of m += '@';
    
        // creating the string containing the email m += 'example.com';
    
        // and then add it to the DOM (eg, via $('.email).append(m); // jquery) 
    

Replacing '@' and '.' with Entities 1.6 MB

        xyz&#64;example&#46;com 
    

Splitting E-Mail with comments 7.1 MB

        xyz<!-- eat this spam -->@<!-- yeah! -->example<!-- shoo -->com 
    

Urlencode 7.9 MB

        xyz%40example.com 
    

Plain Text 21 MB

        xyz@example.com 
    

This is the original statistical graph made by Silvan Mühlemann, all credit goes towards him:

So, to answer the question: Yes, (in a way) email obsfucation works.

Contributor ak86 weighs in, noting that whatever you gain through obfuscation you lose through inconvenience to yourself and your fellow emailer:

There was an interesting article by Cory Doctorow recently on this subject here which argued that email obfuscation doesn't serve much purpose, and a more optimal approach is intelligently managing the spam you get.

TL;DR version:

  • The objective of this entire exercise is not to reduce the amount of spam you get in your email, but the amount of spam you manually have to remove from your inbox.
  • Email obfuscation is a constant battle to come up with ever sophisticated bot-proof, human-readable encoding, and is a drain on the productivity of both the creator, and the correspondent.
  • "Almost any email address that you use for any length of time eventually becomes widely enough known that you should assume all the spammers have it."
  • "The convenience of stable, easily copy-pastable email addresses" wins over trying to hide from the spambots.

Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.