SEARCH

How-To Geek

Does Email Address Obfuscation Actually Prevent Spam?

Many people obfuscate their email addresses–typing out someguy (at) somedomain (dot) com, for example–to project themselves from SPAM bots. Do such obfuscation techniques actually work?

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-drive grouping of Q&A web sites.

The Question

SuperUser reader Kyle Cronin wants to know if such email obfuscation techniques are worth the hassle:

Most of the time when I see someone post their email address online, especially if it’s a personal address, they use something like

me [at] example [dot] com

instead of the actual email address (me@example.com). Even top members of this community use similar styles in their profiles:

jt.superuser[AT]gmail[DOT]com

quixote dot su over yonder near that gmail place

The typical rationale is that this kind of obfuscation prevents the email address from being automatically recognized and harvested by spammers. In an age where spammers can beat all but the most diabolical captchas, is this really true? And given how effective modern spam filters are, does it really matter if your email address is harvested?

Given that it’s a hassle for the actual humans you’re trying to communication with (and potentially not much of a hassle for the harvester bots you’re trying to avoid) it’s worth digging deeper to find out if the techniques are really effective.

The Answer

SuperUser contributor Akira offers up a study on the matter to support using obfuscation:

Some time ago I stumbled upon the post of someone who created a honeypot and waited for differently obsfucated email-addresses coming back:

Nine ways to obfuscate e-mail addresses compare

CSS Codedirection 0 MB

<span style="unicode-bidi:bidi-override; direction: rtl;"> moc.elpmaxe@zyx </span> 

CSS display:none 0 MB

xyz<span style="display:none">foo</span>@example.com 

ROT13 Encryption 0 MB

klm@rknzcyr.pbz 

Using ATs and DOTs 0.084 MB

xyz AT example DOT com 

Building with Javascript 0.144 MB

var m = 'xyz'; // you can use any clever method of m += '@';
// creating the string containing the email m += 'example.com';
// and then add it to the DOM (eg, via $('.email).append(m); // jquery) 

Replacing ‘@’ and ‘.’ with Entities 1.6 MB

xyz&#64;example&#46;com 

Splitting E-Mail with comments 7.1 MB

xyz<!-- eat this spam -->@<!-- yeah! -->example<!-- shoo -->com 

Urlencode 7.9 MB

xyz%40example.com 

Plain Text 21 MB

xyz@example.com 

This is the original statistical graph made by Silvan Mühlemann, all credit goes towards him:

So, to answer the question: Yes, (in a way) email obsfucation works.

Contributor ak86 weighs in, noting that whatever you gain through obfuscation you lose through inconvenience to yourself and your fellow emailer:

There was an interesting article by Cory Doctorow recently on this subject here which argued that email obfuscation doesn’t serve much purpose, and a more optimal approach is intelligently managing the spam you get.
TL;DR version:

  • The objective of this entire exercise is not to reduce the amount of spam you get in your email, but the amount of spam you manually have to remove from your inbox.
  • Email obfuscation is a constant battle to come up with ever sophisticated bot-proof, human-readable encoding, and is a drain on the productivity of both the creator, and the correspondent.
  • “Almost any email address that you use for any length of time eventually becomes widely enough known that you should assume all the spammers have it.”
  • “The convenience of stable, easily copy-pastable email addresses” wins over trying to hide from the spambots.

Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.

 

Jason Fitzpatrick is warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 11/29/12

Comments (19)

  1. Russ

    Check this online email obfuscator here: http://www.sodefesa.es/jmaguilar/liame/javascriptgeneratore.aspx
    Is that legit?

  2. Dwight Stegall

    I read that bots will collect it any ay it can get it. Then the bots owner pieces the address back together again. So, no it doesn’t help.

  3. r

    Obfuscate, lol…how ambiguous

  4. Chemical

    If you use gmail they offer an easy alias feature:

    SteveHorwards + “Name of Company / Website” @ gmail.com

    So if I have to register at a website I don’t completely trust I would use SteveHowards+BiteMeSpam@gmail.com. The email ends up in my SteveHoward@gmail account but it’s addressed to the alias. If the website does sell your email to spam bots you can simply filter out the alias.

  5. bobro

    I have never done this for protecting against spam, some sites dont let you put your email address in though when posting so it was a way to get round that… never to protect myself from spam… I feel spam is always going to get through unless i block my mum and sisters, and dad, and mate paul, and work coleagues, and that one site i once bought some business cards from and might use again in the future… I just accept that opening my inbox will see a slew of [delete] presses.

  6. Bigtech

    Generally speaking it is a battle. Any obfuscation technique that becomes popular will become known to the spammers and once it is known they can develop ways to unravel it. Another interesting method I cam across was reverse notation.

    my@example.com becomes com.example@my

    Of course the idea is… eventually you will get spam no matter what you do.. So don’t go killing yourself and making your email address a pain for other people.

  7. Leo

    I’d always thought that people do this to get round word filters on forums etc. where posting of personal details is prohibited.

  8. OldSalt

    I have one email account that has “junkmail” in the leading portion of the address. I almost never get unsolicited email. The only spam mail comes from transactions that I have done and have given that email address in the purchasing process. As these emails come in, I set a rule that actual moves them to a junkmail folder that is purged once a month by scheduled task.

  9. john senchak

    How I do it is have special role account for each site, so say I shop at Walgreens.com , I use walgreens@ ” my domain name .com” Each site has it’s own email address and if it gets spammed then I just change it to something else. then delete the old one. It’s a lot easier because many sites make you use a email address during the login process. By using the site name with the email address it makes things a lot easier

  10. Joseph

    I would have thought spammers using latest technology were able to automatically substitute ‘@’ for ‘at’ and ‘.’ for ‘dot’ etc. I am not much of a programmer myself but it should be possible to write a program that can reconstruct an obfuscated email. If I am right, there wouldn’t be much point obscuring one’s address.

  11. Stephen - NYC

    @john senchak, That’s exactly what I do. So far 2 of my accounts have been compromised and I had to tweak the email for the companies/newletters. One which was affected was my account at the good folks at windows secrets. They acknowledged that they didn’t send it. I think my mistake was making the email address too easy for a spammer person to guess it (assuming they already had my domain name). So I changed it and now if the old address comes in, it gets deleted automatically.

  12. Brian

    I used to manually process and handle spam email.
    Then I got turned onto:
    SpamGourmet.com
    OnlyMyEmail.com

    I rarely, if ever, get unwanted spam anymore using those tools.

  13. WhytteDragun

    My solution to spam is creating throwaway addresses. Say my regular address is whyttedragun@yahoo.com – if I’m at a site called bigtrucks.com that needs my email address, I pop over to yahoo mail and create a throwaway address something like whyttedragun-bigtrucks@yahoo.com – the mail sent to that address goes into my regular inbox so it’s just as easy to check as my regular mail is and if My solution to spam is creating throwaway addresses. Say my regular address is whyttedragun@yahoo.com – if I’m at a site called bigtrucks.com that needs my email address, I pop over to yahoo mail and create a throwaway address something like whyttedragun-bigtrucks@yahoo.com – the mail sent to that address goes into my regular inbox so it’s just as easy to check as my regular mail is and if I start getting spam sent to that address, I know who gave the spammers my address and it’s very easy to just remove the throwaway address.

  14. Jim

    Although spammers could write software to decode *any* form of encryption, the real question is “Is it worthwhile for spammers to do it?” Any such processing will slow down their software that parses out email addresses and the harvest of un-encrypted email addresses is bountiful. Too bad the workers aren’t few.

    I’d like to segway to a different, but related, discussion: What form of encryption works for putting email addresses on web sites, where the webmaster’s software does the encryption? I manage a website that opened in 1997 (a non profit organization that has a zero budget).

    My webmaster email address and thousands of users’ email addresses were originally plain mailto links, in plain text. I was getting dozens of spam emails per day addressed to webmaster. On a forum I read that a very simple encryption worked by replacing the @ with @ in both the displayed and link part of email addresses would prevent some spambots from snatching the email address. The @ went into the html code. Browsers convert that (and other escaped characters) to the appropriate character for display and the email address that gets passed to any email client from a mailto link. Some very early browsers, before circa 2000, did not do the conversion.

    In my homemade content management system all email addresses get encrypted that way. After several weeks I noticed I was getting less spam (I think), but that could also have just been because my ISP’s spam filtering was working better.

    In our case, I expected most of our web site visitors would not be experienced enough to know that if they saw “[at]” or “_at_” in an email address that they should edit the email address manually.

    Does anybody out there have suggestions or experience with how to encrypt email addresses on web sites?

  15. Bob

    I don’t get too excited about spam in the mail. I have a gmail address and it is very good at filtering the crap. Just occasionally it will wrongly tag a good email as spam so you have to look at the spam folder. You can also manually tag an email as spam and that sticks for future emails from that source.

  16. john

    Please these guys review the database every once in a while and when they see a new scheme it takes a few mins to crack it and then they take a few more to update their code to reverse it. I suspect that graph is very old. my SW skills are not the greatest and I could write a routine that would parse these strings to valid emails in a few minutes.

    Jim was saying this would slow the spammers SW down, yea if you care about a few milliseconds. I am with him though on wondering how the heck you encrypt emails on a website. not in the database but in the actual HTML.

  17. Mal

    I’ve been using an anti-SPAM product called Mailwasher Pro for many years and found it to be very easy to set up and use, and very efficient at filtering out the rubbish.

    Also use different email addresses for different purposes, so if SPAM starts appearing on a particular address, it gets dumped then establish a new one. Not very onerous… :)

  18. OldSalt

    ~Jim,

    I also maintain a website and forum for a Not-for-Profit group. I use a separate email address for contact for the webmaster and don’t use the word webmaster on the site…”Contact myseparateemail@domain.com for questions or inquiries”

    For the members, I don’t allow email addresses to be posted and require they use instant messaging through the site for communications. Then, if they want to email amongst themselves, they can. Also, if they want to post an email address in a forum post, then they do it as an individual post. So far, the only problems have come from rare website hacks and daily attempts of spammers to create forum accounts. Requiring a location in the profile set-up and manually approving account activations has made it fairly easy to identify spammers and then Blocking IP addresses and email domains of the spammers.

  19. Jer

    Far from ideal but In some cases you can post an image of your email address.

    Another way, if your address has numbers in it, could be to type it out normally but subtract 1 from the number portion. Obviously noting the fact so people know to add it back.

    Actually that’s dumb, don’t do that..

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!