Many people obfuscate their email addresses–typing out someguy (at) somedomain (dot) com, for example–to project themselves from SPAM bots. Do such obfuscation techniques actually work?
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-drive grouping of Q&A web sites.
SuperUser reader Kyle Cronin wants to know if such email obfuscation techniques are worth the hassle:
Most of the time when I see someone post their email address online, especially if it’s a personal address, they use something like
me [at] example [dot] com
instead of the actual email address (email@example.com). Even top members of this community use similar styles in their profiles:
quixote dot su over yonder near that gmail place
The typical rationale is that this kind of obfuscation prevents the email address from being automatically recognized and harvested by spammers. In an age where spammers can beat all but the most diabolical captchas, is this really true? And given how effective modern spam filters are, does it really matter if your email address is harvested?
Given that it’s a hassle for the actual humans you’re trying to communication with (and potentially not much of a hassle for the harvester bots you’re trying to avoid) it’s worth digging deeper to find out if the techniques are really effective.
SuperUser contributor Akira offers up a study on the matter to support using obfuscation:
Some time ago I stumbled upon the post of someone who created a honeypot and waited for differently obsfucated email-addresses coming back:
CSS Codedirection 0 MB
<span style="unicode-bidi:bidi-override; direction: rtl;"> moc.elpmaxe@zyx </span>
CSS display:none 0 MB
ROT13 Encryption 0 MB
Using ATs and DOTs 0.084 MB
xyz AT example DOT com
var m = 'xyz'; // you can use any clever method of m += '@';
// creating the string containing the email m += 'example.com';
// and then add it to the DOM (eg, via $('.email).append(m); // jquery)
Replacing ‘@’ and ‘.’ with Entities 1.6 MB
Splitting E-Mail with comments 7.1 MB
xyz<!-- eat this spam -->@<!-- yeah! -->example<!-- shoo -->com
Urlencode 7.9 MB
Plain Text 21 MB
This is the original statistical graph made by Silvan Mühlemann, all credit goes towards him:
So, to answer the question: Yes, (in a way) email obsfucation works.
Contributor ak86 weighs in, noting that whatever you gain through obfuscation you lose through inconvenience to yourself and your fellow emailer:
There was an interesting article by Cory Doctorow recently on this subject here which argued that email obfuscation doesn’t serve much purpose, and a more optimal approach is intelligently managing the spam you get.
- The objective of this entire exercise is not to reduce the amount of spam you get in your email, but the amount of spam you manually have to remove from your inbox.
- Email obfuscation is a constant battle to come up with ever sophisticated bot-proof, human-readable encoding, and is a drain on the productivity of both the creator, and the correspondent.
- “Almost any email address that you use for any length of time eventually becomes widely enough known that you should assume all the spammers have it.”
- “The convenience of stable, easily copy-pastable email addresses” wins over trying to hide from the spambots.
Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.