E-mail obfuscation?

I was reading a thread on e-mail and spam over at Tek-Tips the other day, and several of the posters recommended e-mail obfuscation as a method for avoiding spam. For example, listing your address as "bob AT foo DOT com" or "johnATgmailNOSPAM.com" instead of the actual address. This sort of thing is everywhere now, and has been for several years.

My question is: why are people still doing this? Does it actually still work? I mean, is there any actual evidence that obfuscating your e-mail addresses is an effective way to combat spam? Or is it just that it used to work years ago and nobody has bothered to re-evaluate the method?

I've read studies in the past that indicated this was effective, but nothing recently. For example, about three years ago I read a paper that found entity and/or URL encoding your address worked very well, e.g. the letter "A" would become &#65; in the text and %41 in the clickable link.

But that was years ago. And while the spammers may be subhuman dirt-bags, they're not stupid or lazy. I find it impossible to believe that the people writing address harvesters have just been sitting on their thumbs for the past three years. These obfuscation methods have been in wide circulation for some time, so they must have accounted for them by now.

And when you think about it, it's not even really that hard. For example, converting URL and entity encoding to plain text is a simple matter for anyone with a Python/Perl/whatever interpreter and a chart of the relevant character set. Likewise, accounting for simple obfuscations like the ones I mentioned earlier is well within the abilities of any competent programmer. A talented programmer could do it in an afternoon with a few well-placed regular expressions.

The futility of obfuscation becomes much clearer when you consider that the address harvesters don't necessarily care that much about the quality of the addresses they collect. Sure, high-quality, known-good addresses are more valuable, but the low-quality, probably invalid ones can still be sold for a few pennies per thousand. And since many (if not most) spammers are using botnets to do their dirty work - stealing the bandwidth they use to send spam - they aren't hurt much by having a bunch of bogus addresses in their lists. Why not just try a few variations on any potentially obfuscated addresses just in case you get lucky?

Pretty much the only obfuscation methods I've seen that seem to be effective are putting the address in an image and using some convoluted JavaScript to disguise the e-mail address, but still make the mailto link function normally. The problem with these approaches is that they're extremely annoying and inaccessible to people with disabilities. They also don't offer any guarantees. Image recognition software is getting better and there's nothing to stop the harvesters from implementing JavaScript interpreters, so while both techniques may work now, it seems they're living on borrowed time.

It seems to me that the whole thing is just an ill-conceived battle to maintain the old way of doing things. If you're really that concerned about your e-mail address being harvested on a web site, then just don't display it on the site at all. Just use a PHP form mailer, or something. They're not hard to set up and they offer complete protection because your e-mail address doesn't have to appear on the page in any way, shape, or form. They also have the advantage of being completely accessible to users with visual impairments or who, for whatever reason, can't use JavaScript.
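
The server-side half of the form-mailer approach recommended above, as an added example that is not code from the original post, written in Python rather than PHP. The addresses, the field names (`name`, `email`, `subject`, `message`) and the local mail relay are assumptions; the owner's address exists only in server-side configuration, and line breaks in header fields are rejected so the form cannot be used to add recipients.

```python
import re
import smtplib
from email.message import EmailMessage

# Assumption: the site owner's address lives only in server-side config.
RECIPIENT = "owner@example.com"   # placeholder; never sent to the browser
SENDER = "webform@example.com"    # placeholder From address for the form
ADDR_RE = re.compile(r"[^@\s<>,;:]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
MAX_BODY = 5000                   # arbitrary cap on message length


def build_contact_message(form: dict) -> EmailMessage:
    """Turn submitted form fields into a message for the fixed recipient.

    Raises ValueError on input that is malformed or tries to add headers.
    """
    name = form.get("name", "").strip()
    reply_to = form.get("email", "").strip()
    subject = form.get("subject", "").strip()
    body = form.get("message", "")

    # Header fields must be single-line: a CR or LF here is how a form
    # mailer gets abused to smuggle in extra To:/Bcc: headers.
    for label, value in (("name", name), ("email", reply_to), ("subject", subject)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in {label}")
    if not ADDR_RE.fullmatch(reply_to):
        raise ValueError("invalid reply address")
    if not body.strip() or len(body) > MAX_BODY:
        raise ValueError("message empty or too long")

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT         # never taken from the form
    msg["Reply-To"] = reply_to    # visitor's address, used only for replies
    msg["Subject"] = f"[contact form] {subject[:100] or '(no subject)'}"
    msg.set_content(f"From: {name or 'anonymous'} <{reply_to}>\n\n{body}")
    return msg


def send(msg: EmailMessage, host: str = "localhost") -> None:
    """Hand the message to a mail relay (assumed to listen on port 25)."""
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)
```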

So, in conclusion, please don't obfuscate your e-mail address. It's really annoying, sometimes inaccessible, and there's no evidence that it still works but plenty of reason to suspect it doesn't.
