Is E-Mail Obscuration Worth It?

ThenAgain asks: "Many sites obscure e-mail addresses by adding noise (like 'STOPSPAM') or by translating the punctuation into words (Ex: 'me at domain dot com'). This makes users feel good but does it actually help? Ten lines of perl could defeat any of the present schemes with ease and the spammers have shown plenty of adaptability. So if we're not helping hold back the flood of spam, why are we decreasing the utility of the web by eliminating mailto tags and forcing users to hand-correct the addresses in their mail clients?"

first post?

[Sdevine]

I'd say the obfuscation makes us feel better and the spammers don't care anyway. they have millions of addresses and more everyday from folks who don't take a second to obfuscate..

Re:first post?

Not obfuscation, 'obscuration'. Moron.

Re:first post?

[Zork+the+Almighty]

Don't be so quick to call someone a moron when you might be one yourself.

Re:first post?

[kiatoa]

"obfuscation makes us feel better..."

Might make you feel better but it annoys me when I attempt to contact someone only to have my mail bounce because I didn't notice their obfuscated mail address.

Personally I use Active Spam Killer (http://http://sourceforge.net/projects/a-s-k) and generally don't care who gets my email address. I get two or three spams a week due to false hits on my white list which I could clean up with a little effort. I'll say it again - if enough folks used ASK or a similar mechanism then spammers would be without a purpose. Unless of course I'm missing something...

Because...

[Hanji]

Ten lines of perl could defeat any of the present schemes with ease...

Yes, but, for now at least, there are still plenty of addresses from people who don't spam-guard, enough that writing those 10 lines of perl isn't even really worth it.

Also, if you have your address spam-guarded, it's effectively a message to the spammers that, "I'm not one of the .01% of people who responds to this crap, and anything you send me will just hit my spam-filter anyways, so don't even try."

And they don't, because it's just not worth it for both those reasons.

Re:Because...

[Babbster]

A couple things:

1. Writing those "ten lines of perl" is indeed worth it if you want the addresses from the site doing the obfuscation, especially if you know something about those contributing to the site and want to target particular types of people (probably not done often by spammers as they obviously prefer the shotgun approach). Spamming is a business and they can afford to pay programmers - and they DO, given that there are companies out there making software to service spammers.

2. If the obfuscation is automatic or defaults to "on" there really is no message being sent by the owner of the address.

I leave my address open (here and elsewhere) for two reasons: I don't really care what drops into that particular inbox and there's enough filtering on it, local and remote, that it's still useful as an open contact point.

Re:Because...

[StenD]

Yes, but, for now at least, there are still plenty of addresses from people who don't spam-guard, enough that writing those 10 lines of perl isn't even really worth it.

It isn't even necessary to obfuscate addresses to foil many spammers. I generally use email addresses of the format user+folder@domain, and virtually all spammers who harvest the address either spam userfolder@domain, or folder@domain. It's nice for spammers to identify themselves, while not obfuscating my email address.

Re:Because...

[AuMatar]

Even more than that- writing those 10 lines of perl would hurt the spammer. Think of it this way- the odds of someone who goes to the trouble of obscurification buying something in spam is virtually nil- an order of magnitude less than those who don't. By not picking up those addresses, he's raising his reply rate and success rate, saving himself money.

Re:Because...

[Net_Wakker]

Also, if you have your address spam-guarded, it's effectively a message to the spammers that, "I'm not one of the .01% of people who responds to this crap, and anything you send me will just hit my spam-filter anyways, so don't even try." And they don't, because it's just not worth it for both those reasons.

I beg to differ. Opting out is mostly used as an emailaddress confirmation, even though a better message stating that you do not want their mail is hardly possible. As long as people pay spammers to get their message out to X million unique "prospective customers," spammers will think these 10 lines of perl are worth their while. They already have to write some perl to harvest emailaddresses from usenet and webpages anyways.

Re:Because...

[Weh]

I suspect that the email harvesters don't really care about the person behind the email address, all they want is lots of valid email addresses which they can sell to spammers.

Re:Because...

[funky+womble]

The majority of websites requiring your email address don't allow you to enter + as a character.

Re:Because...

If spammers are paid by number of addresses reached (which obviously, since they don't accept bounces, isn't verifiable), surely they'd rather list both foo@nospam.example.com and foo@example.com so they can charge twice?

Re:Because...

[larry+bagina]

there was a slsahdot article a couple weeks aback about an anti-spam group over in Europe that bought a CD of email addresses to analyze it. They found a lot of duplicates, a lot of invalid (as in not legal format) addresses, a lot of ed@myNOSPAMsite.com obfuscication, and postmaster@127.0.0.1. Whether tha address is valid isn't even a concern for harvesters, apparrently.

Re:Because...

[StenD]

I have ways around that. But most websites which I register at don't display my email address to the public, so I'm primarily at risk from their mailing lists being stolen/sold. I've had that happen, but the problem is still limited to blocking the compromised email folder.

Re:Because...

[ptomblin]

isn't even really worth it

You know, if spammers cared a whit about anything except getting more addresses onto their "10 million email addresses" CDs that they sell by spamming, that would have some validity. However experience tells me otherwise.

Spammers have hit email addresses that have only ever been used in postings in news.admin.net-abuse.email. They also spam my abuse@ email addresses. If there is any group of people more likely to have heavy spam filters and/or to complain or retaliate against spammers, it would be the people who post to n.a.n-a.e, and the people who handle spam abuse complaints for their domain. You'd think out of sheer self-preservation that spammers wouldn't bother those people, but they do.

Re:Because...

[Carnildo]

a lot of ed@myNOSPAMsite.com obfuscication, and postmaster@127.0.0.1.

Shouldn't that be "postmaster@[127.0.0.1]"?

Re:Because...

[perlchild]

A few notes:
since for now, very few people obscure the same way, those ten lines of perl actually are probably closer to 30, just to eliminate the creative obsc. that get done, it's not worth it.

Should we all pick ONE true way to obscure, you can expect methods to defeat it to gain popularity.

Recently there was another slashdot about why lots more random "legal" words were introduced in spam, and how it might affect bayes. Many replies correctly pointed out that a correct bayes(individual token lists for each user, who might each have a different spam tolerance level and spam definition) would simply ignore that.

What it does change, is that many "automated" systems, which do not have per-user settings, will now have more false-positives. Which in any case, will require more user intervention, and more work per spam.

That's exactly what spammers want, that the ones making an effort, are the ones NOT getting the spam, and the ones getting the spam being the effortless case. As long as that's what's true, they win.

slashdot@davidcole.net

[DavidCole]

What I usually do is, whenever possible, to put who I'm giving my email address to as the initial part of the email address, ie. slashdot@davidcole.net so I will at least know who the jerk is who sold my address.

Otherwise, I use a hotmail account to commonly give out. Obfuscated email addresses are obnoxious.

Re:slashdot@davidcole.net

[ottawanker]

If you used slashdot@davidcole.net, and got e-mail to that address, how would you know whether slashdot sold the address, or whether someone figured it out from the obfuscated address (if you actually used them that is)?

Re:slashdot@davidcole.net

[richie2000]

Doesn't really matter. The point is, you block the poisoned address and go to the next one. That's why there's a 2 in my address here - I once got a spam to the "slashdot" address. That's probably a few years ago, now. Nothing to this one, yet.

Re:slashdot@davidcole.net

[phorm]

The problem with any site where the email address is publicly viewable is that it is harvested by bots. As per my own similar experience, I think that somewhere a spammer rubs his/her hands in glee every time somebody uses an unobfuscated slashdot email.

Re:slashdot@davidcole.net

[cliveholloway]

I will at least know who the jerk is who sold my address.

Or the jerk who posted it in their slashdot post :)

.02

cLive ;-)

ps - change your sig - or pay your bill! ;-)

Re:slashdot@davidcole.net

[grolschie]

Out of interest, have you received spam courtesy of any site/company that is newsworthy? I wonder how many of these larger "legit" sites/companies give out our email addresses.

Re:slashdot@davidcole.net

[way2trivial]

I do something similar..
ok- the same damn thing.. problem is, I know now that a dictionary attack at davidcole.net is really gonna ruin your day..

I can spam X@davidcole.net thru xxxxxxxxx@davidcole.net and you'll get a butload (see goatse.cx for my idea of a butload) of spam.

and I can put down another 1million valid email addresses on my cd (and they are all at davidcole.net)

What about...

[FooAtWFU]

What about Slashdot's schemes? How good are they? :)

Re:What about...

[sycotic]

so far, so good..

two thumbs up to the slash developers :-)

Re:What about...

[cgranade]

I would be ready to guess: very. Why? They're on a rotation, and there's quite a few... a program that could figure out the obfusication method and deobfusicate within a small enough number of cycles to make it economical would be a program indeed.

Re:What about...

[greenhide]

Right, but here the effort just might be worth it. Consider the market: let's say that just 20% of the users make their obfuscated e-mail available through Slashdot.

At last count, there were 743,601 users on Slashdot. 20% of that is around 168,720 emails. Now, all of these people are geeks, tech-minded, probably have above average earning potential and are much more likely to shell out for technology related items. And if the stereotype were true, they also love reading pr0n and could probably could stand to have their dicks enlarged. Granted, they also hate spam, but that's never been a consideration for spammers anyway.

Since all of the e-mails use the same form of obfuscation, once they've set up the scrubber for that week it's a fairly simple matter to scrub all of the e-mails.

All that being said, I recall reading an article that said simply translating them to numerical entities would do the trick.

Browsers can read them easily; Scrubbers can't. Apparently, they're not a solution on Slashdot, though: I can't get them to show up.

Personally, I think this is the ultimate solution to the problem. Sure, it's possible for scrubbers to change their algorithms to grab these too, but as other people have pointed out more eloquently, there are plenty more fish in the sea -- people who put their addresses out with no obfuscation at all are an easier target.

Are firewalls worth it?

[anim8]

So much energy is put into securing networks that ends up inconveniencing users while tons of exploits abound and social engineering completely bypasses it. Why bother?

The reason people obscure their email is
a) It's fast, easy and doesn't require external software.
b) Sometimes that's all the protection you can get when you post to some sites.

Nothing wrong here. Web utilization is still high. It's the spam that is the problem -- not the countermeasures.

10 Lines?

[swdunlop]

Cool.. So, what ten lines do you recommend?

Give us 10 lines of perl that will harvest armored email accounts out of a large document, with at least half of the harvested addresses actually usable, and at least half of the potential addresses harvested.

The point is to make the harvesting costly, and reduce the usefulness of spam address harvesting. I maintain three email accounts. One that is used publicly, like here on Slashdot, one that is used for business transactions, like ordering things from Amazon, etc, and one that is a throwaway for registering accounts with various online services.

Of the three, the first one, which is displayed widely, on K5, Slashdot, Groklaw, LiveJournal, and a lot of other heavily trafficed community sites, does not receive any spam of note. The second gets a pretty steady flow.. And the third.. Well.. The third is redirected to /dev/null most days, unless I'm looking for one of those precious "email validation" messages.

Btw, that first email address has been in use for over three years, now.

Re:10 Lines?

[GiMP]

Interestingly, I get more spam to my business account (unpublished, but guessable address sales@, support@, etc..) - than I do to any of my other email addresses, even my "throw away" ones.

Re:10 Lines?

[daviddennis]

I could picture someone writing a truly humungous program to get all known variations. You could get one or two variations with 10 lines of Perl, but there are hundreds of different NOSPAM schemes out there, and each one would need a few lines to parse.

davidNOSPAM@amazing.com
david at amazing.com
davidATamazingDOTcom
david@amazing.M OC (with verbal instructions to reverse it)
etc

I don't bother spamguarding my address because I like to make it easy for people to contact me, and because my email address, in use since 1993, is pretty much everywhere anyway.

Quite honestly postal spam bothers me more than email, since I have to physically dispose of it all ...

D

Re:10 Lines?

[euggie]

Being able to harvest /all/ of it is not the point; the important thing is to be able to harvest a reasonable amount of it with your effort you put in. Just doing this will give me a reasonable amount from /.:

s/[\`\'\"]//g;
s/[\-\_\s]*nospam[\-\_\s]*//gi;
s/\s+at\s+/@/i;
s/\s+dot\s+/\./gi;
s/([\@\.])+/ $1/g;

I don't claim to know regex, and I had four beers. (No, it didn't take me one beer for each line *grin*) I am sure a lot of you out there can do a lot better than I did. But the point is, if I can get even 1% of all the obfuscated addresses out there, I am in pretty good shape.

OTOH, I totally hear you though: I don't bother with obfuscating addresses either. I make it unavailable if I can, or give out my mailblocks.com address. :-)

Re:10 Lines?

[ThenAgain]

Cool.. So, what ten lines do you recommend?

Here it is in nine:

#! /usr/bin/perl

while(<>) { while(/([a-z0-9]+\@[a-z0-9.]+\.(com|org|net))/gi) { $a = $1;
$a =~ s/[A-Z]+[0-9]*[A-Z]*//;
print("$a\n");
} while(/([a-z0-9]+ at ([a-z0-9]+ dot)+ (com|org|net))/gi) { $a = $1;
$a =~ s/ at /\@/i;
$a =~ s/ dot /\./ig;
print("$a\n"); } }

A real Perl hacker could probly do it in three, in the shape of a camel.

Re:10 Lines?

[agwis]

"unless I'm looking for one of those precious "email validation" messages."

A bit off topic but I found a cool site that handles those email validation messages you need to get once in awhile. It's called mailinator. Anytime you want to register with a site that asks for your email address so they can send you a validation code (and inevitably spam you to death) you can use mailinator's service for free. All you have to do is write bobs_your_uncle@mailinator.com and then you can login into that account at mailinator. All messages received there get deleted in a few minutes and do note that anyone else can access it as well, but it certainly is a good service to handle for that exact case you mention!

-Pat

Re:10 Lines?

[Just+Some+Guy]

Would you settle for a pony?

Re:10 Lines?

[G.+W.+Bush+Junior]

ThenAgain is actually a spammer...
he figured out that rather than learning perl in order to harvest e-mail adresses more efficiently, he could simply post the question to slashdot and someone would do it for him ;)

think about it :P

Re:10 Lines?

[ThenAgain]

It would be a good consipracy theory if I hadn't been the one to post both the story _and_ the code. Check the by-line. :)

Re:10 Lines?

[G.+W.+Bush+Junior]

lol... right :-D

Re:10 Lines?

[rhetoric]

Although this is admittedly not my idea and offtopic, I must.. A good way to dispose of postal spam, is to open it all, and put the ads from each into the business reply envelopes from others, then mail em off, and let those companies know about all the great deals they can get from the other companies, since they were so kind as to let you know! :D

To stay slightly ontopic, if spammers are actually forced to use addresses we can reply to.. the same concept could be used, forwarding spam to spammers :D

Re:10 Lines?

A real Perl hacker could probly do it in three, in the shape of a camel.

Or a Marlboro. They're about the same shape...

Re:10 Lines?

[filenabber]

And if you want/need the email from a mailinator account in your regular email account, you can use Nator - it scrapes email from mailinator.com and sends it to an email address you specify. It can also create a random email address at mailinator.com for you that you can use in a webform then it will monitor that random address and send it to you when you get an email. Nator is written in java and freeware.

Brian

Re:10 Lines?

[nuintari]

Quite honestly postal spam bothers me more than email, since I have to physically dispose of it all ...

Yeah, but at least postal spam costs the sender money, email spam costs your ISP bandwidth, and despite what anyone will tell you, bandwidth is NOT cheap.

Re:10 Lines?

[gnu-generation-one]

"davidATamazingDOTcom"

That sounds good, until you meet an AOL user, and she asks "why isn't my email to you getting through?"

Where did you send it?

john (dot) doe (at) mydomain (dot) com

Re:10 Lines?

[agwis]

Ya I just noticed that's been released. I haven't had a chance to try it out yet but I'll certainly be downloading it shortly and giving it a try.

There's been a couple of times I've forgotten an access code or password and the original email from Mailinator is long gone. If I understand correctly, Nator will let me download that email to my MUA so I can save it but the site that sent it is none the wiser.

Sounds like a nice addition to Mailinator :) Anything that helps lessen the attack on my Inbox is good in my books!

-Pat

Re:10 Lines?

[kasperd]

\.(com|org|net)

Oh I would love all spammers to do like that.

Re:10 Lines?

[ThenAgain]

Yeah, I figure they'd be a bit smarter about it but I didn't want to take the time. They could probably get rid of it all together.

According to this it works...

[Nemozob]

A study by the Center for Democracy & Technology in 2002 concluded that by either replacing email addresses with the HTML equivalent or human-readable equivalents like "example at domain dot com" signficantly cut down on spam. From their Major Findings: "E-mail addresses posted to Web sites using these conventions did not receive any spam." While, yes, it's relativley easy to write a script that would recombine the addresses, apparenlty most harvesters for whatever reason just aren't. My email address, which is posted online, is 'hidden' in HTML and I get very little spam after many years of having it up.

Re:According to this it works...

[AvitarX]

I don't know what you mean by hidden in HTML

but if you mean a link with a mailto:

I find that surprising.

That would seem to be the first clue that something is an email address.

I am not doubting the finding. I am just suprised.

Re:According to this it works...

[Nemozob]

I mean using the HTML equivalent, so that mailto:joe@server.com is written in the code as mailto: I agree that it should be easy to circumvent but apparently it's not happening yet. BTW, there's an OS X program called SpamStopper that does quick translations like this.

Re:According to this it works...

[CableModemSniper]

I believe he is referring to using HTML entities to "spell out" the email address. Like how you write & for &, but using the entities for @ . the letters, etc.

Harvesting addresses is like picking cotton.

[Anaxagor]

Go have a look around cotton fields just after harvest. Literally tons of the stuff is left behind at the edges of fields, blown along the roadside, lying on the stubble etc. Sure, you could go along and pick it up but the cost of doing so would outweigh the price you'd get for the extra x bushels you'd collect.

It's the same with e-mail addresses - why should a spammer go to the trouble of modifying their bots to detect obscured addresses, when there are plenty of unobscured ones ready for harvest?

I'm sure some spammers do try to pick up obscured addresses, but until they start running out of unobscured addresses, they'll keep going for the masses of low hanging fruit and not bother with the rest.

Of course, obscurity doesn't save your address from brute forcing...

Re:Harvesting addresses is like picking cotton.

Free cotton, you say? Hmm...

*Rents a pickup and heads south*

try this

[Joe+the+Lesser]

email:(Thecapitalofnewyorkstate)354@hotmail.com.fi llintheblank.

no program is gonna figure it out, unless they knew the algorithm, which they likely don't. It's always *possible* to outmanuever the spammers in some way or another.

Whether it's worth the hassle, is of course, your call.

(albany354@hotmail.com is not my actual email address, so feel free to spam it.)

Re:try this

[Pegasus]

Another usefull obfuscation is something like @my.domain.blah.foo.tld. That 10 lines of perl would need to do some serious mx lookups to figure out the real address and that would usually cost some real time when parsing gazilion of obfuscated addresses.

Re:try this

[Craigj0]

>email:(Thecapitalofnewyorkstate)354@hotmail.com.f i llintheblank.
>no program is gonna figure it out, unless they knew the algorithm, which they likely don't. It's always *possible* to outmanuever the spammers in some way or another.
>Whether it's worth the hassle, is of course, your call.

Remember it is not just a hassle for the creator of the email address. It is also a pain in the ass for everyone else. I for one hope I never have to send an email to someone doing that type of masking. How many of us non americans know what the capital of new york state is? I for one will not be looking it up unless I really need to email you.

Re:try this

[gmhowell]

Also, us Americans are woefully ignorant, even of our own geography. I was going to send mail to poughkeepsie354@hotmail.com

Re:try this

[MarkusQ]

I for one will not be looking it up unless I really need to email you.

But...that's exactly the point, isn't it?

-- MarkusQ

Re:try this

[AragornSonOfArathorn]

(albany354@hotmail.com is not my actual email address, so feel free to spam it.)

Wonderful. albany354@hotmail.com is MY email address. Now i'm getting all kinds of spam for dildo-enlargment pills that will help me stop procrastinating. Thanks, you insensitive clod.

Re:try this

[DavidTC]

How many Americans think the capital of New York is New York City?

Re:try this

[Dachannien]

But the capitals of New York are the N and the Y!

Re:try this

[Greedo]

Best obfuscation that I've seen presents email in this form:

me domain com
at dot

That would take some mighty Perl to demangle, I imagine.

Re:try this

[Wolfrider]

[salsacommmercial]

New York CITY!!

Git the rope!

Re:try this

[MemoryAid]

The way I see it, if it's from somebody that doesn't know the capital of New York, I don't want to read it. I'm sure each person could figure out some piece of trivia that, knowing it, would qualify people to send email to them.

Re:try this

[damiam]

Quick - what's the capital of Coahuila (Mexico)? You don't know? Oh, well then I guess nothing you have to say could be of any intrest to a Mexican.

Relying on (rather useless) trivia to determine the value of what someone has to say is a rather arrogant form of (non)communication.

Re:try this

[Prior+Restraint]

Quick - what's the capital of Coahuila (Mexico)? You don't know? Oh, well then I guess nothing you have to say could be of any intrest to a Mexican.

Email is asynchronous; what does being "quick" accomplish? And off the top of my head, I don't know the capital of Coahuila, but since we're assuming a priori that I have an Internet connection, it can't be especially taxing for a human to look it up.

Relying on (rather useless) trivia to determine the value of what someone has to say is a rather arrogant form of (non)communication.

Throwing a shit-fit just because some random person on the Internet doesn't want to talk to absolutely anyone in the world doesn't make you seem like the most enlightened of persons, either.

PS: Thirty seconds on Wikipedia was all it took to come up with "Saltillo" (I'm a slow reader).

Re:try this

[damiam]

I'm not objecting to the entire concept, I was objecting to the statement that, "The way I see it, if it's from somebody that doesn't know the capital of New York, I don't want to read it."

While one can obviously look such things up, the grandparent poster implied that the words of anyone who didn't know it off the top of their head were worthless.

Re:try this

[gnu-generation-one]

"Also, us Americans are woefully ignorant, even of our own geography."

browne[(is france in europe yes or no)]@hotmail.com...

Re:try this

The way I see it, if it's from somebody that doesn't know the capital of New York, I don't want to read it.

I don't have a problem with that, despite not knowing the capital of New York. Given your attitude described above, I'm pretty sure I have no interest in communicating with you.

With any luck you don't read AC replies, so I won't be contradicting myself by posting this. :p

Re:try this

[MemoryAid]

Well, you caught me. I don't really feel that way regarding the capital of New York. It was just a handy example that was already provided.

In the broader sense, jargon is often used in such a way to exclude non-members of some groups from conversation. In polite society, it's not intentionally done (that would be rude), but other times it is used to make the square peg leave the vicinity of the round hole it was trying to fill. Such jargon is very similar to a piece of trivia (for example, who knows what GNU stands for? Be sure to laugh at those who don't, to make sure they go away.)

As far as whether I have anything interesting to say to a Mexican, perhaps I don't, but please don't lump all Mexicans together like that. They hate that. :-)

Re:try this

[MemoryAid]

That attitude was affected, to provoke reaction. And I've got nothing better to do than read AC replies (sadly).

Definitely Worth It

[jmt9581]

I think that it's definitely worth it. There's no standard way of obfuscating the address. Because TIMTOWTDI, your ten-line Perl script either

• Gets very complex very quickly
• Doesn't correctly un-obfuscate every address

For example, while you might post your address as:
user@NOSPAM.domain.com

I may post mine as
user2@no_spam_damnit.domain.com

To me, using relatively simple tricks like this to make the job of a spammer harder is definitely worthwile.

Re:Definitely Worth It

[philthedrill]

Because TIMTOWTDI, your ten-line Perl script either

• Gets very complex very quickly

Sure, but if a lot of people use something rudimentary like user at domain dot com or user@NOSPAM.domain.com, it's pretty trivial, and a simple script will get a pretty good return rate. Screw the extra work for a few more addresses. If I searched for those two patterns on the web, that would probably get me a significant number of addresses for very little work.

• Doesn't correctly un-obfuscate every address

I don't think it matters that much, since they're not using their own relays anyway.

I may post mine as
user2@no_spam_damnit.domain.com

To me, using relatively simple tricks like this to make the job of a spammer harder is definitely worthwile.

I agree. I took the no-holds-barred approach. I have spamtrap addresses set up on my domain, and my school address is displayed as a JPEG.

Re:Definitely Worth It

[sbryant]

This is interesting. I have occasionally gotten spam offering email addresses. They're sorted by domain, have duplicates removed, and also have had addresses removed which contain certain strings such as "spam", as such addresses are generally not real ones - like yours.

Double protection is good, but some people just don't get it, especially when you post in places such as newsgroups, where you've modified your from address. I've wondered whether setting up a real subdomain for real email addresses would help or not (eg: nospam.domain.com, or for you no_spam_damnit.domain.com). It would at least be interesting to see what came in. Maybe somebody did it already.

-- Steve

Re:Definitely Worth It

"For example, while you might post your address as:
user@NOSPAM.domain.com
I may post mine as
user2@no_spam_damnit.domain.com"

The absolute best filter is, if you email address really is userNOSPAM@example.com

If if you have a DNS server, user@nasa.gov.mydomain.com for anyone who filters out addresses with .gov in them

Re:Definitely Worth It

Which makes me ask... if spammers tend to drop e-mail addys with the word "nospam" in them, shouldn't I set my e-mail address to be "nospam@domain.com"?

(Silly question...)

It does help

Most of the spammers just want the easy addresses, and it's not worth it trying to customize things to one site's way of obscuring. I have honeypot email addresses on all my webpages, and those get spammed, but the regular address I have obscured don't. Only "common" ones like info@, webmaster@, etc get the spam.

spamcop.net makes me feel good

[njchick]

I don't obscure my e-mail address. My e-mail is filtered by spamcop.net. All the spam sent to me gets reported without taking too much of my time. It's the feeling that I fight spammers rather than hide from them that makes me feel good. The filtering costs $30 a year, and it's an excellent value. No, I'm not affiliated with spamcop.net in any other way.

My less technical friends have no problem mailing me because I use a mailto link on my homepage.

I use a separate yahoo address for shopping. I don't want my shopping information to be linked to my personal website. The spam from the yahoo address is also fed to spamcop.net. Sometimes I also use one-time hotmail addresses to buy from dealers with high spam risk. I simply stop using those accounts and forget the password once the transaction is complete.

Re:spamcop.net makes me feel good

[sbryant]

My less technical friends have no problem mailing me because I use a mailto link on my homepage.

I have a link too, but I use &#64; instead of @ and that actually works well enough that spam bots don't recognise it. The browersers I've tried (Konq,Moz,IE) display it and handle it properly though. I saw that here a while back in an article about where addresses are most likely to be harvested from.

-- Steve

Re:spamcop.net makes me feel good

[sweet+reason]

an even easier way to get one-time email addresses is spamgourmet.com. you don't have to go to their website more than the once to register. after that, just make up an address and they will forward it to you a limited number of times.

for example, the first 4 messages sent to slashjunk.4.mbloore@spamgourmet.com will be forwarded to me; any more will be eaten.

more control is available if you want it, such as whitelists and resetting the count. and you can reply throgh them, so your forwarding address is not revealed.

it is all free.

Here's what I do

I use images to show the real email address, and instead of a direct mailto link, I make it a http redirect to a mail-to. Most harvesters see an image with a "regular" link and pass right by it.

Re:Here's what I do

[Cecil]

Uh, how did the harvester find your page in the first place, if not by crawling non-mailto links? I would be surprised if your scheme worked very well at all, and even if it did, I think that's betting too much on the fact that many harvesters are completely incompetent at redirects, not because they magically don't follow links that you think should be ignorable to them.

Re:Here's what I do

Well, after doing it for two years, not a single spam to any of those addresses. Even if they follow the links, they aren't expecting to hit a mailto redirect.

Re:Here's what I do

[Cecil]

Well, I'm impressed then. I wouldn't trust it myself, but can't argue with what works. :)

Re:Here's what I do

[Robmonster]

One trick I have seen is to use a couple of peices of java script to write out the html for a mailto link. If you separate the mailto command across 2 or 3 java sections spammers will nto eb able to use the raw html code to drag out yur email, but once rendered in a browser it creates a perfectly clickable mailto link.

I cant remember the java commands offhand, but found the trick on one of these Web Tips websites.

Re:Here's what I do

[Saven+Marek]

Here's what I do.

When I come across people who obfuscate their email addresses on purpose, I deobfuscate them and enter their email addresses in spammer's "opt out" pages, just to prove it doesn't work.

Re:Here's what I do

Good thing I posted anon then.

Re:Here's what I do

You wouldn't by chance be using alt text for your images, would you? *blink*

My technique...

[Txiasaeia]

...is to make an address completely unreadable to anybody but a human. For example:

kajohnson@hotmail.com BECOMES
kay_a_sonofjohn_atuh_hawtmayled0tcawm_(first_word_ letter_second_word_letter_switchfifthandthird_word _getridof_of_restofaddress_is_phoenetic)

Sure, it's brutal to decipher, but there's no way a machine can poke through that mess. Fun for the receiver to figure out too :)

Re:My technique...

[Robmonster]

There is no way I would decypher that for anything other than a complete emergency.

This kind of technique just makes it a PITA to mail you, for friends and foes alike.

Re:My technique...

[soft_guy]

Yeah, I tried to email you to offer you a really great job, but you're address didn't work. So, I hired someone else. Sorry.

Re:My technique...

[Haeleth]

kay_a_sonofjohn_atuh_hawtmayled0tcawm_(first_word_ letter_second_word_letter_switchfifthandthird_word _getridof_of_restofaddress_is_phoenetic)

Great. It appears you're only interested in communicating with Americans, though; as far as I'm concerned, "hawtmayled0tcawm" represents something like "hortmail.corm", and I'm a native English speaker - I dread to think what a Chinese or Russian would make of it, however good their command of English.

Besides, most email entry routines will reject your "address", because even the ones that don't bother with proper validation generally at least make sure there's an @ in there.

Re:My technique...

[Txiasaeia]

Hotmail.com is globally recognised; I'm not sure that anybody who's the least bit net-savvy would have a problem with that. For the record, I don't have a hotmail account; I use my own ISP's name without alteration since it's relatively unknown in the global community or I use a throwaway address that's already ridden with junk mail.

As for the "aw"s in the e-mail example: "aw" is the proper way for linguistically spelling the sound represented in "hot" and "com." I didn't do it on purpose, but most English speakers who don't know what hotmail is could phonetically sound out the word and come up with the right domain name.

"Besides, most email entry routines will reject your "address", because even the ones that don't bother with proper validation generally at least make sure there's an @ in there."

True. If it's an entry routine that I care about (such as signing up for a subscription to Pl... Nintendo Power), then I give my real address, of course. If it's one that I don't care about (NY Times), I'm Mr. A B, and my e-mail address is a@b.com. Simple, huh?

Finally, I'm really only interested in communicating with Canadians; the Americans just keep on replying to me! What can I do? :)

Worst of two evils

[Nucleon500]

The cost in terms of usability of munging adresses is too high. There are better ways to fight spam.

For me at the moment, Bayesian filters, a technical solution, works best. Yes, it still wastes bandwidth. But if my ISP ran good filters for me (POPFile is adapting itself for this usage), my bandwidth at least could be saved. And the filters do work well.

Technical solutions are a stopgap measure, but the next step is legal and architectural. Make spamming illegal. This would only affect countries that care and spammers who get caught, but the next step will help. Make it harder to hide where you're coming from. This gives even ISPs in lawless countries motivation to stop sending spam, because if their upstream knows its them, they can threaten to disconnect them.

Munging is probably the worst solution, similar to getting an unlisted number. It's even shorter-term than filters, but it sacrifices the medium in the process. It's a bit like not answering the phone during mealtime - yes, it works, but it interferes too much with legitimate communication. If that's your choice, fine, but I think its ill-advised.

Re:Worst of two evils

But Bayesian filtering is approaching its end-of-usable-life for English language mail.

Spam now often contains some lines of english text unrelated to the spam message to fool the filter.

It still works fine for me as my usual mail is not in English language, so mail messages with lots of English words are suspect. But for native English speakers it will be more problematic.

In heavy traffic and Distinct sites ..Re:10 Lines?

[leoaugust]

Of the three, the first one, which is displayed widely, on K5, Slashdot, Groklaw, LiveJournal

I recently received spam at the address displayed on /. It is an absolute rarity and I was surprised till I realized that /. users are a distinct demographic with certain common traits.

For a business targeting the /. demographic it is probably worthwhile to get all the email addresses (easy to detect where they are on a page and about 750,000 maximum) and then run them thru iterative cleaning. In the first few iterations itself they should be able to get many usable addresses, and then with a person cutting and pasting they should be able to clean more.

My point is that on less trafficked sites, or sites that don't attract a distinct demographic, email obfuscation definitely helps. But for sites like /., k5, etc. I can see it worthwhile for someone to deobfuscate the addresses even if it takes time and money because the cleaned up /. emails are worth a lot of money. Paradoxically, /.'s are the least likely to respond to spamming that comes that way ...

Future solution...

[r00k123]

Say someone does come along and writes some code to get at "armored" addresses. What do we use then?

How bout your email address displayed as a small image?

Yahoo and other sites have been using words in an image as an anti-automated-signup with good success. They work because it's just too hard to get text out of a fuzzy/obscured image automagically. Image recognition simply isn't good enough yet.

Definite overkill now, but spammers are always cracking the latest line of defense...

Re:Future solution...

[Clover_Kicker]

>How bout your email address displayed as a small image?

That's annoying to people who legitimately want to send you an email.

Re:Future solution...

[Grhm]

If you start hiding your email address in blurred or obsured images, you also end up pissing of those with poor eyesight.

My dad can read email and surf fine without his glasses but sometimes he has to go get his glasses to work out what the "anti-automated-signup" image says.

Re:Future solution...

[Endive4Ever]

And it's annoying for people like me who ssh into some of the sites where I have an active email address and use pine to read it.

10 lines?

[sabNetwork]

To answer your question: yes of course it's worth it. It take 3 seconds and befuddles every current email spider on the web.

Sure, ten lines of perl code could decode any ONE technique on Slashdot, but it would take much more to detect which technique (of infinite possible) was used.

However, there is a situation where it becomes reasonable to use such a descrambler. On some mailing list archives, there is a standard anti-spam format applied to every email address. In this case, picking one lock would open every door.

dynamic html / javascript

[aok]

For web-pages, would displaying your e-mail address via an embedded javascript function work (as long as your function doesn't have your address as a simple string)? I've thought of trying this and am assuming harvesters don't run the javascript code in a webpage.

Re:dynamic html / javascript

[microcars]

I've been using ENKODER for doing this on a few websites and I always include a few "control" addresses that do NOT forward to my primary email (which is filtered by Brightmail).

It seems to work VERY well, I have received ZERO spam at any of the "control" email addresses obfuscated with this Javascript:

<script type="text/javascript">
<!--
var data=new Array(
129,141,133,128,152,131,214,134,
134,172,129,133,143,158,131,143,
141,158,194,131,158,139,236,159,
156,141,129,204,129,137,236,134,
134,172,129,133,143,158,131,143,
141,158,194,131,158,139,236
);
var idx=0, n=data[data.length-1];
document.write('<a href="');
while( data[idx]!=n ) {
document.write('&#'+(data[idx++]^n)+';');
&nb sp; }
idx++;
document.write('" title="');
while( data[idx]!=n ) {
document.write('&#'+(data[idx++]^n)+';');
&nb sp; }
idx++;
document.write('">');
while( data[idx]!=n ) {
document.write('&#'+(data[idx++]^n)+';');
&nb sp; }
idx++;
document.write('</a>');
//-->
</script>
<noscri pt>
<p>
JavaScript must be enabled to display this email address.
</p>
</noscript>

Re:dynamic html / javascript

[ClippyHater]

Wouldn't an intelligent hacker who's turned spammer be able to parse the presentation layer of any web page, and thus be able to get a pristine e-mail address regardless of how obfuscated you diplay it via JavaScript? For someone on the ball, I bet they could take any open source rendering engine and mold it into a pretty nice e-mail harvester based simply on the presentation layer.

Re:dynamic html / javascript

[microcars]

I'm sure they could, but based my experience over the past year they don't bother. As has been mentioned before, why would a spammer bother with the extra work when SO MANY email addresses are already out in plain sight on web pages?

Greylisting, + spamassassin

[Leroy_Brown242]

I do not worry about spam. Grey listing + Spamassassin do it all. 1 spam every other day or so hits my inbox. 300 spams a day hit my spam folder.

My sig

[Durin_Deathless]

I have been TRYING to get spam to test out the settings on my spamassasin install. I can't do it. I have had the unarmored address in my sig, and it gets NOTHING! I have never been annoyed about a lack of spam before.

spam@tuxserver.ath.cx
It's down now though. Server lost a hard disk overnight. Stupid thing.
spam@tuxserver.ath.cx --I WANT SPAM!!!!

Re:My sig

[Lukey+Boy]

Maybe the bots filter the word spam.

Re:My sig

[toast0]

Yeah, i'd bet they would... although people say they get spam on spamcop addresses (i'm not sure exactly how spamcop works, but i think you can get toast0@spamcop.net or forward slashdot@enslaves.us to them)

Re:My sig

[RobertB-DC]

I have had the unarmored address in my sig, and it gets NOTHING!

Try using it to register a domain name. I use domains at littlecutie dot net for nothing -- absolutely nothing -- but domain registrations. I cleaned it out last week, and it now has 162 messages. One is a renewal notice on a domain. The rest are spam.

I may change my domain registration email to domspam at littlecutie dot net and see what happens, though!

Re:My sig

[twistedcubic]

Do a Google search on somehting like "XXX teen sluts" and enter your email address at the first ten sites. You'll have all the spam you need. If you want to manually train Spamassassin, then try usenet: news.admin.net-abuse.sightings

Re:My sig

[Keyser_Lives]

Relax dude...

Remember, if you post it, they will spam.. :)
</fieldofdreams>

Re:My sig

And you'll have tons of spam to wade through when you get out of jail in a few years... (at least, I think that's the bit the parent poster left off...)

Re:My sig

If you really want spam, try posting to the news.admin.net-abuse.* groups with the address unobscured.

Cheap tricks

[fm6]

It does seem strange that address obfuscation works at all. As ThenAgain points out, it doesn't take that must code to turn "dubya(at)whitehouse.gov" into "dubya@whitehouse.gov" (oops!).

And yet obfuscation seems to work quite well, at least in my experience. How can this be?

I can think of two big reasons. The first is that deobfuscation is harder than it looks. It's not just a matter of applying the reveral -- you also need to recognize which reversal to supply (dubyaNOSPAMwhitehouseNONEgov, dubya at whitehouse dot gov, dubyaFSCKSPAM@whitehouse.gov....)

The second reason is the spam culture. The spam industry does not seem to attract a lot of creative, intelligent people. I suppose there must be people working on abvanced spambots, or who send out thousand of random emails with webbug links. But I never seem to encounter them. I suspect that most spambots are sent out by unscrupulous people who don't care about how many invalid addresses are on their lists. It doesn't matter when your customers naive schmucks who answered a "10 million email addresses for only $500!" ad. Which they probably got through spam!

Incidentally, you obfuscate your mailto: links without forcing people to deobfuscate by hand. Jim Tuckek has written a handy little Javascript generator that uses a simple encryption to store an address in a hard-to-access form, then translates it back to text as needed.

Re:Cheap tricks

[ThenAgain]

> I can think of two big reasons. The first is that deobfuscation is
> harder than it looks. It's not just a matter of applying the reveral
> -- you also need to recognize which reversal to supply
> (dubyaNOSPAMwhitehouseNONEgov, dubya at whitehouse dot gov,
> dubyaFSCKSPAM@whitehouse.gov....)

My ten lines (8 actually) work against both those schemes by first replacing occurrences of " at " and " dot " with their respective punctuation, deleting all of the capitol letters (optionally with embeded numbers) and then look for proper addresses. While this script would miss tonnes of addresses it would still harvest millions which are posted using the current obscuration techniques.

#! /usr/bin/perl
while() {
s/ at /\@/ig;
s/ dot /\./ig;
s/[A-Z]+[0-9]*[A-Z]*//g;
while(/([a-z0-9]+\@[a-z0-9.]+\.(com|org|net))/gi) { print("$1\n"); }
}

Re:Cheap tricks

[fm6]

That's 2 out of dozens -- or is it hundreds?

Brains, not gibberish

[ezraekman]

Step 1
Register your own domain name. Cheapest reliable registrar I'm aware of is Godaddy, at about eight bucks a year per domain for .com, .net and .org TLDs, more/less for others. (Five bucks a year for ".us", for example.) Having trouble picking one? Use your own name, or add "bork" to the end or something. It really isn't that big a deal.

Step 2
Permanently disable the following addresses: info@, support@, webmaster@, ceo@, sales@, president@, admin@, contact@, customerservice@, and tech@.

Step 3
Can you figure it out by my e-mail address? If not, shoot me one, I'll I'll clue you in, if you can demonstrate that you're not a spammer. ;-) Here's a hint: You'll your host to support this mail feature.

Step 4
Don't post your address, genius! If you slap your e-mail address on a website, in a mailing list, etc... you're gonna get spam. That's the way it is. Stop whining about it, and figure out a solution. (See step three.) If you haven't figured out step three yet, e-mail me.

Step 5
Pay attention. Think about who you give your address to. This goes for the address you use for your domain registration. Oh, and register your domain with an address that you don't care about getting spam at. A month or two later, change it. Spammers pay more attention to the e-mail address a domain is registered with than they do the address(es) that it ends up with later.

I own about twenty domain names, and use multiple addresses for each domain name. I get a combined total of about 3-10 spams per day, tops... and those are only to the addresses I was using before I developed these rules. The benefits? Little to no spam, you can track every company that's sold or shared your information, and easily see who violated their privacy policy. Then, of course, you just shut down the spam that they've enabled, and go on as usual.

It works.

Re:Brains, not gibberish

Step 2
Permanently disable the following addresses: info@, support@, webmaster@, ceo@, sales@, president@, admin@, contact@, customerservice@, and tech@.

Step 3
Can you figure it out by my e-mail address? If not, shoot me one, I'll I'll clue you in, if you can demonstrate that you're not a spammer. ;-) Here's a hint: You'll your host to support this mail feature.

No, I can't figure it out, largely because I don't knbow what your email address *is*, and your hint suggests that "hide your email address" is not what you mean.

I do notice, however, that if I follow the link you give as your homepage, the first email address I find is "info@". Step 2 anyone?

Server side scripting

[mikeswi]

I don't obfuscate at all. I use a server side script to generate a form. The client (browser, spambot, whoever) never sees the address. It is not possible to figure out the address, no matter how determined the spammer is.

I VERY HIGHLY recommend this free php or asp email form.

Re:Server side scripting

[beat.bolli]

I use a tiny PHP script that sends a Redirect back to the browser. The link is something like /php/redir.php?u=uid and the redirect returns a mailto: link with the correct address appended which opens a compose window like a direct link.

Re:Server side scripting

[mikeswi]

Whoops. He's moved things around a bit. That ASP version is here while the PHP version is at the link in my first post.

Re:Server side scripting

[DrMorris]

This is ok for some sites, but no way a real solution. I hate using forms to send email and I'm pretty sure that I'm not alone. You don't have the possibility to archive your outgoing mail, to save the address for later use etc.

Re:Server side scripting

[tepples]

You can "save the address for later use" once you get a reply back. Still, I can see how having no immediate way to archive all outgoing form mail would pose a problem. Should I modify my form-mail script (online demo; source code not yet published) to bcc the sender?

Re:Server side scripting

it's very easy to archive an email address for later use, before you send your email via a form just stick the email address used in a a database...then generate and send the email.

10 Lines of Perl?

[DynaSoar]

Regardless of "could", they apparently haven't been written.

"So if we're not helping hold back the flood of spam..."

We who? I get zero. Not bad for 1,320 web hits on Google on my last name, and over 12 years of regular usenet use. And I do NOT filter. I'm just careful.

Re:In heavy traffic and Distinct sites ..Re:10 Lin

[swdunlop]

Excellent point; the Slashdot demographic is pretty narrowly focussed, compared to the market at large, and, as such, is extremely valuable for a someone targeting that demographic. Unfortunately, as another poster mentioned, they tend to be predispositioned against spam. I'd like to think that more people in the /. community are less likely to fall for the Niagra scam than your average bumpkin.

Then again, when I start making optimistic guesses about /. readers, some silly new fad starts up (Russia, fp's, grits, etc.) , and I wind up reconsidering my position.

fp

In soviet russia Nigeria scam fall for YOU

Spam Email Address?

[canadianjoe]

Seems to have worked for me. The only email address used for /., LJ, and any online signups is thisismyspamdump@. I've never had a spam on this address, mind you, it's only been 6 months :)

Think out of the box

[Kris_J]

Given that inserting the word "SPAM" into an email address is a typical way of attempting to block spam, such that email harvesters might remove the word "SPAM", the trick is to have an email address that legitimately contains the word SPAM, preferably after the @, such that email harvesters bugger up the address. Spamcop.net and Spamgourmet.com both offer this feature. Makes life even harder for the little bots if you put a "NO" before the "SPAM", eg: blah@NOSPAMcop.net, then include a human readable "my address has no no in it".

Ten lines of Perl?

[dbirchall]

Geez... doesn't take more'n about 3 lines to do this as "bin.cgi":

#!/usr/bin/perl
print "Location: mailto:dan@sales.example.com\n\n";
exit(0);

And then it's just a simple matter of replacing:

a href="mailto:dan@sales.example.com"

with:

a href="/bin.cgi?href=mailto:abuse"

I've been doing this type of thing since about 1998. Surprised more people don't do it. It's fairly trivial to improve upon it and add quasirandom munging to the addresses, etc...

Re:Ten lines of Perl?

[Finni]

Um, no. He means ten lines of perl will un-mangle "user AT mikerowsoft DOT com" or other, as you put it, "quasirandom munging."

Re:Ten lines of Perl?

[dbirchall]

My definition of "quasirandom" is pretty far beyond "AT" and "DOT." ;)

Of course, the sole Slashdotter who wants to de-munge addresses on a site of mine will go to the trouble of figuring out how the quasirandom munging works, for that one site.

Figuring out different quasirandom munging for a large number of sites, though -- which is what address harvesters would have to do -- would be about as big a task as figuring out how to pattern-match spam 100% of the time.

Especially if the munge kept mutating. :)

In the "more than ten lines of Perl" category, for example, you could have a script to display addresses, a script to de-munge addresses, and a script to update /etc/aliases (or its equivalent), all in sync.

So Joe User comes along, clicks on "dan@spam-armor040121.example.com" and gets a redirect to "dan040121@example.com" ... which was added to /etc/aliases as an alias for "dan@example.com" (which never gets publicized) at 2004-01-21 00:00, and gets removed from /etc/aliases at, say, 2004-01-23 00:00.

Joe's got a couple days to finish typing his message. If a spam-harvester is even smart enough to click the link and harvest the address (which none are, so far), the address it harvests becomes totally worthless in short order.

I've actually used "expiring" addresses of this nature on Usenet before; some harvesters are in possession of literally hundreds of addresses for me that were used for all of an hour and haven't worked since about a week after they were used. I have dreams of someday filling an entire "million addresses" CD with nothing but broken addresses for me. :)

Re:Ten lines of Perl?

[FattMattP]

The problem with that is that it assumes that the user's mail client is on the same machine as their web browser. I don't have an email client on my machine. I ssh into my server and use mutt. Your method makes it difficult to copy your email address, or just read it from the screen, and put it into mutt.

Never, never will 10 lines of Perl be enough

[Tux2000]

Yes, trivial obscuring like user(at)example(dot)com with various special characters can be done in 10 lines. (Could be hard to get the last 3 lines filled with code.)

But what if the user does not use English language, but German? And what if (s)he does not mark the obscured charachters? user klammeraffe example punkt com or with some funny synonymes user a im kringel example klecks com. Decoding this in 10 lines of Perl becomes harder, and it becomes harder with every new language. Decode this with 10 lines for English, German, French, Polish, Russian, Bantu, Spanish, ...

What happens if the user is really "evil" to spammers? Meine Mail-Adresse besteht aus dem Domainnamen meines Providers example unter der Top-Level-Domain fur kommerzielle Webseiten, dem wird mein Kundenpseudonym user und ein Klammeraffe vorangestellt. (I'm still hiding user@example.com - translation: My mail address is composed from the domain name of my provider example undet the top level domain for commercial websites, prefixed with my client pseudonym user and an at sign.) Decode this and similar examples in 10 lines of Perl for 10 languages, while still being able do decode all trivial variants and all slashdot mail obscurations.

Getting more evil: Meine e-Mail ist catch-those-spammers@example.com mit user vor dem Klammeraffen. Schicken Sie keine Mails an die falsche Adresse. (My email is catch-those-spammers@example.com with user in front of the at sign. Don't send mail to the wrong address.) Set up an account catch-those-spammers that marks and blocks all computers that test that acocunt or send mail to it. Now decode this and all examples above and all slashdot obscuration and don't run into the trap, and do not use more than 10 lines (with 80 characters each) of Perl code.

I bet it can't be done in 10 lines with 80 characters each, using Perl 5 and no external modules.

With nearly no work it is possible to make automatic address collecting harder and thus more expensive. Spammers don't want to spend much money, they want to maximise their profit. So they will do at most only trivial decoding, if they can't collect enough unobscured mail adresses. This is why images containing the mail address won't be OCRed for a while. It simply costs too much. On the other hand, just guessing names for existing domains works pretty well and it is very cheap. I have an unpublished six-letter account at a big German mail provider, and it is permanently hit by spam. The generic (unused and unpublished) accounts (sales, info, mail, accounting, vertrieb) of my domain are also spammed very often. Guessing is cheaper than collecting addresses.

So while this is not a mathematical proof, you can see that non-trivial obscuration will help. See also What You Get When You Buy a Spam CD.

Tux2000

Re:Never, never will 10 lines of Perl be enough

[max]

Of course it will be harder to write such a filter (Please note that the spammer wouldn't care about the filter max beeing 10 lines with 80 chars each and no modules, if 2000 lines do the job the script will be 2000 lines.)

But for the non-german speaking person visiting your website it would perhaps be impossible to get to mail you, and besides you missed the running point in the original posting:

So if we're not helping hold back the flood of spam, why are we decreasing the utility of the web by eliminating mailto tags and forcing users to hand-correct the addresses in their mail clients?

Or perhaps you have already answered the question; Yes we have definitely decreased the utility of the web by eliminating mailto tags and forced the users to hand-correct (deobscure) email addresses.

Re:Never, never will 10 lines of Perl be enough

[max]

Since I am a bit tired I should probably clarify my previous post. Most posters seem to have got stuck on the claim that 10 lines could deobfuscate most addresses. It doesn't matter if it is 10, 100, 1000 or more. Deobfuscation either works (since most users use simple obfuscation techniques) or don't work. In the cases where it don't work people would probably have to think twice to deobfuscate manually and the probability of sending the mail to a non-existant adress is higher. You will be harder to reach. So yes we have decreased the utility and the spam continues.

Use obfuscation if you think it works for you, I don't think it is necessarily a bad thing unless used over-excessively. Personally, I rather rely on filtering techniques and make it easy for people wanting to mail me to do so. This is the reason I have an email address, otherwise I would force people to use regular mail to get in touch with me.

Let this be a lesson to you kids: sleep before you post.

Re:Never, never will 10 lines of Perl be enough

[rock_climbing_guy]

Does perl allow you to write your entire program on one line like c++ does?

Re:Never, never will 10 lines of Perl be enough

[Tux2000]

Yes, it does. You can even write a perl program with zero lines, if you do not count invoking the program as a line:

perl -MLWP::Simple -e 'getstore "http://slashdot.org/","current-slashdot.html";'

Real Operating Systems (those not from Redmond) allow command lines of 4 KBytes or even more, this is more than sufficient for most small tasks.

For even more useful examples, see Google search for "perl one-liners"

Tux2000

Re:Never, never will 10 lines of Perl be enough

I can do it in 10 lins of C...

I mean, why all those newlines?

Mac OSX + Mail.app

[narratorDan]

Since I switched to OSX and started to use Mail.app I've found the adaptive junk mail filters to be quite good. Plus the ability to bounce spam makes those spamers who actually maintain their lists remove my name automatically. I've left Mail in the learn mode so that I can declare a spam to be junk if it gets past the filter. I have also made a separate filter for mail marked as junk, so after glancing to make sure that it is indeed junk I bounce it. I get fewer and fewer junk mail each passing day. I've even received some "you have been removed" messages. Whether it is a scam or not I don't know. But, I am very happy with Mail.

NarratorDan

Re:Mac OSX + Mail.app

[fuzzybunny]

Does it actually cause a server (never played with Mail.app) to bounce the message with a proper 550 or similar, or just reply with a form?

There was some discussion on /. a while ago about doing spam filtering during the transaction phase on the MTA, allowing you to really bounce messages (at the risk of false positives.)

Re:Mac OSX + Mail.app

[tdemark]

Well, it has some caveats during the bounce. The biggest one, which makes it useless to me, is that it bounces with your primary email address, regardless of who the email was sent to. Since the email addresses I receive spam on are not my primary address, bounces really wouldn't help.

(That is, my primary address may be 'foo@bar.com', but I receive spam on 'baz@bat.com'. If I generate a bounce message from that spam, the bounce will include 'foo@bar.com' as my address.)

Luckily, SpamAssassin gets almost all of the 100 or so spam I get per day ... I'll see 1 or 2 in my inbox per week, they rst go into a Jail folder which I review every few months before I add them to the spam database with salearn.

The original message was received at 2004-01-20 06:04:09 -0500
from postoffice.$email_domain [10.0.0.1]

----- The following addresses had permanent fatal errors -----
<$email_addr>

-----Transcript of session follows -----
... while talking to postoffice.$email_domain.:
RCPT To:<$email_addr>
<<< 550 5.1.1 unknown or illegal alias: $email_addr
550 <$email_addr>... User unknown
Reporting-MTA: dns; postoffice.$email_domain
Received-From-MTA: DNS; postoffice.$email_domain
Arrival-Date: 2004-01-20 06:04:09 -0500

Final-Recipient: RFC822; $email_addr
Action: failed
Status: 5.1.1
Remote-MTA: DNS; postoffice.$email_domain
Diagnostic-Code: SMTP;550 5.1.1 unknown or illegal alias: $email_addr
Last-Attempt-Date: 2004-01-20 06:04:09 -0500

From: $First $Last <$email_addr>
Date: January 20, 2004 6:05:53 AM EST
To: $to_addr
Subject: Test

This is a test

You can insert your values for the included variables to see how Mail would generate a bounce message.

- Tony

Re:Mac OSX + Mail.app

Have to agree on that one. It probably removes 95% of the junk that would have otherwise come to my inbox.

Re:Mac OSX + Mail.app

[soft_guy]

I too use Mail and use the junk mail filters. I have noticed that spam is starting to get through. Apparently its a new kind of spam message that contains a list of words to get through filters?

Also, when my business partner forwards email to me, it often marks it as Spam for some reason. Like sometimes he forwards info off of a web page that is advertising something he wants me to look at.

Excellent Service

[(-mas-borracho-)]

When I sign up for stuff I use this service:

Mailinator.com

Cheers

Re:In heavy traffic and Distinct sites ..Re:10 Lin

[Pathwalker]

I recently received spam at the address displayed on /. It is an absolute rarity...

Well, then we can establish that address mangling works.

I leave a contact address in unobscured text, and in the past 24 hours, I received 74 emails to that mailbox, all of which were spam.

Spamgourmet

[Mmm+coffee]

I don't even bother obscuring my address most of the time due to a handy free (as in beer and speech) little utility over at Spamgourmet.com. It allows you infinite disposable email addresses that forwards to an address you specify.

How it works: When some site/etc is asking for your email address and you just *know* they're going to spam you, give them a spamgourmet address. -

identifier.#ofemailstoaccept.userhandle@spamgour met.com

I.E.

slashdot.5.user@spamgourmet.net

Once you get five emails you won't get any more mails forwarded from the slashdot identifier. Been using it for over a year and looking at my user page I've been saved from over 600 spams. By giving my real email address out to only sources I trust and using a spamgourmet address for all the rest my email box is totally free of spam. I'd highly suggest it.

Not completely on topic, but it's how I give out my address 95% of the time and it works for me.

Re:Spamgourmet

Do you trust them, though?

By now spamgourmet must have built up quite a nice little list of email addresses...

my solution, use images...

[zonker]

instead of writing billg@microsoft.com

use billgmicrosoftcom

btw, put the alt text in there for those that don't have images turned on. :)

Re:my solution, use images...

[zonker]

argh! stupid slashdot...

okay, let's try that again...

instead of writing billg@microsoft.com

use billg[ gif image of an at sign ]microsoft[ gif image of a period ]com

btw, put the alt-text in there for those that don't have images turned on. :)

Bouncing in Windows

[jjga]

You can also bounce messages in Windows using this Eudora plug-in. I don't think it is effective against spam, but it might be useful in other cases, like a friend sending you all the time stuff you are not interested in.

10 lines of perl can pass the turing test?

[You're+All+Wrong]

Sure, using YoureAllWrong(at)yahoo(dot)com is trivial to detect, but there are an infinite number of schemata that can be used. Just use your imagination.

YAW.

Use subdomains if possible...

[DocSnyder]

For my Usenet and Web forum activities, I'm using unmunged email addresses with "temporary" subdomains, e. g. "slashdot@expires-200401.docsnyder.de". After some time I will deactivate them in my DNS - they no longer exist, neither do their MX records. Except for a few DNS queries, spammers don't even cost me any significant network traffic - they don't find my email server!

Of course it's some work changing email addresses after expiration (I'm rotating most of them after three months), but it's less work then eating all their spam.

Re:Use subdomains if possible...

[twistedcubic]

Brilliant! I'll be implementing this one real soon. Go ahead and mod this up boys and girls.

Re:Use subdomains if possible...

[jea6]

This is a really darn good idea. Good for you.

Of course, you still have the issue of regular spam but every little bit helps.

An AI-Complete obfuscation scheme

[archnerd]

I've seen /. use things like "daniRABBITel@franke.name minus herbivore". That's obviously going to be virtually impossible for spammers to crack.

Re:An AI-Complete obfuscation scheme

[Second_Derivative]

ah yes

jeff@FUCKSPAM.hotmail.com
bNOoSPAMb@blah.SPAM.c om

etc etc.

Has it occured to anyone that if you start using CAPITAL LETTERS to distinguish noise from signal then that's reasonably easy to filter out?

Eeh, good on you for making the effort, but you probably do want some viagra anyway, you're just shy. The best obfuscation is to use a suitably noised up image but that presents problems of its own...

Re:An AI-Complete obfuscation scheme

[MemoryAid]

Do you have any email addresses with no spam at all?

No spam?!? Ewww!

I don't like spam?

Spam, spam, spam, spam.....

Postal spam tip

[AllUsernamesAreGone]

Quite honestly postal spam bothers me more than email, since I have to physically dispose of it all ...

The way I deal with that is to play thier own system against them. It works best if you get quite a few with prepaid return envelopes - save up a pile of them and then go through mixing up replies. Don't fill anything in, just put some of the junk one firm sent you in the prepaid envelope for the other. And if you have any newspaper spare, fold up some sheets of that and include it, anything to increase the weight and the cost to the firm (adding old washers, other bits of metal used to be a good one, probably land you in trouble now though) then post them off. Pretty soon they'll work out that you're just costing them a lot of money and you really are serious about not wanting their crap.

Re:Postal spam tip

[w9wi]

This unfortunately doesn't work to stop the postal spam. On the other hand, it does ensure that the spammer pays the cost of disposing of their garbage, not you. Your property taxes should pay for the disposal of the garbage you generate - let the spammers pay the taxes to dispose of their garbage.

I don't bother waiting for prepaid envelopes to show up - any garbage postal spammers dump in my mailbox immediately gets "RETURN TO SENDER" written on it & dumped back in the mailbox. You need to mark out your address and the bar code first, otherwise the USPS's automatic sorting equipment will return it to *you* instead of the sender.

When I *do* get prepaid envelopes though, I do use them. Often I'll get a bunch at once - one of the mass coupon mailings - use the prepaid envelopes & cards from some of the offenders to return the crap of the others.

Incidentially, as a demonstration of the (non-)value of voluntary opt-out lists... I'm signed up for the DMA's Mail Preference List and registered with all three credit bureaus as not allowing my address to be sold to marketers. I *still* get about a pound of junk mail a week. The credit-card solicitations have pretty much stopped but I had to directly write Capital One and one other issuer whose name I've forgotten to get to that point.

IMHO the credit bureaus owe me $1.85 (five stamps) but they've made it clear they have no intention of paying their bill...

Re:Postal spam tip

[WhiteDragon]

My dad once had a magazine subscription that he wanted to cancel. He asked them to cancel, but they kept sending him stuff, so he took one of the business reply cards, and taped it to a big box of dirt (about 50 pounds or so) along with a letter saying please remove me, and sent it to them. He never got any more magazines.

ASCII encoding working for me.

I run a small site for one of my friends. Her account and the webmaster account, both on a contact page in unobfuscated form, were getting inundated with spam. I killed both mail accounts and created a differently-named ones, which are on the contact page but encoded using this tool/

That was in May. Neither account has gotten spam since, so I'm a believer. Spammers appear to be too busy trying to thwart Bayesian filters to come up with ways to harvest obfuscated addresses theses days.

Re:In heavy traffic and Distinct sites ..Re:10 Lin

[beat.bolli]

Interestingly, the only mails I get on my /. address are Gibe viruses, about 10 so far...

I have no idea how this came to be, though.

Stop using the word "munge"!

[Gothmolly]

Otherwise you end up sounding like that cocksucker Eddie Gilbert.

Re:In heavy traffic and Distinct sites ..Re:10 Lin

[ahknight]

In Soviet Russia ... oh, never mind.

It's the same as encrypting your WiFi, etc

[chia_monkey]

Why do that to our email addresses? Because it actually DOES help a little bit. Why lock our doors at night? Why lock our car when we park downtown? Why encrypt our WiFi network? Why install SOME sort of security on our network? Because we don't want to make it blatantly easy for someone to compromise. If someone really wants that car, they'll get it. If someone really wants to break into your network, they'll do it. But this is one easy level of "security" that will stop the basic script kiddies/thieves/spammers from doing all the damage they want. It may not be the most effective way of stopping spam, but why put a sign on your car (or website) that says "hey, I'm unlocked and the keys are in the ignition"?

The CLUB

[jmlyle]

It's like the CLUB, the automotive theft prevention device (A club that locks accross the steering wheel). By no means could the CLUB prevent someone from stealing a car that they wanted to steal, but if there are two cars next to each other, one with a CLUB and one without, the non-CLUB car is more likely to be stolen.

In effect, the advantage of the CLUB (and of obfuscating your email) is that you are protecting yourself simply because someone else hasn't put in the effort that you have. As long as enough people don't take any protective steps, we just have to take a few.

You insensitive clod!

(albany354@hotmail.com is not my actual email address, so feel free to spam it.)

But it's mine. You bastard!

Javascript seems to work.

[Dr.+Manhattan]

I obfuscate the contact address for my website with some javascript, and don't otherwise publicise it. No spam yet, and it's been available for a few months. Of course, no one really cares about my website anyway...

Bah. Goofed up the link

[mikeswi]

What I get for posting before drinking my coffee. That asp version is here.

Personal experience

[phorm]

The first time I got an article up on slashdot, the associated email was non-obfuscated.
I knew the article was posted before I even checked /., due to a sudden deluge of spam going to the alias linked in the article.

The second article I had posted, I obfuscated my address. Thus far no spambots have managed to hit me on that alias.

I'd say that the obfuscation definately worked in this case. It wouldn't fool a spammer doing a visual search for victims, but it was enough to trick the bots.

I wonder though, if slashdot (being very anti-spam) is given special attention by spammers... or if it just goes along with being a highly popular website and thus a good place to harvest addresses.

Best obscured email address I've ever seen

[Stephen+Williams]

I saw a great obscured address a few years back. Using the system, "me@example.com" would be obscured something like this:

|em|ee|at|ee|ecks|ay|em|pee|ell|ee|dot|see|oh|em |

No way that a harvester is getting at that! Probably not very portable across accents, mind.

-Stephen

Re:Best obscured email address I've ever seen

[Prior+Restraint]

Hey, whatever happened to that guy whose /. sig was something like, "echo foo | dc | awk {bar} | baz and run crypt to email me"? A bit overly-geeky for most people, but I always thought it was neat.

Let's play write that code!

Bob: 10 Lines of Perl? I can do it in 8 lines.
Steve: I can do it in 2 lines.
Bob: Write that code!

Simple and effective obfuscation

[hankwang]

These tactics work and do not require to much thinking/demunging by the user:

• Replace @ by &#64; (sounds simple, but it is reported to work - so far)
• Make mailto links in javascript (Spambots don't appear to parse javascript so far)
• Make a CGI that serves the email address in a clickable form after the user presses a button. Spambots don't parse HTML forms - yet. Use POST instead of GET such that there does not exist any URL that will serve the email address. Optionally include a simple question in the form. (I implemented:

  Email address of John Doe
  I am: (x) a robot; ( ) a human [GET EMAIL ADDRESS]

  on a website. (Answering wrong will give you 1000 nonexisting email addresses :-) ) If you suspect that the spammer might want to invest some time in writing a script that harvests all 20000 employees from your website, then make it a Kaptcha (type the digits in the image into the box).

Having to demunge an address is annoying. How many spaces do I have to remove from jl i11@example .com? Did I place the cursor left or right of the whitespace? Damn, one space too many removed.

Spambots are stupid. I've seen a few of them visit a website that I maintain and they do not even parse basic HTML such as the BASE tag (which the parser needs to derive relative URLs), or the presence of &amp; in URLs (HTML does officially not allow bare & symbols).

mailto?

[mix_master_mike]

mailto links are nasty... of the huge world out there i'd believe half click on those only to find themselves opening up something they don't use (perhaps outlook express)

personally i like the simple methods people use and am happy to correct it in my client if need be.

Re:mailto?

[MarcQuadra]

Ahh, the beauty of Mozilla for browsing and mail. Granted, the mail totally sucked ass before about 1.2, but I really like the integration.

Accessible?

[tepples]

my school address is displayed as a JPEG.

How sure do you feel that all people who would have a reason to use your school address can see?

Re:Accessible?

[philthedrill]

Good point, but it's a tradeoff. However (and this may offset the benefits of having my e-mail address displayed as an image), but people can look me up in the school directory. In fact, that's probably where most of my spam is coming from.

Before @

[tepples]

To cope with SpamCop and other e-mail services with "spam" in their name, I think the harvesters drop only those addresses where the "spam" part precedes the @ delimiter.

They ARE trying (badly) to deobfuscate addresses

[terrencefw]

I know this because I see failed attempts in my maillogs, like:

some_removethis_body@example.com

wrongly deobfuscated to

some__body@example.com

Do spammers care if it is a valid address?

[TPFH]

A lot of spammers are not selling anything besides their spamming services.

They say they will "send your message to 10 million gazillion users" but do they really care that a lot of the addresses they send to are dead, abandoned or obfuscated?

No, they just have a bunch of addresses, and as long as it is in the form of foo@bar.com they don't care if it bounces back, it is still valid enough for their customers.

Remember, it is spammers that we are talking about here.

Use it on eBay!

[rock_climbing_guy]

Set up a new address and use it as your account name on eBay. Then, do some activity on eBay, and you should get plenty of spam. Especially if you actually sell something.

Cheap, indeed.

[Prior+Restraint]

...deleting all of the capitol letters...

Isn't the local-part of an email address case-sensitive? At least, that's how I read the spec.

Re:Cheap, indeed.

[ThenAgain]

Yeah, but you've gotta pick heuristics at some point. It's a pretty safe assumption (for now) that the vast majority of e-mail addresses will be represented all lower-csae (just look around). The anti-spam noise is normally all-caps so that it's easy to spot.

How to Get Spam: The Collector's Guide

Procuring a load of spam for research, filter testing, or other purposes is as easy as following a few simple steps.

1] Create a new email address. This step assumes that you don't want to intentionally introduce more spam into your existing email accounts; if you don't mind doing so, you can skip this part.

2] Post a message to the Usenet newsgroup alt.business.multi-level. The contents of the message don't matter, just post something like "Hello everyone!" This newsgroup is harvested on a daily basis by numerous spammers, especially the get-rich-quick and pyramid varieties. You may even receive an email within an hour of posting.

If you don't have access to an NNTP server, use Google Groups. (Be sure to sign up for Google Groups using your new email address. It will be used as the return address on your Usenet posting.)

3] Assuming you have access to an existing source of spam, such as your current email address - and who doesn't! - carefully follow the "Remove Me" links from at least 10 different spam emails. What you're really looking for is 10 different removal forms, so if you keep winding up at the same form, try a different spam. Be sure that no parameters, like tracking ID numbers or an email address, are in the query string portion of the removal URL. Submit your new spamtrap email address to be "removed" (which, in spammer-speak, means "added to the list").

4] Repeat these steps daily until the spam is rolling in. It shouldn't take more than a few days.

They don't bother unobfuscating...

[weave]

I've been posting a trivially simple to defeat munge in my sig on usenet posts for years, with just a space in front and behind @ like "user @ example.com" and I have yet to receive any spam to it.

I will also say that my return "from" address in usenet posts is unobfuscated but coded, and I receive tons of spam to it. I also have had unobfuscated addresses on web pages since 1994 and they all get hammered too. Even after all the blacklists and spam detection, I still get about 100 spams a day. :-(

On a more humorous note, I have turned on the slashdot random auto-munge feature and for a while there it was munging it to slashdotNO@weaverling.org -- and I started to get spam to that one. Gotta love the ones who claim I am only getting it because I opted in to their marketing list.

With a little javascript

[rollthelosindice]

You can obfuscate your email addresses, and still allow the users to click on an email address and havethe functionality of the mailto tag

Email obfuscation hurts only you

[debrocks]

Whether you like it or not, those spammers have your number. Obfuscate all you like. Register one place where you cannot and Wham! your email is out there. Your prospective girlfriend/boyfriend as the case may be will however be turned off by the antisocial behaviour and Bham! life sucks!

SpamCop also a spammer

[alexborges]

SpamCop also works in sending spam (makes cool boxes for spammers)....so, hows that for a warm fuzzy feeling of hurting anyone who doesnt pay into spamcop schemes?

Re:SpamCop also a spammer

[njchick]

I have no idea what you are talking about. Maybe somebody impersonated spamcop.net. It happens all the time. Spammers really hate it.

Re:SpamCop also a spammer

[alexborges]

Slashdot.org [slashdot.org] is what im talking about. Think about paying spamcop a dime.

No worries

[smagruder]

I recently decided to stop worrying about giving out my email addresses and no longer do any obfuscations. Instead, I concern myself with establishing good filters at the email servers that deliver mail to me. Whenever I get a spam that beats the filter, I forward it to uce@ftc.gov and spamrecycle@chooseyourmail.com. Then, I write a new filter that blocks "emails like that".

In a way, I've turned myself into a spam honeypot. But the spams I receive are but a trickle now, and I never worry about giving out my real email addresses. That is, they are proudly displayed as-is on all my sites as well as boards I participate in.

Disposable email address

[nuggz]

Yes, thats fun, change your email address every few weeks.
Last time I changed I missed piles of old places I put it, and my friends still years later send to the old address.

This solution may work, but it is too much work, and quie inconvenient

Re:They ARE trying (badly) to deobfuscate addresse

I know this because I see failed attempts in my maillogs, like:

some_removethis_body@example.com

wrongly deobfuscated to

some__body@example.com

Hahaha. You made that up because all you would see in the logs is "some__body@example.com" and no reference to "some_removethis_body@example.com"

Obscurring with Javascript

[yintercept]

As most email address harvesters don't compile the javascript, you can use that to obscur the mailto link and still have an email button that works for most users...you miss the people with javascript disabled.

Of course, there is no email address obscurring that prevents manual harvesting. Considering that email sent to an obscurred address is more likely to be read than one sent to posted address. I wouldn't be surprised to learn that there were people employed in sweat shops manually harvesting "obscurred" addresses.

Hiding behind a POST form

The StupidScript approach is horrible from a useability point, in that
it does not work with many browsers, while at the same time it is very
simple to bundle a JavaScript interpreter (see the Mozilla subproject)
with a mail harvester.

Personally I've choosen to automatically hide my email addresses
automatically behind a requiring a POST request. This is the
only working AND useful safeguard against bots. See the Nanoweb PHP
Webserver and its EmailProtect module. /milky

Re:Because...THAY SEND EMAIL TO abuse@!!!!

Becuse if thay stop sending email to abuse@ domain name, then evrybudy wood change ther email adres to abuse @ and ther own domain name, and then use the subject line for subdivisins. Wat I use, is I dont use email enymore, I use a form on mi website to type email mesiges into, and also an atachments (if you want to), and I look in mi C:\HTML\EMAIL\ directory for email mesiges that I receved.
I am not a Anonymous Coward!!

Re:10 Lines? uve Perl code to harvest all posible

As well as wat you posted, you can also use OCR and Artifisel Inteligence to reed picchers uv text, and also to execute the JavaScripts on the web page to get JavaScripted obsufscated email adreses as wel.
I am not a Anonymous Coward!!

Re:In heavy traffic and Distinct sites ..Re:10 Lin

[Alex]

...less likely to fall for the Niagra scam than your average bumpkin.

Do you mean Nigeria or Viagra ?

Alex

Works for me!

[jamehec]

I obfuscate all the time, and no spam yet, I mean NONE AT ALL.

Makes me wonder why more folks don't try it.

Economically not worth it

[Unsolicited+Commando]

If everyone in the world took the 2-3 seconds to obfuscate their eMail address and also spent 1-2 seconds it takes their brain to decode their friends' eMail, the resulting daily wasted energy would be roughly 4-5 times the GDP of the USA.

DON'T DO IT!!!