Is E-Mail Obscuration Worth It?

ThenAgain asks: "Many sites obscure e-mail addresses by adding noise (like 'STOPSPAM') or by translating the punctuation into words (Ex: 'me at domain dot com'). This makes users feel good but does it actually help? Ten lines of perl could defeat any of the present schemes with ease and the spammers have shown plenty of adaptability. So if we're not helping hold back the flood of spam, why are we decreasing the utility of the web by eliminating mailto tags and forcing users to hand-correct the addresses in their mail clients?"

slashdot@davidcole.net

[DavidCole]

What I usually do is, whenever possible, to put who I'm giving my email address to as the initial part of the email address, ie. slashdot@davidcole.net so I will at least know who the jerk is who sold my address.

Otherwise, I use a hotmail account to commonly give out. Obfuscated email addresses are obnoxious.

Worst of two evils

[Nucleon500]

The cost in terms of usability of munging adresses is too high. There are better ways to fight spam.

For me at the moment, Bayesian filters, a technical solution, works best. Yes, it still wastes bandwidth. But if my ISP ran good filters for me (POPFile is adapting itself for this usage), my bandwidth at least could be saved. And the filters do work well.

Technical solutions are a stopgap measure, but the next step is legal and architectural. Make spamming illegal. This would only affect countries that care and spammers who get caught, but the next step will help. Make it harder to hide where you're coming from. This gives even ISPs in lawless countries motivation to stop sending spam, because if their upstream knows its them, they can threaten to disconnect them.

Munging is probably the worst solution, similar to getting an unlisted number. It's even shorter-term than filters, but it sacrifices the medium in the process. It's a bit like not answering the phone during mealtime - yes, it works, but it interferes too much with legitimate communication. If that's your choice, fine, but I think its ill-advised.

Re:10 Lines?

[agwis]

"unless I'm looking for one of those precious "email validation" messages."

A bit off topic but I found a cool site that handles those email validation messages you need to get once in awhile. It's called mailinator. Anytime you want to register with a site that asks for your email address so they can send you a validation code (and inevitably spam you to death) you can use mailinator's service for free. All you have to do is write bobs_your_uncle@mailinator.com and then you can login into that account at mailinator. All messages received there get deleted in a few minutes and do note that anyone else can access it as well, but it certainly is a good service to handle for that exact case you mention!

-Pat

Re:Because...

[StenD]

Yes, but, for now at least, there are still plenty of addresses from people who don't spam-guard, enough that writing those 10 lines of perl isn't even really worth it.

It isn't even necessary to obfuscate addresses to foil many spammers. I generally use email addresses of the format user+folder@domain, and virtually all spammers who harvest the address either spam userfolder@domain, or folder@domain. It's nice for spammers to identify themselves, while not obfuscating my email address.

Re:Because...

[funky+womble]

The majority of websites requiring your email address don't allow you to enter + as a character.

Re:spamcop.net makes me feel good

[sweet+reason]

an even easier way to get one-time email addresses is spamgourmet.com. you don't have to go to their website more than the once to register. after that, just make up an address and they will forward it to you a limited number of times.

for example, the first 4 messages sent to slashjunk.4.mbloore@spamgourmet.com will be forwarded to me; any more will be eaten.

more control is available if you want it, such as whitelists and resetting the count. and you can reply throgh them, so your forwarding address is not revealed.

it is all free.

Simple and effective obfuscation

[hankwang]

These tactics work and do not require to much thinking/demunging by the user:

• Replace @ by @ (sounds simple, but it is reported to work - so far)
• Make mailto links in javascript (Spambots don't appear to parse javascript so far)
• Make a CGI that serves the email address in a clickable form after the user presses a button. Spambots don't parse HTML forms - yet. Use POST instead of GET such that there does not exist any URL that will serve the email address. Optionally include a simple question in the form. (I implemented:

  Email address of John Doe
  I am: (x) a robot; ( ) a human [GET EMAIL ADDRESS]

  on a website. (Answering wrong will give you 1000 nonexisting email addresses :-) ) If you suspect that the spammer might want to invest some time in writing a script that harvests all 20000 employees from your website, then make it a Kaptcha (type the digits in the image into the box).

Having to demunge an address is annoying. How many spaces do I have to remove from jl i11@example .com? Did I place the cursor left or right of the whitespace? Damn, one space too many removed.

Spambots are stupid. I've seen a few of them visit a website that I maintain and they do not even parse basic HTML such as the BASE tag (which the parser needs to derive relative URLs), or the presence of & in URLs (HTML does officially not allow bare & symbols).