Slashdot Mirror
Is E-Mail Obscuration Worth It?
ThenAgain asks: "Many sites obscure e-mail addresses by adding noise (like 'STOPSPAM') or by translating the punctuation into words (Ex: 'me at domain dot com'). This makes users feel good but does it actually help? Ten lines of perl could defeat any of the present schemes with ease and the spammers have shown plenty of adaptability. So if we're not helping hold back the flood of spam, why are we decreasing the utility of the web by eliminating mailto tags and forcing users to hand-correct the addresses in their mail clients?"
I'd say the obfuscation makes us feel better and the spammers don't care anyway. they have millions of addresses and more everyday from folks who don't take a second to obfuscate..
Ten lines of perl could defeat any of the present schemes with ease...
.01% of people who responds to this crap, and anything you send me will just hit my spam-filter anyways, so don't even try."
Yes, but, for now at least, there are still plenty of addresses from people who don't spam-guard, enough that writing those 10 lines of perl isn't even really worth it.
Also, if you have your address spam-guarded, it's effectively a message to the spammers that, "I'm not one of the
And they don't, because it's just not worth it for both those reasons.
A Minesweeper clone that doesn't suck
What I usually do is, whenever possible, to put who I'm giving my email address to as the initial part of the email address, ie. slashdot@davidcole.net so I will at least know who the jerk is who sold my address.
Otherwise, I use a hotmail account to commonly give out. Obfuscated email addresses are obnoxious.
David Cole
www.davidcole.net
So much energy is put into securing networks that ends up inconveniencing users while tons of exploits abound and social engineering completely bypasses it. Why bother?
The reason people obscure their email is
a) It's fast, easy and doesn't require external software.
b) Sometimes that's all the protection you can get when you post to some sites.
Nothing wrong here. Web utilization is still high. It's the spam that is the problem -- not the countermeasures.
Cool.. So, what ten lines do you recommend?
/dev/null most days, unless I'm looking for one of those precious "email validation" messages.
Give us 10 lines of perl that will harvest armored email accounts out of a large document, with at least half of the harvested addresses actually usable, and at least half of the potential addresses harvested.
The point is to make the harvesting costly, and reduce the usefulness of spam address harvesting. I maintain three email accounts. One that is used publicly, like here on Slashdot, one that is used for business transactions, like ordering things from Amazon, etc, and one that is a throwaway for registering accounts with various online services.
Of the three, the first one, which is displayed widely, on K5, Slashdot, Groklaw, LiveJournal, and a lot of other heavily trafficed community sites, does not receive any spam of note. The second gets a pretty steady flow.. And the third.. Well.. The third is redirected to
Btw, that first email address has been in use for over three years, now.
Weapons of Mass Analysis
A study by the Center for Democracy & Technology in 2002 concluded that by either replacing email addresses with the HTML equivalent or human-readable equivalents like "example at domain dot com" signficantly cut down on spam. From their Major Findings: "E-mail addresses posted to Web sites using these conventions did not receive any spam." While, yes, it's relativley easy to write a script that would recombine the addresses, apparenlty most harvesters for whatever reason just aren't. My email address, which is posted online, is 'hidden' in HTML and I get very little spam after many years of having it up.
Go have a look around cotton fields just after harvest. Literally tons of the stuff is left behind at the edges of fields, blown along the roadside, lying on the stubble etc. Sure, you could go along and pick it up but the cost of doing so would outweigh the price you'd get for the extra x bushels you'd collect.
It's the same with e-mail addresses - why should a spammer go to the trouble of modifying their bots to detect obscured addresses, when there are plenty of unobscured ones ready for harvest?
I'm sure some spammers do try to pick up obscured addresses, but until they start running out of unobscured addresses, they'll keep going for the masses of low hanging fruit and not bother with the rest.
Of course, obscurity doesn't save your address from brute forcing...
email:(Thecapitalofnewyorkstate)354@hotmail.com.fi llintheblank.
no program is gonna figure it out, unless they knew the algorithm, which they likely don't. It's always *possible* to outmanuever the spammers in some way or another.
Whether it's worth the hassle, is of course, your call.
(albany354@hotmail.com is not my actual email address, so feel free to spam it.)
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
For example, while you might post your address as:
user@NOSPAM.domain.com
I may post mine as
user2@no_spam_damnit.domain.com
To me, using relatively simple tricks like this to make the job of a spammer harder is definitely worthwile.
My blog
My less technical friends have no problem mailing me because I use a mailto link on my homepage.
I use a separate yahoo address for shopping. I don't want my shopping information to be linked to my personal website. The spam from the yahoo address is also fed to spamcop.net. Sometimes I also use one-time hotmail addresses to buy from dealers with high spam risk. I simply stop using those accounts and forget the password once the transaction is complete.
kajohnson@hotmail.com BECOMES_ letter_second_word_letter_switchfifthandthird_word _getridof_of_restofaddress_is_phoenetic)
kay_a_sonofjohn_atuh_hawtmayled0tcawm_(first_word
Sure, it's brutal to decipher, but there's no way a machine can poke through that mess. Fun for the receiver to figure out too :)
Condemnant quod non intellegunt.
For me at the moment, Bayesian filters, a technical solution, works best. Yes, it still wastes bandwidth. But if my ISP ran good filters for me (POPFile is adapting itself for this usage), my bandwidth at least could be saved. And the filters do work well.
Technical solutions are a stopgap measure, but the next step is legal and architectural. Make spamming illegal. This would only affect countries that care and spammers who get caught, but the next step will help. Make it harder to hide where you're coming from. This gives even ISPs in lawless countries motivation to stop sending spam, because if their upstream knows its them, they can threaten to disconnect them.
Munging is probably the worst solution, similar to getting an unlisted number. It's even shorter-term than filters, but it sacrifices the medium in the process. It's a bit like not answering the phone during mealtime - yes, it works, but it interferes too much with legitimate communication. If that's your choice, fine, but I think its ill-advised.
Litigious bastards
How bout your email address displayed as a small image?
Yahoo and other sites have been using words in an image as an anti-automated-signup with good success. They work because it's just too hard to get text out of a fuzzy/obscured image automagically. Image recognition simply isn't good enough yet.
Definite overkill now, but spammers are always cracking the latest line of defense...
I have been TRYING to get spam to test out the settings on my spamassasin install. I can't do it. I have had the unarmored address in my sig, and it gets NOTHING! I have never been annoyed about a lack of spam before.
spam@tuxserver.ath.cx
It's down now though. Server lost a hard disk overnight. Stupid thing.
spam@tuxserver.ath.cx --I WANT SPAM!!!!
You should use AdiumX on your Mac.
Step 1 .com, .net and .org TLDs, more/less for others. (Five bucks a year for ".us", for example.) Having trouble picking one? Use your own name, or add "bork" to the end or something. It really isn't that big a deal.
Register your own domain name. Cheapest reliable registrar I'm aware of is Godaddy, at about eight bucks a year per domain for
Step 2
Permanently disable the following addresses: info@, support@, webmaster@, ceo@, sales@, president@, admin@, contact@, customerservice@, and tech@.
Step 3 ;-) Here's a hint: You'll your host to support this mail feature.
Can you figure it out by my e-mail address? If not, shoot me one, I'll I'll clue you in, if you can demonstrate that you're not a spammer.
Step 4
Don't post your address, genius! If you slap your e-mail address on a website, in a mailing list, etc... you're gonna get spam. That's the way it is. Stop whining about it, and figure out a solution. (See step three.) If you haven't figured out step three yet, e-mail me.
Step 5
Pay attention. Think about who you give your address to. This goes for the address you use for your domain registration. Oh, and register your domain with an address that you don't care about getting spam at. A month or two later, change it. Spammers pay more attention to the e-mail address a domain is registered with than they do the address(es) that it ends up with later.
I own about twenty domain names, and use multiple addresses for each domain name. I get a combined total of about 3-10 spams per day, tops... and those are only to the addresses I was using before I developed these rules. The benefits? Little to no spam, you can track every company that's sold or shared your information, and easily see who violated their privacy policy. Then, of course, you just shut down the spam that they've enabled, and go on as usual.
It works.
I don't obfuscate at all. I use a server side script to generate a form. The client (browser, spambot, whoever) never sees the address. It is not possible to figure out the address, no matter how determined the spammer is.
I VERY HIGHLY recommend this free php or asp email form.
Only on
Excellent point; the Slashdot demographic is pretty narrowly focussed, compared to the market at large, and, as such, is extremely valuable for a someone targeting that demographic. Unfortunately, as another poster mentioned, they tend to be predispositioned against spam. I'd like to think that more people in the /. community are less likely to fall for the Niagra scam than your average bumpkin.
/. readers, some silly new fad starts up (Russia, fp's, grits, etc.) , and I wind up reconsidering my position.
Then again, when I start making optimistic guesses about
Weapons of Mass Analysis
Seems to have worked for me. The only email address used for /., LJ, and any online signups is thisismyspamdump@. I've never had a spam on this address, mind you, it's only been 6 months :)
Given that inserting the word "SPAM" into an email address is a typical way of attempting to block spam, such that email harvesters might remove the word "SPAM", the trick is to have an email address that legitimately contains the word SPAM, preferably after the @, such that email harvesters bugger up the address. Spamcop.net and Spamgourmet.com both offer this feature. Makes life even harder for the little bots if you put a "NO" before the "SPAM", eg: blah@NOSPAMcop.net, then include a human readable "my address has no no in it".
#!/usr/bin/perl
print "Location: mailto:dan@sales.example.com\n\n";
exit(0);
And then it's just a simple matter of replacing:
a href="mailto:dan@sales.example.com"
with:
a href="/bin.cgi?href=mailto:abuse"
I've been doing this type of thing since about 1998. Surprised more people don't do it. It's fairly trivial to improve upon it and add quasirandom munging to the addresses, etc...
Yes, trivial obscuring like user(at)example(dot)com with various special characters can be done in 10 lines. (Could be hard to get the last 3 lines filled with code.)
But what if the user does not use English language, but German? And what if (s)he does not mark the obscured charachters? user klammeraffe example punkt com or with some funny synonymes user a im kringel example klecks com. Decoding this in 10 lines of Perl becomes harder, and it becomes harder with every new language. Decode this with 10 lines for English, German, French, Polish, Russian, Bantu, Spanish, ...
What happens if the user is really "evil" to spammers? Meine Mail-Adresse besteht aus dem Domainnamen meines Providers example unter der Top-Level-Domain fur kommerzielle Webseiten, dem wird mein Kundenpseudonym user und ein Klammeraffe vorangestellt. (I'm still hiding user@example.com - translation: My mail address is composed from the domain name of my provider example undet the top level domain for commercial websites, prefixed with my client pseudonym user and an at sign.) Decode this and similar examples in 10 lines of Perl for 10 languages, while still being able do decode all trivial variants and all slashdot mail obscurations.
Getting more evil: Meine e-Mail ist catch-those-spammers@example.com mit user vor dem Klammeraffen. Schicken Sie keine Mails an die falsche Adresse. (My email is catch-those-spammers@example.com with user in front of the at sign. Don't send mail to the wrong address.) Set up an account catch-those-spammers that marks and blocks all computers that test that acocunt or send mail to it. Now decode this and all examples above and all slashdot obscuration and don't run into the trap, and do not use more than 10 lines (with 80 characters each) of Perl code.
I bet it can't be done in 10 lines with 80 characters each, using Perl 5 and no external modules.
With nearly no work it is possible to make automatic address collecting harder and thus more expensive. Spammers don't want to spend much money, they want to maximise their profit. So they will do at most only trivial decoding, if they can't collect enough unobscured mail adresses. This is why images containing the mail address won't be OCRed for a while. It simply costs too much. On the other hand, just guessing names for existing domains works pretty well and it is very cheap. I have an unpublished six-letter account at a big German mail provider, and it is permanently hit by spam. The generic (unused and unpublished) accounts (sales, info, mail, accounting, vertrieb) of my domain are also spammed very often. Guessing is cheaper than collecting addresses.
So while this is not a mathematical proof, you can see that non-trivial obscuration will help. See also What You Get When You Buy a Spam CD.
Tux2000
Denken hilft.
Sure, using YoureAllWrong(at)yahoo(dot)com is trivial to detect, but there are an infinite number of schemata that can be used. Just use your imagination.
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
Of course it's some work changing email addresses after expiration (I'm rotating most of them after three months), but it's less work then eating all their spam.
Why do that to our email addresses? Because it actually DOES help a little bit. Why lock our doors at night? Why lock our car when we park downtown? Why encrypt our WiFi network? Why install SOME sort of security on our network? Because we don't want to make it blatantly easy for someone to compromise. If someone really wants that car, they'll get it. If someone really wants to break into your network, they'll do it. But this is one easy level of "security" that will stop the basic script kiddies/thieves/spammers from doing all the damage they want. It may not be the most effective way of stopping spam, but why put a sign on your car (or website) that says "hey, I'm unlocked and the keys are in the ignition"?
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
It's like the CLUB, the automotive theft prevention device (A club that locks accross the steering wheel). By no means could the CLUB prevent someone from stealing a car that they wanted to steal, but if there are two cars next to each other, one with a CLUB and one without, the non-CLUB car is more likely to be stolen.
In effect, the advantage of the CLUB (and of obfuscating your email) is that you are protecting yourself simply because someone else hasn't put in the effort that you have. As long as enough people don't take any protective steps, we just have to take a few.
I have misplaced my pants.
ah yes
c om
jeff@FUCKSPAM.hotmail.com
bNOoSPAMb@blah.SPAM.
etc etc.
Has it occured to anyone that if you start using CAPITAL LETTERS to distinguish noise from signal then that's reasonably easy to filter out?
Eeh, good on you for making the effort, but you probably do want some viagra anyway, you're just shy. The best obfuscation is to use a suitably noised up image but that presents problems of its own...
The first time I got an article up on slashdot, the associated email was non-obfuscated. /., due to a sudden deluge of spam going to the alias linked in the article.
I knew the article was posted before I even checked
The second article I had posted, I obfuscated my address. Thus far no spambots have managed to hit me on that alias.
I'd say that the obfuscation definately worked in this case. It wouldn't fool a spammer doing a visual search for victims, but it was enough to trick the bots.
I wonder though, if slashdot (being very anti-spam) is given special attention by spammers... or if it just goes along with being a highly popular website and thus a good place to harvest addresses.
This unfortunately doesn't work to stop the postal spam. On the other hand, it does ensure that the spammer pays the cost of disposing of their garbage, not you. Your property taxes should pay for the disposal of the garbage you generate - let the spammers pay the taxes to dispose of their garbage.
I don't bother waiting for prepaid envelopes to show up - any garbage postal spammers dump in my mailbox immediately gets "RETURN TO SENDER" written on it & dumped back in the mailbox. You need to mark out your address and the bar code first, otherwise the USPS's automatic sorting equipment will return it to *you* instead of the sender.
When I *do* get prepaid envelopes though, I do use them. Often I'll get a bunch at once - one of the mass coupon mailings - use the prepaid envelopes & cards from some of the offenders to return the crap of the others.
Incidentially, as a demonstration of the (non-)value of voluntary opt-out lists... I'm signed up for the DMA's Mail Preference List and registered with all three credit bureaus as not allowing my address to be sold to marketers. I *still* get about a pound of junk mail a week. The credit-card solicitations have pretty much stopped but I had to directly write Capital One and one other issuer whose name I've forgotten to get to that point.
IMHO the credit bureaus owe me $1.85 (five stamps) but they've made it clear they have no intention of paying their bill...
- Replace @ by @ (sounds simple, but it is reported to work - so far)
- Make mailto links in javascript (Spambots don't appear to parse javascript so far)
- Make a CGI that serves the email address in a clickable form after the user presses a button. Spambots don't parse HTML forms - yet. Use POST instead of GET such that there does not exist any URL that will serve the email address. Optionally include a simple question in the form. (I implemented:
Having to demunge an address is annoying. How many spaces do I have to remove from jl i11@exampleEmail address of John Doe
I am: (x) a robot; ( ) a human [GET EMAIL ADDRESS]
on a website. (Answering wrong will give you 1000 nonexisting email addresses :-) ) If you suspect that the spammer might want to invest some time in writing a script that harvests all 20000 employees from your website, then make it a Kaptcha (type the digits in the image into the box).
Spambots are stupid. I've seen a few of them visit a website that I maintain and they do not even parse basic HTML such as the BASE tag (which the parser needs to derive relative URLs), or the presence of & in URLs (HTML does officially not allow bare & symbols).
Avantslash: low-bandwidth mobile slashdot.