

Stop obfuscating your email address - a geek mistake - traskjd
http://www.mindscape.co.nz/staff/johndaniel/index.php/2009/11/stop-obfuscating-your-email-address/

======
RiderOfGiraffes
I have a pet peeve: people thinking that my situation is the same as
theirs, and giving me advice that is wrong for me.

I get around 2400 spam a day. I've tried three different spam filters
recommended to me by people I trust and who generally know about these things,
and they get about 97% to 98% accuracy. Worse, they produce false positives.
With 50 spam per day, plus having to trawl through the spam bin to look for
the false positives, I decided to write my own.

My spam filter is highly tuned to my traffic and I get about 10 spam through
per day. More, there are about 2 false positives per month, although that's
very hard to quantify.

The problem with putting up a form is that people want a reply, and yet they
can't type their own email address properly. About half the emails I get
through my various forms have subtle and not-so-subtle misspellings of the
return address, and it can cost me hours to track them down.

No, obfuscated email addresses are still my best tool in this situation.

~~~
TheElder
I'm using Gmail for my domain and received zero spams in well over a year. My
email address is all over the web. What are you using for your spam filter?

~~~
RiderOfGiraffes
I can't use Gmail because I have the requirement to create email addresses
on-the-fly. I have my own domain and can do that. The result is I need good
spam filtering.

My filtering now achieves around 99.6% filtering, and about 1 detected false
positive per month. It would be interesting to see how gmail copes with my
2400 spam per day, and what accuracy it achieves, but it's a non-starter
because of how I use email.

~~~
JimmyL
I do this all the time with Google Apps to track who sells my email address,
creating a new one for each place I signup.

1. Create a catch-all address for the domain you're going to use that isn't
the normal postmaster one.

2. Pick a three- or four-letter combination of letters that rarely appears in
normal conversation (like dcj, for example).

3. Set a mail filter on the catch-all account to forward all mail that has
your three-letter combination as a part of its recipient list to your real
address.

This means that for every service you sign up for, you can create a new
address (I always use domainname.code@mydomain) that is trackable and gets to
you. For example, I just signed up with Via Rail's online system - using the
address viarail.dcj@mydomain. It will get forwarded to my real address (since
it's got the dcj in there), if I start getting spam on it I'll know where they
got the email address from, and if it gets really bad I can just change my
filters to block all email to viarail.dcj@mydomain.

You could do something with Gmail's plus-addressing, but I find that many
services don't accept those email addresses.

~~~
Gormo
Yahoo Mail offers a service called AddressGuard that does exactly this, but
it's only available to paid accounts. You can also easily use these as your
from address, so even in direct correspondence, you still shield your primary
address from the recipient. (This allowed me to verify that eMusic sells their
subscriber list to spammers.)

A free alternative is SneakEmail (<http://www.sneakemail.com>) which allows
you to set up disposable addresses that forward to your primary account, and
allows you to set up pre-forwarding filters. They also create a unique address
for the sender of each email, and you can set up your SneakEmail filters to
insert this as the reply-to address of each email you receive.

~~~
JimmyL
SneakEmail is great; it's what I use when I'm seriously suspicious of who I'm
sending mail to.

For 95% of the things I sign up for, however, I'm not that paranoid - the
slight decrease in security is offset by the added convenience of not having
to log into a third-party service (like SneakEmail) to get what I'm doing
done.

------
jgilliam
This will create a pretty mailto link encrypted with javascript that the bots
can't pick up: <http://hivelogic.com/enkoder/form>

I've used it for years with good results. People will even email me thinking
that I've exposed my email address to spammers encouraging me to use the blah
[at] blah dot com style.

~~~
pavel_lishin
Do you ever reply that while you never see spam, you frequently have to deal
with other kinds of unsolicited e-mail, hinting softly?

------
oliverkofoed
My spam avoidance scheme is to own my own domain, and then have *@mydomain.com
go to my inbox, so I can create disposable addresses for any use at any time.

For instance, I always sign up with [servicename].account@mydomain.com and
only ever give out my personal e-mail to people I meet in person.

The great thing is that if a [servicename].account address starts getting
spam, I know which service sold my address and I can just blackhole that
address.

That way, I never have to obfuscate my address, since I'll always just create
a new one for the specific need. It's probably not for everyone though...

------
bantic
I always thought this sort of systematic obfuscation ( /@/at/s, /\./dot/s,
etc) was as machine-readable as an actual email address. I've just gone on the
assumption that there are spam harvesters out there using regexes that catch
"bob at domain dot com" as well as bob@domain.com.

~~~
eli
Sure, there are. But given the huge number on unobfuscated addresses on the
web how many bother? Ten percent?

EDIT: This experiment shows it to be _much_ less than that (based on volume of
spam received):
<http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/>

~~~
acdha
Given the large number of blog, wiki and CMS engines which use the same
cargo-cult security idea, it's probably considerably higher than 10%. If you're
getting paid to harvest addresses, wouldn't you write a single regexp to
increase the number of good addresses?

~~~
eli
Sure _I_ would, but like most half-way decent programmers, you couldn't pay me
enough to code spam bots.

I've blocked a huge volume of comment spam on my sites by blocking certain
malformed HTTP headers. The authors couldn't be bothered to check if they were
getting it right. I don't think most spam bot authors are A) very well paid or
B) very good.

~~~
xinsight
Don't forget that it's a dynamic system. As more of the low-hanging fruit
emails get picked by spam email harvesters, then there is more value in the
harder to decode emails since they haven't been spammed. There is a tipping
point where it would be "worth it" for someone to start to decode the harder
other types of obfuscated emails.

~~~
dkokelley
Possibly, but couldn't you argue that the low-hanging fruit email addresses
are more likely to be profitable to spammers? Which of these two internet
users is more likely to buy your replica Rolex: danny@aol.com, or AOL: danny
(or danny at aol, or danny+don'tspamme at teh a oh l's dot com)?

My point is that users smart enough to disguise their emails from spammers are
more likely to be wary of their wares.

------
KevBurnsJr
Add a plus to your name whenever you put your email address into a form on a
website. It will continue to show up as though the +whatever were not present.

Kev+myspace@gmail.com, Kev+facebook@gmail.com, Kev+untrustworthysite@gmail.com

If you start getting a bunch of spam to Kev+myspace@gmail.com, filter out all
email to that address.

~~~
ovi256
I try to use that all the time, except that everybody likes to roll out their
own email validation, and they are all wrong, they do not allow the + sign as
they should.

The RFC is extremely permissive, even spaces (yeah, spaces) are allowed in
email addresses.

------
dpcan
I'm in the same boat as many people here.

I just use Spamassassin with my domain name and I get about 2 spam messages in
my inbox per day, but the spam box gets around 1000 per day. I post my email
address on websites because I want to have zero barriers when a customer or
lead needs to contact me. It's NOT THEIR PROBLEM that I get spam.

So I agree, just get a good spam filter.

------
Raphael
My objection to it is that it would be trivial for email crawlers to decode
the obfuscations most people use.

~~~
selven
Especially obfuscations like "bob at gmail dot com". If I were a spambot I
would just read until the first space and append "@gmail.com" and
"@hotmail.com" and 5-6 other mail providers. This would break through 90% of
people doing that, and they're high value targets too - they feel secure with
their clever obfuscation and chances are their other anti-spam tools (and
reflexes) are weaker.

~~~
eli
But you're not a spam bot author. Based on what I've seen, most spam bot
authors are pretty bad programmers.

Also, I would debate that these are high value targets. I'd wager that people
who go out of their way to obscure their addresses are much less likely to
purchase fake pills or fall for a phishing email than the average user.

------
Tichy
No, spam filters are not pretty good. Instead, email has now become an
unreliable channel for me. I get so much spam that I have to enable automatic
filtering. That means I probably miss non-spam emails occasionally. And some
spam still slips through the automatic filter.

------
Encosia
I couldn't agree more with the post. I've had my primary email address sitting
out on my contact page for years and have never spent a significant amount of
time dealing with spam. At this point, obfuscated addresses are as archaic as
animated "under construction" GIFs and the blink tag.

Using the de-obfuscation process as a gating mechanism is arbitrary and
perhaps a bit arrogant. There's no reason to assume that familiarity with this
convention equates to intelligence or value. Even now, I still run into plenty
of people in businesses outside of the tech industry that confuse website and
email address formats. That doesn't make them "unworthy" of contacting us; it
just means they have a different skillset and knowledge than we do.

Meanwhile, email spammers and scammers are _most_ likely to understand these
conventions, since it's their "job" to do so.

------
NathanKP
The two main suggestions to allow people to contact you without getting lots
of spam:

1) Use Gmail. Google has written their search engine to know how to detect
spam so they know how to stop spam from reaching your email address. I don't
think I have ever had even a single spam message even reach my spam folder,
and that's thanks to Google. I could put my non-obfuscated email address all
over the place and not have to worry.

2) Write a custom contact form. It is not that hard if you know even a little
bit of PHP. And if you don't you can always use Zoho forms or some other free
online form creator. I never put up contact emails because they are, in my
opinion, just as unprofessional as an obfuscated contact email. Contact forms
are much more professional.

~~~
RiderOfGiraffes
And what do you do when someone mis-types their return address?

------
edw519
OP has it all wrong.

    e d w 5 1 9   AT   g m a i l

is not meant to upset anybody.

It's an IQ test.

If you can't figure out how to contact me from that data then you'd probably
be wasting my time anyway.

Self-solving problem.

~~~
brent
Exactly.

The author cannot be bothered to decode such email addresses. If that is the
case I probably did not want his email in the first place. Ipso facto, my
filter worked.

~~~
Herring
I especially like where he says the _writer_ is lazy for expecting him to
spend 2 seconds decoding that address.

------
cnvogel
One possible solution to the problem is to use dynamically generated
throw-away email addresses. You can also encode some kind of signature. Then
just hide the monstrously huge address behind a pretty "Please Email me" link:

mailto:chris-hHz389aASKJkjhqweuiSHADKJweiuqzrq@example.com

If Spam increases (or, say, whenever more than 3 emails have been received at
one particular address), you shut down the address.

I once implemented the receiving (HMAC/signature checking) part for the Exim
mail server and a general address-generator class in Python and PHP, but never
actually put it to use.
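A sketch of the generate-and-verify scheme described in this comment, as an added example (not the commenter's own Exim or Python code): each address carries an HMAC tag over a per-site label, the receiving side rejects any address whose tag does not verify, and an address is retired once it has received more than three messages. The `chris` prefix, `example.com` domain, label format, key and message limit are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
from collections import Counter

# Constructed demo key: in practice only the receiving mail server holds it.
SECRET_KEY = b"constructed-demo-key-replace-me"
LOCAL_PREFIX = "chris"          # fixed local-part prefix, as in the comment
DOMAIN = "example.com"
MAX_MESSAGES_PER_ADDRESS = 3    # the "more than 3 emails" shutdown rule above

def _mac(label: str) -> str:
    """Short HMAC-SHA256 tag over the label, base32 so it stays address-safe."""
    digest = hmac.new(SECRET_KEY, label.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode().rstrip("=").lower()

def make_address(label: str) -> str:
    """Mint chris-<label>-<mac>@example.com for one site or purpose."""
    if not re.fullmatch(r"[a-z0-9]+", label):
        raise ValueError("label must be lowercase letters and digits")
    return f"{LOCAL_PREFIX}-{label}-{_mac(label)}@{DOMAIN}"

def verify_address(address: str):
    """Return the label if the MAC checks out, otherwise None."""
    pattern = rf"{LOCAL_PREFIX}-([a-z0-9]+)-([a-z2-7]+)@{re.escape(DOMAIN)}"
    m = re.fullmatch(pattern, address)
    if m is None:
        return None
    label, mac = m.groups()
    # constant-time compare so a forger learns nothing from timing
    return label if hmac.compare_digest(mac, _mac(label)) else None

class Receiver:
    """Inbound policy: reject forged addresses, retire busy ones."""
    def __init__(self):
        self.counts = Counter()
        self.retired = set()

    def handle(self, rcpt: str) -> str:
        label = verify_address(rcpt)
        if label is None:
            return "reject: bad or missing signature"
        if rcpt in self.retired:
            return "reject: address retired"
        self.counts[rcpt] += 1
        if self.counts[rcpt] > MAX_MESSAGES_PER_ADDRESS:
            self.retired.add(rcpt)          # shut the address down for good
            return "reject: address retired"
        return f"deliver: {label}"
```

Because the tag is keyed, a harvester who sees one address cannot mint working variants for other labels, and the label itself tells you which site leaked it.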

------
indranil
If I display my email like the way this fellow detests, it obviously means I
anticipate my readers to have enough reason to type an email address out!

------
rv77ax
Looks like we're missing an important question here. How do spammers get the
emails? Do the spam bots really crawl every web page?

Some notes I learned from the Internet to minimize spam emails:

- _Never_ use a third-party proxy or anonymous network (i.e. Tor). I once
worked for a company that did not allow any port except 8080, so for several
months I used Tor. Suddenly, after several weeks, my spam folder filled up with
junk emails.

- Make sure you clear all your caches and cookies _before_ and after browsing
for pr0n. duh! :)

- Never use any third-party application from Facebook/MySpace/any-social-networks,
unless you are using your non-private mail on your
Facebook/MySpace/any-social-networks account.

- Do not read spam email. If you know that an email is spam, just check it and
delete it, or let the system delete it automatically, like Gmail does. I do not
know anything about the SMTP protocol, but there is one feature that notifies
the sender when you read an email; by opening the email you just notified the
spammer that your address is, at least, still active.

Spammers, in the context of email gathering, are not stupid. They know what
they're doing.

------
eli
I wouldn't obfuscate the support or billing contact address for my company,
but on my personal site? Or code documentation posted on the web? You betcha.

There's a big difference between pushing work on your customers and pushing
work on people who don't know you and are trying to contact you the first
time.

------
est
Obfuscating is useless:

<http://www.google.com/search?q=at+gmail+dot+com>

Collect enough patterns and you can harvest tons of email addresses like it
used to be.

~~~
mseebach
There's a difference between what can be done, and what will be done. The
point in the article is that simple obfuscation actually works.

~~~
petsos
Yes, but that's like hiding behind your finger. It is so easy to de-obfuscate
that it is just a matter of time.

~~~
gloob
A matter of time is plenty good enough for the time being. It's an email
account, not a bank account.

------
tomjen2
Unless you are really desperate for people to contact you, forcing them to
"decode" the email address might be a nice velvet rope that keeps out those
who aren't worthy of your time.

Obviously this might not work if you have a customer support email.

