> Email addresses published on webpages usually need to be protected from email-harvesting spambots.
Do they though?
I have had my email address published on my website in a <a href="mailto:… for like 20 years and I don't get spam that would get through the spam filter.
I use both Gmail and (for some other addresses) a webmail hosted by a local company which uses some other filter. Both work well, so it's not something only Google can do.
I definitely recall in the early 2000's it absolutely did lead to spam, and e-mail obfuscation techniques were a real thing that genuinely helped.
But by 2015 or so it didn't matter at all anymore, in my personal experience. It didn't even lead to spam that needed to filtered. Spammers just stopped looking for e-mails that way.
Which makes perfect sense -- most people don't have their e-mail address listed anywhere online in the first place, but you can purchase gigantic lists of e-mail addresses. That either originate from companies that sell their own user lists, or people who hacked the companies' servers.
These days if you want to send spam, trawling the web for e-mails makes zero sense. It's practically the least efficient thing you could do.
I’ve been having all my email addresses posted plain text since like 2005 and I’ve signed up on like every website imaginable (my password manager has over 2,000 entries) and I’ve never had a spam problem, at least on Gmail.
I have two people I designed web sites for in the last year and I put both their email addresses in the footer and neither one of their accounts has received a single spam message in all of that time (not even something dropped into the Spam folder). Both sites are popular and have thousands of visitors and get scraped by every search engine and AI bot you can think of.
Interesting. Maybe footer emails tend to be support contact addresses rather than personal inboxes. Otherwise I’d find that discrepancy very surprising.
My thoughts exactly. On the other hand, an email address I used with Usenet ca 1999–2001 has had a consistent flood of spam. I think most spammers are using the same 20+-year-old list of emails.
The email address on my website doesn’t even get stuff that goes to the spam filter. Nothing, nada zilch.
I do think that there are some mailing lists that get generated by trying to guess emails, brute-forcing gmail addresses by trying dictionary attacks of the FIRSTNAME.LASTNAME variety or 1–10 letters. I get a tiny amount of spam sent to a domain@domain.com address I have, but that’s typically on the order of one message a year.
And all else aside, the overall volume of spam email has declined dramatically, even ignoring the effect of the gmail spam filter. I’m guessing that email as a spam vector just doesn’t make sense anymore and most of what goes out is a mix of 419 scammers trying to make their quotas and would-be scammers who’ve been scammed into buying that 20-year-old list of emails.
The practice of email address "obfuscation" feels like a relic of a bygone era, one that was never actually sound in its methodology, but spread. A form of cargo-cultism has kept it alive
Yeah just looking at this, it appears to add about 1K of overhead and at least one additional http request for something that ultimately boils down to a mailto: link, so it can still be scraped, and just adds bloat to your web page.
My preference is to not have my email harvested at all when possible, even if I don't personally see the spam emails. (I'm not saying it's a critical privacy/security issue, but a preference.)
My experience is that you send email to someone whose Op Sec is not as good as your own, then your email will be harvested at the point when that person's address book is harvested. I don't know all the details of how these harvests occur, but using a shady mobile app with Contacts permission would be enough.
Your email address cannot be (and isn't) secret, if you give it to other people (regular people, i.e. friends, colleagues, etc.) so they can send you emails. If you don't want your email harvested, you can never use it (at least to receive emails).
I've also had my email posted in mailto's in a half dozen places for... a long time. I remember in the early 00's when I'd cargo cult the old "type the whole email out as adrian at adrianpike dot com" thing on forums thinking it would work as some mystical talisman, and it turns out considering emails to be secret isn't worth the time.
this used to be a problem in the early 00s. I don’t think spam filtering was as good back then so protecting your public email from spam was necessary.
Also this was a time when mail boxes were often allocated 10-25 megabytes. So spam bots could easily flood your email.
Agreed. I have several web sites with publicly visible email addresses and they don't get much spam.
The spam I get is rather mis-targeted. For a while I was getting spam for equipment which would be useful were I a bulk producer of olive oil. "We have 15 years of experience in the research, development and production of automatic edible oil filling equipment...." There are the usual fake financing deals: "We’ve pre-approved your business for financing..." Whatever sends that crap doesn't look at the web site at all.
When I get spam from Gmail or Outlook accounts, I report it, so they will get a strike against their account. I don't hear from those people again.
All other spam is so obviously bogus that simple filters are dumping it into a junk folder. Most of it seems to be phishing emails. "You have won a (some tool)..." seems to be popular this week.
They do. My wife lost her 10-year-old Instagram account to a well crafted phishing attack against an email she had published…
Instagram/Meta’s customer support is absolutely atrocious and disgraceful on this front. They basically treat my wife like she’s also a spammer and there’s no way to recover the account or undo any of the changes the spammers made.
It’s hilarious how they ask you to “appeal” a ban by clicking a single button without giving any chance to rectify what the spammers did to her account. Of course their automated bots just reject your appeal almost instantly. Shameful.
Clicking the appeal button is like a trap to permanently ban your account.
You can get it back by paying off a Meta employee through a site like Swapd. It's either that or get your comment to the front page of HN. Those are the only two customer support channels for Meta or Google.
Does her email show up on any leaks on https://haveibeenpwned.com/ ? I'm wondering if not publishing it would have made any difference to receiving phishing messages.
Would such an attacker be stymied by this? It seems like automated email harvesting wouldn't be a big time saver for any attack that required a well-crafted anything. I don't know anything about that particular attack, though.
Same here, I've had my email plainly visible on my website in mailto links and on Github, and I don't get any spam that breaks through Fastmail's spam filters.
Do they though?
I have had my email address published on my website in a <a href="mailto:… for like 20 years and I don't get spam that would get through the spam filter.
I use both Gmail and (for some other addresses) a webmail hosted by a local company which uses some other filter. Both work well, so it's not something only Google can do.