testing, testing, 1.. 2.. 3..

So an interesting question came up on one of the lists I belong to. There’s a discussion about email addresses, and how effective obfuscation is against spambot collection.

For those of you that may not know, “obfuscation” is a way of hiding things - in plain sight, in this case. Usually, spammers will troll through sites with an automated program, and look for the “mailto:” and “@” within part of your pages’ code, like in anchor links and hidden input fields in forms. When it finds these tasty treats, it will “harvest” the email addresses and add them to the spammer’s lists, and quite soon, you’re receiving all kinds of spammy goodness in your inbox.

I had looked into this, myself, a few months ago and came across an interesting article about the effectiveness of email obfuscation. It was an interesting article, and there was a nice test that was performed. The end result was that email obfuscation does, indeed, work. It’s a simple and effective method to use, as well.

Unfortunately, I cannot find the article. I’ve tried, and I am ashamed that I didn’t bookmark it when I had the chance. So, I’ve decided to put it to the test myself.


I have just created two email addresses - literally within the past 5 minutes. I have not told anyone what these email addresses are, and they are not publicly available to anyone as I write this sentence. By the time I get to the end of this post, they will be.

The parameters of this test are simple: I will only post these two email addresses once, here in this post, on this site. I will let them sit there, relatively exposed to the world, and see what happens to them. They are valid email addresses - in fact if you click on one of them and send me an email, I *will* receive it. I have determined, however, that in the beginning stages of this test, I will not respond to any emails I receive from these two addresses via these addresses.

In other words, if you click on the first one and send an email, I will respond (if you ask me a question or your question is actually worthy of a response), but I will respond from my regular email address, not from the one you have sent. This shouldn’t be a problem, because the fact that I actually get it will prove to you that it is a working and functional email address. But the reason I will not be responding initially is because I don’t want the email address to be circulating in anyone’s inboxes yet. Eventually, I may change my line of thought there - but for now, that’s what I’m going to do.

So, here are the two methods of obfuscation I will be using. The first is a JavaScript-based obfuscation technique. I’m digging into the archives here - I actually used to use this method back in the day, but abandoned it a loooooong time ago. The idea is that the JavaScript splits up the email address, then encodes it. A normal person will click on the link, and an email window will pop up. A spambot will see it (they don’t use JavaScript), but get nothing from it because the format is broken apart.

The second method is simple HTML encoding. You simply replace each character in the email address with the corresponding HTML entity for that character.
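Here is a sketch of both methods, as an added example rather than the code used in this post. The function names and the address are made up for illustration, and the JavaScript variant only splits the address (it skips the extra encoding step). The last function checks the markup for the literal “mailto:” and “@” patterns described above.

```javascript
// Added example: constructed address and hypothetical function names.
const SAMPLE = "someone@example.com";

// Method 2: replace every character with its decimal HTML entity.
function entityEncode(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join("");
}

// What a browser (or any entity-aware parser) does before using the link.
function entityDecode(markup) {
  return markup.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

function entityLink(address) {
  const href = entityEncode("mailto:" + address);
  return `<a href="${href}">${entityEncode(address)}</a>`;
}

// Method 1: emit a script that keeps the pieces apart and joins them
// only when the visitor's browser runs it.
function scriptLink(address) {
  const [user, domain] = address.split("@");
  const parts = JSON.stringify([user, domain]);
  return `<script>(function(){var p=${parts};` +
    `var a=p[0]+String.fromCharCode(64)+p[1];` +
    `document.write('<a href="'+'mai'+'lto:'+a+'">'+a+'</a>');})();</script>`;
}

// True if the raw page source still contains the literal patterns
// a source-scanning harvester looks for.
function exposesToLiteralScan(markup) {
  return /mailto:/i.test(markup) || /[\w.+-]+@[\w-]+\.[\w.-]+/.test(markup);
}

const plain = `<a href="mailto:${SAMPLE}">${SAMPLE}</a>`;
console.log(exposesToLiteralScan(plain));               // plain link
console.log(exposesToLiteralScan(entityLink(SAMPLE)));  // entity-encoded link
console.log(exposesToLiteralScan(scriptLink(SAMPLE)));  // script-built link
// Caveat: decoding the entities gives back the plain link, so method 2
// only hides the address from tools that match the raw source text.
console.log(entityDecode(entityLink(SAMPLE)) === plain);
```
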

So, let the test begin.

1)

2) obfuscate@anekostudios.com

For the record, I do expect to receive spam anyway - at least just a little bit - simply because this site has already been indexed for a little while, and there are spammers who simply harvest domain names, and start using dictionary words to prepend the domain name, in hopes of getting a valid email address. For instance, if your domain name is “ilovepuppies.com”, you’ve probably gotten email addresses for words from “anywhere@ilovepuppies.com” to “zack@ilovepuppies.com”, and only one or two email addresses within that block of cc’d email addresses actually reached you. So I do expect a little bit. I’m not sure what the percentage of that kind of spam is (personally, I blackhole any email that comes to me, and isn’t a valid email address), but it’s relatively low.

I’ll also tell you that I’m a lover of MailWasher - I don’t check my email without running this little program first. This may also affect how spam is directed at me, because MailWasher has a cool little thing you can do. Because it checks email at the server level (and not after you’ve downloaded it from the server to your inbox) - you can see spam before you actually get it. Then you can bounce it from your server. After a while, the email address has been bounced so many times, the theory is that eventually it is removed from lists as a bad address. So, I do run MailWasher, and I’ll tell you right now that any spam I do get will be bounced back to the spammer. This may affect my findings - but it’s a real live interpretation of how I work, so I believe it’s valid.

So, the test is now running. Let’s see what happens!

Comments

Paul Roberts says...
1

I’ve had a similar test running for a while, but with an ASCII encoded and non-encoded email, the encoded one would give me less than 10% of the spam the non-encoded address generated.

I’m currently using the “Email Immunizer” Wordpress plug-in to encode
http://guff.szub.net/2005/08/23/email-immunizer/

there’s also the Obfuscate E-mail Plugin
http://www.coffee2code.com/archives/2005/03/24/plugin-obfuscate-e-mail/

Both are worth a look. :)

Jacques says...
2

I have the impression (no empirical data) that obfuscation still works - for years I use it on my sites and hardly receive any spam - created a freebie ages ago: http://www.aadconsulting.com/mailencrypter.html (’donated’ to AAD).

And yes, Mailwasher is worth the money - I used to bounce all spam as well, but learned it doesn’t work - spammers don’t care - it’s simply a matter of numbers for them. Plus, it adds to the load of mailservers, so I stopped bouncing.

However, I set up some filters, based on domains - any mail from one of those spam-houses is deleted automatically - works very efficiently.

Shelly says...
3

Excellent - thanks Jacques!
