Does e-mail address obfuscation actually work?
Some time ago I stumbled upon the post of someone who created a honeypot and waited for differently obsfucated email-addresses coming back:
Nine ways to obfuscate e-mail addresses compared
CSS Codedirection 0 MB spam
<span style="unicode-bidi:bidi-override; direction: rtl;">
moc.elpmaxe@zyx
</span>
CSS display:none 0 MB
xyz<span style="display:none">foo</span>@example.com
ROT13 Encryption 0 MB
[email protected]
Using ATs and DOTs 0.084 MB
xyz AT example DOT com
Building with Javascript 0.144 MB
var m = 'xyz'; // you can use any clever method of
m += '@'; // creating the string containing the email
m += 'example.com'; // and then add it to the DOM (eg, via
$('.email').append(m); // jquery)
Replacing '@' and '.' with Entities 1.6 MB
xyz@example.com
Splitting E-Mail with comments 7.1 MB
xyz<!-- eat this spam -->@<!-- yeah! -->example<!-- shoo -->com
Urlencode 7.9 MB
xyz%40example.com
Plain Text 21 MB
[email protected]
This is the original statistical graph made by Silvan Mühlemann, all credit goes towards him:
So, to answer the question: Yes, (in a way) email obfuscation works.
There was an interesting article by Cory Doctorow recently on this subject here which argued that email obfuscation doesn't serve much purpose, and a more optimal approach is intelligently managing the spam you get.
TL;DR version:
- The objective of this entire exercise is not to reduce the amount of spam you get in your email, but the amount of spam you manually have to remove from your inbox.
- Email obfuscation is a constant battle to come up with ever sophisticated bot-proof, human-readable encoding, and is a drain on the productivity of both the creator, and the correspondent.
- "Almost any email address that you use for any length of time eventually becomes widely enough known that you should assume all the spammers have it."
- "The convenience of stable, easily copy-pastable email addresses" wins over trying to hide from the spambots.
So many people still use @ and . outright that there's little need for a spammer to come up with a way to defeat any sort of obfuscation; work not done is money/time not spent.