Email Address Obfuscation

We all browse public forums, and every once in a while we come across people sharing their email addresses in the form “name _AT_ email address _DOT_ com” or some variation of it. The motivation behind this practice (which is really old now) is to ‘obfuscate’ one’s email address and make it difficult for spam bots to collect email addresses from a forum. What matters here is simply the quantity of email addresses the bots collect. They employ regex matching to extract the username, the server’s address and the domain extension from the email address. I know what you’re thinking: OF COURSE the spam bots can easily be reprogrammed, or at least updated every once in a while, to take into account people’s most commonplace obfuscation habits. So strings like “AT” and “DOT”, with whatever prefixes or suffixes, can be ‘parsed’ into “@” and “.”, which also returns a lot of junk email addresses, because we use the words “at” and “dot” in our normal writing too. In any case, some kind of obfuscation is always good for working around the spam bots.

How does all this fit into the big picture? Does it have any effect on the spam emails received by people? Have a look at the visualization below:

Volume of Spam received by obfuscation method

mailto: links are NSFW 😛

I was a little amused when I looked at this picture because I hadn’t really taken email address munging so seriously and had not considered that people have developed so many tools for it.

Have a look at this email address obfuscator; it presents you with a lot of options to obfuscate and configure your email address. I did not really dig around this tool so much, but it seems interesting. There is only so much a person can hide, because ultimately the email address has to be ‘usable’.

For instance, I munged an email address using the tool, and it generates some JavaScript which you are supposed to embed into your web page; the script creates an element in your web page with the munged email address. I munged it using an image, for instance, and got this code:

This seems pretty messed up, but you can see the image attached to a link, and you can guess what the “href” attribute contains. It’s only a matter of unescaping and decoding the URL and the HTML entities used in the link.

In jQuery it’s as simple as doing this:

For anyone who has a little experience in web development and is aware of the security concerns of JavaScript injection, this is a nightmare! We would of course not want to inject arbitrary code into our DOM.

I found an amazing workaround for this problem in a Stack Overflow post. The function basically removes the script tags and sanitizes the HTML before putting it as the HTML content of a div and displaying its text. The code:

Both of these scripts work great and, again, are not really hard to plug into a spambot if all they care about is collecting arbitrary email addresses, because that’s what matters in the end.
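To check how little protection entity and URL escaping give a munged address, the href can be decoded as plain text, so nothing is ever parsed into the DOM. This is an added example, not the jQuery snippet or the Stack Overflow function from the original post; `decodeEntities`, `decodePercent`, `decodeMungedHref` and the sample strings are names and inputs made up for this illustration.

```javascript
// Added example: decode a munged mailto href as text only, never via the DOM.
// Assumption: only the five XML-predefined named entities are handled,
// since obfuscators mostly emit numeric character references.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') {
      const named = NAMED[body.toLowerCase()];
      return named === undefined ? match : named; // unknown names stay as-is
    }
    const isHex = body[1] === 'x' || body[1] === 'X';
    const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
    // Leave NUL, surrogates and out-of-range values untouched instead of throwing.
    if (!code || code > 0x10ffff || (code >= 0xd800 && code <= 0xdfff)) return match;
    return String.fromCodePoint(code);
  });
}

function decodePercent(text) {
  try {
    return decodeURIComponent(text);
  } catch (err) {
    return text; // malformed %-sequence: keep the input rather than fail
  }
}

// Entities are resolved first (as an HTML parser does when it reads the
// attribute value), then the URL escapes inside the href.
function decodeMungedHref(href) {
  const decoded = decodePercent(decodeEntities(href));
  const m = /^mailto:([^?\s]+)/i.exec(decoded);
  return { decoded, address: m ? m[1] : null };
}

// Constructed sample input, not output of the tool mentioned in the post.
const SAMPLE_HREF =
  '&#109;&#97;&#105;&#108;&#116;&#111;&#58;%75%73%65%72%40%65%78%61%6d%70%6c%65%2e%63%6f%6d';
// Constructed markup payload: once decoded it is still only a string.
const SAMPLE_MARKUP = '&lt;script&gt;alert(1)&lt;/script&gt;';

console.log(decodeMungedHref(SAMPLE_HREF));
console.log(decodeEntities(SAMPLE_MARKUP));
```

If the decoded value has to be shown on a page, assign it to `textContent` rather than passing it to an HTML-parsing sink.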

Look Ma No Links?

Ok, so you know now there are a couple of techniques out there to make your email address less spam friendly. Would you use it? Would I? Personally I wouldn’t. Spamming or bulk email sending is really old school now. It’s still prevalent, I agree, but most of the email services we use, like Gmail, Yahoo or anything for that matter, have really good SPAM filters in place which are updated and improved really frequently to filter our emails. Also, I feel most of the email addresses in existence now have already been crawled at least once, and with really good spam detection we are not really bothered with spam anymore. Yeah, the flip side to munging your email addresses is that the spam bots also need to be updated frequently, and the more email addresses they crawl, the more processing goes on behind the scenes, the more resources they consume and their efficiency goes down. So you see, there are trade-offs :D. Give obfuscation a try and see what works for you.

PS: Let me know of any other technique that you frequently use to munge your email addresses which I missed out on.