Many people obfuscate their email address on websites in the hope that bots will be unable to extract it. That could look like the following:
email [AT] example [dot] tld
This approach is used, for example, by Mailman’s archiver pipermail and by the MARC mail interface used by the KDE mailing lists. Some people even ask to “not quote the e-mail address unobfuscated in message bodies”.
So is it useful to obfuscate the email address? Does that add any security?
The answer is no. This obfuscation is a kind of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), and a CAPTCHA requires that a computer cannot solve the underlying Artificial Intelligence problem even when it has access to all information required to create the test. Yesterday I tried to prove that this kind of CAPTCHA is broken and wrote a small application which is able to extract the email addresses from a public pipermail archive. The application is less than 300 lines of code and can automatically download all emails for a given month and year and extract the sender’s address by just extracting all a (anchor) elements from the online accessible emails and applying a regular expression to the text to get the email address. I only wanted to work half an hour on that. In the end I had to compile Qt 4.6 because I needed the new QWebElement 😉 If someone is interested in the source code, I could create a repository on gitorious.
The following image shows the result of an “attack” on the plasma-devel archive. For privacy reasons I blurred the user part of the mail address.
I don’t think there is any reliable way to obfuscate an email address using simple text. If there is an algorithm to obfuscate the address, there is a regular expression to unobfuscate it. The only way to protect an email address is to not include it anywhere a bot could harvest it. That is, replace it with a “real” CAPTCHA that reveals the email address once it is solved. For websites there is, for example, the Mailhide API of reCAPTCHA. For mailing lists that is completely useless, as the email address is already included in plain text in the email headers. Instead of parsing websites, bots could just subscribe to the mailing lists.
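To check which addresses in your own page or archive text are still machine-readable despite this kind of obfuscation, the following added example (not the application described in this post) normalises a few separator spellings with one regular expression. The list of spellings, the function name and the sample text are assumptions constructed for illustration.

```python
import re

# Separator spellings covered here are an assumed, non-exhaustive list:
# "@" / ".", bracketed words like "[AT]" or "(dot)", and bare " at " / " dot ".
OPEN, CLOSE = r"[\[({<]", r"[\])}>]"

def _sep(symbol, word):
    return rf"(?:{re.escape(symbol)}|\s*{OPEN}\s*{word}\s*{CLOSE}\s*|\s+{word}\s+)"

AT, DOT = _sep("@", "at"), _sep(".", "dot")
ATOM = r"[A-Za-z0-9_+-]+"    # one piece of the local part
LABEL = r"[A-Za-z0-9-]+"     # one piece of the domain

PATTERN = re.compile(
    rf"(?<![\w.+-])(?P<local>{ATOM}(?:{DOT}{ATOM})*)"
    rf"{AT}(?P<domain>{LABEL}(?:{DOT}{LABEL})+)",
    re.IGNORECASE,
)

def recoverable_addresses(text):
    """Return (text as written, normalised address) for every address
    in `text` that a single regular expression can recover."""
    found = []
    for m in PATTERN.finditer(text):
        local = re.sub(DOT, ".", m["local"], flags=re.IGNORECASE)
        domain = re.sub(DOT, ".", m["domain"], flags=re.IGNORECASE)
        found.append((m[0], f"{local}@{domain}".lower()))
    return found

# Constructed sample; the first line is the obfuscation example from this post.
SAMPLE = (
    "Contact: email [AT] example [dot] tld\n"
    "From: jdoe at lists.example.org (Jane Doe)\n"
    "Plain: alice@example.com. Meet me at noon.\n"
)

if __name__ == "__main__":
    for written, address in recoverable_addresses(SAMPLE):
        print(f"{written!r} -> {address}")
```

Every line of output is an address that gains nothing from its obfuscation. The bare " at " form can also match ordinary prose such as "look at example.com", so treat hits as candidates to review.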
So please stop obfuscating your email addresses. It is useless and makes it impossible to just click on an email link. Instead the reader has to solve the useless CAPTCHA.