Kommentare zu: About obfuscating email addresses

Von: peterix

peterix — Wed, 07 Oct 2009 21:18:56 +0000

Heh. Obfuscating e-mails is totally wrong. You lose the usability of clickable mail links and the bots get it anyway.

And then you get spam no matter what you do. A better spam filter is the answer.

Von: Martin’s Blog» Blogarchiv » How to secure your email address correctly on the web

Wed, 07 Oct 2009 09:11:35 +0000

[...] is a follow-up post to my yesterdays post that obfuscating an email address does not work and is useless. Many comments on the blog post [...]

Von: Malte Stretz

Malte Stretz — Wed, 07 Oct 2009 08:51:41 +0000

@Martin: The data is still valid and obfuscation still works, exactly for the reasons @Steve wrote. I run a bunch of spam traps which contain both obfuscated and unobfuscated addresses. The latter hardly get any spam.

One reason is that you can’t just run a RE over the whole net and recognize all subtle ways to find mail addresses. Your Bot also can’t really execute all JavaScript it finds. Well, it could, but why should a harvester do so when he’s got enough addresses without doing so. Maybe one day this approach will be broken but until now it works fine (except for the people having to correct the addresses manually but that’s not really much work).

Anyway, what I wanted to write was a reply to @Keopa: KMail 1.9 already had such a feature, I think its gone in KDE4 (can’t try currently): You could insert an address in the format foo at example dot com into the recipient field and it Just Worked

Von: Peter Grasch

Peter Grasch — Wed, 07 Oct 2009 07:56:08 +0000

I still think that obfuscating is a good idea when e.g. posting in technical forums. I have never seen anyone stumped by something like:
“Contact me at grasch ate simon-listens ° org” (which is what I use quite often and I get no spam to that address at all.

And if someone is too lazy to edit the e-Mail address and start the mail program manually instead of clicking on a link I most likely don’t want to know what he had to say anyways .

However, I agree that obfuscation is no solution when e.g. dealing with customers. However, as most non-tech users browse with javascript on, I use a javascript to print the rot13 encoded e-Mail address and provide a noscript alternative which is obfuscated. That way even the hardcore links-users can see an e-Mail address and spam bots are having a hard enough time to (apparently) loose interest.

Greetings,
Peter

Von: Martin

Martin — Wed, 07 Oct 2009 06:20:20 +0000

@Peter: sorry the data is more than two years old. I would not count on it being still valid.

@Yawar: yes like reCAPTCHA. I just looked at the site and it seems to have some accessibility problems and it uses a kind of already broken CAPTCHA.

Von: Peter

Peter — Wed, 07 Oct 2009 00:06:59 +0000

The point you start to be wrong is when you say “I assume that the bots…” Just have a look at what an empirical investigation on this problem results in:

http://koeln.ccc.de/schnucki/
http://www.0×11.net/schnucki/

Cheers, Peter

Von: Yawar

Yawar — Tue, 06 Oct 2009 23:06:43 +0000

I came across this site recently: http://scr.im/

It’s like a URL-shortener for email addresses, with the added benefit of CAPTCHA protection for the address. For example here’s my address: http://scr.im/yawar

Von: Timm

Timm — Tue, 06 Oct 2009 18:37:04 +0000

@Martin: Full Ack! The worst thing about it is the time I have to invest in order to “manually” de-obfuscate the adresses. As if we didn’t have a hard enough time fighting the SPAM in our own mailboxes…

BTW, if I were a Spammer, I wouldn’t even go through the trouble of using a bot, let alone programming one. I’d just use one of the semi-public listings already containing the millions of addresses I need.

Von: Martin

Martin — Tue, 06 Oct 2009 16:19:08 +0000

@Steve: I would like to see the fact that bots do not execute JS I’d say that’s an assumption. Nevertheless it’s a nice idea, but the same problem as for all such ideas: as soon as all users use this approach it is broken. What we need is a general solution for the problem to not play hide and seek any more.

Von: Steve

Steve — Tue, 06 Oct 2009 16:00:26 +0000

I would say that Thomas McGuire is correct. It’s low hanging fruit vs not-so-low. Some obfuscators are quite easy to guess, and are therefore almost as “low”, but in my experience it’s definately better than not obfuscating at all.

I’ve had success with a completely different method. I use a relatively simple JavaScript routine and inline document.write() calls, and avoid having any recognisable email addresses in the source (and the ‘@’ character doesn’t appear anywhere).

This relies on the fact that bots may read the source (including JS) but don’t actually execute any JavaScript. The result is a clickable mailto: link, and I haven’t had any more spam to those addresses since doing that.

Of course, once there’s no more low-hanging fruit, the nasty people will reach up higher, or maybe get a ladder. If that happens, I’ll have to be more creative.

Steve