This is a follow-up to my post from yesterday, which argued that obfuscating an email address does not work and is useless. Many comments on that post said that obfuscation helps because the bots are not interested in obfuscated email addresses.
So let’s recap: we use obfuscation to prevent spam bots from harvesting email addresses. So we obfuscate in a way that:
- Humans are able to read the email address
- Computers are not able to read the email address
That sounds like a CAPTCHA. If you don’t know the dos and don’ts of CAPTCHAs, I recommend reading the information on captcha.net. One of the most important facts is that you shouldn’t use a CAPTCHA which will break as soon as everybody uses it, that is, the moment the bots start to support it.
Now let’s get back to the obfuscated email addresses. I think we can agree that the obfuscation is conceptually broken. I think we can compare it with cryptography: even though there is no real use case for attacking MD5, nobody would use it to digitally sign important documents any more.
As soon as the harvesters start to search for obfuscated addresses, they will find them. If you obfuscate an email address on the web today and in five years the harvesters start to deobfuscate addresses, they will find your address. Bad luck.
So instead of using a broken CAPTCHA like obfuscation, we should use a secure CAPTCHA like the Mailhide service provided by reCAPTCHA. There are plugins for many programming languages, and it can be used, for example, to automatically replace all email addresses in a Mailman archive with a link to the CAPTCHA. It looks like this: jsm…@example.com
Solving reCAPTCHAs is also mostly much easier than solving normal CAPTCHAs because you have a complete word, and it is probably much easier than solving some obscure obfuscation rule. It helps to digitize books and newspapers, and in the end you get a link to click on.
I know that you will say “reCAPTCHA belongs to Google and Google is evil. I don’t want to give Google my email address”. If you think that, rethink. You think that the world’s biggest web harvester is unable to break the obfuscation you use? You have never ever sent an email to a gmail/googlemail account? You don’t use Jabber with Google Talk users? You do not have a Google account? Do you really think that Google doesn’t already know your email address? And if you really don’t trust reCAPTCHA, you could still use scr.im to get a tiny, CAPTCHA-protected URL. But I recommend using a well-tested CAPTCHA system.
To summarize: I agree that you should secure your email addresses on websites. But please do yourself the favor and do it properly. Obfuscation is broken, and it is only a matter of time until harvesters start to harvest the obfuscated email addresses. There are services which provide a secure CAPTCHA to protect email addresses. Please use those. And no, this is not an advertising campaign for reCAPTCHA – it is just the best CAPTCHA service I know. If you know a better and more secure one which doesn’t belong to Google, please leave a note 🙂