Does email address obfuscation actually work?

Doesn't it depend on what you mean by "works"?<p>It probably cuts down on spam, but I'm sure it also counts down on legitimate inquiries that didn't get made because the person who wanted to contact them said "fuck it" rather than typing the e-mail by hand. (You could argue that lack of e-mail from those people isn't a great loss, but whatever.)<p>Isn't spam detection at this point good enough that this isn't a concern anymore? gmail has let precisely three bits of spam slip through in the past two months.

I use JavaScript obfuscation: a tiny WordPress plugin I wrote that essentially embeds the email address on the web page in scrambled form, and then transforms it to a clickable `mailto:` link client-side in the user's web browser. A message describing how to contact me is seen if the visitor has JavaScript disabled.<p>In theory an address harvester could easily work around such simple obfuscation, but in practice this seems to raise the bar just enough to make it not worthwhile for them. Email addresses I've posted in plaintext receive much more spam than the one I have obfuscated on my web page. (But greylisting plus SpamAssassin seems to take care of that spam quite well, so it's not as though the obfuscation itself is my only line of defense.)

Cory Doctorow wrote about this in a column last year: <a href="http://www.guardian.co.uk/technology/2010/dec/21/keeping-email-address-secret-spambots" rel="nofollow">http://www.guardian.co.uk/technology/2010/dec/21/keeping-ema...</a><p>He's had the same public email address published without obfuscation for more than 10 years. He describes his anti-spam setup which has served him reliably and argues that the nuisance imposed on correspondents by scrambling his address isn't worth it.

Here's my technique. I use +folder notation (me+folder@gmail.com) for my publicly listed email address.<p>Any spambot that regexps \W or [a-z0-9\.] will get screwed up by the + that appears in the address. However, it's still a totally legal address, it delivers correctly, is clickable in browsers, etc.<p>It's not that I get a low level of spam at this public address - I get ZERO spam. Zero in the last 5 years. I get a small amount addressed to the plain me@gmail.com address, but it seems like spambots just don't pattern match for this. Anyway, it's still a gmail address, and their spam filtering might have something to do with this.

I've done my best to <i>not</i> obfuscate my email address. If the situation dictates, I will even post it on Twitter without obfuscating it in any way. I probably do this at least once per week. We have plenty of defined support vehicles, but every so often someone needs extra-special help and I do my best to oblige.<p>I probably get 30 or so pieces of spam per day, all of which ends up in my Junk folder with no effort on my part. This has remained constant over the years. I get a lot more random cr@p on my personal address ever since I was placed on a list of "people who will blog about your stuff." (which is emphatically not the case).<p>I also created a personal FAQ (<a href="http://www.jeff-barr.com/?page_id=670" rel="nofollow">http://www.jeff-barr.com/?page_id=670</a>) to cut down on the amount of random stuff that I get.

Mine does (see profile).<p>Gmail does a great job of keeping spam out of my box, but I still have to go through the spam folder occasionally to look for false positives (I get a couple a year), so I'd prefer as little spam in there as possible.<p>As for obfuscating, I use methods which require the reader to think, not to apply a rule. All the obfuscation methods presented in the superuser answer can be algorithmically beaten. Mine can't. It requires understanding the words I used. That is, unless it gets copied enough times to be recognized as a standard pattern for obfuscation. But if that happens, I can just change it to something else that requires reading and understanding.

I use three methods for protecting my email address:<p>* Spamgourmet for websites I don't trust. some_random_text.underwater@spamgourmet.com will forward six emails to my real address.<p>* A some_random_text@my-domain.com address with a catch-all for mail I really need.<p>* ReCAPTCHA's mailhide &#60;<a href="http://www.google.com/recaptcha/mailhide/&#62" rel="nofollow">http://www.google.com/recaptcha/mailhide/&#62</a>; for posting my email on the crawlable web.<p>I have noticed that most spam I do get is not from online businesses, but from businesses I've given my email to in person (e.g. conventions, competitions).

I came up with this question when I was reading my RSS feeds when I got to an "Ask Engadget" post that requested users to email questions to "ask [at] engadget [dawt] com". It seemed pretty silly for a popular website to obfuscate their email address in such a weak way, and it got me to thinking whether or not the widely-used technique is effective at all.<p>Does anyone have spam problem with a published email address? Have you had success reducing spam by obfuscating it?

A few comments on this down memory lane: <a href="http://news.ycombinator.com/item?id=1463579" rel="nofollow">http://news.ycombinator.com/item?id=1463579</a>.

The first comment is great:<p><a href="http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/" rel="nofollow">http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfus...</a><p>Different approaches to obfuscating the email address and comparing spam levels.

I don't bother obfuscating. I don't even use spam filtering anymore. I get about 5 spam emails per day max. I think it helps that my address starts with a "j" so most open relays / spam zombie machines have been shut down before they get to my letter of the alphabet in their email lists.

Not to self promote, but many years ago my site was the first to generate "email icons." Which are just an image of your email address, which does a good job of fooling most email harvesters. I'm surprised it hasn't caught on more. <a href="http://services.nexodyne.com/email/" rel="nofollow">http://services.nexodyne.com/email/</a>

The CSS-based techniques both work in IE6, which is pretty amazing. And you can combine them.<p>But don't use inline styling. Bury the rules in the cascade with some parent class so they can't be easily filtered.

the most upvoted answer there is what a real answer should be :)

Probably about as well as an elephant-repellant

I don't understand the point anymore. Spam filters are much much much better than spammers these days.

I've had my public email address, with no obfuscation, on quite a few very high traffic pages.<p>Remarkably little spam gets through to me. I actually see more spam in my non-public gmail account where, I suspect, the spammers are simply name guessing.<p>Long story made not much shorter -- I would guess that scraping isn't that big of a strategy any more.

It always fascinates me that nobody ever brings up regular expression in these kinds of discussions.<p>Spammers literally sit around all day figuring out ways to deliver more spam, I'm fairly certain they've spent the 30 minutes it takes to craft a regular expression to harvest the easy 80% of these 'obfuscated' e-mails.