CHI-WEB Archives

ACM SIGCHI WWW Human Factors (Open Discussion)


Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Condense Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
"ACM SIGCHI WWW Human Factors (Open Discussion)" <[log in to unmask]>
Francois Jordaan <[log in to unmask]>
Fri, 12 Nov 2004 18:07:40 -0000
text/plain; charset="iso-8859-1"
Francois Jordaan <[log in to unmask]>
text/plain (157 lines)
Hi Pat,

Every so often techniques to protect email addresses on websites from being
harvested by spambots get discussed on webdesign mailing lists and forums.

Steve Champeon, who runs the Webdesign-L list, makes a convincing argument
not to bother. Unfortunately. See email below.

If you're in a hurry, this paragraph sums it up:
I'm not saying fighting spam isn't worthwhile. I'm just saying that any
delusion that "protecting" email addresses will ever work has long gone
from my mind. The trick is to fight spammers, not to waste your time
on a fanciful but futile effort to "protect" your email address. If you
ever use or publish the email address, it's now completely out of your

Also, below this, I include an email from another poster pointing out the
accessibility problems of obfuscation methods.

Date: Fri, 30 Jul 2004 13:49:48 -0400
From: Steven Champeon <[log in to unmask]>
Subject: Re: [WD]: Obfuscating Email addresses
Message-ID: <[log in to unmask]>

on Fri, Jul 30, 2004 at 12:20:55PM -0500, Daniel S. Wesley wrote:
> >Don't bother. If the address is already on a "millions" CD, it'll be
> >there forever, and protecting your address now won't help. And if it
> >isn't there yet, it will be soon enough, because of the !$@%! who let
> >themselves get infected and send out virus-laden email that exposes
> >their entire address books. Spambots are only one vector, are pretty
> >dumb but they evolve, and it's a waste of time to "protect" your email
> >address when there are so many other vectors beyond your control.
> Wow. I didn't realize everyone was so nihilistic about this. :)

When spammers started using the Web Standards Project's Browser Upgrade
Campaign javascript redirect in their HTML email, I published the abuse
role account address for and asked people to report their
spam if it mentioned the WaSP or redirected them to our site, etc. Since
then (a year and a half ago) I'd say I've gotten 20K spam messages sent
to that address alone. I deal with email every day, have wasted the last
year building an effective antispam system, and know whereof I speak ;)

Someone ran a "joe job" against us, sending out several million messages
from the (bogus) address <[log in to unmask]>, back in April-May of
2003. It wasn't ten days between the first bounce we got from the mailing
and the first spam we got /targetting/ that address. We still get spam
to it today.

One of our customers decided she was getting too much spam (back in late
2002) and so we turned her address into a spamtrap. In February 2003, mail
to that address /alone/ accounted for 42% of all of our spam. We still
get spam sent to it every day. Yesterday that addy rejected 77 messages.
(Tip: don't ever reply to a spammer, asking to be removed from their list.
You only make them money as they can sell your address as a "confirmed
opt-in" or live address, distinct from the millions of completely bogus
addresses others use to pad their lists.)

I wrote an article (see further upthread [1]) about how to protect your site
from spambots back in 2002. I included a couple of sample addresses in
the domain; I still get spam sent to them today. 5 in the
past week.


If they haven't learned how to work around all of these tactics by now,
I'd be very surprised.

One of our customers gets, on average, anywhere from 200 to 500 spams a
day (and those are just the ones we reject and therefore know about);
another is approaching 800/day. Why? Because they posted to W3C mailing
lists, or to Usenet, or whatever, or because they're prolific email
users and so hundreds of thousands of people may have their email
addresses in their addressbooks. One domain here accounts for on average
35% of all inbound spam/virus delivery attempts. After the latest virus
outbreak, we saw our spam jump by 50% as spammers harvested bogus,
virus-originated email addresses and started to spam /them/.

The latest round of MyDoom uses Google and a few other search engines
to look for other email addresses in all of the domains in all of the
address books and browser caches, etc. on the infected system, and then
tries to send itself to them. You subscribe to this list. In the headers
we thank You get MyDoom. Google shows 1260 results for
the search "email". Nearly all of them have one or more
email addresses on them, some from public list archives.

And you think that spending a lot of time making it more difficult for
your regular visitors to grab your email address off a Web site is going
to make any difference? Bah. :/ How would you know if it was effective,
anyway? Unless you create a new email address every time the page
reloads, and correlate it to all of the IPs and user agents that grabbed
those pages, /and/ know for certain that the address was grabbed by a
spambot rather than just some innocent and infected victim, you have no
way of knowing. And even then, once the address is created, it lives on,
gets spread around, gets adopted by spammers and sold to new spammers
and so on and on.

I'm not saying fighting spam isn't worthwhile. I'm just saying that any
delusion that "protecting" email addresses will ever work has long gone
from my mind. The trick is to fight spammers, not to waste your time
on a fanciful but futile effort to "protect" your email address. If you
ever use or publish the email address, it's now completely out of your


Date: Fri, 30 Jul 2004 17:30:55 +1000
From: J4Web <[log in to unmask]>
Subject: Re: [WD]: Obfuscating Emails
Message-ID: <[log in to unmask]>

There is a bit of an outline of various email obfuscation methods at:

I researched this topic as thoroughly as I could a month or so ago, and I
ended up agreeing with Tina Clark at:

She says: "After much research I've come to the conclusion that you cannot
provide a non-spammable email link on a web page and still meet
accessibility guidelines."

I would love to be convinced otherwise.


Personally, I do believe that having only contact forms on the site, and no
email addresses, will drastically reduce the amount of spam they receive, at
least in the short term. Implemented correctly, contact forms also don't
have accessibility problems. If, however, your client would like to
encourage their customers to email the bankers directly, then bear the above
advice in mind. Protecting the addresses from spam is futile, so you may as
well implement the links in the normal way, and advise them to use good
Bayesian spam-filtering software on your mailserver or mail client.


Wheel Group, Beaumont House, Kensington Village, Avonmore Road, London W14

T +44 (0)20 7348 1000    F +44 (0)20 7348 1111
D +44 (0)20 7348 1049
[log in to unmask]

This e-mail has been scanned for viruses by MessageLabs.