Is E-Mail Obscuration Worth It?
ThenAgain asks: "Many sites obscure e-mail addresses by adding noise (like 'STOPSPAM') or by translating the punctuation into words (Ex: 'me at domain dot com'). This makes users feel good but does it actually help? Ten lines of perl could defeat any of the present schemes with ease and the spammers have shown plenty of adaptability. So if we're not helping hold back the flood of spam, why are we decreasing the utility of the web by eliminating mailto tags and forcing users to hand-correct the addresses in their mail clients?"
first post? (Score:5, Insightful)
Because... (Score:5, Interesting)
Yes, but, for now at least, there are still plenty of addresses from people who don't spam-guard, enough that writing those 10 lines of perl isn't even really worth it.
Also, if you have your address spam-guarded, it's effectively a message to the spammers that, "I'm not one of the
And they don't, because it's just not worth it for both those reasons.
Re:Because... (Score:5, Insightful)
1. Writing those "ten lines of perl" is indeed worth it if you want the addresses from the site doing the obfuscation, especially if you know something about those contributing to the site and want to target particular types of people (probably not done often by spammers as they obviously prefer the shotgun approach). Spamming is a business and they can afford to pay programmers - and they DO, given that there are companies out there making software to service spammers.
2. If the obfuscation is automatic or defaults to "on" there really is no message being sent by the owner of the address.
I leave my address open (here and elsewhere) for two reasons: I don't really care what drops into that particular inbox and there's enough filtering on it, local and remote, that it's still useful as an open contact point.
Re:Because... (Score:2)
Since for now, very few people obscure the same way, those ten lines of perl actually are probably closer to 30, just to eliminate the creative obsc. that get done, it's not worth it.
Should we all pick ONE true way to obscure, you can expect methods to defeat it to gain popularity.
Recently there was another slashdot about why lots more random "legal" words were introduced in spam, and how it might affect bayes. Many replies correctly pointed out that a correct bayes(individual token lists for
Re:Because... (Score:4, Informative)
Re:Because... (Score:2, Informative)
Re:Because... (Score:2)
Re:Because... (Score:3, Insightful)
Re:Because... (Score:2, Interesting)
Re:Because... (Score:2)
Shouldn't that be "postmaster@[127.0.0.1]"?
Re:Because... (Score:4, Interesting)
You know, if spammers cared a whit about anything except getting more addresses onto their "10 million email addresses" CDs that they sell by spamming, that would have some validity. However experience tells me otherwise.
Spammers have hit email addresses that have only ever been used in postings in news.admin.net-abuse.email. They also spam my abuse@ email addresses. If there is any group of people more likely to have heavy spam filters and/or to complain or retaliate against spammers, it would be the people who post to n.a.n-a.e, and the people who handle spam abuse complaints for their domain. You'd think out of sheer self-preservation that spammers wouldn't bother those people, but they do.
slashdot@davidcole.net (Score:5, Informative)
Otherwise, I use a hotmail account to commonly give out. Obfuscated email addresses are obnoxious.
Re:slashdot@davidcole.net (Score:3, Interesting)
Re:slashdot@davidcole.net (Score:2)
Re:slashdot@davidcole.net (Score:2)
Re:slashdot@davidcole.net (Score:2)
I will at least know who the jerk is who sold my address.
Or the jerk who posted it in their slashdot post :)
.02
cLive ;-)
ps - change your sig - or pay your bill! ;-)
Re:slashdot@davidcole.net (Score:2)
Are firewalls worth it? (Score:4, Interesting)
The reason people obscure their email is
a) It's fast, easy and doesn't require external software.
b) Sometimes that's all the protection you can get when you post to some sites.
Nothing wrong here. Web utilization is still high. It's the spam that is the problem -- not the countermeasures.
10 Lines? (Score:5, Insightful)
Give us 10 lines of perl that will harvest armored email accounts out of a large document, with at least half of the harvested addresses actually usable, and at least half of the potential addresses harvested.
The point is to make the harvesting costly, and reduce the usefulness of spam address harvesting. I maintain three email accounts. One that is used publicly, like here on Slashdot, one that is used for business transactions, like ordering things from Amazon, etc, and one that is a throwaway for registering accounts with various online services.
Of the three, the first one, which is displayed widely, on K5, Slashdot, Groklaw, LiveJournal, and a lot of other heavily trafficked community sites, does not receive any spam of note. The second gets a pretty steady flow.. And the third.. Well.. The third is redirected to
Btw, that first email address has been in use for over three years, now.
Re:10 Lines? (Score:2)
Re:10 Lines? (Score:5, Insightful)
davidNOSPAM@amazing.com
david at amazing.com
davidATamazingDOTcom
david@amazing.
etc
I don't bother spamguarding my address because I like to make it easy for people to contact me, and because my email address, in use since 1993, is pretty much everywhere anyway.
Quite honestly postal spam bothers me more than email, since I have to physically dispose of it all
D
Re:10 Lines? (Score:2)
s/[\`\'\"]//g;
s/[\-\_\s]*nospam[\-\_\s]*//gi;
s/\s+at\s+/@/i;
s/\s+dot\s+/\./gi;
s/([\@\.])+/ $1/g;
I don't claim to know regex, and I had four beers. (No, it didn't take me one beer for each line *grin*) I am sure a lot of you out there can do a lot better than I did. But the point is, if I can g
Postal spam tip (Score:2)
The way I deal with that is to play their own system against them. It works best if you get quite a few with prepaid return envelopes - save up a pile of them and then go through mixing up replies. Don't fill anything in, just put some of the junk one firm sent you in the prepaid envelope for the other. And if you have any newspaper spare, fold up some sheets of that and include it, anything to increase
Re:Postal spam tip (Score:2, Interesting)
I don't bother waiting for prepaid envelopes to show up - any garbage postal spammers dump in my mailbox immediately gets "RETURN TO SENDER" written on it & dumped back in the mailbox. You need to mark out
Re:Postal spam tip (Score:2)
Re:10 Lines? (Score:2)
Yeah, but at least postal spam costs the sender money, email spam costs your ISP bandwidth, and despite what anyone will tell you, bandwidth is NOT cheap.
In heavy traffic and Distinct sites ..Re:10 Lines? (Score:2)
I recently received spam at the address displayed on /. It is an absolute rarity and I was surprised till I realized that /. users are a distinct demographic with certain common traits.
For a business targeting the /. demographic it is probably worthwhile to get all the email addresses (easy to detect where they are on a page and about 750,000 maximum) and then run them thru iterative cleaning. In the first
Re:In heavy traffic and Distinct sites ..Re:10 Lin (Score:3, Insightful)
Then again, when I start making optimistic guesses about
Re:In heavy traffic and Distinct sites ..Re:10 Lin (Score:2)
Well, then we can establish that address mangling works.
I leave a contact address in unobscured text, and in the past 24 hours, I received 74 emails to that mailbox, all of which were spam.
Re:10 Lines? (Score:5, Funny)
Here it is in nine:
A real Perl hacker could probly do it in three, in the shape of a camel.
Re:10 Lines? (Score:2)
Re:10 Lines? (Score:3, Funny)
he figured out that rather than learning perl in order to harvest e-mail addresses more efficiently, he could simply post the question to slashdot and someone would do it for him
think about it
Re:10 Lines? (Score:3, Interesting)
Re:10 Lines? (Score:4, Informative)
"unless I'm looking for one of those precious "email validation" messages."
A bit off topic but I found a cool site that handles those email validation messages you need to get once in awhile. It's called mailinator [mailinator.com]. Anytime you want to register with a site that asks for your email address so they can send you a validation code (and inevitably spam you to death) you can use mailinator's service for free. All you have to do is write bobs_your_uncle@mailinator.com and then you can log into that account at mailinator. All messages received there get deleted in a few minutes and do note that anyone else can access it as well, but it certainly is a good service to handle for that exact case you mention!
-Pat
According to this it works... (Score:5, Interesting)
Harvesting addresses is like picking cotton. (Score:5, Interesting)
It's the same with e-mail addresses - why should a spammer go to the trouble of modifying their bots to detect obscured addresses, when there are plenty of unobscured ones ready for harvest?
I'm sure some spammers do try to pick up obscured addresses, but until they start running out of unobscured addresses, they'll keep going for the masses of low hanging fruit and not bother with the rest.
Of course, obscurity doesn't save your address from brute forcing...
try this (Score:4, Insightful)
no program is gonna figure it out, unless they knew the algorithm, which they likely don't. It's always *possible* to outmaneuver the spammers in some way or another.
Whether it's worth the hassle, is of course, your call.
(albany354@hotmail.com is not my actual email address, so feel free to spam it.)
Re:try this (Score:2)
Re:try this (Score:3, Insightful)
>no program is gonna figure it out, unless they knew the algorithm, which they likely don't. It's always *possible* to outmaneuver the spammers in some way or another.
>Whether it's worth the hassle, is of course, your call.
Remember it is not just a hassle for the creator of the email address. It is also a pain in the ass for everyone else. I for one hope I never have to send an email to someone doing that type of masking. How many
Re:try this (Score:5, Funny)
Re:try this (Score:2)
I for one will not be looking it up unless I really need to email you.
But...that's exactly the point, isn't it?
-- MarkusQ
Re:try this (Score:4, Interesting)
me domain com
at dot
That would take some mighty Perl to demangle, I imagine.
Re:try this (Score:2)
Re:try this (Score:2)
New York CITY!!
Git the rope!
Re:try this (Score:2)
Relying on (rather useless) trivia to determine the value of what someone has to say is a rather arrogant form of (non)communication.
Definitely Worth It (Score:5, Interesting)
For example, while you might post your address as:
user@NOSPAM.domain.com
I may post mine as
user2@no_spam_damnit.domain.com
To me, using relatively simple tricks like this to make the job of a spammer harder is definitely worthwhile.
Re:Definitely Worth It (Score:2)
This is interesting. I have occasionally gotten spam offering email addresses. They're sorted by domain, have duplicates removed, and also have had addresses removed which contain certain strings such as "spam", as such addresses are generally not real ones - like yours.
Double protection is good, but some people just don't get it, especially when you post in places such as newsgroups, where you've modified your from address. I've wondered whether setting up a real subdomain for real email addresses woul
spamcop.net makes me feel good (Score:3, Insightful)
My less technical friends have no problem mailing me because I use a mailto link on my homepage.
I use a separate yahoo address for shopping. I don't want my shopping information to be linked to my personal website. The spam from the yahoo address is also fed to spamcop.net. Sometimes I also use one-time hotmail addresses to buy from dealers with high spam risk. I simply stop using those accounts and forget the password once the transaction is complete.
Re:spamcop.net makes me feel good (Score:3, Interesting)
My less technical friends have no problem mailing me because I use a mailto link on my homepage.
I have a link too, but I use @ instead of @ and that actually works well enough that spam bots don't recognise it. The browsers I've tried (Konq,Moz,IE) display it and handle it properly though. I saw that here a while back in an article about where addresses are most likely to be harvested from.
-- Steve
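An added example, not code from the comment above: the literal replacement the poster used for @ did not survive on this page, so this assumes it was an HTML numeric character reference such as `&#64;`. The JavaScript below encodes a mailto link that way and checks what a scan of the raw markup sees compared with what an HTML parser resolves; all function names and the sample address are constructed for illustration.

```javascript
// Added example; names are hypothetical, the sample address is constructed.

// Pattern of the kind a scraper uses when it scans raw markup for addresses.
const NAIVE_ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Encode every character as a decimal or hexadecimal character reference.
// `pick(i)` chooses the form per character; the default mixes them at
// random, a fixed function makes the output reproducible.
function encodeEntities(text, pick = () => Math.random() < 0.5) {
  return Array.from(text, (ch, i) => {
    const cp = ch.codePointAt(0);
    return pick(i) ? `&#${cp};` : `&#x${cp.toString(16)};`;
  }).join("");
}

// Resolve numeric character references, which is what a browser does
// before it displays the link text or follows the href.
function decodeEntities(markup) {
  return markup.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);/g, (_, ref) => {
    const hex = ref[0].toLowerCase() === "x";
    const cp = hex ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return String.fromCodePoint(cp);
  });
}

// Build the anchor element with both the href and the visible label encoded.
function mailtoLink(address, pick) {
  const href = encodeEntities(`mailto:${address}`, pick);
  const label = encodeEntities(address, pick);
  return `<a href="${href}">${label}</a>`;
}

// Compare the plain link with the encoded one from three viewpoints.
function report(address) {
  const plain = `<a href="mailto:${address}">${address}</a>`;
  const encoded = mailtoLink(address, (i) => i % 2 === 0);
  return {
    plainMatchesRawScan: NAIVE_ADDRESS.test(plain),
    encodedMatchesRawScan: NAIVE_ADDRESS.test(encoded),
    // Anything that parses HTML properly sees the address again, so the
    // encoding only holds against clients that skip entity resolution.
    encodedMatchesAfterParse: NAIVE_ADDRESS.test(decodeEntities(encoded)),
    roundTrips: decodeEntities(encoded) === plain,
    encoded,
  };
}

console.log(report("user@example.com"));
```

The third field is the caveat: the protection lasts only as long as the harvesting client does not resolve character references.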
Re:spamcop.net makes me feel good (Score:3, Informative)
for example, the first 4 messages sent to slashjunk.4.mbloore@spamgourmet.com will be forwarded to me; any more will be eaten.
more control is available if you want it, such as whitelists and resetting the count. and you can reply through them, so your forwarding address is
My technique... (Score:5, Funny)
kajohnson@hotmail.com BECOMES_ letter_second_word_letter_switchfifthandthird_word _getridof_of_restofaddress_is_phoenetic)
kay_a_sonofjohn_atuh_hawtmayled0tcawm_(first_word
Sure, it's brutal to decipher, but there's no way a machine can poke through that mess. Fun for the receiver to figure out too :)
Re:My technique... (Score:2)
Worst of two evils (Score:5, Informative)
For me at the moment, Bayesian filters, a technical solution, work best. Yes, it still wastes bandwidth. But if my ISP ran good filters for me (POPFile [sf.net] is adapting itself for this usage), my bandwidth at least could be saved. And the filters do work well.
Technical solutions are a stopgap measure, but the next step is legal and architectural. Make spamming illegal. This would only affect countries that care and spammers who get caught, but the next step will help. Make it harder to hide where you're coming from. This gives even ISPs in lawless countries motivation to stop sending spam, because if their upstream knows it's them, they can threaten to disconnect them.
Munging is probably the worst solution, similar to getting an unlisted number. It's even shorter-term than filters, but it sacrifices the medium in the process. It's a bit like not answering the phone during mealtime - yes, it works, but it interferes too much with legitimate communication. If that's your choice, fine, but I think it's ill-advised.
Future solution... (Score:2, Interesting)
How bout your email address displayed as a small image?
Yahoo and other sites have been using words in an image as an anti-automated-signup with good success. They work because it's just too hard to get text out of a fuzzy/obscured image automagically. Image recognition simply isn't good enough yet.
Definite overkill now, but spammers are always cracking the latest line of defense...
Re:Future solution... (Score:2)
That's annoying to people who legitimately want to send you an email.
Re:Future solution... (Score:2, Insightful)
My dad can read email and surf fine without his glasses but sometimes he has to go get his glasses to work out what the "anti-automated-signup" image says.
10 lines? (Score:2)
To answer your question: yes of course it's worth it. It takes 3 seconds and befuddles every current email spider on the web.
Sure, ten lines of perl code could decode any ONE technique on Slashdot, but it would take much more to detect which technique (of infinite possible) was used.
However, there is a situation where it becomes reasonable to use such a descrambler. On some mailing list archives, there is a standard anti-spam format applied to every email address. In this case, picking one lock would
My sig (Score:3, Interesting)
spam@tuxserver.ath.cx
It's down now though. Server lost a hard disk overnight. Stupid thing.
spam@tuxserver.ath.cx --I WANT SPAM!!!!
Re:My sig (Score:3, Insightful)
Re:My sig (Score:2)
Re:My sig (Score:2)
Try using it to register a domain name. I use domains at littlecutie dot net for nothing -- absolutely nothing -- but domain registrations. I cleaned it out last week, and it now has 162 messages. One is a renewal notice on a domain. The rest are spam.
I may change my domain registration email to domspam at littlecutie dot net and see what happens, though!
Re:My sig (Score:2)
Cheap tricks (Score:2)
And yet obfuscation seems to work quite well, at least in my experience. How can this be?
I can think of two big reasons. The first is that deobfuscation is harder than it looks. It's not just a matter of applying the reversal -- you also need to recognize which reversal to supply (dubyaNOSPAMwhitehouseNONEgov, dubya at wh
Re:Cheap tricks (Score:2)
Brains, not gibberish (Score:4, Interesting)
Step 1
Register your own domain name. Cheapest reliable registrar I'm aware of is Godaddy [godaddy.com], at about eight bucks a year per domain for .com, .net and .org TLDs, more/less for others. (Five bucks a year for ".us", for example.) Having trouble picking one? Use your own name, or add "bork" to the end or something. It really isn't that big a deal.
Step 2
Permanently disable the following addresses: info@, support@, webmaster@, ceo@, sales@, president@, admin@, contact@, customerservice@, and tech@.
Step 3
Can you figure it out by my e-mail address? If not, shoot me one, I'll clue you in, if you can demonstrate that you're not a spammer. ;-) Here's a hint: You'll need your host to support this mail feature.
Step 4
Don't post your address, genius! If you slap your e-mail address on a website, in a mailing list, etc... you're gonna get spam. That's the way it is. Stop whining about it, and figure out a solution. (See step three.) If you haven't figured out step three yet, e-mail me.
Step 5
Pay attention. Think about who you give your address to. This goes for the address you use for your domain registration. Oh, and register your domain with an address that you don't care about getting spam at. A month or two later, change it. Spammers pay more attention to the e-mail address a domain is registered with than they do the address(es) that it ends up with later.
I own about twenty domain names, and use multiple addresses for each domain name. I get a combined total of about 3-10 spams per day, tops... and those are only to the addresses I was using before I developed these rules. The benefits? Little to no spam, you can track every company that's sold or shared your information, and easily see who violated their privacy policy. Then, of course, you just shut down the spam that they've enabled, and go on as usual.
It works.
Server side scripting (Score:3, Insightful)
I don't obfuscate at all. I use a server side script to generate a form. The client (browser, spambot, whoever) never sees the address. It is not possible to figure out the address, no matter how determined the spammer is.
I VERY HIGHLY recommend this free php or asp email form [dbmasters.net].
Re:Server side scripting (Score:2)
Bah. Goofed up the link (Score:2)
10 Lines of Perl? (Score:2)
"So if we're not helping hold back the flood of spam..."
We who? I get zero. Not bad for 1,320 web hits on Google on my last name, and over 12 years of regular usenet use. And I do NOT filter. I'm just careful.
Spam Email Address? (Score:2, Interesting)
Think out of the box (Score:3, Insightful)
Ten lines of Perl? (Score:4, Interesting)
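#!/usr/bin/perl
# Redirect the browser to the real mailto: URL so the address never appears in the page markup.
# The @ is escaped so Perl does not interpolate @sales as an array inside the double-quoted string.
print "Location: mailto:dan\@sales.example.com\n\n";
exit(0);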
And then it's just a simple matter of replacing:
a href="mailto:dan@sales.example.com"
with:
a href="/bin.cgi?href=mailto:abuse"
I've been doing this type of thing since about 1998. Surprised more people don't do it. It's fairly trivial to improve upon it and add quasirandom munging to the addresses, etc...
Re:Ten lines of Perl? (Score:2)
Re:Ten lines of Perl? (Score:2)
Of course, the sole Slashdotter who wants to de-munge addresses on a site of mine will go to the trouble of figuring out how the quasirandom munging works, for that one site.
Figuring out different quasirandom munging for a large number of sites, though -- which is what address harvesters would have to do -- would be about as big a task as figuring out how to pattern-match spam 100% of the time.
Especially if the munge kept mutatin
Re:Ten lines of Perl? (Score:2)
Never, never will 10 lines of Perl be enough (Score:5, Interesting)
Yes, trivial obscuring like user(at)example(dot)com with various special characters can be done in 10 lines. (Could be hard to get the last 3 lines filled with code.)
But what if the user does not use English language, but German? And what if (s)he does not mark the obscured characters? user klammeraffe example punkt com or with some funny synonyms user a im kringel example klecks com. Decoding this in 10 lines of Perl becomes harder, and it becomes harder with every new language. Decode this with 10 lines for English, German, French, Polish, Russian, Bantu, Spanish, ...
What happens if the user is really "evil" to spammers? Meine Mail-Adresse besteht aus dem Domainnamen meines Providers example unter der Top-Level-Domain fur kommerzielle Webseiten, dem wird mein Kundenpseudonym user und ein Klammeraffe vorangestellt. (I'm still hiding user@example.com - translation: My mail address is composed from the domain name of my provider example under the top level domain for commercial websites, prefixed with my client pseudonym user and an at sign.) Decode this and similar examples in 10 lines of Perl for 10 languages, while still being able to decode all trivial variants and all slashdot mail obscurations.
Getting more evil: Meine e-Mail ist catch-those-spammers@example.com [mailto] mit user vor dem Klammeraffen. Schicken Sie keine Mails an die falsche Adresse. (My email is catch-those-spammers@example.com with user in front of the at sign. Don't send mail to the wrong address.) Set up an account catch-those-spammers that marks and blocks all computers that test that account or send mail to it. Now decode this and all examples above and all slashdot obscuration and don't run into the trap, and do not use more than 10 lines (with 80 characters each) of Perl code.
I bet it can't be done in 10 lines with 80 characters each, using Perl 5 and no external modules.
With nearly no work it is possible to make automatic address collecting harder and thus more expensive. Spammers don't want to spend much money, they want to maximise their profit. So they will do at most only trivial decoding, if they can't collect enough unobscured mail addresses. This is why images containing the mail address won't be OCRed for a while. It simply costs too much. On the other hand, just guessing names for existing domains works pretty well and it is very cheap. I have an unpublished six-letter account at a big German mail provider, and it is permanently hit by spam. The generic (unused and unpublished) accounts (sales, info, mail, accounting, vertrieb) of my domain are also spammed very often. Guessing is cheaper than collecting addresses.
So while this is not a mathematical proof, you can see that non-trivial obscuration will help. See also What You Get When You Buy a Spam CD [slashdot.org].
Tux2000
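The trap account described in the comment above, as an added example that is not the poster's code: it scans mail-server log lines for delivery attempts to the decoy address and produces the list of client IPs to block. The log lines are constructed and only assume a `RCPT from host[ip]` field and a `to=<address>` field; the allow-list for your own relays and all function names are assumptions of this example.

```javascript
// Added example; log lines are constructed, not real traffic. Adjust the
// pattern to whatever your mail server actually writes.
const SAMPLE_LOG = [
  "Mar  3 10:15:01 mx smtpd[2101]: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 from=<a@bulk.example> to=<catch-those-spammers@example.com> proto=ESMTP",
  "Mar  3 10:15:09 mx smtpd[2101]: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 from=<b@bulk.example> to=<Catch-Those-Spammers@EXAMPLE.com> proto=ESMTP",
  "Mar  3 10:16:40 mx smtpd[2107]: reject: RCPT from mail.example.org[198.51.100.20]: 550 5.1.1 from=<c@example.org> to=<nobody@example.com> proto=ESMTP",
  "Mar  3 10:17:02 mx smtpd[2110]: reject: RCPT from relay.example.net[192.0.2.10]: 550 5.1.1 from=<d@bulk.example> to=<catch-those-spammers@example.com> proto=ESMTP",
  "Mar  3 10:18:30 mx smtpd[2113]: reject: RCPT from unknown[2001:db8::5]: 550 5.1.1 from=<e@bulk.example> to=<catch-those-spammers@example.com> proto=ESMTP",
  "Mar  3 10:19:00 mx smtpd[2113]: disconnect from unknown[2001:db8::5]",
];

// Captures the connecting client IP (v4 or v6) and the envelope recipient.
// \bto= cannot match inside "proto=" because there is no word boundary there.
const RCPT_LINE = /RCPT from \S*\[([0-9A-Fa-f.:]+)\].*\bto=<([^>]+)>/;

// Count delivery attempts to any trap address, per connecting IP.
// Addresses are compared case-insensitively (an assumption that holds for
// most mail systems). IPs on allowList, such as your own backup relay,
// are never counted, so a forwarded message cannot block your own hosts.
function trapHits(lines, trapAddresses, allowList = []) {
  const traps = new Set(trapAddresses.map((a) => a.toLowerCase()));
  const allowed = new Set(allowList);
  const hits = new Map();
  for (const line of lines) {
    const m = RCPT_LINE.exec(line);
    if (!m) continue; // not a recipient line
    const [, ip, rcpt] = m;
    if (!traps.has(rcpt.toLowerCase()) || allowed.has(ip)) continue;
    hits.set(ip, (hits.get(ip) || 0) + 1);
  }
  return hits;
}

// IPs with at least minHits attempts, sorted for stable output.
function blockList(hits, minHits = 1) {
  return [...hits]
    .filter(([, count]) => count >= minHits)
    .map(([ip]) => ip)
    .sort();
}

const hitsByIp = trapHits(
  SAMPLE_LOG,
  ["catch-those-spammers@example.com"],
  ["192.0.2.10"]
);
console.log(blockList(hitsByIp));
```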
Re:Never, never will 10 lines of Perl be enough (Score:2, Interesting)
Re:Never, never will 10 lines of Perl be enough (Score:2)
Yes, it does. You can even write a perl program with zero lines, if you do not count invoking the program as a line:
Real Operating Systems (those not from Redmond) allow command lines of 4 KBytes or even more, this is more than sufficient for most small tasks.
For even more useful examples, see Google search for "perl one-liners" [google.com]
Tux2000
Mac OSX + Mail.app (Score:2)
Re:Mac OSX + Mail.app (Score:2)
There was some discussion on
Re:Mac OSX + Mail.app (Score:2)
(That is, my primary address may be 'foo@bar.com', but I receive spam on 'baz@bat.com'. If I generate a bounce message from that spam, the bounce will include 'foo@bar.com' as my address.)
Luckily, SpamAssassin gets almost al
Re:Mac OSX + Mail.app (Score:2)
Also, when my business partner forwards email to me, it often marks it as Spam for some reason. Like sometimes he forwards info off of a web page that is advertising something he wants me to look at.
Spamgourmet (Score:2)
I don't even bother obscuring my address most of the time due to a handy free (as in beer and speech) little utility over at Spamgourmet.com [spamgourmet.com]. It allows you infinite disposable email addresses that forward to an address you specify.
How it works: When some site/etc is asking for your email address and you just *know* they're going to spam you, give them a spamgourmet address. -
identifier.#ofemailstoaccept.userhandle@spamgourmet.com
I.E.
slashdot.5.user@spamgourmet.net
Once you get five emails you wo
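The counted disposable addresses described in this comment and in the earlier spamgourmet comment, as an added example (not the service's code and not from either poster): it parses the `identifier.count.userhandle@domain` form and decides whether each message is forwarded or eaten. Fixing the count at first use and capping it at 20 are policies assumed for this example, and the domain `forwarder.example` and all names are constructed.

```javascript
// Added example; names, domain and policy values are hypothetical.

// identifier.count.userhandle@domain, as written in the comments above.
const DISPOSABLE = /^([a-z0-9_-]+)\.(\d{1,3})\.([a-z0-9_-]+)@([a-z0-9.-]+)$/i;

function parseDisposable(address) {
  const m = DISPOSABLE.exec(address.trim());
  if (!m) return null;
  return {
    identifier: m[1].toLowerCase(),
    limit: Number(m[2]),
    user: m[3].toLowerCase(),
    domain: m[4].toLowerCase(),
  };
}

class Forwarder {
  constructor(domain, users, maxLimit = 20) {
    this.domain = domain.toLowerCase();
    this.users = new Map(Object.entries(users)); // handle -> real inbox
    this.maxLimit = maxLimit;
    this.state = new Map(); // "identifier.user" -> counters
  }

  // Decide what happens to one message addressed to rcpt.
  deliver(rcpt, sender) {
    const p = parseDisposable(rcpt);
    if (!p || p.domain !== this.domain || !this.users.has(p.user)) {
      return { action: "reject" };
    }
    // State is keyed without the count, and the limit is taken from the
    // first message only. Otherwise a sender could rewrite
    // slashdot.4.user into slashdot.99.user and buy more deliveries.
    const key = `${p.identifier}.${p.user}`;
    if (!this.state.has(key)) {
      this.state.set(key, {
        limit: Math.min(p.limit, this.maxLimit),
        forwarded: 0,
        eaten: 0,
        senders: new Set(),
      });
    }
    const s = this.state.get(key);
    s.senders.add(sender.toLowerCase());
    if (s.forwarded < s.limit) {
      s.forwarded += 1;
      return { action: "forward", to: this.users.get(p.user) };
    }
    s.eaten += 1;
    return { action: "eat" };
  }

  // Identifiers that ran past their limit: the places the address was
  // given to are the candidates for having shared it.
  overLimit() {
    return [...this.state]
      .filter(([, s]) => s.eaten > 0)
      .map(([key, s]) => ({ key, eaten: s.eaten, senders: [...s.senders].sort() }));
  }
}

const fwd = new Forwarder("forwarder.example", { user: "inbox@home.example" });
for (let i = 0; i < 5; i++) {
  console.log(fwd.deliver("slashdot.4.user@forwarder.example", `s${i}@bulk.example`));
}
console.log(fwd.overLimit());
```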
10 lines of perl can pass the turing test? (Score:2, Insightful)
YAW.
Use subdomains if possible... (Score:4, Interesting)
Of course it's some work changing email addresses after expiration (I'm rotating most of them after three months), but it's less work than eating all their spam.
Re:Use subdomains if possible... (Score:2)
An AI-Complete obfuscation scheme (Score:2)
Re:An AI-Complete obfuscation scheme (Score:2, Interesting)
jeff@FUCKSPAM.hotmail.com
bNOoSPAMb@blah.SPAM.
etc etc.
Has it occurred to anyone that if you start using CAPITAL LETTERS to distinguish noise from signal then that's reasonably easy to filter out?
Eeh, good on you for making the effort, but you probably do want some viagra anyway, you're just shy. The best obfuscation is to use a suitably noised up image but that presents problems of its own...
It's the same as encrypting your WiFi, etc (Score:3, Interesting)
The CLUB (Score:2, Interesting)
In effect, the advantage of the CLUB (and of obfuscating your email) is that you are protecting yourself simply because someone else hasn't put in the effort that you have. As long as enough
Javascript seems to work. (Score:2)
Personal experience (Score:3, Interesting)
I knew the article was posted before I even checked
The second article I had posted, I obfuscated my address. Thus far no spambots have managed to hit me on that alias.
I'd say that the obfuscation definitely worked in this case. It wouldn't fool a spammer doing a visual search for victims, but it was enough to trick the bots.
I wonder though, if slashdot (being very anti-spam) is given special attention by spammers... or if it just goes along with being a highly popular website and thus a good place to harvest addresses.
Simple and effective obfuscation (Score:3, Informative)
Email address of John Doe
I am: (x) a robot; ( ) a human [GET EMAIL ADDRESS]
on a website. (Answering wrong will give you 1000 nonexisting email addresses :-) ) If you suspect that the spammer might want to invest some time in writing a script that harvests all 20000 employees from your website, then make it a Kaptcha (type the digits in the image into the box).
Spambots are stupid. I've seen a few of them visit a website that I maintain and they do not even parse basic HTML such as the BASE tag (which the parser needs to derive relative URLs), or the presence of & in URLs (HTML does officially not allow bare & symbols).
They ARE trying (badly) to deobfuscate addresses (Score:2)
some_removethis_body@example.com
wrongly deobfuscated to
some__body@example.com
Do spammers care if it is a valid address? (Score:2)
They say they will "send your message to 10 million gazillion users" but do they really care that a lot of the addresses they send to are dead, abandoned or obfuscated?
No, they just have a bunch of addresses, and as long as it is in the form of foo@bar.com they don't care if it bounces back, it is still valid enough for their customers.
Remember, it is spammers that we are talking about here. [pennypacker.org]
Re:Here's what I do (Score:2)
Re:Here's what I do (Score:2)
When I come across people who obfuscate their email addresses on purpose, I deobfuscate them and enter their email addresses in spammer's "opt out" pages, just to prove it doesn't work.
Re:What about... (Score:2)
Re:What about... (Score:2)
At last count, there were 743,601 users on Slashdot. 20% of that is around 168,720 emails. Now, all of these people are geeks, tech-minded, probably have above average earning potential and are much more likely to shell out for technology related items. And if the stereotype were true, they also love reading pr0n and could probably could stand
Re:mailto? (Score:2)