Comments on:

By: tekkie

tekkie — Tue, 16 Sep 2008 22:22:14 +0000

HTML entities are surely not the best available option to obfuscate as you can all also confirm from this chart. Mac OS X Dashboard widget called obfuscatr provides JavaScript encoding, which is much more safe than the one described above. The other possible option is just plain hexadecimal encoding of your email addy, similarly to above. So 2 alternatives available from obfuscatr. See the details at flash tekkie. obfuscatr was also featured in MacWorld Italy of March 2008.

By: Jonas Rabbe

Jonas Rabbe — Thu, 31 Mar 2005 20:53:44 +0000

After Stu came up with the ultra-cool email address obfuscation method through CSS

Just wanted to say that the CSS email obfuscation doesn't work in Safari (v. 1.2.4)

By: Joen

Joen — Thu, 31 Mar 2005 06:57:35 +0000

I have seen it, Mathias, it’s very nice. Good addition.

By: Mathias Bynens

Mathias Bynens — Wed, 30 Mar 2005 20:56:01 +0000

After Stu came up with the ultra-cool email address obfuscation method through CSS, I quickly wrote the obfuscate_email() PHP function. And today, I uploaded my very own email obfuscator. As if there weren't enough already, I know.

By: Jonas Rabbe

Jonas Rabbe — Tue, 08 Mar 2005 07:16:48 +0000

Just thought I'd pitch in another side to the story. Phil Ringnalda did an unscientific test of using HTML encoding vs. plain text email, and the suprising conclusion is that spammers are lazy . To extent on his conclusion, however, he did receive some spam on the HTML encoded address. This means he would start getting a lot more spam once his address has been sold and bought. My original points still hold, but I guess we can conclude that using HTML encoded or Javascript obfuscated addresses is safer than simple plain text mailto links.

By: Jonas Rabbe

Jonas Rabbe — Fri, 04 Feb 2005 23:51:34 +0000

It’s just such a hassle to spam someone using their contact form…

By: Joen

Joen — Fri, 04 Feb 2005 23:14:39 +0000

Oh you would too … using my contact form !

By: Jonas Rabbe

Jonas Rabbe — Fri, 04 Feb 2005 23:05:18 +0000

Good thing I got your email before you did that, otherwise I wouldn’t be able to spam you…

By: Joen

Joen — Fri, 04 Feb 2005 22:37:32 +0000

Thanks, Jonas, for adding these links and these comments. As a direct consequence, I have removed my JS "protected" email script from my colophon. Now only the PHP contact form remains.

By: Jonas Rabbe

Jonas Rabbe — Fri, 04 Feb 2005 21:58:49 +0000

Encoding your email address is security through obscurity which is, if not problematic, at least controversial. The wiki entry for security through obscurity likens it to hiding a spare key under your doormat. In theory anyone can enter your house using the spare key, but you rely on the hiding place being secret. Encoding your email address as HTML entities is very much the same. Just as the doormat is one of the first places a burglar would look, HTML entities are easily recognized and converted to reveal the email address. The same is in fact the case for javascript functions. Any javascript interpreter will be able to interpret the javascript and reveal the email address. Additionally, javascript functions and HTML entities are becoming quite wide spread solutions. As more and more people use these two methods of protecting their addresses the spammers will, and already have, account for them in their tools. The only way of attaining security through obscurity is to make it really obscure. Find your own way of hiding your address and don't share it with anyone. If you are the only person hiding your address in one specific fashion, a spammer has less to gain by specifying that obfuscation in his tool as he would only obtain one more address. Additional resources:

Matt Pritchard ? How to hurt the hackers (look at rule # 5 and the preceding text)

Bruce Perens ? Slashdot |?Feature : Security Through Obscurity