I’ve always assumed that obfuscating email addresses on web pages was an exercise in futility. Something like HiveLogic’s Enkoder is probably quite effective, but simple things like replacing each character with its equivalent HTML entity (e.g. e for e) can’t possibly be. I figure we have to give some credit to the spambot writers: they can’t fall for trivial deceptions like that forever, and no doubt some caught on years ago.

A recent study demonstrates otherwise. They set up hundreds of email addresses, each used for a single purpose, and tracked the received mail over a six month period. As expected, addresses made available on public web sites received the most spam. What very much surprises me is that email addresses obfuscated either using HTML entity or human-readable equivalents (e.g. “username at domain dot com”) received no spam.

This is bound to change, but it still catches me off guard. Of course, in the situation I face at work (dozens of people maintaining web sites over which I have no control, no chance of using either of these techniques consistently), it really doesn’t matter. I figure I could either filter email addresses on all outgoing pages, which isn’t worth the overhead, or write something that periodically spiders the site and “fixes” pages. Neither option is really worth the trouble. What I can do is try to prevent spambots from hitting our sites in the first place. Lotsa fun to be had there.

Hey Matt, if you’re reading: how about this for a discussion at April’s meeting?