Lazy Spammers

Phil Ringnalda does some tests to see if spammers are smart enough to grab email addresses that have been escaped as numeric character references. I was surprised to find that spammers weren't going this little extra mile.

Spammers are lazy

Last July, wanting to prove that simplistic protection of email links by just escaping them as numeric character references (&#097;&#064;&#098;&#046;&#099;&#111;&#109; to produce a@b.com) was a lousy idea — and how could it not be? even without any economic incentive, it wouldn't take me long to write the code needed to harvest them just fine — I put an encoded SpamMotel address in my sidebar, along with a fresh address in the unprotected part of my accessibly spamproofed address. I figured it wouldn't take long before the encoded address was getting just as spammed as the other.

This morning, when I got my third actual email through the encoded one (I guess the "Harvester Test" headline wasn't quite clear enough), I finally remembered to turn it off and take it out. The final tally, for the encoded address: 46 spams, 3 actual emails; for the unencoded address: 2632 spams. Apparently, if you don't have time to really harden an address, it's worth taking the time to at least convert it to NCRs. Lazy spammers. [via phil ringnalda dot com]

I've argued for ages that just escaping email addresses like this was an example of security through obscurity. Of course I'm sure spammers everywhere will now be looking to change this.
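To check how much protection the escaping really gives on your own pages, the sketch below (an added example, not code from Phil's post or this blog) encodes an address the same way and then audits a page's source for addresses that are readable as-is versus those that only appear after standard entity decoding. The function names `to_ncr` and `audit` and the `example.com` addresses are made up for illustration.

```python
import html
import re

# Deliberately simple address pattern; good enough for auditing your own pages.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def to_ncr(address: str) -> str:
    """Escape every character as a zero-padded decimal NCR, as in the post."""
    return "".join(f"&#{ord(ch):03d};" for ch in address)


def audit(page_source: str) -> dict:
    """Classify addresses in a page by how they are exposed in the source.

    "plain"    -> visible to a bare pattern match on the raw source
    "ncr_only" -> visible only after the entity decoding every browser does
    """
    plain = set(EMAIL_RE.findall(page_source))
    decoded = set(EMAIL_RE.findall(html.unescape(page_source)))
    return {"plain": sorted(plain), "ncr_only": sorted(decoded - plain)}


# Constructed sample page: one unprotected address, one NCR-escaped address.
SAMPLE_PAGE = (
    '<p>Contact: <a href="mailto:open@example.com">open@example.com</a></p>\n'
    f'<p>Encoded: {to_ncr("hidden@example.com")}</p>\n'
)

if __name__ == "__main__":
    print(to_ncr("a@b.com"))
    print(audit(SAMPLE_PAGE))
```

Anything reported under `ncr_only` is protected by nothing more than one standard-library call, which is why the escaping counts as obscurity rather than hardening.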


About this Entry

This page contains a single entry by Gregory published on March 9, 2005 8:18 AM.
