Phil Ringnalda does some tests to see if spammers are smart enough to grab email addresses that have been escaped as numeric character references. I was surprised to find that spammers weren't going this little extra mile.

Spammers are lazy<

Last July, wanting to prove that simplistic protection of email links by just escaping them as numeric character references (a@b.com to produce a@b.com) was a lousy idea — and how could it not be? even without any economic incentive, it wouldn't take me long to write the code needed to harvest them just fine — I put an encoded SpamMotel address in my sidebar, along with a fresh address in the unprotected part of my accessibly spamproofed address. I figured it wouldn't take long before the encoded address was getting just as spammed as the other.

This morning, when I got my third actual email through the encoded one (I guess the "Harvester Test" headline wasn't quite clear enough), I finally remembered to turn it off and take it out. The final tally, for the encoded address: 46 spams, 3 actual emails; for the unencoded address: 2632 spams. Apparently, if you don't have time to really harden an address, it's worth taking the time to at least convert it to NCRs. Lazy spammers. [via phil ringnalda dot com]

I've argued for ages that just escaping email addresses like this was an example of security through obscurity. Of course I'm sure spammers everywhere will now be looking to change this.