Phil Ringnalda does some tests to see if spammers are smart enough to grab email addresses that have been escaped as numeric character references. I was surprised to find that spammers weren't going this little extra mile.
Last July, wanting to prove that simplistic protection of email links by just escaping them as numeric character references (firstname.lastname@example.org produce email@example.com) was a lousy idea — and how could it not be? even without any economic incentive, it wouldn't take me long to write the code needed to harvest them just fine — I put an encoded SpamMotel address in my sidebar, along with a fresh address in the unprotected part of my accessibly spamproofed address. I figured it wouldn't take long before the encoded address was getting just as spammed as the other.
This morning, when I got my third actual email through the encoded one (I guess the "Harvester Test" headline wasn't quite clear enough), I finally remembered to turn it off and take it out. The final tally, for the encoded address: 46 spams, 3 actual emails; for the unencoded address: 2632 spams. Apparently, if you don't have time to really harden an address, it's worth taking the time to at least convert it to NCRs. Lazy spammers. [via phil ringnalda dot com]
I've argued for ages that just escaping email addresses like this is security through obscurity. Of course, I'm sure spammers everywhere will now be looking to change this.
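To show concretely what that obscurity amounts to, here is an added example (my own code, not from either post) that builds a sidebar-style mailto link with every character escaped as a numeric character reference, then recovers the address with nothing more than the standard library's HTML unescaper. The address and function names are constructed for illustration.

```python
import html


def ncr_escape(address: str, hex_form: bool = False) -> str:
    """Encode every character of `address` as a numeric character reference.

    This is the 'simplistic protection' the post discusses: the page source
    shows only &#...; entities, but any HTML-aware parser restores the text.
    Decimal (&#64;) and hexadecimal (&#x40;) forms are both valid HTML.
    """
    if hex_form:
        return "".join(f"&#x{ord(c):x};" for c in address)
    return "".join(f"&#{ord(c)};" for c in address)


def mailto_link(address: str) -> str:
    """Build a mailto link with both the href and the visible text escaped."""
    enc = ncr_escape(address)
    return f'<a href="mailto:{enc}">{enc}</a>'


def ncr_unescape(fragment: str) -> str:
    """Undo the escaping with one standard-library call; no custom decoder
    is needed, which is why this is obscurity rather than protection."""
    return html.unescape(fragment)


# Constructed example address; not an address from the original post.
ADDRESS = "harvester-test@example.com"

if __name__ == "__main__":
    link = mailto_link(ADDRESS)
    print(link)              # what a browser's "view source" shows
    print(ncr_unescape(link))  # what any HTML parser sees
```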