
March 09, 2005

Lazy Spammers

Phil Ringnalda does some tests to see if spammers are smart enough to grab email addresses that have been escaped as numeric character references. I was surprised to find that spammers weren't going this little extra mile.

Spammers are lazy

Last July, wanting to prove that simplistic protection of email links by just escaping them as numeric character references (&#097;&#064;&#098;&#046;&#099;&#111;&#109; to produce a@b.com) was a lousy idea — and how could it not be? even without any economic incentive, it wouldn't take me long to write the code needed to harvest them just fine — I put an encoded SpamMotel address in my sidebar, along with a fresh address in the unprotected part of my accessibly spamproofed address. I figured it wouldn't take long before the encoded address was getting just as spammed as the other.

This morning, when I got my third actual email through the encoded one (I guess the "Harvester Test" headline wasn't quite clear enough), I finally remembered to turn it off and take it out. The final tally, for the encoded address: 46 spams, 3 actual emails; for the unencoded address: 2632 spams. Apparently, if you don't have time to really harden an address, it's worth taking the time to at least convert it to NCRs. Lazy spammers. [via phil ringnalda dot com]

I've argued for ages that just escaping email addresses like this was an example of security through obscurity. Of course I'm sure spammers everywhere will now be looking to change this.

Posted by snooze at March 9, 2005 08:18 AM
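
The escaping described above is undone by one standard entity-decoding pass, which is why it counts as obscurity rather than protection. The following is an added example, not code from this post or from Phil Ringnalda's: a self-audit that reports which addresses in your own markup are plain and which are hidden only by NCRs. The regex, function names and sample page are assumptions made for illustration.

```python
import html
import re

# Simplified address pattern for auditing; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def to_ncr(address: str) -> str:
    """Escape every character as a zero-padded decimal NCR, as in the post."""
    return "".join(f"&#{ord(ch):03d};" for ch in address)


def audit_page(markup: str) -> dict:
    """Classify addresses in markup by how much work a reader must do.

    'plain'    : visible to a regex over the raw markup.
    'ncr_only' : absent from the raw markup, visible after one standard
                 entity-decoding pass (which every browser performs anyway).
    """
    plain = set(EMAIL_RE.findall(markup))
    decoded = set(EMAIL_RE.findall(html.unescape(markup)))
    return {"plain": sorted(plain), "ncr_only": sorted(decoded - plain)}


# Constructed sample page; both addresses are placeholders.
SAMPLE = (
    '<p>Contact: <a href="mailto:' + to_ncr("a@b.com") + '">'
    + to_ncr("a@b.com") + "</a></p>\n"
    "<p>Sales: sales@example.com</p>\n"
)

if __name__ == "__main__":
    print(to_ncr("a@b.com"))
    print(audit_page(SAMPLE))
```

Anything listed under `ncr_only` is protected only by the laziness the tally above measured, not by any property of the encoding.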

