Contact details: [any mailbox] [at] [the domain name of this web site]. Please don’t ask me to give interviews, sign books, appear on podcasts, attend conferences or conventions, or provide feedback or endorsements for works of fiction, scientific theories, or slabs of text disgorged by chatbots.
I have no idea how to decipher this obfuscation.
0x3f•Apr 2, 2026
What's difficult about it? You know the domain, gregegan.net. You know the @ symbol, presumably. Then put literally any valid text before the @.
0xEF•Apr 2, 2026
Completely unrelated to the conversation, but our user names are remarkably similar.
ghywertelling•Apr 2, 2026
Is that even possible? Shouldn't the recipient email id need to be created first to be addressable?
cyberlimerence•Apr 2, 2026
Of course, the technical term for that setup is 'catch all', you can set this up with your email provider. You can send your email to "ghywertelling@gregegan.net", for example.
layer8•Apr 2, 2026
Yes, people using “email” for “email address” in contexts where it could also mean “email message”, which “email” more frequently means, is really annoying.
newscracker•Apr 2, 2026
> HTML entities are often decoded automatically by server-side libraries, which means that even the most basic harvesters can get your email addresses without any special effort. This technique should be worthless—and, yet, it still stops most harvesters.
Anecdotal, but I’ve used HTML entities on a public static website for a long time using an href tag with mailto, and yet I’ve not seen any spam.
I guess any spammer who uses some level of GenAI to process and extract email addresses would have a lot more success against all the methods listed in this article.
ciroduran•Apr 2, 2026
I wouldn't think it's very cost effective to apply GenAI to extract email addresses
layer8•Apr 2, 2026
Same. I have a normal mailto link on a Google-indexed page (a top hit with the right search terms) with a dedicated email address for over a decade, and rarely ever received spam for it. This is after DNSBL filtering.
_ache_•Apr 2, 2026
I'm sorry, but that is not how email address are spammed in bulk.
The data-source are the enormous data breach that are more and more frequent.
There is more intensive to collect more information on someone you already know something about than spamming an email you don't even know if it's a valid one.
The spam can also be very more effective as it present itself with personal information about the spammed.
curiousObject•Apr 2, 2026
The OP put those addresses on that web page, and only on that web page. Some addresses received spam.
Edit: that’s not to deny that big data leaks are a serious problem
_ache_•Apr 2, 2026
I'm not denying that it happens.
I'm saying that it not the classical way to spam people nowadays.
It's obvious to any non native english speaker, when you have a spam in english, it is because they toke the email from the web. When it's in you native language, it's usually from a data breach.
I'm vastly more spammed by the later. I can confirm it with unique email addresses of the "+" form (but not with the + character).
Also when I'm spammed in english, it's for Web3 crypto stuff and from a data breach it's a phishing attempt.
notpushkin•Apr 2, 2026
I’ve run a small thingy last year, on its own domain, with a (project-specific) email in plaintext on the homepage. I’ve got a fair bit of spam to that address.
But yeah, I’d say most junk mail is coming to (1) an address leaked from one Russian bank (!) I used, (2) the address listed in public business databases (I have a company in Estonia).
0x3f•Apr 2, 2026
If you're only passing the address in private to some service, you can just use [some-string-unique-to-that-service]@yourdomain.com. Or, more classically, plus addressing to do the same. Then you just block that recipient.
That solution doesn't apply to the use case in the article.
GCUMstlyHarmls•Apr 2, 2026
Surely spammers just turn `me+leaked/sold@mail.com` into `me@mail.com` as well as `me+apple@mail.com`, `me+softbank@mail.com` etc. The cost of stripping any `+postfix` must be about zero even at volume.
0x3f•Apr 2, 2026
Some people block all mail to non-plus-addressed emails on that inbox, so a plus address is required to be received at all. You could say then spammers will just add a random one, but they wouldn't be getting bounces and would have to guess as much. Still, even stripping the +'ed part is beyond what most of them even bother to do. That dropoff plus normal spam filters works well enough.
gfody•Apr 2, 2026
I filter everything that does NOT include “+asdf” in the to:
dandersch•Apr 2, 2026
Very interesting. It seems for his own email the author has opted for a combination of the CSS display none technique and a XOR cipher:
I noticed that, too. Technically I think this is a version of JS conversion. Interesting that he doesn't specifically mention XOR in the article. He does suggest combining methods though. I suspect this is effective.
fmajid•Apr 2, 2026
I use SVG where I created a text object in Affinity Designer and converted it to curves so the SVG doesn't have text any more, just vectors for the glyphs of it. Seems to work pretty well at keeping spammers at bay.
szszrk•Apr 2, 2026
It also keeps visually impaired people at bay.
hosteur•Apr 2, 2026
But now users cannot copy the email nor can they click it to email you?
ciroduran•Apr 2, 2026
I stopped being concerned about email harvesting years ago, I just simply leave the email on my website. Spam handling is okay enough, I guess.
But I like this review of techniques, even the simplest ones are very effective, that surprised me.
Yaggo•Apr 2, 2026
Same here, the address will eventually leak some way anyway.
I never got SpamAssassin working very well, but since moving my email hosting to Apple (from my own server), spam has not been a problem.
blitzar•Apr 2, 2026
I swear my apple hosted mail spam filter works in reverse. The inbox is full of spam and the legitimate messages (including apple billing notifications) in the spam folder.
GeoSys•Apr 2, 2026
I agree that email addresses get leaked eventually.
However, LLMs are quite good at generating spam and I think soon will evade most filters.
Gigachad•Apr 2, 2026
I doubt it. Most of the signals spam filters use these days are reputation based. You have to build up your domain and IP reputation for a long time first.
embedding-shape•Apr 2, 2026
> You have to build up your domain and IP reputation for a long time first.
Or buy/rent domains/IPs that have good reputations, as there are services that specializes in just bringing up the reputation for stuff so they can sell it once "good". Same exists for user accounts for various platforms like reddit and so on.
Gigachad•Apr 2, 2026
Sure, you'd burn that reputation extremely fast as Google detects your sending patterns change and the first few users start reporting as spam.
embedding-shape•Apr 2, 2026
> you'd burn that reputation extremely fast
Yes, that is indeed the point of those; "build up reputation -> sell/rent -> someone uses it to burn reputation -> rinse and repeat".
BorisMelnik•Apr 2, 2026
you know what's funny is that llms are also good at detecting spam as they are generating it. I've got an automation that scores incoming emails and it's getting better and better each day (also more expensive haha)
SV_BubbleTime•Apr 2, 2026
I can’t explain it well, but I think there is an asymmetric issue here… that the ability for an LLM to write a plausible email, and the ability for an LLM to detect that it’s spam are mismatched.
If an LLM and make a plausible email, the best another LLM can do is to rank it as plausible. Blackbox creation and detection have to be on the same level.
Perhaps if you said the detection LLM had all your context and websearch. That it could know that a Penny Pollytree at Coco Co isn’t a real person, but… that just seems like burning a ton of coal to detect fraud where the creation LLM was able to easily come up with the fictitious spam cheaply.
The real story here is this will go beyond email verification. That every system we have is going to need to up its security. Paper birth certificates and social security cards and email addresses and all manner of identity is going to need new systems of auth. The challenge will be to prevent authoritarian centralization.
e40•Apr 2, 2026
I’m up to more than 1,500 spam emails a month, with my email on the corp website.
jrmg•Apr 2, 2026
I’ve had my email address in a `mailto:` link in plaintext on my then-web-site, now-blog, since the early 2000s, and spam is no real problem. There are a few spam messages in my spam mailbox per day.
Perhaps my provider’s just great at filtering spam - but I kind of doubt it’s better than the major players (for years I’ve used Zoho for email - and it’s ‘okay’ enough that it’s not worth switching).
unilynx•Apr 2, 2026
> But I like this review of techniques, even the simplest ones are very effective, that surprised me.
because harvesters don't care until one technique gets massive use. if you come up with a unique but simple enough scheme for your sites and keep a few dozen email addresses out of their reach.. they've still gathered a million addresses. it's not really worth their effort to get the last 0.0001% of extra email addresses
so it's best to just not advertise your solution and make sure it doesn't get n
any outside traction - if it gets popular the harvesters will defeat it
jmaw•Apr 2, 2026
The author of the article mentioned that they are using it as a honeypot to detect when bots (or rather authors of the bots) implement a work-around for the obfuscation technique. Which is pretty smart!
kevincox•Apr 2, 2026
I've also been like this. But if as the article suggests trivial options like HTML entities or elements with display:none will keep my email out of >90% of harvesters I'm reconsidering as they seem to have no downside other than an extra couple of bytes on the wire.
jwr•Apr 2, 2026
This is such a waste of effort. Your E-mail address is not and can't be a secret. It will get into spammer databases eventually, no matter what you do. You will spend a lot of effort doing all these fancy tricks, and eventually you will get spam anyway.
Also, a note to those who make fancy "me+someservice@somedomain.com" addresses: make really sure you are in control and these work. Some services (including mine) will need to E-mail you one day, for example to tell you that your account will be deleted because of inactivity. If you don't receive that E-mail because of your fancy spam defenses, your account will be deleted. I've seen people hurt themselves like this and it makes me sad.
On a constructive note: what works very well is spam filtering using LLMs. We have AI to help us with this problem today. I wrote an LLM despammer tool which processes my inbox via IMAP using a local LLM (for privacy reasons). I see >97% accuracy in my benchmarks on my (very difficult) testing corpus. It's nearly perfect in real life usage. I've tested many local models in the 4-32B range and the top practical choice is gpt-oss:20b (GGUF, I run it from LM Studio, MLX quantizations are worse) — not only does it perform very well, but it's also really fast.
dandersch•Apr 2, 2026
The techniques in the article right now have had around 95%-100% success at avoiding spam and take about 5 min. to implement. Your approach of putting an LLM in front of your inbox gives 97% accuracy, may have false positives (so you may not receive that account deletion email after all), requires to run inference and, I assume, would take at least an hour to setup.
Also, the two can be complementary, anyways, so I am not sure what your point is.
0x3f•Apr 2, 2026
Plus-addressing is built in to most email services. There's no 'fancy' set up to break; it just works. That is, there's no way me@gmail.com works but me+someservice@gmail.com doesn't, unless you explicitly configure it not to work. Similarly for custom domains on most services.
If you use a catch-all on a domain, i.e. someservice@somedomain.com, I guess in theory that might break. But it seems about as likely as messing up the overall domain setup.
Also, my account on your service is likely much more disposable to me than my email address/domain. Anything I care about, I'd back up. Not just assume some random website is going to preserve it for me forever.
mmsc•Apr 2, 2026
> Also, a note to those who make fancy "me+someservice@somedomain.com" addresses:
Just wait until one of these companies demands an email from the registered email address of your account!
Croak•Apr 2, 2026
My email provider allows me to send from + email addresses, just change the from header.
hrmtst93837•Apr 2, 2026
Plus tags annoy signup forms more than they slow spam crawlers. If you're spending this much effort on obfuscation, run a sane mail filter and save the weird tricks for the sites that insist on emailing you later, because some apps treats a plus alias as invalid and then you get to debug their broken account recovery.
siruwastaken•Apr 2, 2026
I'm surprised that html entity supstitution performs so well. I would have assumed that scrappers could at least speak proper html.
sureglymop•Apr 2, 2026
What I often see is js that fetches the email from the server separately and inserts it.
badsectoracula•Apr 2, 2026
Some time ago i was wondering if the common "me at foobar dot com" you still see a lot of people do actually helps at all, especially now with LLMs, so i searched for some common "obfuscation" techniques and found this site (not the 2026 update, but the previous - it was a few months ago). Then i wrote a simple LLM query with a bunch of examples from the site[0] (the tool is just a frontend for a commandline program that uses llama.cpp and Mistral Small 3.1 in Q4_K_M quantization since it loads relatively fast and is fine for simple prompts). AFAICT it could reveal anything that wasn't relying on CSS tricks or JavaScript.
Like others mentioned, though, personally i haven't bothered by email harvesting for years now since spam filters seem to do a decent job. I have my email posted in plaintext here (which i bet is harvested very often) and in various other places and the occasional spam i get is eclipsed from "spam" from services i've actually signed up for (coughlinkedincough).
IMO a better approach would be individualized addresses.
Imagine someone visiting your blog who wants to e-mail you can burn some CPU cycles to "earn" an address that hasn't been given out to anybody else, e.g. user+TOKEN@example.com, where it is algorithmically-unlikely for them to be able to guess a different TOKEN that will work. Then if abuse occurs, you can just retire that one address. (In a non-interactive context, like a paper ad, you could just generate one yourself.)
Naturally, this would be best with an e-mail client that is aware of the scheme, and with a mail-service that has some API for generating new addresses, such as if you want to cold e-mail somebody and use a new from/return address.
Some years ago I had the fanciful idea of doing it with a phone-app, where it manages creating new addresses as-needed, disabling them, and keeping notes about who you gave them to.
terrabitz•Apr 2, 2026
Sounds like a similar approach to this service: https://addy.io/
I use it all the time in conjunction with Bitwarden to generate unique emails per site. You can have notes in each email, and they show up in a small banner on in the forwarded email. And each one is individually disable-able, so you can easily cut it off if you see spam from it.
I was really interested in this space and made my own homegrown tool for this. I used it for a while until I discovered Addy and switched over. IIRC there are similar services by Mozilla, Apple, and Proton.
Macha•Apr 2, 2026
I would expect that a llm based scraper is going to be better at parsing an email address from your instructions than some of the more inattentive people who's emails you might want to receive. So I think some of the dumber mitigation measures that still block the simple regex bots from this topic are probably a better bet now.
binaryturtle•Apr 2, 2026
When I wrote my own brainf*ck interpreter (in C) at the start of the year I was really struggling to find a use for the language. Eventually I had the idea to obfuscate emails on my websites with the language.
Basically each email gets written as a brainf*ck program and stored in a "data-" attribute. The html only includes a more primitively obfuscated statement "Must enable Javascript to see e-mail." by default which then gets replaced by another brainf*ck interpreter (in JS) with the output of the brainf*ck code. Since we only output ASCII we can reduce the size of the brainf*ck code by always adding 32 to each value it outputs. The Javascript is loaded from what seemingly looks like a 3rd party domain. There we filter basing on heuristics and check if the "referer" matches before sending out the actual interpreter code.
Of course all this would not help if a scraper properly runs things through Javascript too.
Recently I read you soon will be able to run DOOM via CSS, so certainly it should be possible to have a brainf*ck interpreter in CSS? That would be the next step… just to get rid of the Javascript, but then I'm okay with all the downsides of using Javascript just for the e-mail obfuscation.
Anyway… I also regularly (at least once a year) rotate those public contact addresses.
Borealid•Apr 2, 2026
How does this approach meaningfully differ from having javascript that XORs the email with a random sequence of bytes stored in that JS?
binaryturtle•Apr 2, 2026
It's more fun? :)
/edit
And you can combine both approaches: XOR'ing the code first for good measurements. :)
robotswantdata•Apr 2, 2026
How does that work if the scraper takes a screenshot to feed to a LLM or OCR?
yummypaint•Apr 2, 2026
That seems like a very expensive way to crawl the internet
robotswantdata•Apr 2, 2026
Scrape normally collect emails, if no email seen take screenshot and OCR
OCR is cheap and REGEX is cheap
Croak•Apr 2, 2026
One trick is having an tarpit email adress on your website. It is hidden using CSS so no real visitor sees it but it is visible in source. If your mail server recieves mail for that adress you can just block that IP for 24h.
MichaelApproved•Apr 2, 2026
This sounds like bad advice and would result in blocking google and other major ESPs.
I occasionally get spam from people who took the time to create gmail accounts. Based on this advice, the honey pot email address would get spam from a Gmail account and your script would block Gmail servers.
notpushkin•Apr 2, 2026
Yeah, I mean, you can personally vet those domains/IPs?
Croak•Apr 2, 2026
There exist lists of email providers. Those you can whitelist, ie. they can't get on the blacklist. Even then they would only be blocked temporarily. There also exists postmaster@domain.com which should not filter at all.
I am aware that you are able to abuse said system but if you monitor logs those issues would only be temporary.
WTH, a 302 into a "mailto:" (search for "HTTP redirect" in the featured article) opens up my e-mail client without clicking a mailto link!? This seems wrong.
layer8•Apr 2, 2026
Some browsers ask whether to open the email client in that case. I don’t see it as significantly different from a redirected download link that would open a program based on the mime type or file ending. Or from a redirect to another URL pattern associated with an app, like for example how YouTube links may open in the YouTube app.
Bender•Apr 2, 2026
They left off html cgi form. Generate the email on the web page and the server sends the email after performing some basic sanity checks and anti-spam on the form and web server itself such as solving some CSS puzzle or winning a game of DOOM.
tgv•Apr 2, 2026
I use a very simple encryption plus some padding (fluff in the article), but the email address gets updated by JS. This requires JS plus evaluating the resulting DOM. If you don't evaluate JS, the address will be something like "please@activate.javascript". Or you could use "potus@whitehouse.gov", in which case clueless scrapers end up spamming the US government.
kqr•Apr 2, 2026
I have a hypothesis email scrapers don't parse HTML at all. I suspect they search the raw bytestring for @ characters and take whatever's on either side of it. That probably gets them as many addresses as they can realistically use at a fraction of the cost, given how expensive HTML parsing can be.
(Similarly, I'm sure most links can be found by searching the bytestring for "href" and taking what's to the right of it.)
This would explain why HTML entities are so effective.
On the other hand, surely the TLS handshake is far more expensive than HTML parsing? Maybe it's to avoid parser failure modes that consume a lot of resources?
j45•Apr 2, 2026
Token based extraction around the @ is definitely one way that can work with a few tweaks.
BorisMelnik•Apr 2, 2026
it really varies, you are correct most modern ones search the byte string for @ characters but there are probably hundreds of different methods out there in black hat marketing circles to scrape emails.
mcmcmc•Apr 2, 2026
Haven’t heard “black hat marketing” before but that’s very fitting for a lot of the “growth hackers” out there
curiousObject•Apr 2, 2026
I believe you’re right. But sometimes, you really have to think about how mad your adversary is.
A dog will keep biting long after that is a disastrous plan.
Someone•Apr 2, 2026
> This would explain why HTML entities are so effective.
Could also be that they learned that sending spam to obfuscated addresses doesn’t gets much response. Such messages might get filtered out more and/or addressees might be less inclined to reply to it.
sumanep•Apr 2, 2026
Use a form
VladVladikoff•Apr 2, 2026
This is a great list on how to make an email harvester even better.
leonidasv•Apr 2, 2026
Yes and no, some techniques are still expensive for bots that aim to extract millions of addresses per day (like running JS and CSS, rendering SVG, etc).
simojo•Apr 2, 2026
GitHub has a spot to display your email on your profile; is this obfuscated as well? Most of my current spam is from putting my email on there..
IshKebab•Apr 2, 2026
Your email is still available from the actual commits presumably.
nabbed•Apr 2, 2026
It's odd. My email address is included un-obfuscated in ~90 commits to a popular open source repo on github. I also use this same email address for a mailing list associated with this OSS project. As far as I can tell, I've never received a single spam email in the 8 years I've had this email account.
When I view a commit on the github UI using view source, I can see the commit author's email address just as text with no special handling. It's bracketed by "<" and ">", so maybe that's enough to confuse harvesters.
I just looked at the spam folder of one my personal accounts (where I sign up for services), and it has got tons of stuff, most recently 2 or 3 with the subject "YOU PERVERT! I RECORDED YOU!".
It seems spammers are doing less harvesting and more purchasing of email lists from service vendors.
Macha•Apr 2, 2026
I have a wildcard address at my domain. The most common email addresses for spam are:
- git@mydomain.com
Presumably harvested from GitHub or gitlab
- contact@mydomain.com / admin@mydomain.com
Not actually an email address ever used, presumably people just guessing these exist from convention.
- <first name>@mydomain.com
I mean, if you know my name you can probably guess this but also this has been my primary email address for outbound email and so has ended up in marketing lists etc.
- ap@mydomain.com, finance@mydomain.com
This is a very recent trend but I've been getting emails to made up addresses like these ones quoting forged emails from myself (with various titles like CEO or CFO attached) claiming to authorize payments to other parties, usually backdated, and then asking that I process their invoice ASAP because look how long ago the CEO said it should be paid. I guess my website has ended up in some list of businesses despite being a personal site.
Ironically, the address that was in plain text in my HN profile for like 15 years gets very minimal spam.
vlucas•Apr 2, 2026
I recently noticed an uptick in cold emails and spam after publishing my new website. After a few weeks, I asked Claude/Cursor to obfuscate the email for spam protection in the mailto: link, and thy both used JavaScript with data attributes.
And then some light vanilla JS to stitch it together. Works in the browser, and spam has dropped off a cliff since.
ProllyInfamous•Apr 2, 2026
Really surprised this [very well-written] article didn't suggest the fantastic technique of owning an entire domain (although author's own examples obviously include unique handles@ for each tested practice).
Then you can hand each recipient an absolutely unique email which isn't just ole "name.morewords@" period trick — block those which receive SPAM.
----
OR: the even "easier" lifestyle of just not using email (like me). Obviously this is difficult for modern living, but that's what temp email is best for [i.e. circumventing ubiquitous `REQUIRED` email address fields].
nzealand•Apr 2, 2026
I've been doing that for two decades. Most of the spam comes directly to my primary gmail. Because I shared that with friends and family. And at least some of my friends and family shared their entire contact list with the wrong app at least once.
This article however is talking about publishing your email address on a public website. It matches my experience, that simple javascript concatenation stops 100% of spam. Not that I would or ever did trust my primary email address to that.
ProllyInfamous•Apr 2, 2026
This is your configuration error (likely just using a simple catch-all)?
When configured correctly each family member can reach you at a custom handle@, even seeing this custom reply address in response emails from you.
----
But yes, you're correct about the purpose of OP's article (website obfuscation). The topic-overlap is so close that it's still worth mentioning, IMHO.
jonathanstrange•Apr 2, 2026
I've never obfuscated my mail and do not use server-side spam filters, yet have never had a problem with spam. Yes, I get maybe twice or three times as much spam than legitimate mail (if we include spam that was once (semi-)authorized when clicking the wrong option). However, it's all filtered reliably client-side.
djha-skin•Apr 2, 2026
It's simple: draw your email in a paint program and export it as a png. Totally readable by humans.
kqr•Apr 2, 2026
...humans with vision in good working order. There's a large subset of humans who would then have no way of contacting you.
dyingkneepad•Apr 2, 2026
Then I can't copy+paste, so I might make a typo when sending you a message.
TZubiri•Apr 2, 2026
What I do is I have a catch all, and based on the emails I get, I know which emails are made public, and I scout what the threat actors are doing.
For a similar reason I dislike ip2ban, my objective is not to block all attack attempts, I prefer receiving them acknowledging them and being immune to them.
The idea of ignoring attack attempts isn't very safe when you think about it, your body doesn't do that, it creates antibodies upon subclinical expositions. Complete isolation means your immune system is weak and you are more vulnerable to the lightest of exposures.
momo_dev•Apr 2, 2026
interesting that most scrapers are still just regex-searching for @ in raw bytes. on the receiving side i've been dealing with a different angle of the same problem, blocking disposable/temp email signups. a domain blocklist catches 90% but the clever ones use random alias domains that all point their MX records to the same disposable mail infrastructure. checking where MX records actually resolve catches those too
27 Comments
Contact details: [any mailbox] [at] [the domain name of this web site]. Please don’t ask me to give interviews, sign books, appear on podcasts, attend conferences or conventions, or provide feedback or endorsements for works of fiction, scientific theories, or slabs of text disgorged by chatbots.
I have no idea how to decipher this obfuscation.
Anecdotal, but I’ve used HTML entities on a public static website for a long time using an href tag with mailto, and yet I’ve not seen any spam.
I guess any spammer who uses some level of GenAI to process and extract email addresses would have a lot more success against all the methods listed in this article.
The data-source are the enormous data breach that are more and more frequent. There is more intensive to collect more information on someone you already know something about than spamming an email you don't even know if it's a valid one.
The spam can also be very more effective as it present itself with personal information about the spammed.
Edit: that’s not to deny that big data leaks are a serious problem
It's obvious to any non native english speaker, when you have a spam in english, it is because they toke the email from the web. When it's in you native language, it's usually from a data breach.
I'm vastly more spammed by the later. I can confirm it with unique email addresses of the "+" form (but not with the + character).
Also when I'm spammed in english, it's for Web3 crypto stuff and from a data breach it's a phishing attempt.
But yeah, I’d say most junk mail is coming to (1) an address leaked from one Russian bank (!) I used, (2) the address listed in public business databases (I have a company in Estonia).
That solution doesn't apply to the use case in the article.
But I like this review of techniques, even the simplest ones are very effective, that surprised me.
I never got SpamAssassin working very well, but since moving my email hosting to Apple (from my own server), spam has not been a problem.
However, LLMs are quite good at generating spam and I think soon will evade most filters.
Or buy/rent domains/IPs that have good reputations, as there are services that specializes in just bringing up the reputation for stuff so they can sell it once "good". Same exists for user accounts for various platforms like reddit and so on.
Yes, that is indeed the point of those; "build up reputation -> sell/rent -> someone uses it to burn reputation -> rinse and repeat".
If an LLM and make a plausible email, the best another LLM can do is to rank it as plausible. Blackbox creation and detection have to be on the same level.
Perhaps if you said the detection LLM had all your context and websearch. That it could know that a Penny Pollytree at Coco Co isn’t a real person, but… that just seems like burning a ton of coal to detect fraud where the creation LLM was able to easily come up with the fictitious spam cheaply.
The real story here is this will go beyond email verification. That every system we have is going to need to up its security. Paper birth certificates and social security cards and email addresses and all manner of identity is going to need new systems of auth. The challenge will be to prevent authoritarian centralization.
Perhaps my provider’s just great at filtering spam - but I kind of doubt it’s better than the major players (for years I’ve used Zoho for email - and it’s ‘okay’ enough that it’s not worth switching).
because harvesters don't care until one technique gets massive use. if you come up with a unique but simple enough scheme for your sites and keep a few dozen email addresses out of their reach.. they've still gathered a million addresses. it's not really worth their effort to get the last 0.0001% of extra email addresses
so it's best to just not advertise your solution and make sure it doesn't get n any outside traction - if it gets popular the harvesters will defeat it
Also, a note to those who make fancy "me+someservice@somedomain.com" addresses: make really sure you are in control and these work. Some services (including mine) will need to E-mail you one day, for example to tell you that your account will be deleted because of inactivity. If you don't receive that E-mail because of your fancy spam defenses, your account will be deleted. I've seen people hurt themselves like this and it makes me sad.
On a constructive note: what works very well is spam filtering using LLMs. We have AI to help us with this problem today. I wrote an LLM despammer tool which processes my inbox via IMAP using a local LLM (for privacy reasons). I see >97% accuracy in my benchmarks on my (very difficult) testing corpus. It's nearly perfect in real life usage. I've tested many local models in the 4-32B range and the top practical choice is gpt-oss:20b (GGUF, I run it from LM Studio, MLX quantizations are worse) — not only does it perform very well, but it's also really fast.
Also, the two can be complementary, anyways, so I am not sure what your point is.
If you use a catch-all on a domain, i.e. someservice@somedomain.com, I guess in theory that might break. But it seems about as likely as messing up the overall domain setup.
Also, my account on your service is likely much more disposable to me than my email address/domain. Anything I care about, I'd back up. Not just assume some random website is going to preserve it for me forever.
Just wait until one of these companies demands an email from the registered email address of your account!
Like others mentioned, though, personally i haven't bothered by email harvesting for years now since spam filters seem to do a decent job. I have my email posted in plaintext here (which i bet is harvested very often) and in various other places and the occasional spam i get is eclipsed from "spam" from services i've actually signed up for (coughlinkedincough).
[0] https://i.imgur.com/ytYkyQW.png
Imagine someone visiting your blog who wants to e-mail you can burn some CPU cycles to "earn" an address that hasn't been given out to anybody else, e.g. user+TOKEN@example.com, where it is algorithmically-unlikely for them to be able to guess a different TOKEN that will work. Then if abuse occurs, you can just retire that one address. (In a non-interactive context, like a paper ad, you could just generate one yourself.)
Naturally, this would be best with an e-mail client that is aware of the scheme, and with a mail-service that has some API for generating new addresses, such as if you want to cold e-mail somebody and use a new from/return address.
Some years ago I had the fanciful idea of doing it with a phone-app, where it manages creating new addresses as-needed, disabling them, and keeping notes about who you gave them to.
I use it all the time in conjunction with Bitwarden to generate unique emails per site. You can have notes in each email, and they show up in a small banner on in the forwarded email. And each one is individually disable-able, so you can easily cut it off if you see spam from it.
I was really interested in this space and made my own homegrown tool for this. I used it for a while until I discovered Addy and switched over. IIRC there are similar services by Mozilla, Apple, and Proton.
Basically each email gets written as a brainf*ck program and stored in a "data-" attribute. The html only includes a more primitively obfuscated statement "Must enable Javascript to see e-mail." by default which then gets replaced by another brainf*ck interpreter (in JS) with the output of the brainf*ck code. Since we only output ASCII we can reduce the size of the brainf*ck code by always adding 32 to each value it outputs. The Javascript is loaded from what seemingly looks like a 3rd party domain. There we filter basing on heuristics and check if the "referer" matches before sending out the actual interpreter code.
Of course all this would not help if a scraper properly runs things through Javascript too.
Recently I read you soon will be able to run DOOM via CSS, so certainly it should be possible to have a brainf*ck interpreter in CSS? That would be the next step… just to get rid of the Javascript, but then I'm okay with all the downsides of using Javascript just for the e-mail obfuscation.
Anyway… I also regularly (at least once a year) rotate those public contact addresses.
/edit
And you can combine both approaches: XOR'ing the code first for good measurements. :)
I occasionally get spam from people who took the time to create gmail accounts. Based on this advice, the honey pot email address would get spam from a Gmail account and your script would block Gmail servers.
(Similarly, I'm sure most links can be found by searching the bytestring for "href" and taking what's to the right of it.)
This would explain why HTML entities are so effective.
On the other hand, surely the TLS handshake is far more expensive than HTML parsing? Maybe it's to avoid parser failure modes that consume a lot of resources?
A dog will keep biting long after that is a disastrous plan.
Could also be that they learned that sending spam to obfuscated addresses doesn’t gets much response. Such messages might get filtered out more and/or addressees might be less inclined to reply to it.
When I view a commit on the github UI using view source, I can see the commit author's email address just as text with no special handling. It's bracketed by "<" and ">", so maybe that's enough to confuse harvesters.
I just looked at the spam folder of one my personal accounts (where I sign up for services), and it has got tons of stuff, most recently 2 or 3 with the subject "YOU PERVERT! I RECORDED YOU!".
It seems spammers are doing less harvesting and more purchasing of email lists from service vendors.
- git@mydomain.com
Presumably harvested from GitHub or gitlab
- contact@mydomain.com / admin@mydomain.com
Not actually an email address ever used, presumably people just guessing these exist from convention.
- <first name>@mydomain.com
I mean, if you know my name you can probably guess this but also this has been my primary email address for outbound email and so has ended up in marketing lists etc.
- ap@mydomain.com, finance@mydomain.com
This is a very recent trend but I've been getting emails to made up addresses like these ones quoting forged emails from myself (with various titles like CEO or CFO attached) claiming to authorize payments to other parties, usually backdated, and then asking that I process their invoice ASAP because look how long ago the CEO said it should be paid. I guess my website has ended up in some list of businesses despite being a personal site.
Ironically, the address that was in plain text in my HN profile for like 15 years gets very minimal spam.
Something like:
``` <a href="#" class="js-mailto ${className}" data-email-user="${local}" data-email-host="${host}" data-email-subject="${sub}" > ${children} </a> ```
And then some light vanilla JS to stitch it together. Works in the browser, and spam has dropped off a cliff since.
Then you can hand each recipient an absolutely unique email which isn't just ole "name.morewords@" period trick — block those which receive SPAM.
----
OR: the even "easier" lifestyle of just not using email (like me). Obviously this is difficult for modern living, but that's what temp email is best for [i.e. circumventing ubiquitous `REQUIRED` email address fields].
This article however is talking about publishing your email address on a public website. It matches my experience, that simple javascript concatenation stops 100% of spam. Not that I would or ever did trust my primary email address to that.
When configured correctly each family member can reach you at a custom handle@, even seeing this custom reply address in response emails from you.
----
But yes, you're correct about the purpose of OP's article (website obfuscation). The topic-overlap is so close that it's still worth mentioning, IMHO.
For a similar reason I dislike ip2ban, my objective is not to block all attack attempts, I prefer receiving them acknowledging them and being immune to them.
The idea of ignoring attack attempts isn't very safe when you think about it, your body doesn't do that, it creates antibodies upon subclinical expositions. Complete isolation means your immune system is weak and you are more vulnerable to the lightest of exposures.