Monday 9 April 2012

Email Obfuscation Tricks In The Age Of Spammers

Every day, thousands of spam emails land in our inboxes, and the algorithms used by spam bots are becoming increasingly sophisticated; they can already harvest a few kinds of obfuscated e-mail addresses. While this race between spammers and web users goes on, we can still use several obfuscation tricks, either to prevent bots from harvesting addresses or to fool them into picking up completely wrong e-mail addresses. Here, I am going to illustrate some useful obfuscation tricks I've come across.

The Very Basics


A very basic way of obfuscating an e-mail address is to replace characters such as @ and . with "at" and "dot". Here are a few samples:

samar[at]techgaun[dot]com
samar (at) techgaun (dot) com

And below are some examples that would be nearly impossible to harvest :P. Just be more creative with them and no automated spam bot/email harvester out there will be able to get you :D. However, this might create a DoS-like scenario for many legitimate users, who have to work out the address themselves.

<myfirstname> (at) techgaun (dot) com
<myfirstname> (at) <lastname> (dot) com

Using Image

Another method is to create a small image that displays your e-mail address. A PNG/GIF of your e-mail address should be more than enough.

Text Encodings

You could also use text encodings, JavaScript obfuscation, etc. An example is converting the ASCII characters to numeric HTML character references (the Unicode code point of each character) and then applying further levels of obfuscation on top.

The Unicode version:

&#0115;&#0097;&#0109;&#0097;&#0114;&#0064;&#0116;&#0101;&#0099;&#0104;&#0103;&#0097;&#0117;&#0110;&#0046;&#0099;&#0111;&#0109;

will properly show as:

samar@techgaun.com

Obfuscations using CSS


Reverse Text Direction

CSS allows you to display text in the reverse direction. For an HTML element such as

<div class="email">moc.nuaghcet@ramas</div>

you can specify the following CSS properties to use this obfuscation trick:

.email
{
     unicode-bidi: bidi-override;
     direction: rtl;
     float: left;
}

Hidden Text Within E-mail address

Another method is to put a hidden HTML element between the parts of the e-mail address and set its display style to none. Spam bots that try to extract the address from such markup end up with wrong information. An example is:

samar@tech<span style='display: none;'>nique</span>gaun.com
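
The following is an added example, not code from the original post: it generates the Text Encodings, Reverse Text Direction and Hidden Text forms shown above, and shows what a reader that ignores CSS extracts from each. The function names, the offset parameter and the tag-stripping model of a CSS-unaware reader are assumptions of this sketch.

```javascript
// Added example: names, parameters and defaults here are assumptions.

// Escape HTML-special characters as numeric character references.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// "Text Encodings": each character becomes a zero-padded decimal
// character reference, e.g. "s" -> "&#0115;".
function toEntities(email) {
  return Array.from(email, (ch) =>
    `&#${String(ch.codePointAt(0)).padStart(4, "0")};`).join("");
}

// "Reverse Text Direction": the markup holds the address backwards; the
// .email rule (unicode-bidi: bidi-override; direction: rtl) flips it on screen.
function toReversedMarkup(email, className = "email") {
  const reversed = Array.from(email).reverse().join("");
  return `<div class="${escapeHtml(className)}">${escapeHtml(reversed)}</div>`;
}

// "Hidden Text": put a decoy `offset` characters into the domain, hidden
// with an inline style so that only CSS-aware readers skip it.
function toDecoyMarkup(email, decoy, offset) {
  const at = email.lastIndexOf("@");
  const domainLength = email.length - at - 1;
  if (at < 1 || offset < 1 || offset >= domainLength) {
    throw new RangeError("decoy must fall inside the domain part");
  }
  const cut = at + 1 + offset;
  return escapeHtml(email.slice(0, cut)) +
    `<span style='display: none;'>${escapeHtml(decoy)}</span>` +
    escapeHtml(email.slice(cut));
}

// Text as seen by a reader that parses HTML but ignores CSS (text-only
// browser, naive scraper): tags dropped, numeric references decoded.
function textIgnoringCss(markup) {
  return markup
    .replace(/<[^>]*>/g, "")
    .replace(/&#(\d+);/g, (_, code) => String.fromCodePoint(Number(code)));
}

const address = "samar@techgaun.com"; // address used throughout the post
console.log(toEntities(address));
console.log(toReversedMarkup(address));
console.log(toDecoyMarkup(address, "nique", 4));
console.log(textIgnoringCss(toDecoyMarkup(address, "nique", 4)));
```
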

Edit: I found this link with some good examples so I thought I would rather refer you all to this webpage.