Avoiding obfuscated email addresses

Some people attempt to thwart email harvesters by obfuscating email adresseses, such as by displaying them as <name[at]example[dot]com>.

Ever wonder how hard it is to decrypt obfuscated email addresses? The answer: Very easy! There are several serious problems with this approach.

Trivially easy to decrypt 

The popular "UnCryptMailto" script converts email addresses of the form <goofy@encryption.com> into <nbjmup;hppgzAfodszqujpo/dpn>. The site then provides the following dubious javascript, suggesting that it should be used in place of plain text email addresses on the victim's website:

<a href="javascript:linkTo_UnCryptMailto('nbjmup;hppgzAfodszqujpo/dpn');">goofy [at] encryption [dot] com</a>

Astute readers may already see several obvious patterns. Here are a few more 'obfuscated' addresses created with the UnCryptMailto" script, and color coded to help you quickly identify patterns. 

Original Obfuscated
goofy@encryption.com nbjmup;hppgzAfodszqujpo/dpn
goofy2@encryption.com nbjmup;hppgz2Afodszqujpo/dpn
abcdefg@encryption.com nbjmup;bcdefghAfodszqujpo/dpn
1234567@abcdefghijhlmnop.com nbjmup;2345678Abcdefghijkimnopq/dpn
what@about-the-tld.net nbjmup;xibuAbcpvu.uif.ume/ofu
and@another.net nbjmup;boeAbopuifs/ofu
by-now@it-should-be-obvious.dude nbjmup;cz.opxAju.tipvme.cf.pcwjpvt/evef


Do you see it? Each and every character is incremented exactly one place on the ASCII character table. A becomes B, B becomes C, etc. That's not security. 

Decryption process is public knowledge

In the case of the "UnCryptMailto" script, the decryption algorithm is publicly available at http://jumk.de/nospam/stopspam.html where every spam harvester is free to grab it as well. Actually, given the weakness of the encryption process, I wouldn't be suprised if that site is hosted or sponsered by spam harvesters. They certainly benefit from its existence.

Decryption is exposed within the page it's intended to protect

It's hard to convey how stupid this is. The theory seems to be that spam harvesters are outwitted by the need to view source code.

Javascript encryption is not a complete defense

The web contains many posts that theorize spam harvesting bots won't interpret javascript, and so will miss javascript-encrypted email address. This creates a false sense of security. Spam harvesters can use bots to interpret javascript as often as they want. The more people hide behind the illusion that spam harvesters are too lazy to bother with javascript, the more enticing the total number of javascript-encrypted addresses becomes. 

This is an example of Security through Obscurity, the idea that something is protected because the bad guys aren't looking at it.

Security through Obscurity

The strategy of obfuscating the address relies on the concept of Security through Obscurity. According to this method, email addresses are preseumed safe as long as the 'bad guys' don't discover the decryption algorithm. This is why posting the decryption code directly into the page it is meant to protect is simply, ummmm... stupid. 

For example, see the suggested directions at http://jumk.de/nospam/stopspam.html. The site advises its victims to add the following decryption algorithm to the head of their web pages—an awesomely stupid tactic, similar to hanging the key to a locked door onto the door itself. 

BTW: The most significant line in this script is displayed in red. This is the heart of the obfuscation process, such as it is.


<script type="text/javascript"> 
function UnCryptMailto( s ) { 
 var n = 0; var r = ""; 
 for( var i = 0; i < s.length; i++) {
 n = s.charCodeAt( i ); 
 if( n >= 8364 ) { 
 n = 128; 
 r += String.fromCharCode( n - 1 ); 
return r; 

function linkTo_UnCryptMailto( s ) { 
 location.href=UnCryptMailto( s ); 

// --> 


Easy to search for and find 

Many naive website builders may use the same function names as publicly available code examples. This makes it trivially easy to find the orginal source by searching for matching function calls. Unsurprisingly, jumk.de/nospam/stopspam.html proves to be the top listed site in a Google search for UnCryptMailto, perhaps indicating that many email harvesters have been there before us. 

Not an actual encryption algorithms 

It only takes a few moments for a thoughful person to notice that the encryption algorithm in the "UnCryptMailto" script does nothing more than increment each ASCII character by 1. Bingo. Algorithm cracked. 

This is perhaps the most basic character-level encryption scheme ever devised, and is not worthy of the name. It is so blatantly inadequate that it is sometimes presented in introductory cryptography classes to demonstrate what not to do precisely because it creates so many easily observed patterns. 

Nothing more (actually 12 less) than ROT13 

ROT13 ("rotate by 13 places") is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet. ROT13 is an example of the Caesar cipher, developed in ancient Rome. In the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding. 

The algorithm provides virtually no cryptographic security, and is often cited as a canonical example of weak encryption

For more on ROT13, see http://en.wikipedia.org/wiki/ROT13

Easy to guess using location patterns 

The fourth character from the end of many email addresses is a period (.). In the "UnCryptMailto" script this location always contains a slash (/), an obvious pattern. The slash character is exactly one ASCII character higher than the period. Bingo. Algorithm cracked. 

Easy to guess using grouping patterns 

Recurring groups of characters are an easy starting point for cracking any encryption scheme. There are several patterns that keep recurring in "UnCryptMailto" addresses. For example they all begin with "nbjmup". Not surprisingly, each of the characters in this string is exactly one ASCII character higher than the characters in the string "mailto". Bingo. Algorithm cracked. 

Vulnerable to simple pattern testing 

Go to jumk.de/nospam/stopspam.html and enter a very obvious pattern such as <aaaa@bbbbbb.com>. The predicted result will be <nbjmup;bbbbAcccccc/dpn>. Bingo. Algorithm cracked. Don't be fooled by the characters at the start of the text. That's just "mailto:" with each character incremented one ASCII number to create, "nbjmup;". "m" becomes "n", "a" becomes "b", "i" becomes "j", etc.

Test your site!

Would you like to test the vulnerability of your obfuscated email addresses? 

Simply copy the encrypted text from your website into the free online Email Obfuscation Checker. If the address is successfully decoded, you can be sure the majority of spam harvesters will have little trouble as well.

Try the Email Obfuscation Checker »