Avoiding obfuscated email addresses
Some people attempt to thwart email harvesters by obfuscating email adresseses, such as by displaying them as <name[at]example[dot]com>.
Ever wonder how hard it is to decrypt obfuscated email addresses? The answer: Very easy! There are several serious problems with this approach.
Trivially easy to decrypt
Astute readers may already see several obvious patterns. Here are a few more 'obfuscated' addresses created with the UnCryptMailto" script, and color coded to help you quickly identify patterns.
Do you see it? Each and every character is incremented exactly one place on the ASCII character table. A becomes B, B becomes C, etc. That's not security.
Decryption process is public knowledge
In the case of the "UnCryptMailto" script, the decryption algorithm is publicly available at http://jumk.de/nospam/stopspam.html where every spam harvester is free to grab it as well. Actually, given the weakness of the encryption process, I wouldn't be suprised if that site is hosted or sponsered by spam harvesters. They certainly benefit from its existence.
Decryption is exposed within the page it's intended to protect
It's hard to convey how stupid this is. The theory seems to be that spam harvesters are outwitted by the need to view source code.
This is an example of Security through Obscurity, the idea that something is protected because the bad guys aren't looking at it.
Security through Obscurity
The strategy of obfuscating the address relies on the concept of Security through Obscurity. According to this method, email addresses are preseumed safe as long as the 'bad guys' don't discover the decryption algorithm. This is why posting the decryption code directly into the page it is meant to protect is simply, ummmm... stupid.
For example, see the suggested directions at http://jumk.de/nospam/stopspam.html. The site advises its victims to add the following decryption algorithm to the head of their web pages—an awesomely stupid tactic, similar to hanging the key to a locked door onto the door itself.
BTW: The most significant line in this script is displayed in red. This is the heart of the obfuscation process, such as it is.
Easy to search for and find
Many naive website builders may use the same function names as publicly available code examples. This makes it trivially easy to find the orginal source by searching for matching function calls. Unsurprisingly, jumk.de/nospam/stopspam.html proves to be the top listed site in a Google search for UnCryptMailto, perhaps indicating that many email harvesters have been there before us.
Not an actual encryption algorithms
It only takes a few moments for a thoughful person to notice that the encryption algorithm in the "UnCryptMailto" script does nothing more than increment each ASCII character by 1. Bingo. Algorithm cracked.
This is perhaps the most basic character-level encryption scheme ever devised, and is not worthy of the name. It is so blatantly inadequate that it is sometimes presented in introductory cryptography classes to demonstrate what not to do precisely because it creates so many easily observed patterns.
Nothing more (actually 12 less) than ROT13
ROT13 ("rotate by 13 places") is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet. ROT13 is an example of the Caesar cipher, developed in ancient Rome. In the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding.
The algorithm provides virtually no cryptographic security, and is often cited as a canonical example of weak encryption.
For more on ROT13, see http://en.wikipedia.org/wiki/ROT13
Easy to guess using location patterns
The fourth character from the end of many email addresses is a period (.). In the "UnCryptMailto" script this location always contains a slash (/), an obvious pattern. The slash character is exactly one ASCII character higher than the period. Bingo. Algorithm cracked.
Easy to guess using grouping patterns
Recurring groups of characters are an easy starting point for cracking any encryption scheme. There are several patterns that keep recurring in "UnCryptMailto" addresses. For example they all begin with "nbjmup". Not surprisingly, each of the characters in this string is exactly one ASCII character higher than the characters in the string "mailto". Bingo. Algorithm cracked.
Vulnerable to simple pattern testing
Go to jumk.de/nospam/stopspam.html and enter a very obvious pattern such as <firstname.lastname@example.org>. The predicted result will be <nbjmup;bbbbAcccccc/dpn>. Bingo. Algorithm cracked. Don't be fooled by the characters at the start of the text. That's just "mailto:" with each character incremented one ASCII number to create, "nbjmup;". "m" becomes "n", "a" becomes "b", "i" becomes "j", etc.
Test your site!
Would you like to test the vulnerability of your obfuscated email addresses?
Simply copy the encrypted text from your website into the free online Email Obfuscation Checker. If the address is successfully decoded, you can be sure the majority of spam harvesters will have little trouble as well.