Posted by Richard Cornford on 06/30/06 00:52
Philip wrote:
 > Richard Cornford wrote:
 
 >> Philip wrote:
 >> <snip>
 >>> I've been testing this with some spamtrap email addresses,
 >>> and it appears to work quite well (but not perfectly).
 >><snip>
 >>
 >> So it doesn't occur to you that the software used by spammers will
 >> evolve to be the most effective for the task? ...
 <snip>
 
 > I disagree. I think spammers are after the low-hanging
 > fruit that is unobfuscated email addresses, and there
 > doesn't seem to be a shortage of that now or in the
 > foreseeable future.
 
 You don't see this thread as being an indication in itself that your
 'low-hanging fruit' is already trying to move out of reach?
 
 > You're right that spam harvesting programs could
 > conceivably evolve to handle obfuscated addresses,
 > but I see very little pressure for them to do so.
 
 They already exist, they just are not yet in common use. Your own
 qualification of "but not perfectly" suggests that some are already
 defeating your e-mail address obfuscation. So the 'evolution' does not
 have to be in the software for the task, just in the choice of software
 that people use for the task.
 
 > If you disagree, that's your opinion and I'm not going
 > to try to tell you it's wrong. But one thing is for sure:
 > right now, obfuscating one's email address will foil more
 > email harvesters than not obfuscating.
 
 What I am saying is that what may be true "right now" may not be true
 next year. So if you can address the problems you may have next year
 with the same effort now as you are spending on implementing a technique
 that can be defeated it makes more sense to do that now.
 
 > I believe (and am trying to assemble real data so I
 > can rely on something besides intuition here) that using a
 > Javascript-based method is more secure than simple
 > obfuscation, even allowing for evolution of email
 > harvesting programs. I think it is unlikely that email
 > harvesters will ever develop the ability to interpret
 > Javascript,
 
 The e-mail harvesters that are based upon automating the Microsoft web
 browser COM object (Internet Explorer) can already interpret and execute
 javascript (well, technically JScript).
 
 > not because it is too difficult to do but because it would
 > be resource-intensive, a little dangerous, and would
 > have a very low ROI.
 <snip>
 
 It has already been done, would not take more than a week's work to do
 again, and once written could be employed by thousands of individuals
 (if made available). That is not too much investment, so the return is
 proportional to the number of people trying to use javascript to obscure
 their e-mail addresses.
 
 Richard.