Channel: Chuq Von Rospach » The Internet

Protecting mailto links (my advice: don’t)

Got this in email the other day, decided the answer might interest some of you.

I actually just had a quick random question about your Contact Us page on chuqui.com

I agree about not putting a phone number on a personal or small business site unless you are prepared for the idiot factor.

Since yourself and of course myself too are all too familiar with the world of spammers I was wondering why you don’t obfuscate or somehow protect your mailto: link?

It’s a serious question, as I am actually wondering if you do want to see how much spam will come to it and which types of spam?

Good question, complicated answer… Part of it is that my email addresses have been “out there” for so long — I’ve owned plaidworks.com since 1995, for instance — that I assume I’m on every spam list in the universe, because, from what I can tell, I am. So why hide when it’s too late already?

I also think those obfuscators are fake-security. Anything you can build programmatically, they can unbuild programmatically. All they have to do is care enough to try. They really don’t fix things, but they make you feel better, and over time, they get compromised — so you add complexity to things and in the long run, it doesn’t really solve the problem. Or it does, for a while, but how do you know when it stops working?

I don’t see any purpose in having an arms war with someone who can out-gun you from day one. I’d rather put my time into useful things.
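An added example, not part of the original post: a short audit that runs page markup through standard decoders and reports whether the address is still recoverable, which is the "unbuild programmatically" point above. The sample markup, the example.com address, and the four obfuscation styles are constructed for illustration; the post does not name specific schemes.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample markup; owner@example.com is a placeholder address.
SAMPLES = {
    "plain": '<a href="mailto:owner@example.com">mail me</a>',
    "html_entities": '<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;'
                     '&#111;&#119;&#110;&#101;&#114;&#64;example&#46;com">mail</a>',
    "percent_encoded": '<a href="mailto:%6f%77%6e%65%72%40example.com">mail</a>',
    "at_dot_words": "owner [at] example [dot] com",
    "js_concat": "<script>document.write('owner' + '@' + 'example' + '.com')</script>",
    # Negative control: no address appears in the markup at all.
    "contact_form": '<form action="/contact" method="post"><input name="msg"></form>',
}

ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
AT_WORD = re.compile(r"\s*[\[\(\{]\s*at\s*[\]\)\}]\s*", re.I)
DOT_WORD = re.compile(r"\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*", re.I)
JS_JOIN = re.compile(r"""['"]\s*\+\s*['"]""")


def recoverable_addresses(markup):
    """Return addresses still readable after undoing common encodings."""
    text = unquote(html.unescape(markup))  # entity and percent encoding
    text = JS_JOIN.sub("", text)           # 'a' + 'b' string splitting
    text = AT_WORD.sub("@", text)          # "[at]" spelled out
    text = DOT_WORD.sub(".", text)         # "[dot]" spelled out
    return sorted({m.group(0).lower() for m in ADDRESS.finditer(text)})


def audit(samples):
    """Map each sample name to the addresses a decoder recovers from it."""
    return {name: recoverable_addresses(markup) for name, markup in samples.items()}


if __name__ == "__main__":
    for name, found in audit(SAMPLES).items():
        status = "EXPOSED" if found else "not found"
        print(f"{name:16} {status:10} {', '.join(found)}")
```

Every obfuscated variant yields the same address as the plain link; only the sample that never contains the address comes back empty.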

So here’s what I do:

I hire someone else to worry about it.

I don’t believe it’s possible for an individual to “win” a war with the spammers. Or even “break even”, or even stick with “moral victories” for long. Even if I could, I’d much rather put my time and energy into other things.

So that means having your email hosted by someone who does have the resources to fight spam. I currently have three email hosts: gmail/google, mobileme/Apple, and my personal ISP (plaidworks.com/chuqui.com). Of the three, the personal ISP has the most leak-through, but they honestly do a good job and I have no complaints, given the complexity of the task.

Apple/Mobileme uses Brightmail for filtering (unless things have changed), and Google uses Postini, which they bought a few months after I turned down a job at Postini to work for Strongmail instead. Both groups have organizations individuals can’t hope to do better than (IMHO), no matter how much the geeks think they can “better mousetrap” the problem. My experience shows it to be a situation with rapidly diminishing returns for constantly increasing resource commitments.

So let the experts handle it. Then, realize it’s never going to be 100% perfect, and don’t get your knickers in a knot when it really IS imperfect. A few pieces of spam sneaking through won’t kill anyone; the stress you get spazzing out over the spam just might.

Right now my final mailbox lives on gmail, because it works best with my webos/Pre phone. When I was living on an iPhone, I used MobileME’s mail server. Depending on where I live, I have the other servers set to auto-forward to the final repository, and everything works pretty well.

In reality, the anti-spam aspects of email work pretty well now if you’re involved with a mail host that has their act together. Many corporate environments don’t. Most geeks fighting this battle on their own don’t (and complain about it loudly, so I think the general view is it’s a lot LESS solved than it is). Living on a mail host run by pros costs a few bucks (well, it doesn’t on gmail, but you get ads. I would happily pay a few bucks to do away with them..) but I’m a lot more worried about spending time than money in most cases.

Things like mail obfuscators never really worked well; they might have been ignored by spammers, but if the spammers decided they were worth investing in cracking, they got cracked. Very few geeks who installed them actually did any kind of scientific testing on how well they worked; they noticed no spam in their boxes for a few days and declared victory. A month later? Three? Six? Compared to non-obfuscated control addresses?

Shrug. Very little science here. Including myself. What science I do have is a couple of years old and pretty thin as well, so I don’t declare myself an expert, but when I did experiment, I just didn’t see anything worth the time investment, not compared to just putting my email on a server where a staff was in charge of solving the problem for me.

The proper place to solve the spam problem is on the incoming connection; even if you do obfuscate, all it takes is one mistake to leak, or someone else to leak it FOR you (and I found those leaks everywhere when I was tracking this stuff; painfully sad) to require having to do the incoming filtering as well. If you have to do that anyway, isn’t the proper answer to focus on doing that better and not do things that ultimately don’t really help solve the problem?

My bottom line: you aren’t going to keep email addresses away from the spammers. Trying to do so is a false security solution, and ultimately a waste of time and energy. Instead, the job is keeping spam out of the incoming email stream, and if you do that well, you don’t need to worry about the addresses leaking. So I don’t.

