Where does spam come from?

Freshness Warning
This article is over 16 years old. It's possible that the information you read below isn't current.

It is often suggested that if you are going to place your email address on a Web site, you should obscure it by encoding the address as HTML entiries, else your address gets harvested by spambots. It is just as often refuted by those who think about such things. After all, it stands to reason that spambots can easily learn to decode these entities and happily harvest your encoded address.

That all sounds good in theory, but what happens when the theory is tested?

The Center for Democracy & Technology spent six months conducting a controlled study to determine where spammers get email addresses from. Their report, “Why Am I Getting All This Spam?,” details their findings.

Among other things, the report found that encoded email addresses left on a honeypot Web site for six months were never harvested by spambots. Test addresses placed on the site and used nowhere else never received spam.

That’s not to say that spambots won’t eventually be taught to decode HTML entities, but for now it appears safe to use them in spam prevention.

This also shows that you must test your theories. Something that sounds perfectly sensible in your mind doesn’t always hold up to reality. It seems obvious that spambots would be taught to recognize encoded email addresses, but in the real world, they haven’t.

Phil Ringnalda
April 14, 2003 7:06 PM

I wasn't absolutely sure when I read that report, but I had the feeling that they were talking about entity-encoding an address in text, not entity-encoding an address in a link. It makes a huge difference: if you entity encode an address in a link, it absolutely will get harvested, unless you are sufficiently cunning (so far, my 'written in three chunks by javascript' encoded address hasn't been harvested). I've tried just entity encoding in a link several times with several never-before-spammed addresses, and they get harvested so fast it'd make your head spin.

Adam Kalsey
April 14, 2003 7:44 PM

You're probably right. Looking at Figure 3 ( http://www.cdt.org/speech/spam/figure3.gif ), I see that the addresses are encoded but are simply stored in a comment instead of placing them inside a link.

John the Lawyer
April 17, 2005 12:44 AM

I found this quite interesting. For some time I had also heard that it did not matter what you did to the address because the harvesting program had a filter that would understand the change. Quite clearly that was not true at least at the time of the study. Great site, and you turned me on the a great study reference for the spam problem!

October 12, 2006 5:53 AM

Your answers don't really respond to the question. When I Googled the question and received your site as the first choice, I wasn't interested in e-mail address harvesting. We all know how that works. I was interested in who or what generates the messages. I have used Properties in Outlook Express to view some of the messages. 99+% of my spam messages are gibberist - unreadable English or code. On occasion I actually open one and to look at it. Same result. I see no purpose because there is nothing that makes sense. Other than consuming CPU and Internet time - plugging up the system - I fail to see the purpose of spam. Who writes this stuff? I can only conclude that some computer program generates this stuff and sends it automatically.

Your comments:

Text only, no HTML. URLs will automatically be converted to links. Your email address is required, but it will not be displayed on the site.


Not your company or your SEO link. Comments without a real name will be deleted as spam.

Email: (not displayed)

If you don't feel comfortable giving me your real email address, don't expect me to feel comfortable publishing your comment.

Website (optional):

Follow me on Twitter

Best Of

  • Rounded corners in CSS There lots of ways to create rounded corners with CSS, but they always require lots of complex HTML and CSS. This is simpler.
  • The mouse and me Not only is the mouse very destructive, but it's evaded all attempts to capture or kill it so far.
  • Embrace the medium The Web is different than print, television, or any other medium. To be successful, designers must embrace those differences.
  • Let it go Netscape 4 is six years old.
  • Newly Digital Newly Digital is an experimental writing project. I've asked 11 people to write about their early experiences with computing technology and post their essays on their weblogs. So go read, enjoy, and then contribute. This collection is open to you. Write up your own story, and then let the world know about it.
  • More of the best »

Recently Read

Get More

Subscribe | Archives


Product Manager Career Ladder (Aug 19)
What are the steps along the product management career path?
Building the Customer-Informed Product (Aug 15)
Strong products aren't composed of a list of features dictated by customers. They are guided by strong visions, and the execution of that vision is the primary focus of product development.
Assumptions and project planning (Feb 18)
When your assumptions change, it's reasonable that your project plans and needs change as well. But too many managers are afraid to go back and re-work a plan that they've already agreed to.
Feature voting is harmful to your product (Feb 7)
There's a lot of problems with using feature voting to drive your product.
Encouraging 1:1s from other managers in your organization (Jan 4)
If you’re managing other managers, encourage them to hold their own 1:1s. It’s such an important tool for managing and leading that everyone needs to be holding them.
One on One Meetings - a collection of posts about 1:1s (Jan 2)
A collection of all my writing on 1:1s
Are 1:1s confidential? (Jan 2)
Is the discussion that occurs in a 1:1 confidential, even if no agreed in the meeting to keep it so?
Skip-level 1:1s are your hidden superpower (Jan 1)
Holding 1:1s with peers and with people far below you on the reporting chain will open your eyes up to what’s really going on in your business.

Subscribe to this site's feed.


Adam Kalsey

Mobile: 916.600.2497

Email: adam AT kalsey.com

Twitter, etc: akalsey



©1999-2019 Adam Kalsey.