Need someone to lead product or development at your software company? I lead product and engineering teams and I'm looking for my next opportunity. Check out my resume and get in touch.

Where does spam come from?

Freshness Warning
This article is over 17 years old. It's possible that the information you read below isn't current.

It is often suggested that if you are going to place your email address on a Web site, you should obscure it by encoding the address as HTML entiries, else your address gets harvested by spambots. It is just as often refuted by those who think about such things. After all, it stands to reason that spambots can easily learn to decode these entities and happily harvest your encoded address.

That all sounds good in theory, but what happens when the theory is tested?

The Center for Democracy & Technology spent six months conducting a controlled study to determine where spammers get email addresses from. Their report, “Why Am I Getting All This Spam?,” details their findings.

Among other things, the report found that encoded email addresses left on a honeypot Web site for six months were never harvested by spambots. Test addresses placed on the site and used nowhere else never received spam.

That’s not to say that spambots won’t eventually be taught to decode HTML entities, but for now it appears safe to use them in spam prevention.

This also shows that you must test your theories. Something that sounds perfectly sensible in your mind doesn’t always hold up to reality. It seems obvious that spambots would be taught to recognize encoded email addresses, but in the real world, they haven’t.

Phil Ringnalda
April 14, 2003 7:06 PM

I wasn't absolutely sure when I read that report, but I had the feeling that they were talking about entity-encoding an address in text, not entity-encoding an address in a link. It makes a huge difference: if you entity encode an address in a link, it absolutely will get harvested, unless you are sufficiently cunning (so far, my 'written in three chunks by javascript' encoded address hasn't been harvested). I've tried just entity encoding in a link several times with several never-before-spammed addresses, and they get harvested so fast it'd make your head spin.

Adam Kalsey
April 14, 2003 7:44 PM

You're probably right. Looking at Figure 3 ( ), I see that the addresses are encoded but are simply stored in a comment instead of placing them inside a link.

John the Lawyer
April 17, 2005 12:44 AM

I found this quite interesting. For some time I had also heard that it did not matter what you did to the address because the harvesting program had a filter that would understand the change. Quite clearly that was not true at least at the time of the study. Great site, and you turned me on the a great study reference for the spam problem!

October 12, 2006 5:53 AM

Your answers don't really respond to the question. When I Googled the question and received your site as the first choice, I wasn't interested in e-mail address harvesting. We all know how that works. I was interested in who or what generates the messages. I have used Properties in Outlook Express to view some of the messages. 99+% of my spam messages are gibberist - unreadable English or code. On occasion I actually open one and to look at it. Same result. I see no purpose because there is nothing that makes sense. Other than consuming CPU and Internet time - plugging up the system - I fail to see the purpose of spam. Who writes this stuff? I can only conclude that some computer program generates this stuff and sends it automatically.

Your comments:

Text only, no HTML. URLs will automatically be converted to links. Your email address is required, but it will not be displayed on the site.


Not your company or your SEO link. Comments without a real name will be deleted as spam.

Email: (not displayed)

If you don't feel comfortable giving me your real email address, don't expect me to feel comfortable publishing your comment.

Website (optional):

Recently Written

A framework for onboarding new employees (May 15)
There’s no single good way to onboard an employee that works for every role. Here's a framework for creating a process that you can adapt to each situation.
TV hosts as a guide for software managers (May 10)
Software managers can learn a lot from journalists or late night TV hosts and how they interview people.
The Improvement Flywheel (Apr 29)
An incredible flywheel for the improvement of a development team. Fix a few things, and everything starts getting better.
Managers and technical ability (Dec 26)
In technical fields, the closer you are to the actual work being done, the closer your skills need to resemble those of the people doing the work.
Dysfunctions of output-oriented software teams (Sep 17)
Whatever you call it, the symptom is that you're measuring your progress by how much you build and deliver instead of measuring success by the amount of customer value you create.
Evaluative and generative product development (Aug 30)
Customers never even talk to the companies that don't fit their needs at all. If the only product ideas you're considering are those that meet the needs of your current customers, then you're only going to find new customers that look exactly like your current customers.
Product Manager Career Ladder (Aug 19)
What are the steps along the product management career path?
Building the Customer-Informed Product (Aug 15)
Strong products aren't composed of a list of features dictated by customers. They are guided by strong visions, and the execution of that vision is the primary focus of product development.


What I'm Reading


Adam Kalsey

+1 916 600 2497


Public Key

© 1999-2020 Adam Kalsey.