Need someone to lead product management at your software company? I create software for people that create software and I'm looking for my next opportunity. Check out my resume and get in touch.

Where does spam come from?

Freshness Warning
This blog post is over 20 years old. It's possible that the information you read below isn't current and the links no longer work.

It is often suggested that if you are going to place your email address on a Web site, you should obscure it by encoding the address as HTML entiries, else your address gets harvested by spambots. It is just as often refuted by those who think about such things. After all, it stands to reason that spambots can easily learn to decode these entities and happily harvest your encoded address.

That all sounds good in theory, but what happens when the theory is tested?

The Center for Democracy & Technology spent six months conducting a controlled study to determine where spammers get email addresses from. Their report, “Why Am I Getting All This Spam?,” details their findings.

Among other things, the report found that encoded email addresses left on a honeypot Web site for six months were never harvested by spambots. Test addresses placed on the site and used nowhere else never received spam.

That’s not to say that spambots won’t eventually be taught to decode HTML entities, but for now it appears safe to use them in spam prevention.

This also shows that you must test your theories. Something that sounds perfectly sensible in your mind doesn’t always hold up to reality. It seems obvious that spambots would be taught to recognize encoded email addresses, but in the real world, they haven’t.

Phil Ringnalda
April 14, 2003 7:06 PM

I wasn't absolutely sure when I read that report, but I had the feeling that they were talking about entity-encoding an address in text, not entity-encoding an address in a link. It makes a huge difference: if you entity encode an address in a link, it absolutely will get harvested, unless you are sufficiently cunning (so far, my 'written in three chunks by javascript' encoded address hasn't been harvested). I've tried just entity encoding in a link several times with several never-before-spammed addresses, and they get harvested so fast it'd make your head spin.

Adam Kalsey
April 14, 2003 7:44 PM

You're probably right. Looking at Figure 3 ( ), I see that the addresses are encoded but are simply stored in a comment instead of placing them inside a link.

John the Lawyer
April 17, 2005 12:44 AM

I found this quite interesting. For some time I had also heard that it did not matter what you did to the address because the harvesting program had a filter that would understand the change. Quite clearly that was not true at least at the time of the study. Great site, and you turned me on the a great study reference for the spam problem!

October 12, 2006 5:53 AM

Your answers don't really respond to the question. When I Googled the question and received your site as the first choice, I wasn't interested in e-mail address harvesting. We all know how that works. I was interested in who or what generates the messages. I have used Properties in Outlook Express to view some of the messages. 99+% of my spam messages are gibberist - unreadable English or code. On occasion I actually open one and to look at it. Same result. I see no purpose because there is nothing that makes sense. Other than consuming CPU and Internet time - plugging up the system - I fail to see the purpose of spam. Who writes this stuff? I can only conclude that some computer program generates this stuff and sends it automatically.

This discussion has been closed.

Recently Written

Mastery doesn’t come from perfect planning (Dec 21)
In a ceramics class, one group focused on a single perfect dish, while another made many with no quality focus. The result? A lesson in the value of practice over perfection.
The Dark Side of Input Metrics (Nov 27)
Using input metrics in the wrong way can cause unexpected behaviors, stifled creativity, and micromanagement.
Reframe How You Think About Users of your Internal Platform (Nov 13)
Changing from "Customers" to "Partners" will give you a better perspective on internal product development.
Measuring Feature success (Oct 17)
You're building features to solve problems. If you don't know what success looks like, how did you decide on that feature at all?
How I use OKRs (Oct 13)
A description of how I use OKRs to guide a team, written so I can send to future teams.
Build the whole product (Oct 6)
Your code is only part of the product
Input metrics lead to outcomes (Sep 1)
An easy to understand example of using input metrics to track progress toward an outcome.
Lagging Outcomes (Aug 22)
Long-term things often end up off a team's goals because they can't see how to define measurable outcomes for them. Here's how to solve that.


What I'm Reading


Adam Kalsey

+1 916 600 2497


Public Key

© 1999-2024 Adam Kalsey.