Is it possible to thwart email harvesters by obfuscating email addresses, such as by displaying them as <name[at]example[dot]com>?
Ever wonder how hard it is to decrypt such addresses? The answer? Very easy!
This site decodes email addresses that are encrypted using typical obfuscation methods. A few examples are shown in the form below. You can edit the examples or replace them with other obfuscated addresses. Get cracking!
The original source for the script was found at http://jasonpriem.org/2009/05/stop-obfuscating-email. Additional decryption features were added to completely decrypt addresses produced by the popular "UnCryptMailto" script hosted at jumk.de/nospam/stopspam.html.
Astute readers may already see several obvious patterns. Here are a few more 'obfuscated' addresses created with the "UnCryptMailto" script, color-coded to help you quickly identify patterns.
Do you see it? Each and every character is incremented by one on the ASCII character table. A becomes B, B becomes C, etc. Decrypting this code is demonstrated in the examples below, where tests #13 and #14 are decrypted twice, once for the silly-looking label and once for the ASCII character shift.
In the case of the popular "UnCryptMailto" script, the decryption algorithm is available at http://jumk.de/nospam/stopspam.html where every spam harvester is free to grab it. Actually, I wouldn't be surprised if that site is hosted or sponsored by spam harvesters in order to delude the foolish.
This is probably one of the stupider ideas ever conceived. The theory seems to be that spam harvesters are outwitted by the need to view source code. The strategy of obfuscating the address relies on the concept of "Security through Obscurity". According to this method, email addresses are presumed safe as long as the 'bad guys' don't discover the decryption algorithm. This is why posting the decryption code directly into the page it is meant to protect is simply, ummmm... stupid.
For example, see the suggested directions at http://jumk.de/nospam/stopspam.html. The site advises its victims to add the following decryption algorithm to the head of their web pages—an awesomely stupid tactic, similar to hanging the key to a locked door onto the door itself.
BTW: The most significant line in this script is displayed in red. This is the heart of the obfuscation process, such as it is.
Many naive website builders may use the same function names as publicly available code examples. This makes it trivially easy to find the original source by searching for matching function calls. Unsurprisingly, jumk.de/nospam/stopspam.html proves to be the top listed site in a Google search for UnCryptMailto, perhaps indicating that many email harvesters have been there before us.
It only takes a few moments for a thoughtful person to notice that the encryption algorithm in the "UnCryptMailto" script does nothing more than increment each ASCII character by 1. Bingo. Algorithm cracked. This is perhaps the most basic character-level encryption scheme ever devised, and is not worthy of the name. It is so blatantly inadequate that it is sometimes presented in introductory cryptography classes to demonstrate what not to do precisely because so many obvious patterns are created.
ROT13 ("rotate by 13 places") is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet. ROT13 is an example of the Caesar cipher, developed in ancient Rome. In the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding. The algorithm provides virtually no cryptographic security, and is often cited as a canonical example of weak encryption. For more on ROT13, see http://en.wikipedia.org/wiki/ROT13
The fourth character from the end of many email addresses is a period (.). In the "UnCryptMailto" script this location always contains a slash (/), an obvious pattern. The slash character is exactly one ASCII character higher than the period. Bingo. Algorithm cracked.
Recurring groups of characters are an easy starting point for cracking any encryption scheme. There are several patterns that keep recurring in "UnCryptMailto" addresses. For example, they all begin with "nbjmup". Not surprisingly, each of the characters in this string is exactly one ASCII character higher than the characters in the string "mailto". Bingo. Algorithm cracked.
Go to jumk.de/nospam/stopspam.html and enter a very obvious pattern such as <firstname.lastname@example.org>. The predicted result will be <nbjmup;bbbbAcccccc/dpn>. Bingo. Algorithm cracked. Don't be fooled by the characters at the start of the text. That's just "mailto:" with each character incremented one ASCII number to create "nbjmup;". "m" becomes "n", "a" becomes "b", "i" becomes "j", etc.
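The recurring "nbjmup;" prefix described above works as a known-plaintext crib, and the following added example (not the UnCryptMailto code and not this site's decoder) shows how a site owner can check whether a string they publish gives up its address that way. It generalizes from the shift of 1 to any constant shift; the function names are hypothetical and the sample strings are constructed or quoted from this page.

```javascript
const CRIB = "mailto:"; // known plaintext every encoded link starts with

// Shift every character code by `delta` (the page's scheme encodes with +1).
function shiftChars(text, delta) {
  return Array.from(text, ch => String.fromCharCode(ch.charCodeAt(0) + delta)).join("");
}

// Return the constant shift that maps the crib onto the start of `encoded`,
// or null when the prefix is not a uniformly shifted "mailto:".
function findShift(encoded) {
  if (encoded.length < CRIB.length) return null;
  const shift = encoded.charCodeAt(0) - CRIB.charCodeAt(0);
  for (let i = 1; i < CRIB.length; i++) {
    if (encoded.charCodeAt(i) - CRIB.charCodeAt(i) !== shift) return null;
  }
  return shift;
}

// Undo label-style obfuscation such as name[at]example[dot]com.
function undoLabels(text) {
  return text
    .replace(/\s*[\[\(\{]\s*at\s*[\]\)\}]\s*/gi, "@")
    .replace(/\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*/gi, ".");
}

// Report whether a published string exposes a plain address, and by which method.
function auditObfuscation(published) {
  const shift = findShift(published);
  if (shift !== null) {
    const plain = shiftChars(published, -shift);
    return { method: `ascii-shift(${shift})`, address: plain.slice(CRIB.length) };
  }
  const relabeled = undoLabels(published);
  const looksLikeAddress = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(relabeled);
  if (looksLikeAddress) {
    return { method: relabeled === published ? "none" : "labels", address: relabeled };
  }
  return { method: "unrecognized", address: null };
}

// Samples: the first is the encoded string quoted on this page, the second is constructed.
for (const s of ["nbjmup;bbbbAcccccc/dpn", "name[at]example[dot]com"]) {
  console.log(s, "->", auditObfuscation(s));
}
```

Any string for which `auditObfuscation` returns a non-null `address` offers no more protection than publishing the address in plain text.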