HN
Today

Email obfuscation: What works in 2026?

A new study rigorously tests various email obfuscation techniques, providing data on what actually works against spammers in 2026. The findings challenge common assumptions, revealing that even simple methods remain surprisingly effective against most harvesters, despite their theoretical weaknesses. This deep dive offers practical, data-backed strategies for web developers and individuals looking to protect their digital mailboxes.

133
Score
37
Comments
#2
Highest Rank
15h
on Front Page
First Seen
Apr 2, 5:00 AM
Last Seen
Apr 2, 7:00 PM
Rank Over Time
13872457119111217202327

The Lowdown

This article presents a comprehensive, data-driven analysis of email obfuscation techniques, evaluating their effectiveness against spammers in 2026. Author Spencer Mortensen tests numerous methods for both plain-text email addresses and clickable mailto links, offering insights into which strategies provide genuine protection and which compromise user usability without significant anti-spam benefits.

  • Surprising Effectiveness: Many techniques, even those considered theoretically weak (like HTML entities), block a high percentage of spammers (95-100%). This is attributed to most harvesters being unsophisticated.
  • Plain Text Techniques: Methods like HTML SVG, CSS display: none (with decoy tags), JS concatenation, various JS conversion/encryption methods (Rot18, custom conversion, AES encryption), and JS user interaction all blocked 100% of tested spammers.
  • Clickable Link Techniques: Similar high success rates were observed for techniques applied to mailto: links, including HTML entities, URL encoding, HTTP redirects, HTML SVG, and JavaScript-based obfuscations.
  • Usability vs. Protection: Several techniques, such as HTML symbol substitution, instructions, images, CSS content property, and CSS text direction, were found to severely break usability for humans, making them impractical despite high spam-blocking rates.
  • Methodology: The study employs a unique 'honeypot' approach, where each obfuscated email address is published on the site. Spammers interacting with these addresses reveal which techniques they can bypass, allowing for real-world statistical tracking. The author meticulously disables spam filtering to ensure accurate data collection.

The core observation is that while no technique is foolproof, the vast majority of email harvesters are easily defeated by even basic obfuscation. This suggests that the effort to protect email addresses online is far from futile, providing tangible benefits against automated scraping.

The Gossip

The Great Spam Debate: Obfuscation vs. Filtering

Many commenters debated the continued relevance of email obfuscation, with some arguing that modern spam filters (including those from major providers like Apple or self-hosted LLM-powered solutions) render on-site obfuscation unnecessary, especially given that data breaches are a primary source of spam. Conversely, others shared anecdotal success with even simple obfuscation methods, echoing the article's finding that these techniques still deter most basic harvesters, reinforcing that direct scraping remains a threat for publicly displayed emails.

Usability Quandaries and Accessibility Compromises

A recurring theme was the trade-off between email protection and user experience. Commenters highlighted how some obfuscation methods (e.g., those preventing copying, requiring manual deciphering, or breaking screen reader compatibility) severely degrade usability and accessibility. Concerns were also raised about the potential pitfalls of advanced strategies like 'plus addressing' if not managed carefully, which could lead to missed critical emails from services.

Creative Coding and Custom Cloaking

Beyond the article's tested methods, the community proposed various ingenious, technically complex solutions. These included creating 'tarpit' email addresses hidden with CSS to identify and block spammers, fetching email addresses from the server via JavaScript, converting SVG text to vectorized paths, and even using a brainf*ck interpreter in JavaScript to dynamically render the email, showcasing a hacker's spirit of inventive problem-solving.

The AI Scraper: A Future Threat?

The discussion extended to the potential impact of Large Language Models (LLMs) and advanced AI on email harvesting. Some users experimented with LLMs to de-obfuscate emails, finding success against methods not reliant on CSS or JavaScript. However, the cost-effectiveness of deploying such sophisticated AI for mass scraping was debated, with questions arising about whether future harvesters might resort to OCR or screenshot analysis to bypass current obfuscation techniques.