It finally happened: a spambot defeated my super simple email obfuscation. I've been using a simple JavaScript function to encode my email address for a month. It's not bot-proof; a bot that renders the page and performs interactions can get past it, but requiring a full render and an interaction makes harvesting far more costly.

Here's the email that defeated my spam protection:

Hi Greggant Team,

I trust this message finds you in good spirits. Your finance platform stood out to me – your content is both informative and engaging.

Given our mutual interest in finance, I believe there's potential for collaboration between our platforms. Would you be interested in discussing this further?

Looking forward to your response.

-- Sara Evans
Creative Writer
itsevanssaraaaaa@gmail.com

These emails are nothing new to anyone who runs a blog, usually some sort of backlinking scheme or scam to improve SEO. Obviously, this is pretty low effort as my blog is not related to finance in any way. It's a spray-and-pray approach. It must sometimes work as I used to get several a week, and it's been happening for years.

My stupid solution

I've added a simple question to the contact page. It's a simple math problem that requires a human to solve, adding up 3 + 5.

That's it! Well... actually, it's a little more complicated. I'm using crypto-js to obfuscate the email to make it more costly for a would-be spammer. The logic of my code looks like the following:

    // crypto-js is loaded by a <script> tag on the page. The key and the
    // ciphertext sit in the page source too; the values here are placeholders.
    // The ciphertext was produced ahead of time with CryptoJS.AES.encrypt(email, key).
    const secretKey = "<KEY_FROM_PAGE_SOURCE>";
    const encryptedEmail = "<CIPHERTEXT_FROM_PAGE_SOURCE>";

    // Decrypt the AES ciphertext back to the plaintext address
    function decryptEmail(encryptedEmail, key) {
        const bytes = CryptoJS.AES.decrypt(encryptedEmail, key);
        return bytes.toString(CryptoJS.enc.Utf8);
    }

    // Prompt the user with a challenge; nothing is decrypted until it is answered
    const userAnswer = prompt("To reveal the email, please solve: 3 + 5");
    if (userAnswer === "8") {
        const decryptedEmail = decryptEmail(encryptedEmail, secretKey);
        const emailElement = document.getElementById("email");
        // Fill in the mailto link and make it visible
        emailElement.href = "mailto:" + decryptedEmail;
        emailElement.textContent = decryptedEmail;
        emailElement.classList.remove("not-active");
    } else {
        alert("Incorrect answer. Please try again.");
    }

The hilarious part is I have the key and encrypted email in the source code. It's not secure, but it's not meant to be. It's meant to be a barrier that requires a human to interact, or at least a bot to load the entire DOM, including crypto-js. From my observation, this has been more effective than using reCAPTCHA.

The basic principle of rolling your own email obfuscation is to make it require a sophisticated bot that consumes resources, a kind of proof-of-work. It's trivial for a single user but costly for a macro operation. The issue with popular off-the-shelf solutions is that they can be specifically targeted. This isn't a forever solution, as eventually the bots will improve and the cost will fall further, but I imagine this will be a workable solution for quite some time.