A few months ago, I did the unthinkable: I posted my email address on the internet.
In fact, I did it multiple times, tweeting multiple email addresses, from different domains (one was even gmail!).
I included the @ symbol, the period, and the rest, so in order to email me, you’d simply need to copy and paste. If the common wisdom of the internet is to be trusted, I should have received a deluge of spam into these newly created inboxes after the spambots crawled past these email addresses.
I turned off spam filtering and waited.
Four months have passed and I have received exactly three pieces of spam to the unobscured addresses I posted on Twitter. (I would share those tweets with you but I want to continue this experiment a little longer.)
One was a solicitation to buy Twitter followers, and two were phishing attempts (written in Italian) purporting to be from an Italian credit card issuer. That’s it. All three were labeled as suspicious by my email client.
Strangely, it appears one of the email addresses wound up in the contacts list of a Moroccan man who then invited all of his contacts to join him on Facebook, Twitter, and Linkedin. That address received a dozen or so emails from those services pestering me to join and reminding me of the invitation. Although unwanted, these emails are legitimate. They were not phishing attempts nor another type of malicious attack, even though they were persistent, and in French. One of them read: “Oubaha wants to join your network on LinkedIn. What would you like to answer?”
The suggestion to mask or obscure email addresses to avoid spam has been around for more than a decade. References to replacing the @ with (at) or .com with (dot) com to reduce spam can be found on online message boards and archives dating back to the 1990s. The US Federal Trade Commission even studied the effect of posting email addresses to the internet (pdf) in various ways in 2005. The FTC study found that masking an email address only reduces the amount of spam, it doesn’t prevent it. That is to say, obscuring your email address doesn’t prevent spam, yet the tactic persists.
But there are two realities here. The first is that spammers do not appear to be massively harvesting Twitter for email addresses. (If they are, they’re not using the addresses they collect to send a lot of spam.)
The second is that parsing out an email address from one of the many obscuring formulations is just as easy for software as it is for humans. You think a computer can’t be programmed to realize what “[at] gmail [dot] com” means? You’re wrong.
Stop playing games and save everyone the hassle. If you need to give out your email address in public over the internet, just post it there. If you still think you’ll be spammed, reduce your risk by deleting the post once you know the recipient got the address. (Receiving an email from them is a good indication.)
Presumably, your email provider has good spam recognition as a last line of defense—tactics which catch 99.5% of spam with 0.0% false positives have been around for more than a decade. At that rate, when I turn my spam filter back on I should expect spam from putting my email address on Twitter to reach my inbox once every 22 years. I’m willing to take that risk.