I’ve been thinking about email obfuscation, mainly because we had a meeting about it at work. My initial thoughts are: “Is it effective?”, “Is it worth it?” and “How long will it last?”
Is it effective?
Somewhat. Obfuscation’s effectiveness seems to rest largely on what method you use. Simple schemes have already been broken. For the big companies with large pay-offs (large amounts of farm-able addresses/data), sophisticated obfuscation/anti-spam methods have also been broken.
It’s hard to find credible statistics from big organisations. One reason might be that organisations using email obfuscation successfully are often (sensibly) keeping their statistics and implementations close to their chests, lest it become not-so-successful. Another reason is that there is no (or not many) mainstream way(s) to do email obfuscation, no product to buy from big vendor X with the supplier/support contract. If you can find some good statistics from big companies please comment and let me know, I’d like to compile some more information.
Obfuscation can only really be effective when every mention of an email address is obfuscated. At a University there is going to be a percentage of users who will publish their email addresses far and wide on research proposals, results, journal articles, at conferences and committees, and who will usually also be the people who make the most noise and/or make the decisions. These people are largely satisfied with mail filtering and do not see a problem with a couple of spam messages every few days.
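One way to check that coverage on your own site, as an added example that is not part of the original post: the script below audits pages you publish for addresses in your mail domain and reports how each one is exposed. The domain `example.edu`, the page paths and the people are constructed placeholders, and the three exposure labels are this example's own.

```python
import re
from html.parser import HTMLParser

DOMAIN = "example.edu"  # assumption: placeholder for the organisation's mail domain
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@" + re.escape(DOMAIN), re.IGNORECASE)

# Constructed sample pages (hypothetical paths and people), not real data.
SAMPLE_PAGES = {
    "/staff/a.html": '<p>Contact <a href="mailto:jane.citizen@example.edu">Jane</a></p>',
    "/staff/b.html": "<p>john&#46;smith&#64;example&#46;edu</p>",
    "/papers/c.html": "<p>Corresponding author: alice.jones@example.edu</p>",
    "/staff/d.html": "<p>Use the contact form to reach this person.</p>",
}


class _Collector(HTMLParser):
    """Collects text and href values; HTMLParser decodes character references."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def audit_page(raw_html):
    """Return {address: sorted exposure kinds} for one page."""
    found = {}
    raw_hits = {a.lower() for a in ADDRESS.findall(raw_html)}  # readable in source as-is
    parser = _Collector()
    parser.feed(raw_html)
    parser.close()
    for href in parser.hrefs:
        for addr in ADDRESS.findall(href):
            found.setdefault(addr.lower(), set()).add("link")
    for addr in ADDRESS.findall(" ".join(parser.text)):
        kind = "plaintext" if addr.lower() in raw_hits else "entity-encoded"
        found.setdefault(addr.lower(), set()).add(kind)
    return {a: sorted(k) for a, k in found.items()}


def audit_site(pages):
    """Map each page path to its exposed addresses, omitting clean pages."""
    report = {path: audit_page(body) for path, body in pages.items()}
    return {path: hits for path, hits in report.items() if hits}
```

An address reported as `entity-encoded` is one that any standard HTML parser recovers without special effort, so it counts as exposed for the purposes of the audit.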
There are also many ways to gain email addresses. LDAP is a popular choice, and we maintain an LDAP interface to our contact directory which is fairly publicly available (with a web interface). Spammers can easily harvest from these directories. We also have a fairly easily identifiable email address scheme: firstname.lastname@uwa.edu.au. We also publish a DNS address for every user who has dialin/VPN access, although I won’t make those details public here.
What it comes down to is this: mechanically contrived obfuscation methods can always be broken. What you’re trying to do is add weight to the cost side of the Spammers’ cost-benefit analysis. With cheap labour and increasingly powerful, increasingly cheap computers, breaking obfuscation is becoming cheaper. The balance is tricky.
Is it worth it?
With filtering solutions like Kaspersky Anti-Spam, Barracuda Spam Firewall, Mirapoint RazerGate and IronPort providing a great deal of protection against spam (depending on how many false positives you want), the cost-benefit becomes dubious. For a fixed sum of money these vendors provide a good, proven solution, plus will continue to fight the spam war for you, and be 80-99% effective.
For the same cost again (or more) you can also battle spam internally using obfuscation and cover maybe 50% of that remaining 1-20%. There is no mainstream solution, no vendor to adapt the algorithms, and no simple way to implement it.
A good argument is that phishing can also be blocked using these techniques. The counter-argument is that phishing will always exist and we will always combat it the way we do now, because you cannot guarantee that there are no phishing emails arriving in users’ mailboxes, and users have a wonderful aptitude for replying to them.
There is basically the same argument for malware distributed by email.
How long will it last?
As mentioned above, the cost for Spammers to get an email into your mailbox is always coming down. Faster, cheaper computers, cheap labour, talent persuaded by money, and greater and greater returns keep them going. If your institution or organisation is large enough, obfuscation methods will be broken just as quickly as you change them. It is an arms race.
Conclusions
There is more to this topic, and I hope to promote discussion, but I’m done for today.
I will be setting up a honey pot to test some obfuscation techniques. The figures will be highly synthetic because there is no incentive for Spammers to actively break the techniques, but at least they will provide some more data.
I think my point of view is clear: I don’t think it’s worth it. I don’t doubt that obfuscation can be effective: it can. I just don’t think the cost-benefit weighs in obfuscation’s favour. Buy more IronPorts! Disclaimer: not an IronPort employee. :-P