Craig Burton’s blog is on my blogroll. Yesterday I wanted to comment on a recent post of him about Onfolio and Firefox. The form asked me to insert my email address. Thanks to the amount of spam I receive I have become very reluctant to enter my address. Sites just have no clue about how to deal with them. There are numerous sites posting entire mail archives with no obfuscation whatsoever to protect email addresses. On Craig’s site, I pasted my XRI contact service url (http://xri.net/=bavo.de.ridder) which would allow both Craig and his readers to contact me.

Sadly enough, the form came back to me, telling me that I should enter a real address. Hmmm, so I had to give my address. Knowing Craig’s reputation I assumed to following:

1. Craig uses the email address to confirm a real person was posting and I would probably get a confirmation mail I had to respond to before my comment would be published.
2. Craig would then be smart enough not to publish my email address or at least obfuscate it enough to keep it safe from spammers.

Feeling slightly more comfortable, I entered my real address and hit submit. A few seconds later (actually a lot of seconds later, his site must be on a 32kbps line), the post was submitted. I went to my mail reader to hit “get mail” but nothing had arrived yet. Going back to Craig’s site I discovered that:

1. The comment was submitted and showed my email address in both the source and the rendered version (so not even basic javascript hiding).
2. I did not receive a confirmation mail.

I mailed Craig to ask him to remove my address from the site. His mail address is available on his site, obfuscated as “gcraigburton [at] Yahoo [dot] com”. Nice. Obfuscation for his address but al his commenters are exposed.

I am very tempted to include Craig’s mail address, not obfuscated, but I will refrain. Craig’s obfuscation of his own address is weak enough, spammers probably already got it.