Alan,

You are right, and I had started to give this a lot of thought, until I thought: “Forget it! You’re dreaming! Get the first version out, and then solve this problem in the unlikely case that it turns out to be terribly popular.”

In that initial period before I came to my senses, I realised that there are a number of solutions that can be used.

One is to add customisation – in fact, the plug-in already has the ability to customise the NOSCRIPT part of the included HTML. They can have different obfuscations to their email address included here (e.g. adding “NOSPAM” or “REMOVETHIS” or replacing the @ sign with “#AT#” or “@@@” etc.)

Another, is to make each release of the software slightly different, so the spammers will have to play catch up. As you suggest, a similar approach is to create a grab-bag of different solutions, mixed randomly together.

I currently favour a solution that requires the obfuscation to be decoded with a computationally-intensive algorithm. Having a user wait for a few seconds of seconds of computation to crack an email address would probably be acceptable to genuine readers, but not to spammers who have tens of thousands of pages to visit, especially if there were honeypot email addresses littered around each page, in places real users wouldn’t notice or mouseover.

If EmailShroud proves poopular enough for this to be a concern, I will look into how much of JavaScript would be required to implement such a solution. In the meantime, EmailShroud is a bit like a steering wheel lock; defeatable, but not worth the bother while there are other unprotected candidates to steal.

It is important that a more secure solution be produced before the spammers get their improved scripts sorted out. Once the system is cracked the first time, the email addresses harvested are permanently known, and are likely to be sold to others.

Cheery thought for the day: this plugin will only be 100% effective so long as it is not widely used. If every WordPress user picks it up, it will be protecting enough high-quality addresses that it will be worth some email database vendor’s time and effort to crack the protection.

On the other hand, a small amount of protection goes a long way, as most harvesters would prefer to winnow the massive amounts of chaff laying around the ‘net for easier pickings. It would also be possible for the plugin to use a variety of mechanisms and forms for shrouding, making it less cost effective for harvesters to crack.