Because their regex is crap and if you have @twitterHandle or something with a legitimate "@" you just see the obfuscated version.

It's laughably adorable to think it's actually solving a problem or helping in any way, the 'bad actors' it's trying to prevent probably have a work around anyway.

> It's laughably adorable to think it's actually solving a problem or helping in any way, the 'bad actors' it's trying to prevent probably have a work around anyway.

They do—changing your user agent is trivial.

Why would I want to send an incorrect user agent? There's no point having one if it's just going to lie anyway.

I agree. I wish browsers would just stop sending a user agent string entirely. I don't think that I've sent an honest one in over a decade.

Most of these protections are easy to work around, and people do just that, but that isn't the product cloudflare is selling.

To the target market, who have a spam issue, cloudflares protection sounds great, and by the time they've set it up, they won't switch CDN's just because it isn't effective enough.

The problem is therefore spam bots abusing the email system.

Yes, and Cloudflare provides a fairly reasonable solution to this problem. Or, at least, it seems reasonable in the eyes of someone like me who never had to work on something that attempts to solve this problem, so there might be some serious caveats, but I am not aware of those. If someone with more domain knowledge can chime in on this, that would be appreciated as well.

Caveats:

Won't protect against scrapers that execute JS (like ones based on headless browsers -- This includes some modern search engines!)

Won't protect against anyone who takes some time to read their 80-some lines of minified "obfuscated"* JavaScript and hook up a simple text transform to their crawler of choice.

So basically it'll only protect against truly trivial scrapers, but not against anyone who wants to get at it and knows basic JavaScript. You could probably get about the same effectiveness by dividing the email amongst multiple <pre> tags...

*"obfuscated" in quotes because it just means whoever wrote it threw in a trivial to bypass XOR, some number character conversions, and for good measure had the JavaScript remove it's own script tag from the DOM after executing...

What you're missing is that this is effort by the botter. Headless costs more, writing another step in the scraping process and de-obfuscating seems reasonable but again: That is effort by the botter.

If a botter really wants to it's easy to get emails scraped. But they don't care. The demographic of people having obfuscated emails on their page via Cloudflare (since you probably don't know every obfuscation solution out there you target the big ones) is also the demographic with a good spam filter (or just using Gmail).

Botters don't care about everything small. If you're bigger you do get better ones who probably specifically target you and then you have more problems then just having your email stolen.

The 99% solution from Cloudflare is complex enough to not get botted by shitty wannabe hackers.

CloudFlare's solution is to tack on more work.

A better solution would be to change the email system to hinder abuse.

Ok, so fix the email system, and then Cloudflare can remove the bandaid. Maybe fixing the email system is actually way more complex? Just a wild guess.