Cruising through my mailbox just now, I happened to glance at a piece of spam before deleting it, and did a double-take:
Here, as of a month ago when it wasn't being spammed, was the only reference (WARNING: HIDEOUS MIDI MUSIC) to that address on the Web:
var rhs = "tomorrowlands";
var tld = "org";
var lhs = "kawaii";
document.write(":" + lhs + "@" + rhs + "." + tld + "\">");
document.write(lhs + "@" + rhs + "." + tld + "<\/a>");
The problem is that, if a legitimate company like Google does apply the computing power to it, the spammers don't have to expend the effort: they merely have to crawl the Google results.
And, alarmingly, this seems to be what has started to happen.
At first I thought that the address had been either guessed or else reposted somewhere, and I ran a Google search for firstname.lastname@example.org in order to explore this. The only result to pop up was my own page, and the text summary of the page read:
The source code of the Google results page shows the address bare: "<em>email@example.com</em>"
At first I couldn't believe my eyes. Was this coincidence? I went through my recently deleted e-mail and rechecked all of the spam headers.
I have a similar whitelisted-and-munged address I use only for WikkaWiki announcements, that has only been posted on my own wiki, protected similarly. It has also started receiving spam, and investigation turned up the same results. At this point the evidence is pretty damning.
The first spam I still have for kawaii was on June 8; it's likely that Google's behavior change dates from before then, and the spammers are only now beginning to take advantage of this new potential. The spam started slowly and is now up to several messages per day -- word is probably spreading amongst the bad guys.
Webmasters: Time to re-spamproof your site. A damn useful tool has just dropped out of the toolbox.
PLEASE NOTE: I have disabled the e-mail address referred to by this post. To contact me regarding this post, please write to [the first three letters of this journal name] [the dash symbol, '-'] [mail] [at-sign] tomorrowlands [dot.] org, or leave a comment below.
UPDATE: Two pieces of additional information I'd like to pull out from comments:
1. Even though the sample search I provided was for the compromised e-mail address, the spammer does NOT need to previously know your e-mail address in order to Google it. They just have to search for things shaped like e-mail addresses and skim the cream of the results. [*]
2. There is anecdotal evidence that pages which pull their decode function from a separate .js file have not been broken. (Yet.)
UPDATE 2: Welcome to /. readers! More discussion in the Slashdot thread.