What is content obfuscation in spam?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you're a spam filter, and your whole job is reading email text to spot suspicious patterns. A spammer writes "v1agra" instead of "viagra" and suddenly your keyword match fails. That's content obfuscation in a nutshell. It's any trick that makes a spam filter misread what the email actually says.

Spammers have invented a surprising number of ways to do this. Character substitution swaps letters for numbers or symbols ("pr0duct", "f.r.e.e"). Homoglyph attacks replace a regular letter with a visually identical character from a different alphabet, so what looks like an "a" to your eye is actually a Cyrillic "а" to the filter. Image-only emails put all the offer text inside a picture, leaving the HTML nearly empty so keyword filters find nothing to flag.

HTML adds even more tricks to the toolbox. Invisible text (white text on a white background, or text sized at zero) gets inserted between real words to break up patterns the filter would otherwise catch. CSS can hide blocks of filler content from the human reader while the filter still sees it. Variable fonts and color tricks create visual words that the underlying markup never actually spells out.

Here's the ironic part, though. Modern spam filters are wise to all of this. OCR scanning reads text inside images. Rendering engines actually display the email the same way a browser would, so invisible text tricks get spotted. And machine learning has learned to treat obfuscation itself as a red flag. A sender who writes "fr3e" instead of "free" isn't just using a weird word. They're announcing they have something to hide.

For legitimate senders, this matters in a subtle way. Overly creative formatting, unusual characters, or hiding content with CSS can accidentally trigger the same signals these filters are trained to catch. Keep your email code clean and your text readable, and you won't look like you're trying to trick anyone (because you're not).

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my email for accidental obfuscation signals

Based on my email setup and sending habits, can you tell me which content obfuscation signals I might be accidentally triggering? Please review the following details about my emails and flag anything that could look suspicious to a spam filter.

Edit the yellow boxes, then send to the AI of your choice.