Would 'spam' mail really avoid eavesdropping?

It would help if you elaborated on if you are defending from a targeted attack or just being cautious, and what vector the potential adversary would be using to eavesdrop.

That being said, the method you are referring to is called 'security through obscurity', and is

"… discouraged and not recommended by standards bodies."

I would say that is putting it nicely. Security through obscurity is very BAD (on its own).

Try watching this video from Def Con 21, told from the perspective of forensic investigators. They show several examples of why security through obscurity is a bad idea. You can also get an understanding of the capabilities of the tools used by forensic investigators.


The problem with this technique (with any kind of steganography, actually) is that it relies on security through obscurity.

An eavesdropper who is aware of spammimic.com could easily train their surveillance system to recognize patterns which are typical for messages generated by spammimic, log them and extract their hidden payload.

By the way: Using the word "encryption" in this context is technically inaccurate. An encryption always requires a secret key. When no key is required to "decrypt" the message, like in this case, the correct terms are encoding and decoding. A message which is encoded but not encrypted is not secure against eavesdropping because an attacker only needs to know the algorithm.

Spammimic also offers a variant which requires a password, which adds an encryption layer to the encoding layer. Were the encryption algorithm a strong one, this would potentially allow confidential communication, but they admit that it is a very weak encryption not fit for serious use.

Conclusion: Spammimic.com is an entertaining toy, but nothing you should use for any serious confidential communication unless you encrypt your payload with a serious encryption algorithm before encoding it.
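The two points above, that a keyless encoding is readable by anyone who knows the algorithm and that a filter aware of the tool can recognise its output, can be shown with a small stand-in. This is an added example, not code from the answer or from spammimic.com; the four-sentence codebook is a constructed, hypothetical grammar (the real tool uses a much larger one), and the detector is a simple heuristic a mail filter could apply.

```python
import re

# Constructed, hypothetical codebook: each 2-bit value maps to one spam-like sentence.
# A real tool uses a far larger grammar, but the security properties are the same.
CODEBOOK = [
    "Dear Friend, this is a one time mailing!",
    "You will be amazed at the results of our offer.",
    "Act now, this opportunity will not last.",
    "We are not spam, please read carefully.",
]
LOOKUP = {sentence: value for value, sentence in enumerate(CODEBOOK)}


def encode(payload: bytes) -> str:
    """Keyless encoding: every byte becomes four codebook sentences (2 bits each)."""
    sentences = []
    for b in payload:
        for shift in (6, 4, 2, 0):
            sentences.append(CODEBOOK[(b >> shift) & 0b11])
    return " ".join(sentences)


def split_sentences(text: str) -> list:
    """Split on whitespace that follows sentence-ending punctuation."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def decode(text: str) -> bytes:
    """Anyone holding the codebook recovers the payload; no secret key is involved."""
    values = [LOOKUP[s] for s in split_sentences(text)]
    out = bytearray()
    for i in range(0, len(values) - len(values) % 4, 4):
        out.append((values[i] << 6) | (values[i + 1] << 4)
                   | (values[i + 2] << 2) | values[i + 3])
    return bytes(out)


def codebook_ratio(text: str) -> float:
    """Detection heuristic: fraction of sentences that are verbatim codebook entries."""
    sentences = split_sentences(text)
    if not sentences:
        return 0.0
    return sum(1 for s in sentences if s in LOOKUP) / len(sentences)


def looks_like_codebook_output(text: str, threshold: float = 0.9) -> bool:
    """A filter aware of the tool flags mail made almost entirely of codebook sentences."""
    return codebook_ratio(text) >= threshold
```

Adding a password layer on top only helps if the cipher underneath is strong; the encoding itself contributes no secrecy, only a recognisable pattern.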


Using steganography instead of encryption is a rather bad idea, especially when the tool used is freely available. Anybody could use it to uncover the message.

However, simple encryption has a shortcoming when compared to steganography: Encrypted messages are usually identifiable as such, so while nobody knows what you send somebody, there is a proof you sent something.

If both confidentiality and deniability are desired, you can combine both approaches. Use a strong algorithm to encrypt the message, then conceal the ciphertext somehow. Ideally, this should be done by some software performing both tasks, since a PGP header encoded in what superficially looks like spam will cost you deniability if discovered.

In order for your message to get through, it would have to be sufficiently not like spam in order not to be deleted outright. Assuming you send it from your own account, headers etc. will be intact, and isn't this the first thing that spam filters check?

Of course, if you have a GMail account, you might not have the ability to decide which mails get rejected by their SMTP server. However, if you manage your own mail server, it's just a matter of configuration.