Slashdot Mirror


How are You Preventing Mailto-Link Harvesting?

mixwhit asks: "In our ever increasing effort against spam, we are now considering replacing all mailto: links on our website with something unharvestable (i.e. 'user (at) address', javascript mailto links, character entity evasion, etc.). Obviously this won't stop the spam, but it seems prudent to stop the harvesting so that the spam may slow down someday (year 2024 maybe?). What are others doing with this issue? We would prefer to preserve mailto link clickability, but also only want to make this adjustment once." One suggestion I would make is to put your email address in an image. People can read it, but harvesters won't be able to harvest it (unless they download the image for OCR), but any barrier you can place in front of the spammer, without blocking people honestly interested in communicating with you, is probably a good thing.

229 comments

  1. Plug by phlyingpenguin · · Score: 1

    See signature for a form mailer that uses mysql to lookup email addresses based on english names :)

    1. Re:Plug by greenhide · · Score: 2, Informative

      Hey, guess what.

      I was able to use your form to send myself spam!

      That's right.

      I entered my e-mail address, a from address, and the mail went through.

      Essentially, your web page is providing the equivalent of an open relay.

      You need to remove the "mailto" field, as that allows the form to be used to send out an address to anybody. Once that's gone, your form should be secure again.

      --
      Karma: Chevy Kavalierma.
    2. Re:Plug by phlyingpenguin · · Score: 1

      You didn't look at the functionality. The email you used is a backup, an optional form field. I saw your message go through the system (it sends an admin copy). The primary function looks up the regular names used in the form field f2name, which is linked to the admin's list of names.

  2. Mail form by NaDrew · · Score: 4, Insightful

    Just use a mail form instead of mailto: links. Once you reply to feedback mail, the sender has your address and you can correspond normally. Meanwhile, evil spambots can't harvest an address that isn't shown anywhere.

    --
    Vista:XPSP2::ME:98SE
    1. Re:Mail form by larry+bagina · · Score: 1

      just make sure your mail form is nice and secure... unless you like spammers violating it like CmdrTaco's ass in prison :(

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:Mail form by jpsowin · · Score: 1, Redundant

      I agree with this in concept (if it is implemented correctly), as long as people understand that FormMail is one of the biggest exploits of spammers out there. They just use the form to use your server to send their emails. Don't believe me? Check any server log. ;)

    3. Re:Mail form by skookum · · Score: 3, Informative

      That is only the case if you are running an ancient, brain dead copy of the original (Matt's Script Archive) formmail.pl. But you'd be a retard for doing that and deserve everything you get. Modern formmail scripts do not allow spam through.

    4. Re:Mail form by innosent · · Score: 2, Interesting

      I agree 100%. Either use something like formmail.pl, or write your own custom CGI program to handle emails. It is trivial to write a mail form, and users who wish to contact you will be at your website anyways, so why make them read the address and fire up their mail client? Hell, depending on your site (if you have user registrations), you could even use a database-driven email system, and eliminate spam entirely. Just let the user fill out the form, store the message in the database, and when you reply, they should be able to view messages sent to them the next time they log in to your site. You won't get spam, since you aren't using SMTP, but you still have a good (and probably better, since it is more reliable) system of communicating with your customers.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
    5. Re:Mail form by scrytch · · Score: 2, Informative

      > I agree 100%. Either use something like formmail.pl, or write your own custom CGI program to handle emails

      Ironic, that in order to stop spam to you, you would use the notoriously buggy and insecure formmail, turning your box into an open mail relay for spammers to use. Use a secure alternative (there's compatible versions, but really it's not hard to use MIME::Lite yourself). Matt has never fixed formmail to a satisfactory degree, and shows no inclination toward doing so.

      If you roll your own, it'd probably still be more secure than formmail, as long as you don't allow it to take addressing information from the outside. Hardwire the configuration into the script, and break it out into a nonreadable config file if you have to. But don't use a "flexible" form mailer unless you know you've got it nailed down.

      --
      I've finally had it: until slashdot gets article moderation, I am not coming back.
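      The "hardwire the configuration and never take addressing information from the outside" advice above, as an added example that is not from this thread or any form mailer it names. It pairs the trusting pattern greenhide found (recipient taken from a `mailto` field) with a hardened builder; `buildMessage`, `buildMessageNaive`, `FormMailError`, the recipient address and the subject prefix are this example's own, and the message object is what you would hand to a mail library such as MIME::Lite or a Node mailer.

      ```javascript
      // Added example: hardened contact-form message builder. Names and the
      // recipient address are constructed for the example, not from the thread.

      const RECIPIENT = "webmaster@example.com"; // fixed on the server, never from the form
      const SUBJECT_PREFIX = "[site contact] ";  // makes form mail easy to recognise and filter

      // Conservative address check: one local part, one dotted domain, no spaces or control chars.
      const ADDRESS_RE = /^[A-Za-z0-9.!#$%&'*+\/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

      class FormMailError extends Error {}

      function assertNoHeaderBreak(name, value) {
        // A CR or LF inside a header value lets the submitter start a new header line
        // (for example an extra Bcc:), which is how a "flexible" mailer becomes a relay.
        if (/[\r\n]/.test(value)) throw new FormMailError(`${name}: line break not allowed`);
      }

      // The trusting shape: whatever the client posts as `mailto` becomes the recipient.
      // Kept here only to contrast with the hardened version below.
      function buildMessageNaive(fields) {
        return { to: fields.mailto, from: fields.email, subject: fields.subject, body: fields.message };
      }

      // Hardened version. `fields` is the parsed form body; keys it does not know are ignored,
      // so a `mailto`, `cc` or `bcc` field in the submission has no effect at all.
      function buildMessage(fields) {
        const replyTo = String(fields.email || "").trim();
        const subject = String(fields.subject || "").trim();
        const body = String(fields.message || "");

        if (replyTo.length > 254 || !ADDRESS_RE.test(replyTo)) {
          throw new FormMailError("email: not a plausible address");
        }
        assertNoHeaderBreak("subject", subject);
        if (subject.length > 120) throw new FormMailError("subject: too long");
        if (body.trim().length === 0) throw new FormMailError("message: empty");

        return {
          to: RECIPIENT,                     // never taken from the submission
          from: RECIPIENT,                   // envelope sender is our own address
          replyTo,                           // the only header the visitor's address reaches
          subject: SUBJECT_PREFIX + subject, // user text goes after a fixed prefix
          body,                              // free text; it is not a header, so CR/LF is fine here
        };
      }
      ```
      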
    6. Re:Mail form by Anonymous Coward · · Score: 0

      >Matt has never fixed formmail to a satisfactory degree, and shows no inclination toward doing so.

      You know... you do have the source code to formmail.pl, so if you're not satisfied with what Matt is doing, you are capable of fixing it yourself and mailing him the result.

    7. Re:Mail form by Anonymous Coward · · Score: 0
      You know... you do have the source code to formmail.pl, so if you're not satisfied with what Matt is doing, you are capable of fixing it yourself and mailing him the result

      ah, the open source copout: "We write it for free, so we give it to you for free, and you do our QA for free"

      how about something that's not broken already?
    8. Re:Mail form by Black+Perl · · Score: 1

      You know... you do have the source code to formmail.pl, so if you're not satisfied with what Matt is doing, you are capable of fixing it yourself and mailing him the result.

      First of all, why reinvent the wheel when someone's done exactly that? The Not Matt's Scripts (NMS) project has rewritten all his notoriously terrible scripts to make them more robust and secure.

      Second of all, it's serious. The formmail script is on the Security Focus Top 10 attacks list. Why people keep using it is beyond me.

      -bp

      --
      bp
    9. Re:Mail form by hondo77 · · Score: 1

      The form can and will get hijacked, even if it isn't formmail.pl. I have a form on my site that includes a hidden number generated when the page is displayed. Unless that number is included when the form is submitted, it times out (it's not just a time value as it's XORed with other stuff). Even this form gets hijacked. Not as often as the old formmail.pl did but it still happens. If it can happen to a little bodybuilding site, it can happen to you.

      --
      I live ze unknown. I love ze unknown. I am ze unknown.
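      A per-render hidden form token of the kind described above, as an added example that is not hondo77's code: instead of XORing a time value with other data it uses an HMAC over the issue time, so the server can check both integrity and age without storing anything. `issueToken`, `checkToken`, the TTL and the secret value are this example's own assumptions; as the comment above notes, a bot that fetches the page and submits within the window still gets through, so this raises the cost rather than closing the door.

      ```javascript
      // Added example: stateless, expiring form token (HMAC over the issue timestamp).
      const crypto = require("crypto");

      const TOKEN_TTL_MS = 30 * 60 * 1000; // a form left open longer than 30 minutes must be reloaded

      // Lives only on the server; the value here is a constructed placeholder.
      const SERVER_SECRET = "replace-with-a-long-random-secret";

      function sign(issuedAt, secret) {
        return crypto.createHmac("sha256", secret).update(String(issuedAt)).digest("hex");
      }

      // Called when the page is rendered; the result goes into a hidden input.
      function issueToken(secret = SERVER_SECRET, now = Date.now()) {
        return `${now}.${sign(now, secret)}`;
      }

      // Called on submit. Returns null when the token is acceptable, otherwise a short reason.
      function checkToken(token, secret = SERVER_SECRET, now = Date.now(), ttl = TOKEN_TTL_MS) {
        if (typeof token !== "string") return "missing";
        const parts = token.split(".");
        if (parts.length !== 2 || !/^\d{1,16}$/.test(parts[0])) return "malformed";
        const issuedAt = Number(parts[0]);
        const expected = sign(issuedAt, secret);
        // Constant-time compare, so the MAC cannot be guessed byte by byte from response timing.
        const got = Buffer.from(parts[1], "utf8");
        const want = Buffer.from(expected, "utf8");
        if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return "bad-signature";
        if (issuedAt > now + 5000) return "from-the-future"; // small allowance for clock skew
        if (now - issuedAt > ttl) return "expired";
        return null;
      }
      ```
      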
    10. Re:Mail form by Anonymous Coward · · Score: 0

      Just let the user fill out the form, store the message in the database, and when you reply, they should be able to view messages sent to them the next time they log in to your site.

      So what you're saying is...

      In order to receive no spam, stop using email? :)

    11. Re:Mail form by innosent · · Score: 1

      Basically, yes. Which is more expensive, paying someone for the next 30 years (corporation or sysadmin) to keep spam filtering effective to 90-95%, or paying someone for a week to develop an online database-driven mail solution?

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
  3. Beware of disability advocates by bluelip · · Score: 4, Interesting

    People fighting for those who have difficulty seeing have been complaining about the sites that have a person type a number displayed in an image to verify that they're not a bot. They say it causes undue hardship on sight impaired folks. That may not be a legal fight your company would like to enter.

    I can see both sides of this. Can't say I know where to stand though.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
    1. Re:Beware of disability advocates by Anonymous Coward · · Score: 0
      Yeah, this is because to get around scripted signup bots they try to provide something that only humans can easily understand... text in an image. They don't provide ALT text, because then a bot could parse that.

      Only if you're using a text-only browser you can't see the image, and if you have a sight problem you might not be able to see it anyway. For these people it's usual to have another option where you can provide an email address and have the code emailed to you. Imagine if a government agency did this though - making it significantly easier for someone who isn't disabled - there's a human rights issue in making signup codes in images.

      (some don't even provide an alternative way of signing up).

      Form mail is the obvious choice to avoid email harvesters, but then submitting a form could be scripted too, so we're really just moving away from popular areas and hiding in the country hoping that the town folk won't find us. It's a good technique and it works, but we need somewhere else to go once the spammers bother with that.

      (and webforms still don't have a good interface to submit formatted content like most email programs do... while html email is generally bad if used sparingly it can be better to have a html link rather than an url that might get broken up over several lines).

      Actually, I thought it would be a funny project to start on SourceForge... an open source email harvester! We could all contribute patches to understand that "blah at f dot com" is "blah@f.com", peer review for evil.

    2. Re:Beware of disability advocates by BrokenHalo · · Score: 1
      These Turing tests usually munge the appearance of the characters in some way.

      In practice, you could just have a jpeg of your address in 42-point boldface Helvetica, which anybody can read if they're not totally blind, and this would be an adequate foil for the majority of bots.

    3. Re:Beware of disability advocates by glivings · · Score: 4, Insightful

      The problem with having e-mail addresses encoded in images goes beyond excluding the blind. People with text-only browsers (a la lynx), screen readers, PDAs, cell phones, etc. are all excluded.

      It's important to remember that web pages are not always rendered visually.

    4. Re:Beware of disability advocates by Crayon+Kid · · Score: 1

      To tackle text-only browsers, ASCII art could be an alternative to images.

      As for people with disabilities, you could add a wav or an mp3 pronouncing the verification code. Actual speech generation is not really needed, you could get away with slapping together little 1-letter/digit wavs to form the code, like answering machines do it.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    5. Re:Beware of disability advocates by LiquidCoooled · · Score: 1

      tell that to the ppl who build entire sites out of flash.

      On that note, would a small compiled flash element allow a visible encoded, clickable email address to be used for the majority of people?

      --
      liqbase :: faster than paper
    6. Re:Beware of disability advocates by bhtooefr · · Score: 1

      Anyone notice the "Can't see this image" links on many of the sites that use this technique? They say to e-mail them, and they'll assist you in signing up if you have errors, you're blind, etc.

    7. Re:Beware of disability advocates by mcdrewski42 · · Score: 1

      It's also important to remember that the 'alt' text should be used for all images for this specific case:

      If you're displaying an image with the word "fish" in it, why not set the ALT text to "The word in this image is four letters long and describes a sea creature. Starting with 'f', and ending in 'sh', the second letter is 'i'."

      Screen readers will read out the text, and unless the spammers get an NLP to understand your text, they'll still not get it!

      --
      /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
  4. Un-what? by devphil · · Score: 5, Informative
    replacing all mailto: links on our website with something unharvestable (i.e. 'user (at) address'

    What makes you think "user at mail dot foo dot com" is unharvestable? The web archives of all the development mailing lists at gcc.gnu.org use that scheme, and we still get spam to unique addresses used only for sending mail to those lists.

    It's a handy technique, and useful, but it's certainly not foolproof.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  5. Server side scripting by mikeswi · · Score: 2, Informative

    Any method of munging the address must still be clickable within the visitor's browser. If it is clickable, it can be harvested. Javascript and html encoding may stop most of the bots, but bots exist that can slurp the address no matter how much javascript you wrap it in.

    I use a PHP email form that never sends the address to the to client accessing it. Short of hacking the server and looking at the php script in plain text, there is no way to harvest the address. I have no need to let the public know my address. If they want to email me, use the form or use my site's message board.

    I don't want the guy getting slashdotted, so I won't link his site. If you really want the script I use (available in PHP or ASP), go to hotscripts.com and search for dbmaster's mail form.

    1. Re:Server side scripting by trompete · · Score: 1

      It's funny cause writing mail scripts is so easy with the PHP mail() function. Make sure that you hard-code the email address in the script (not as a hidden field), and you'll be set!

    2. Re:Server side scripting by Jucius+Maximus · · Score: 1
      "Any method of munging the address must still be clickable within the visitor's browser. If it is clickable, it can be harvested. Javascript and html encoding may stop most of the bots, but bots exist that can slurp the address no matter how much javascript you wrap it in."

      Check out this freeware windows program called Mailto Encrypter. It doesn't actually use encryption. Basically it uses hex codes to represent the mailto link so spambots cannot read it as plaintext.

      I have had very good success using this tool. Addresses that get put up on the company web page in the encoded format NEVER get spam unless the owner actively does something stupid.

      My true real actual e-mail address can be found on a limited number of places on the internet and it is encoded like this in every instance. I don't remember the last time I have gotten a spam message outside one of my spam accounts thanks to this tool.

    3. Re:Server side scripting by bhtooefr · · Score: 1

      If you'd rather do it through JavaScript, here's a good one: http://mail.rochester.edu/~jr007j/emailencoder/

  6. Ads by Mizery+De+Aria · · Score: 0, Offtopic

    I just clicked on the background (or so I thought), but apparently I clicked on an image http://ads.osdn.com/?ad_id=827&alloc_id=1959&site_id=1&request_id=330735&1065145900624 which was an ad. New kind of annoyance? Maybe Slashdot may want to remove such ads?

    --
    If you're religishitty, KILL YOURSELF!
    1. Re:Ads by Mizery+De+Aria · · Score: 1

      A few refreshes displayed that the ad placement is in position #6.
      Also, the link to the ad is http://ads.osdn.com/?ad_id=826&alloc_id=1958&site_id=1&request_id=9766963&op=click&page=%2farticle%2epl (in case that helps tracking this, if it's even an issue.)

      --
      If you're religishitty, KILL YOURSELF!
  7. simple js by anim8 · · Score: 5, Informative

    <script>
    <!--
    var u = "sales" ;
    var d = "example" ;
    var t = "com" ;
    var a = u + '@' + d + '.' + t ;
    document.write('<a href="mailto:'+a+'">'+a+'</a>') ;
    //-->
    </script>

    1. Re:simple js by xingdiego · · Score: 3, Interesting

      I recommend the above method plus:

      1) Randomize the variable names for u, d, t, and a
      2) Randomize the position of var XX = XX statements.

      This will reduce simple regex replacements if your site is big enough with enough emails that someone would want to create a simple reg mod to harvest it.

    2. Re:simple js by Komarosu · · Score: 1

      Ahh yes but it looks like spammers have worked around that one too. We've got a similar scheme like that on our website but still our sales address (which is only advertised on that one site using that scheme) still gets about 4-5 spams a week. Yes it's not a lot but still you can harvest it.

      --

      "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
    3. Re:simple js by bill_mcgonigle · · Score: 1

      There's a nice open source javascript engine a talented programmer could easily build into his harvester. Evaluate the document, then crawl it.

      Arms races are rarely effective.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:simple js by 91degrees · · Score: 1

      But would they? It results in a slower bulkier harvester that is more inclined to crash. Since it can't easily determine whether the result of a script is an email address until it tries executing all javascript on the page. This will leave the harvester open to traps.

    5. Re:simple js by bill_mcgonigle · · Score: 1

      It results in a slower bulkier harvester that is more inclined to crash.

      I agree it would be much slower, but the folks who sell harvesting tools are going to have to keep adding features to keep their customers coming back for upgrades. Unfortunately, the more people who protect themselves with this method, the more likely it will become part of harvesters.

      The harvester would only share the crash risk a browser does. I haven't crashed in javascript code since the Mozilla guys fixed a stack recursion bug I reported. (yay, team!)

      This will leave the harvester open to traps.

      Now, that's a good idea. :) I just can't think of any that I wouldn't just wrap a timer around. I'm sure someone will add some devious ideas. Maybe a couple dozen random e-mail addresses? Still, arms races are rarely effective.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:simple js by arkanes · · Score: 1

      If I were a spammer who was interested in doing that I'd use the IE engine as the base of my harvester, which means that anything you can click on and have work will be harvestable.

    7. Re:simple js by Anonymous Coward · · Score: 0

      Now, that's a good idea. :) I just can't think of any that I wouldn't just wrap a timer around. I'm sure someone will add some devious ideas. Maybe a couple dozen random e-mail addresses? Still, arms races are rarely effective.

      A hidden link to another page. This hidden page would contain a warning like "don't click these links, they may crash your browser" (in case a human went there by accident), and some links to bad JS. The JS could be something as simple as an infinite loop, or maybe one that generates fake email addresses (bonus points if a server-side script automatically finds the spammer's ISP and uses that domain for some addresses).

    8. Re:simple js by Diplo · · Score: 2, Interesting

      Faced with this problem I ended up writing my own email-address encoder that has proved quite popular with friends. Whilst not as sophisticated as some, it works pretty well and will generate both HTML and JavaScript links via simple web-form. Try it out at www.diplo.co.uk/encode/. (Obviously, all email addresses' entered into this are sold on :p )

  8. Hiveware's Enkoder by jpsowin · · Score: 3, Informative

    Just use this. Life is good, eh?

    1. Re:Hiveware's Enkoder by dimator · · Score: 3, Informative

      This is a really cool idea, actually. Two things though: it increases the document size a good deal, since my email address (19 characters) becomes a 1383 character string. This could really add up if you had more than one email address on the page (such as a mailing list archive). Although, in the world of broadband, that's a small price to pay.

      The other thing is, if you are using this, you'd be wise to change the string 'hiveware_enkoder' to something unique. The reason being, if spam harvesters really wanted to, they could recognize that string, and have their own javascript engine handy run the script to get at the email address hidden inside. That's a lot of work, but not entirely impossible. If the Hiveware system gains many users, it might be worthwhile for them.

      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  9. Unicode your email address by jelevy01 · · Score: 1

    Just Unicode the email addresses, not unharvestable, but it makes it slightly more difficult. No change to user functionality.

    1. Re:Unicode your email address by Alpha27 · · Score: 1

      Unicode is not supported in all browsers, especially the older ones.

  10. I use an image by Kris_J · · Score: 2, Insightful
    My personal site uses a simple image of my email address with no link. So far no spam, but the odd real email. Even if it does start getting spam, it's a Spamcop address. At work, we have a generic text-only active link as you would expect for reception. For individual emails you need to be logged onto our student/staff portal.

    Meanwhile, I'm keeping an eye out for the next technology to replace email. IM was promising about five years ago, but went to hell faster than email.

    1. Re:I use an image by Hallow · · Score: 1

      I'm guessing your image doesn't have a proper alt tag for screen readers, so that begs the question: why don't you want to receive email from blind people?

      Think before you do something like this people - first it's not section 508 compliant (if your site needs to be), and secondly it's just not nice to exclude a whole bunch of disabled people.

      Use a form instead that mails you their input - never reveals their email address, and is accessible.

    2. Re:I use an image by Alpha27 · · Score: 1

      Because it would then be a waste of my time sending them p0rn. No screen reader can interpret the pics... yet. ;=)

    3. Re:I use an image by Jucius+Maximus · · Score: 1
      "My personal site uses a simple image of my email address with no link. So far no spam, but the odd real email."

      I prefer not to do that as I like to keep my pages accessible to visually impaired people.

    4. Re:I use an image by Kris_J · · Score: 1

      My site contains stuff that's mostly visual (artwork folios, fancy case mod, link to my Lexa Doig wallpaper hosted off-site) that I doubt it matters. Anyway, I get maybe five hits a day. It's quite possible I've never had a blind person visit my site.

    5. Re:I use an image by yanestra · · Score: 1
      "My personal site uses a simple image of my email address with no link. So far no spam, but the odd real email."

      I prefer not to do that as I like to keep my pages accessible to visually impaired people.

      What about an alternative .wav file?
    6. Re:I use an image by yuri+benjamin · · Score: 1

      "My personal site uses a simple image of my email address with no link. So far no spam, but the odd real email."

      I prefer not to do that as I like to keep my pages accessible to visually impaired people.

      What about an alternative .wav file?


      I guess that would be good. Unless the user is blind and deaf.

      --
      You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
    7. Re:I use an image by Anonymous Coward · · Score: 0

      Helen Keller is dead, don't worry about that.

  11. Uhh... by babbage · · Score: 2, Informative

    Quoth the original message...

    What are others doing with this issue? We would prefer to preserve mailto link clickability, but also only want to make this adjustment once." One suggestion I would make is to put your email address in an image. People can read it, but harvesters won't be able to harvest it (unless they download the image for OCR)

    Err, doesn't this exactly not meet the given criteria? The guy wants links to be clickable. If you hide the image, you can only get as far as, say:

    <a href="mailto:foo@bar.com">
    <img src="email_addy.png">
    </a>

    But that's just as easily harvestable as it would have been if you left the visible text as the plain address. What's the point?

    It's the contents of the href attribute that need to be obscured, not the visible text (or image, or video clip, or whatever). You can't embed an image in the href text, so I don't see how this suggestion gains us anything at all.

    ---

    The suggestion I like best is to encapsulate the address as HTML entities. Currently, this is enough to fend off the average address harvesting software, though if the practice catches on, I assume that the harvesters would start to take this into account -- at which point I don't know what the solution should be...

    Barring that, it seems like the only way to provide an address will be to use literal text such as "write to us at foo at bar.com" and hope people just get it.

    Alternatively, shy away from giving out your address, and provide a form where visitors can submit comments. This could allow you to filter out some of the incoming traffic (hint, if you're going to use "off the shelf" software for this, use NMS instead of Matt Wright's ancient Formmail.PL script, it's much safer). Avoiding any publication of email addresses might piss Jakob Nielsen off, but under the circumstances I think it's probably a reasonable approach to the situation -- it's way too easy for a public address to get abused...

    1. Re:Uhh... by Webmonger · · Score: 3, Interesting

      You can't embed an image in the href text, so I don't see how this suggestion gains us anything at all.

      Actually, you can.
      data URL examples

      Sick, eh?

  12. Don't bother, it's too late by menscher · · Score: 1

    They already have your email address. They'll get your new one when you post to newsgroups, to mailing lists, when your virus-infested friends spew it around the net, and when you register software. Focus on solving the problem (by developing anti-spam software, by lobbying for laws, or by shooting spammers), rather than on trying to find new ways to hide.

    1. Re:Don't bother, it's too late by Rick+the+Red · · Score: 5, Interesting

      No kidding. Comcast gives us seven email addresses, so I set one up for each of us. My three month old gets spam, and nobody has EVER used that account (except me sending a test email when I first set it up). These scum just take a brute-force approach to generating email addresses, and don't care how many are undeliverable. They come with opt-out buttons, but all those do is confirm they found a valid address, and they never send from the same address twice, so adding them to a filter list doesn't work either. Bayesian filters on the content is the only way to go.

      --
      If all this should have a reason, we would be the last to know.
    2. Re:Don't bother, it's too late by bscott · · Score: 1

      > Bayesian filters on the content is the only way to go.

      Aren't most of the spams filled with random gibberish these days specifically targeting Bayesian filters? My Mozilla client filter was working better and better for awhile, but lately the trend has been reversing... anyhow, I disagree that it's the "only" way to go.

      I think collaborative filtering (no link, I've read about it in the past but can't be bothered to look up a good example at the moment) will become a major tool. Also, why has nobody come up with an Email client which automagically puts incoming messages from senders you haven't contacted (or who aren't in your address book) into a "suspect" folder - over and above any spam-filtration? Unless you're a webmaster, writer/columnist, or are selling something online, that'd help a lot of people I reckon.

      And who was it that had the idea of having EVERYONE reply to EVERY spam (using an automated script or plug-in or something), thus effectively DOS-ing any spammer's server...

      --
      Perfectly Normal Industries
    3. Re:Don't bother, it's too late by Rick+the+Red · · Score: 1
      effectively DOS-ing any spammer's server
      That sounds good, until you find some Microsoft security hole has allowed a spammer to use your PC to send their filth for them. This approach would only DOS another of the spammer's victims (this includes the hapless ISP who didn't know they had a spammer as a customer, and all of that ISP's legitimate customers). That's worse than the blacklist vigilantes.

      You're right, Bayesian filters are not the "only" way to go, but I think they'll prove to be the most effective in the long run. Any bets on how long we'll have to wait for Microsoft to include one in Outlook Express? Meanwhile, most folks can only hope their ISP is good at spam blocking.

      --
      If all this should have a reason, we would be the last to know.
    4. Re:Don't bother, it's too late by bscott · · Score: 1

      > sounds good, until you find some Microsoft security hole has allowed a
      > spammer to use your PC to send their filth for them

      I'm not suggesting the auto-response go to the From: field, by any means. The one authentic part of any spam has to be the "Click here to send me your money!" link (well, granted, I've received more than a couple without even so much as that...), and that's what your target is.

      Use a mega-honeypot approach - have people donate a few thousand abandoned, spam-clogged Hotmail accounts to begin with, and set up some old PCs with scripts to bang on each incoming solicitation. Next step, ask spam-fighting organizations for copies of the latest ads they've been getting - as many copies of each as possible, in fact, since many of them have unique-IDs in the links - and blast them too. Make it a distributed project, so that spammers can't block your IP ranges. And of course, figure out some legal loophole by which you can claim it's not a DOS attack - because the sender is, after all, inviting you to check out their offering...

      --
      Perfectly Normal Industries
    5. Re:Don't bother, it's too late by Mr+Z · · Score: 1
      Aren't most of the spams filled with random gibberish these days specifically targeting Bayesian filters?

      I've been collecting up spam in order to start writing my own spam filter. (I was planning on taking the Bayesian approach to the next level and using a simple Markov model instead.) One of the things I noticed is that "ham" tends to confine itself to a predictable dictionary, whereas "spam" misses the dictionary fairly often. Thus, biasing unknown tokens towards "spam" should be a fairly cheap and effective filter.

      --Joe
  13. The Goatse solution by Anonymous Coward · · Score: 0

    I put my e-mail address in the middle of a giant Goatse graphic. It's worked pretty well so far: I've gotten no e-mail.

  14. How I do it... by Pathwalker · · Score: 2, Informative

    I've been looking at a couple of different techniques over the past year or so. They are closely tied into the Roxen Webserver, and probably won't work with Caudium, or any other webserver.

    The first technique I used (described here) was a simple RXML macro, that defined a tag called <cloak>. It would check to see if the client was on a list of known robots. If the client was a robot, a graphic version of the email address would be returned. If the client looked like a normal browser, then the address would be entity encoded, and returned as a mailto link.

    Shortly after I set that up, I realized that entity encoding was pretty much useless - that if a web browser can figure out the address, so can a spam bot.

    My second attempt appears to be working well. I wrote a Roxen module called mailcloak which takes addresses, and replaces them with a graphic link to a dynamically generated form to send an email to that address.

    As an example, the code <mailcloak> maileater@ofdoom.com</mailcloak> would be replaced with a graphical version of the address maileater@ofdoom.com and a link to this page.

    It also has support for finding and cloaking bare addresses in pages, and I'll probably add support for rewriting mailto tags sometime in the next few weeks.

  15. Missing the point by jtheory · · Score: 4, Insightful

    You have to consider the trade-off of the inconvenience of your readers/customers with the amount of spam you get.

    I have a few websites with my email address all over them, in mailto links. I "mask" the email very lightly, by escaping most of the characters, and it has worked beautifully.

    Here is a webpage that will quickly convert your mailto link into a form that bots will miss.

    Could a bot be written that would be able to harvest these email messages? YES. But would it be worth the spammer's time to code it? NO, so it probably won't happen.

    Put yourself in the spammer's shoes (or slime-covered bedroom slippers). Why would you want to go to a lot of work to build a bot that will harvest the email addresses of the very people you don't want to get your spam, because they will report you to spamcop, harass your ISP, and even hack your computer and post some very unattractive pictures of you on the internet?

    No, they want the chumps, and they want to find them without needing to check every webpage for dozens of patterns.

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
    1. Re:Missing the point by zcat_NZ · · Score: 1

      Could a bot be written that would be able to harvest these email messages? YES. But would it be worth the spammer's time to code it? NO, so it probably won't happen.

      You wish.

      Just like the mailing list archives that cloak everyone's address "foo AT bar DOT baz". They don't get harvested quite as frequently by the regular web-crawling bots but they DO still get harvested, because someone notices that they can get a few hundred email addresses from that archive with a fairly small amount of programming.

      As soon as any reasonable number of people start using the same scheme (and particularly if it's a mailto: designed to still be machine-readable) someone will take the time to harvest that kind of obfuscated address. It's just a matter of the cost/benefit ratio being high enough to make it worthwhile.

      --
      455fe10422ca29c4933f95052b792ab2
    2. Re:Missing the point by Anonymous Coward · · Score: 0

      > Why would you want to go to a lot of work to build a bot that will harvest the email addresses of the very people you don't want to get your spam

      Because a "verified" address can be sold for profit? ... Especially to a sucker in your Make Money Fast With Spam pyramid scheme.

      You have to understand that the 'product' isn't penis pills or diplomas -- it's the spam itself. That's why Spam will continue to grow exponentially while the number of respondents declines.

    3. Re:Missing the point by eugene+ts+wong · · Score: 2, Interesting
      You wish.

      Just like the mailing list archives that cloak everyone's address "foo AT bar DOT baz".
      I think that a partial solution is to speak about email addresses in a more casual form. For example, if my email address is foo@bar.biz.baz then I should tell people that they can contact me @ foo @ bar biz baz. You should have noticed 2 things.

      Notice that there is no word, "dot", in there? That's because most people should already be able to figure it out on their own. If they can't then they shouldn't be using your time.

      Also, did you notice that I used, "@", twice? That's because I use it as a part of my regular vocabulary. It consists of the same number of keystrokes, yet I end up filling the Internet with more "@" symbols, thus making it harder to find the real addresses.

      Spammers could try to figure out what is an email address by searching for the top level domain names, but I'm sure that that will be harder to find as people begin to smarten up & start using much more casual domain names. Maybe they'll use the regular domain names & split it up into 2 sentences. For example, "You can contact me @ my work email address. The user name is blahblah. The company name is bizbaz.". From there, it shouldn't be too hard to figure out.

      I hope that helps someone.
    4. Re:Missing the point by An+Anonymous+Hero · · Score: 3, Funny
      Here is a webpage that will quickly convert your mailto link into a form that bots will miss.
      You know, there is a concept here. "STOP SPAM FOREVER IN TWO EASY STEPS:
      • enter your email address HERE
      • click OK!
      This is the BEST, FOOLPROOF way to NOT GIVE YOUR ADDRESS AWAY!!"
    5. Re:Missing the point by Anonymous Coward · · Score: 0

      "Could a bot be written that would be able to harvest these email messages? YES. But would it be worth the spammer's time to code it? NO, so it probably won't happen."

      My website uses this form for my email address, a bot came along and sent mail to the spamtrap address (on every page) AND to the encoded address on my contact page.

      (A/C - my password is at home...)

    6. Re:Missing the point by ncc74656 · · Score: 1
      You know, there is a concept here. "STOP SPAM FOREVER IN TWO EASY STEPS:

      1. enter your email address HERE
      2. click OK!

      This is the BEST, FOOLPROOF way to NOT GIVE YOUR ADDRESS AWAY!!"

      FWIW, I've not had any spam show up as a result of using an online email-address obfuscator. That said, I went ahead and threw together a little program when I had a bunch of addresses to munge:

      #include <stdio.h>
      #include <string.h>

      /* Print each argument as a run of decimal HTML entities, e.g. "a" -> "&#97;" */
      int main (int argc, char **argv)
      {
          int i;
          size_t j;

          for (i=1; i<argc; i++)
          {
              /* cast to unsigned char so bytes above 127 don't print as negative numbers */
              for (j=0; j<strlen(argv[i]); j++) printf("&#%d;",(unsigned char)argv[i][j]);
              printf("\n");
          }
          return 0;
      }
      --
      20 January 2017: the End of an Error.
    7. Re:Missing the point by metamatic · · Score: 1
      Put yourself in the spammer's shoes (or slime-covered bedroom slippers). Why would you want to go to a lot of work to build a bot that will harvest the email addresses of the very people you don't want to get your spam

      Uh, are we talking about the same spammers who put a great deal of effort into trying to bypass my SpamAssassin filters?

      Yes, since the few who make it past get immediately reported, it's hard to see why they put in the effort. Nevertheless, they do.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    8. Re:Missing the point by drpentode · · Score: 1
      I administered a site where every e-mail address was encoded with &#64; for the @ symbol, both in the tag code and in the displayed text. I didn't get a single bit of spam.
    9. Re:Missing the point by AShocka · · Score: 1

      We were using this technique at csu.edu.au back in 97. I suggested it again on a mailing list recently and most of the knowledgeable users on it all said that most spam bots harvest this character set as a normal course of action now.

    10. Re:Missing the point by AShocka · · Score: 1

      Oh, I should add, I saw a guy with a site a long time ago (can't remember the site). He had dummy mailtos on his site with an explicit message that they were there to identify spam bots. His main address was deciphered from a simple sentence. He stated on his site that he was easily able to sort out who were the spam bot harvesters. This was back half a decade ago too.

    11. Re:Missing the point by bobbozzo · · Score: 1
      Simply changing the @'s to "& # 64;" (without the spaces; stupid slashcode) will also do the trick without having to code the whole email address. You can do it on the href and the text and it will still be clickable.

      I've been doing this for a while, with a "spamtrap" on a busy site with some obfuscated address to test their effectiveness.

      Unfortunately, yesterday, for the first time, I got 1 spam to each of the 2 addresses that were obfuscated this way. This tells me that spammers are starting to decode this encoding.
      I doubt that encoding the entire address would be any more effective.

      Also, you have to be careful with this as some editors (GoLive cough cough) will decode it and save it as plaintext again, ruining your obfuscation.

      --
      Nothing to see here; Move along.
  16. it works like this by metalhed77 · · Score: 1

    Or maybe you could have a non-clickable email link that is just an image. I believe that is what the poster was referring to. Or if you really wanted to have it clickable, have it look like this:

    <a href="wewillnevergethere.html" onclick="alert('myreal' + 'addy@site.com'); return false;">
    <img src="pictureofemailaddy.png" />
    </a>

    See, it works. Note, it is important to concatenate the email address as I'm willing to bet mailto harvesters don't parse it out as being javascript. The extra obfuscation is necessary. (apologies for any javascript mistakes, I suck at javascript).

    --
    Photos.
    1. Re:it works like this by FrenZon · · Score: 3, Interesting

      Alternatively, to keep it transparently usable by end-users, you can just do like this:

      <a href="false@false.com" onmouseover="var a = 'in.com'; this.href = 'real@doma'+a;">email me</a>.

    2. Re:it works like this by FrenZon · · Score: 1

      In a flash of brilliance, I left out the mailto: .. but you get the idea.

    3. Re:it works like this by Anonymous Coward · · Score: 0

      I guess you're willing to make the sacrifice, but to those who don't realize the drawbacks of this method: Only users with a Javascript enabled graphical browser will be able to email you. That means no blind people and no IE-surfers who have 'temporarily' disabled Javascript to avoid the security hole du jour. The latter may read the image, if you choose to replace 'email me' with one, but people with disabilities which force them to use a textual browser get nothing.

    4. Re:it works like this by FrenZon · · Score: 1
      Only users with a Javascript enabled graphical browser will be able to email you.
      If this is the case, you may put a notification and workaround instructions in the title attribute for the link, which most text browsers should pick up.
    5. Re:it works like this by Anonymous Coward · · Score: 0

      That would be the "alt" attribute.

    6. Re:it works like this by FrenZon · · Score: 1
      That would be the "alt" attribute.
      No, it would be the 'title' attribute - 'alt' applies to images, forms or applets. 'title' applies to things like links, which are what we were talking about.
    7. Re:it works like this by Anonymous Coward · · Score: 0

      It should be obvious from the linked description and the name of the attributes, but if you think a title tag is the right one, go ahead and see where the enclosed text shows up. The alt attribute is an "alt"ernative for browsers which can't render an image. The equivalent for scripts is the "noscript" element. There is no such thing for links because every webbrowser needs to be able to follow links. Your link breaks because it uses scripting (and most likely images), so use "noscript" (or "alt").

    8. Re:it works like this by Anonymous Coward · · Score: 0

      Make that title _attribute_.

  17. Not to give myself away by Anonymous Coward · · Score: 1, Informative

    But I use a combination of things:

    1. Images for the email text using php and some caching
    2. ROT13 for the text to make the images (so the parts of the email address aren't as easily visible).
    3. A mailto redirect, rather than a mailto: url. The redirect goes to the mailto:, and works fine in most clients, except it leaves users with a blank page (which they can easily go back from).
    4. I leave "honeypot" email addresses on every page marked with the IP address and the time the page was viewed. Makes tracking down harvesters easier, and gives me guaranteed spam for filters/spamcop/etc. I also use a secondary domain which I don't use for any regular email, so I can always drop it if I decide I'm sick of it.

  18. convert it to a form that... by illegalien · · Score: 1

    harvesters don't take the time to decode
    Email Encoder

    1. Re:convert it to a form that... by Anonymous Coward · · Score: 0
      That encoder is really lame.

      It leaves the "mailto:" portion of the reference intact, and only obfuscates the characters of the user's email address. A robot would simply harvest that which followed the "mailto:" and send spam to it. It wouldn't care if it were encoded, and the recipient would still get it.

      If it had at least obfuscated the mailto: protocol it might have accomplished a little more spam defense...

  19. Use a Form by Alethes · · Score: 2, Informative

    I recommend that you use a form that does NOT have the user's email address in a hidden input. Just have the user's ID, then on the server, find the address based on that ID and send the message accordingly. I know you want to keep the mailto: link thing happening, but if you do that, harvesters will always find a way to decode whatever you're doing.

    1. Re:Use a Form by Specialist2k · · Score: 1

      More importantly, this technique will prevent spammers from abusing your form mailer to send out spam to arbitrary recipients...

  20. disposable email addresses by donutz · · Score: 1

    Use an email address on your website that you don't use anywhere else. If you do start to collect spam there, change to a different email address.

    Might be interesting to try encoding the month and year into the email address, and change the address each month. That way you could get some measurements of how much those addresses are being harvested for spam. Who knows, maybe you'd find out October is a big spam harvesting month, when you get deluged with spam to me-oct2003@blahblahblah.com over Thanksgiving break...

    Just a thought.

    1. Re:disposable email addresses by Anonymous Coward · · Score: 0

      Use an email address on your website that you don't use anywhere else. If you do start to collect spam there, change to a different email address.

      This doesn't solve his problem of getting spam, though, it just finds a way to side-step it.

      For your solution to work, you'd still need SpamAssassin or a Bayesian-type filter running against your incoming mail.

      Might be interesting to try encoding the month and year into the email address, and change the address each month. That way you could get some measurements of how much those addresses are being harvested for spam. Who knows, maybe you'd find out October is a big spam harvesting month, when you get deluged with spam to me-oct2003@blahblahblah.com over Thanksgiving break...

      Interesting...I've heard about reports claiming which days of the week are the worst for getting spam; I wonder if there's any monthly/yearly cycles....

    2. Re:disposable email addresses by KlaymenDK · · Score: 1

      I use [spammotel.com] to get me throw-away relay email addresses. These are great for dubious sites and especially one-shot usage, and allow you to narrow down the source of the "leak".
      But still, I'd say the above poster is right about this being merely a means to side-step the underlying problem.

      Oh, and let's not forget -- an equally valid form of leak is through your very own friends who are using a, shall we say, "very common email client from a certain proprietary vendor". When-if these folk get hit by various worms and whatnot, they (unknowingly) send your email address (and even email) to whomever.
      I consider that a serious problem, not least because it's well outside my circle of influence. (And no, I don't fancy getting all those Johnny PC users to switch to some ooh-strange-and-difficult other software!)

      So, I use Mozilla and its almost-great filter and accept the wasted bandwidth. I think that *not getting upset about it* is just as valuable as finding clever ways to avoid the problem, or at least it can be for the home user, in terms of frustration and time spent. //BTW ... this is my first ever /. post! :-D

    3. Re:disposable email addresses by LiquidCoooled · · Score: 1

      Klaymen :) welcome to /.
      You make a valid point about your friends, so far that's the only source of spam on my main account (I've had about 15-20 in total in 4 years).

      Small point about the message you replied to - they were an Anonymous Coward, as such replying directly to them is futile unless you are making a point to the rest of us as well :)

      --
      liqbase :: faster than paper
  21. Hivelogic Enkoder by jcbphi · · Score: 1

    I use some variant on this encoder from Hivelogic, where the whole address is encoded into javascript, which needs to be executed to decode any part of the name.

    The downside is that javascript is necessary to read any portion of my email address, and it only works if spambots refuse to execute arbitrary javascript. But in a year of use, I haven't had any problems with it, and my primary email address is remarkably spam-free. Nothing the spam filters can't handle anyway.

    In message forums, etc, I just don't use my email address, ever. My name is easily Googled if someone really wants to contact me.

    1. Re:Hivelogic Enkoder by Yottabyte84 · · Score: 2, Informative

      This script requires a mail daemon that delivers user+anything@example.org to user@example.org.

      #!/usr/bin/perl -w

      use strict;
      use Socket;              # Load socket functions
      use CGI qw(:standard);   # Load CGI standard functions

      my $name   = "harvestbait";   # yourname
      my $domain = "example.org";   # yourdomain.tld

      my $ipaddr = $ENV{'REMOTE_ADDR'} || '0.0.0.0';   # Get the requester's IP
      $ipaddr = unpack 'H*', inet_aton($ipaddr);      # Convert the IP to hex
      my $date = `/bin/date +%H%M%m%d`;               # Get a compact timestamp
      chomp($date);                                   # Get rid of the newline char
      my $addr = $name."+".$ipaddr.$date."@".$domain; # Make email addy from bits

      print header,                                   # Print HTTP header
          start_html(-meta=>{'robots'=>'noindex'},    # Print HTML document header (meta name is "robots")
                     -title=>'Send me an email!'),    # Page title
          q(You can send me an email by clicking ),   # Page content
          a({href=>"mailto:$addr"},"here"),           # The time+ip tagged mailto:
          q(. No junk mail please! ^_^),              # More content
          end_html;                                   # End the HTML document

    2. Re:Hivelogic Enkoder by greck · · Score: 1

      now that's a clever idea... I'd sit around WAITING for spam, just to have interesting data to poke at.

    3. Re:Hivelogic Enkoder by Anonymous Coward · · Score: 0

      This kind of tagging has already unmasked some companies as spam sources (by linking spam to the grabber's IP address which was on the network of the company which the spam advertised). If this becomes common knowledge, grabbers will start to look for ways to clean name+extension addresses. So in order to make this unforgeable, I propose the following improvement:

      • Generate the extension as usual
      • Sign and encrypt the extension with a private key on the server
      • Only accept mail to addresses which contain a correctly signed plus-extension (to stop spammers from simply cutting off all extensions)
    4. Re:Hivelogic Enkoder by Anonymous Coward · · Score: 0

      Besides, the concept of signed addresses (!) facilitates server-side filtering without keeping a list of valid addresses on the server, so it is ideal for whitelisting-schemes. Someone wants your email address? Enter a few identifying words into a program, have it generate a signed email address containing this information. No need to tell the server that you just created a new address. You may want to leave the address unencrypted to show what it contains, either as a warning to spammers or in order to avoid frightening legitimate users.
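As an added example that is not from any poster in this thread: Python that builds the IP-and-time tagged plus-address from the Perl script above and applies the signed-extension improvement proposed here, so inbound mail whose extension was stripped or forged is rejected and a valid one is traced back to the IP that fetched the page. The local part, domain, secret key and 12-hex-digit MAC length are assumptions.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime

# Hypothetical values; the secret would live in a file outside the web root.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"
LOCAL_PART = "harvestbait"
DOMAIN = "example.org"
MAC_LEN = 12  # hex digits of the HMAC kept in the address (48 bits)


def make_tag(ip: str, when: datetime) -> str:
    """Hex IPv4 plus HHMMmmdd timestamp, the same layout the Perl script uses."""
    ip_hex = ipaddress.IPv4Address(ip).packed.hex()  # "0a000001" for 10.0.0.1
    return ip_hex + when.strftime("%H%M%m%d")


def sign_tag(tag: str) -> str:
    """Append a truncated HMAC-SHA256 over the tag so it cannot be altered or forged."""
    mac = hmac.new(SECRET_KEY, tag.encode(), hashlib.sha256).hexdigest()[:MAC_LEN]
    return f"{tag}-{mac}"


def tagged_address(ip: str, when: datetime) -> str:
    """The address to embed in the mailto: link served to this visitor."""
    return f"{LOCAL_PART}+{sign_tag(make_tag(ip, when))}@{DOMAIN}"


_ADDR_RE = re.compile(
    rf"{re.escape(LOCAL_PART)}\+([0-9a-f]{{8}})(\d{{8}})-([0-9a-f]{{{MAC_LEN}}})@{re.escape(DOMAIN)}"
)


def verify_address(addr: str):
    """Return (harvester_ip, timestamp) if the plus-extension carries a valid MAC.

    Returns None for a bare address (extension cut off), a malformed extension,
    or a tampered one, so the mail server can reject those outright.
    """
    m = _ADDR_RE.fullmatch(addr.strip().lower())
    if not m:
        return None
    ip_hex, stamp, mac = m.groups()
    expected = hmac.new(SECRET_KEY, (ip_hex + stamp).encode(), hashlib.sha256).hexdigest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    return str(ipaddress.IPv4Address(bytes.fromhex(ip_hex))), stamp


if __name__ == "__main__":
    # Constructed sample: a page fetched from 10.0.0.1 at 14:30 on 5 October
    served = tagged_address("10.0.0.1", datetime(2003, 10, 5, 14, 30))
    print("served:", served)
    print("valid  :", verify_address(served))
    print("bare   :", verify_address(f"{LOCAL_PART}@{DOMAIN}"))
    local, rest = served.split("+", 1)
    print("forged :", verify_address(f"{local}+0a000002{rest[8:]}"))
```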

  22. homebrew by vericgar · · Score: 1

    On my website I have a homebrew solution that took me about 15 minutes of time to implement.

    I change @ to [at] in all e-mail addresses.

    Then I have a catch all address something-whateverhere@domain and I have a php script on every page that creates a hidden mailto: link that changes their IP address to hex and includes it in the mailto: link... i.e. a visitor from 10.0.0.1 would have something-A001@domain put in the mailto.

    That's only the first step. The second is to make use of (on my server) the .courier files (.qmail where qmail is installed works similarly, check the docs, I'm sure there are other servers with similar schemes) and execute a script for every e-mail to the catchall address, which parses the headers, adds the ip of the mail server that sent the mail to my server to a blacklist, and then adds the ip address of the bot that scraped my site to a deny list in an .htaccess file. The script ends with an error code (in this case 69) that bounces the mail (thus in many cases removing the address from the list anyways)

    Then all mail I receive I run through another script that checks the above mentioned blacklist and if it matches, bounces that mail as well.

    Since I've implemented this scheme, I haven't gotten a single scraped spam e-mail. In fact, along with my other spam protection methods which are easy to implement as well (using a unique address for every site I use an e-mail on, blocking and boycotting those that spam me; blacklisting servers that spam me [I run my own personal rbl]), I get no more than 5-10 spams a month - and this is all the e-mail addresses I use *combined* (about 5 of them) -- and I've had most of the addresses for several years.

    If there is enough demand, I may tar up the relevant files and make it available online.

  23. my method... entertaining and it works well by Elivs · · Score: 1
    ~/emailme.html
    ----

    Emailing me...

    Unfortunately due to "spam" I can't put my email address on the web without "email harvesting programs" finding my email address and sending me unsolicited email. However you can probably work out what my email address is...

    • I own the domain frazer.co.uk
    • My first name is richard
    • It's normal to have something like firstname@domain.co.uk as an email address

    If you can guess what my email address is, feel free to email me. Most computer programs won't be clever enough to work it out, however I hope you are.

    ----

    (names have been changed to protect the innocent/guilty)

    Seems to work well, and keeps visitors to my site amused. But would not work so well on a large site.

    Elivs

    1. Re:my method... entertaining and it works well by Trillan · · Score: 1

      The best part of that is that if someone can't work that out, you probably don't want to talk to them anyway... :)

    2. Re:my method... entertaining and it works well by Anonymous Coward · · Score: 0

      Sad thing is, while this is harvestproof, spammers also brute-force email addresses. Thus users with memorizable short addresses practically can't keep their addresses out of spammers' lists. Firstname@shortdomain.com is certain to receive piles of spam (and .co.uk is probably not much of a difference).

  24. "block images from this server" by KnightStalker · · Score: 3, Insightful

    I suspect you're using an ad-blocking browser or proxy, which has blocked the image itself but has left a large (clickable) white space that would be the image if you hadn't blocked it. That's the behavior Firebird shows for me, blocking ads.osdn.com. If you're using Mozilla or Firebird, and you right-click on the "background" I think you'll find "block images from this server" or "block images from ads.osdn.com" checked.

    --
    * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
    1. Re:"block images from this server" by Anonymous Coward · · Score: 0

      I block all /. ads and images. I really really care about not using too much of /. server bandwidth.

  25. Lil' CGI thingy. by dbirchall · · Score: 1
    For years (literally, since the late '90s - to my knowledge I was among the earlier people to do this) I've simply done something like this:

    <a href="/x.cgi/mailto:abuse@localhost">mail me</a>

    And then had x.cgi be a PERL script that generated an HTTP "Location" header to the real mailto: URL.

    If I wanted more complexity, I'd substitute in whatever I felt like for the @ in the address, and have the PERL script un-do that. It's probably also doable in PHP, shells, TCL, or whatever. I like to leave something resembling a "real" address in the HREF, so the most clueless harvesters can grab it.

  26. The other cost/benefit by jtheory · · Score: 2, Interesting

    As soon as any reasonable number of people start using the same scheme (and particularly if it's a mailto: designed to still be machine-readable) someone will take the time to harvest that kind of obfuscated address. It's just a matter of the cost/benefit ratio being high enough to make it worthwhile.

    I think you're right as more websites use automated obfuscation; then the spammers need to decode it to get to their victims. But as long as most websites aren't doing what I'm doing, I know they don't want to target the techies.

    Here's another POV, though -- I'm considering the *other* cost/benefits ratio. I want my users to be able to easily email me, and giving them a simple mailto: link is the best way to do that. We'll have to wait and see.

    Right now, it seems to be costing nothing, since I'm only getting spammed on the standard "guessed" names at my domains, like "sales@" and "webmaster@". But 5 spams a day would still be worth the trouble.

    If the bots do start to really catch up (they may... I'm hoping enforced laws will start to catch up over the next few years!), at some point I might move on to the next-least-inconvenient masking method, which is probably randomized JavaScript masking. I.e., the mailto: link is generated by custom JavaScript that builds the address across a few lines of code. That would prevent users w/o JavaScript from using the link, though, which is a cost I want to avoid.

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
    1. Re:The other cost/benefit by Cecil · · Score: 1

      Anyone who is too lazy to read the image of my email address I provide rather than just clicking on it probably didn't have anything important to say to me anyway.

      There are way too many ridiculously lazy people around these days.

    2. Re:The other cost/benefit by eugene+ts+wong · · Score: 1
      There are way too many ridiculously lazy people around these days.
      I agree. I'm not making any attempt to make my email address obvious on my personal web site. I'll tell them how to form it, but they'll have to look around. My belief is that I'm not trying to be contacted @ that address.

      I have to ask you though, can't they harvest mailto links like this? After all, if we can do it with a couple of clicks, then why can't the bots?
    3. Re:The other cost/benefit by ptomblin · · Score: 1

      Yes, all those "ridiculously lazy people" who can't even be bothered to get eye transplants, or who can't be bothered to invent a high resolution screen that fits on a PDA so they could use a graphic browser on your site. Damn them all.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    4. Re:The other cost/benefit by Cecil · · Score: 1

      I do sympathise, actually. My email address is also non-standardly obfuscated in several ALT tags. They should be readable in any non-graphical browser, but without making any clear sense to a traditional spider. (Assuming it even is smart enough to span together multiple alt tags in an attempt to find email addresses)

  27. Use Flash! by zsazsa · · Score: 1

    I've only seen flash used for spamproof mailtos on one or two sites, but I think it's a pretty good idea as long as all of your users have the Flash player. Just make a little .swf of clickable text linking to the mailto: you want. You probably can even have them dynamically generated if you have a lot of different addresses across your site. PHP, for example, can do this with its built-in Flash functions.

  28. You insensitive clod! by BladeMelbourne · · Score: 1
    I don't have an email address or a website you insensitive clod! Oh wait, I do.

    My php based site has a form that allows people to email me. They never get my email address until I reply to them.

    My previous site was only allowed [X]HTML, no PHP/ASP. To combat harvesters, I had in my XHTML:

    <a href="javascript:emailAuthor()">Email Author</a>

    Then, in an embedded JavaScript file (email.js) I had:

    function emailAuthor()
    {
        document.location.href="mailto:" + "username" + "@" + "domain" + ".com"
    }

    How would this extend to multiple authors on a site? I would give each author a sample link with javascript:emailAuthor("firstname lastname"). The JavaScript file would then need an array to find the corresponding address and change the document.location.href.

  29. Unicode by vitaflo · · Score: 2, Informative

    I actually just use unicode for the @ symbol (&#064;). It seems that most of the time the harvesters just read the HTML source, and don't actually render HTML entities or unicode. Thus the harvester will get user&#064;example.com, a non valid address, but a user on your site will see user@example.com and the mailto: link will function normally.

  30. Great Idea by metalhed77 · · Score: 1

    Great way of handling it. I'd still use an image or spam armored text for the actual address though. Not all browsers have JS turned on. But killer way to implement it. I knew my JScript knowledge was substandard.

    --
    Photos.
    1. Re:Great Idea by arkanes · · Score: 1
      Simply put: if an IE user can click on your link and have it work as a mailto, then it's harvestable. This is the spammer equivalent of the analog hole - there's no 100% workaround.

      And even if you could prevent automated harvesting, there's still people who'll do things like pay stay at home moms to harvest manually from mailing lists and archives.

  31. Put it in a table by venom600 · · Score: 1

    One of my colleagues came up with the following the other day:

    If you put your email address in a table with the border set to '0' cell-padding and cell-spacing also set to '0', then it will still be readable by humans. But, the code to create the table will obfuscate the address enough that it won't be harvestable.

    1. Re:Put it in a table by bhtooefr · · Score: 1

      Spambots don't optically scan. They scan the HTML of the page. And, even if there's a lot of surrounding code, keep in mind that computers don't get impatient. They'll just scan the page for mailto:, then copy everything between : and " and they'll have an address.

  32. Oh yeah been there done that by mnmn · · Score: 1

    How are You Preventing Mailto-Link Harvesting? I'm not. I just put up my address on the website and started manually cleaning 40 emails daily. Life was good until I started bothering this guy on eBay to send me my ATM switch 3 months after I paid for it. The day after I threatened him with legal action, and ever since, I've been receiving 1200+ Microsoft subscription-type spam daily. Short story that particular address has been shut down permanently thus I'm losing possibly good traffic to me. All of a sudden, I'm interested in Bayesian filtering and legal action against spammers. Face it. Spam is a bigger problem than the small speedbreakers in its path (like riding a motocross bike at high speed over a speedbreaker on a flat road), we all will continue to get irritated until some kind of social, legal or technical revolution fixes things for a while.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Oh yeah been there done that by Anonymous Coward · · Score: 0

      Filtering is working for my 40 or so spams a day - I've got lots of addresses coming into 1 place, so if one of my email addresses begins receiving lots of spam, I ditch and blacklist it...

      Did you get your switch??

    2. Re:Oh yeah been there done that by mnmn · · Score: 1

      Switch? No I think I've lost the $50. I'm budgeting for a new one.

      --
      "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  33. Try this by askegg · · Score: 1

    <script type="text/javascript">
    <!--
    // The function will append "@domain.com" to the name provided and return a "mailto:" type link.
    function Email(name) {
      var EmailLink = "mailto:" + name + "@domain.com";
      parent.location = EmailLink;
    }
    //-->
    </script>
    <!-- call it from the link with the local part, e.g. "Webmaster" -->
    <a href="javascript:Email('Webmaster')">email me here</a>

    --
    I don't make predictions, and I never will.
  34. Here is what we do by wolfson · · Score: 2, Interesting
    Here is the php code that I use on Aginet.com

    // Seed the generator once per call (the make_seed() idiom from the PHP manual of the time).
    function make_seed() {
        list($usec, $sec) = explode(' ', microtime());
        return (float) $sec + ((float) $usec * 100000);
    }

    // Emit a unique mailto link for this visitor and log who was shown it.
    function gen() {
        mt_srand(make_seed());
        $x = "aginet3";
        $list = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
        // seven random characters from the 62-character list
        for ($i = 0; $i < 7; $i++) {
            $x .= $list[mt_rand(0, 61)];
        }
        echo "<a href=\"mailto:$x@aginet.com\">$x@aginet.com</a> ";
        // one tab-separated log record: address, time, client IP, referer, user agent
        $x .= "\t" . date("m/d/Y h:i A");
        $x .= "\t" . $_SERVER["REMOTE_ADDR"];
        $x .= "\t" . (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "-");
        $x .= "\t" . (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "-");
        $fp = fopen("/xxx/xxx/xxx.xxx", "a");
        fwrite($fp, $x . "\n", 1024);
        fclose($fp);
    }

    In my mail server I redirect the random addresses to a single e-mail. Then when I get spammed, I can trace it back to an IP, and contact the hosting company or ISP that it originated from.

    Visit blue.aginet.com for my other GPL'd code. Feel free to use the source code in this example. I only ask that you give me credit if its used for a commercial purpose.
    --
    Scott Wolf Senior Software Engineer Slingpage
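    The same scheme in Python, as an added example rather than wolfson's own code: the random suffix and the tab-separated log record follow the PHP above, plus the two pieces the post describes but does not show, the mail-server pattern that routes the whole tagged pool to one mailbox and the look-up that traces a spammed address back to the visit that exposed it. The domain example.com, the sample visits and any token passed in by a caller are constructed placeholders.

```python
import re
import secrets
from datetime import datetime

# Constructed placeholders: the post's prefix is kept, the domain is not the poster's.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
PREFIX = "aginet3"
DOMAIN = "example.com"
TOKEN_LEN = 7
FIELD_SEP = "\t"
FIELDS = ("address", "when", "ip", "referer", "user_agent")

# Mail-server side: every address in this pool is delivered to one real mailbox.
TAGGED_RE = re.compile(r"^" + re.escape(PREFIX) + r"[0-9A-Za-z]{%d}@" % TOKEN_LEN
                       + re.escape(DOMAIN) + r"$")


def make_address(token=None):
    """Return a tagged address such as aginet3Ab3xZ9q@example.com.

    A token may be supplied (tests do); otherwise seven characters are drawn
    with secrets.choice instead of a time-seeded mt_rand().
    """
    if token is None:
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
    if len(token) != TOKEN_LEN or any(ch not in ALPHABET for ch in token):
        raise ValueError("token must be %d characters from ALPHABET" % TOKEN_LEN)
    return "%s%s@%s" % (PREFIX, token, DOMAIN)


def mailto_html(address):
    """The clickable link the page emits for this visitor."""
    return '<a href="mailto:%s">%s</a>' % (address, address)


def _clean(value):
    """Referer and User-Agent are client-controlled: replace the record
    separators so one request cannot split its record or forge a second one."""
    return re.sub(r"[\t\r\n]+", " ", value or "-")


def log_line(address, remote_addr, referer, user_agent, when=None):
    """One tab-separated record in the format the post appends to its log."""
    when = when or datetime.now()
    return FIELD_SEP.join([address, when.strftime("%m/%d/%Y %I:%M %p"),
                           _clean(remote_addr), _clean(referer), _clean(user_agent)])


def is_tagged_address(address):
    """True when a recipient belongs to the tagged pool (route it to the catch-all)."""
    return TAGGED_RE.match(address) is not None


def trace(address, log_text):
    """Find the visit that was shown `address`; None if it was never issued
    (for instance a sender guessing addresses inside the prefix space)."""
    for line in log_text.splitlines():
        fields = line.split(FIELD_SEP)
        if len(fields) == len(FIELDS) and fields[0] == address:
            return dict(zip(FIELDS, fields))
    return None


if __name__ == "__main__":
    # Constructed visits; spam later arrives for the second address.
    log = "\n".join([
        log_line(make_address("Ab3xZ9q"), "203.0.113.7", "-", "Mozilla/4.0"),
        log_line(make_address("Qq1mN0Z"), "198.51.100.2", "http://example.org/",
                 "constructed-bot/1.0"),
    ])
    print(trace("aginet3Qq1mN0Z@example.com", log))
```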
  35. blocking mailbots by engine+matrix · · Score: 2, Interesting

    I have a 1 pixel transparent gif link at the very top of my page that links to /guestbook/jackhole. In my robots.txt file I have "User-agent: * Disallow: /jackhole/ Disallow: /jackhole/guestbook/". When a harvester traverses this link their IP is added to a text file via a php script that I wrote and they immediately get a 403 page.

    Each page of my site checks against this text file so the mailbot gets a 403 page for almost all pages/sites that I host. To deal with false positives there is a mailto link on the 403 page that goes to a TMDA address. At the very least it saves me bandwidth.

    1. Re:blocking mailbots by suricatta · · Score: 1

      Correct me if I'm wrong, but wouldn't that also work on search engine robots as well?

      It might not be the best idea if you want all of your pages to be listed on Google or something.

    2. Re:blocking mailbots by suricatta · · Score: 1

      Ok.. I just realised that any good search engine robot that behaves itself won't have a problem... ignore me :)
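    An added Python version of the trap engine+matrix describes above (not the poster's PHP): any client that requests something under the robots.txt-disallowed prefix goes onto a denylist and is refused on every later request, and the denylist check is what each page runs. It also answers suricatta's false-positive question in code, since a crawler that reads robots.txt never fetches the trap. The paths, IPs and access-log lines are constructed.

```python
import re
from collections import Counter

# Constructed paths: the hidden 1x1 gif links to TRAP_LINK, robots.txt forbids the prefix.
TRAP_PREFIX = "/jackhole/"
TRAP_LINK = TRAP_PREFIX + "guestbook"
ROBOTS_TXT = "User-agent: *\nDisallow: " + TRAP_PREFIX + "\n"

# Common Log Format, with the optional combined-format referer and user-agent.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def trap_hits(log_lines):
    """{ip: count} for every client that requested anything under the trap prefix."""
    hits = Counter()
    for line in log_lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].startswith(TRAP_PREFIX):
            hits[rec["ip"]] += 1
    return dict(hits)


class Blocklist:
    """In-memory form of the text file the post's PHP script appends to."""

    def __init__(self, text=""):
        self.ips = {l.strip() for l in text.splitlines()
                    if l.strip() and not l.startswith("#")}

    def add(self, ip):
        self.ips.add(ip)

    def should_block(self, ip):
        return ip in self.ips

    def dump(self):
        return "".join(ip + "\n" for ip in sorted(self.ips))


def update_blocklist(blocklist, log_lines):
    """Batch mode: add every trap visitor found in the log; return the new ones."""
    new = [ip for ip in trap_hits(log_lines) if not blocklist.should_block(ip)]
    for ip in new:
        blocklist.add(ip)
    return sorted(new)


def respond(blocklist, ip, path):
    """Per-request check every page performs: a trap request blocks the client at
    once; listed clients get 403 everywhere afterwards.  The 403 page is where the
    post puts a protected contact address so false positives can reach the admin."""
    if path.split("?", 1)[0].startswith(TRAP_PREFIX):
        blocklist.add(ip)
        return 403
    return 403 if blocklist.should_block(ip) else 200


# Constructed access-log sample: a polite crawler reads robots.txt and stays out;
# a second client follows the hidden link and is then refused the contact page.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2004:10:30:00 +0000] "GET /robots.txt HTTP/1.0" 200 36 "-" "constructed-crawler/1.0"',
    '203.0.113.7 - - [05/Jan/2004:10:30:01 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "constructed-crawler/1.0"',
    '198.51.100.2 - - [05/Jan/2004:11:02:00 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [05/Jan/2004:11:02:01 +0000] "GET /jackhole/guestbook HTTP/1.0" 403 210 "http://example.com/index.html" "Mozilla/4.0"',
    '198.51.100.2 - - [05/Jan/2004:11:02:02 +0000] "GET /contact.html HTTP/1.0" 403 210 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    bl = Blocklist()
    print("newly blocked:", update_blocklist(bl, SAMPLE_LOG))
    print(bl.dump(), end="")
```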

  36. stuff by falsification · · Score: 1
    You could try using your IP address, in the form of:

    <a href="mailto:joeblow@[10.0.0.1]">

    Substituting your IP address, of course. Maybe spam harvesting bots would fail to treat that as a valid address.

    On another note, this is a CGI thing that looks interesting: Master Spambot Buster.

  37. My new brilliant idea... by kwerle · · Score: 0

    Set up a CGI server that knows people's email addresses. Anytime you want to post an address, use the cgi which does a mailto:yellowpages@yourdomain.com
    Subject: Please send me the email address for #TAG#

    Which yellowpages@yourdomain.com answers (with the address in the body).

    Maybe that's too much work, though...

    I leave my address out in the open and use a spam filter...

  38. pretty simple actually by Anonymous Coward · · Score: 0

    I have a pretty simple scheme. I never, ever put my first name in a mailto: link. I use my first initial, and then my last name, usually. That way, the spambots never get my first name. Makes life a LOT easier for my spam filter (Latent Semantic Analysis, in OS X Mail.app) to do its job.

    S. ;-)

  39. Operation Barndoor by Door-opening+Fascist · · Score: 1

    I'm one of the sysadmins for a CS department in a liberal arts college. I've been working with the web content admins off and on for a couple months as they prepare a system that will execute a Perl script to generate an image that will replace the e-mail address. The project is still in its infancy, but here's the URL to the description, and here's the URL to the current version of the project, in gzip'd tarball format.

  40. There is a simpler one by zhiwenchong · · Score: 2, Informative

    This one doesn't use Javascript at all. And it's only 4k.
    Obfusticated Email Link Creator

    It does mixed dec and hex. Creates links like this. But check the underlying code....

    It's a Tripod site, so don't /. it.....

    1. Re:There is a simpler one by WTFmonkey · · Score: 1
      For those who don't want to look at source,

      <a HREF="mailto:te%73t%40t%65%73%74%2E%63%6Fm" TITLE="mailto">this</a>

  41. Images are probably the easiest all around. by WoTG · · Score: 1

    For simplicity, an image is probably best. Heck, with PHP (and probably other web languages) you could probably hack up some code to automatically create the image for you (more useful if you have a large number of addresses to display).

    For folks who won't be able to handle the images, you could put some human decipherable text in the "ALT" or Title text of the image- e.g. jim@_REMOVE_ALL_OF_THIS_23421232_me.com.

    1. Re:Images are probably the easiest all around. by Zocalo · · Score: 1
      The use of an image is good (for the non-vision impaired), including a poorly munged ALT tag is not so good. Any spam harvesting robot is not going to be bothered too much about the page layout, it's just going to be looking for regexps that look like email addresses. "jim@_REMOVE_ALL_OF_THIS_23421232_me.com" is a very recognisable email address, and the mixed case is a sign munging is going on.

      Personally, I think this is a case of diminishing returns. Putting your email address in clear text on a mailto is an invitation to spammers, but the more effort you put into obfuscation, the less returns you get for later efforts. My personal website uses a little JavaScript routine that breaks the entire "mailto" into vars, amends some of those by adding substrings, then prints the result. I also include an explanation of why I've done this and a verbose description of how to take my initial, surname and domain name and generate a valid email from that. Clickable links and no spam received yet!

      At some point, I might get around to using extended character encodings in the JavaScript, but frankly, the few robots that are going to get *this* far have earned the right to try the next step. Congratulations; you have passed the entrance exam and earned the right to try and get your spam through the SpamAssassin Gauntlet!

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Images are probably the easiest all around. by MImeKillEr · · Score: 1

      Which JS does this?

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    3. Re:Images are probably the easiest all around. by Zocalo · · Score: 1



      '
      a+='lto:'
      b+='@zocalo'
      e=''
      b+='.uk.com'
      d=b
      document.write(a+b+c+d+e)
      }
      escramble() //-->

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Images are probably the easiest all around. by Zocalo · · Score: 1
      Let's try that again... Clicked "Submit" instead of "Preview" thanks to the damn Citrix display lags... Still, at least I know what tags need work now! Anyhow, the following obfuscates the email address "no-one@nowhere.com":
      <script>
      <!--
      function escramble(){
      var a,b,c,d,e
      a='<a href="mai'
      b='no-one'
      c='">'
      a+='lto:'
      b+='@nowhere'
      e='</a>'
      b+='.com'
      d=b
      document.write(a+b+c+d+e)
      }
      escramble()
      //-->
      </script>
      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Images are probably the easiest all around. by MImeKillEr · · Score: 1

      Thanks!!

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
  42. Javascript mailto links... vulnerable? by jumpfroggy · · Score: 1

    I definitely use javascript, never the same scheme twice. I'd suggest scrambling the emails into randomly sized segments (you can do this once per email, copy the contents into a DB or the actual page) for JS to put back together.

    Does anyone see a vulnerability with this? I know anything can be hacked, given enough time, but I really don't see how a spammer would get around the simple javascript thing (besides executing all scripts on all pages). Any Ideas how it could be abused?

    1. Re:Javascript mailto links... vulnerable? by Specialist2k · · Score: 4, Informative
      There are e-mail harvesting bots which use the Microsoft HTML ActiveX control, so they can and will execute any JavaScript present on the page.

      Wait... this provides some nice opportunities to cause them a major headache by including malicious JavaScript code on a page only seen by a bot not following the robots exclusion protocol (to prevent a "real" search engine spider from visiting the page) by linking to that page using some hidden link from your home page...

    2. Re:Javascript mailto links... vulnerable? by merlin_jim · · Score: 2, Interesting

      this provides some nice opportunities to cause them a major headache by including malicious JavaScript code on a page only seen by a bot not following the robots exclusion protocol

      A lot of people do that with a malicious honeypot page. It just outputs X phony, but real-looking, mailto links, where X is a member of the set of Very Large Integers.

      (note to /. math freaks: yes I know there's no set called Very Large Integers. It's a joke. Laugh.)

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    3. Re:Javascript mailto links... vulnerable? by Anonymous Coward · · Score: 0

      I'm not bloody laughing, "cock-ass".

  43. Email address in an image make things worst by choka · · Score: 1

    One suggestion I would make is to put your email address in an image. People can read it, but harvesters won't be able to harvest it (unless they download the image for OCR)...

    I've tried it, and it doesn't work. I used to put my email address on my web page in this format:
    my_address at domain dot com
    I receive approximately 20 spam a day. Not bad, huh?
    20 a day is still annoying. I've wanted to reduce it, so I converted the email into a gif, I call it em.gif (so no one would imagine it is an email address just by looking at the code), also in the my_address at domain dot com format. A few days later, I begin to receive 80 spam a day.

    1. Re:Email address in an image make things worst by bhtooefr · · Score: 1

      Someone might have put MSGTAG (a forced delivery receipt) on one of the 20, so they know you're a live address.

  44. Resistance is futile; all addresses will be spamed by grolaw · · Score: 1

    There is no effective defense. Any technology (short of smoke signals) will be beaten.

    What have we done in the US with the "no call list" but to have made the US government the distributor (free of charge) of a totally "clean" DB of all names and numbers of citizens who are perfect targets of telephone solicitations.

    The very idea that the FTC will step in and act where the FCC won't (in the face of two STATUTES struck down by fed ct judges) is absurd.

    We just gave the industry a nice clean list.

    There are two ways to avoid this problem: eliminate all technology (defaulting to bearskin rugs and stone knives); or, ELIMINATE the PROBLEM.

    I favor the second option. SUE THE BASTARDS over and over and over and over. Maybe we could tell the "Right-to-lifer's" that they are good target practice?

    The world is nuts: email is way over 50% garbage and the ramp-up has been only a year or so in the making. Hurt these fools now.

    I don't advise harming anybody, physically, but the effect of posting these bastards pictures in every grocery store and coffee shop could expose them to a "public shunning" unlike anything since the Puritans.

    We could also pass a law barring all medical care for spammers, their family and friends. How about no police response to their calls? No power to their homes? No telco connections? No wood in the winter? How about not taking their checks or cash? Revoking their driving rights? Barring them from holding office or making political donations?

    What about we simply deny them the right to BUY food? If they're out hunting for food they can't spam....

    In a generation we could select for no spammers.....

  45. blind people by kipple · · Score: 2, Insightful

    already have a lot of trouble with that picture-of-the-email-address thing. it is a neat solution but it lacks portability, to state it another way.

    --
    -- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
    1. Re:blind people by Anonymous Coward · · Score: 0

      blind people also miss out on all the porn :(

  46. Amen, brother! by Trillan · · Score: 1

    Security through obscurity is always a bad idea.

    The trick is finding the right combination of tools to automatically reduce your spam to managable levels. If I get just one or two pieces of spam a day, I'm happy.

  47. Bring it on. by CGP314 · · Score: 1

    On my London Blog I don't use any form of obfuscation. The reason for this is I want people to contact me about my writing. I want to know what people think, and any barrier I put in the way will reduce the number of legitimate emails I get. I'm not confident that most of the Internet population would understand that they need to remove the REVOVE.THIS.TO.EMAIL.ME part of my address.

    Sure, I drastically increase the number of spams I get, but popfile takes care of them all.

  48. Re: do you really want that? by ubiquitin · · Score: 1

    If you're running a mail server with, say, 250 people doing what you're doing, the spam connections might very well denial-of-service your mail server, assuming it is running on a typical T1. The expense of bandwidth, not to mention the inconvenience of less-reliable mail, is what leads sysadmins and the companies who employ them to take email obfuscation seriously.

    --
    http://tinyurl.com/4ny52
  49. unicode, base-64 encoded by ubiquitin · · Score: 2, Informative

    I have a unicode converter that works really well. It will put your email address into a form like:

    & # 105;& # 032;& # 100;& # 111;& # 032;& # 105;& # 116;& # 032;& # 116;& # 104;& # 105;& # 115;& # 032;& # 119;& # 097;& # 121;

    For the past three years or so, the spammers haven't caught on to this, and they are unlikely to do so given the few people who take the effort to put this measure into place.

    P.S. It's not just mailto links that are being harvested here. They'll scrape anything with an @ or a "at" or ...

    --
    http://tinyurl.com/4ny52
  50. /.'s obfuscation is harvested so why not? by DrSkwid · · Score: 1

    I've had email sent to me via the address I posted here and /. auto obfuscates it in various ways.

    It is retarded to think that "fred at sheila dot com" won't get converted.

    Once one has written one's harvester, it is prudent for one to inspect the results and tweak it.
    It's for profit not fun! If it is possible to increase the yield in *any* measure it will be done by someone somewhere.

    --
    There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
  51. Encoders Mostly Suck by the+pickle · · Score: 1

    The problem with most encoders is their use of JavaScript, which still isn't universally implemented across all browsers or used by all Web surfers.

    The problem with the non-JS-based encoders is that, well, they're based on a simplistic encoding method. Anything you can use your computer to easily encode can be just as easily decoded by a similar program. (We're talking encoding, not encryption.) So in theory, a well-written scraperbot can simply de-ASCII-fy any numerical entities it runs into (the common method of encoding without resorting to JavaScript) and then scrape the address in clear text.

    The problem with e-mail forms is that they're a pain in the arse, and people like me who keep archives of all incoming and outgoing e-mail are rather disinclined to use them.

    Right now I use solution #2, because spammers don't seem to be writing smart enough scraperbots (yet) to justify moving to either #1 or #3. Instead of moving to either of those, I'll probably end up using a CGI-based solution that does some mucking about with HTTP headers. It combines the absolute unscrapeability and universal compatibility of a form with the ease of use of an encoded address.

    p

  52. maybe, just maybe by DrSkwid · · Score: 2, Insightful

    they spam :
    info@yourdomain
    sales@yourdomain
    help@yourdomain
    webmaster@yourdomain
    postmaster@yourdomain

    etc.etc.

    --
    There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
  53. JavaScript tricks by Kanasta · · Score: 1

    I don't know why people suggest JavaScript tricks to hide their addresses.

    In the end, the browser renders it as text which can be selected and copied. What makes you think that mail harvesters will not render the webpage as well before searching for addresses?

    1. Re:JavaScript tricks by taff^2 · · Score: 1

      Because the javascript has to be executed in order for the address to be rendered in a readable format. Most if not all harvesters will not execute javascript, and hence will be unable to read the email address.

      --
      Karma: Bad. (As in Good?)
    2. Re:JavaScript tricks by plover · · Score: 1
      "Address harvesters" in this context are not people sitting in front of web browsers. They are programs, and they are not based on rendering engines such as Mozilla or IE. These programs are dedicated web crawlers that open sockets to web servers, pull in data, recognize a limited subset of tags that represent links to more pages, and attempt to perform character recognition on text strings that resemble valid email addresses. When they find text that looks like this: href="mailto:myaddress@myserver.dom" they've hit the jackpot. These programs don't execute javascript, they don't pull in IMG tags, they simply scan for text strings that smell like foo@bar.baz and follow links that might lead them to more addresses.

      I have noticed that people do tend to forget that there are other schemes for harvesting addresses that have nothing to do with web page encoding or mailto: URIs.

      One of the most productive sources of addresses for spammers are copies of chain letters. You've probably received some sent by well-meaning but clueless relatives. "Here's an ASCII snowball, throw it at your friends!!!" Your friend clicks "Forward", then clicks on every name in her address book. When a spammer gets a bonanza like this, they have not only a To: line containing all the entries in your friends' address book, but all the To: lines contained within that have survived a dozen forwardings.

      --
      John
    3. Re:JavaScript tricks by bhtooefr · · Score: 1

      Thing is, many harvesters ARE based on the IE engine. The IE engine is rather easy to integrate into your own program if: you're using a Microsoft compiler, and the system you're running the harvester on has IE (3 or 4 and higher).

    4. Re:JavaScript tricks by plover · · Score: 1
      Oh, that's sad.

      I forgot how illiterate spammers are; that they can't write their own socket programs and instead point'n'click VB calls to IE.

      Even so, please tell me they don't actually render these pages they're fetching. Or are these things really designed to be "operated" by a person? Seems horribly inefficient for an industry based solely on volume.

      --
      John
    5. Re:JavaScript tricks by bhtooefr · · Score: 1

      They're not designed to be operated by a person, but I'd think it renders and then looks for things vaguely resembling email addresses and follows links.

    6. Re:JavaScript tricks by plover · · Score: 1
      Rendering (in Windows parlance) typically means "outputting to a display device." Once you've rendered the data, the only way to get it back out of a window like that is with some really clever GDI tricks. If they're not operated by a person, rendering would be a costly extra step. Why spend the time downloading IMG tags for doubleclick, for example? I seriously doubt they're going to that effort.

      The SHDocVwCtl COM objects provide an InternetExplorer interface for operating IE from within a program. They can request a URL and retrieve it as a Document. They can get tags and attributes from that Document automatically. But rendering the page would be counterproductive if a human isn't there to watch the screen.

      I certainly believe you that they'd use the COM interface to IE. I am sure they examine the attributes of the tags coming back, looking for mailto: URIs. I also believe they'd look at the text surrounding every "@" sign or "mailto:" phrase they encounter, trying to simply determine whether or not they might be part of a valid email address. But I don't think they'd render, and I really don't think they'd execute javascript.

      --
      John
  54. Fight the problem, not the symptoms by Baloo+Ursidae · · Score: 2, Interesting
    Focus on reporting, not prevention. You'd be amazed how quickly making yourself a hostile target gets spammers to stop spamming you.

    Also, don't munge.

    --
    Help us build a better map!
  55. Screen Readers by Dooferlad · · Score: 1

    Remember that putting email addresses in pictures means that only people who can read the picture can email you. This excludes anyone who has their computer read the screen for them from contacting you. It is far better to have a contact form on your site that emails you - it will still hide the email address. If you have a domain and want to use a mailto then you can simply change the contact email address when it gets too drowned in SPAM and either bounce messages or simply delete them using your favourite mail processor.

    If you want to not only filter out SPAM easily but also track who sold out then get a domain and when you sign up for something that requires an email address then put an ID in the address you use, for example user-site_url@domain.com - this way you can filter out spam from just one source and also stop reading (and thus supporting) junk mail from the offending web site. You can even sue the pants off the web site if the law permits and you really care that much.

  56. Do spambait and spider traps work? by Unsolicited+Commando · · Score: 1

    I know there are a lot of these dynamic websites out that generate random emails and links to infinitely more pages with more emails and links... Does anyone have any evidence of these things actually working? Does anyone have any record of a spider getting caught in one of these?

    --

    Get revenge: Unsolicited Commando

    1. Re:Do spambait and spider traps work? by Dr.+Manhattan · · Score: 1
      Does anyone have any evidence of these things actually working?

      Well, my lame little website has had a few harvesters hit it. (Fairly obvious by their behavior and failure to process the javascript munging of my email address). I have a robots.txt file that disallows everyone from an "email" directory.

      For a while, I had it set up that if anyone went in there, they'd get a big list of fake addresses spammers have used when emailing me, and the connection is throttled to something like 10 bytes/second. But no one ever went in there.

      Now it just does an http redirect back to 127.0.0.1. Let them harvest their own website, I say. Still haven't seen it happen yet, though.

      --
      PHEM - party like it's 1997-2003!
    2. Re:Do spambait and spider traps work? by jbrayton · · Score: 1

      This is obviously a very small sample set, but I have a homepage with a hidden "spambait@..." mailto link which has been there for many months. In the past month, there have been no attempts to send mail to that address. Several theories to explain that:

      • Harvesting from random web sites is not as common as thought. It may be that harvesting is not common at all, or that it is targeted towards sites with lots of exposed email addresses.
      • Harvesters are smart enough to ignore the address because the username is "spambait".
      • Harvesters are smart enough to ignore the address because it is hidden on the page. [It is after several blank paragraphs, and the text color is the same as the background color.]
      • The address was harvested, but then removed from lists because the address has always bounced.
    3. Re:Do spambait and spider traps work? by bhtooefr · · Score: 1

      Good idea, and all, but something tells me that the box that's doing the harvesting will not be running a webserver.

    4. Re:Do spambait and spider traps work? by Anonymous Coward · · Score: 0

      Maybe the harvesters recognize the hidden address and thus ignore it. I have several visible trap addresses which do indeed get spam.

    5. Re:Do spambait and spider traps work? by Dr.+Manhattan · · Score: 1
      Good idea, and all, but something tells me that the box that's doing the harvesting will not be running a webserver.

      True, but I also do it for the common worms when feasible. Let them reinfect themselves. I thought about redirecting them to, e.g., microsoft.com, but then I could theoretically be considered guilty of aiding and abetting an attack.

      By reflecting it back on the originating host, the problem solves itself. If it's wrong for me to send that traffic back at them, it was wrong for them to have sent it to me in the first place.

      --
      PHEM - party like it's 1997-2003!
  57. See my sig. by bobv-pillars-net · · Score: 1

    The nine domains for whom my email is the catch-all address receive an average of a hundred spams a day, but I don't see them, thanks to a Bayesian filter.

    Any spammer who harvests the email address in my sig just registers their latest spam so that I (and the dozen-odd other people who use the same filter) are that much less likely to see it.

    --
    The Web is like Usenet, but
    the elephants are untrained.
  58. Nothing's Perfect by Finuvir · · Score: 1

    I've seen a number of varying responses to this question and, quite frankly, none of them work. Here's a short list:

    • As Cliff recommended, put your email address in an image, because we all hate those annoying blind people who keep trying to email us.
    • Use javascript to write the link -- Not everyone has a js-enabled browser, and of those whose browsers do support js, many have it switched off.
    • Use an email form on the site -- This seems less problematic, but you would need to ensure that you do let people see your address in further communication, so they don't have to keep returning to your site.

    The OP wants to retain link-clickability. The only method above that would do this is the js method. But where it fails, it fails horribly.

    --
    Why is anything anything?
  59. Accessibility by Hallow · · Score: 1

    Cliff's suggestion of using an image for the email address doesn't take into account that not every visitor to your site is necessarily sighted. This is a bad, bad, BAD idea. Preventing mailto: harvesting by excluding people with visual impairments is not the way to go.

    The best method is to use a mailto form that allows you to receive the message but doesn't give away your address. That way you leave your site open and accessible to all users, but can protect your email address.

    1. Re:Accessibility by MImeKillEr · · Score: 1

      Agreed, except I'd add that you obfuscate the address in the form. I'm the webauthor for my in-laws lamaze business and to prevent harvesting, I put site feedback in a form and obfuscated the email address.

      In the year or so that the site's been up, I've not received a single bit of spam.

      Sure, I had a couple of people input bogus information attempting to get the address from the results page, but that doesn't show them anything except a thank you message.

      I can't seem to locate the link I originally used to do this, but these might work:

      http://www.zapyon.de/spam-me-not/
      http://www.killersites.com/webDesignersHandbook/emailObscucator.htm

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
  60. Don't put your email address on at all .. by Anonymous Coward · · Score: 0

    .. try something like this instead:

    http://www.wildpuma.com/steve/

  61. I don't bother. by Fweeky · · Score: 1

    See my address up there? Yup, I'm not letting a few scumbags reduce my ability to use the Internet. I filter so much that I barely notice any more.

    Of course, I take more care with other people's addresses; using mailto forms, intra-site private messaging systems, one-time-only addresses, that sort of thing. I also wrote a bit of PHP to munge email addresses (phps/php), but I don't actually use it.

    You XHTML users better not be using these JS "solutions" which use document.write() by the way (that's HTML DOM, not XML DOM).. in fact, the entire idea of putting content in JS is so braindead you shouldn't be doing it anyway.

  62. Forms by gorfie · · Score: 1

    I tackled this problem a year ago because I feared that addresses were being harvested off of our site. The webmaster address was on the front page and got the most traffic, but even those that were buried were affected (looking through the logs showed some artcompendium.com browser, likely a bot harvesting addresses... it hit every page).

    I couldn't use images because we have rules regarding usability.

    I decided to use forms and server-side scripting. You can do it with PHP or ASP and it doesn't reveal the address to the world, but it allows any browser that handles forms to send e-mail. I also captured the IP address and placed redundant checks in the code to ensure that mail would ONLY go to a single address within our organization. The last thing I wanted to do was open the door to spam abuse through our site.

  63. My solution... by cmowire · · Score: 1

    I provide two options.

    1) I have a mail form. It will only send to one mail address, it's not anything like formmail.pl.

    2) I generate a unique email address with the IP address and time encoded in it. I actually could use spamgourmet to do this, but I've been doing things by hand because I want to collect some observations about how far a single address travels.
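    As an added example (not gorfie's or cmowire's code), a Python form handler with the property both posts insist on: it can deliver to exactly one fixed address, so it cannot be turned into a relay the way a generic form mailer can. Any recipient, cc or bcc field in the submission is never read, and the two header values that do come from the form are checked before use. The mailbox feedback@example.com, the field names and the sample submissions are assumptions.

```python
import re
from email.message import EmailMessage

FIXED_RECIPIENT = "feedback@example.com"   # placeholder: the one mailbox this form can reach
MAX_BODY = 20000

# Deliberately conservative: a single bare address, no display name, no angle brackets.
SENDER_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


class FormRejected(ValueError):
    """Raised for any submission that must not become a message."""


def _header_field(form, key, maxlen):
    """Take a header value from the form only if it is a short single line."""
    value = form.get(key, "")
    if not isinstance(value, str):
        raise FormRejected("%s: not a string" % key)
    if "\r" in value or "\n" in value:
        raise FormRejected("%s: line break in header field" % key)
    if len(value) > maxlen:
        raise FormRejected("%s: too long" % key)
    return value.strip()


def build_message(form, remote_addr):
    """Build the message.  Fields such as 'mailto', 'recipient', 'cc' or 'bcc'
    in the submission are simply never read; the destination is the constant."""
    sender = _header_field(form, "email", 254)
    if not SENDER_RE.match(sender):
        raise FormRejected("email: not a plain address")
    subject = _header_field(form, "subject", 200) or "Site feedback"
    body = form.get("message", "")
    if not isinstance(body, str) or not body.strip():
        raise FormRejected("message: empty")
    if len(body) > MAX_BODY:
        raise FormRejected("message: too long")

    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT            # never taken from the form
    msg["From"] = FIXED_RECIPIENT          # our own address; the visitor goes in Reply-To
    msg["Reply-To"] = sender
    msg["Subject"] = "[site feedback] " + subject
    msg["X-Originating-IP"] = remote_addr  # the client IP, as gorfie's handler records it
    msg.set_content("Feedback from %s (client %s)\n\n%s" % (sender, remote_addr, body))
    return msg


def recipients(msg):
    """Redundant check right before handing the message to the MTA."""
    rcpts = [a.strip() for a in msg["To"].split(",")]
    if rcpts != [FIXED_RECIPIENT] or msg.get("Cc") or msg.get("Bcc"):
        raise FormRejected("message would leave the fixed recipient")
    return rcpts


def handle(form, remote_addr):
    """Return (True, message) or (False, reason); nothing about the mailbox
    is echoed back to the visitor in either case."""
    try:
        msg = build_message(form, remote_addr)
        recipients(msg)
        return True, msg
    except FormRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    ok, result = handle({"email": "alice@example.org", "subject": "Hi",
                         "message": "Hello", "mailto": "anyone@example.net"}, "203.0.113.7")
    print(ok, result["To"] if ok else result)
```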

  64. hrmm? Bad subject perhaps? by xNullx · · Score: 1

    Assuming spammers read slashdot, this story is the perfect way to find common methods to hide from the spambots and learn how to circumvent them. Wonder if this is helping the spammers or the people being spammed more.

  65. bad solution by anthony_dipierro · · Score: 1

    One suggestion I would make is to put your email address in an image. People can read it

    Unless they're blind! Yeah, yeah, no one cares about the blind, you insensitive clods.

  66. After the harvest: broadcast seeding by unfortunateson · · Score: 1

    As a domain name owner, I have found that our basic "webmaster@example.com" doesn't get a huge quantity of spam. Perhaps the spammers recognize that as a corporate entity or something, because it's not so bad.

    But it mutates: aster@example.com, r@example.com, bob37, jenna624, etc. etc. Most of the spam we receive isn't to one of our known addresses. But we don't want to lock down all but a few (sales@, help@, webmaster@, orders@, myname@, hername@) so that we can help the poor sods who misspell "orders" (it happens).

    So I've put filters on "aster" so far. Last Sunday, though, we got 500 near-identical spams (some loan scam) addressed to about 50 different names @www.example.com. I was developing a filter while my wife was manually deleting them... and then they stopped altogether, without my taking action. Some spambot burped, I guess.

    --
    Design for Use, not Construction!
  67. Fraid Not by tomblackwell · · Score: 1

    It doesn't beg the question. "Begging the question" is making a logical argument that depends on the assumption of that argument's truth as a pillar of that argument.

    Instead of "begging the question" it just "makes you want to ask".

    1. Re:Fraid Not by arkanes · · Score: 1

      I'd be interested if you could come up with definitions of "begging", "the", and "question" to support your hypothesis.

    2. Re:Fraid Not by Mr+Z · · Score: 1

      Agreed. It "raises the question", not "begs the question."

    3. Re:Fraid Not by Mr+Z · · Score: 2, Informative

      "Beg the question" is a shortening of "beggaring the question" -- i.e., answering a question with the question itself. "Why don't parallel lines cross? Because lines that never cross are parallel!"

      If you look at the definition for beggar, you'll see one of the definitions is "One who assumes in argument what he does not prove." (Source: Webster's Revised Unabridged Dictionary, (C) 1996, 1998 MICRA, Inc.) In fact, this meaning of beggar has survived as a submeaning of 'beg.' This link on dictionary.reference.com supports my point. Look at definitions 3a and 3b.

      So, the parent poster to your post is quite correct. His statement was not a hypothesis, but rather closer to fact, based on accepted usage.

      Granted, standard American usage seems to treat "beg the question" as a synonym for "raise the question", but that's a rather incorrect usage, IMHO.

      --Joe
    4. Re:Fraid Not by arkanes · · Score: 1

      I've never heard the "correct" usage actually used outside the context of telling someone they're wrong. I'm very well read and familiar with a wide variety of both popular and not-so-popular writing and literature. I think that's at least a reasonable cause for thinking that the meaning has changed.
      Furthermore, "beg the question" is NOT short for "beggaring the question", which doesn't even make sense, and sounds to me like the kind of nonsense people liked to use in the 19th century to confuse debating partners. It's "beg the question", which quite reasonably means "pleads for a question to be asked". If you want to use the phrase "beggaring the question", and then get to act smart explaining it, be my guest.

    5. Re:Fraid Not by Mr+Z · · Score: 1

      I believe the phrase is used correctly in a court context, wherein the counsel for one side can raise an objection to an answer stating that it is "begging the question, your honor."

      As for "beggaring the question" being nonsense--have you ever searched for uses of that phrase? Look at the hits google brings up. It tends to be used more consistently to mean "answering the question with the question itself."

      I personally have heard it used both correctly and incorrectly, although I have heard it used incorrectly more often. It really does grate on my ears though.

      That doesn't justify the use, however. For example, here in Texas, I have heard the word "whenever" used in places where "when" is the correct word. Such as "Whenever I was in third grade, yadda yadda..." or "Whenever I was falling asleep last night..." and so on. Basically, the word "whenever" (which implies any of a multitude of equally interchangeable instances amongst a list of many general such occurrences) is used in a context where "when" (which implies a specific instance) should have been used. For instance, you've likely only been in third grade once, and even if you repeated it more than once, it's not a general occurrence. You don't just decide to attend third grade this month for the heck of it. "Whenever" is supposed to be used when describing a general case, such as "Whenever I debate grammatical usage on Slashdot..."

      --Joe
    6. Re:Fraid Not by hondo77 · · Score: 1

      It doesn't beg the question.

      Sure it does.

      --
      I live ze unknown. I love ze unknown. I am ze unknown.
  68. Links as generated graphic by mwilliamson · · Score: 1
    I have a small site that I wanted to list email addresses on and not expose them to harvesting, so I came up with a fairly simple scheme. Using PHP/GD, I wrote a script that would take an email address in the URL (obfuscated) and generate a png graphic of the email address. It's not clickable, but visible.

    Just to note, I realize OCR could be used to get around this, but I've only a few addresses anyway. In the future, I may generate "messy" images that are difficult to process with OCR.

    example: http://mhs1994.com/listing/

    1. Re:Links as generated graphic by Anonymous Coward · · Score: 0

      Firstly, are spam harvesters really going to use OCR anytime soon? Doubt it.
      When/if they do, it is likely they will go for images with the word "email" or "mail" in them, and they will go for small-sized images. What you want to do is call your image something like "f345.png" and you want to make it a large-sized image (say 800*600). The large size won't matter as most of it will be whitespace/blackspace that PNG will compress down to what it would be as a small-sized image, and then you just use the size stuff in the HTML tag.
      By making your image have these attributes, you are shedding it of any clues that it may contain an email address. If spam harvesters want to still collect your email address, they would end up having to churn through all large peculiarly named image files. It means they have to spend more CPU time and more bandwidth on harvesting. It is unlikely they would be willing to do this.

  69. I hate sites that I have to fill out forms! by kabocox · · Score: 1

    I hate websites that have no real e-mail address to contact. Yesterday, I was trying to contact anyone at the FBI who was involved in UCR and NIBRS. I couldn't find a single e-mail address anywhere. They had mailing addresses. I don't want to send a letter. I want to make a simple e-mail inquiry. It may be nice for others, but I hate that approach. I hate forms, because you never know where that message went off to. I like having a person to contact. Would you like trying to do business with someone without their e-mail address?

  70. The solutions we offer here will not solve the.... by Alpha27 · · Score: 1

    problem.

    The issue isn't with the emails getting harvested. The issue is with a global infrastructure that uses an old policy of sending emails.

    We need a new improved protocol that does a level of authentication at the host/ISP level to say, this is a legitimate server with an email from an acceptable user. All ISPs should be held up to a spam policy enforcement where if a user violates the policy, they are automatically terminated, and their name, with evidence provided of course, is sent to a spammer list system to keep track of these individuals. If a spammer bounces around to a new ISP, the ISP can check the system and see if this person is listed.

    This would require all ISPs to verify the user signing up for the account, and placing strict penalties on the user such as fines. If the right pieces are in place, we can see a substantial amount of email gone in a few years.

  71. low tech solution by ArmorFiend · · Score: 1

    I simply create a PNG, JPG, or GIF with a picture of my email address. No, they can't copy-paste it, but you'd have to be a really dedicated address-farmer to automatically harvest that.

  72. Re:The solutions we offer here will not solve the. by Anonymous Coward · · Score: 0

    Well that ain't going to happen anytime soon. And it's not a watertight solution anyway.

  73. Unicode actually works! by aquarian · · Score: 2, Insightful

    Believe it or not, this actually works. These days most harvester programs still don't read Unicode. Once I started doing this, I saw a great reduction in spam. It won't work forever, of course -- eventually the spambots will read Unicode, and the game will be over for this technique. But in the meantime, it's easy enough to do a search and replace of every "@" symbol.

    If you want to convert your whole address, E-cloaker is a neat little free program for converting text to Unicode.

  74. Proposed Solution by jbrayton · · Score: 1

    I propose the following (somewhat complicated) software solution for generating automatically-expiring email addresses:

    On the web server:

    Generate all email addresses on the site dynamically, using something like:

    (prefix)-(timestamp)-(ctr)-(hash)@domain

    Replace (prefix) with a unique meaningful string.

    Replace (timestamp) with the UNIX timestamp (the number of seconds since 1970-01-01 at midnight GMT) at which the email address was generated (the page was served).

    Replace (ctr) with a unique identifier for the address generation. (The first address should use 1, the second address should use 2, and so on.) This will make the generated address unique in case the timestamp itself is not.

    Come up with a password, and replace (hash) with:

    MD5(prefix + timestamp + ctr + password)

    On the mail server (or perhaps at the client):

    Send all email to (prefix)-*@domain to an automated utility. That utility would be configured with the same password as the web server. For the recipient address in each incoming message, it would check:

    • That the format of the address is that described above.
    • That the hash in the address is valid.
    • That the address was generated somewhat recently, based on the timestamp in the address. [recently can be defined any way you want.]

    If the address passes all of these tests, and if (based on the timestamp in the address) it was generated recently, treat it as valid. If not, treat it as spam.

    This won't stop a harvester finding an address and immediately sending spam to it, but it will limit the length of time for which the address is valid.

    This also may be difficult to validate if the address is BCC'd, but that in itself could be an indicator of spam.

    Depending on the web server's volume of traffic and your caching techniques, it may or may not be desirable or feasible to have the server re-generate these addresses for each page request. If it is feasible, then you have the added benefit of each user getting a different address. Once that address has been spammed, you could later block that specific address. If it is not feasible, you still have automatically expiring email addresses.

    Note that I have not tried or tested this approach, and there may be caveats I can't think of. Caveats that I can think of include:

    • The resulting email address would be very long. That may cause problems with mail server or client software. Using a substring of the MD5 checksum, and using short prefixes may be necessary.
    • Someone could have an email address that they legitimately retrieved from the site a long time ago.
    • The solution assumes that you have control over the mail system retrieving the mail. This might not be a feasible way to post email addresses in mailing list archives.

    If I had the time, I would start an open source project for this. But I don't have the time, so I hope someone else has the time and inclination to do so.
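    jbrayton's scheme carried through in Python as an added example; it is not the poster's code and no project on this page implements it. It follows the post as written: MD5 over prefix + timestamp + ctr + password, the hash truncated to 12 hex characters (the post's own length caveat), and a 7-day validity window ("recently" is left open in the post). The password, domain and those two numbers are assumptions, and prefixes are assumed not to contain "-", since that is the field separator. The mail-side check also rejects timestamps from the future, which the post does not mention but which costs nothing:

```python
import hashlib
import hmac
import re
import time

# Shared secret known to both the web server and the mail-side checker.
# Hypothetical value; in deployment it comes from configuration.
PASSWORD = "correct horse battery staple"
DOMAIN = "example.com"
HASH_CHARS = 12                 # substring of the MD5 hex digest keeps addresses short
MAX_AGE_SECONDS = 7 * 24 * 3600  # "recently", as the post leaves it open


def address_hash(prefix, timestamp, ctr, password=PASSWORD):
    """MD5(prefix + timestamp + ctr + password), truncated to HASH_CHARS hex chars."""
    material = f"{prefix}{timestamp}{ctr}{password}".encode()
    return hashlib.md5(material).hexdigest()[:HASH_CHARS]


def generate_address(prefix, ctr, timestamp=None):
    """Build (prefix)-(timestamp)-(ctr)-(hash)@domain for one page render.

    ctr is the per-render counter that keeps addresses unique when two are
    generated within the same second.
    """
    if timestamp is None:
        timestamp = int(time.time())
    return f"{prefix}-{timestamp}-{ctr}-{address_hash(prefix, timestamp, ctr)}@{DOMAIN}"


_ADDRESS_RE = re.compile(
    r"^(?P<prefix>[a-z0-9]+)-(?P<ts>\d+)-(?P<ctr>\d+)-(?P<hash>[0-9a-f]+)@(?P<domain>[^@]+)$"
)


def classify_recipient(address, now=None, max_age=MAX_AGE_SECONDS):
    """Mail-side check for one recipient: ('ok', prefix) or ('spam', reason)."""
    if now is None:
        now = int(time.time())
    m = _ADDRESS_RE.match(address.lower())
    if not m or m["domain"] != DOMAIN:
        return ("spam", "address does not match the generated format")
    prefix, ts, ctr = m["prefix"], int(m["ts"]), int(m["ctr"])
    expected = address_hash(prefix, ts, ctr)
    # Constant-time comparison so the checker does not leak the hash byte by byte.
    if not hmac.compare_digest(expected, m["hash"]):
        return ("spam", "hash does not verify")
    if ts > now + 300:
        return ("spam", "timestamp is in the future")
    if now - ts > max_age:
        return ("spam", "address expired")
    return ("ok", prefix)
```

    The post's construction puts the password last in the hashed string; the standard way to key a hash is HMAC (hmac.new(password, message, hashlib.md5) in Python), which is a one-line swap in address_hash if you build on this.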

  75. My suggestions by macdaddy · · Score: 1
    For starters NEVER give out any addresses other than addresses for role accounts (webmaster, abuse, postmaster, hostmaster, sales, support, etc). This is Rule #1. Don't violate it, ever. Instead provide email forms for people to mail individual users within your organization. Your company policies (especially the security policy) might even prevent you from posting employee names on the website in a directory format. Look into this.

    Secondly, anything you do to obscure a user's email address will eventually be able to be harvested (without human intervention). It's just a fact in the battle against spam. I highly suggest you use graphics to your advantage. Create small images for all letters; numbers; permissible punctuation such as a period, dash, plus sign (for plus notation), and underscores if you permit userids with that (I mention this one because you might use them even though they violate RFC 2821 IIRC). Now put these in a web directory and have users create their email addresses using IMG SRC links to each of the individual characters. You could spell out your domain in a single image or you could have the users spell it out with multiple images. This could easily be scripted. One thing to note is that this will most likely violate ADA requirements. It's possible that using the ALT text in each IMG for that letter could get you around this. It also gives the spammers something to harvest though. Basically ADA requirements directly interfere with spam fighting in this case.

    There are other tricks you can use such as using the HTML encoding for each of the userid characters to hide them. A web browser would decode this just fine but viewing the source will only show the code. Don't provide mailto: links, period. Consider using a list of names and their external userid on a page. Simply state that all the userids below should have @yourdomain.com appended to the end of them in a MUA. This is effective but slightly kludgy. IF you provide the userids ANYWHERE make absolutely certain that you provide an external userid such as firstname.lastname@yourcompany.com which redirects to vanityname@yourcompany.com internally. You should never give away your users' real userids. You need to make certain that the user's MUA or your MTA transposes the internal to external addresses to hide the internal addresses. Your users need to understand this as well. Mail they forward absolutely cannot contain information about internal addresses. Your users should always use the external addressing, even to mail their buddy in the next cube. Your users need to know why you're doing this and they need to be educated on the many ways this information can leak out unintentionally. Basically you need a good security policy.

  76. Deal with the symptoms and the problems by plover · · Score: 1
    Sorry, but that "don't munge" page is hopelessly outdated, and its advice is useless at best (although I have to admit being highly amused by the "if you munge your address then the terrorists have already won" attitude!)

    Back when the 'net was young, and there was hope for stopping spam before it snowballed out of proportion, it was hoped that this naive "nip it in the bud" attitude might work. It hasn't. Spammers have proven as resilient as cockroaches, and more prolific.

    Keep in mind who is paying for spamming: get-rich-quick losers. There's more than one born every minute. They're typically not successful, but there certainly are a lot of them. By the time one of them has realized they're not "getting rich quickly" and give it up, half a dozen more have started up their own "get rich quick" schemes.

    Legislation, anti-spam hassling, RTBLs, threats, ISP cut-offs, they all serve to shut these fools down one at a time. But the population growth of fools far outpaces the ability to shut them up.

    I agree that address munging "breaks" how things are supposed to work. The reality of spam dictates that many of us have given up how we want things to be, and instead deal with things as they are. I can't afford to fight every stinking spammer in my inbox, and those are the ones that have successfully run a couple of anti-spam gauntlets. Automated spam reporting tools proved useless to me years ago -- and now the anti-spam RTBL sites are busy collapsing. Bayesian filtering has been mostly effective for me so far, but I still find good mail in my spam box. Changing email addresses helped dramatically at home, but is not an option at work. So, if munging helps reduce the spam, it's just another useful tool in my kit. And if you think address munging prevents someone useful from contacting me, you simply have no idea of the depths of my apathy.

    --
    John
  77. Any Standard is bad by pagercam2 · · Score: 1

    If you always replace @ with at then the change to the spambots is minimal and they get the address anyway. Many websites only display the beginning of the mail address, and registered users must request the full address or use a mail entry screen to forward the email to the user without divulging the email at all, giving them privacy until they want to respond to you (your email is entered and provided as the reply-to address).

  78. Re:The solutions we offer here will not solve the. by Alpha27 · · Score: 1

    No solution is absolutely watertight, and I know it's not going to happen anytime soon, but the current suggestions mentioned will create an ongoing situation.

    I create uber mailto style 1, some time passes and I find it's no longer working. I create uber mailto style 2, some time passes and I find it's no longer working. I create uber mailto style 3, some time passes and I find it's no longer working. I create uber mailto style Nth, some time passes and I find it's no longer working.....

    The solutions here are not permanent fixes and the time and energy we spend in developing these quick fixes should be put to better use such as a more long term approach.

  79. Spam magnet by retrosteve · · Score: 1

    This works if you have your own domain. Thanks to Andrew for this idea: Put the harvestable email on your site. Also, on the same site, (less conspicuously), post a similar email address, with the same domain and a similar username. Don't ever give out the second address, it's just for spam. The magnet address may be in the code but not visible, for best effect. Or make it a real mailto: link, but in invisible color and font.

    Write a small filter program on your site that stores all spam coming from the spam magnet address for a week, and deletes any incoming spam on your own email address that looks too much like it. Any mail that comes to both at once is automatically deleted.

    If you have a Bayesian filter, use the spammagnet address to continuously feed the filter's blacklist.

    So if your address is harvey@nagila.com, post a spammagnet address on the same pages such as hardly@nagila.com. The similarity will tend to catch the spam mailers that group addressees.
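    The magnet filter retrosteve sketches, as an added Python example that is not from the post: mail to the magnet address is remembered for a week, mail to the real address that looks too much like a remembered sample is dropped, and anything addressed to both at once is dropped outright. The two addresses are the post's; the word-set Jaccard similarity, the 0.6 threshold and the sample messages are assumptions made for this example:

```python
import re
from collections import deque

REAL_ADDRESS = "harvey@nagila.com"     # the address from the post
MAGNET_ADDRESS = "hardly@nagila.com"   # the spam magnet from the post
RETENTION_SECONDS = 7 * 24 * 3600      # "for a week"
SIMILARITY_THRESHOLD = 0.6             # assumed; tune against real traffic

_WORD = re.compile(r"[a-z0-9]{3,}")


def fingerprint(subject, body):
    """Set of lowercase words (3+ chars) from subject and body. Case and
    punctuation are normalized so small spam mutations still match."""
    return set(_WORD.findall(f"{subject} {body}".lower()))


def jaccard(a, b):
    """Similarity of two word sets in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class SpamMagnetFilter:
    def __init__(self, real=REAL_ADDRESS, magnet=MAGNET_ADDRESS):
        self.real = real.lower()
        self.magnet = magnet.lower()
        self.seen = deque()  # (timestamp, fingerprint) of mail the magnet received

    def _expire(self, now):
        # Forget magnet samples older than the retention window (oldest first).
        while self.seen and now - self.seen[0][0] > RETENTION_SECONDS:
            self.seen.popleft()

    def decide(self, recipients, subject, body, now):
        """Return 'store' (magnet only), 'delete', or 'deliver' for one message."""
        rcpts = {r.lower() for r in recipients}
        self._expire(now)
        fp = fingerprint(subject, body)
        if self.magnet in rcpts:
            # Anything the magnet receives is spam by definition: remember it.
            self.seen.append((now, fp))
            # Sent to both at once: the copy for the real address goes too.
            return "delete" if self.real in rcpts else "store"
        if self.real in rcpts:
            for _, spam_fp in self.seen:
                if jaccard(fp, spam_fp) >= SIMILARITY_THRESHOLD:
                    return "delete"
        return "deliver"
```

    In a deployment the decide() call sits in the delivery path (a procmail or Sieve-style hook) and the deque is persisted; what the example shows is that the magnet corpus is only consulted for mail to the real address, so a legitimate message can never be "learned" as spam.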

  80. A new idea by danielsfca2 · · Score: 1
    I've considered an autoresponder. The idea being that you give out, freely, an address like mailbot1@domain.com, and set up an autoresponder on that address that says "Thank you for requesting my address: real@domain.com"

    That has the disadvantage that in the unlikely chance any spam with a valid return address hits this address, someone will unexpectedly get your autoresponder. Probably not a spammer, though. What spammer gives a correct return address? I'd add a line saying, "If you did not request John Doe's e-mail address, please disregard this message. It was likely generated by a spam message which had your address forged as the sender."

    1. Re:A new idea by bhtooefr · · Score: 1

      Someone else suggested a server at yellowpages@domain.com or something. You'd send an e-mail to that saying (in the body):

      What is the e-mail address of (name)?

      or something like that, and it would reply to you with the actual e-mail address. This would allow multi-user systems to use your idea.

    2. Re:A new idea by danielsfca2 · · Score: 1
      A good idea. Although I'd worry about spammers using a dictionary attack on such a server. Actually, it would be more accurately called a "phone book attack" since it would try, not English words, but rather, permutations of names from the phone book.

      I think the likelihood of that would be related to the size of the organization represented. For example, one for AOL.com would be harvested daily. Ditto for comcast.net, verizon.net, sbcglobal.net. But such an attack on my friend's company, alexrthomas.com, would be far less likely. Actually, ironically enough, any addresses created on that domain, even if never given out, attract copious spam, so it seems it's dictionaried on a regular basis.

  81. that's a start.. by josepha48 · · Score: 1
    I'd use web forms and split stuff up if cgi is an option.

    Start with "to contact so-and-so click here". Have the user's name embedded in the email form and the second half you get from the server. So if the user was thomas@englishmuffin.com the web form would have a hidden input called loosername and its value would be thomas. Call it something different than loosername, but the idea is that you don't want to just say username. When the web form gets posted you can have it read a text file (this is what Earthlink uses as cgi email; I think the program is MIT's cgi-email) and in that text file is the other half of the 'to' email address, @englishmuffin.com. Put the two together and you have the email address. What this will do is allow you to check to make sure that the sender has a valid email address. Check for at least the @ in the email address and preferably a .com/.uk, etc., with at least one dot (.). This means that the sender does not know what address they are sending email to until they get a reply, and also it means that web harvesting programs are going to have a harder time figuring out what to harvest.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  82. Good point by jtheory · · Score: 1

    This is a good point -- if you are just providing your email for people reading your personal home page, there's no reason to risk getting a few spam emails by using a weak masking method. By displaying your email as an image, you can probably reduce the emails you'll get from people with only a minor comment to make, or the non-tech-savvy.

    If you're selling something, it's a different story.

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
  83. NOSCRIPT by Anonymous Coward · · Score: 0

    You're missing the <NOSCRIPT> tag, needed for graceful degradation. You should include something like:
    <NOSCRIPT>sales (at domain:) example .co_m</NOSCRIPT>

    to make sure that a non-JS browser still sees something (it won't be a link, but it's good enough - use some obfuscation to prevent harvesting). It would look stupid if your web page had text like "Here's my email address: , write me for sales info" with no actual address.

  84. fyi by Anonymous Coward · · Score: 0

    it's javascript - it doesn't submit the form.

    if you're worried you can save the source of the page and run it locally.

    cheers

  85. Not for Netscape 4 by extra88 · · Score: 2, Insightful

    I haven't checked the stats recently but Netscape 4.x and earlier does not support Unicode. Pretty much all browsers can handle the HTML entities given in other examples. You may not care.

  86. [OT] parallel lines by Mr+Z · · Score: 1

    (And yes, I'm aware that lines that never cross are not necessarily parallel. They must be coplanar to be parallel. Lines that are not coplanar and never cross are askew. My question/answer example above that "begs the question" also happens to be a fallacious argument.)

  87. Simple idea? by Mr+Z · · Score: 1

    How about a simple layer of redirection to a form, with method "GET" instead of "POST" that is really just an HTML file with a proper mailto: link? Do spam bots chase form submission links too?

    Such an approach should be effective against most bots, I'd suspect.

    If you want to go a step further, just have some text somewhere on the page and a simple CGI on the other side of the form. "Enter this text into the form field below to reveal my email address."

    Thoughts?

    --Joe
  88. Uck by piranha(jpl) · · Score: 1
    Just use a mail form instead of mailto: links.

    I for one can't stand sites that implement a mail form, and leave no other way to contact the site administrator. It's intrusive:

    • I have yet to see any web browser with a usable TEXTAREA text editor for non-trivial messages (limited viewing area, no spell checking, no word wrapping, cumbersome copying/pasting). w3m's shelling out to $EDITOR is great, though.
    • I like keeping copies of mail I take the time to write; being forced to use a web interface means that the message I write won't be saved into my mail client's sent mail folder. (Manually copying the message along with bogus/made-up To:, From:, Date:, and Subject: headers to the sent mail folder is a cumbersome possibility).
    • Unless I've been out of the loop, form-mail scripts require the destination e-mail address to be put in a type=hidden <input> element. Why won't a spammer harvest that address?
    • Finally, why won't a spammer detect mail forms as they already detect e-mail addresses, and simply spam the recipient at the other end? Just because they don't have your address doesn't mean they can't spam you.

    Between challenge-response programs, misguided filters that swallow (rather than bounce) messages that might be spam, address-to-image scripts that reduce usability for the blind or Lynx-bound, form mail scripts and (a comparatively minor annoyance:) e-mail address munging programs ("piranha at ely dot ath dot cx")... Why must people go out of their way to make others go out of their way to contact them? Ultimately, it's their choice, but we need a better solution.

    1. Re:Uck by arkanes · · Score: 1
      Why must people go out of their way to make others go out of their way to contact them?

      Sadly, it's because so many people (or rather, a relatively few people, but with great enthusiasm) have heavily abused the free communication, making it all but useless for many people. The signal to noise ratio is just too high. If spammers had never come into existence, you wouldn't be seeing all this nonsense.

    2. Re:Uck by piranha(jpl) · · Score: 1

      Heh, I've been posting my e-mail address in the clear for a few months now. But thanks anyway.

    3. Re:Uck by ckd · · Score: 1
      I have yet to see any web browser with a usable TEXTAREA text editor for non-trivial messages (limited viewing area, no spell checking, no word wrapping, cumbersome copying/pasting).

      Try OmniWeb. Spell checking, a "zoom" box to blow the TEXTAREA up into its own window, and it accepts Emacs control keys.

      Of course, you'll have to run Mac OS X.

    4. Re:Uck by Elias77 · · Score: 1

      Unless I've been out of the loop, form-mail scripts require the destination e-mail address to be put in a type=hidden <input> element. Why won't a spammer harvest that address?

      At least this is preventable: You don't have to name your email address in the HTML code, but let the script which forms your email add the To header.
      What is bothering me more is your last argument. Is there a way to prevent a bot from misusing one's mail form?

  89. Re:Mail form - bad idea by John+Q.+Public · · Score: 2, Insightful

    My problem with mail forms is that I don't have a record of any messages sent or any information if things go wrong with the delivery. Black hole for information == bad.

    That being said, if you have a copy sent to the sender as well it's not as evil.

  90. try this? by toast0 · · Score: 1

    put spam in the email... so in my case make russorspam@msoe.edu or russor@spam.msoe.edu or something like that into a valid email...

  91. Here's simple javascript to do it by Uzik2 · · Score: 1

    Put in a javascript function to send the email

    function m_me(u) {
        // "mailto:" is assembled at run time so the whole string never appears in the page source
        var pre = "mail";
        var url = pre + "to:" + u;
        document.location.href = url + "@reddawn.net";
    }

    In your page, in place of the mailto: link, put this:

    <a href="javascript:m_me('uzik')">link text</a>

    --
    -- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
  92. Filter it with mod_perl or Mason by Anonymous Coward · · Score: 0

    if using mod_perl and apache use something like Apache::Filter or Mason's built in filter thingy to use regular expressions to change mailto: links to javascript: ones, passing in the email elements so href="mailto:foo@bar.com" would change to href="javascript:form_email('bar.com','foo')"

    you can also use String.fromCharCode(64) as a substitute for '@'

    this way you can have the actual addresses in the html files that get rewritten when served

  93. Attack Spammers Who Attempt To Hijack formmail.pl by BigBlockMopar · · Score: 1

    That is only the case if you are running an ancient, brain dead copy of the original (Matt's Script Archive) formmail.pl. But you'd be a retard for doing that and deserve everything you get. Modern formmail scripts do not allow spam through.

    Looking through my server's logs, I get a lot of attempts to hijack formmail.pl and spam through it, which is a neat trick since I don't even have formmail.pl.

    So I started looking around, and found a great little script which automatically reports the attempt to the spammer's ISP.

    I haven't installed it yet, but it looks really great: http://home-port.net/fmreport/

    --
    Fire and Meat. Yummy.
  94. Buffer overrun by JamesP · · Score: 1

    Just put something before that'll nuke the spambot

    like

    mailto:@#$%$%$%%##%#%%##%@@@@@22@@@@

    then mailto:yourname@youraddress.com

    not sure if it'll work though

    --
    how long until /. fixes commenting on Chrome?
  95. Research shows... by jtheory · · Score: 1

    I'm not an expert on this, but my experience (that most bots DON'T harvest html-encoded addresses) is backed up here.

    There may be bots out there that do it, but for now, it seems most don't bother. My experience backs this up -- I started getting a few spams at one address, and sure enough, I'd forgotten to encode it. That bot didn't pick up any of the encoded addresses.

    Obviously, things can change... if I do start getting spammed at the encoded addresses, obviously I'll have to make a new plan.

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
    1. Re:Research shows... by AShocka · · Score: 1

      Actually, from what everyone else is saying here, I think you are probably correct. That is good news (for the time being... I wonder how many spammers read this site?). I'll go back to using that technique and monitor it.

  96. CGI script that returns a mailto link by pne · · Score: 1

    On one of my domains, I use a CGI script that returns mailto: links.

    Then I can use, for example,

    <a href="/mailto.cgi?user=fred">fred<span>&#64;</span>example.com</a>

    and have the address visible in plain text for copy-and-pasting (with @-to-&#64; entity replacement to foil simple-minded spambots and added <span>...</span> links to foil slightly more sophisticated bots that nevertheless rely on an unbroken string).

    mailto.cgi, then, takes the "user=fred" parameter and returns Location: mailto:fred@example.com.

    --
    Esli epei etot cumprenan, shris soa Sfaha.
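    A worked version of the redirector described in the comment above, added here as an example and not pne's own mailto.cgi. It assumes a domain of example.com and a small allow-list of local-parts (fred, webmaster); both are assumptions. The practitioner's caveat it encodes: the script must never copy the user parameter straight into the Location header, or it becomes an open redirect (any scheme, any target) and, on older CGI stacks, a CRLF header-injection point. Mapping the parameter through an allow-list closes both.

```python
import html
import os
import re
import sys
from urllib.parse import parse_qs

# Assumed values for this example (not from the original post).
DOMAIN = "example.com"
ALLOWED_USERS = frozenset({"fred", "webmaster"})   # local-parts the redirector may hand out
SAFE_LOCAL = re.compile(r"[a-z0-9.]{1,32}")         # defence in depth: plain local-parts only


def render_address_html(user: str, domain: str = DOMAIN) -> str:
    """Anchor as described in the post: the href points at the CGI redirector,
    the visible text keeps the address copy-pasteable but breaks it up with a
    <span> and writes the @ as the &#64; entity."""
    safe_user = html.escape(user, quote=True)
    safe_domain = html.escape(domain, quote=True)
    return (f'<a href="/mailto.cgi?user={safe_user}">'
            f'{safe_user}<span>&#64;</span>{safe_domain}</a>')


def mailto_redirect(query_string: str) -> str:
    """Produce the full CGI response (headers + blank line) for mailto.cgi.

    Only allow-listed users are redirected. A redirector that echoed the
    parameter into Location: would otherwise be an open redirect (any scheme,
    any target) and, on old CGI stacks, a header-injection point via CRLF.
    """
    users = parse_qs(query_string, keep_blank_values=True).get("user", [])
    if len(users) != 1:
        return "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad request\r\n"
    user = users[0]
    if user not in ALLOWED_USERS or not SAFE_LOCAL.fullmatch(user):
        return "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nno such user\r\n"
    # The allow-list plus the regex guarantee no CR/LF or other header-breaking
    # characters can reach the Location header.
    return f"Status: 302 Found\r\nLocation: mailto:{user}@{DOMAIN}\r\n\r\n"


if __name__ == "__main__":
    # Run as a CGI: the web server supplies QUERY_STRING, we write the response.
    sys.stdout.write(mailto_redirect(os.environ.get("QUERY_STRING", "")))
```

    Installed as /mailto.cgi under a CGI-capable server, a request for /mailto.cgi?user=fred answers with a 302 to mailto:fred@example.com, while user=fred%0D%0ASet-Cookie:x or user=anyone@elsewhere gets a 404. The trade-off is that every address you publish has to be registered in the allow-list, which is also what keeps the script from being turned against other people's mailboxes.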
  97. Mailto:blackhole@goatse.cx by A55M0NKEY · · Score: 1

    Harvest that!

    --
    Eat at Joe's.

  98. PHP/sql/MTA solution by slantymoniker · · Score: 1

    How about this approach, which would not require anything special on the client side?

    PHP (or another suitable server-side dynamic page generator) would append strings to the email address in question before placing it on the page, (strings built from a function known only to the page author or website admin), resulting in a unique mailto address for every page load. Simultaneously the function logs the unique address in a database (e.g. mysql), with a timestamp.

    So the resulting HTML might look like:

    href="mailto:slantymoniker_928u492@slashdot.org"

    The MTA (e.g. qmail) is extended so that it examines all mail coming into the domain. If the addressee has a string on the end that fits the function, the extension checks the database for that entry. That entry is only allowed to pass 1 email through. If no email has passed through yet, and the address was "recently" registered in the db, the MTA extension marks the address as "used up" and records who it's from. Then the extension passes the email through to the intended recipient, in this example "slantymoniker@slashdot.org". If the address already was used to pass an email through, or it was registered "a long time ago" (e.g. more than an hour after the page was generated for a browser), then the MTA extension would reject the email.

    This way, if a harvester gathers the address in a crawling sweep, it would have to immediately fire off a spam email to that address in order to take advantage of it (unlikely since my understanding is that harvesting happens separately from spam runs). Even if spammers re-tooled to do "collect and spam immediately", they could only send one spam per harvest, and not resell or reuse the email address later since it's only good for one shot (like many anonymous address offerings out there).

    I haven't seen anything quite like this implemented but would love to know if someone's already offering/doing this.
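    The scheme above, worked through as an added example (not slantymoniker's code, and not a real qmail extension). Both halves are in one class for clarity: mint() is what the page generator calls on every page load, route() is what the MTA-side check would do per inbound recipient. The "function known only to the page author" is taken to be a truncated HMAC over a random nonce, so the MTA can throw away forged tags before touching the database; the secret, the base address slantymoniker@slashdot.org and the one-hour window are assumptions. The store is an in-memory dict standing in for the MySQL table.

```python
import hmac
import hashlib
import secrets

# Assumed values (not from the original post).
SECRET = b"site-admin-only-secret"     # the "function known only to the page author"
BASE_LOCAL = "slantymoniker"
DOMAIN = "slashdot.org"
NONCE_HEX = 8                           # 32-bit random nonce, hex-encoded
MAC_HEX = 8                             # truncated HMAC tag appended to the nonce


def _tag_for(nonce: str, secret: bytes = SECRET) -> str:
    """nonce || truncated HMAC(secret, nonce): the MTA can reject forged tags
    without a database lookup because it can recompute the MAC."""
    mac = hmac.new(secret, nonce.encode("ascii"), hashlib.sha256).hexdigest()[:MAC_HEX]
    return nonce + mac


class OneShotAddresses:
    """Page side mints per-page-load addresses; MTA side admits one mail per tag."""

    def __init__(self, secret: bytes = SECRET, window_seconds: int = 3600):
        self._secret = secret
        self._window = window_seconds
        self._db = {}   # tag -> {"issued": epoch_seconds, "used_by": sender or None}

    # --- called by the page generator on every page load ---
    def mint(self, now: int) -> str:
        nonce = secrets.token_hex(NONCE_HEX // 2)
        tag = _tag_for(nonce, self._secret)
        self._db[tag] = {"issued": now, "used_by": None}   # the "log it with a timestamp" step
        return f"{BASE_LOCAL}_{tag}@{DOMAIN}"

    # --- called by the MTA extension for each inbound recipient ---
    def route(self, rcpt: str, sender: str, now: int) -> tuple:
        """Return (accept, detail): detail is the real mailbox when accepted,
        otherwise the reason for rejection."""
        local, _, domain = rcpt.rpartition("@")
        if domain != DOMAIN:
            return False, "not our domain"
        base, sep, tag = local.partition("_")
        if not sep:
            return True, rcpt        # untagged mail: leave normal delivery alone
        if base != BASE_LOCAL or len(tag) != NONCE_HEX + MAC_HEX:
            return False, "malformed tag"
        if not hmac.compare_digest(_tag_for(tag[:NONCE_HEX], self._secret), tag):
            return False, "forged tag"
        entry = self._db.get(tag)
        if entry is None:
            return False, "tag unknown (never issued or already purged)"
        if entry["used_by"] is not None:
            return False, "tag already used"
        if now - entry["issued"] > self._window:
            return False, "tag expired"
        entry["used_by"] = sender          # burn the tag and record who used it
        return True, f"{BASE_LOCAL}@{DOMAIN}"
```

    The order of checks matters for load: format and MAC are verified before the database is consulted, so a spammer replaying thousands of made-up tags costs a hash each, not a query each. The cost on the human side is the one the comment itself flags: a visitor who copies the address and writes back the next day is rejected too, so the window and the one-message limit are a trade-off, not a free win.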

  99. What I've been working on.... by Dr.+Evil · · Score: 1

    ...but I've just been too busy to finish... and some Perl nut could probably finish it in 2 seconds:

    An Apache plugin which will activate whenever a mail address is going to be rendered, and will do the following:

    1. Store semi-permanently (refresh daily) (in a DB, RAM or a file...) a hash keyed with the email address found on the requested page. The hash contains minimally, the last time the address received mail and a count of mail received.
    2. Replace the address with only the first name of the account, with something like @nodomain.not
    3. Generate a random number and use it as a key for another hash, which points to the email address. This can live for hours, it doesn't really matter.
    4. Pop up a form with a hidden field containing a random number. The form has a Subject, a body, and a sender field. There is no recipient field.
    5. When the correspondent hits 'send', the server uses the random number to look up the address,
    6. The server then checks to see if the recipient has received mail from the source IP address within the past x minutes, and that the reply-to address is reasonably valid (e.g. passes a DNS query... nothing is sent to the reply-to address)
    7. If everything is o.k., the server then sends the mail to the recipient, including the source IP address, along with the appropriate reply-to address and the random number
    8. The fact that the message was sent is stored in the hash keyed by the email address, along with the random number (this is necessary to protect the server from being flooded by bogus undeliverable messages)
    9. The from address is set to the server... if a not found, undeliverable, or similar error appears, then the type of error is recorded in the field keyed by the mail address, the random number appears in the undeliverable message.
    10. The sender gets a URL with the magic number, which they can click on to check the delivery status... Only the status is shown, not the message.
    11. When the recipient receives the message, they're free to ignore it or reply.

    The mail database can clear itself every arbitrary period... something to make undeliverable messages meaningful.

    The system could also be expanded to allow for total refusal of receipt from that server by the recipient clicking on a URL.

    It's a bit hackish, and not a thorough plan, there are abuse details I've omitted, but I think it is a relatively simple system. The important part is to make the databases transparent and the system as trivial to configure as just saying "load module"... The other important part is that nobody ever sees the email address, and being a module, it even applies to dynamic pages.

    1. Re:What I've been working on.... by hondo77 · · Score: 1

      It's not the hiding of addresses that is the problem. It is that spammers (and the ones in China seem to be a very determined lot) come up with ways to automate form submission. In my site's case, they automated pulling up the form, taking all the hidden variables and submitting the form with those variables. With the old formmail.pl, it was easy--you just submitted to formmail.pl even if the address was hidden. With my little hack, you had to get the hidden variable from the form displayed and submit it within five minutes. Spammers have deemed my little bodybuilding site worthy of their attention.

      --
      I live ze unknown. I love ze unknown. I am ze unknown.
    2. Re:What I've been working on.... by Dr.+Evil · · Score: 1

      There are multiple problems though, hiding addresses is a problem for spammers who build target lists.

      Using the cgi where the client can control the recipient address for any mail is bad, even if it can't be used for high-volume spam, it can still be used by stalkers, crackers, etc.

      The method I posted above does not allow you to send email to anyone whose address did not appear in a page which has been viewed (relatively) recently. The hidden field is just for the random key. There isn't a lot you can do with that key --- a governor will trip when you've sent (or attempted to send) too much mail too quickly... unless you rotate source IP addresses... a lot.... and you still can't see or control the recipient.
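      An added example covering steps 3 through 7 of Dr. Evil's plan and the point made in the reply just above: it is not the Apache module the comment describes, and it stops short of the bounce tracking and status URL in steps 8 to 10. The formmail-style handler is included first so the difference is visible in code: there the recipient is a form field the client fills in, here the form carries only an opaque token the server maps back to an address, with a per-(recipient, source IP) governor and a syntactic reply-to check standing in for the DNS query (nothing is sent to the reply-to address). The addresses, IPs, window sizes and the send() callback are all assumed.

```python
import re
import secrets
from collections import defaultdict

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def formmail_style_send(form: dict, send) -> str:
    """The pattern the thread warns about: the recipient is a form field,
    so the handler is an open relay for anyone who can POST to it."""
    send(to=form["recipient"], reply_to=form.get("email", ""), body=form.get("body", ""))
    return "sent"


class TokenRelay:
    """Steps 3-7 of the plan above: the form carries only an opaque token that
    the server maps back to an address; the client never names the recipient."""

    def __init__(self, token_ttl: int = 3600, governor_window: int = 600, max_per_ip: int = 3):
        self._tokens = {}                 # token -> (address, issued_at)
        self._recent = defaultdict(list)  # (address, src_ip) -> send timestamps
        self._ttl = token_ttl
        self._gov_window = governor_window
        self._max_per_ip = max_per_ip

    def issue_token(self, address: str, now: int) -> str:
        """Called when a page containing `address` is rendered; the returned
        token goes into the form's hidden field instead of the address."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (address, now)
        return token

    def submit(self, form: dict, src_ip: str, now: int, send) -> str:
        entry = self._tokens.get(form.get("token", ""))
        if entry is None:
            return "rejected: unknown token"
        address, issued = entry
        if now - issued > self._ttl:
            return "rejected: token expired"
        reply_to = form.get("reply_to", "")
        # Step 6 calls for a DNS check on the reply-to domain; offline we only
        # check the syntax. Nothing is ever sent to the reply-to address.
        if not ADDR_RE.fullmatch(reply_to):
            return "rejected: bad reply-to"
        key = (address, src_ip)
        recent = [t for t in self._recent[key] if now - t < self._gov_window]
        if len(recent) >= self._max_per_ip:
            self._recent[key] = recent
            return "rejected: governor tripped"
        recent.append(now)
        self._recent[key] = recent
        # Any "recipient" field the client sends is simply ignored.
        send(to=address, reply_to=reply_to, body=form.get("body", ""), src_ip=src_ip)
        return "sent"
```

      Two things the code makes concrete. First, the token on its own does not stop form spam: as hondo77 describes, a bot can fetch the page, read the hidden field and submit inside the window, so the governor is what actually bounds the volume, and only until the spammer rotates source addresses. Second, what the token does buy is that a submission, bot or not, can only ever reach an address that was legitimately on a recently served page, which is the property the formmail-style handler lacks.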

  100. Something Simple by jawschlech · · Score: 1

    Interestingly, I've yet to get spam on the account with which I post to Usenet(!) and I've been using it for at least a month now, albeit not too often. I just have my return address as: Name: remove the scientist Addy: foo@bar.einstein.com It seems to be rather effective, and I'm questioning whether any spambot would bother to parse emails for certain phrases. Though I'm probably gravely underestimating the lengths these people are willing to go through to offer me penis enlargements and bad real estate, you don't have to completely abolish all dreams I might have of a last shred of decency in the human race.

    --
    JAWSchlech "The secret to success is knowing who to blame for your mistakes." - Despair.com