Slashdot Mirror

← Back to Stories (view on slashdot.org)

How are You Preventing Mailto-Link Harvesting?

Posted by Cliff on from the making-it-harder-for-the-spammers dept.

mixwhit asks: "In our ever increasing effort against spam, we are now considering replacing all mailto: links on our website with something unharvestable (i.e. 'user (at) address', javascript mailto links, character entity evasion, etc.). Obviously this won't stop the spam, but it seems prudent to stop the harvesting so that the spam may slow down someday (year 2024 maybe?). What are others doing with this issue? We would prefer to preserve mailto link clickability, but also only want to make this adjustment once." One suggestion I would make is to put your email address in an image. People can read it, but harvesters won't be able to harvest it (unless they download the image for OCR), but any barrier you can place in front of the spammer, without blocking people honestly interested in communicating with you, is probably a good thing.

6 of 229 comments (clear)

  1. Un-what? by devphil · · Score: 5, Informative
    replacing all mailto: links on our website with something unharvestable (i.e. 'user (at) address'

    What makes you think "user at mail dot foo dot com" is unharvestable? The web archives of all the development mailing lists at gcc.gnu.org use that scheme, and we still get spam to unique addresses used only for sending mail to those lists.

    It's a handy technique, and useful, but it's certainly not foolproof.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  2. simple js by anim8 · · Score: 5, Informative

    <script>
    <!--
    var u = "sales" ;
    var d = "example" ;
    var t = "com" ;
    var a = u + '@' + d + '.' + t ;
    document.write('<a href="mailto:'+a+'">'+a+'</a>') ;
    //-->
    </script>

  3. Hiveware's Enkoder by jpsowin · · Score: 3, Informative

    Just use this. Life is good, eh?

    1. Re:Hiveware's Enkoder by dimator · · Score: 3, Informative

      This is a really cool idea, actually. Two things though: it increases the document size a good deal, since the my email address (19 characters) becomes a 1383 character string. This could really add up if you had more than one email address on the page (such as a mailing list archive). Although, in the world of broadband, thats a small price to pay.

      The other thing is, if you are using this, you'd be wise to change the string 'hiveware_enkoder' to something unique. The reason being, if spam harvesters really wanted to, they could recognize that string, and have their own javascript engine handy run the script to get at the email address hidden inside. That's a lot of work, but not entirely impossible. If the Hiveware system gains many users, it might be worthwhile for them.

      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  4. Re:Mail form by skookum · · Score: 3, Informative

    That is only the case if you are running an ancient, brain dead copy of the original (Matt's Script Archive) formmail.pl. But you'd be a retard for doing that and deserve everything you get. Modern formmail scripts do not allow spam through.

  5. Re:Javascript mailto links... vulnerable? by Specialist2k · · Score: 4, Informative
    There are e-mail harvesting bots which use the Microsoft HTML ActiveX control, so they can and will execute any JavaScript present on the page.

    Wait... this provides some nice opportunities to cause them a major headache by including malicious JavaScript code on a page only seen by a bot not following the robots exclusion protocol (to prevent a "real" search engine spider from visiting the page) by linking to that page using some hidden link from your home page...