Slashdot Mirror


How are You Preventing Mailto-Link Harvesting?

mixwhit asks: "In our ever increasing effort against spam, we are now considering replacing all mailto: links on our website with something unharvestable (i.e. 'user (at) address', javascript mailto links, character entity evasion, etc.). Obviously this won't stop the spam, but it seems prudent to stop the harvesting so that the spam may slow down someday (year 2024 maybe?). What are others doing with this issue? We would prefer to preserve mailto link clickability, but also only want to make this adjustment once." One suggestion I would make is to put your email address in an image. People can read it, but harvesters won't be able to harvest it (unless they download the image for OCR), but any barrier you can place in front of the spammer, without blocking people honestly interested in communicating with you, is probably a good thing.

16 of 229 comments

  1. Mail form by NaDrew · · Score: 4, Insightful

    Just use a mail form instead of mailto: links. Once you reply to feedback mail, the sender has your address and you can correspond normally. Meanwhile, evil spambots can't harvest an address that isn't shown anywhere.

    --
    Vista:XPSP2::ME:98SE
    1. Re:Mail form by skookum · · Score: 3, Informative

      That is only the case if you are running an ancient, brain dead copy of the original (Matt's Script Archive) formmail.pl. But you'd be a retard for doing that and deserve everything you get. Modern formmail scripts do not allow spam through.

  2. Beware of disability advocates by bluelip · · Score: 4, Interesting

    People fighting for those who have difficulty seeing have been complaining about the sites that have a person type a number displayed in an image to verify that they're not a bot. They say it causes undue hardship on sight impaired folks. That may not be a legal fight your company would like to enter.

    I can see both sides of this. Can't say I know where to stand though.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
    1. Re:Beware of disability advocates by glivings · · Score: 4, Insightful

      The problem with having e-mail addresses encoded in images goes beyond excluding the blind. People with text-only browsers (a la lynx), screen readers, PDAs, cell phones, etc. are all excluded.

      It's important to remember that web pages are not always rendered visually.

  3. Un-what? by devphil · · Score: 5, Informative
    replacing all mailto: links on our website with something unharvestable (i.e. 'user (at) address'

    What makes you think "user at mail dot foo dot com" is unharvestable? The web archives of all the development mailing lists at gcc.gnu.org use that scheme, and we still get spam to unique addresses used only for sending mail to those lists.

    It's a handy technique, and useful, but it's certainly not foolproof.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  4. simple js by anim8 · · Score: 5, Informative

    <script>
    <!--
    var u = "sales" ;
    var d = "example" ;
    var t = "com" ;
    var a = u + '@' + d + '.' + t ;
    document.write('<a href="mailto:'+a+'">'+a+'</a>') ;
    //-->
    </script>

    1. Re:simple js by xingdiego · · Score: 3, Interesting

      I recommend the above method plus:

      1) Randomize the variable names for u, d, t, and a
      2) Randomize the position of var XX = XX statements.

      This will reduce simple regex replacements if your site is big enough with enough emails that someone would want to create a simple reg mod to harvest it.
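
The two randomization steps xingdiego lists, applied to anim8's snippet, as an added example (not code from either commenter). The names `buildSnippet` and `render` are hypothetical, and the generator is assumed to run under Node each time a page is built:

```javascript
// Added example: emit the document.write snippet with random variable
// names (step 1) and shuffled declaration order (step 2).
function randomName(used) {
  const letters = 'abcdefghijklmnopqrstuvwxyz';
  let name;
  do {
    name = '_';
    for (let i = 0; i < 6; i++) {
      name += letters[Math.floor(Math.random() * letters.length)];
    }
  } while (used.has(name));
  used.add(name);
  return name;
}

function shuffle(items) {
  // Fisher-Yates shuffle on a copy
  const a = items.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(Math.random() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

function buildSnippet(address) {
  // Strict character set so nothing needs HTML or JS escaping later.
  const m = /^([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)\.([A-Za-z]{2,})$/.exec(address);
  if (!m) throw new Error('expected user@domain.tld');
  const used = new Set();
  const [u, d, t, a] = [0, 1, 2, 3].map(() => randomName(used));
  const decls = shuffle([[u, m[1]], [d, m[2]], [t, m[3]]])
    .map(([name, value]) => `var ${name} = ${JSON.stringify(value)};`);
  return [
    ...decls,
    `var ${a} = ${u} + '@' + ${d} + '.' + ${t};`,
    `document.write('<a href="mailto:' + ${a} + '">' + ${a} + '</a>');`,
  ].join('\n');
}

// Run a generated snippet against a stub `document` to see what a
// browser would write into the page.
function render(snippet) {
  let out = '';
  const document = { write: (s) => { out += s; } };
  new Function('document', snippet)(document);
  return out;
}
```

The output of `buildSnippet` goes between `<script>` tags in place of the hand-written version; `render` is only there to confirm that every variant still produces the same link.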

  5. Hiveware's Enkoder by jpsowin · · Score: 3, Informative

    Just use this. Life is good, eh?

    1. Re:Hiveware's Enkoder by dimator · · Score: 3, Informative

      This is a really cool idea, actually. Two things though: it increases the document size a good deal, since my email address (19 characters) becomes a 1383 character string. This could really add up if you had more than one email address on the page (such as a mailing list archive). Although, in the world of broadband, that's a small price to pay.

      The other thing is, if you are using this, you'd be wise to change the string 'hiveware_enkoder' to something unique. The reason being, if spam harvesters really wanted to, they could recognize that string, and have their own javascript engine handy run the script to get at the email address hidden inside. That's a lot of work, but not entirely impossible. If the Hiveware system gains many users, it might be worthwhile for them.

      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  6. Missing the point by jtheory · · Score: 4, Insightful

    You have to consider the trade-off of the inconvenience of your readers/customers with the amount of spam you get.

    I have a few websites with my email address all over them, in mailto links. I "mask" the email very lightly, by escaping most of the characters, and it has worked beautifully.

    Here is a webpage that will quickly convert your mailto link into a form that bots will miss.

    Could a bot be written that would be able to harvest these email messages? YES. But would it be worth the spammer's time to code it? NO, so it probably won't happen.

    Put yourself in the spammer's shoes (or slime-covered bedroom slippers). Why would you want to go to a lot of work to build a bot that will harvest the email addresses of the very people you don't want to get your spam, because they will report you to spamcop, harass your ISP, and even hack your computer and post some very unattractive pictures of you on the internet?

    No, they want the chumps, and they want to find them without needing to check every webpage for dozens of patterns.

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
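
The light masking jtheory describes, as an added example that is not the converter page linked in the comment. It assumes the escaping is done with HTML numeric character references and escapes every character rather than "most"; `maskMailto`, `decodeEntities` and `plainScanFinds` are hypothetical names:

```javascript
// Added example: mask a mailto link with HTML numeric character references.
function toEntities(text) {
  // Alternate decimal (&#115;) and hex (&#x61;) forms so no single
  // literal pattern describes the output; browsers decode both the same.
  return Array.from(text).map((ch, i) => {
    const cp = ch.codePointAt(0);
    return i % 2 === 0 ? `&#${cp};` : `&#x${cp.toString(16)};`;
  }).join('');
}

function maskMailto(address, label) {
  const href = toEntities('mailto:' + address);
  const text = toEntities(label === undefined ? address : label);
  return `<a href="${href}">${text}</a>`;
}

// What an HTML parser does to numeric references (decimal and hex only),
// used here to confirm the link a visitor gets is unchanged.
function decodeEntities(html) {
  return html.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, n) =>
    String.fromCodePoint(/^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
}

// Pre-publish check: does a plain pattern scan of the raw markup
// still see an address or a mailto: scheme?
function plainScanFinds(html) {
  return /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/.test(html)
    || /mailto:/i.test(html);
}
```

Each character grows to five or six bytes of markup. The check only confirms that a plain pattern scan of the raw page finds nothing, which is the limit of the protection the comment claims.
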
    1. Re:Missing the point by An+Anonymous+Hero · · Score: 3, Funny
      Here is a webpage that will quickly convert your mailto link into a form that bots will miss.
      You know, there is a concept here. "STOP SPAM FOREVER IN TWO EASY STEPS:
      • enter your email adress HERE
      • click OK!
      This is the BEST, FOOLPROOF way to NOT GIVE YOUR ADDRESS AWAY!!"
  7. Re:Don't bother, it's too late by Rick+the+Red · · Score: 5, Interesting

    No kidding. Comcast gives us seven email addresses, so I set one up for each of us. My three month old gets spam, and nobody has EVER used that account (except me sending a test email when I first set it up). These scum just take a brute-force approach to generating email addresses, and don't care how many are undeliverable. They come with opt-out buttons, but all those do is confirm they found a valid address, and they never send from the same address twice, so adding them to a filter list doesn't work either. Bayesian filters on the content are the only way to go.

    --
    If all this should have a reason, we would be the last to know.
  8. Re:it works like this by FrenZon · · Score: 3, Interesting

    Alternatively, to keep it transparently usable by end-users, you can just do like this:

    <a href="mailto:false@false.com" onmouseover="var a = 'in.com'; this.href = 'mailto:real@doma'+a;">email me</a>.

  9. "block images from this server" by KnightStalker · · Score: 3, Insightful

    I suspect you're using an ad-blocking browser or proxy, which has blocked the image itself but has left a large (clickable) white space that would be the image if you hadn't blocked it. That's the behavior Firebird shows for me, blocking ads.osdn.com. If you're using Mozilla or Firebird, and you right-click on the "background" I think you'll find "block images from this server" or "block images from ads.osdn.com" checked.

    --
    * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
  10. Re:Uhh... by Webmonger · · Score: 3, Interesting

    You can't embed an image in the href text, so I don't see how this suggestion gains us anything at all.

    Actually, you can.
    data URL examples

    Sick, eh?

  11. Re:Javascript mailto links... vulnerable? by Specialist2k · · Score: 4, Informative
    There are e-mail harvesting bots which use the Microsoft HTML ActiveX control, so they can and will execute any JavaScript present on the page.

    Wait... this provides some nice opportunities to cause them a major headache by including malicious JavaScript code on a page only seen by a bot not following the robots exclusion protocol (to prevent a "real" search engine spider from visiting the page) by linking to that page using some hidden link from your home page...