Slashdot Mirror
How Do You Fool Spam Bots?
ThisIsAnExampleAccou asks: "I am currently researching Spam Bots, and the various methods by which they collect addresses. While doing my research, I have started to notice the various ways that people post their email addresses to fool spam filters (i.e. bob@hottroutmail.com - go fishing to mail me) What clever ways have you seen/done to fool spambots while still letting people know how to get in contact with you?"
I post my address unobfuscated, you insensitive clod!
455fe10422ca29c4933f95052b792ab2
On another web page, the email addresses are protected by passwords, so the general public can't see it.
On another web page, I use a web-based form people can fill in, so there is no email address exposed.
I'm frustrated because my spambot hasn't been picking up nearly as many email addresses recently, as comparared to what it used to. Some people out there are really clever! :-( Could you please detail to me exactly how you try and keep me from harvesting your address? Oh, and putting into a testcase form would just be the icing on the cake!
Sincerely,
Your Friendly Neighborhood Spammer
You just need your own domain... where you can recieve email for any address at that domain.
Every time I give out an email address to someone new I give them a unique email address. Every time I put my email into a web form for some company they get it in the following format:
companyname@mydomain.com
friends can get silly things like:
spankie@mydomain.com or whatever.....
other examples:
planetside@myname.com
jobs@myname.com
bioinformatics@myname.com
Then, if I begin recieving spam on one of the addresses I know exactly who it is coming from or who at least is responsible for giving out my email address. I can also go in and specifically turn off the offending email address, or better yet have each mail recieved fire off a "custom" error message or some script I have setup.
I've been using this method for a year and believe it or not I don't recieve more than 1 spam mail a week and never recieve it more than once on any given address. What is wonderful is that I have no fear or worry about giving out email addresses any more.
--Chris
You could add both a "From: " and a "Sender: " header to your usenet/mailing list postings:
:-)
From: you@yourdomain
Sender: blockme@yourdomain
You'll gets tons of spam to both addresses (not neccessarily the same spam, unfortunately - that would make filtering real easy). You run SpamAssassin (or similar) to filter mail to your real address, and you run "spamassassin -r" or "razor-report" to handle mails sent to your spamtrap address (making the Razor service, and in turn, SpamAssassin, more efficient at identifying these spams).
Better yet, if your MTA is Exim, use SA-Exim to add teergrubing functionality to SpamAssassin. Oh, the satisfaction!
- Don't post/give out the address in the first place.
;)
- Use a fairly trivial bit of JavaScript to mangle the address, but render it properly in the browser.
- Referral to my CGI based contact form that doesn't include the addresses on the client.
- Lame mangling such as used by Slashdot.
Note that posting in plain test is not up there. I've recently dumped an email address I've been using for over a decade due to an inordinate amount of spams and Joe Jobs. Times have changed, and so have my attitudes to giving out my email address. Total spams in my inbox since doing this in August is just three (yes that's right - I've seen one spam a month), previously I was getting (with filtering) about 40 a day!UNIX? They're not even circumcised! Savages!
I encode the IP address of whoever's requesting the email address and the current date and time. So each request gets a unique email address.
;)
The file is forbidden by the robots.txt file. I don't think that it surprises anybody that it still has gotten spambotted.
Gentoo Sucks
I am currently researching Spam Bots, and improving the methods by which they collect addresses. While doing my research, I have started to notice that people post their email addresses to fool spam filters (i.e. bob@hottroutmail.com - go fishing to mail me) What clever ways have you seen/done to fool spambots while still letting people know how to get in contact with you?
There are no trails. There are no trees out here.
I recently tried to email the maintainer of a web page and quickly discovered that the listed email address wasn't text, it was rasterized text in a GIF file. Unless the bot can do OCR, it can't read it. The only problem is that this trick is hostile to the blind.
Mea navis aericumbens anguillis abundat
Sometimes I spell mine out. As in, myadress AT hotmail DOT com.
Someone ever tries to kill you, you try to kill them right back!
1) For USENET messages, I use a Hotmail address that I check once in a blue moon, and a note in my sig that I don't check that address very often
2) For mailing lists, I use a free address that I can change at any time.
3) For online forums, "PM me for my e-mail address"
Does quite well at keeping my main address free of spam
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I use a good ol' jpeg file. Has never ever let me down. Not even once. Also, I've got a spider trap on my website.
Get revenge: Unsolicited Commando
very simple, and the address I post to newsgroups rot13'd doesn't recieve very much spam at all.
I am fooling spam engines using many of the techniques discussed in the /. article posted on this subject earlier this month.
/ 22 6221
http://ask.slashdot.org/article.pl?sid=03/10/02
Cheers,
J
How'd ya piece that one together, Steinbeck?
Sincerely,
3s93jgwd6hyj61g6uo9@4ur5o5cfhp25qpahtr12.com
Damn it - all this work to obfuscate my email address ( bob AT hottroutmail DOT com), the hours and hours of research, the black/grey/whitelists, the spamassassin configs - all to no avail as some smart guy posts my email on the "Email Account O Rama" that is /.! ALL WASTED!
Seriously though, on a side note - I used to do the easy obfuscating, the user(AT)domain(DOT)com, the user@no-spamdomain.com, etc etc but then I started thinking...
I know if *I* were to plan an email harvesting bot, I'd definately add things like "(AT)", "(DOT)", "NO-Spam", "RemoveTHis", "Remove-This", etc etc as keywords to email addresses. Odds are I'd get even more valid addresses that way, since it's so common place. You could even do it via a Google search of "NOSPAM" +COM -"nospam.com" and variations of it. Sure, there's a lot of things that pop up that DON'T have to do with an email address, but click next a few times and look, it'll pull things up. I'm almost attempted to write a little script with the google api to see how many valid addresses I could pull up like this.
It's because of this reason that (except for Slashdot's obfuscating) I don't do anything except try to run the best anti-spam setup I can.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
There's been some research on what methods work best. The CDT put out a paper in March detailing their experiment and its results. It was also covered on Slashdot.
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
I'm writing an evil spambot email collection tool. Much to my surprise, people are making it hard for me to collect email addresses to sell to the scum-of-the-earth spammers. How do you change your email address to fool spambots like mine? This way I can create a new spambot that can determine what your real email address is so that we can stuff it with spam. Please ignore my shinny new account and the trolling I'm doing cleverly disguised as an EXPERIMENT.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
If you have your own domain you can do this:
I set up 1000 mx records like mail0001.mydomain.com, mail0002... etc. Then I setup my mail program with myaddress@mail0001.mydomain.com. Every time I sent mail to someone I would increment the number by one. Whenever one of those addresses got spammed I would delete the MX record. And I would know which asshole spammed me.
The nice thing about blocking spam via DNS is that the spammers never connect to your SMTP server, which saves a lot of bandwidth.
My email is filtered, so I don't worry about hiding my email address. It's pretty much always at the cost of the convenience of people trying to mail me, and the spammers will find the one place where it is posted (possibly by someone else) in the clear.
By the time spam gets through SpamCop with the zones I've said, two spam a day is unusually high.
Other ANTI-SPAM techniques: Basically the best method is to never let your e-mail address appear in a machine-parseable format except in places where other data is supposed to go. For example, the 'from' address in all my e-mails is just a forwarder address and not my real address. The point of this is that when some luser that I sent mail to gets infected with the latest mass mailing worm, my real e-mail address will NOT appear in their address book and be spread across half the net. I can just change the forwarder whenever I want. Of course in the 'name' field if the e-mail it shows [My Name (myname-at-mydomain-org)] so the real address can be found that way by anyone with a clue.
Life is too short to worry about obfuscation. I post my full email everywhere, and if I get spammed, well, I use AOL's handy dandy "Report Spam" button. It blocks the domain and keeps me from getting spam in the future. Pushing the limit: Can I mention that I use AOL for email and not get -1 Flamebait?
There are some people who spell out the email address as "john at domain dot com" as if the spam harvester hasn't heard of regular expression and wild card searches. All they need to do is search for a pattern "* at * dot com" or something similar. Then they can do a lookup on the domain name to be even more confident.
I use attribute around "@" on my homepage. me<strong>@</strong>mydomain.org renders to me@mydomain.org, which is easy to cut and paste, but not trivial for bots to extract.
Anybody who reads slashdot, or obfuscates their email address, is not going to buy any spam advertised product. So perhaps, it's better you don't harvest those emails.
With that said, I prefer my analog generated, random noise filtered, grayscale solution. Yes, nothing beats a black and white scan of a handwritten copy of my email address. How many shades of gray can you parse.
What do you mean my sig is repetitive? What do you mean my sig is repetitive? What do you mean....
the spam bot authors have already patched their bots for anything mildly useful mentioned in this thread.
Hey, what says you aren't a spammer who urges to find out our secret tricks?! =D
Dispose of them if you ever get junk mail, and you will know exactly which companies not to trust or which web page got spidered.
I get no spam and haven't for several years now. I have had to generate a total of 5 or 6 new addresses for my own vanity page since that one does get spidered from time to time. People can still simply click and mail me.
The downside is that the address that someone uses today to mail me may not exist 6 months from now, and unless he checks my page for an updated address, he may think I don't exist any longer either. But that's okay, I think.
-h
the email links on my site bring up a little php form which asks for name of the president of the usa, like the turing test in blade runner. javascript checks onkeyup for input. when it matches bush, the form submits and displays an email link. since php is server side there is no way round answering the question to get at the address. i also have catch all email at the domain, so i use php to make the email address start with the current ip address of the sender. that way, if a generated address gets spammed it is easy to filter. of course, no manual spammer would be stupid enough to give away his ip address like this...
the other day somebody called me and said they couldn't send an email to me as the form didn't react. i asked what she was typing in and she said "clinto... whoops!" We both laughed out loud and she was embarrassed. now it accepts 'bush' or 'clinton'.
Comment removed based on user account deletion
Displays perfectly, user can copy and paste, but slightly harder for spambots.
:(
micah@yoderdev.com
There was a Slashdot story about someone's research on this topic a while ago, and they found that entities do decrease the amount of spam significantly.
Of course, the $#@%$# spammers probably figured that out by now.
I wrote a simple CGI page that spews forth about 100 very annoyingly random email address, such as:
t ...
hdyewjds@kfdjufkfdiu.com
jdydmjfud@jrjcufdk.ne
The trick is that it waits for 5 seconds in between each email address, giving the viewer the impression that the page is loading slow as balls for some reason. In theory, a spambot will sit there and wait for the page to load, then parse it, and follow any links to more pages. You have a link waiting that sends you to another site with the same CGI on it, they in turn pass the bot on, and etc....
Its all theory based on my limited knowlage of how spam bots work. But if it succeeds at loading up spam lists with tons of crap, we should all be doing it.
I may rewrite it to just insert tons of crap commented emails in all my main pages, make it even harder for the spammers to avoid.
--Nuintari
slashdot : where an opinion can be wrong.
very effective!!
raj
Sarovar.org Hosting for open source projects in Indi
Any method of munging the address must still be clickable within the visitor's browser. If it is clickable, it can be harvested. Javascript and html encoding may stop most of the bots, but bots exist that can slurp the address no matter how much javascript you wrap it in.
I use a PHP email form that never sends the address to the to client accessing it. Short of hacking the server and looking at the php script in plain text, there is no way to harvest the address. I have no need to let the public know my address. If they want to email me, use the form or use my site's message board.
I don't want the guy getting slashdotted, so I won't link his site. If you really want the script I use (available in PHP or ASP), go to hotscripts.com and search for dbmaster's mail form.
Only on
for yet another javascript address mangler/demangler, check out
AddressScrambler
Don't listen to people who say these don't work -- if a spammer can spend $x and a get buzillion unmasked addresses, but has to spend a great deal more to get a few hundred masked ones, what do you think he or she will do? And to the people who say -- yeah, but what about when everyone starts doing this? Everyone is not about to start doing this. Relax.
who's moderating the meta-moderators?
Look, the guy who wrote this isn't a spammer. I think spammers know that anyone on /. isn't going to open spam anyway.
It creates email addresses on the fly, and forwards email to my real email address. If I buy something from amazon.com, I'll create an address like amazon@myUsername.endjunk.com. If I start getting spam at that address, I block email to that address, and I also know who the bastard is--and don't go to that website anymore.
http://www.mailinator.com
Are you a Candy Addict?
I'm on a Mac and my unit requires using Lotus Notes and I am NOT an administrator. I use Lotus Notes built in filter but it is not nearly enough. What can I do?
Can I bum a sig?