Best Method For Foiling Email Harvesters?
pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addresses from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ASCII encodings for some/all of the characters. 3.) Use JavaScript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret JavaScript? What do you use?"
My two favorite methods are:
- Putting the e-mail in a distorted picture (like a CAPTCHA) - this is very difficult for spam crawlers to read
- Using a long human-readable message: "tset ta tset tod moc.reverse.each.word.prior.to.first.dot.for.addr"
In general, your best defense is to employ some method that requires human interpretation.
Crack - Free with every butt and set of boobs
Yes, new email harvesters can parse javascript. A good spam filter in your inbox is nice...
If you make it hard for 'bad guys', you make it hard for your customers/friends too. Some people like having mail-to links, and you won't be able to do that easily with an image.
If you have a form to submit to on-line, tag it and let it go to the head of the class.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
Spend 10 minutes and make an HTML form for people to contact you. Be careful what you name your field names, though, as there are spam bots that can target web forms.
If people need to send you files, they can do so after you reply back to them.
IP geolocation and a shotgun.
Works for me.
Think of the Children; Sleep with your Sister
As for whether the harvesters can interpret javascript, I think that it depends on the particular harvester. You could analyze the source or the created page.
I have one email that I use specifically for REPLYING to emails and that one is the one that gets the MOST Spam.
I like microcars
I believe that Slashdot has a system for doing this. You have the option to hide your email, display it, or display a spam-resistant version of it. It seems to change all the time; currently mine is missing a chunk, replaced by [], and after the end it says ['ade' in gap]. I haven't gotten any extra spam in that account so it seems to work fine.
Does a line appended to your comment give your post meaning in and of itself, or only in relation to those without?
I use javascript and html encoded ASCII. The website my organization uses ( nonlogic.org ) is almost entirely php based with headers. So including the php header also includes the obfuscation script (which is only 1 line). To display an email addy we just do addy('name','domain') and that's that. Combined with gmail's filters and the fact I have a personal account for talking to humans, and a spam account that I use for anything requiring an email address to use, I never get a single piece of spam in my inbox. (And to my knowledge have never had any false positives).
Skiffy is Spiffy, but Ort is tort.
Use a mailto URL and deal with the resulting spam at the mail level; the cost of doing so is less than the cost of alienating potential customers.
However, on a personal site, images.
Use a table with 3 columns: the first with the first part of your email address, the second with @, and the third with domain.com. Simple searches on the page make it hard to find, and with a border of 0 the user won't notice the table.
There exists some positive integer N that you are the Nth person to read this signature.
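The table trick above, the HTML-entity encodings and the "user at example dot com" spellings mentioned earlier in the thread all fall to a harvester that normalizes the page source before matching. What follows is an added example, not code from the thread: a toy harvester in JavaScript, run over a constructed sample page (the addresses and the HTML are made up for this example). It does not execute any script; it only glues string literals together in source order, which is enough for a concatenated address. The spaced-out letters and the image are the two forms it does not recover.

```javascript
// Added example, not code from the thread: a toy harvester that normalizes
// page source before matching, to show which obfuscations it still defeats.
// SAMPLE_HTML is constructed for this example; the addresses are placeholders.

const SAMPLE_HTML = `
<p>Plain: <a href="mailto:plain@example.com">plain@example.com</a></p>
<p>Entities: &#112;&#97;&#114;&#116;&#105;&#97;&#108;&#64;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#99;&#111;&#109;</p>
<p>Spelled out: spelled at example dot com</p>
<table border="0"><tr>
  <td>table</td>
  <td>@</td>
  <td>example.com</td>
</tr></table>
<script>var m = 'm' + 'e@e' + 'xampl' + 'e.com'; document.write('<a href="mailto:' + m + '">' + m + '</a>');</script>
<p>Spaced letters: j o e [ a t ] e x a m p l e . c o m</p>
<p>Image: <img src="addr.gif" alt="our address"></p>
`;

const EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi;

// Join the string literals inside each <script> block in source order, so
// 'm' + 'e@e' + 'xampl' + 'e.com' collapses to me@example.com without running any JS.
function flattenScriptConcats(html) {
  return html.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, (_, body) => {
    const literals = body.match(/'[^']*'|"[^"]*"/g) || [];
    return ' ' + literals.map((l) => l.slice(1, -1)).join('') + ' ';
  });
}

// Dropping tags is what beats the zero-border table: the cells become
// "table", "@", "example.com" separated only by whitespace.
function stripTags(s) {
  return s.replace(/<[^>]+>/g, '');
}

// Decode numeric character references (&#NNN; and &#xHH;) and a few named ones.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;/g, '&').replace(/&lt;/g, '<').replace(/&gt;/g, '>');
}

// Undo "user at example dot com" (with optional brackets) and whitespace around @ and dots.
function undoSpelledOut(s) {
  return s
    .replace(/\s+[\[(]?at[\])]?\s+/gi, '@')
    .replace(/\s+[\[(]?dot[\])]?\s+/gi, '.')
    .replace(/\s*@\s*/g, '@')
    .replace(/(\S)\s+\.\s+(\S)/g, '$1.$2');
}

// Returns the de-duplicated, lower-cased addresses found in the page.
function harvest(html) {
  const text = undoSpelledOut(decodeEntities(stripTags(flattenScriptConcats(html))));
  const found = (text.match(EMAIL_RE) || []).map((a) => a.toLowerCase());
  return [...new Set(found)].sort();
}

console.log(harvest(SAMPLE_HTML));
```

Running it prints five addresses: the plain one, the entity-encoded one, the spelled-out one, the table one and the script-concatenated one. Only the letter-by-letter form and the image survive, and both of those cost the human visitor something too, which is the trade-off the rest of the thread keeps coming back to.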
I always assumed that my_email@removethis.gmail.com was enough.
Am I wrong?
The
Use a web form for message entry combined with a CAPTCHA to prevent spam from bots. The web app that processes the page can dump the message into a DB (for later retrieval by an admin page) or forward it via mail. Do NOT embed e-mail addresses in the page, even e-mail addresses built via JavaScript.
[Insert pithy quote here]
SpamGourmet.com
Makes it trivially easy to create a unique forwarding address for any website you care to visit, then set the domain of that site as an exclusive sender for that address.
If a 3rd party starts spamming you at that address, Spam Gourmet just drops it, but continues to deliver relevant mail.
Oh, and it's completely free.
I've had success using a simple server-side script that simply sets the 'Location:' header to an e-mail URL such as mailto:foo@bar.com. The advantage is that the e-mail address is not in the client-side code at all. Does anyone know if spam bots are able to harvest redirects like this?
--bsiegel
I used to list mine as lordkaNOSPAM@whatever.com
When the spambots started to strip out the NOSPAM they'd try sending email to lordka@whatever.com, which wasn't me.
Now, I just live with spam filters.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
edu@berkeley.student
gvcormac@uwaterloo.ca -- Bring it on!
Seriously, if we cower in fear, the spammers win. Obfuscating, Turing tests, whatever show fear.
I use a spam filter. Much easier than having everyone read your email through a captcha.
Provide your own custom "contact us" form and have it written to some backend database.
Hide in the webpage a bogus email address. Maybe in comments, maybe in the corner with a super tiny font which matches the background. Whatever mail gets sent to that address should be automagically blocked to all other accounts.
----
Go canucks, habs, and sens!
I've heard the following works fairly well, but haven't tried it m'self.
Put 2 email addresses on your web site, the real one, and a 'decoy' one which is hidden from normal users (eg white-on-white text right at the bottom of the screen).
Any email that arrives at the 'decoy' address is parsed, and the sender added to a blacklist.
Quidquid Latine dictum sit, altum videtur (anything said in Latin sounds important)
I use Maia MailGuard and just set a bunch of spam traps in my HTML files.
Any mail sent to these traps is automatically marked as spam and filtered according to your spam settings.
Some of the "traps" are super obvious too, but it works.
Here are a few:
spamking@frodoslair.net
dumbass@frodoslair.net
idiotspammers@frodoslair.net
and so on....
I believe anyone that would sell these harvested addresses would have some pissed off customers when they saw these entries in the list!
I'd rather have a bottle in front of me than a frontal lobotomy
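The decoy-address posts above (hidden white-on-white addresses, comment-only mailto links, obvious trap names) all rely on the same rule: nobody legitimate was ever given the trap address, so anyone mailing it harvested it. Here is an added example of the mail-side half of that, not code from the thread or from Maia MailGuard: a small JavaScript classifier that parses message headers, recognises a hit on a trap address, and blocks the sending address and IP for subsequent mail. The trap list, the blocklist state and the three sample messages are constructed for the example.

```javascript
// Added example, not code from the thread: mail-side handling for decoy
// ("trap") addresses planted in a page's HTML. The trap list, the blocklist
// state and the three sample messages are constructed for this example.

const TRAP_ADDRESSES = new Set(['spamking@example.com', 'blah@example.com']);

// Minimal header parser: headers end at the first blank line; a line that
// starts with whitespace continues the previous header (RFC 5322 folding).
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const headers = {};
  let last = null;
  for (const line of head.split(/\r?\n/)) {
    if (/^\s/.test(line) && last) { headers[last] += ' ' + line.trim(); continue; }
    const m = line.match(/^([A-Za-z0-9-]+):\s*(.*)$/);
    if (!m) continue;
    last = m[1].toLowerCase();
    headers[last] = headers[last] ? headers[last] + ', ' + m[2] : m[2];
  }
  return headers;
}

const ADDR_RE = /[^\s<>,;"]+@[^\s<>,;"]+/g;
const addressesIn = (v) => ((v || '').match(ADDR_RE) || []).map((a) => a.toLowerCase());

// Returns 'trap', 'blocked' or 'deliver' and updates the blocklist in place.
function classifyInbound(raw, state) {
  const h = parseHeaders(raw);
  const recipients = [...addressesIn(h.to), ...addressesIn(h.cc)];
  const sender = addressesIn(h.from)[0] || null;
  const ipMatch = (h.received || '').match(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/);
  const ip = ipMatch ? ipMatch[1] : null;

  if (recipients.some((r) => TRAP_ADDRESSES.has(r))) {
    // No human was ever given a trap address, so this sender harvested it.
    if (sender) state.blockedSenders.add(sender);
    if (ip) state.blockedIps.add(ip);
    return 'trap';
  }
  if ((sender && state.blockedSenders.has(sender)) || (ip && state.blockedIps.has(ip))) {
    return 'blocked';
  }
  return 'deliver';
}

// Constructed sample traffic: a hit on the trap, then the same source mailing
// the real address, then an unrelated legitimate message.
const SAMPLE_MESSAGES = [
`Received: from bulk.example.net ([203.0.113.9]) by mx.example.com
From: "Deals" <offers@bulk.example.net>
To: spamking@example.com
Subject: cheap watches

buy now`,
`Received: from bulk.example.net ([203.0.113.9]) by mx.example.com
From: "Other Deals" <promo@bulk.example.net>
To: sales@example.com
Subject: cheap watches again

buy now`,
`Received: from mail.customer.example ([198.51.100.20]) by mx.example.com
From: Jane Customer <jane@customer.example>
To: sales@example.com
Subject: quote request

Hello, could you send me a quote?`,
];

function runSamples() {
  const state = { blockedSenders: new Set(), blockedIps: new Set() };
  return SAMPLE_MESSAGES.map((m) => classifyInbound(m, state));
}

console.log(runSamples()); // [ 'trap', 'blocked', 'deliver' ]
```

Two caveats a real deployment needs: spam to a trap is often addressed in the envelope only (the To: header names someone else), so an MTA hook should key on the RCPT TO address rather than the parsed headers; and the From: address is trivially forged, so the blocklist on sender alone is weak while the blocklist on the connecting IP is the part that holds.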
You know when they said you were special? They were trying to tell you to just do something different than everyone else. If everyone did a table trick or wrote "blank at blank dot com" or did any other clever little thing a programmer could come along and regex the hell out of it. Be unique and make them deal with your site individually.
That being said, I don't think spammers crawl the net looking for addresses so much. Their zombies have all the addresses they need. Just try to give out your email address to people that don't have an affinity for virus infections. In my case, I protect my customers so my address hasn't been abused too heavily thus far.
check+the+rfc+this+is+legal+but+nobody+codes+for+it@yourdomain.com
Help poke pirates in the eyepatch, arr.
Requiring people to work before they even know how to contact you = fewer customers. I'd also shy away from an image because I'd be worried it'd piss people off when they try to copy and paste the address.
Personally I do away with emails on sites wherever I can. Stick to a data entry form with CAPTCHAs or, a rather interesting idea I think I read on Slashdot somewhere, put some extra fields in a form which are not visible. If anything is posted in these fields you can strongly suspect it has been entered by a machine, rather than a person.
If I had to put an email on the site and wanted to obfuscate it my preference would be using a bit of javascript to write out the email address from some encrypted string. But you know how arms races go...
And on a side note - has anyone noticed how Firefox's spell checker thinks javascript and captchas are spelling errors?
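The hidden-field idea in the post above, the earlier warning about bots that target forms by field name, and the suggestion to keep the real address on the server combine naturally. The following is an added example, not code from the thread: a JavaScript contact-form renderer and server-side screen. The recipient address lives only in server configuration, the input names are deliberately uninformative, the honeypot is an ordinary text input moved off-screen with CSS, and header fields are checked for CR/LF so the form cannot be turned into a relay. The field names, the honeypot name and the recipient address are assumptions made for the example.

```javascript
// Added example, not code from the thread: a contact form whose real
// recipient exists only on the server, with an off-screen honeypot field and
// non-obvious field names. Field names, the honeypot name and the
// recipient address are assumptions for this example.

const CONTACT_TO = 'sales@example.com';   // never rendered into the page
const HONEYPOT_FIELD = 'website_url';      // humans never see it, so it stays empty
const FIELDS = { name: 'fld_a', replyTo: 'fld_b', subject: 'fld_c', body: 'fld_d' };

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function renderContactForm() {
  return [
    '<form method="post" action="/contact">',
    `<label>Name <input name="${FIELDS.name}"></label>`,
    `<label>Your e-mail <input name="${FIELDS.replyTo}"></label>`,
    `<label>Subject <input name="${FIELDS.subject}"></label>`,
    `<label>Message <textarea name="${FIELDS.body}"></textarea></label>`,
    // Pushed off-screen with CSS rather than type="hidden": a bot that skips
    // hidden inputs still sees an ordinary text field and fills it in.
    `<div style="position:absolute;left:-9999px" aria-hidden="true">` +
      `<input name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></div>`,
    '<button>Send</button>',
    '</form>',
  ].join('\n');
}

// Screens a parsed POST body (a plain object of field name -> string).
function screenContactSubmission(fields) {
  if ((fields[HONEYPOT_FIELD] || '').trim() !== '') {
    return { accepted: false, reason: 'honeypot' };
  }
  const name = (fields[FIELDS.name] || '').trim();
  const replyTo = (fields[FIELDS.replyTo] || '').trim();
  const subject = (fields[FIELDS.subject] || '').trim();
  const body = fields[FIELDS.body] || '';

  if (!EMAIL_RE.test(replyTo)) return { accepted: false, reason: 'bad-reply-to' };
  // A CR or LF in a header value would let the submitter append headers
  // (Bcc:, extra To:) and turn the form into an open relay.
  if (/[\r\n]/.test(name) || /[\r\n]/.test(subject)) {
    return { accepted: false, reason: 'header-injection' };
  }
  if (body.trim() === '') return { accepted: false, reason: 'empty' };

  // The recipient comes from server config, never from the request, so any
  // "to" field a bot adds is ignored.
  return {
    accepted: true,
    message: { to: CONTACT_TO, replyTo, subject: subject || `Contact form: ${name || 'anonymous'}`, body },
  };
}

console.log(renderContactForm());
console.log(screenContactSubmission({ fld_b: 'jane@customer.example', fld_d: 'hello' }));
```

The honeypot is the cheap part; the check that matters for the site owner is the CR/LF rejection, because a contact form that copies the subject or name straight into outbound headers is exactly the kind of "web form bots can target" the earlier post warns about.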
My actual e-mail address, in convenient text format and as a mailto: link, is at the bottom of every single web page at my personal web sites. I really don't see why I should change that just because spammers might harvest it. My e-mail address has been up there since about 1996, so that's at least a decade's worth of harvesting. I've also used the same e-mail address on Usenet posts.
Yes, I get quite a lot of spam. But with the usual techniques (greylisting, SpamAssassin, etc.) I only actually receive maybe half a dozen spam e-mails a day. And more importantly, all my actually valid e-mail still seems to get through just fine. I'm happy with it, and I get the personal satisfaction of being able to use my e-mail address wherever I damn well like without having to cower from spammers.
Put in plain sight: on your homepage which you submit to Google for indexing.
It's so obvious, they'd NEVER think to look there.
Just in case someone has some program that will recognize characters in an image (hence why some sites have the mangled-looking image that you have to try to read the letters off of), I went with a slightly different approach.
I just took a .gif image of my email address in the font I was using on my site, and then split it into 5 different images. Then in the HTML, I just have all of the images running one after another without spaces, and it looks correct on the website.
:P
As well, I threw a BR tag or two before that particular line, and put the email address towards the start of the sentence, to avoid the problem of half of it appearing on a second line. Well... unless they have their monitor set to like... 320x240 resolution or have their IE window really friggin' small
Planet Zebeth - Metroid with a twist
For a couple of years I used a JavaScript encoder for public web pages. But somewhere between getting 20 SPAM a day and getting 250 SPAM a day, I had to set up better anti-SPAM systems. So there wasn't much benefit to trying to hide various email addresses with convoluted hacks like JS. Another option is to include an "email contact form", but those have downsides too.
I then use separate email addresses for everything I sign up for. E.g. my bank email address is different from my health fund email address, which is different from my allofmp3 email address, etc. I use a little code which isn't obvious (similar to a lookup table) to encode each website into the username portion of the email address... That's why I'm a little annoyed at allofmp3.com at the moment, as I've supplied two email addresses to them on only two occasions, and both are huge spam recipients. So it's clear that not only does their financial arm sell my email address, but their online store does too.
This method is good for 2 reasons: It's very easy to direct all email from particular addresses straight to the trash should they become spam targets and secondly, it's very easy for me to figure out (such as the allofmp3.com case) who sold my email address to spammers and when.
I'm surprised I haven't seen the usual somesuchname at somesuchsite.com, and I'm wondering just how useful doing this is.
Damn. Already spent my mod points an hour ago.
☠
I try to run any mailtos through an email obfuscator .. as the link says, a 6 month study showed that obfuscated emails "do not receive junk mail."
My theory is that harvesters have enough email addresses out there to gather and that the spammers are too lazy/have no need to write algorithms that interpret these types of mailtos.
...unfortunately no one can be told what The Mat^H^H^HGoatse is...they must experience it for themselves...
How about creating a form that they can fill out, with your email address stored and the email processed on the server. Add a CAPTCHA to prevent the form from being spammed, and bang! You're done and your address is protected. That's what I do and no problems--yet.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
...unfortunately. No matter how cleverly you hide your address from the bots, the humans that you actually want to hear from have to enter the real thing into their email client. If the client stores the address in its address book, or it keeps a copy of the message, any piece of malware that infects the user's machine can discover your address and transmit it back to Spam Central for bombardment with the latest round of pump-n-dump.
I'm convinced this is how those bastards got the address of mine that currently gets the most spam. I maintain two sites, each with a contact address. They're minimally obfuscated - instead of user@example.com it says user at example dot com. One address gets almost no legitimate mail, but almost no spam. The other gets one legitimate mail every month or so, and spam maybe once a week. (Oh yes, I count myself lucky. My spam load peaked at a hundred a day a few years ago.)
I wonder if there would be any mileage in a mail client that encrypted the address book and mail folders, so that other processes running under your user ID couldn't read them? Trouble is, anyone savvy enough to choose a client because it has such a feature probably isn't going to get hit by malware in the first place. Good luck getting this feature into Outlook and switched on by default...
Just another wannabe fantasy novelist...
I have found that using SPAM as your username works wonders
just post it right there on the webpage or leave it as a mailto:spam@example.com
So many people use NOSPAMjohn@NOSPAMexample.com (remove the NOSPAM to reply)
or some variation of that, I tried using spam@example.com as my email address on Google Groups and previously on Usenet.
I got pretty much nothing. No spam. Not then, not now.
Since the email harvesters apparently filter out variations of addresses with SPAM, NOSPAM, DIESPAMMERS etc in them, once they filter out the "SPAM" part of spam@example.com they are left with @example.com which is not a valid email address.
I like microcars
Use webmail or forms to take customer requests, complaints, etc. instead of public email addys. When someone is assigned to handle the request, they can provide their email address for followup. That way none of the company email addresses are "public", and you can still have a full contact directory.
Such forms require the customer to provide a reply-to address, which you can then add to a whitelist.
Spam is a nuisance, but it's not worthwhile to make it hard for customers just to avoid address harvesting.
I do not fail; I succeed at finding out what does not work.
how about this: j o e [ a t ] j o e b o t . c o m
I insert a fake email address into the comments section of the html such as mailto:blah@mydomain.com and have blah@mydomain.com redirect as an alias to newspam@mydomain.com which then trains my spam filter. Of course this means you definitely will get mail from the spam harvesters, but it also allows you to keep an old fashioned useful real link on your website to a real email address.
Instead of everyone spending millions a year to try and stop spam, how about the ISPs do something like:
1) Stop the machines becoming bots in the first place, i.e. close down all the ports except the common ones but have the option for those who have special requirements to open up those ports. Heck, for a lot of the Mums and Dads out there they could almost get away with only port 80 open to the outside world.
2) When they get a complaint about spam, actively seek out the owner and give them some HELP to kill off the bot on their machine, get rid of the viruses, and get them updated with a virus checker/spyware checker etc.
3) Start listing "dangerous web sites", i.e. those known to have spyware/viruses, and then give people the OPTION of allowing the ISP to firewall those sites for them.
4) Have tutorials on their sites explaining how viruses work, how spyware works, how phishing scams work, why penny stocks are a scam, as are all the Viagra ads, etc.
5) Instead of blocking the spam, block the web sites they point to. You can send as many spams as you like, but if no one can buy your fake watches or fake Viagra then you will go out of business fairly quickly, and blocking the domain name will stop them from shifting the domain from hacked server to hacked server, as it will not matter WHERE it is located.
6) Web hosts who repeatedly fail to kill off spamvertised sites and phishing sites quickly (1-2 hours MAX) should become permanently blocked.
ISPs should take more responsibility for their customers.
10. Boiling in oil.
9. Bamboo splinters under the fingernails.
8. Water-drip torture.
7. Genitals screwed into a light bulb socket.
6. Two words: trash compactor.
5. Covered in honey over a fire-ant nest.
4. Piranha.
3. Buried to the neck at low tide.
2. Cannibal Pygmies.
and the number one answer is:
1. {you guys figure it out / I need another beer.}
The higher the technology, the sharper that two-edged sword.
with thousands of fake e-mail addresses...
Recently I came across a website of a security software programmer who asked visitors of his personal website to run a specific C code in order to obtain his email address. He had used a variation on the ROT-based encryption so it wasn't as trivial as cout << "johnsmith@somewhere.com".
// build the address from fragments so a plain regex over the page source never sees it whole
var mailto = 'm' + 'e@e' + 'xampl' + 'e.com';
document.write('<a href="mailto:'+mailto+'">'+mailto+'</a>');
It's easy to make it much harder, of course, and most (all?) spam harvesters don't interpret Javascript.
Best way to stop them? Project Honeypot. http://www.projecthoneypot.org/
I don't bother.
I just post my email address clean and let the bots use it.
SeaMonkey's spam filtering lets through 2 out of every hundred or so and gets false positives of far less than that.
It also filters those emails designed to untrain Bayesian filters and emails which only contain images.
Mind you, my case isn't standard. Its filters have got over 3 years of email to train it and it's got 18,500 spam filtered.
No Markov chains will untrain it any time soon.
Just had a thought for something I haven't tried yet. But what if your website's contact form asks the user for their email address? They enter it and press send, then your site sends them an email to which they can reply. I'm sure someone could make a bot to harvest emails from this kind of system, but if not everyone is using it, then maybe they won't bother...
Thoughts?
Scott Swezey
A lot of these suggestions are fine for personal sites; but if you're actually in business they aren't practical.
We use Javascript. You don't want to make life more difficult for the person trying to correspond - the point is to raise the cost to the spammer. If they have to add a Javascript parser to their spider, it's going to slow them way down. It's not going to make financial sense for them to do a custom solution for each site (and if they do, the "image" methods will break down as well).
When someone writes to me and says "reply to joe at gmail dot com" (or whatever), they generally don't get a reply. Why is their time more valuable than mine?
#DeleteChrome
and flash them.
More people have Flash enabled than JavaScript, and they can then use a mailto: or copy and paste the email address. Combine it with a contact form with spam protection.
How about this idea:
Setup a script to display a unique email address for every IP that visits your page. Save the IP, timestamp and email address given.
Allow all emails to be forwarded to your sales address (or whatever)
Then when you get spam, just look up the IP of the harvesting bot
2)...
3)Profit!
Turkeyphant
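The per-IP idea above and the per-site addresses described earlier in the thread are the same mechanism: hand each visitor (or each signup) a distinct address, keep a log of who got which one, and treat the log as the source of truth when mail arrives. The following is an added example, not code from the thread: a JavaScript address issuer and router that generates tagged sub-addresses, traces an inbound recipient back to the visitor it was issued to, rejects tags that were never issued, and drops mail to addresses that have been revoked once they start attracting spam. The mailbox, domain, visitor IPs and timestamps are assumptions made for the example; the log is in memory here where a real deployment would persist it.

```javascript
// Added example, not code from the thread: per-visitor contact addresses in
// the style of the per-IP idea above and the per-site addresses used earlier
// in the thread, so that a spammed address identifies who harvested it.
// The mailbox, domain, visitor IPs and timestamps are assumptions/constructed.

const MAILBOX = 'sales';
const DOMAIN = 'example.com';

// FNV-1a (32-bit) just makes the tag look opaque; uniqueness comes from the
// counter and the log is the source of truth, so no secret key is needed.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

class TaggedAddressLog {
  constructor() {
    this.byTag = new Map();   // tag -> { ip, issuedAt, address, revoked }
    this.counter = 0;
  }

  // Called while rendering the contact page for one visitor.
  issue(ip, isoTime) {
    const tag = fnv1a(`${ip}|${isoTime}|${this.counter++}`);
    const address = `${MAILBOX}+${tag}@${DOMAIN}`;
    this.byTag.set(tag, { ip, issuedAt: isoTime, address, revoked: false });
    return address;
  }

  // Extracts the tag from mailbox+tag@domain, or null if it is not one of ours.
  tagOf(address) {
    const m = address.toLowerCase().match(/^([a-z0-9]+)\+([0-9a-f]{8})@(.+)$/);
    return m && m[1] === MAILBOX && m[3] === DOMAIN ? m[2] : null;
  }

  // Once an issued address starts receiving spam, bin everything sent to it.
  revoke(address) {
    const rec = this.byTag.get(this.tagOf(address));
    if (rec) rec.revoked = true;
    return !!rec;
  }

  // Called per inbound recipient (the envelope RCPT TO in a real MTA hook).
  route(recipient) {
    const tag = this.tagOf(recipient);
    if (!tag) return { action: 'reject', reason: 'unknown-address' };
    const rec = this.byTag.get(tag);
    if (!rec) return { action: 'reject', reason: 'unissued-tag' };   // guessed or forged
    if (rec.revoked) return { action: 'drop', issuedTo: rec };
    return { action: 'deliver', to: `${MAILBOX}@${DOMAIN}`, issuedTo: rec };
  }
}

const log = new TaggedAddressLog();
const shown = log.issue('198.51.100.7', '2007-01-01T12:00:00Z');
console.log(shown, log.route(shown));
```

When spam arrives at a tagged address, `route()` hands back the issuing record, which is the "look up the IP of the harvesting bot" step; and because only issued tags are delivered, a spammer who guesses the pattern and mails sales+00000000@ gets nothing. The same routing applies to the per-site scheme earlier in the thread: the tag names the site you gave the address to, and `revoke()` is the "straight to the trash" rule once that site leaks it.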
It is impossible to keep your address out of Spammer address books. Therefore, you can just as well assume that all the spammers in the world already have your email address and run SpamAssassin and an RBL or two to get rid of the crap.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
For example, on your website, write your name someplace, then say that your email address is your last name @example.com
I've been successful using a database lookup and redirecting to a mailto: URL.
The method does have one issue that I worked around, the browser will end up with a blank tab/window from redirecting to a non-display url. So what I came up with was having an iframe that is empty when the page loads, and then by clicking on a send email link, javascript sets the location for the iframe source which is a script that looks up the email and redirects the request from the iframe to a mailto url.
As the database url can be obscured, and that it is a plain url not a mailto, it has been very successful at avoiding bots.
Now if only patents were like copyrights, this could have been covered by a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Patent! I get paid if you get paid, otherwise enjoy free ideas!
They use "sender verify" on the mail server.
When the mail server gets an incoming email, it sends a request back to the "sending" email server listed in the headers. Since most spam is sent with falsified headers, the reply from the "sending" email server will respond that no mail was sent. Then my host mail server simply dev/nulls the spam. In the case of real mail, the sending server responds that it did indeed send the mail and my host then delivers it.
The only troubles I've run into are servers that don't support "sender verify". If the email doesn't get a verification message, it's returned to the sender. Oddly enough, of the servers I've found that don't support "sender verify", they have been IIS servers. While there are still other IIS servers that do support it, I find it interesting that most of the servers not running IIS seem to have this feature turned on.
The nice thing about it is 90% of the spam never reaches a mailbox, and the filters from Spam Assassin catch the rest. This also removes the image only spam.
-Goran
Carpe Scrotum - The only way to deal with your competition.
I use a hyperlink with an image for the arial (@) sign that links to a page. The link would look something like href=em/?u=contact.
I'm a php guy, so the code on the page goes something like this:
Easy breezy covergirl!
Here's my code. Just replace yourname and domain.com. I suppose you could expand it so the com/net/org/co.uk/etc is a third field. If you want the link to use CSS classes, just add them in.
-Kinsey
First you need to know what your target audience will be. Are they click-drones, or are they hackers (in the good way)? How urgently will they need to reach you? How important is it to you to receive their mail and/or message?
It all depends on your target audience. First you have to decide if it should be clickable or not. I use http://www.zapyon.de/spam-me-not/index.html The address that you use will be spammed by bots after a while due to Winders users, and people will use it later for contact as well. So you cannot very easily just turn it off, or people won't be able to contact you.
If you use a form, remember the person won't have a copy by default, and some people might want that. However, if it is something that actually mails you, you can easily change the email address.
If you do not care for the ease of customers or visitors, then go with something where people need to fill in the email address themselves. This can be done by an image or even a soundtrack or by any other method.
Don't fight for your country, if your country does not fight for you.
Yeah, right. Like all those people who use Lynx because they are too cheap to buy a computer with a video card are going to be good customers. If you make the page with your telephone number available next to the email address, that way you don't purposely alienate the blind or disabled who are unable to see the images. The cost of keeping your email clean from spam will actually help improve business. Hyperactive spam filtering, especially for businesses, could lead to a lot of false positives, since spam mail is designed to look like legit business stuff. A false positive could cause you to lose more business than from some guy who is so stuck up about not using modern equipment, and so anal about what web technologies you are using, who probably can't afford most services anyway. Most of these tricks can still make a perfectly readable email for computers that are over 10 years in age. What is more, those mailto: links are really annoying, because most people I know use webmail for their email and less and less depend on systems such as Outlook or Thunderbird, so they click the link and they can't open the email automatically. The cost of, say, making an image with your email address vs. working on filtering your email is cheaper in both the short term and the long term.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
A while ago I set up an article on my homepage that combines all techniques without compromising usability:
http://www.thany.org/article/73/E-mail_hiding
I've found it quite effective to simply put up an email address you make especially for you website, then just tell your customers to put a certain phrase or one of several phrases in the subject line, and set up your email account to automatically delete any emails with other subject lines.
This is not a sig. This is a llama-duck. Quack.
The Hivelogic Enkoder keeps the email address clickable.
(The website for Automatic Corporation (automaticlabs.com), home to the Enkoder, is currently down.)
John Haller's Obfuscate Mailto 1.01: the email address is not clickable but remains visible if JavaScript is disabled.
We can accomplish a little with spamd and server-side scripting. SpamAssassin also helps.
Nothing is going to be totally effective until we get actual law enforcement.
While the net has been viewed as the wild west and with a certain degree of nostalgia, it's becoming clear that the reason we have laws and law enforcement is because of the bad apples like our spammer friends. I see spam as not being a whole lot different than if every merchant in the area sent people around who threw their flyers and junk mail on people's front lawns. It's called littering.
Law enforcement could start with ISPs being required to release the identity of anyone who contacts via email. If this is combined with the ability to bill them for mail sent... then perhaps the problem goes away. You see, you can spoof an address, but in order for the mail systems to work, the daemons need physical addresses. Using physical addresses it is not possible to hide. However it might not be possible to obtain reliable physical addresses from some countries or companies. One solution is to blacklist them. Do I recall reading a few years back that Telstra was dropped into a black hole? If so, how long did it take them to clean up their act?
The thing is there are some bad apple ISP's who greatly contribute to the problem. IMHO, when ISP refuses to disconnect a cracked machine until the owners take responsibility, then this ISP is a bad apple. But the general public is guilty of contributory negligence as well.
I would prefer to not make a "big" example out of a small number of people... I would rather make a small example of a larger number of people.
Shutting people's connections down and holding them responsible for costs say up to some number people consider "reasonable" is a way to start. People who abuse the credit of the phone company often receive disconnection notices with a reconnection charge. If the ISP uses a strategy like this then they may have an opportunity to make a few bux consulting as part of their reconnection charge.
Thing is there are large ISP's who actively contribute to the problem by even hosting spammers and who think this is ok. Some have even offered reduced connection rates because of high volumes.
I use AntiSpambotMailto() myself.
How about just using a secure contact form? That way, you do not have to post your email address, and you can use a CAPTCHA or whatever method to ensure your form is being filled out by a real person.
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
So, you want your customers to contact you without thinking too hard, but don't want spammers stealing your address...
. pesky
a Why
s not
d just
f put
@ your
h e-mail
j like
k this? Or some other way easily read by humans but illegible to machines?
l Those
c e-mail
o harvesters
m _ARE_ only using bots, after all...
No silly unreadable captchas or anything, just read top to bottom (put it on the right side of your webpage).
Just a suggestion.
I use spam poison to fool the bots. http://www.spampoison.com/
Good karma sticks to me like velcro on a piece of plexiglass.
Move along, citizen.
I think it is convenient to let people reach me by clicking on the mailto: link. It's not like obfuscating my email would suddenly stop the flow of spam, and for that I have a really effective setup. So my approach is to know how to deal with the spam and not to care about the harvesters. Recently I received an email for a really interesting job proposal in Silicon Valley and I'm taking the plane on Friday for an on-site interview. Imagine if my clever scheme of email obfuscation was too clever for the recruiter. My setup is really simple: graylistd and spamoracle. Apt-get install both and read the doc; you can instantly filter out 95% of the stuff. There is no spam problem; I receive a lot more junk snail mail than I receive junk email. Don't try to hide, learn how to defend yourself instead.
I made a plugin for the blog software I use that uses JavaScript obfuscation. The purpose here is to prevent comment spam (a random key is hidden in the session, and provided in an obfuscated form with JavaScript on the page). But that's the same problem.
The one that spammed my blog liked a bit of a challenge
... before that, I'd made several changes that forced the spammer to specially adapt his robot to my blog (false form hidden by stylesheet, etc.). But he still passed through after a few days. He either really loved or hated me.
But once I made that JavaScript obfuscation he finally stopped and I have no more spam. So I guess he was motivated and not dumb, but this trick was too much for him. I was not worth all that effort - in fact I never was. I figure he had no life and/or had some fun with me, but breaking that protection was not even worth the fun of doing it.
But I still think this trick will not last forever. Like an antivirus database, a spam filter is worthless unless you keep it up to date.
So I tried to hack myself. And succeeded in no time, unfortunately. The easy way is to take a standalone JavaScript interpreter like http://www.njs-javascript.org/ . Get the page, use a pattern to grab the JavaScript, create a .js that outputs the key (or email), and that's it. So I've got to obscure the code even more, get it to use some DOM elements, load some secret parts, or whatsoever.
One of these days spammers will understand it's easy to parse JavaScript with the right tools, and I'll be one of their victims. And then, someday, one will come up with some all-purpose JavaScript de-obfuscator that does not even need specific code to grab and execute the obfuscation script. That will not be easy, but profitable for sure. So
... I guess it'll happen.
Just figure your antispam system is great if it stopped all spam without annoying the legitimate users for at least three months. And that's all you can expect.
Also think about profitability. If you use a widely used antispam it has to be really great, because the more people use an antispam solution, the more profitable it is to crack it. So you could use a lame system, even home-made, that few use, and you could be safer than with mainstream antispams.
I tend to get my spams in pairs to two separate addresses. Both come from the same sender (name) with the same subject. Sometimes I get 3-4 of the same email, sent to my various email aliases.
Setting up a system that checks the dupes and blacklists the sender (or the title) would work. Personally I'd prefer one that holds emails for about 1 minute, parses them for duplicates between various accounts, and then for the spammy multimessages it nukes all the copies.
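The hold-and-compare idea from the post above, as an added example that is not from the thread: mail for several of your aliases is held for about a minute, and any sender/subject pair that lands on two or more distinct aliases inside that window is flagged as a burst, so every copy can be dropped together. The alias list and the message records are constructed sample data.

```javascript
// Added example, not from the thread: hold incoming mail briefly and flag
// copies that arrive for several of your aliases from one sender/subject.
// Alias list and message records below are constructed sample data.
const HOLD_WINDOW_MS = 60 * 1000;   // the "about 1 minute" hold
const MIN_ALIASES_HIT = 2;          // same mail to 2+ distinct aliases => burst

const MY_ALIASES = new Set(["me@example.org", "shop@example.org", "lists@example.org"]);

// Correlation key: sender + subject, case-folded, whitespace collapsed.
function dupeKey(msg) {
  const from = String(msg.from).trim().toLowerCase();
  const subject = String(msg.subject).trim().toLowerCase().replace(/\s+/g, " ");
  return `${from}|${subject}`;
}

// Return the ids of every message that belongs to a burst: same key, delivered
// to >= MIN_ALIASES_HIT distinct aliases within HOLD_WINDOW_MS. Every copy in
// the burst is flagged, so all of them can be dropped together.
function findCrossAliasDupes(messages) {
  const byKey = new Map();
  for (const m of messages) {
    if (!MY_ALIASES.has(m.to.toLowerCase())) continue;   // not one of ours
    const k = dupeKey(m);
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(m);
  }
  const flagged = new Set();
  for (const group of byKey.values()) {
    group.sort((a, b) => a.ts - b.ts);
    let start = 0;                      // sliding window over arrival time
    for (let end = 0; end < group.length; end++) {
      while (group[end].ts - group[start].ts > HOLD_WINDOW_MS) start++;
      const aliases = new Set();
      for (let i = start; i <= end; i++) aliases.add(group[i].to.toLowerCase());
      if (aliases.size >= MIN_ALIASES_HIT) {
        for (let i = start; i <= end; i++) flagged.add(group[i].id);
      }
    }
  }
  return [...flagged].sort();
}

// Constructed sample: one spam burst, one slow legitimate pair, one alias hit twice.
const SAMPLE_MESSAGES = [
  { id: "m1", from: "Deals <promo@spam.example>", subject: "Cheap meds",  to: "me@example.org",    ts: 1000 },
  { id: "m2", from: "Deals <promo@spam.example>", subject: "Cheap  meds", to: "shop@example.org",  ts: 4000 },
  { id: "m3", from: "Deals <promo@spam.example>", subject: "cheap meds",  to: "lists@example.org", ts: 7000 },
  { id: "m4", from: "alice@friend.example", subject: "dinner?", to: "me@example.org",   ts: 8000 },
  { id: "m5", from: "alice@friend.example", subject: "dinner?", to: "shop@example.org", ts: 8000 + 5 * 60 * 1000 },
  { id: "m6", from: "news@vendor.example", subject: "Weekly", to: "me@example.org", ts: 9000 },
  { id: "m7", from: "news@vendor.example", subject: "Weekly", to: "me@example.org", ts: 9500 },
];

console.log(findCrossAliasDupes(SAMPLE_MESSAGES));   // [ 'm1', 'm2', 'm3' ]
```

The legitimate pair m4/m5 is five minutes apart, so it falls outside the window, and m6/m7 hit the same alias twice, which is not a cross-alias burst; only the three copies of the "Cheap meds" mail are flagged.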
really, there are upsides and downsides to every measure you can take. Using images works well, but it leaves out people who are using screen readers or text based browsers. Right now I doubt that any email harvesters are using OCR to look for images, but if this became more widespread you can bet that an OCR feature would be added to most of the spam harvesters out there. You could display the image as more of a captcha, but even sighted people using graphical browsers can have difficulty reading those.
Using javascript basically runs into the same problem. A lot of people turn javascript off, and if it was in widespread use then email harvesters would just add javascript support.
One of the better solutions is to never show the email address. Instead use a contact page, and run the message through a filter before sending it. If you find someone who tries to send a message that is marked as spam, block the ip address. The biggest problem with this is that if someone does manage to start automatically sending out spam from your form, you are going to piss a lot of people off, and possibly get yourself blacklisted.
The best thing to do is to probably use a combination of techniques. Display an obfuscated image of the email address, and if someone can't see the image, offer a form to allow them to send email from. Mask the filter so it doesn't look to spambots like a form for sending email (avoid having any fields marked "to" "from" "subject" or "body" specifically) and a honeypot as well.
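The contact-form side of the combination described above (form instead of a visible address, a honeypot field, no field names that advertise "to/from/subject/body"), as an added example that is not from the thread. The field names (reply_to, topic, msg, the hidden website honeypot, form_ts), the thresholds and the sample submissions are all invented here.

```javascript
// Added example, not from the thread: server-side checks for a contact form
// that never reveals an address. Field names, thresholds and the sample
// submissions are constructed; "website" is the hidden honeypot field.
const HONEYPOT_FIELD = "website";     // hidden with CSS, so people leave it empty
const MIN_FILL_SECONDS = 3;           // faster than this is not a person typing
const STRIKES_BEFORE_BLOCK = 3;

// state = { blocked: Set<ip>, strikes: Map<ip, count> } kept across requests.
function checkSubmission(fields, clientIp, nowSeconds, state) {
  if (state.blocked.has(clientIp)) return { ok: false, reason: "ip blocked" };
  const strike = (reason) => {
    const n = (state.strikes.get(clientIp) || 0) + 1;
    state.strikes.set(clientIp, n);
    if (n >= STRIKES_BEFORE_BLOCK) state.blocked.add(clientIp);
    return { ok: false, reason };
  };
  if ((fields[HONEYPOT_FIELD] || "").trim() !== "") return strike("honeypot filled");
  const issued = Number(fields.form_ts);            // stamped when the form was served
  if (!Number.isFinite(issued) || nowSeconds - issued < MIN_FILL_SECONDS) {
    return strike("submitted too fast");
  }
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(fields.reply_to || "")) {
    return { ok: false, reason: "bad reply address" };
  }
  // The topic becomes a mail header: a CR/LF in it is an attempt to add headers.
  if (/[\r\n]/.test(fields.topic || "")) return strike("header injection attempt");
  return { ok: true, reason: "" };
}

// Constructed walk-through; returns what each submission got back.
function runSample() {
  const state = { blocked: new Set(), strikes: new Map() };
  const t0 = 1000000;
  const human = { reply_to: "alice@friend.example", topic: "Hello", msg: "Hi there", website: "", form_ts: String(t0) };
  const bot = { ...human, reply_to: "x@spam.example", website: "http://spam.example" };
  return [
    checkSubmission(human, "198.51.100.7", t0 + 20, state),
    checkSubmission(bot, "203.0.113.9", t0 + 20, state),
    checkSubmission({ ...bot, website: "" }, "203.0.113.9", t0 + 1, state),
    checkSubmission({ ...human, topic: "Hi\r\nBcc: someone@example.net" }, "203.0.113.9", t0 + 20, state),
    checkSubmission(human, "203.0.113.9", t0 + 20, state),
  ].map((r) => (r.ok ? "ok" : r.reason));
}

console.log(runSample());
// [ 'ok', 'honeypot filled', 'submitted too fast', 'header injection attempt', 'ip blocked' ]
```

The form_ts value is taken at face value here; in a real deployment it should be signed (an HMAC over the timestamp) so a bot cannot simply post an old one.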
Famous Last Words: "hmm...wikipedia says it's edible"
*read 130 euro as 130 Bucks
http://request-header.info
I often use a small piece of flash text to contain the email address and and a mailto: command in the on(press) function. Works 100%.
I find the gmail spam filters to be quite sufficient. It seems like I only have to manually deal with spam every few months at this point. For one particularly annoying spammer, I:
1. Tracked down the "owner" of the spam through a dnsstuff search
2. Wrote a quick script that looped from 0 to 5000
3. Sent him/her an email at each pass....Never got another one from that organization. YMMV on that technique, obviously.
Contact us form that generates the email server side is the best way as it doesn't expose the email address client side at all.
I publish my personal addr in clear text everywhere because I can set up a mailserver to deal with the spam, but my university addr on the other hand I really don't want to end up on the web. They force us to use a crappy webmail and they can't filter spam properly. An email can easily sit for a few days in the mail queue before it gets delivered! If you don't fear to publish your uni email, I guess that people at Waterloo know their shit and I congratulate them. This might be a new criterion to know if a potential uni is worth it: do faculty obfuscate their email addrs?
nothing beats plain english replacements, especially since 80%+ of spammers aren't from english speaking countries. Like bobATblah.com or bobREMOVETHIS@blah.com or "my e-mail is bob@blah.com". Any reasonably smart person would be able to detect those as fake typos or at least be able to decrypt them. If they can't figure out bobREMOVETHIS@blah.com then they'd probably send really dumb e-mails too so it's a great protection feature lol.
Is it just me or is it not going to upgrade to Vista in here?
I'm not a programmer, so I just took some code over at http://www.jracademy.com/~jtucek/email/index.php and used it. The link still appears as a mailto: link, but if you look at the page source there is nothing for a harvester to find.
There are actually two kinds of spammers as I know, just like cars:
1. automatic
2. manual
For the manual ones, you can use ways like web form. But it is also impossible to block them totally in an automatic way. Though you can filter spams from manual spammers with filtering programs, the limit could be the trade-off between the accuracy and false positive.
For the automatic ones, as the spammers typically crawl your whole site and collect every email address it finds. I think a complicated method can be used is to add a false email account on your mail server and publish this email on your website in a way that your friends/customers will never find it. (How about a tiny hidden link?) The mails received in this account can be considered spam and be compared with all received emails in normal accounts. Maybe some intelligence is needed to compare if some spam mails change its text dynamically.
I usually use a link in a Flash file. Most browsers are equipped with Flash, and I don't think most harvesters are (yet) equipped to scan Flash files.
I have several sites, and have found that the easiest way to obfuscate my e-mail address is to put REMOVETHISPART.com at the end (i.e., joeblow@mywebsite.REMOVETHISPART.com.) Most people seem capable of figuring it out, and no one has complained so far.
The Big News Page
Several people have mentioned using unique email addresses to "figure out who sold my email address". But while it may be LIKELY that (in this case) allofmp3.com sold you out, it could also be the operator of any of 15 routers between you and them. It wouldn't take much for an employee of a major ISP to tap a router and have it scan TCP packets for email addresses.
I find that encoding the text in the href and the link works fairly well. It still works fine for your browser but most harvesters don't seem to bother decoding them.
Me lost me cookie at the disco.
I list my email address using an ASCII art "big" figlet font. Stupid lamness filter won't let me show it here, but check on my website. Here is one site where you can make your own.
Why do you want to foil the harvesters? Feeding them bogus addresses helps you build a honeypot database which, combined with graylisting, is just about the most effective anti-spam measure there is. I need tips on how to get my bogus addresses into more spammers databases!
The email address in question is not posted anywhere and nothing even close to it ever gets Spam.
The only conclusion I can come to at the moment is that the spam is coming from other User's computers with Windows OS installed.
If that is the case, how do you "foil" the email harvesters that are ON SOMEONE ELSE'S WINDOWS COMPUTER?
my suggestion was a bit extreme, but I am open to other options that are on topic with this subject.
I like microcars
email could be obfuscated and encrypted and could be only determined by email clients.. e.g. here's an email address that was obfuscated then hexified..
:P
mailto:000101010101000011100010100
but sadly both computers and people are idiots
The website I run came with a tool called "Boxtrapper." Basically, if a new email comes in from an unknown address, it sends an email back to verify that the sender is human. Once the email is verified, it adds that sender to a whitelist and their subsequent emails come through to me. Also, any email addresses I send messages out to are automatically added to my whitelist. (The list is editable, of course.) Thus I am able to display my address on my website with no fear, and not become the target of spam. And I have yet to receive any incoming spam, despite having run the website for 2 years.
Now granted this runs off of a whitelist/blacklist system, and there is a possibility of it being fallible, but thus far it's run smoothly, so I'll take it for what it is until it fails me. Also, Boxtrapper is a part of cPanel, which is not free software (to my knowledge), so people running their own servers may have to look elsewhere if they prefer a FOSS solution.
If the spammers want so bad email addresses, why not give it to them? List poisoning will sting them right in the buttocks, and will make them think twice before they even consider sending their dumb spiders to your servers again. Take a look at the following sites for more info:
http://www.monkeys.com/wpoison/
http://www.spampoison.com/
My other OS is the MCP!
This code has been OK for me:
No spam from that kind of system yet. However, all that really means is that the email harvesting programs don't parse JavaScript yet. I'm sure if they were smart, they'd use IE to render the page and run their harvesting program on the post-rendered page. So far they don't in my experience. But I'm surprised about that. So consider JavaScript a temporary measure.
My Greasemonkey scripts for Digg &
etc. Actually there's a long list of places that want to be spammed.
I've even been tempted to include former employers & ex-lovers addresses.
Most spammers use bots to harvest their stuff, so, why not say, bury hundreds of false yet apparently legit email addresses under hidden links on your pages.... the bot will spider through your pages and then dig down
to them. This is even more likely if it appears in your robots.txt and/or contains email in its name.
Even a novice programmer can write a php or perl script to spit fake emails out. From there i'm not certain what would be good. Feed it enough fake emails to keep it connected, or just let the connection time out so it gives up.
Non sequitur: Your facts are uncoordinated.
most CS/Mathies and/or Engs wouldn't do what you did.
Use a little flash movie that only acts as an email link. There are no Flash parsers (ah, how long i searched for tools to automate flash testing...)
That, or JavaScript.
To foil email harvesters I use two methods. The first is to not put the email on the page. Make use of a contact form that will do the needful. If I do need to embed my email on the page, I make use of javascript to concatenate a link. I released the Transpose Email Plugin for WordPress that does the same.
I used WPOISON on my web site for about a month and had to remove it. Most of the Google entries for my site started going into the vortex. Took about a year for that to wash out. Don't do it.
Most of the stuff on
I have seen no change in the level of spam since then.
Do you have any blind customers? Do you want to lose them to your competitors?
I just use a flash image- I believe it foils the spammers as it is not an image
I use the Email Protector javascript decryptor. It lets you provide a mail-to link without showing the email in plain text.
Never ask for directions from a two-headed tourist! -Big Bird
I replace the dots with [dot] and the @ with [at]. steven [dot] streight [at] gmail [dot] com
web analyst/API specialist
This is going to sound like a pitch for Spamex.com and I guess it is, but I am in no way affiliated with Spamex other than as a happy customer.
Spamex.com lets me create a new and unique valid email address for every single correspondent I have. It also lets me enable, disable, and delete those email addresses. The first time I get a Spam email from one of the email addresses I've assigned, I either disable or delete that email address, so Spam is very rare for me.
Spamex's forum has been silent for several months and I fear they may be going out of business. There is no good replacement for them that I know of, so I encourage everyone to check them out, maybe try a free account, and then sign up for a premium account to help keep them going.
9/11 Eyewitnesses to Explosive WTC Demolition 1 of 2
Tin
Aluminum just does not cut it.
My consulting-business domain name, jcb-sc.com, got so slammed by spam and joe jobs, starting a few years ago, that it convinced me to switch to hosting it on my own server (dynamic-IP Comcast, yeah, I know ;-), rather than my original dialup ISP, so I could do a "better" job of filtering.
Among my many experiments and observations, I set up a few "spamtrap" addresses for harvesting on my web sites -- using white on white to be transparent to visual users, and tags saying things like "Don't send mail to this spamtrap" for anyone. Of course, those spamtraps quickly went on spammers' lists.
But so did a lot of other nonexistent addresses that I never in any way advertised or publicized. They were made up, apparently out of whole cloth, by spammers!
Earlier this year I decided to disable "unknown-user bouncing", which is the default for qmail, so my server wouldn't flood the rest of the 'net with the same sorts of joe-jobs that were such a problem for me (and aren't so much these days, probably because most of the Internet is now much better at filtering spam and/or just dropping lots of mail, most of it spam).
Instead, I diverted all mail for unknown users into a single Maildir that, months and thousands of mails later, I finally got around to looking through in an organized fashion (but still have a lot of older mail to check out...someday). I did catch a few legitimate mails to "slightly wrong" versions of proper usernames! The rest I looked at and designated as "Junk" -- that is, actual spam, not bounces of spam.
Recently, I wrote a script to go through all that "Junk" and call out the email addresses that were sent more than N (10, I think) messages, so I could designate those addresses as "spamtraps" on my system and /dev/null them (or maybe someday use them to generate my own RBL on the fly).
As a result, I now have nearly 500 "spamtrap" addresses for jcb-sc.com alone. That is, in addition to the handful of "legit" addresses, there are nearly 500 addresses the spammers have invented, apparently out of whole cloth, including some doozies, like a5cbdgk9ecd1fae3, alexiobpyjkh, close_bugid1_bugid2_aix, g77_lstat_0g (particularly amusing, since I wrote g77), heavyhosting:netransom, iamjustsendingthisleter (seen that used for one of my other domain names too), mcintoshzmop34fdg, office:spain:ruralphodysseus, and z_sin:g (and I think "z_sin" was the name of a library function in libf77/libg2c).
So I don't worry about publishing my email addresses anymore. Any spammer that sends mail to one of them is likely to send it to at least a few of those 500 or so spamtrap addresses around the same time, and there are likely to be enough similarities in the mails that my MTA can easily detect all of them as likely spam and not accept them. (Similarities might be "obvious" -- I get a fair amount of SMTP injections, which my "special" SMTP server ultimately reject, that try to deliver a single message to several spamtraps as well as one or two legit addresses at once; suggestive of a zombie, when multiple SMTP connections each delivering to spamtraps come in from a particular IP address; or less obvious, as when the content is roughly similar, but includes apparently-randomized portions.)
I've come to believe (with less than 100% certainty) that the "solution" to the spam problem is not to focus so much on identifying its sources, blocking them, challenging them (e.g. in court), detecting spam via automated content analysis, and so on -- although those techniques obviously have some utility -- but, rather, to use the same environment that makes spamming cost-effective for spammers, except changed in certain ways (some subtle, some maybe more overt) so the same environment becomes much more hostile to spammers, just as my domain names are "hostile" in that they nicely accept entire emails from most spam sources and th
Practice random senselessness and act kind of beautiful.
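The correlation the post above describes (one delivery that names spamtraps alongside a real address, or one source that keeps delivering to traps), as an added example that is not from the thread. The address sets, threshold and transactions are constructed; the trap localparts are the same kind of invented names the post lists, on example.com.

```javascript
// Added example, not from the thread: refuse an SMTP transaction whose RCPT
// list mixes spamtrap addresses with real ones, silently discard trap-only
// deliveries, and reject sources that keep hitting traps. Address sets and
// transactions are constructed.
const LEGIT = new Set(["craig@example.com", "info@example.com"]);
const SPAMTRAPS = new Set([
  "a5cbdgk9ecd1fae3@example.com",
  "g77_lstat_0g@example.com",
  "iamjustsendingthisleter@example.com",
]);
const TRAP_HITS_PER_IP_TO_REJECT = 3;

function classifyRecipient(addr) {
  const a = addr.trim().toLowerCase();
  if (SPAMTRAPS.has(a)) return "trap";
  if (LEGIT.has(a)) return "legit";
  return "unknown";   // would land in the catch-all Maildir for unknown users
}

// tx = { ip, rcpts: [...] }; trapHitsByIp persists across transactions.
function evaluateTransaction(tx, trapHitsByIp) {
  const classes = tx.rcpts.map(classifyRecipient);
  const trapCount = classes.filter((c) => c === "trap").length;
  if (trapCount > 0) trapHitsByIp.set(tx.ip, (trapHitsByIp.get(tx.ip) || 0) + 1);

  if (trapCount > 0 && classes.includes("legit")) {
    return { action: "reject", reason: "one message to spamtraps and a real address" };
  }
  if ((trapHitsByIp.get(tx.ip) || 0) >= TRAP_HITS_PER_IP_TO_REJECT) {
    return { action: "reject", reason: "source keeps delivering to spamtraps" };
  }
  if (trapCount > 0) return { action: "discard", reason: "trap-only delivery, accepted then dropped" };
  return { action: "accept", reason: "" };
}

// Constructed sequence of transactions; returns the action taken for each.
function runSample() {
  const hits = new Map();
  const transactions = [
    { ip: "203.0.113.7", rcpts: ["craig@example.com", "g77_lstat_0g@example.com"] },
    { ip: "203.0.113.9", rcpts: ["a5cbdgk9ecd1fae3@example.com"] },
    { ip: "203.0.113.9", rcpts: ["g77_lstat_0g@example.com"] },
    { ip: "203.0.113.9", rcpts: ["info@example.com"] },
    { ip: "203.0.113.9", rcpts: ["iamjustsendingthisleter@example.com"] },
    { ip: "198.51.100.4", rcpts: ["info@example.com"] },
  ];
  return transactions.map((tx) => evaluateTransaction(tx, hits).action);
}

console.log(runSample());
// [ 'reject', 'discard', 'discard', 'accept', 'reject', 'accept' ]
```

The fourth transaction shows the threshold at work: 203.0.113.9 has hit two traps, which is not yet enough to refuse a clean delivery to a real address; its third trap hit tips it over.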
Your post must have caught me at just the right time and in the right mood, because I literally cried from laughter for about two minutes when I read your post. Then I cried and stuttered for another three minutes trying to read it out loud to my wife - you know when you are trying to retell something that is so funny that you keep getting interrupted by your own uncontrollable laughter? I'm embarrassed for myself, but I still think this is the funniest thing I've ever read on Slashdot, based on my reaction... Thanks!
I mean yeah some of the tips and tricks may (or may not) work in the short run but eventually the spammers will get your id (not to mention the trouble to your customers if you obfuscate the id too much). It's not always how you displayed your mail id on your website or webpage that ultimately gets it harvested. More often than not, it's stupid users with your address in their contact lists who get it out in the open.
Like most of the people, I use multiple mail ids for different uses. Lots of them are fakes just to register to sites and such, and a couple are private ones which are used only to correspond with the closest friends and family members. Recently one of my friends told me that he has used my address to register for a gaming site since his was already being used for one account and apparently creating a new id takes ages and he may die before he gets a new one so why not use mine which is totally personal to me but who gives a damn. He actually has no idea why he should Not be doing it. And he is a CS major from one of the best colleges in the country! Now think of the regular users you may have corresponded with and how easy it is for them to fuck every trick you have tried to evade harvester bots.
Politicians and Pedophiles: Two groups of exploitive bastards who are most dangerous when they're thinking of children.
Since I don't use Exchange, I can set up a catch-all mailbox that anything sent to anything not elsewhere configured @ [mydomain].com is routed to that box. I can set the first part of the email address to be dynamically generated via script to match the IP address of the remote client. You could also figure in additional info like date/time.
So, the result could be something like 205.245.222.222.061113@[mydomain].com
Then when an address starts to collect spam I simply assign it to another mailbox that has a 1kb mailbox limit, and is already full. Theoretically, the main way that this would exclude a customer would be if a zombie at their ip address was the machine to harvest the email address that same day.
This also works with every vendor I visit and every web form I fill out. (i.e., my email address at Amazon.com is Amazon.com@[mydomain].com)
If you're unlucky, your e-mail server gets scanned with a kind of brute-force solution from harvesters. The harvester takes all combinations of popular names and popular extensions (john, john1, john2, john.smith and so on) and sends a message to them. In case it gives no usable results, the e-mail server is scanned with a real brute-force solution - aaa, aab, aac, aad and so on.
Ok, you can have your e-mail in whatever form you like on your website.
Straight through the brainpan.
It takes a bit of time to set up and will probably be three years before the momentum is there, but it's the only _real_ solution.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
captchas.net referred to by a recent poster has audio as well as visual, and many other sites that use them also have audio options.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Perhaps I don't want to send mail to companies who have broken only-tested-on-IE-on-WindowsXP preferences anyway...
OCR this!
http://taat.fi/tmdc/email.html
I run a small mailing list for a group of people who have dinner and parties together. Most of the people are sufficiently technical to be able to figure out the details, and I'm just trying to reduce harvesting. Spammers already know there's a majordomo there...
Here's how to use javascript but still get a normal mailto: link in the browser and in the statusbar.
Change all your email addresses to some form of human readable nonsense, i.e. "user AT whatever DOT com". You can add a bunch of extra characters and html tags if you want.
Write some javascript that runs when any given page loads, accesses the DOM and changes all the human readable nonsense to a nice pretty mailto link.
This way, anyone with a javascript enabled browser gets a regular link that shows up properly in the statusbar, and anyone without javascript can still at least read the address.
As far as I know, this is the cleanest way to get the job done.
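The DOM rewrite described in the post above, as an added example that is not from the thread: the page carries only "user AT whatever DOT com" text, and a script run at load time turns each such phrase into a real mailto: link, so the source never contains a plain address and a no-javascript visitor still reads the munged form. The conversion is written as pure string functions (so it can be tested outside a browser) with the DOM wiring at the end; the sample text is constructed and the uppercase AT/DOT convention is an assumption of the example.

```javascript
// Added example, not from the thread: rewrite "user AT host DOT tld" text into
// real mailto: links once the page has loaded, so the HTML source never holds
// a plain address. Sample text is constructed; AT/DOT must be uppercase so
// ordinary prose ("meet at noon") is left alone.
const MUNGED_RE = /\b([A-Za-z0-9._%+-]+)\s+AT\s+((?:[A-Za-z0-9-]+\s+DOT\s+)+[A-Za-z0-9-]+)\b/g;

function unmunge(text) {
  return text.replace(MUNGED_RE, (_, user, hostPart) =>
    `${user}@${hostPart.split(/\s+DOT\s+/).join(".")}`);
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Escape first, then link: the characters the address pattern admits are
// unaffected by escaping, so nothing from the page lands unescaped in HTML.
function mungedToHtml(text) {
  return escapeHtml(text).replace(MUNGED_RE, (_, user, hostPart) => {
    const addr = `${user}@${hostPart.split(/\s+DOT\s+/).join(".")}`;
    return `<a href="mailto:${addr}">${addr}</a>`;
  });
}

// Browser wiring: replace every text node that carries a munged address.
function rewriteMungedAddresses(root) {
  const doc = root.ownerDocument;
  const walker = doc.createTreeWalker(root, 4 /* NodeFilter.SHOW_TEXT */);
  const hits = [];
  for (let n = walker.nextNode(); n; n = walker.nextNode()) {
    if (new RegExp(MUNGED_RE.source).test(n.nodeValue)) hits.push(n);
  }
  for (const n of hits) {
    const span = doc.createElement("span");
    span.innerHTML = mungedToHtml(n.nodeValue);
    n.parentNode.replaceChild(span, n);
  }
  return hits.length;   // how many text nodes were rewritten
}

if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => rewriteMungedAddresses(document.body));
}

console.log(mungedToHtml("Contact: bob AT example DOT co DOT uk today"));
// Contact: <a href="mailto:bob@example.co.uk">bob@example.co.uk</a> today
```

Because the link text is built from the escaped page text, a munged address sitting next to user-contributed markup is still rendered safely; in a browser the status bar shows the real mailto: target exactly as for a hand-written link.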
1. Put your contact info on a page that is excluded by robots.txt.
2. Put some trap links to other pages banned by robots.txt liberally around your site in hidden links.
3. Ban anyone who goes to the trap pages.
4. Spammers will either follow robots.txt or not, but either way they won't get your email.
P.S. mailto will still work. I wrote a public domain PHP script to do this last year.
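The trap-page step of the procedure above, as an added example that is not from the thread (the poster's own script is not shown on the page): the trap paths are checked against robots.txt so a polite crawler is actually told to stay out, and then access-log lines are scanned for clients that fetched a trap anyway. The robots.txt text, trap path and log lines are constructed; the contact page is deliberately not treated as a trap, since humans follow a visible link to it.

```javascript
// Added example, not from the thread: list the trap paths, check they really
// are disallowed in robots.txt, then scan access-log lines for clients that
// fetched a trap anyway. robots.txt text and log lines are constructed.
const ROBOTS_TXT = `User-agent: *
Disallow: /contact-private/
Disallow: /trap/
`;
// Hidden links on the site point here; the contact page itself is NOT a trap.
const TRAP_PATHS = ["/trap/"];

function disallowedPrefixes(robotsTxt) {
  return robotsTxt.split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => /^disallow:/i.test(l))
    .map((l) => l.slice("disallow:".length).trim())
    .filter((p) => p.length > 0);
}

// Traps that a polite crawler is not told to avoid would punish it too.
function trapsNotDisallowed(robotsTxt, traps) {
  const banned = disallowedPrefixes(robotsTxt);
  return traps.filter((t) => !banned.some((p) => t.startsWith(p)));
}

// Common log format: ip ident user [time] "METHOD path HTTP/x" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})/;

// Returns the sorted list of client IPs that requested any trap path.
function trapViolators(logLines, traps) {
  const ips = new Set();
  for (const line of logLines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;                                  // malformed line, skip
    const path = m[2].split("?")[0];                   // drop query string
    if (traps.some((t) => path.startsWith(t))) ips.add(m[1]);
  }
  return [...ips].sort();
}

const SAMPLE_LOG = [
  '203.0.113.5 - - [13/Nov/2006:10:00:01 +0000] "GET / HTTP/1.1" 200 1024',
  '203.0.113.5 - - [13/Nov/2006:10:00:02 +0000] "GET /trap/staff.html HTTP/1.1" 200 512',
  '198.51.100.2 - - [13/Nov/2006:10:00:03 +0000] "GET /contact-private/ HTTP/1.1" 200 300',
  '203.0.113.5 - - [13/Nov/2006:10:00:04 +0000] "GET /trap/more.html?x=1 HTTP/1.1" 404 0',
  '192.0.2.9 - - [13/Nov/2006:10:01:00 +0000] "GET /robots.txt HTTP/1.0" 200 80',
  'not a log line',
];

console.log(trapsNotDisallowed(ROBOTS_TXT, TRAP_PATHS));  // []
console.log(trapViolators(SAMPLE_LOG, TRAP_PATHS));       // [ '203.0.113.5' ]
```

The returned list is what you would feed to a firewall or web-server deny rule; the human visitor of /contact-private/ is not in it.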
Everyone's sharing their dearest spam-protection techniques in a public forum ... so they can be harvested?????
I'd share my amazing, foolproof technique, but I don't have a good spam-harvester-obfuscation-trick obfuscation trick.
This may be old-school... okay, it is old-school. Back around '97 or '98 I had a bunch of simple CGI scripts in use on various sites that would be fed a munged or bogus email address, and generate a redirect to a mailto link to the real address.
So, for example, one might click on the link resulting from code looking like:
<a href="/cgi-bin/mailto:abuse@localhost">email me</a>
Or:
<a href="/cgi-bin/mailto:shagmeep@meepmy.domain">email me</a>
And the CGI script would spit out a redirect to:
mailto:shag@my.domain
Always seemed to work quite well. I'm sure it could just as easily be done in PHP or Ruby or whatever.
Village idiot in some extremely smart villages.
"or ask for the user to duplicate some text in a field that is on the page somewhere else"
Please enter the 6th word from paragraph 2 on page "About the company"
Being proactive against spam by thinking things through is your best defense against spam. Harvesters are entirely a nonissue, and changing your behavior in ways that make it harder for humans to contact you in hopes of keeping your address out of harvesters will only make it hard for humans to contact you, the spammers will still find you just fine, address munged or not.
Munging never works, and anybody who has spent at least five seconds thinking about this subject can understand why. The concept is fundamentally flawed: If a human can decode it, so can the spammer. You can bet that if this iteration of a particular spammer's harvester can't unmunge your address itself, the next one will. So why make people have to jump through hoops to get the address right instead of being able to just click Reply via email or your email address on a web page?
The only way to solve this problem is to use a responsible email provider that gives you control over what email gets rejected at SMTP time (ie, an email provider that lets you feed a bayesian filter for yourself; yes, rejecting email after DATA breaks the strict interpretation of the relevant RFCs, but based on what I've seen with my mail server, not in a way that actually causes problems) and proactive reporting of spam. Anything less is tantamount to email masturbation (literally, with the pornspam you'll be getting).
Help us build a better map!
A Swedish newspaper uses a fun approach where they send the mailto link in the Location HTTP header. So the link you click on to get the e-mail address is a regular url to some page but once you get there the cgi sends the e-mail to you and it acts like a mailto link in Opera at least. Probably in other browsers to since it's Swedens largest and oldest newspaper. On my own personal webpage i just write "my e-mail user is called nocturnal on the domain swehack.se", simply because i already have a job and it's just a personal hobby webpage.
I've embedded the email in a flash link -- not 100% accessible, but you can display an alternative image/form if the browser has flash turned off. In general, I don't find micromanaged forms very future-proof, as can be seen by the number of blogs/wikis that have form spam.
Why not just put your email address on your website and get a spam filter to deal with unwanted messages. If you want to make it easy for people to contact you then you have to let it hang out there a little bit.
I have several emails.
1. the personal one for friends and family only.
2. a hotmail spam honeypot for when I order things online. hotmail tend to be rather good at filtering out the garbage
3. an email forwarding service from my ISP for online,
eg apple1 "at" something.domain which, once it starts attracting the spammers then becomes cabbage1 "at" something.domain etc.
Finally, when posting online I mess around with the "at" bit as above. I use various techniques.
When acting as sysadm I always create 2 emails for users. The regular one and a spam honeypot that I can change every few months. I also encourage them to have a hotmail honeypot as well. My general advice is to "mutate often".
http://en.wikipedia.org/wiki/Address_munging#Alternatives
"Posting an e-mail address as a text logo and shrinking it to normal size using inline CSS.[4] As with an image this is readable by a real person, not by an automated system."
[4] ^ Email CSS obfuscation tool - http://mardeg.sitesled.com/ (output for displaying emails only requires basic CSS)
1. Make the target of the form something bogus, like a page with a few million fake e-mail addresses, or better, a page with a captcha for non-javascript users.
2. Using Javascript's onClick, change the submit button so when it's clicked, it changes the action part of the form, for example getElementById('myform').action = 'targetpage.html'.
Project Honey Pot has a good tutorial on how to avoid spambots: http://www.projecthoneypot.org/how_to_avoid_spambots.php
When inserting e-mail addresses into web pages, I use a little bit of PHP code to generate a unique user part with a suffix representing the time, date and IP address of the looking-up machine. People who harvest e-mail addresses usually sell them on; so once I've received spam at a particular unique address and blocked that address in my .procmailrc, that's several spams I won't ever have to bother with.
Note that you need a proper ISP -- that means one with virtually-hosted e-mails and PHP. Even better would be a static IP address and reverse DNS, so you can run your own MX.
Here's the code:
<?php
// Build a per-visitor address: user-<packed time><packed IP>@domain
function spamjavelin($address, $link) {
    // letters i and o are left out so the packed time stays unambiguous
    $alpha = "abcdefghjklmnpqrstuvwxyz1234567890";
    // client IP as 8 hex digits, e.g. 85.189.11.2 -> 55BD0B02
    $packed_ip = "";
    $ip_array = explode('.', $_SERVER['REMOTE_ADDR']);
    foreach ($ip_array as $j) {
        $packed_ip .= sprintf("%02X", $j);
    }
    // last digit of the year, month letter, day letter, hour letter, minutes, seconds
    // (hour 00..23 indexes $alpha directly; the original "-1" gave index -1 at midnight)
    $packed_time = date("y") % 10 . $alpha[date("m") - 1] . $alpha[date("d") - 1]
        . $alpha[(int) date("H")] . date("i") . date("s");
    list($user, $domain) = explode("@", $address);
    $new_address = $user . "-" . $packed_time . $packed_ip . "@" . $domain;
    return $link ? "<a href=\"mailto:$new_address\">$new_address</a>" : $new_address;
}
function sj($address) {
    echo spamjavelin($address, 1);
}
?>
To display your e-mail address as a link, use the following:
<?php sj("myname@mypatch.myisp.co.uk"); ?>
and it will be automagickally transformed into something like myname-6lnh502155BD0B02@mypatch.myisp.co.uk !
Je fume. Tu fumes. Nous fûmes!
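The same per-visitor address idea, serving both the catch-all post above (addresses built from the remote client's IP and date) and the PHP spamjavelin code, as an added example that is not from the thread and not the PHP author's code: a JavaScript tagger plus the decoder that turns a spammed address back into "which client saw it, and when", which is the forensic step neither post shows. The packing format (user-YYMMDDhhmm followed by the IP as 8 hex digits) and the sample values are constructed.

```javascript
// Added example, not from the thread: tag an address with the viewing client's
// IP and the UTC time, and decode a tagged address back. Format and sample
// values are constructed: user-YYMMDDhhmm<8 hex digits of IPv4>@domain
function packIPv4(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  return parts.map((n) => n.toString(16).toUpperCase().padStart(2, "0")).join("");
}

function unpackIPv4(hex) {
  return [0, 2, 4, 6].map((i) => parseInt(hex.slice(i, i + 2), 16)).join(".");
}

const two = (n) => String(n).padStart(2, "0");

function tagAddress(address, clientIp, when = new Date()) {
  const [user, domain] = address.split("@");
  const stamp = two(when.getUTCFullYear() % 100) + two(when.getUTCMonth() + 1) +
    two(when.getUTCDate()) + two(when.getUTCHours()) + two(when.getUTCMinutes());
  return `${user}-${stamp}${packIPv4(clientIp)}@${domain}`;
}

// Inverse of tagAddress; null if the address is not in the tagged form.
function decodeTag(tagged) {
  const m = /^(.+)-(\d{10})([0-9A-F]{8})@(.+)$/.exec(tagged);
  if (!m) return null;
  const [, user, stamp, hexIp, domain] = m;
  const issuedAt = `20${stamp.slice(0, 2)}-${stamp.slice(2, 4)}-${stamp.slice(4, 6)}` +
    `T${stamp.slice(6, 8)}:${stamp.slice(8, 10)}:00Z`;   // assumes years 2000-2099
  return { user, domain, issuedAt, clientIp: unpackIPv4(hexIp) };
}

// Constructed demo: page viewed from 203.0.113.2 on 2006-11-13 08:50 UTC.
const DEMO = tagAddress("myname@example.com", "203.0.113.2",
  new Date(Date.UTC(2006, 10, 13, 8, 50)));
console.log(DEMO);                              // myname-0611130850CB007102@example.com
console.log(decodeTag(DEMO));                   // { user: 'myname', domain: 'example.com',
                                                //   issuedAt: '2006-11-13T08:50:00Z', clientIp: '203.0.113.2' }
console.log(decodeTag("myname@example.com"));   // null
```

When spam arrives at a tagged address, decodeTag tells you which page view (and which client IP and minute) leaked it, which is what you want in the log line when the address is added to the block list.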
I use Gmail.
I have chosen to make my email readily available for the users of my pages - and I get huge amounts of spam, but Gmail catches almost all of it.
-- A good compromise leaves everyone mad. --Calvin and Hobbes
Don't have an email address.
I want a list of atrocities done in your name - Recoil
You must be one of those retarded businesses who have flash on their front page. Javascript isn't easier, retard, it is one more thing that the person has to enable.
I would much rather a business use bob at place dot com than have, "In order to see our contact address, you must turn on javascript," or worse, and more probable, because people like you are stupid, "Contact:" and then nothing else. No explanation as to why you don't want me see your contact address.
Most of the suggestions above are a hundred times more accessible than javascript. Ironically, the one you quoted as inaccessible, and a "waste of your time", reply to joe at gmail dot com, is the most accessible, short of mailto:joe@gmail.com. joe at gmail dot com is text only. Does not require images, or javascript. The next accessible is those that require css or tables. The next is those that require images. 95% of people have images enabled. The least accessible is those that require javascript, flash, and those types of solutions.
Sorry for calling you retarded. It is a problem of timing. Your doublespeak is the straw that broke my calm demeanor.
Hivemind harvest in progress..
I use a small javascript code:
<script>
var encode = new Array(0x4E,0x49,0x43,0x4F,0x4C,0x41,0x53,0x20,0x45,0x4C,0x41,0x4E,0x50,0x52,0x4F,0x44,0x0E,0x43,0x4F,0x4D);
function printEmail() {
  // each stored byte is the real character code minus 0x20
  var s = new String;
  for (var i = 0; i < encode.length; i++) {
    s += String.fromCharCode(encode[i] + 0x20);
  }
  document.write(s);
}
</script>
[...]
<script language="Javascript">printEmail();</script>
Have a look at my own web site (http://www.elanprod.com) if you want.
With such, i never had to install an anti-spam filter on my email server. In 3 years I should have got 4/5 spam. No more.
Test it, you will love it (but i will look and test the <span></span> seems interesting also)
Ok this is javascript things, but nobody complains until now.
/nicolas
...because you can limit user input to ordinary text.
Parent and GP are 100% correct. Spammers have scripts for forms provided by the main blogging systems, but everyone else is likely to be OK. I've created dozens of comment forms and never received organized spam. The only time I've had problems is when some moron who disagrees with my views spends 10 minutes pressing send, but this is rare and takes seconds to clean up. Also it now carries a 10 year prison sentence here in the UK!
Reduce, reuse, cycle
Go ahead guys.. use all the dirty [at] and _dot_ tricks you want, I'll collect all of them and mail em to every nigerian in my address book..
On a more serious note: there are better methods for mail harvesters. The biggest one for them is forwards. You know the one about pepsi to clean the toilet.. Every forward can contain anything from around 20 to 200 email addresses.. so if you ever forward mails, rest assured, it'll land on their list sooner or later.
Another method spammers utilize is joining mailing lists (the digest mode), and harvesting from there.
Yet another method (hypothetically, of course) is distributed harvesting.. spyware sitting on thousands of PCs monitoring webpages for mail IDs.
Not to forget accounts compromised by keyloggers being looked into.. an average netter would have say 10 unique IDs in his addressbook (yahoo/gmail/msn harvesting is easily done using their respective chat protocols).
In short, to keep your ID out, don't create it really.
http://dilemma.gulecha.org - My philosophical short film.
What we need for someone to instead of talk, perform two experiments:
1. Create 10 new email addresses, and post them around the net with 10 obfuscation tricks (plenty of examples can be found in this thread). Which of these tricks actually foiled the spammers, and which did not? Obviously, spammers can theoretically get around any obfuscation, but which obfuscations are still "safe"?
2. Do an experiment to figure out how "safer" is an address that was never posted on the Web. Does it just cause a small delay in spam (say, you only start getting spam after a month) or does it get noticeably less spam?
The answer to #2 isn't as obvious as some may think. One important problem to consider is spamming worms which use fake "from" addresses. These worms take your friends' email addresses - potentially addresses which have never been published - and use them as spam to random people. If a spammer also receives these mails, he gets a constant stream of real email addresses which were never published on the web. Another obvious issue is dictionary attacks, which are especially practical on large domains (e.g., gmail).
Wow, that was hard
People who think they know everything really piss off those of us that actually do.
if the people who are responsible for the spam read this article as well. Surely they are software developers as well, having to improve their spam systems all the time?
My clients don't get any spam through these addresses, for the moment anyway, and I've been using this for three years for clients who want a clickable link: javascript:window.navigate('mailto:my.name'+'@'+'mydomain.com')
and then link it to an image like so : http://www.brunelpartners.com/contactus.html
If you're creative you can also use the method of collection AGAINST the spammer. Make sure your usable email addresses are not on the page (other than via a webform - with the usual precautions) and/or an image file, and add a couple of dud email addresses to the site.
:-)
This allows you to do the following things:
(1) identify spam. Email arriving at those dud addresses MUST be from a web scrape as you never gave them out otherwise. You can use that to feed a filter or time-based banning of the origin.
(2) absorb spam resources. Especially if you use a different domain you can set up an MTA with a La Brea tarpit, which means the moment the spammer will try and use that email server it'll tie up his/her resources.
(3) use it to generate forensics. If you want to go the legal route, make sure you randomise the email addresses you use for seeding, and take good care of your logging. I don't give you much luck, though, these days you're dealing with organised crime (FYI, spamming itself amounts to unauthorised use of computing resources, ie long distance theft) and they cover their tracks reasonably well.
So there. Any other problems to solve?
Just try www.tinymailto.com, your contact will be protected by captcha whenever someone asks for it.
Example,
John Doe, (http://www.tinymailto.com/johndoeEmail here)
In addition to using spam filters, I also set up my mail filters. Most spam related email I get is addressed to anyone but me, so I just filter on the to: field looking for anything other than my name. Gets shunted straight into trash!
My web domain.
I have one public email address that has been so for many years. It appears in various places including many USENET posts. It receives lots of spam, but with a good spam filter and the fact that it is not my main mailing address, this is copable with. However, in the last couple of months some spammer or other has taken to faking my domain name as their From: address in their spam. This means I am getting piles and piles of bounces, auto-replies and whatnot for emails I never sent. Is there any way I can stop my domain name from being used in this way?
If they want email addresses, give them some. Give them all they can handle. Fill their database with junk.
Write a dynamic page which randomly generates a large list of bogus email addresses. Within the page, put anchors to random page names in the same directory. Use a URL rewrite rule on your web server to map all requests to that directory to that page so that the program responds to any page name.
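Here is what that dynamic page can look like, as an added example (not code from any poster in this thread). It assumes a hypothetical decoy domain decoy.example that you never read mail for, a hypothetical trap directory /trap/ that the web server's rewrite rule maps to this app for every file name, and a robots.txt entry disallowing /trap/ so that legitimate spiders stay out. The page is seeded from the request path, so a crawler that revisits a URL sees the same content and cannot spot the trap by diffing.

```python
"""Honeypot page that feeds harvesters bogus addresses and links back to itself.

Added example; not from the original thread. DECOY_DOMAIN and TRAP_PREFIX are assumed.
"""
import random
import string
from html import escape

DECOY_DOMAIN = "decoy.example"   # assumed: a domain whose mail you will never read
TRAP_PREFIX = "/trap/"           # assumed: every path under it is rewritten to wsgi_app


def _token(rng, n):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


def bogus_addresses(rng, count):
    """Plausible-looking, undeliverable addresses, all under DECOY_DOMAIN."""
    return [f"{_token(rng, rng.randint(5, 10))}@{DECOY_DOMAIN}" for _ in range(count)]


def trap_links(rng, count):
    """Links to random page names in the same directory, so the crawler keeps going."""
    return [f"{TRAP_PREFIX}{_token(rng, 8)}.html" for _ in range(count)]


def render_trap_page(seed, n_addresses=100, n_links=20):
    """Deterministic for a given seed: the same URL always yields the same page."""
    rng = random.Random(seed)
    lines = ["<html><body>"]
    lines += [f'<a href="mailto:{escape(a)}">{escape(a)}</a><br>'
              for a in bogus_addresses(rng, n_addresses)]
    lines += [f'<a href="{escape(l)}">{escape(l)}</a><br>'
              for l in trap_links(rng, n_links)]
    lines.append("</body></html>")
    return "\n".join(lines)


def robots_txt():
    """Publish this so well-behaved crawlers never enter the trap directory."""
    return f"User-agent: *\nDisallow: {TRAP_PREFIX}\n"


def wsgi_app(environ, start_response):
    """Serve any path under TRAP_PREFIX; the page is seeded by the path itself."""
    path = environ.get("PATH_INFO", "/")
    body = render_trap_page(path).encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def serve_path(path):
    """Call the app directly and return (status, body); handy for tests."""
    captured = {}
    body = b"".join(wsgi_app({"PATH_INFO": path},
                             lambda status, headers: captured.setdefault("status", status)))
    return captured["status"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, wsgi_app).serve_forever()
```

Pair it with an access-log check on the same directory: any client that fetches a /trap/ page despite robots.txt has identified itself as a harvester.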
I am so sick of spam, that I have gone extreme. I find that 90% of the time I send and receive email from people I know. I created 2 accounts, and ditched all other accounts. 1 account has a serious filter on it, i.e. mail does not come through it unless I put the address in my address book. I use this account mostly, and never, never use it for online crap. My 2nd account is my spam account, which I abandon often. I use this for online shopping, registering at sites, etc. I only login to it when I am looking for something specific, like airline ticket confirmation, passwords to demo software, stuff like that.
It gives me pleasure to know that all the crap I get on my second email falls on deaf ears, so I say, here you go email harvesters, have fun!
So there are two major techniques to harvest emails: browse webpages, and browse Outlook on hijacked computers...
My address has fallen thanks to a third technique: brute force! This is not exactly on topic here, but I was wondering if it happened to anyone here.
I received an email with something like 50 recipients, and all of them were combinations of 6 letters + @gmail.com. It was kind of weird that the spammer didn't hide the other addresses by the way. Anyway, it is easy to determine which addresses are valid by simply checking the "mail error" answers ; thus mine got caught this way.
I use Hivelogic's Enkoder form (unfortunately down today) and also the Enkoder plugin for Rails or Radiant CMS. Makes for nice and obscure Javascript. Has been very effective for us.
Here's a trick I learned about either on /. or somewhere else: make a spam trap. It's a CGI script that adds the client's address to a blacklist. Put a hidden link to that CGI script at the beginning of every page. Then put that script in robots.txt. If we assume that most spam crawlers do not honor robots.txt, then you can block most of them after they've only crawled a couple of pages. You should clear out your blacklist periodically since it will get really full fast. Also note that it may take a day or two for legitimate spiders like Googlebot to re-fetch your robots.txt.
Other ideas:
Use a contact form.
Use a different email address than your normal email address on a page. Change it frequently.
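The trap described in that post, done from the access log instead of inside the CGI script, as an added example (not the poster's code). It assumes a hypothetical trap URL /cgi-bin/trap.cgi that robots.txt disallows, Combined Log Format lines, and a two-day ban so the list clears itself; the log lines are constructed.

```python
"""Blacklist clients that fetch a robots.txt-forbidden trap link.

Added example; not from the original thread. TRAP_PATH, BAN_FOR and SAMPLE_LOG are assumed
or constructed.
"""
import re
from datetime import datetime, timedelta

TRAP_PATH = "/cgi-bin/trap.cgi"   # assumed; listed under Disallow: in robots.txt
BAN_FOR = timedelta(days=2)       # entries expire, so the list does not fill up forever

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: one bot follows the trap, Googlebot reads robots.txt and stays out.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2007:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2007:12:00:02 +0000] "GET /cgi-bin/trap.cgi HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2007:12:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Googlebot/2.1"
198.51.100.9 - - [10/Mar/2007:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Googlebot/2.1"
192.0.2.77 - - [10/Mar/2007:12:05:00 +0000] "GET /cgi-bin/trap.cgi?x=1 HTTP/1.0" 200 12 "-" "EmailSiphon"
"""


def parse_line(line):
    """Return a dict for a Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def update_blacklist(blacklist, log_text):
    """Ban every client that fetched the trap path; value is when the ban expires."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the path only; crawlers sometimes tack a query string on.
        if rec["path"].split("?", 1)[0] == TRAP_PATH:
            blacklist[rec["ip"]] = rec["ts"] + BAN_FOR
    return blacklist


def _as_dt(t):
    return t if isinstance(t, datetime) else datetime.fromisoformat(t)


def is_banned(blacklist, ip, now):
    """Check a client; stale entries are dropped on lookup (lazy expiry)."""
    until = blacklist.get(ip)
    if until is None:
        return False
    if _as_dt(now) >= until:
        del blacklist[ip]
        return False
    return True


def robots_txt():
    return f"User-agent: *\nDisallow: {TRAP_PATH}\n"
```

Feed `update_blacklist` from a log tail and consult `is_banned` in whatever serves your pages (or export the keys to a firewall rule); the expiry takes care of the periodic clean-out the post mentions.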
I prefer two methods:
1. Use a contact form. Easier since most people use webmail anyway. No copy paste for them. Also bypasses most spam filtering. Very good for everyone.
2. Email is also posted, but using JS to keep the bots away.
I use tinymailto
I don't have a sig.
JavaScript works, saw a dramatic drop in spam when I started using it on my sites. Should have a line on site that JavaScript is necessary for site to work.
Can't print the code here, but use document.write and string variables to write out e-mail links, spambots can't find the e-mail addresses.
Also, don't use real e-mail address when posting to message boards (thank the FSM that Slashdot hides them).
Have your code produce a unique contact e-mail address on the page for each visitor, so for instance:
support-312321@example.com
Then set up a catch all on the first part of the address.
If you get any spam, just block out that one receiving address.
I wonder if you could take that one step farther: If everyone with a web site published 1000 bogus e-mail addresses (in tiny white-on-white font) for each real one on their site, perhaps the wasted time/effort of spamming all the bogus addresses would reduce the number of spams hitting legit e-mail addresses, and also reduce the cost-effectiveness of spamming?
Put two addresses on your form. The real one, and a decoy one. Customers are directed to the real one, while the harvester grabs both. Automatically delete any message to the real address that has also been sent to the decoy one.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
...because we're not as gullible as the general non-tech audience. (and so modest)
I [may] disapprove of what you say, but I will defend to the death your right to say it.
Try this:
.net to create an HTML page from any source, at least my spaces will be kept... but who knows? Maybe it's hard to do this...
<span style="color:#ffffff;letter-spacing:-0.038cm">a l b e r t . s a n d b e r g @ g m a i l . c o m</span>
I also tried javascript but as a friend pointed out, there is some code in for instance
Good luck!
Albert Sandberg
I realize not everyone has flash installed, but would the email-id in the following be easy to spam-harvest?
www.tonyking.tk
I could easily re-program it to read a txt file to change the address details, so that a flash recompilation would not be necessary everytime the email addr changes....
.
- aqk
F U
Flood the database of the spammers with junk email, using tools like robocage.
From the product readme:
" RoboCage is a Zope product that produces random text out of a word dictionary. It mixes fake email addresses into that random text, as well as links back to itself (with different URLs, though). Thus, it provides a cage-like facility to "catch" email-harvesting robots."
http://www.zope.org/Members/philikon/RoboCage/folder_contents
What about http://www.jracademy.com/~jtucek/email/index.php? This is a javascript solution, but I've been using it for years and it works great!
BTW: I am basically a php newbie, so please go ahead and proof my code. This code is provided free of charge and is protected by the OSDL, blah, blah, blah.
At the top of your php script use the following. This checks that the name variable is assigned but the machine variable is unassigned. You can switch or replace these with other variables. The idea is that one of the variables must not be filled in. This is to prevent a bot from not filling in variables or filling in variables with random answers. You can also change the variable names to something not related to email addresses, such as stat1 and stat2, and with the assigned variable, double check the actual variable passed.
At the bottom of the code, place the following. What this does is redirect you to the main mailing page (you can easily change this page to something else). The script detects the form submission and places the meta tag in the header. The meta tag then opens up the mailer, sending the mail to the desired account.
Again, I am pretty much a newbie. Please dissect the code to improve it.
Give out a trap email, one that only a bot would find, and blacklist those that use it.
I like to team this up with a tarpit like the spamd daemon on OpenBSD - get even, make sending spam take a very long time.
Also include an option to copy the sender on the email. One thing I'm frustrated with when I use contact forms, is that, unless I copy and paste my message somewhere, I have no record of what I sent or when I sent it. If you include an option to automatically send me a copy of the message I sent, I can move it to my regular Sent folder and all will be well in the world.
Obfuscating email addresses on websites is one way of tackling the spam harvester problem. Training filters by becoming somewhat of a spam magnet is another way. The only problem herein lies in the differentiation between ham and spam. Spam is here and will be here for a long time to come because people do make (a lot of) money with it. So you could say detecting it is more sensible than avoiding it.
I've been experimenting by adding an automatically generated code to my email addresses on my page (recipientDELIMcode@domain.ext). Spammers keep on sending me spam to these addresses, and I accept it and train my mail filter this way. The only thing I have to do is add 'contaminated' email addresses to my shitlist once I've found spam being sent to them. As you might already have guessed, the shitlist is a simple forward to sa-learn.
Adding an auto-whitelister based on my own address book (LDAP is sweet) tackles the problem of address book harvesters; mail from these sources will not be fed to sa-learn, even if the email address it's received on is shitlisted.
A friend of mine, who goes by the name of 'the wanker who can't keep his antivir up to date'/Paul, created the need for me to implement this feature by becoming infected by a _addressbook_leechin_virus_.
To receive even more spam to feed to my hungry sa-learn, there's a set of email addresses on my site (>50% of all email addresses there are in hidden fields/autogenerated pages) which are passed through to sa-learn by default.
I've also been thinking of combining the unique-id email address with a database in which I store served (generated) email addresses and giving them a grace period of N minutes. If I receive an email within these N minutes, I assume this email was sent by a visitor on my site who clicked the mailto: link; the message is passed to my mailbox and the unique-id email address is flagged as a non-spam source. However, if I receive mail on that email address after the N minutes, I assume it's a spam run and feed it to sa-learn. I'm not sure on the ROI (code time/overhead/extra dependencies server-side) of this technique, because what I have now works well enough for me.
The downside is you can't give out your email address on things like a business card (lastname@domain.ext). A possible solution to this is replacing your email address with a URL like http://lastname.domain.ext/ on which a mailto: refresh is generated with the unique-id email address. Or trusting the intelligence of the lean, mean (and pretty well trained) spam-killing machine, which is good enough for me.
My 2ct.
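The per-visitor address idea from the "support-312321@example.com" post above, combined with this post's recipientDELIMcode scheme and grace period, and with the decoy-address check suggested earlier in the thread, as one added example (not any poster's code). The twist over what both posts describe: the code is a keyed MAC over the issue time, so the catch-all can tell a tag it really issued from one a spammer made up without storing every address it ever served; only the addresses that turn out to be real visitors need to be remembered. Assumptions: a hypothetical example.com catch-all, '+' as the delimiter (the subaddress separator most MTAs accept), a server-side SECRET, a 30-minute grace period, and two constructed decoy addresses.

```python
"""Verifiable per-visitor addresses plus decoy detection for a catch-all mailbox.

Added example; not from the original thread. DOMAIN, SECRET, GRACE_SECONDS and DECOYS are
assumed or constructed.
"""
import hashlib
import hmac

DOMAIN = "example.com"
LOCAL = "support"
DELIM = "+"                                   # the poster's DELIM; '+' subaddressing
SECRET = b"replace-with-a-real-secret"        # assumed; lives on the server only
GRACE_SECONDS = 30 * 60                       # the poster's "N mins"
DECOYS = {"webmaster-old@example.com", "sales-archive@example.com"}  # constructed decoys


def _mac(issued):
    """Short keyed MAC over the issue time; forging a tag requires SECRET."""
    return hmac.new(SECRET, str(issued).encode(), hashlib.sha256).hexdigest()[:12]


def issue_address(now):
    """Address to embed in the mailto: link served to one visitor at `now` (epoch secs)."""
    issued = int(now)
    return f"{LOCAL}{DELIM}{issued}.{_mac(issued)}@{DOMAIN}"


def classify_recipient(rcpt, now, trusted=frozenset()):
    """Verdict for mail that arrived for `rcpt` at `now`:
    'decoy'  - address only a scraper could have found
    'other'  - not one of our tagged addresses
    'forged' - tagged form, but the MAC does not verify (never issued by us)
    'late'   - genuine tag, but outside the grace period and not previously trusted
    'ham'    - inside the grace period, or an address a real visitor already used
    """
    rcpt = rcpt.lower()
    if rcpt in DECOYS:
        return "decoy"
    local, _, domain = rcpt.partition("@")
    if domain != DOMAIN or not local.startswith(LOCAL + DELIM):
        return "other"
    issued_s, _, mac = local[len(LOCAL) + len(DELIM):].partition(".")
    if (not issued_s.isdigit() or not mac.isascii()
            or not hmac.compare_digest(mac, _mac(int(issued_s)))):
        return "forged"
    if rcpt in trusted:
        return "ham"
    return "ham" if now - int(issued_s) <= GRACE_SECONDS else "late"


def handle_delivery(rcpt, now, trusted):
    """First mail inside the grace period marks the address as a real visitor's."""
    verdict = classify_recipient(rcpt, now, trusted)
    if verdict == "ham":
        trusted.add(rcpt.lower())
    return verdict
```

Route 'decoy', 'forged' and 'late' to sa-learn (or drop them) and 'ham' to the mailbox; 'other' is whatever your normal addresses are. Because the tag carries its own issue time, the database the poster was weighing up shrinks to the set of trusted addresses.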
If you run your own mail server, you might also try enforcing compliance with RFC2821. I've found that many spammers violate it, e.g., they use an unresolvable hostname in the HELO statement (forbidden in section 3.6). I've found this eliminates a very sizeable chunk of spam, as most spammers are too stupid (or insufficiently motivated) to bother to configure their systems correctly. For DNS-based checks, though, you'll want to reject the mail with a soft (4xx) code. DNS is transitory, and a hard rejection because someone's DNS is temporarily down isn't a Good Thing[tm]. It also gives the mail on the sending side a chance to queue up, hopefully giving someone an opportunity to notice there's a problem.
Additionally, once you detect a misconfigured host, blacklist it for a few days. This allows time for any mail being queued up on the sending side to expire... and makes that host temporarily useless to a spammer.
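The check that post describes, written out as an added example (not the poster's configuration): syntactically bad HELO names get a hard 5xx, any DNS failure gets a soft 4xx as the post recommends, and a client whose HELO name definitely does not resolve is put on a temporary blacklist for a few days. It assumes a hypothetical policy hook in front of the MTA; the resolver is injectable so the logic can be exercised offline with the constructed resolver included in the block.

```python
"""HELO/EHLO sanity check with soft (4xx) rejection for DNS trouble.

Added example; not from the original thread. The policy-hook interface, the blacklist
duration and constructed_resolver's data are assumed or constructed.
"""
import ipaddress
import re
import socket

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
BLACKLIST_SECONDS = 3 * 24 * 3600   # "a few days": outlasts a typical sender queue lifetime


class Unresolvable(Exception):
    """Definite answer: the name has no address records."""


class DnsTemporary(Exception):
    """Timeout or SERVFAIL: might work later, so do not blacklist."""


def default_resolve(name):
    """Real lookup; raises one of the two exceptions above on failure."""
    try:
        socket.getaddrinfo(name, None)
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_AGAIN", -3):
            raise DnsTemporary(name) from e
        raise Unresolvable(name) from e


def constructed_resolver(name):
    """Constructed stand-in for tests: one good name, one flaky name, everything else NXDOMAIN."""
    if name == "mail.good.example":
        return
    if name == "flaky.example":
        raise DnsTemporary(name)
    raise Unresolvable(name)


def helo_verdict(helo, client_ip, resolve=default_resolve, blacklist=None, now=0):
    """Return (smtp_code, text): 250 accept, 4xx retry later, 5xx reject for good."""
    blacklist = {} if blacklist is None else blacklist
    if blacklist.get(client_ip, 0) > now:
        return 450, "4.7.1 temporarily refused after a bad HELO; try again later"
    # RFC 2821 3.6 allows an address literal like [192.0.2.1] in place of a name.
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return 250, "ok"
        except ValueError:
            return 501, "5.5.2 malformed address literal"
    labels = helo.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return 501, "5.5.2 HELO must be a fully qualified domain name"
    try:
        resolve(helo)
    except DnsTemporary:
        return 450, "4.4.3 cannot resolve HELO name right now; try again later"
    except Unresolvable:
        # Soft reject, as the post advises, but remember the host for a while.
        blacklist[client_ip] = now + BLACKLIST_SECONDS
        return 450, "4.7.1 HELO name does not resolve; try again later"
    return 250, "ok"
```

Wire `helo_verdict` into your MTA's HELO policy hook with the real `default_resolve` and a shared `blacklist` dict; the 4xx on the blacklist path is what makes the sender's queued mail sit and eventually expire instead of bouncing.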
Oh, I'm sorry. I wasn't talking about the web session. I just assumed that if you gave them an email address, you had actually received email from them, and the smtp stream was what I was thinking of.
My web site contains: Email: nameexample.com. It's been up for several years and I've gotten virtually no spam. Certainly a spammer spider could recognize "mailto:" or "%40" or "@". But to do that, the spider must slow down. The spammer is better off with a high speed spider that reads ten times as many pages per hour just looking for at-signs. But I don't know for sure.
Are there open source spammer spiders? I'd like to read one.
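Not a real spammer's spider, but an added example (not from this thread) of the minimum a harvester needs: a regex plus a few cheap normalisation passes, run over constructed samples of the obfuscations people have mentioned here (numeric entities, %40, "at"/"dot", JavaScript string concatenation, the letter-spaced span, and an image). It shows which tricks fall to each pass without executing any JavaScript, which is the question the original poster asked; the sample strings and pass names are constructed.

```python
"""Minimal address harvester with escalating passes, for testing obfuscations against.

Added example; not from the original thread. SAMPLES are constructed.
"""
import html
import re
from urllib.parse import unquote

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

SAMPLES = {
    "plain": '<a href="mailto:joe@example.com">joe@example.com</a>',
    "entity": "joe&#64;example&#46;com",
    "percent": '<a href="mailto:joe%40example.com">mail</a>',
    "at_dot": "joe at example dot com",
    "js_concat": "document.write('joe' + '@' + 'example' + '.' + 'com')",
    "spaced": '<span style="letter-spacing:-0.038cm">j o e @ e x a m p l e . c o m</span>',
    "image": '<img src="contact.png" alt="our address">',
}


def pass_literal(text):
    """The fastest spider: look for at-signs only."""
    return set(ADDR_RE.findall(text))


def pass_decoded(text):
    """Undo HTML entities and percent-encoding first."""
    return pass_literal(unquote(html.unescape(text)))


def pass_words(text):
    """Rewrite ' at ' / ' dot ' before matching."""
    t = re.sub(r"\s+at\s+", "@", text)
    t = re.sub(r"\s+dot\s+", ".", t)
    return pass_decoded(t)


def pass_concat(text):
    """Join adjacent JS string literals; no interpreter needed for the common case."""
    t = re.sub(r"'\s*\+\s*'", "", text)
    t = re.sub(r'"\s*\+\s*"', "", t)
    return pass_words(t)


def pass_collapse(text):
    """Strip tags and all whitespace: defeats the letter-spaced trick."""
    stripped = re.sub(r"<[^>]+>", "", text)
    return pass_concat(text) | pass_concat(re.sub(r"\s+", "", stripped))


def harvest_report(samples=SAMPLES):
    """Map each sample to the cheapest pass that extracts an address, or None."""
    passes = [("literal", pass_literal), ("decoded", pass_decoded), ("words", pass_words),
              ("concat", pass_concat), ("collapse", pass_collapse)]
    return {name: next((p for p, fn in passes if fn(text)), None)
            for name, text in samples.items()}
```

Every text-based trick in the sample set falls to one of five short regex passes; only the image survives, which is the thread's "requires human interpretation" point in code. Whether a given spammer bothers with the later passes is a question of their speed versus yield, not of possibility.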
window.onload = start;
function start()
{
  var oEmail = document.getElementById("lnkEmail");
  oEmail.setAttribute("href", "mailto:name@example.co.uk");
  oEmail.setAttribute("title", "Email us please!");
}
like in this Piano Teaching website.
it works ok, i guess.
So why did you? Why didn't you, instead of writing this sentence, go back and remove the childish insults?
I chose that word because it was the most accurate and precise word available. I apologized because I felt (apparently, erroneously) that that would somewhat qualm the negative connotations.
Anyone who knows Javascript knows about implementing fallbacks for when Javascript is disabled.
You overestimate modern webmasters.
The obvious fallback is to have an element containing "joe at gmail dot com" and then replace that in Javascript with the mailto: link. That's what I do on my site.
Good for you. That is a perfectly acceptable solution. It is more readable for those with javascript, and viewable by those without. Unfortunately, webmasters with accessibility in mind are a minority.
Hey you frickin moron, don't post my address unobfuscated!
- Joe.
lol. Sorry. I figured that you already got so much spam that you wouldn't notice.
Modern browsers are good enough at limiting the damage it can do that it's safe to leave JavaScript turned on.
Where have you been? Try googling "firefox 1.5.0.x", where x is current minus 1. Or "IE exploit javascript." Mozilla has been known to lag behind zero day exploits for a couple of weeks, and Microsoft for a couple of months.
Besides, you can always use <noscript> for the few remaining folks who don't use JavaScript.
Unfortunately, only webmasters can do that. And most of the time, they don't even know that there are browsers besides IE, and they don't know that IE has options that can be set and unset. I expect that the original poster with "Javascript being more accessible" falls into this category. Commercial sites are especially notorious for lacking web design knowledge.