Best Method For Foiling Email Harvesters?
pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addresses from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ASCII encodings for some/all of the characters. 3.) Use JavaScript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret JavaScript? What do you use?"
If you make it hard for 'bad guys', you make it hard for your customers/friends too. Some people like having mail-to links, and you won't be able to do that easily with an image.
If you have a form to submit to on-line, tag it and let it go to the head of the class.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
Really, if all you want is for your customers or prospects to be able to reach you through a website, get yourself a contact form.. No way for a harvester to get your email address that way, and people usually don't mind filling in a contact form.. If you obligate your customers to "think" as you suggest, you're risking losing potential customers, which is simply not worth it. Besides, it makes you look very unprofessional.
- Leon Mergen
http://www.solatis.com
With a mailto URL and deal with the resulting spam at the mail level, the cost of doing so is less than the cost of alienating potential customers.
However, on a personal site, images.
Deleted
gvcormac@uwaterloo.ca -- Bring it on!
Seriously, if we cower in fear, the spammers win. Obfuscating, Turing tests, whatever show fear.
The problem with doing either of those things is that they could be hard to read and/or confusing. If you're dealing with customers, you don't want them to get confused, fed up, and not buy your product/services.
Personally, I think the only way to handle it is to keep everyone's personal e-mail address off of the web page, and use generalized e-mail addresses like "sales@your-domain.com", "contact@your-domain.com", or "support@your-domain.com". Have it be someone's job to review incoming e-mail to these addresses, understanding that the vast majority of incoming mail might be spam. Of course, you could add some sort of obfuscation to these addresses, but what's the point-- like spammers couldn't just guess "contact@your-domain.com"?
You should have a hidden field with no value and make sure it returns no value.
Bots tend to populate all form fields.
That would be the easiest step.
You could go a step further by having a text field that is hidden by a style="display: none;" and make sure that is empty as well.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
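The hidden-field check described in the comment above, as an added example that is not part of the original thread. The field names `hp_token` and `hp_comment`, the form markup and the sample request bodies are assumptions constructed for illustration; the rejection of a POST that omits the trap fields is an added stricter check beyond what the comment describes.

```javascript
// Added example: honeypot validation for a contact form (server side).
// Hypothetical trap field names; pick names that browser autofill will not match.
const HONEYPOTS = ["hp_token", "hp_comment"];

// Constructed markup the check assumes. Both trap fields are submitted
// as empty strings by a normal browser, and display:none keeps the
// text field away from sighted users and screen readers alike.
const FORM_HTML = `
<form method="post" action="/contact">
  <input type="email" name="email">
  <textarea name="message"></textarea>
  <input type="hidden" name="hp_token" value="">
  <input type="text" name="hp_comment" style="display: none;"
         tabindex="-1" autocomplete="off">
</form>`;

// rawBody: an application/x-www-form-urlencoded request body.
// Returns { accept, reason } so the caller can log why a post was dropped.
function checkSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  for (const name of HONEYPOTS) {
    const values = params.getAll(name);
    // A browser that rendered the form always sends the field, so a
    // body without it was not produced from the page.
    if (values.length === 0) {
      return { accept: false, reason: `missing ${name}` };
    }
    // "Make sure it returns no value": any content, even a space, fails.
    if (values.some((v) => v !== "")) {
      return { accept: false, reason: `filled ${name}` };
    }
  }
  if (!params.get("email") || !params.get("message")) {
    return { accept: false, reason: "incomplete" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample bodies: a browser post, a bot that fills every
// field, and a script that posts only the visible fields.
const SAMPLE_HUMAN = "email=a%40example.com&message=hello&hp_token=&hp_comment=";
const SAMPLE_FILL_ALL = "email=x%40example.com&message=buy&hp_token=1&hp_comment=buy";
const SAMPLE_NO_TRAPS = "email=x%40example.com&message=buy";
```

Rejected posts are better answered with the same response page as accepted ones, so the sender gets no signal about which field tripped the check.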
Now, get yourself a good spam filter because no matter what you do... you will be assimilated.
This is totally it. In many ways, no matter what you do, you're only delaying the inevitable. If the spammers don't get it from your site, they'll get it from somewhere else sooner or later.
Two distinctions:
1. The forms usually ask for your name, address, and other stuff. I have never seen an admin restrict themselves to just asking for your email. It's very typically set up along the lines of: tell us about yourself and we will respond.
2. Your submission does not get copied to your "sent" folder so you forget you ever communicated with the company. I like to keep a record.
As someone pointed out in that topic, make sure you don't make it impossible to use with a screen reader... blind people aren't necessarily spammers! :)
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
They use "sender verify" on the mail server.
When the mail server gets an incoming email, it sends a request back to the "sending" email server listed in the headers. Since most spam is sent with falsified headers, the reply from the "sending" email server will respond that no mail was sent. Then my host mail server simply dev/nulls the spam. In the case of real mail, the sending server responds that it did indeed send the mail and my host then delivers it.
The only troubles I've run into are servers that don't support "sender verify". If the email doesn't get a verification message, it's returned to the sender. Oddly enough, of the servers I've found that don't support "sender verify" they have been IIS servers. While there are still other IIS servers that do support it, I find it interesting that most of the servers not running IIS seem to have this feature turned on.
The nice thing about it is 90% of the spam never reaches a mailbox, and the filters from Spam Assassin catch the rest. This also removes the image only spam.
-Goran
Carpe Scrotum - The only way to deal with your competition.
sounds like a form ready to be abused by spambots. I'd assume this is the reason you rarely see 'send me a copy' checkboxes.
:x
Problem with captchas is the accessibility issue. People using screen readers and the like (visually impaired) won't be able to contact you using the form.
No sig
They have. It is very simple for them to distinguish the two apart, even if you put spaces in between or obfuscate it in some way that still has [at], [ a t ], or whatever... Just look at how many ways they spell Viagra, you think they couldn't do the same with at or dot?? To think otherwise would be naive.
Thanks. The Do Not Call registry is another way to get around this problem too. Asking to be removed from a telemarketer's list reduces the number of calls as well. It's just aggravating when it's a machine, because you can't even cut them off or tell them that you'd like to be removed. You have to listen to the whole message before you can get to information on unsubscribing. It's a good method of reducing the number of people interested in your product.
I was mostly ranting, and I hope the guy I attached it to understood who "you" was.
SRSLY.
Perhaps I don't want to send mail to companies who have broken only-tested-on-IE-on-WindowsXP preferences anyway...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
confuse bots, and confuse the hell out of people at the same time. I seriously have no idea what address that is supposed to be.
Yeah! If you can't trust the Russian Mafia, who can you trust?
This is like the classic story/problem:
You and Bob are being chased by a cheetah that can run 70mph.
How fast do you have to run not to be eaten?
Wrong answer: 71mph
Correct answer: Anything faster than Bob.
The same thing applies to harvesters, spam, and other pesky problems. You only have to make it so that your site is more of a PITA to abuse than someone else's site. CAPTCHAs and the like only succeed because it's easier to find another unprotected site than it is to read the CAPTCHA. It's not impossible - some OCR programs have 90%-ish recognition on common CAPTCHAs - it's just more difficult than typing "contact us" into Google to find someone else with a more spam-friendly page.
The same goes for JavaScript protection, image links, tarpits, grey listing and anything else that you put in as a roadblock - it only has to make your site inconvenient to abuse, not 100% perfectly resistant.