Slashdot Mirror


Best Method For Foiling Email Harvesters?

pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addresses from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ascii encodings for some/all of the characters. 3.) Use javascript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret javascript? What do you use?"

13 of 506 comments

  1. Form by daeg · · Score: 4, Interesting

    Spend 10 minutes and make an HTML form for people to contact you. Be careful what you name your field names, though, as there are spam bots that can target web forms.

    If people need to send you files, they can do so after you reply back to them.

  2. disallow Windows users by microcars · · Score: 3, Interesting
    Seriously, the most spam I get comes from bots that reside on Windows users' computers and troll through their Outlook Inbox for email addresses.

    I have one email that I use specifically for REPLYING to emails and that one is the one that gets the MOST Spam.

    --
    I like microcars
    1. Re:disallow Windows users by MobileTatsu-NJG · · Score: 4, Interesting

      "disallow Windows users"

      Har har.

      Anyway, I did an experiment once years ago where I created a brand new mail account and turned off 'spam armor plating' (or whatever it's called) on Slashdot. Then I went about making my posts etc. To my surprise, I started getting messages rather quickly. It didn't take more than a week or two to start receiving enough unsolicited mail to shut the experiment down.

      Fast forward to last year. I told a coworker friend about this. He didn't believe me. So I tried the experiment again and... uh.. actually I only got one or two messages over a period of two weeks. I'm not really sure what happened. It's as if they gave up on Slashdot.

      I cannot draw any real solid conclusions from these experiments other than to say that yes, email addresses on websites do get harvested. Yes, you could disallow Windows users, but that wouldn't do a thing to protect any other user. The only possible way that would work is if spam harvesting apps ONLY happened on Windows machines, and let's be realistic, there's nothing to prevent that software from making its way to Linux etc. Once it gets harvested, it doesn't matter which OS you run, you can get spam just as easily.

      It's a tough problem with no single solution.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  3. use a Table! by Nova1313 · · Score: 4, Interesting

    Use a table with 3 columns: the first with the first part of your email address, the second with @ and the third with domain.com. Simple searches on the pages make it hard to find and with a border of 0 the user won't notice the table.

    --
    There exists some positive integer N that you are the Nth person to read this signature.
    1. Re:use a Table! by Repton · · Score: 4, Interesting

      Couldn't you equivalently do <span>jsmith</span>@<span>example.com</span> ? You still lose the mailto though..

      (I suppose you could toss in <span style="display: none">fnarfnarfnar</span> or something as well, if you want to confuse matters slightly more)

      Would copy/paste insert whitespace anywhere where you don't want it?

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    2. Re:use a Table! by eric76 · · Score: 3, Interesting

      You could use 2 columns.

      In the right column, create an e-mail address that is missing the first letter or more of the actual e-mail address. Put the missing letters in the left column.

      For example, if your e-mail address is "jack@example.com", "ja" would go in the left column and "ck@example.com" in the right column.

      Then /dev/null any and all e-mail addressed to ck@example.com.

  4. Decoy address to build a spammer blacklist by The+Famous+Druid · · Score: 5, Interesting

    I've heard the following works fairly well, but haven't tried it m'self.

    Put 2 email addresses on your web site, the real one, and a 'decoy' one which is hidden from normal users (eg white-on-white text right at the bottom of the screen).

    Any email that arrives at the 'decoy' address is parsed, and the sender added to a blacklist.

    --
    Quidquid Latine dictum sit, altum videtur (anything said in Latin sounds important)
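
An added example, not from the original post, of the decoy-address idea above together with the unused right-column address from the earlier two-column suggestion: mail to either trap address puts its sender on a blacklist that later mail is checked against. The trap addresses, sample messages and function names are constructed; "sender" is taken to mean the From header, which can be forged.

```javascript
// Added example. Trap addresses are constructed: a hidden decoy and the
// "missing first letters" address from the two-column trick.
const TRAPS = new Set(["decoy@example.com", "ck@example.com"]);

// Parse the header block of a raw message, joining folded lines.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, " ");
  const headers = Object.create(null);
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return headers;
}

function addressesIn(value) {
  const found = (value || "").match(/[^\s<>,;:"]+@[^\s<>,;:"]+/g) || [];
  return found.map((a) => a.toLowerCase());
}

// Returns "trapped", "rejected" or "delivered"; blacklist is a Set updated
// in place. Header recipients stand in for the envelope recipient (assumption).
function triage(raw, blacklist) {
  const h = parseHeaders(raw);
  const senders = addressesIn(h["from"]);
  const recipients = [...addressesIn(h["to"]), ...addressesIn(h["cc"])];
  if (recipients.some((r) => TRAPS.has(r))) {
    senders.forEach((s) => blacklist.add(s));
    return "trapped";
  }
  return senders.some((s) => blacklist.has(s)) ? "rejected" : "delivered";
}

// Constructed messages.
const toDecoy = "From: Deals <offers@bulk.example>\r\nTo: decoy@example.com\r\n\r\nhi";
const toTrap = "From: promo@bulk.example\r\nTo: sales@example.com,\r\n ck@example.com\r\n\r\nhi";
const spam = "From: offers@bulk.example\r\nTo: jack@example.com\r\n\r\nbuy";
const customer = "From: ann@client.example\r\nTo: jack@example.com\r\n\r\nquote?";

function demo() {
  const blacklist = new Set();
  const verdicts = [toDecoy, toTrap, spam, customer].map((m) => triage(m, blacklist));
  return { verdicts, blacklist: [...blacklist] };
}
console.log(demo());
```
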
  5. Fuck 'em! by shawnmchorse · · Score: 4, Interesting

    My actual e-mail address, in convenient text format and as a mailto: link, is at the bottom of every single web page at my personal web sites. I really don't see why I should change that just because spammers might harvest it. My e-mail address has been up there since about 1996, so that's at least a decade's worth of harvesting. I've also used the same e-mail address on Usenet posts.

    Yes, I get quite a lot of spam. But with the usual techniques (greylisting, SpamAssassin, etc.) I only actually receive maybe half a dozen spam e-mails a day. And more importantly, all my actually valid e-mail still seems to get through just fine. I'm happy with it, and I get the personal satisfaction of being able to use my e-mail address wherever I damn well like without having to cower from spammers.

  6. Re:Make people think to figure out your e-mail by Anonymous Coward · · Score: 5, Interesting

    The whole point of posting an email address on a website is to allow and support communication, not to obfuscate it and make it more difficult for a person to use. Discouraging spam is important, but it must remain secondary to allowing email communication.

    I predict technical solutions will continue to fail to solve the spam problem, because it is not primarily a technical problem. It is a moral problem. Spammers (whoever they might be) are not respecting people. They are disrespecting us in order to get some money. Their values put dollars above the needs of anonymized people.

    Until the moral problem can be solved adequately through accountability or other means, we are stuck with technical "solutions". Hopefully the solutions keep in mind the original intent of the technology or else we will continue to spend our time "jumping through hoops" rather than actually accomplishing work.
    While a captcha does require human intervention, it makes it more difficult for a "normal" user to access. Same with nameIhatespam@domain.com or nameih8spam@domain.com or name @ domain.com. This requires manual work and appears "unprofessional". Such confusion creates a barrier to effective communication.

    Sure if you are on the "hackers are us" website such tricks are fine, 100% geeks, all interested in spending time re-typing information.
    However if your audience is not technical, has any kind of failing eyesight (many over 60), or limited patience (the entire web audience) you had better keep it transparent for the end user. This is where javascript has served us well.

    In recently gathering information from hundreds of manufacturing websites, I've found that the "cuter" the tricks, the less likely I am to pursue a working relationship with that manufacturer.

    There are still tons of websites out there with unobscured email addresses in the HTML code and even in the text of the webpages. I don't see why spam harvesters would need to bother with javascript parsing engines when there is such a rich harvest of real email addresses out there.

    I think people who are wiser than me need to consider how a community approach could seriously hamper spam. Maybe it is shaming the companies that build spam harvesting software. (we have imagination, we could 'make' them stop) I know that phoning and talking crossly to the wife of a spammer at an inconvenient time certainly created a stress reaction in her, which probably translated into stress reaction at their dinner table etc... I made the social cost of spamming high by phoning their 1800 number (costs them $0.05/minute). I made it real, I humanized my email address by "calling them on it" and complaining about their practices. (they still spam)...

    Filtering is huge, but ultimately we need to call people to social responsibility, and that requires one of two approaches that I can see.
    1. Grassroots community accountability/reaction to spam
    2. Top down legislative control.

    It's a war, but the war isn't for or against SPAM, the war is for and against respecting others on the NET.

    Greg.

  7. Email Obfuscation by celerityfm · · Score: 3, Interesting

    I try to run any mailtos through an email obfuscator .. as the link says, a 6 month study showed that obfuscated emails "do not receive junk mail."

    My theory is that harvesters have enough email addresses out there to gather and that the spammers are too lazy/have no need to write algorithms that interpret these types of mailtos.

    --
    ...unfortunately no one can be told what The Mat^H^H^HGoatse is...they must experience it for themselves...
  8. use: SPAM as your username by microcars · · Score: 4, Interesting
    Since this topic is about "foiling email harvesters"...

    I have found that using SPAM as your username works wonders

    just post it right there on the webpage or leave it as a mailto:spam@example.com

    So many people use NOSPAMjohn@NOSPAMexample.com (remove the NOSPAM to reply)
    or some variation of that, I tried using spam@example.com as my email address on Google Groups and previously on Usenet.

    I got pretty much nothing. No spam. Not then, not now.

    Since the email harvesters apparently filter out variations of addresses with SPAM, NOSPAM, DIESPAMMERS etc in them, once they filter out the "SPAM" part of spam@example.com they are left with @example.com which is not a valid email address.

    --
    I like microcars
  9. Re:You can't have your cake an eat it too ... by somethinghollow · · Score: 4, Interesting

    I think you hit the nail on the head. Strictly speaking, if you want to use text and don't leave a plain text version of your e-mail, you are at risk of being inaccessible.

    1. Use an image to replace your email address: I browse with images off on my cell phone and screen readers can't read images. Not to mention there are projects around that do OCR on captchas. If a spammer was resourceful enough, this wouldn't defeat them.
    2. Use ascii encodings for some/all of the characters.: Again, some cell phones (and probably other browsers) don't know about these encodings. Again, a resourceful spammer would figure it out.
    3. Use javascript to concatenate and/or obfuscate your email address: Lots of people browse with Javascript off. Not to mention that this could be gotten around with, maybe, a GreaseMonkey script that runs, say, 20 seconds after page load and parses the HTML for RegEx patterns of e-mail addresses in document.body.innerHTML (syntax may be wrong).

    I made a contact form for my site to avoid harvesters. While spammers do have scripts to submit contact forms, it's easier to trick a robot based on its form input than based on what the robot can parse from the page (e.g. put a hidden field called phone number and fail the form on the backend if it has a value since most spam bots will try to enter something, and make sure there is an HTTP_REFERER, or ask for the user to duplicate some text in a field that is on the page somewhere else).
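
The backend checks described in the comment above, as an added example that is not part of the original post: a hidden phone-number field that must stay empty, a Referer that must point back at the site, and a word the visitor copies from the page. The field names, SITE_HOST and the challenge word are assumptions.

```javascript
// Added example. SITE_HOST, CHALLENGE_WORD and the field names are assumptions.
const SITE_HOST = "www.example.com";   // host that serves the contact form
const CHALLENGE_WORD = "harvest";      // word printed elsewhere on the page

// fields: parsed form body; headers: request headers with lowercase names
// (as Node's http module delivers them).
function screenSubmission(fields, headers) {
  const reasons = [];

  // Honeypot: phone_number is hidden with CSS, so a person never fills it in,
  // while a bot that populates every input does.
  if (String(fields.phone_number || "").trim() !== "") {
    reasons.push("honeypot-filled");
  }

  // The Referer must be present and must name our own host.
  let refererHost = null;
  try {
    refererHost = new URL(headers["referer"] || "").host;
  } catch (err) {
    // missing or malformed Referer: refererHost stays null
  }
  if (refererHost === null) reasons.push("referer-missing");
  else if (refererHost !== SITE_HOST) reasons.push("referer-foreign");

  // The visitor has to copy a word that appears on the page.
  const answer = String(fields.challenge || "").trim().toLowerCase();
  if (answer !== CHALLENGE_WORD) reasons.push("challenge-failed");

  return { accept: reasons.length === 0, reasons };
}

// Constructed sample submissions.
const human = screenSubmission(
  { name: "Ann", message: "Quote please", phone_number: "", challenge: "Harvest" },
  { referer: "https://www.example.com/contact" });
const bot = screenSubmission(
  { name: "x", message: "buy now", phone_number: "555-0100", challenge: "" },
  {});
console.log(human, bot);
```

Some browsers and privacy tools strip the Referer header, so a hard failure on "referer-missing" can turn away real visitors; the returned reasons list lets the caller weigh that signal separately from the honeypot.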

  10. Use Javascript by 93+Escort+Wagon · · Score: 3, Interesting

    A lot of these suggestions are fine for personal sites; but if you're actually in business they aren't practical.

    We use Javascript. You don't want to make life more difficult for the person trying to correspond - the point is to raise the cost to the spammer. If they have to add a Javascript parser to their spider, it's going to slow them way down. It's not going to make financial sense for them to do a custom solution for each site (and if they do, the "image" methods will break down as well).

    When someone writes to me and says "reply to joe at gmail dot com" (or whatever), they generally don't get a reply. Why is their time more valuable than mine?

    --
    #DeleteChrome
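
An added example, not code from any of the posts: a check a site owner can run over their own markup to see which of the techniques in this thread a purely static scan gets past. The markup samples are constructed from the addresses used in the comments, and the three scan levels are an assumption about how a page might be read without running script.

```javascript
// Added example. Three levels of static scanning, none of which runs script:
//   0 = pattern match on the raw markup
//   1 = numeric character references decoded first
//   2 = references decoded and tags removed (adjacent text is joined)
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function decodeEntities(s) {
  return s.replace(/&#(?:x([0-9a-fA-F]+)|([0-9]+));/g, (m, hex, dec) =>
    String.fromCodePoint(hex ? parseInt(hex, 16) : parseInt(dec, 10)));
}

function visibleAt(html, level) {
  let text = html;
  if (level >= 1) text = decodeEntities(text);
  if (level >= 2) text = text.replace(/<[^>]*>/g, "");
  return [...new Set(text.match(EMAIL_RE) || [])];
}

// Lowest level at which the real address appears, or null if none does.
function exposureLevel(html, realAddress) {
  for (let level = 0; level <= 2; level++) {
    if (visibleAt(html, level).includes(realAddress)) return level;
  }
  return null;
}

// Constructed markup: [technique, real address, markup as served].
const SAMPLES = [
  ["plain mailto", "jack@example.com",
    '<a href="mailto:jack@example.com">jack@example.com</a>'],
  ["ASCII encoding", "jack@example.com",
    "&#106;&#97;&#99;&#107;&#64;example.com"],
  ["spans plus hidden filler", "jsmith@example.com",
    '<span>jsmith</span><span style="display: none">fnarfnarfnar</span>@<span>example.com</span>'],
  ["two-column table", "jack@example.com",
    '<table border="0"><tr><td>ja</td><td>ck@example.com</td></tr></table>'],
  ["JavaScript concatenation", "jack@example.com",
    '<script>document.write("jack" + "@" + "example" + ".com");<\/script>'],
];

function report() {
  return SAMPLES.map(([name, real, html]) => [name, exposureLevel(html, real)]);
}
console.log(report());
```

The two-column table yields only the trap address to a scan of raw markup, but once tags are stripped the cells join into the real address. The JavaScript and hidden-filler variants stay unreadable at all three levels.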