Slashdot Mirror
Best Method For Foiling Email Harvesters?
pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addressess from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ascii encodings for some/all of the characters. 3.) Use javascript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret javascript? What do you use?"
If you make it hard for 'bad guys', you make it hard for your customers/friends too. Some people like having mail-to links, and you won't be able to do that easily with an image.
If you have a form to submit to on-line, tag it and let it go to the head of the class.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
Spend 10 minutes and make an HTML form for people to contact you. Be careful what you name your field names, though, as there are spam bots that can target web forms.
If people need to send you files, they can do so after you reply back to them.
IP geolocation and a shotgun.
Works for me.
Think of the Children; Sleep with your Sister
I have one email that I use specifically for REPLYING to emails and that one is the one that gets the MOST Spam.
I like microcars
Really, if all you want is your customers or prospects be able to reach you through a website, got yourself a contact form.. No way for a harvester to get your email address that way, and people usually don't mind filling in a contact form.. if you obligate your customers to "think" as you suggest, you're risking losing potential custemrs which is simply not worth it. Besides, it makes you look very unprofessional.
- Leon Mergen
http://www.solatis.com
With a mailto URL and deal with the resulting spam at the mail level, the cost of doing so is less than the cost of alienating potential customers.
However, on a personal site, images.
Deleted
use a table with 3 columns.. the first with the first part of your email addres, the second with @ and the third with domain.com. simple searches on the pages make it hard to find and with a border of 0 the user won't notice the table.
There exists some positive integer N that you are the Nth person to read this signature.
SpamGourmet.com
Makes it trivially easy to create a unique forwarding address for any website you care to visit, then set the domain of that site as an exclusive sender for that address.
If a 3rd party starts spamming you at that address, Spam Gourmet just drops it, but continues to deliver relevant mail.
Oh, and it's completely free.
gvcormac@uwaterloo.ca -- Bring it on!
Seriously, if we cower in fear, the spammers win. Obfuscating, Turing tests, whatever show fear.
Coincidentally, there was an article just a few days ago on how to prevent spam to contact forms.
Are you trying to say that Slashdot is a professional forum?
Please, for the good of Humanity, vote Obama.
I've heard the following works fairly well, but haven't tried it m'self.
Put 2 email addresses on your web site, the real one, and a 'decoy' one which is hidden from normal users (eg white-on-white text right at the bottom of the screen).
Any email that arrives at the 'decoy' address is parsed, and the sender added to a blacklist.
Quidquid Latine dictum sit, altum videtur (anything said in Latin sounds important)
My email contact consists of Egyptian hieroglyphics in one of those 3d art displays. First you gotta stare at it for a few minutes to have the objects pop out. Next its a trip to Egypt where you must follow clues to meet an old shaman. Use his clues to navigate though a snake infested pyramid. Find the one eyed pirate after defeating the octopus. you are rewarded with a postcard with my email address in a sack in sans script. Be sure to avoid the poison arrows and rolling rock on the way out. Spammers be dammed.
My actual e-mail address, in convenient text format and as a mailto: link, is at the bottom of every single web page at my personal web sites. I really don't see why I should change that just because spammers might harvest it. My e-mail address has been up there since about 1996, so that's at least a decade's worth of harvesting. I've also used the same e-mail address on Usenet posts.
Yes, I get quite a lot of spam. But with the usual techniques (greylisting, SpamAssassin, etc.) I only actually receive maybe half a dozen spam e-mails a day. And more importantly, all my actually valid e-mail still seems to get through just fine. I'm happy with it, and I get the personal satisfaction of being able to use my e-mail address wherever I damn well like without having to cower from spammers.
The whole point of posting an email address on a website is to allow and support communication, not to obfuscate it and make it more difficult for a person to use. discouraging spam is important, but it must remain secondary to allowing email communication.
I predict Technical solutions will continue to fail to solve the spam problem, because it is not primarily a technical problem. It is a moral problem. Spammers (whoever they might be) are not respecting people. They are disrespecting us in order to get some money. Their values put dollars above the needs of anonymized people.
Until the moral problem can be solved adequately through accountability or other means, we are stuck with technical "solutions". Hopefully the solutions keep in mind the original intent of the technology or else we will continue to spend our time "jumping through hoops" rather than actually accomplishing work.
While a captcha does require human intervention, it makes it more difficult for a "normal" user to access. Same with nameIhatespam@domain.com or nameih8spam@domain.com or name @ domain.com This requires manual work and appears "unprofessional" Such confusion creates a barrier to effective communication.
Sure if you are on the "hackers are us" website such tricks are fine, 100% geeks, all interested in spending time re-typing information.
However if your audience is not technical, has any kind of failing eyesight (many over 60), or limited patience (the entire web audience) you had better keep it transparent for the end user. This is where javascript has served us well.
In recently gathering information from hundreds of manufacturing websites, I've found that the "cuter" the tricks, the less likely I am to pursue a working relationship with that manufacturer.
There are still tons of websites out there with unobscured email addresses in the HTML code and even in the text of the webpages. I don't see why spam harvesters would need to bother with javascript parsing engines when there is such a rich harvest of real email addresses out there.
I think people who are wiser than me need to consider how a community approach could seriously hamper spam. Maybe it is shaming the companies that build spam harvesting software. (we have imagination, we could 'make' them stop) I know that phoning and talking crossly to the wife of a spammer at an inconvenient time certainly created a stress reaction in her, which probably translated into stress reaction at their dinner table etc... I made the social cost of spamming high by phoning their 1800 number (costs them $0.05/minute). I made it real, I humanized my email address by "calling them on it" and complaining about their practices. (they still spam)...
Filtering is huge, but ultimately we need to call peopel to social responsiblity, and that requires one of two approaches that I can see.
1. Grassroots community accountabiltiy/reaction to spam
2. Top down legislative control.
Its a war, but the war isn't for or against SPAM, the war is for and against respecting others on the NET.
Greg.
I then use separate email addresses for everything I sign up for. E.g. my bank email address is different from my health fund email address, which is different from my all of mp3 email address etc. I use a little code which isn't obvious(similar to a lookup table) to code each website into the username portion of the email address... That's why I'm a little annoyed at allofmp3.com at the moment, as I've supplied two email addresses to them on only two occassions, and both are huge spam recipients. So it's clear that not only does their financial arm sell my email address, but their online store does too.
This method is good for 2 reasons: It's very easy to direct all email from particular addresses straight to the trash should they become spam targets and secondly, it's very easy for me to figure out (such as the allofmp3.com case) who sold my email address to spammers and when.
You should have a hidden field with no value and make sure it returns no value.
Bots tend to populate all form fields.
That would be the easiest step.
You could go a step further by having a text field that is hidden by a style="display: none;" and make sure that is empty as well.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
I try to run any mailtos through an email obfuscator .. as the link says, a 6 month study showed that obfuscated emails "do not receive junk mail."
My theory is that harvesters have enough email addresses out there to gather and that the spammers are too lazy/have no need to write algorithms that interpret these types of mailtos.
...unfortunately no one can be told what The Mat^H^H^HGoatse is...they must experience it for themselves...
I use a similar method, expect them they can only actually send me mail on the Summer solstice using a special machine buried in the mountains of India and must be used whilst standing upon a hill overlooking khafkas' pyramid wearing a blue apron.
When the light shines through the fascia of the machine it powers up for a few minutes and opens a connection which is bounced around my diamond CPU initiating the SMTP process.
If you get the timing incorrect then the suns rays will instantly vaporise you.
So far I haven't had much spam.
liqbase
I have found that using SPAM as your username works wonders
just post it right there on the webpage or leave it as a mailto:spam@example.com
So many people use NOSPAMjohn@NOSPAMexample.com (remove the NOSPAM to reply)
or some variation of that, I tried using spam@example.com as my email address on Google Groups and previously on Usenet.
I got pretty much nothing. No spam. Not then, not now.
Since the email harvesters apparently filter out variations of addresses with SPAM, NOSPAM, DIESPAMMERS etc in them, once they filter out the "SPAM" part of spam@example.com they are left with @example.com which is not a valid email address.
I like microcars
Two distinctions:
1. The forms usually ask for your name, address, and other stuff.
I have never seen an admin restrict themselves to just asking for your email.
It's very typically set up along the lines of: tell us about yourself and we will
respond.
2. Your submission does not get copied to your "sent" folder so you forget you ever
communicated with the company. I like to keep a record.
A lot of these suggestions are fine for personal sites; but if you're actually in business they aren't practical.
We use Javascript. You don't want to make life more difficult for the person trying to correspond - the point is to raise the cost to the spammer. If they have to add a Javascript parser to their spider, it's going to slow them way down. It's not going to make financial sense for them to do a custom solution for each site (and if they do, the "image" methods will break down as well).
When someone writes to me and says "reply to joe at gmail dot com" (or whatever), they generally don't get a reply. Why is their time more valuable than mine?
#DeleteChrome
As someone pointed out in that topic, make sure you don't make it impossible to use with a screen reader... blind people aren't necessarily spammers! :)
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
They use "sender verify" on the mail server.
When the mail server gets an incoming email, it sends a request back to the "sending" email server listed in the headers. Since most spam is sent with falsified headers, the reply from the "sending" email server will respond that no mail was sent. Then my host mail server simply dev/nulls the spam. In the case of real mail, the sending server responds that it did indeed send the mail and my host then delivers it.
The only troubles I've run into are servers that don't support "sender verify". If the email doesn't get a verification message, its returned to the sender. Oddly enough, of the servers I've found that don't support "sender verify" they have been IIS servers. While there are still other IIS servers that do support it, I find it interesting that most of the servers not running IIS seem to have this feature turned on.
The nice thing about it is 90% of the spam never reaches a mailbox, and the filters from Spam Assassin catch the rest. This also removes the image only spam.
-Goran
Carpe Scrotum - The only way to deal with your competition.
Problem with captchas is the accessibility issue. People using screen readers and the like (visually impaired) won't be able to contact you using the form.
No sig
Damnit, why did it have to be snakes?!
Burn the land and boil the sea, you can't take the sky from me
confuse bots, and confuse the hell out of people at the same time. I seriously have no idea what address that is supposed to be.