Best Method For Foiling Email Harvesters?

Zonk posted more than 7 years ago | from the when-the-addresses-are-high-as-an-elephants-eye dept.

pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addresses from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ascii encodings for some/all of the characters. 3.) Use javascript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret javascript? What do you use?"

506 comments

Make people think to figure out your e-mail (2, Interesting)

Salvance (1014001) | more than 7 years ago | (#16817608)

My two favorite methods are:
- Putting the e-mail in a distorted picture (like a captcha) - this is very difficult for spam crawlers to read
- Using a long human readable message "tset ta tset tod moc.reverse.each.word.prior.to.first.dot.for.addr"

In general, your best defense is to employ some method that requires human interpretation.

Re:Make people think to figure out your e-mail (4, Insightful)

leonmergen (807379) | more than 7 years ago | (#16817674)

Really, if all you want is for your customers or prospects to be able to reach you through a website, get yourself a contact form.. No way for a harvester to get your email address that way, and people usually don't mind filling in a contact form.. if you obligate your customers to "think" as you suggest, you're risking losing potential customers which is simply not worth it. Besides, it makes you look very unprofessional.

Re:Make people think to figure out your e-mail (3, Funny)

TeleoMan (529859) | more than 7 years ago | (#16817726)

Yeah. Your lmergen il.com ['gma' in gap] is reallll professional. Jerk.

Re:Make people think to figure out your e-mail (5, Funny)

WilliamSChips (793741) | more than 7 years ago | (#16817774)

Are you trying to say that Slashdot is a professional forum?

Re:Make people think to figure out your e-mail (1)

Salvance (1014001) | more than 7 years ago | (#16817730)

Good point ... I use those methods primarily on personal web pages, at work we use contact forms and never ever show an e-mail address. However, at work we get over 1000 spam messages a day coming from our contact form. We probably need to rewrite it to be a little less spambot friendly. In general though, if a person can click a button, so can a bot.

Re:Make people think to figure out your e-mail (4, Informative)

EvanED (569694) | more than 7 years ago | (#16817766)

Coincidentally, there was an article [slashdot.org] just a few days ago on how to prevent spam to contact forms.

Re:Make people think to figure out your e-mail (4, Insightful)

Ucklak (755284) | more than 7 years ago | (#16817882)

You should have a hidden field with no value and make sure it returns no value.
Bots tend to populate all form fields.

That would be the easiest step.
You could go a step further by having a text field that is hidden by a style="display: none;" and make sure that is empty as well.

Re:Make people think to figure out your e-mail (2, Informative)

bram (490) | more than 7 years ago | (#16818126)

I recently got a lot of spam through a contact form on one of my sites.

I added a checkbox which was checked by default saying "I'm a spammer" and a short explanation for people to uncheck it.
A couple of days later I started getting spam again.
Spammers aren't always stupid people (if you don't judge them by their actions).

Next thing was adding a captcha (from Free captchas [captchas.net] ) and now I don't get any spam anymore. :)

Re:Make people think to figure out your e-mail (1)

Linker3000 (626634) | more than 7 years ago | (#16817858)

Only trouble with 'plain' contact forms (ie: no captcha) is that once the spammers notice it, you get bot-driven submissions.

Re:Make people think to figure out your e-mail (1)

DDLKermit007 (911046) | more than 7 years ago | (#16817978)

That method is pretty worthless to me. I check how easy it is to get ahold of people when I go to buy stuff from them and when I see a form to fill out I just don't bother. With the company or the form. Email can be tracked far more readily than a website form. It is preferable I guess however to email addresses that are images.

Re:Make people think to figure out your e-mail (1, Interesting)

Compuser (14899) | more than 7 years ago | (#16818006)

This is a horrible solution. Please, people, don't do this. I never fill out any form
unless pressed to do so, because I assume it is itself a harvester of sorts, meaning I do
not trust companies who say that they will not resell my information.
Also, please do not use javascript, since many people (including myself) browse with
javascript off, and only enable it in tabs where it is absolutely necessary. I hate the
bother of turning on javascript. Please avoid it if at all possible. Granted, I would love
for all the web to go back to HTML 1.0 days - it looked good and was easy to read - but
even less conservative people probably hate javascript widgets which are not needed.

My favorite solutions: either use a slightly scrambled image or spell things like dot and
at so the text would not look like an email. You can also replace just the dots and ats
with images. Please, please, please, do not use forms, javascript or anything dynamic.

Re:Make people think to figure out your e-mail (1)

EvanED (569694) | more than 7 years ago | (#16818128)

You don't fill out contact forms of companies you'd email because you don't trust them?

Why the distinction?

Re:Make people think to figure out your e-mail (1)

Carthag (643047) | more than 7 years ago | (#16818142)

So you don't contact any company at all? If you call them, they can sell your phone number. If you email them or fill out a form, they can sell the email address. If you snail mail, well there's always good old fashioned junk mail.

Re:Make people think to figure out your e-mail (2, Interesting)

Sancho (17056) | more than 7 years ago | (#16818152)

I wonder if bots have started replacing 'dot' with '.' and 'at' with '@'.

I wonder, then, if adding the word 'dot' to your e-mail address would deter bots. Probably not, though. They'd probably just try all permutations of '.' and 'dot'.

Re:Make people think to figure out your e-mail (2, Insightful)

nine-times (778537) | more than 7 years ago | (#16817750)

The problem with doing either of those things is that they could be hard to read and/or confusing. If you're dealing with customers, you don't want them to get confused, fed up, and not buy your product/services.

Personally, I think the only way to handle it is to keep everyone's personal e-mail address off of the web page, and use generalized e-mail address like "sales@your-domain.com", "contact@your-domain.com", or "support@your-domain.com". Have it be someone's job to review incoming e-mail to these addresses, understanding that the vast majority of incoming mail might be spam. Of course, you could add some sort of obfuscation to these addresses, but what's the point-- like spammers couldn't just guess "contact@your-domain.com"?

Re:Make people think to figure out your e-mail (5, Funny)

Ankou (261125) | more than 7 years ago | (#16817800)

My email contact consists of Egyptian hieroglyphics in one of those 3d art displays. First you gotta stare at it for a few minutes to have the objects pop out. Next it's a trip to Egypt where you must follow clues to meet an old shaman. Use his clues to navigate through a snake infested pyramid. Find the one eyed pirate after defeating the octopus. You are rewarded with a postcard with my email address in a sack in sans script. Be sure to avoid the poison arrows and rolling rock on the way out. Spammers be damned.

Mod parent up! (1)

slimey_limey (655670) | more than 7 years ago | (#16817926)

Damn. Already spent my mod points an hour ago.

Re:Make people think to figure out your e-mail (3, Funny)

LiquidCoooled (634315) | more than 7 years ago | (#16817950)

I use a similar method, except they can only actually send me mail on the Summer solstice using a special machine buried in the mountains of India and must be used whilst standing upon a hill overlooking khafkas' pyramid wearing a blue apron.
When the light shines through the fascia of the machine it powers up for a few minutes and opens a connection which is bounced around my diamond CPU initiating the SMTP process.
If you get the timing incorrect then the sun's rays will instantly vaporise you.

So far I haven't had much spam.

Re:Make people think to figure out your e-mail (1)

slimey_limey (655670) | more than 7 years ago | (#16818108)

I think you mean Khufu rather than Khafka.

Still, sometimes it's hard to tell.

Re:Make people think to figure out your e-mail (0)

Anonymous Coward | more than 7 years ago | (#16818168)

Lovely! But I think you mean Sanskrit.

Not for a corporate site (1)

AlecLyons (767385) | more than 7 years ago | (#16817804)

Requiring people to work before they even know how to contact you = fewer customers. I'd also shy away from an image because I'd be worried it'd piss people off when they try to copy and paste the address.

Personally I do away with emails on sites wherever I can. Stick to a data entry form with captchas or, a rather interesting idea I think I read on Slashdot somewhere - put some extra fields in a form which are not visible. If anything is posted in these fields you can strongly suspect it has been entered by a machine, rather than a person.

If I had to put an email on the site and wanted to obfuscate it my preference would be using a bit of javascript to write out the email address from some encrypted string. But you know how arms races go...

And on a side note - has anyone noticed how Firefox's spell checker thinks javascript and captchas are spelling errors?

Re:Not for a corporate site (1)

Zonk (troll) (1026140) | more than 7 years ago | (#16818056)

And on a side note - has anyone noticed how Firefox's spell checker thinks javascript and captchas are spelling errors?


The spelling checker in Firefox is a piece of shit. Its suggestions are almost always useless.

Re:Make people think to figure out your e-mail (5, Interesting)

Anonymous Coward | more than 7 years ago | (#16817848)

The whole point of posting an email address on a website is to allow and support communication, not to obfuscate it and make it more difficult for a person to use. Discouraging spam is important, but it must remain secondary to allowing email communication.

I predict technical solutions will continue to fail to solve the spam problem, because it is not primarily a technical problem. It is a moral problem. Spammers (whoever they might be) are not respecting people. They are disrespecting us in order to get some money. Their values put dollars above the needs of anonymized people.

Until the moral problem can be solved adequately through accountability or other means, we are stuck with technical "solutions". Hopefully the solutions keep in mind the original intent of the technology or else we will continue to spend our time "jumping through hoops" rather than actually accomplishing work.
While a captcha does require human intervention, it makes it more difficult for a "normal" user to access. Same with nameIhatespam@domain.com or nameih8spam@domain.com or name @ domain.com. This requires manual work and appears "unprofessional". Such confusion creates a barrier to effective communication.

Sure if you are on the "hackers are us" website such tricks are fine, 100% geeks, all interested in spending time re-typing information.
However if your audience is not technical, has any kind of failing eyesight (many over 60), or limited patience (the entire web audience) you had better keep it transparent for the end user. This is where javascript has served us well.

In recently gathering information from hundreds of manufacturing websites, I've found that the "cuter" the tricks, the less likely I am to pursue a working relationship with that manufacturer.

There are still tons of websites out there with unobscured email addresses in the HTML code and even in the text of the webpages. I don't see why spam harvesters would need to bother with javascript parsing engines when there is such a rich harvest of real email addresses out there.

I think people who are wiser than me need to consider how a community approach could seriously hamper spam. Maybe it is shaming the companies that build spam harvesting software. (we have imagination, we could 'make' them stop) I know that phoning and talking crossly to the wife of a spammer at an inconvenient time certainly created a stress reaction in her, which probably translated into stress reaction at their dinner table etc... I made the social cost of spamming high by phoning their 1800 number (costs them $0.05/minute). I made it real, I humanized my email address by "calling them on it" and complaining about their practices. (they still spam)...

Filtering is huge, but ultimately we need to call people to social responsibility, and that requires one of two approaches that I can see.
1. Grassroots community accountability/reaction to spam
2. Top down legislative control.

It's a war, but the war isn't for or against SPAM, the war is for and against respecting others on the NET.

Greg.

Re:Make people think to figure out your e-mail (2, Funny)

f1055man (951955) | more than 7 years ago | (#16818070)

baseball bat in hand. give me an address and a plane ticket and I'll solve our moral problem.

Why use public email addresses at all? (1)

msobkow (48369) | more than 7 years ago | (#16818008)

Use webmail or forms to take customer requests, complaints, etc. instead of public email addys. When someone is assigned to handle the request, they can provide their email address for followup. That way none of the company email addresses are "public", and you can still have a full contact directory.

Such forms require the customer to provide a reply-to address, which you can then add to a whitelist.

Spam is a nuisance, but it's not worthwhile to make it hard for customers just to avoid address harvesting.

or just use spaces... (1)

mitchell_pgh (536538) | more than 7 years ago | (#16818016)

how about this: j o e [ a t ] j o e b o t . c o m

fp (0)

Anonymous Coward | more than 7 years ago | (#16817610)

Yes, new email harvesters can parse javascript. A good spam filter in your inbox is nice...

Re:fp (1)

Ucklak (755284) | more than 7 years ago | (#16817894)

Do you happen to have one I could review? I have had my emails javascript obfuscated for about 2 years now and haven't gotten spam yet.

You can't have your cake and eat it too ... (4, Insightful)

un1xl0ser (575642) | more than 7 years ago | (#16817632)

If you make it hard for 'bad guys', you make it hard for your customers/friends too. Some people like having mail-to links, and you won't be able to do that easily with an image.

If you have a form to submit to on-line, tag it and let it go to the head of the class.

Re:You can't have your cake and eat it too ... (1)

epee1221 (873140) | more than 7 years ago | (#16818018)

If you make it hard for 'bad guys', you make it hard for your customers/friends too.
Keep in mind that the bad guys generally don't do the work by hand, and email harvesting bots are much easier to defeat than humans. But yes, the mailto link is out.

Re:You can't have your cake and eat it too ... (4, Interesting)

somethinghollow (530478) | more than 7 years ago | (#16818130)

I think you hit the nail on the head. Strictly speaking, if you want to use text and don't leave a plain text version of your e-mail, you are at risk of being inaccessible.

  1. Use an image to replace your email address: I browse with images off on my cell phone and screen readers can't read images. Not to mention there are projects around that do OCR on captchas. If a spammer was resourceful enough, this wouldn't defeat them.
  2. Use ascii encodings for some/all of the characters.: Again, some cell phones (and probably other browsers) don't know about these encodings. Again, a resourceful spammer would figure it out.
  3. Use javascript to concatenate and/or obfuscate your email address: Lots of people browse with Javascript off. Not to mention that this could be gotten around with, maybe, a GreaseMonkey script that runs, say, 20 seconds after page load and parses the HTML for RegEx patterns of e-mail addresses in document.body.innerHTML (syntax may be wrong).

I made a contact form for my site to avoid harvesters. While spammers do have scripts to submit contact forms, it's easier to trick a robot based on its form input than based on what the robot can parse from the page (e.g. put a hidden field called phone number and fail the form on the backend if it has a value since most spam bots will try to enter something, and make sure there is an HTTP_REFERER, or ask for the user to duplicate some text in a field that is on the page somewhere else).
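The three backend checks listed in the comment above (hidden field left empty, a Referer header present, text copied from the page), together with the hidden-field suggestions made earlier in the thread, as an added example that is not part of any post. The field names `phone_number`, `website` and `copy_text`, the reason strings and the sample submissions are assumptions made for illustration.

```javascript
// Added example: screening a contact-form POST on the server.
// Field names, reason strings and sample data are constructed for illustration.

// Inputs hidden from people with CSS (for example style="display: none").
// A person never sees them, so any value in them was entered by a script.
const HONEYPOT_FIELDS = ["phone_number", "website"];

// Case-insensitive header lookup; header name casing differs between servers.
function headerValue(headers, name) {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === name) return String(headers[key]).trim();
  }
  return "";
}

// Returns { accept, reasons }. Every failed check is listed so the caller can
// log why a submission was dropped instead of guessing later.
function screenContactSubmission(fields, headers, expectedCopyText) {
  const reasons = [];

  // Check 1: hidden fields must come back empty.
  for (const name of HONEYPOT_FIELDS) {
    const value = fields[name];
    if (typeof value === "string" && value.trim() !== "") {
      reasons.push("honeypot:" + name);
    }
  }

  // Check 2: a browser posting the form normally sends a Referer header.
  // Privacy tools and some proxies strip it, so a site may prefer to log
  // this reason rather than reject on it alone.
  if (headerValue(headers, "referer") === "") {
    reasons.push("missing-referer");
  }

  // Check 3: the visitor copies a phrase shown elsewhere on the page.
  const typed = String(fields.copy_text || "").trim().toLowerCase();
  if (typed !== expectedCopyText.trim().toLowerCase()) {
    reasons.push("copy-text-mismatch");
  }

  return { accept: reasons.length === 0, reasons };
}

// Constructed sample submissions.
const COPY_TEXT = "blue kettle";
const SAMPLE_SUBMISSIONS = [
  { label: "person",
    fields: { name: "Ann", message: "Quote please", phone_number: "",
              website: "", copy_text: "Blue Kettle " },
    headers: { Referer: "https://example.com/contact" } },
  { label: "fill-everything bot",
    fields: { name: "x", message: "buy now", phone_number: "555-0100",
              website: "http://spam.example", copy_text: "http://spam.example" },
    headers: {} },
  { label: "bot tuned to this form",
    fields: { name: "x", message: "buy now", phone_number: "", website: "" },
    headers: { referer: "https://example.com/contact" } },
];

function runSamples() {
  return SAMPLE_SUBMISSIONS.map((s) => ({
    label: s.label,
    ...screenContactSubmission(s.fields, s.headers, COPY_TEXT),
  }));
}

console.log(runSamples());
```

The third sample shows why the checks are layered: a script written against this particular form leaves the hidden fields empty and sends a Referer, and only the copy-text check catches it.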

Form (4, Interesting)

daeg (828071) | more than 7 years ago | (#16817644)

Spend 10 minutes and make an HTML form for people to contact you. Be careful what you name your field names, though, as there are spam bots that can target web forms.

If people need to send you files, they can do so after you reply back to them.

Re:Form (1)

Cylix (55374) | more than 7 years ago | (#16817716)

I use a form, but the e-mail address is kept on the server configs.

A simple form with subject, reply to and message body is then whisked away to a general account.

At that point, it is at our discretion to reply and give out email addresses.
No harvesting possible...

Except when your fellow co-workers send you a lovely e-greeting card! BAM!

Instant harvesting.

All that time you spent setting up those web forms and hiding delicate information from the public... WASTED!

Now, get yourself a good spam filter because no matter what you do... you will be assimilated.

Re:Form (2, Insightful)

eighty4 (987543) | more than 7 years ago | (#16817944)

Now, get yourself a good spam filter because no matter what you do... you will be assimilated.

This is totally it. In many ways, no matter what you do, you're only delaying the inevitable. If the spammers don't get it from your site, they'll get it from somewhere else sooner or later.

Re:Form (2, Interesting)

garcia (6573) | more than 7 years ago | (#16817744)

Be careful what you name your field names, though, as there are spam bots that can target web forms.

All it takes is one of the dickwads to manually figure out your form and then they all do it. In addition to whatever you have as your form, make certain you disallow HTML in any of the fields or they will own you.

I have one set to show that it all went through just fine but it really just ignores their entry. It has worked so far.

Re:Form (1)

celerityfm (181760) | more than 7 years ago | (#16817980)

Indeed I have found that my most "mature" forms out on the web are targeted for spam.. I've added CAPTCHA though, seems to nip it in the butt... but at what cost.. AT WHAT COST?!?!?!?

Won't someone think of the users? :(

Re:Form (1)

fractalVisionz (989785) | more than 7 years ago | (#16818044)

That's great and all, but I just did a test. I made a bot to submit thousands of times a second and it had my reply email address (not the email address the suggest went to). My email address, using php's mail function, was inserted as the reply to. Soon, I received an email bounce back saying that the email couldn't be sent, and guess what, it had the email of the person who was receiving the contact emails.

A better method to possibly avoid this is to place all contacts in a database, and have an email sent to check the database so no bouncing can occur.

Personally I go for (5, Funny)

also-rr (980579) | more than 7 years ago | (#16817652)

IP geolocation [ip2location.com] and a shotgun.

Works for me.

Re:Personally I go for (2, Interesting)

Iphtashu Fitz (263795) | more than 7 years ago | (#16817812)

Same here. I block ALL incoming mail traffic from China, Korea, Japan, etc. on my personal domains because of the volume of spam that originates from those countries. The remainder is fed through SpamAssassin which does a pretty darned good job of tagging likely spam and filtering out obvious spam.

Image (2, Interesting)

Gemini_25_RB (997440) | more than 7 years ago | (#16817654)

Personally, I don't have this issue too much (no business, ergo no customers), but I think that the image would be the most effective. Almost like a CAPTCHA, but not nearly as hard (you want your customers to read it easily), but the image would likely still work because (speculation) most harvesters analyze text because it is easy. Image analyzing takes more processing (or human victims), so the harvester would probably get more email addresses by skipping the images and going for text.

As for whether the harvesters can interpret javascript, I think that it depends on the particular harvester. You could analyze the source or the created page.

disallow Windows users (3, Interesting)

microcars (708223) | more than 7 years ago | (#16817656)

seriously, the most spam I get comes from bots that reside on Windows user's computer and troll through their Outlook Inbox for email addresses.

I have one email that I use specifically for REPLYING to emails and that one is the one that gets the MOST Spam.

Re:disallow Windows users (1)

Threni (635302) | more than 7 years ago | (#16817814)

> seriously, the most spam I get comes from bots that reside on Windows user's computer and troll through their Outlook Inbox for
> email addresses.

I think it was sort of a given that he'd also like to stay in business, so he's probably not going to want to lose the 90% or whatever it is of the market that uses Windows to send emails...

Re:disallow Windows users (4, Interesting)

MobileTatsu-NJG (946591) | more than 7 years ago | (#16818050)

"disallow Windows users"

Har har.

Anyway, I did an experiment once years ago where I created a brand new mail account and turned off 'spam armor plating' (or whatever it's called) on Slashdot. Then I went about making my posts etc. To my surprise, I started getting messages rather quickly. It didn't take more than a week or two to start receiving enough unsolicited mail to shut the experiment down.

Fast forward to last year. I told a coworker friend about this. He didn't believe me. So I tried the experiment again and... uh.. actually I only got one or two messages over a period of two weeks. I'm not really sure what happened. It's as if they gave up on Slashdot.

I cannot draw any real solid conclusions from these experiments other than to say that yes, email addresses on websites do get harvested. Yes, you could disallow Windows users, but that wouldn't do a thing to protect any other user. The only possible way that would work is if spam harvesting apps ONLY happened on Windows machines, and let's be realistic, there's nothing to prevent that software from making its way to Linux etc. Once it gets harvested, it doesn't matter which OS you run, you can get spam just as easily.

It's a tough problem with no single solution.

Re:disallow Windows users (0)

Anonymous Coward | more than 7 years ago | (#16818104)

The most spam I get comes to me when I email a friend's AOL or Yahoo address. I am convinced there is a network of bots watching the inbound traffic to those email servers and harvesting and spamming gathered addresses. Example: Less than a second after I email a friend at one of those places I have 2 to 5 new spam messages, otherwise I rarely get spam at my gmail account (about 1 per day).

Well let's see.... (1)

PieSquared (867490) | more than 7 years ago | (#16817660)

I believe that slashdot has a system for doing this. You have the option to hide your email, display it, or display a spam-resistant version of it. It seems to change all the time, currently mine is missing a chunk, replaced by [], and after the end it says ['ade' in gap]. I haven't gotten any extra spam in that account so it seems to work fine.

Re:Well let's see.... (1)

daranz (914716) | more than 7 years ago | (#16818138)

It's only partially effective, though. There's a limited amount of obfuscation schemes that you can code into the system. A spammer can browse slashdot and note a bunch of methods used to hide email addresses, and then write something to convert those back into a usable form. Chances are, he'll get a whole bunch of usable addresses. Sure, it is better than nothing, and somewhat increases your chances.

nfp (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16817666)

not first post

javascript (1)

Zashi (992673) | more than 7 years ago | (#16817668)

I use javascript and html encoded ASCII. The website my organization uses ( nonlogic.org ) is almost entirely php based with headers. So including the php header also includes the obfuscation script (which is only 1 line). To display an email addy we just do addy('name','domain') and that's that. Combined with gmail's filters and the fact I have a personal account for talking to humans, and a spam account that I use for anything requiring an email address to use, I never get a single piece of spam in my inbox. (And to my knowledge have never had any false positives).

Simply put the address in clear text (4, Insightful)

Colin Smith (2679) | more than 7 years ago | (#16817678)

With a mailto URL and deal with the resulting spam at the mail level, the cost of doing so is less than the cost of alienating potential customers.

However, on a personal site, images.

 

Re:Simply put the address in clear text (2, Funny)

Ankou (261125) | more than 7 years ago | (#16817886)

That's why all my mailtos are "root@localhost" :)

use a Table! (4, Interesting)

Nova1313 (630547) | more than 7 years ago | (#16817690)

use a table with 3 columns.. the first with the first part of your email address, the second with @ and the third with domain.com. simple searches on the pages make it hard to find and with a border of 0 the user won't notice the table.

Re:use a Table! (4, Interesting)

Repton (60818) | more than 7 years ago | (#16817834)

Couldn't you equivalently do <span>jsmith</span>@<span>example.com</span> ? You still lose the mailto though..

(I suppose you could toss in <span style="display: none">fnarfnarfnar</span> or something as well, if you want to confuse matters slightly more)

Would copy/paste insert whitespace anywhere where you don't want it?

Re:use a Table! (0)

Anonymous Coward | more than 7 years ago | (#16817974)

Couldn't you equivalently do jsmith@example.com ? You still lose the mailto though..

no because a simple regular expression (which is what most of the bots use) would just ignore/strip the html tags anyway
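A self-audit for your own contact page, covering the transformations this thread says harvesters apply (tag stripping, decoding character entities, rewriting "at"/"dot"), as an added example that is not part of any post. The function names, stage labels and sample markup are assumptions; the addresses are constructed.

```javascript
// Added example: report at which processing stage each address on a page
// becomes visible to a plain regular-expression scan. Sample page is constructed.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Drop every tag and keep the text between tags.
function stripTags(html) {
  return html.replace(/<[^>]*>/g, "");
}

function codePoint(n, fallback) {
  return n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : fallback;
}

// Decode numeric character references plus the two named ones that matter here.
function decodeEntities(text) {
  return text
    .replace(/&#x([0-9a-f]+);/gi, (m, hex) => codePoint(parseInt(hex, 16), m))
    .replace(/&#([0-9]+);/g, (m, dec) => codePoint(parseInt(dec, 10), m))
    .replace(/&commat;/g, "@")
    .replace(/&period;/g, ".");
}

// Rewrite "name at host dot tld" and "name [at] host [dot] tld".
function spelledOutToSymbols(text) {
  return text
    .replace(/\s*[\[(]\s*at\s*[\])]\s*|\s+at\s+/gi, "@")
    .replace(/\s*[\[(]\s*dot\s*[\])]\s*|\s+dot\s+/gi, ".");
}

// Stages are cumulative; each address is tagged with the first stage at
// which the scan finds it, i.e. the least effort needed to collect it.
function auditPage(html) {
  const stages = [
    ["raw-source", (s) => s],
    ["tags-stripped", stripTags],
    ["entities-decoded", decodeEntities],
    ["at-dot-rewritten", spelledOutToSymbols],
  ];
  const firstSeen = {};
  let text = html;
  for (const [stage, transform] of stages) {
    text = transform(text);
    for (const address of text.match(EMAIL_RE) || []) {
      const key = address.toLowerCase();
      if (!(key in firstSeen)) firstSeen[key] = stage;
    }
  }
  return firstSeen;
}

// Constructed sample page using the markup styles discussed in the thread.
const SAMPLE_PAGE = [
  '<p><a href="mailto:sales@example.com">Sales</a></p>',
  '<p><span>jsmith</span>@<span>example.com</span></p>',
  '<p>jdoe<span style="display: none">fnar</span>@example.com</p>',
  '<p>info&#64;example&#46;org</p>',
  '<p>support at example dot net</p>',
  '<p>joe [at] joebot [dot] example</p>',
].join("\n");

console.log(auditPage(SAMPLE_PAGE));
```

In the sample, the hidden `fnar` span changes what a tag-stripping scan collects (`jdoefnar@example.com` instead of the real address), while the plain `<span>` split is recovered intact.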

removethis (1)

the_povinator (936048) | more than 7 years ago | (#16817694)

I always assumed that my_email@removethis.gmail.com was enough.
Am I wrong?

Re:removethis (0)

Anonymous Coward | more than 7 years ago | (#16817872)

It might help some if you don't run a business where people who might not be as internet savvy want to contact you.

Stupid people have money too, spam is evidence of that.

Re:removethis (1)

rduke15 (721841) | more than 7 years ago | (#16817918)

Yes, I'm afraid. Many users read neither the address, nor the bounce message they get. Sometimes, if I'm around, they ask me why some of their emails don't go through... That's how I know.

But maybe you don't want email from people like that...

Re:removethis (1)

the-amazing-blob (917722) | more than 7 years ago | (#16818052)

Someone quickly copy-pasting it, especially someone of the non-geek type, might not notice. I've had people ask me if mailer-daemon was a virus, so they won't notice when it bounces back.

Use a Web form (1)

rlp (11898) | more than 7 years ago | (#16817696)

Use a web form for message entry combined with a captcha to prevent spam from bots. The web app that processes the page can dump the message into a DB (for later retrieval by an admin page) or forward it via mail. Do NOT embed e-mail addresses in the page, even e-mail addresses built via JavaScript.

SpamGourmet.com (5, Informative)

gumpish (682245) | more than 7 years ago | (#16817698)

SpamGourmet.com [spamgourmet.com]

Makes it trivially easy to create a unique forwarding address for any website you care to visit, then set the domain of that site as an exclusive sender for that address.

If a 3rd party starts spamming you at that address, Spam Gourmet just drops it, but continues to deliver relevant mail.

Oh, and it's completely free.

Re:SpamGourmet.com (2, Interesting)

v1 (525388) | more than 7 years ago | (#16817846)

If you run your own mailserver this is a handy option. I have my primary email address that I only give to people I trust that are not using windows machines. Anytime I have to give my email to a "risky" place, like to submit a request for something, that requires a valid email address, or to register, I create a new email alias.

This spring I was shopping for a new SUV, interested in an Escape. I went to ford's web site and they had a "submit email address to have dealers in your area contact you". Sure that's easy enough. But I'm paranoid. Yes it's Ford but still. So I made "v1ford" forward to my main email address. I got five replies from dealers in my area and forgot about the whole thing.

SIX MONTHS LATER I started receiving spam, one per day, to v1ford. Bastards. And they waited half a year before selling me out, thinking I would not know! So that alias which I had forgotten to delete after I got my replies, I just deleted and they "went away". It astounds me that someone that I am about to buy a $26k product from is doing things to piss me off.

Tho to be fair it was probably one of the five that replied to me, that got his PC owned by a spam virus. But still, that's not responsibly protecting the privacy of your (potential) customers. Just goes to show, you really can't trust ANYONE with your real address nowadays - even if they are reputable and have integrity, you can't count on them ALL being bright bulbs, and it only takes one to ruin it for you.

Using this system I have only received spam on a few occasions, one of which was when a large company I trusted posted my email address on their web site. (d'oh!)

Re:SpamGourmet.com (1)

jmv (93421) | more than 7 years ago | (#16818164)

It doesn't solve the problem here. When you want people to be able to contact you, you want to post an email address that will not go away.

Server-side redirection (1)

bsiegel (751984) | more than 7 years ago | (#16817704)

I've had success using a simple server-side script that simply sets the 'Location:' header to an e-mail URL such as mailto:foo@bar.com [mailto] . The advantage is that the e-mail address is not in the client-side code at all. Does anyone know if spam bots are able to harvest redirects like this?

--bsiegel

I used to... (1)

Lord Kano (13027) | more than 7 years ago | (#16817706)

I used to list mine as lordkaNOSPAM@whatever.com

When the spambots started to strip out the NOSPAM they'd try sending email to lordka@whatever.com, that wasn't me.

Now, I just live with spam filters.

LK

reverse email (0)

Anonymous Coward | more than 7 years ago | (#16817718)

edu@berkeley.student

Publish your email address. (3, Insightful)

gvc (167165) | more than 7 years ago | (#16817732)

gvcormac@uwaterloo.ca -- Bring it on!

Seriously, if we cower in fear, the spammers win. Obfuscating, Turing tests, whatever show fear.

Re:Publish your email address. (1)

Rosonowski (250492) | more than 7 years ago | (#16818140)

If the spammers didn't harvest that on their own, I'm sure a dozen people just did it for you. =/

Why bother? (1)

Nemetroid (883968) | more than 7 years ago | (#16817738)

I use a spam filter. Much easier than having everyone read your email through a captcha.

contact us form (1)

cmanuh (731680) | more than 7 years ago | (#16817742)

provide your own custom contact us form and have it written to some backend database.

There is a simpler ingenious method. (2, Interesting)

Goalie_Ca (584234) | more than 7 years ago | (#16817752)

Hide in the webpage a bogus email address. Maybe in comments, maybe in the corner with a super tiny font which matches the background. Whatever mail gets sent to that address should be automagically blocked to all other accounts.

Exploit poor coding standards. (2, Informative)

patio11 (857072) | more than 7 years ago | (#16817792)

check+the+rfc+this+is+legal+but+nobody+codes+for+it@yourdomain.com

Decoy address to build a spammer blacklist (5, Interesting)

The Famous Druid (89404) | more than 7 years ago | (#16817776)

I've heard the following works fairly well, but haven't tried it m'self.

Put 2 email addresses on your web site, the real one, and a 'decoy' one which is hidden from normal users (eg white-on-white text right at the bottom of the screen).

Any email that arrives at the 'decoy' address is parsed, and the sender added to a blacklist.

Re:Decoy address to build a spammer blacklist (2, Interesting)

yupie (772822) | more than 7 years ago | (#16817992)

Put 2 email addresses on your web site, the real one, and a 'decoy' one which is hidden from normal users (eg white-on-white text right at the bottom of the screen).
Any email that arrives at the 'decoy' address is parsed, and the sender added to a blacklist.


This does not work, for the simple reason that nowadays, spam machines virtually always use a different sender (and very probably different sending IP address etc., given bots) for each mail.

Re:Decoy address to build a spammer blacklist (1)

celerityfm (181760) | more than 7 years ago | (#16818014)

One of the problems I see with this is that it's also an old search engine spam technique and could lead your site to being penalized in search results. I advocate email obfuscation [seowebsitepromotion.com] if you must have a mailto :)

Spam Traps (1)

GeorgeS069 (956679) | more than 7 years ago | (#16817782)

I use Maia MailGuard and just set a bunch of spam traps in my html files.
Any mail sent to these traps are automatically marked as spam and filtered according to your spam settings
Some of the "traps" are super obvious too but, it works.
here's a few:
spamking@frodoslair.net
dumbass@frodoslair.net
idiotspammers@frodoslair.net

and so on....
I believe anyone that would sell these harvested addresses would have some pissed off customers when they saw these entries in the list!

Re:Spam Traps (0)

Anonymous Coward | more than 7 years ago | (#16817956)

Why would they care what their customers think? It's not like they can take them to court for it or anything.

Besides, harvested addresses don't cost much per million addresses so I don't think anyone who is buying them is going to care enough to actually look at the list before they spew crap all over the internet.

Just be unique (2, Interesting)

Statecraftsman (718862) | more than 7 years ago | (#16817786)

You know when they said you were special? They were trying to tell you to just do something different than everyone else. If everyone did a table trick or wrote "blank at blank dot com" or did any other clever little thing a programmer could come along and regex the hell out of it. Be unique and make them deal with your site individually.

That being said, I don't think spammers crawl the net looking for addresses so much. Their zombies have all the addresses they need. Just try to give out your email address to people that don't have an affinity for virus infections. In my case, I protect my customers so my address hasn't been abused too heavily thus far.

Re:Just be unique (1)

rduke15 (721841) | more than 7 years ago | (#16817988)

I don't think spammers crawl the net looking for addresses so much.

They do. I put a few honeypot addresses on a small personal web page, and most of them get spam daily.

Fuck 'em! (4, Interesting)

shawnmchorse (442605) | more than 7 years ago | (#16817806)

My actual e-mail address, in convenient text format and as a mailto: link, is at the bottom of every single web page at my personal web sites. I really don't see why I should change that just because spammers might harvest it. My e-mail address has been up there since about 1996, so that's at least a decade's worth of harvesting. I've also used the same e-mail address on Usenet posts.

Yes, I get quite a lot of spam. But with the usual techniques (greylisting, SpamAssassin, etc.) I only actually receive maybe half a dozen spam e-mails a day. And more importantly, all my actually valid e-mail still seems to get through just fine. I'm happy with it, and I get the personal satisfaction of being able to use my e-mail address wherever I damn well like without having to cower from spammers.

Re:Fuck 'em! (1)

MobileTatsu-NJG (946591) | more than 7 years ago | (#16818064)

"...and I get the personal satisfaction of being able to use my e-mail address wherever I damn well like without having to cower from spammers."

Cower? It's about signal to noise, not the Borg taking over the ship. Heh.

Reverse psychology (2, Funny)

DoofusOfDeath (636671) | more than 7 years ago | (#16817820)

Put in plain sight: on your homepage which you submit to Google for indexing.

It's so obvious, they'd NEVER think to look there.

I take a modified approach to the 'image' method (1)

Kabuthunk (972557) | more than 7 years ago | (#16817826)

Just in case someone has some program that will recognize characters in an image (hence why some sites have the mangled-looking image that you have to try to read the letters off of), I went with a slightly different approach.

I just took a .gif image of my email address in the font I was using on my site, and then split it into 5 different images. Then in the html, I just have all of the images running one after another without spaces, and it looks correct on the website.

As well, I threw a BR tag or two before that particular line, and put the email address towards the start of the sentence, to avoid the problem of half of it appearing on a second line. Well... unless they have their monitor set to like... 320x240 resolution or have their IE window really friggin' small :P

Re:I take a modified approach to the 'image' metho (2, Insightful)

Compholio (770966) | more than 7 years ago | (#16818042)

As well, I threw a BR tag or two before that particular line, and put the email address towards the start of the sentence, to avoid the problem of half of it appearing on a second line.
You could put the images inside a table, for that matter you could just put a single character of your email address in each table cell and set the table to be border-less (and have no padding or spacing).

Give up and use SPAM filters... (1)

WoTG (610710) | more than 7 years ago | (#16817852)

For a couple years I used a javascript encoder for public web pages. But somewhere between getting 20 SPAM a day and getting 250 SPAM a day, I had to set up better anti-SPAM systems. So there wasn't much benefit to trying to hide various email addresses with convoluted hacks like JS. Another option is to include a "email contact form", but those have downsides too.

Another method.. (4, Informative)

catwh0re (540371) | more than 7 years ago | (#16817868)

To get around spam issues I bought a cheap domain and use an included service to redirect all the email that gets sent to that domain to a single email address. (Most will offer this service for free.)

I then use separate email addresses for everything I sign up for. E.g. my bank email address is different from my health fund email address, which is different from my all of mp3 email address etc. I use a little code which isn't obvious (similar to a lookup table) to code each website into the username portion of the email address... That's why I'm a little annoyed at allofmp3.com at the moment, as I've supplied two email addresses to them on only two occasions, and both are huge spam recipients. So it's clear that not only does their financial arm sell my email address, but their online store does too.

This method is good for 2 reasons: It's very easy to direct all email from particular addresses straight to the trash should they become spam targets and secondly, it's very easy for me to figure out (such as the allofmp3.com case) who sold my email address to spammers and when.
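One way to implement the per-site alias scheme described in this comment, as an added example that is not the commenter's own code: each alias carries a short keyed tag, so incoming mail can be traced to the site that was given the address, and guessed aliases on the catch-all domain are refused. The key, the domain and the site names are constructed placeholders.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a private key only the owner holds
DOMAIN = "example.org"            # assumption: a domain with catch-all forwarding


def _tag(site: str) -> str:
    """Short keyed tag, so an alias cannot be guessed from the site name alone."""
    mac = hmac.new(SECRET, site.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:6]


def alias_for(site: str) -> str:
    """Address to hand to exactly one site, e.g. alias_for("bank.example")."""
    site = site.lower()
    return f"{site}.{_tag(site)}@{DOMAIN}"


def classify(recipient: str, revoked: set) -> tuple:
    """Map an incoming recipient to (verdict, site that was given the alias)."""
    local, _, domain = recipient.lower().rpartition("@")
    site, _, tag = local.rpartition(".")
    expected = _tag(site).encode("utf-8")
    if domain != DOMAIN or not site or not hmac.compare_digest(
        tag.encode("utf-8"), expected
    ):
        return ("reject-unknown", None)   # guessed or mistyped alias
    if site in revoked:
        return ("reject-leaked", site)    # this site's copy reached spammers
    return ("deliver", site)


if __name__ == "__main__":
    revoked = {"shop.example"}            # constructed revocation list
    for rcpt in (alias_for("bank.example"), alias_for("shop.example"),
                 "bank.example.zzzzzz@example.org"):
        print(rcpt, classify(rcpt, revoked))
```

The site name returned alongside the verdict is what identifies where a leaked address came from; adding that name to `revoked` retires the alias without touching any other.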

me at gmail.com (0)

Anonymous Coward | more than 7 years ago | (#16817916)

I'm surprised I haven't seen the usual somesuchname at somesuchsite.com, and I'm wondering just how useful doing this is.

Email Obfuscation (3, Interesting)

celerityfm (181760) | more than 7 years ago | (#16817930)

I try to run any mailtos through an email obfuscator [seowebsitepromotion.com] .. as the link says, a 6 month study [cdt.org] showed that obfuscated emails "do not receive junk mail."

My theory is that harvesters have enough email addresses out there to gather and that the spammers are too lazy/have no need to write algorithms that interpret these types of mailtos.

Re:Email Obfuscation (1)

celerityfm (181760) | more than 7 years ago | (#16817958)

Note that to the end user the obfuscation is transparent- they see a regular email address when they click the mailto link and in the webpage. Harvesters OTOH do not....at least, again, according to the CDT, which IMHO is a good, respectable source for these kinds of things.

TLAs FTW!

Serverside Form (1)

Chabil Ha' (875116) | more than 7 years ago | (#16817936)

How about creating a form that they can fill out with your email address stored and the email processed on the server. Add a CAPTCHA to prevent the form from being spammed, and bang! you're done and your address is protected. That's what I do and no problems--yet.

Re:Serverside Form (1)

thewils (463314) | more than 7 years ago | (#16817968)

Exactly,

Server-side scripting is the only way to go. That way the email addy is never delivered to the browser client.

None of the above... (1)

Pembers (250842) | more than 7 years ago | (#16817966)

...unfortunately. No matter how cleverly you hide your address from the bots, the humans that you actually want to hear from have to enter the real thing into their email client. If the client stores the address in its address book, or it keeps a copy of the message, any piece of malware that infects the user's machine can discover your address and transmit it back to Spam Central for bombardment with the latest round of pump-n-dump.

I'm convinced this is how those bastards got the address of mine that currently gets the most spam. I maintain two sites, each with a contact address. They're minimally obfuscated - instead of user@example.com it says user at example dot com. One address gets almost no legitimate mail, but almost no spam. The other gets one legitimate mail every month or so, and spam maybe once a week. (Oh yes, I count myself lucky. My spam load peaked at a hundred a day a few years ago.)

I wonder if there would be any mileage in a mail client that encrypted the address book and mail folders, so that other processes running under your user ID couldn't read them? Trouble is, anyone savvy enough to choose a client because it has such a feature probably isn't going to get hit by malware in the first place. Good luck getting this feature into Outlook and switched on by default...

use: SPAM as your username (4, Interesting)

microcars (708223) | more than 7 years ago | (#16817994)

Since this topic is about "foiling email harvesters"...

I have found that using SPAM as your username works wonders

just post it right there on the webpage or leave it as a mailto:spam@example.com

So many people use NOSPAMjohn@NOSPAMexample.com (remove the NOSPAM to reply)
or some variation of that, I tried using spam@example.com as my email address on Google Groups and previously on Usenet.

I got pretty much nothing. No spam. Not then, not now.

Since the email harvesters apparently filter out variations of addresses with SPAM, NOSPAM, DIESPAMMERS etc in them, once they filter out the "SPAM" part of spam@example.com they are left with @example.com which is not a valid email address.

Use your html source to train your spam filter (1)

bollucks (450288) | more than 7 years ago | (#16818028)

I insert a fake email address into the comments section of the html such as mailto:blah@mydomain.com and have blah@mydomain.com redirect as an alias to newspam@mydomain.com which then trains my spam filter. Of course this means you definitely will get mail from the spam harvesters, but it also allows you to keep an old fashioned useful real link on your website to a real email address.
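The decoy-address idea from this comment and the earlier ones, keyed on message content rather than on the sender (the objection raised in the reply about senders changing with every mail), as an added example that is not code from any commenter or from Maia Mailguard. The addresses and messages are constructed, and the normalisation rule is a deliberately simple assumption.

```python
import hashlib
import re
from email import message_from_string
from email.utils import getaddresses


def fingerprint(body: str) -> str:
    """Hash of the body with case, digit runs and whitespace normalised."""
    norm = re.sub(r"\d+", "#", body.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


class TrapFilter:
    def __init__(self, trap_addresses):
        self.traps = {a.lower() for a in trap_addresses}
        self.seen = set()  # fingerprints of bodies that reached a trap

    def handle(self, raw_message: str) -> str:
        msg = message_from_string(raw_message)
        # Assumption: the To header is used for brevity; a mail server would
        # key on the envelope recipient instead.
        rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
        # walk() yields the leaf parts, so multipart mail is fingerprinted too.
        parts = [p.get_payload() for p in msg.walk() if not p.is_multipart()]
        fp = fingerprint("\n".join(str(p) for p in parts))
        if rcpts & self.traps:
            self.seen.add(fp)             # learn from anything a trap receives
            return "trap"
        return "quarantine" if fp in self.seen else "deliver"


def _mail(sender, rcpt, body):
    return f"From: {sender}\nTo: {rcpt}\nSubject: hello\n\n{body}\n"


# Constructed sample traffic: the same pitch from two unrelated senders.
SAMPLES = [
    _mail("a1@bot-one.example", "trap@example.org", "Cheap watches, code 48213"),
    _mail("zz@bot-two.example", "me@example.org", "Cheap  watches, code 90077"),
    _mail("friend@example.net", "me@example.org", "Lunch on Friday?"),
]


def run_samples():
    f = TrapFilter(["trap@example.org"])
    return [f.handle(m) for m in SAMPLES]


if __name__ == "__main__":
    print(run_samples())
```

A copy that reaches a real mailbox before the trap has seen the same body is still delivered, so the trap only helps against campaigns that hit the decoy first.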

How about fixing the problem... (1)

sit1963nz (934837) | more than 7 years ago | (#16818030)

Instead of everyone spending millions a year to try and stop spam, how about the ISPs do something like:
1) Stop the machines becoming BOTs in the first place, ie close down all the ports except the common ones but have the option for those who have special requirements to open up those ports. Heck for a lot of the Mum and Dads out there they could almost get away with only port 80 open to the outside world.

2) When they get a complaint about spam, actively seek out the owner and give them some HELP to kill off the bot on their machine, get rid of the viruses, and get them updated with a virus checker/spyware checker etc.

3) Start listing "dangerous web sites", ie those known to have spyware/viruses and then giving people the OPTION of allowing the ISP to firewall those sites for them

4) Having tutorials on their sites explaining how viruses work, how spyware works, how phishing scams work, why penny stocks are a scam, as are all the viagra ads etc.

5) Instead of blocking the spam, block the web sites they point to, you can send as many spams as you like, but if no one can buy your fake watches, fake viagra then you will go out of business fairly quickly, and by blocking the domain name this will stop them from shifting the domain from hacked server to hacked server as it will not matter WHERE it is located.

6) Web hosts who do not kill off spamvertised sites and phishing sites quickly (1-2 hours MAX) repeatedly should become permanently blocked.

ISPs should take more responsibility for their customers.

Re:How about fixing the problem... (1)

fltsimbuff (606866) | more than 7 years ago | (#16818148)

While you have some good ideas there, unfortunately some of them are a lot easier said than done. Consider the *Billions* of packets going over some larger ISPs' networks hourly. Many ISPs block a few select ports for various reasons, but the larger the access list on the routers, the more processing power it takes to examine every packet. Whether they block everything, and then allow only a few ports, or vice versa, any more than a couple of entries would totally bog down high volume gateway routers at ISPs. Some Cable internet companies have the right idea. Cox actually uses the port blocking capabilities in the cable modems to block certain ports inbound on modems that support it. This offloads the processing to the individual modems rather than placing responsibility on the routers. Add in attempts to analyze packet contents so that blocking of particular sites can be done, and you have to have one hell of a powerful router. Now, IANAL, but I believe this would also raise potential legal issues. Some could say the ISP is then "responsible" for any security breaches to their subscribers' PCs, as they are presenting a "false" sense of security by taking action in the first place. (Don't you love our legal system these days?) There is a similar reason behind why the company I work for refuses to put security cameras monitoring the employee parking lot -- they could then be liable.

Best Method For Foiling Email Harvesters? (1)

ScrewMaster (602015) | more than 7 years ago | (#16818038)

10. Boiling in oil.

9. Bamboo splinters under the fingernails.

8. Water-drip torture.

7. Genitals screwed into a light bulb socket.

6. Two words: trash compactor.

5. Covered in honey over a fire-ant nest.

4. Piranha.

3. Buried to the neck at low tide.

2. Cannibal Pygmies.

and the number one answer is:

1. {you guys figure it out / I need another beer.}

Hidden sub page.... (1)

leon.gandalf (752828) | more than 7 years ago | (#16818062)

with thousands of fake e-mail addresses...

as i see it (0)

Anonymous Coward | more than 7 years ago | (#16818084)

if they use linux, they must be fags.

C Code (1)

Vexler (127353) | more than 7 years ago | (#16818086)

Recently I came across a website of a security software programmer who asked visitors of his personal website to run a specific C code in order to obtain his email address. He had used a variation on the ROT-based encryption so it wasn't as trivial as cout << "johnsmith@somewhere.com".

Javascript (1)

Ian Bicking (980) | more than 7 years ago | (#16818088)

Use Javascript and document.write. In its simplest form it looks like:

var mailto = 'm' + 'e@e' + 'xampl' + 'e.com';
document.write('<a href="mailto:'+mailto+'">'+mailto+'</a>');

It's easy to make it much harder, of course, and most (all?) spam harvesters don't interpret Javascript.
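A self-audit for the obfuscation methods discussed in this thread, as an added example that is not part of the original comment: it reports in which script-free views of a page's source an address can still be read. The page fragments and the address `me@example.com` are constructed, and the two patterns are simplified assumptions about what a source-reading scraper matches.

```python
import html
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "user at example dot com", the spelled-out form several comments mention
AT_DOT_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)\s+at\s+([A-Za-z0-9-]+(?:\s+dot\s+[A-Za-z0-9-]+)+)\b",
    re.IGNORECASE,
)


def exposed_forms(page_source: str, address: str) -> list:
    """List the script-free views of the page in which `address` is readable."""
    address = address.lower()
    found = []
    if address in (m.lower() for m in EMAIL_RE.findall(page_source)):
        found.append("raw")
    decoded = html.unescape(page_source)  # undoes &#64; / &#x40; style encoding
    if not found and address in (m.lower() for m in EMAIL_RE.findall(decoded)):
        found.append("entity-decoded")
    for m in AT_DOT_RE.finditer(decoded):
        domain = re.sub(r"\s+dot\s+", ".", m.group(2), flags=re.IGNORECASE)
        if f"{m.group(1)}@{domain}".lower() == address:
            found.append("at-dot")
            break
    return found


# Constructed page fragments, one per technique discussed in the thread.
PAGES = {
    "plain mailto": '<a href="mailto:me@example.com">me@example.com</a>',
    "ascii entities": "<p>&#109;&#101;&#64;example&#46;com</p>",
    "spelled out": "<p>Contact: me at example dot com</p>",
    "js concatenation": (
        "<script>var mailto = 'm' + 'e@e' + 'xampl' + 'e.com';"
        "document.write('<a href=\"mailto:'+mailto+'\">'+mailto+'</a>');</script>"
    ),
}


def audit(address="me@example.com"):
    return {name: exposed_forms(src, address) for name, src in PAGES.items()}


if __name__ == "__main__":
    for name, forms in audit().items():
        print(f"{name:18} {forms or 'not readable without running scripts'}")
```

An empty result only means the address is hidden from tools that read source without executing it; it says nothing about a client that renders the page.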

Project Honeypot (1)

Shadyman (939863) | more than 7 years ago | (#16818110)

Best way to stop them? Project Honeypot. http://www.projecthoneypot.org/ [projecthoneypot.org]
