Best Method For Foiling Email Harvesters? 506

Posted by Zonk
from the when-the-addresses-are-high-as-an-elephants-eye dept.
pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addresses from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ascii encodings for some/all of the characters. 3.) Use javascript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret javascript? What do you use?"
This discussion has been archived. No new comments can be posted.

  • by Salvance (1014001) * on Sunday November 12, 2006 @06:44PM (#16817608) Homepage Journal
    My two favorite methods are:
    - Putting the e-mail in a distorted picture (like a captcha) - this is very difficult for spam crawlers to read
    - Using a long human readable message "tset ta tset tod moc.reverse.each.word.prior.to.first.dot.for.addr"

    In general, your best defense is to employ some method that requires human interpretation.
    • Really, if all you want is your customers or prospects to be able to reach you through a website, get yourself a contact form.. No way for a harvester to get your email address that way, and people usually don't mind filling in a contact form.. if you obligate your customers to "think" as you suggest, you're risking losing potential customers which is simply not worth it. Besides, it makes you look very unprofessional.

      • by Salvance (1014001) *
        Good point ... I use those methods primarily on personal web pages, at work we use contact forms and never ever show an e-mail address. However, at work we get over 1000 spam messages a day coming from our contact form. We probably need to rewrite it to be a little less spambot friendly. In general though, if a person can click a button, so can a bot.
      • Only trouble with 'plain' contact forms (ie: no captcha) is that once the spammers notice it, you get bot-driven submissions.
      • Re: (Score:2, Interesting)

        by Compuser (14899)
        This is a horrible solution. Please, people, don't do this. I never fill out any form
        unless pressed to do so, because I assume it is itself a harvester of sorts, meaning I do
        not trust companies who say that they will not resell my information.
        Also, please do not use javascript, since many people (including myself) browse with
        javascript off, and only enable it in tabs where it is absolutely necessary. I hate the
        bother of turning on javascript. Please avoid it if at all possible. Granted, I would love
        for all
        • by Carthag (643047)
          So you don't contact any company at all? If you call them, they can sell your phone number. If you email them or fill out a form, they can sell the email address. If you snail mail, well there's always good old fashioned junk mail.
        • Re: (Score:3, Interesting)

          by Sancho (17056)
          I wonder if bots have started replacing 'dot' with '.' and 'at' with '@'.

          I wonder, then, if adding the word 'dot' to your e-mail address would deter bots. Probably not, though. They'd probably just try all permutations of '.' and 'dot'.
    • Re: (Score:3, Insightful)

      by nine-times (778537)

      The problem with doing either of those things is that they could be hard to read and/or confusing. If you're dealing with customers, you don't want them to get confused, fed up, and not buy your product/services.

      Personally, I think the only way to handle it is to keep everyone's personal e-mail address off of the web page, and use generalized e-mail address like "sales@your-domain.com", "contact@your-domain.com", or "support@your-domain.com". Have it be someone's job to review incoming e-mail to these ad

      • Re: (Score:3, Interesting)

        by arivanov (12034)
        Absolutely.

        And, for all practical purposes the fear of harvested mail addresses is silly, irrational and stupid. There is a very good method of dealing with harvesters. You combine greylisting with spambait driven blacklists and you get 99% of them right away.

        Note - it is essential to use both grey and black in order for it to work. Using greylists allows to defer all mail until the spammer has fired its entire volley. If one of the addresses in the volley is a spambait you blacklist the source IP with a dy
    • by Ankou (261125) on Sunday November 12, 2006 @07:03PM (#16817800)
      My email contact consists of Egyptian hieroglyphics in one of those 3d art displays. First you gotta stare at it for a few minutes to have the objects pop out. Next it's a trip to Egypt where you must follow clues to meet an old shaman. Use his clues to navigate through a snake infested pyramid. Find the one eyed pirate after defeating the octopus. You are rewarded with a postcard with my email address in a sack in sans script. Be sure to avoid the poison arrows and rolling rock on the way out. Spammers be damned.
      • Re: (Score:3, Funny)

        by LiquidCoooled (634315)
        I use a similar method, except then they can only actually send me mail on the Summer solstice using a special machine buried in the mountains of India and must be used whilst standing upon a hill overlooking khafkas' pyramid wearing a blue apron.
        When the light shines through the fascia of the machine it powers up for a few minutes and opens a connection which is bounced around my diamond CPU initiating the SMTP process.
        If you get the timing incorrect then the sun's rays will instantly vaporise you.

        So far I
      • So, you have the email address of noted archaeologist Dr. Indiana Jones?
      • by EMH_Mark3 (305983) on Sunday November 12, 2006 @10:41PM (#16819328)
        Damnit, why did it have to be snakes?!
    • by Anonymous Coward on Sunday November 12, 2006 @07:08PM (#16817848)
      The whole point of posting an email address on a website is to allow and support communication, not to obfuscate it and make it more difficult for a person to use. Discouraging spam is important, but it must remain secondary to allowing email communication.

      I predict Technical solutions will continue to fail to solve the spam problem, because it is not primarily a technical problem. It is a moral problem. Spammers (whoever they might be) are not respecting people. They are disrespecting us in order to get some money. Their values put dollars above the needs of anonymized people.

      Until the moral problem can be solved adequately through accountability or other means, we are stuck with technical "solutions". Hopefully the solutions keep in mind the original intent of the technology or else we will continue to spend our time "jumping through hoops" rather than actually accomplishing work.
      While a captcha does require human intervention, it makes it more difficult for a "normal" user to access. Same with nameIhatespam@domain.com or nameih8spam@domain.com or name @ domain.com. This requires manual work and appears "unprofessional". Such confusion creates a barrier to effective communication.

      Sure if you are on the "hackers are us" website such tricks are fine, 100% geeks, all interested in spending time re-typing information.
      However if your audience is not technical, has any kind of failing eyesight (many over 60), or limited patience (the entire web audience) you had better keep it transparent for the end user. This is where javascript has served us well.

      In recently gathering information from hundreds of manufacturing websites, I've found that the "cuter" the tricks, the less likely I am to pursue a working relationship with that manufacturer.

      There are still tons of websites out there with unobscured email addresses in the HTML code and even in the text of the webpages. I don't see why spam harvesters would need to bother with javascript parsing engines when there is such a rich harvest of real email addresses out there.

      I think people who are wiser than me need to consider how a community approach could seriously hamper spam. Maybe it is shaming the companies that build spam harvesting software. (we have imagination, we could 'make' them stop) I know that phoning and talking crossly to the wife of a spammer at an inconvenient time certainly created a stress reaction in her, which probably translated into stress reaction at their dinner table etc... I made the social cost of spamming high by phoning their 1800 number (costs them $0.05/minute). I made it real, I humanized my email address by "calling them on it" and complaining about their practices. (they still spam)...

      Filtering is huge, but ultimately we need to call people to social responsibility, and that requires one of two approaches that I can see.
      1. Grassroots community accountability/reaction to spam
      2. Top down legislative control.

      It's a war, but the war isn't for or against SPAM, the war is for and against respecting others on the NET.

      Greg.
      • Re: (Score:2, Funny)

        by f1055man (951955)
        baseball bat in hand. give me an address and a plane ticket and I'll solve our moral problem.
    • Use webmail or forms to take customer requests, complaints, etc. instead of public email addys. When someone is assigned to handle the request, they can provide their email address for followup. That way none of the company email addresses are "public", and you can still have a full contact directory.

      Such forms require the customer to provide a reply-to address, which you can then add to a whitelist.

      Spam is a nuisance, but it's not worthwhile to make it hard for customers just to avoid address harves

    • how about this: j o e [ a t ] j o e b o t . c o m
  • by un1xl0ser (575642) on Sunday November 12, 2006 @06:46PM (#16817632)
    If you make it hard for 'bad guys', you make it hard for your customers/friends too. Some people like having mail-to links, and you won't be able to do that easily with an image.

    If you have a form to submit to on-line, tag it and let it go to the head of the class.
    • by somethinghollow (530478) on Sunday November 12, 2006 @07:45PM (#16818130) Homepage Journal

      I think you hit the nail on the head. Strictly speaking, if you want to use text and don't leave a plain text version of your e-mail, you are at risk of being inaccessible.

      1. Use an image to replace your email address: I browse with images off on my cell phone and screen readers can't read images. Not to mention there are projects around that do OCR on captchas. If a spammer was resourceful enough, this wouldn't defeat them.
      2. Use ascii encodings for some/all of the characters.: Again, some cell phones (and probably other browsers) don't know about these encodings. Again, a resourceful spammer would figure it out.
      3. Use javascript to concatenate and/or obfuscate your email address: Lots of people browse with Javascript off. Not to mention that this could be gotten around with, maybe, a GreaseMonkey script that runs, say, 20 seconds after page load and parses the HTML for RegEx patterns of e-mail addresses in document.body.innerHTML (syntax may be wrong).

      I made a contact form for my site to avoid harvesters. While spammers do have scripts to submit contact forms, it's easier to trick a robot based on its form input than based on what the robot can parse from the page (e.g. put a hidden field called phone number and fail the form on the backend if it has a value since most spam bots will try to enter something, and make sure there is an HTTP_REFERER, or ask for the user to duplicate some text in a field that is on the page somewhere else).
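
The backend checks described in the comment above (a hidden "phone number" honeypot field, a Referer check and a copy-this-text challenge), written out as an added Node.js example that is not part of any comment in this thread. The field names, the site origin and the sample submissions are assumptions made for the sketch.

```javascript
// Added example: screening a contact-form POST on the server.
// Assumed names: fields.phone_number (hidden honeypot), fields.challenge
// (text the visitor copies from the page), SITE_ORIGIN.

const SITE_ORIGIN = 'https://www.example.com'; // assumed origin of the form page

function screenSubmission(fields, headers, expectedChallenge) {
  const reasons = [];

  // 1. Honeypot: the field is hidden with CSS, so a human leaves it empty.
  //    Form-filling bots tend to put something in every input they find.
  if ((fields.phone_number || '').trim() !== '') {
    reasons.push('honeypot-filled');
  }

  // 2. Referer: must be present and point at our own site.
  //    Node lower-cases header names. The header is client-supplied, so this
  //    only filters lazy bots, and privacy tools may strip it for real users.
  const referer = headers.referer || '';
  if (referer === '') {
    reasons.push('missing-referer');
  } else {
    let sameOrigin = false;
    try {
      sameOrigin = new URL(referer).origin === SITE_ORIGIN;
    } catch {
      sameOrigin = false; // unparseable Referer value
    }
    if (!sameOrigin) reasons.push('foreign-referer');
  }

  // 3. Challenge: the visitor re-types a phrase shown elsewhere on the page.
  const typed = (fields.challenge || '').trim().toLowerCase();
  if (typed !== expectedChallenge.trim().toLowerCase()) {
    reasons.push('challenge-mismatch');
  }

  return { accept: reasons.length === 0, reasons };
}

// Constructed sample submissions (not real traffic).
const CHALLENGE = 'blue heron';

const humanPost = {
  fields: { name: 'Pat', message: 'Quote please', phone_number: '', challenge: 'Blue Heron ' },
  headers: { referer: 'https://www.example.com/contact' },
};
const botPost = {
  fields: { name: 'x', message: 'buy now', phone_number: '555-0100', challenge: '' },
  headers: {},
};
const offSitePost = {
  fields: { name: 'y', message: 'hello', phone_number: '', challenge: 'blue heron' },
  headers: { referer: 'https://forms.example.net/replay' },
};

function runSamples() {
  return [humanPost, botPost, offSitePost].map(
    (p) => screenSubmission(p.fields, p.headers, CHALLENGE)
  );
}

for (const verdict of runSamples()) {
  console.log(verdict.accept ? 'ACCEPT' : 'REJECT', verdict.reasons.join(','));
}
```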

    • Re: (Score:3, Interesting)

      by mr_matticus (928346)
      How about instead of an entire contact form, which might not allow bullet points or attachments, etc. that people may wish to use, just use a basic email submit?

      Take a form putting the email alias in the table, and write a simple HTML form control that clicking the submit button takes the text on the page ("example") and appends the '@' sign and the domain ("example.com") in a two-step process, and spits out a "mailto:" link as the final step.

      From the user's perspective, you get a little box that has you
  • Form (Score:5, Interesting)

    by daeg (828071) on Sunday November 12, 2006 @06:47PM (#16817644)
    Spend 10 minutes and make an HTML form for people to contact you. Be careful what you name your field names, though, as there are spam bots that can target web forms.

    If people need to send you files, they can do so after you reply back to them.
    • by Cylix (55374)
      I use a form, but the e-mail address is kept on the server configs.

      A simple form with subject, reply to and message body is then whisked away to a general account.

      At that point, it is at our discretion to reply and give out email addresses.
      No harvesting possible...

      Except when your fellow co-workers send you a lovely e-greeting card! BAM!

      Instant harvesting.

      All that time you spent setting up those web forms and hiding delicate information from the public... WASTED!

      Now, get yourself a good spam filter because
      • Re: (Score:2, Insightful)

        by eighty4 (987543)
        Now, get yourself a good spam filter because no matter what you do... you will be assimilated.

        This is totally it. In many ways, no matter what you do, you're only delaying the inevitable. If the spammers don't get it from your site, they'll get it from somewhere else sooner or later.
    • Re: (Score:3, Interesting)

      by garcia (6573)
      Be careful what you name your field names, though, as there are spam bots that can target web forms.

      All it takes is one of the dickwads to manually figure out your form and then they all do it. In addition to whatever you have as your form, make certain you disallow HTML in any of the fields or they will own you.

      I have one set to show that it all went through just fine but it really just ignores their entry. It has worked so far.
      • Indeed I have found that my most "mature" forms out on the web are targeted for spam.. I've added CAPTCHA though, seems to nip it in the butt... but at what cost.. AT WHAT COST?!?!?!?

        Won't someone think of the users? :(
        • by garcia (6573)
          I don't use captcha on one of my forms for a website that I'm in the interim webmaster for because I already have to deal with numerous e-mails from users that have difficulty filling out the form in its current setup.

          I don't have time to explain to them how to decipher the image and I don't want to field the questions as to why we are using it.

          Won't someone think of the admins?
  • by also-rr (980579) on Sunday November 12, 2006 @06:48PM (#16817652) Homepage
    IP geolocation [ip2location.com] and a shotgun.

    Works for me.
  • Image (Score:2, Interesting)

    by Gemini_25_RB (997440)
    Personally, I don't have this issue too much (no business, ergo no customers), but I think that the image would be the most effective. Almost like a CAPTCHA, but not nearly as hard (you want your customers to read it easily), but the image would likely still work because (speculation) most harvesters analyze text because it is easy. Image analyzing takes more processing (or human victims), so the harvester would probably get more email addresses by skipping the images and going for text.

    As for whether t

  • by microcars (708223) on Sunday November 12, 2006 @06:48PM (#16817656) Homepage
    seriously, the most spam I get comes from bots that reside on Windows user's computer and troll through their Outlook Inbox for email addresses.

    I have one email that I use specifically for REPLYING to emails and that one is the one that gets the MOST Spam.

    • by MobileTatsu-NJG (946591) on Sunday November 12, 2006 @07:34PM (#16818050)
      "disallow Windows users"

      Har har.

      Anyway, I did an experiment once years ago where I created a brand new mail account and turned off 'spam armor plating' (or whatever it's called) on Slashdot. Then I went about making my posts etc. To my surprise, I started getting messages rather quickly. It didn't take more than a week or two to start receiving enough unsolicited mail to shut the experiment down.

      Fast forward to last year. I told a coworker friend about this. He didn't believe me. So I tried the experiment again and... uh.. actually I only got one or two messages over a period of two weeks. I'm not really sure what happened. It's as if they gave up on Slashdot.

      I cannot draw any real solid conclusions from these experiments other than to say that yes, email addresses on websites do get harvested. Yes, you could disallow Windows users, but that wouldn't do a thing to protect any other user. The only possible way that would work is if spam harvesting apps ONLY happened on Windows machines, and let's be realistic, there's nothing to prevent that software from making its way to Linux etc. Once it gets harvested, it doesn't matter which OS you run, you can get spam just as easily.

      It's a tough problem with no single solution.

  • by Colin Smith (2679) on Sunday November 12, 2006 @06:49PM (#16817678)
    With a mailto URL and deal with the resulting spam at the mail level, the cost of doing so is less than the cost of alienating potential customers.

    However, on a personal site, images.

     
  • use a Table! (Score:4, Interesting)

    by Nova1313 (630547) * on Sunday November 12, 2006 @06:50PM (#16817690)
    use a table with 3 columns.. the first with the first part of your email address, the second with @ and the third with domain.com. simple searches on the pages make it hard to find and with a border of 0 the user won't notice the table.
    • Re:use a Table! (Score:5, Interesting)

      by Repton (60818) on Sunday November 12, 2006 @07:06PM (#16817834) Homepage

      Couldn't you equivalently do <span>jsmith</span>@<span>example.com</span> ? You still lose the mailto though..

      (I suppose you could toss in <span style="display: none">fnarfnarfnar</span> or something as well, if you want to confuse matters slightly more)

      Would copy/paste insert whitespace anywhere where you don't want it?

    • Re:use a Table! (Score:4, Interesting)

      by eric76 (679787) on Monday November 13, 2006 @01:28AM (#16820300)
      You could use 2 columns.

      In the right column, create an e-mail address that is missing the first letter or more of the actual e-mail address. Put the missing letters in the left column.

      For example, if your e-mail address is "jack@example.com", "ja" would go in the left column and "ck@example.com" in the right column.

      Then /dev/null any and all e-mail addressed to ck@example.com.
  • Use a web form for message entry combined with a captcha to prevent spam from bots. The web app that processes the page can dump the message into a DB (for later retrieval by an admin page) or forward it via mail. Do NOT embed e-mail addresses in the page, even e-mail addresses built via JavaScript.
  • SpamGourmet.com (Score:5, Informative)

    by gumpish (682245) on Sunday November 12, 2006 @06:50PM (#16817698) Journal
    SpamGourmet.com [spamgourmet.com]

    Makes it trivially easy to create a unique forwarding address for any website you care to visit, then set the domain of that site as an exclusive sender for that address.

    If a 3rd party starts spamming you at that address, Spam Gourmet just drops it, but continues to deliver relevant mail.

    Oh, and it's completely free.
    • Re: (Score:3, Interesting)

      by v1 (525388)
      If you run your own mailserver this is a handy option. I have my primary email address that I only give to people I trust that are not using windows machines. Anytime I have to give my email to a "risky" place, like to submit a request for something, that requires a valid email address, or to register, I create a new email alias.

      This spring I was shopping for a new SUV, interested in an Escape. I went to ford's web site and they had a "submit email address to have dealers in your area contact you". Sure
    • by jmv (93421)
      It doesn't solve the problem here. When you want people to be able to contact you, you want to post an email address that will not go away.
  • by gvc (167165) on Sunday November 12, 2006 @06:55PM (#16817732)
    gvcormac@uwaterloo.ca -- Bring it on!

    Seriously, if we cower in fear, the spammers win. Obfuscating, Turing tests, whatever show fear.
  • by Goalie_Ca (584234) on Sunday November 12, 2006 @06:57PM (#16817752)
    Hide in the webpage a bogus email address. Maybe in comments, maybe in the corner with a super tiny font which matches the background. Whatever mail gets sent to that address should be automagically blocked to all other accounts.
  • by The Famous Druid (89404) on Sunday November 12, 2006 @07:00PM (#16817776)
    I've heard the following works fairly well, but haven't tried it m'self.

    Put 2 email addresses on your web site, the real one, and a 'decoy' one which is hidden from normal users (eg white-on-white text right at the bottom of the screen).

    Any email that arrives at the 'decoy' address is parsed, and the sender added to a blacklist.

    • Re: (Score:2, Interesting)

      by yupie (772822)
      Put 2 email addresses on your web site, the real one, and a 'decoy' one which is hidden from normal users (eg white-on-white text right at the bottom of the screen).
      Any email that arrives at the 'decoy' address is parsed, and the sender added to a blacklist.


      This does not work, for the simple reason that nowadays, spam machines virtually always use a different sender (and very probably different sending IP address etc., given bots) for each mail.
    • One of the problems I see with this is that it's also an old search engine spam technique and could lead your site to being penalized in search results. I advocate email obfuscation [seowebsitepromotion.com] if you must have a mailto :)
    • I just dont get it (Score:3, Interesting)

      by XSforMe (446716)
      If the spammers want so bad email addresses, why not give it to them? List poisoning will sting them right in the buttocks, and will make them think twice before they even consider sending their dumb spiders to your servers again. Take a look at the following sites for more info:

      http://www.monkeys.com/wpoison/ [monkeys.com]
      http://www.spampoison.com/ [spampoison.com]
  • Just be unique (Score:3, Interesting)

    by Statecraftsman (718862) * on Sunday November 12, 2006 @07:01PM (#16817786) Homepage
    You know when they said you were special? They were trying to tell you to just do something different than everyone else. If everyone did a table trick or wrote "blank at blank dot com" or did any other clever little thing a programmer could come along and regex the hell out of it. Be unique and make them deal with your site individually.

    That being said, I don't think spammers crawl the net looking for addresses so much. Their zombies have all the addresses they need. Just try to give out your email address to people that don't have an affinity for virus infections. In my case, I protect my customers so my address hasn't been abused too heavily thus far.
    • by rduke15 (721841)
      I don't think spammers crawl the net looking for addresses so much.

      They do. I put a few honeypot addresses on a small personal web page, and most of them get spam daily.
  • Fuck 'em! (Score:5, Interesting)

    by shawnmchorse (442605) on Sunday November 12, 2006 @07:03PM (#16817806) Homepage
    My actual e-mail address, in convenient text format and as a mailto: link, is at the bottom of every single web page at my personal web sites. I really don't see why I should change that just because spammers might harvest it. My e-mail address has been up there since about 1996, so that's at least a decade's worth of harvesting. I've also used the same e-mail address on Usenet posts.

    Yes, I get quite a lot of spam. But with the usual techniques (greylisting, SpamAssassin, etc.) I only actually receive maybe half a dozen spam e-mails a day. And more importantly, all my actually valid e-mail still seems to get through just fine. I'm happy with it, and I get the personal satisfaction of being able to use my e-mail address wherever I damn well like without having to cower from spammers.
    • "...and I get the personal satisfaction of being able to use my e-mail address wherever I damn well like without having to cower from spammers."

      Cower? It's about signal to noise, not the Borg taking over the ship. Heh.
  • by DoofusOfDeath (636671) on Sunday November 12, 2006 @07:05PM (#16817820)
    Put in plain sight: on your homepage which you submit to Google for indexing.

    It's so obvious, they'd NEVER think to look there.
  • For a couple years I used a javascript encoder for public web pages. But somewhere between getting 20 SPAM a day and getting 250 SPAM a day, I had to set up better anti-SPAM systems. So there wasn't much benefit to trying to hide various email addresses with convoluted hacks like JS. Another option is to include a "email contact form", but those have downsides too.
  • Another method.. (Score:5, Informative)

    by catwh0re (540371) on Sunday November 12, 2006 @07:10PM (#16817868)
    To get around spam issues I bought a cheap domain and use an included service to redirect all the email that gets sent to that domain to a single email address. (Most will offer this service for free.)

    I then use separate email addresses for everything I sign up for. E.g. my bank email address is different from my health fund email address, which is different from my all of mp3 email address etc. I use a little code which isn't obvious (similar to a lookup table) to code each website into the username portion of the email address... That's why I'm a little annoyed at allofmp3.com at the moment, as I've supplied two email addresses to them on only two occasions, and both are huge spam recipients. So it's clear that not only does their financial arm sell my email address, but their online store does too.

    This method is good for 2 reasons: It's very easy to direct all email from particular addresses straight to the trash should they become spam targets and secondly, it's very easy for me to figure out (such as the allofmp3.com case) who sold my email address to spammers and when.

    • Re: (Score:3, Funny)

      by shmlco (594907)
      "That's why I'm a little annoyed at allofmp3.com at the moment, as I've supplied two email addresses to them on only two occasions, and both are huge spam recipients."

      Just wait til you see what they do with your credit card number...
  • Email Obfuscation (Score:4, Interesting)

    by celerityfm (181760) * on Sunday November 12, 2006 @07:18PM (#16817930) Journal
    I try to run any mailtos through an email obfuscator [seowebsitepromotion.com] .. as the link says, a 6 month study [cdt.org] showed that obfuscated emails "do not receive junk mail."

    My theory is that harvesters have enough email addresses out there to gather and that the spammers are too lazy/have no need to write algorithms that interpret these types of mailtos.
    • Note that to the end user the obfuscation is transparent- they see a regular email address when they click the mailto link and in the webpage. Harvesters OTOH do not....at least, again, according to the CDT, which IMHO is a good, respectable source for these kinds of things.

      TLAs FTW!
  • How about creating a form that they can fill out with your email address stored and the email processed on the server. Add a CAPTCHA to prevent the form from being spammed, and bang! you're done and your address is protected. That's what I do and no problems--yet.
  • ...unfortunately. No matter how cleverly you hide your address from the bots, the humans that you actually want to hear from have to enter the real thing into their email client. If the client stores the address in its address book, or it keeps a copy of the message, any piece of malware that infects the user's machine can discover your address and transmit it back to Spam Central for bombardment with the latest round of pump-n-dump.

    I'm convinced this is how those bastards got the address of mine that curr

  • by microcars (708223) on Sunday November 12, 2006 @07:27PM (#16817994) Homepage
    Since this topic is about "foiling email harvesters"...

    I have found that using SPAM as your username works wonders

    just post it right there on the webpage or leave it as a mailto:spam@example.com [mailto]

    So many people use NOSPAMjohn@NOSPAMexample.com (remove the NOSPAM to reply)
    or some variation of that, I tried using spam@example.com as my email address on Google Groups and previously on Usenet.

    I got pretty much nothing. No spam. Not then, not now.

    Since the email harvesters apparently filter out variations of addresses with SPAM, NOSPAM, DIESPAMMERS etc in them, once they filter out the "SPAM" part of spam@example.com they are left with @example.com which is not a valid email address.

  • 10. Boiling in oil.

    9. Bamboo splinters under the fingernails.

    8. Water-drip torture.

    7. Genitals screwed into a light bulb socket.

    6. Two words: trash compactor.

    5. Covered in honey over a fire-ant nest.

    4. Piranha.

    3. Buried to the neck at low tide.

    2. Cannibal Pygmies.

    and the number one answer is:

    1. {you guys figure it out / I need another beer.}
  • by Vexler (127353)
    Recently I came across a website of a security software programmer who asked visitors of his personal website to run a specific C code in order to obtain his email address. He had used a variation on the ROT-based encryption so it wasn't as trivial as cout << "johnsmith@somewhere.com".
  • Use Javascript and document.write. In its simplest form it looks like:

    var mailto = 'm' + 'e@e' + 'xampl' + 'e.com';
    document.write('<a href="mailto:'+mailto+'">'+mailto+'</a>');

    It's easy to make it much harder, of course, and most (all?) spam harvesters don't interpret Javascript.

  • Before I decided to just remove all e-mail addresses from my sites, I used to just generate a random e-mail address for my contact page.

    It would say on the page that it's a temp address so not to add it to your address book or anything and that it would expire within 72 hours.

    When the address expired, a new one would be created and that old one would stay active for an additional 24 hours and then it would be deleted.

    This seemed to work well except for the occasional spams that were sent as soon as the emai
  • Use Javascript (Score:4, Interesting)

    by 93 Escort Wagon (326346) on Sunday November 12, 2006 @07:59PM (#16818240)
    A lot of these suggestions are fine for personal sites; but if you're actually in business they aren't practical.

    We use Javascript. You don't want to make life more difficult for the person trying to correspond - the point is to raise the cost to the spammer. If they have to add a Javascript parser to their spider, it's going to slow them way down. It's not going to make financial sense for them to do a custom solution for each site (and if they do, the "image" methods will break down as well).

    When someone writes to me and says "reply to joe at gmail dot com" (or whatever), they generally don't get a reply. Why is their time more valuable than mine?
    • Re: (Score:3, Interesting)

      by jpetts (208163)
      I use JavaScript too. Something like:

      <script type="text/javascript">
      <!--
      var foo = '&#109;';
      var trund = '&#97;';
      var bar = '&#105;';
      var droob ='&#108;';
      var quux = '&#116;';
      var bleen = '&#111;';
      var guy = '&#119;&#101;&#98;&#109;&#97;&#115;&#116;&#101;&#114;';
      var place = '&#102;&#111;&#111;&#98;&#97;

  • by sirgoran (221190) on Sunday November 12, 2006 @08:15PM (#16818348) Homepage Journal
    They use "sender verify" on the mail server.

    When the mail server gets an incoming email, it sends a request back to the "sending" email server listed in the headers. Since most spam is sent with falsified headers, the reply from the "sending" email server will respond that no mail was sent. Then my host mail server simply dev/nulls the spam. In the case of real mail, the sending server responds that it did indeed send the mail and my host then delivers it.

    The only troubles I've run into are servers that don't support "sender verify". If the email doesn't get a verification message, it's returned to the sender. Oddly enough, of the servers I've found that don't support "sender verify" they have been IIS servers. While there are still other IIS servers that do support it, I find it interesting that most of the servers not running IIS seem to have this feature turned on.

    The nice thing about it is 90% of the spam never reaches a mailbox, and the filters from Spam Assassin catch the rest. This also removes the image only spam.

    -Goran
  • by Renesis (646465) on Monday November 13, 2006 @10:21AM (#16823668)
    Have your code produce a unique contact e-mail address on the page for each visitor, so for instance:
    support-312321@example.com

    Then set up a catch all on the first part of the address.

    If you get any spam, just block out that one receiving address.
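
The per-visitor address scheme from the comment above, as an added Node.js example that is not part of any comment in this thread. It goes one step beyond the comment by signing each address with an HMAC (an assumption of this sketch), so the catch-all can tell addresses the site really issued from guessed ones; the key, prefix, domain and sample values are constructed.

```javascript
// Added example: issue a unique, verifiable contact address per page view,
// then classify incoming recipients on the catch-all mailbox.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-key-do-not-reuse'; // assumed server-side key
const PREFIX = 'support';
const DOMAIN = 'example.com';

// Truncated HMAC over the issue time and nonce; 10 hex chars keeps the
// local-part short while making blind guessing impractical.
function tagMac(ts36, nonce) {
  return crypto
    .createHmac('sha256', SECRET)
    .update(`${PREFIX}-${ts36}-${nonce}`)
    .digest('hex')
    .slice(0, 10);
}

// Called while rendering the contact page. Logging the returned address next
// to the request (IP, user agent) shows later which crawl harvested it.
function issueAddress(nowMs = Date.now(), nonce = crypto.randomBytes(4).toString('hex')) {
  const ts36 = Math.floor(nowMs / 1000).toString(36);
  return `${PREFIX}-${ts36}-${nonce}-${tagMac(ts36, nonce)}@${DOMAIN}`;
}

// Called by the catch-all handler for each RCPT address.
// blocked is a Set of local-parts that have already received spam.
function classifyRecipient(rcpt, blocked) {
  const addr = rcpt.trim().toLowerCase();
  const at = addr.lastIndexOf('@');
  if (at < 0 || addr.slice(at + 1) !== DOMAIN) return { verdict: 'untagged' };

  const local = addr.slice(0, at);
  const parts = local.split('-');
  if (
    parts.length !== 4 ||
    parts[0] !== PREFIX ||
    !/^[0-9a-z]+$/.test(parts[1]) ||
    !/^[0-9a-f]{8}$/.test(parts[2]) ||
    !/^[0-9a-f]{10}$/.test(parts[3])
  ) {
    return { verdict: 'untagged' }; // not one of our generated addresses
  }

  const [, ts36, nonce, mac] = parts;
  const expected = tagMac(ts36, nonce);
  // Both strings are exactly 10 ASCII chars, so the buffers have equal length.
  if (!crypto.timingSafeEqual(Buffer.from(mac), Buffer.from(expected))) {
    return { verdict: 'forged' }; // right shape, but we never issued it
  }

  const issuedAtMs = parseInt(ts36, 36) * 1000;
  if (blocked.has(local)) return { verdict: 'blocked', issuedAtMs };
  return { verdict: 'deliver', issuedAtMs };
}

// Constructed walk-through: issue, deliver, then block after spam arrives.
function demo() {
  const blocked = new Set();
  const issuedMs = Date.UTC(2006, 10, 13, 10, 21, 0); // constructed timestamp
  const addr = issueAddress(issuedMs, 'a1b2c3d4');
  const first = classifyRecipient(addr, blocked);

  blocked.add(addr.slice(0, addr.lastIndexOf('@'))); // spam seen on this address
  const afterBlock = classifyRecipient(addr, blocked);

  // Flip the last MAC character to simulate a guessed address.
  const atPos = addr.lastIndexOf('@');
  const lastCh = addr[atPos - 1] === '0' ? '1' : '0';
  const guessed = addr.slice(0, atPos - 1) + lastCh + addr.slice(atPos);

  return {
    addr,
    issuedMs,
    first,
    afterBlock,
    guessed: classifyRecipient(guessed, new Set()),
    plain: classifyRecipient('support-312321@example.com', new Set()),
  };
}

console.log(demo());
```

Blocking one address affects only the visitor or crawler that was shown it; everyone else's address keeps working.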
