Best Method For Foiling Email Harvesters?
pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addresses from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ASCII encodings for some/all of the characters. 3.) Use JavaScript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret JavaScript? What do you use?"
You can't have your cake and eat it too ... (Score:5, Insightful)
If you have a form to submit to on-line, tag it and let it go to the head of the class.
Re:Make people think to figure out your e-mail (Score:5, Insightful)
Really, if all you want is for your customers or prospects to be able to reach you through a website, get yourself a contact form. No way for a harvester to get your email address that way, and people usually don't mind filling in a contact form. If you obligate your customers to "think" as you suggest, you're risking losing potential customers, which is simply not worth it. Besides, it makes you look very unprofessional.
Simply put the address in clear text (Score:5, Insightful)
However, on a personal site, images.
Publish your email address. (Score:4, Insightful)
Seriously, if we cower in fear, the spammers win. Obfuscating, Turing tests, whatever show fear.
Re:Make people think to figure out your e-mail (Score:3, Insightful)
The problem with doing either of those things is that they could be hard to read and/or confusing. If you're dealing with customers, you don't want them to get confused, fed up, and not buy your product/services.
Personally, I think the only way to handle it is to keep everyone's personal e-mail address off of the web page, and use generalized e-mail addresses like "sales@your-domain.com", "contact@your-domain.com", or "support@your-domain.com". Have it be someone's job to review incoming e-mail to these addresses, understanding that the vast majority of incoming mail might be spam. Of course, you could add some sort of obfuscation to these addresses, but what's the point-- like spammers couldn't just guess "contact@your-domain.com"?
Re:Make people think to figure out your e-mail (Score:5, Insightful)
Bots tend to populate all form fields.
That would be the easiest step.
You could go a step further by having a text field that is hidden by a style="display: none;" and make sure that is empty as well.
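An added example, not part of the comment above: a server-side check for the hidden-field trap it describes. The field names, the `/contact` action and the sample POST bodies are assumptions made up for illustration.

```python
from urllib.parse import parse_qs

# Hypothetical field names (assumptions for this example, not from the thread).
HONEYPOT_FIELD = "website"   # rendered with style="display: none;", so no human sees it
REQUIRED_FIELDS = ("name", "email", "message")

CONTACT_FORM = """<form method="post" action="/contact">
  <input type="text" name="name">
  <input type="text" name="email">
  <textarea name="message"></textarea>
  <input type="text" name="website" style="display: none;"
         tabindex="-1" autocomplete="off">
  <input type="submit" value="Send">
</form>"""


def classify_submission(body: str) -> str:
    """Return 'accept', 'reject-bot' or 'reject-incomplete' for a urlencoded POST body."""
    # keep_blank_values=True so an empty trap field shows up as present-but-empty.
    fields = parse_qs(body, keep_blank_values=True)
    trap_values = fields.get(HONEYPOT_FIELD, [])
    # Any text in the trap means something filled a field that is never displayed.
    if any(v.strip() for v in trap_values):
        return "reject-bot"
    # A browser submits the hidden input exactly once, empty. If it is missing
    # or repeated, the POST was not built from the rendered form.
    if len(trap_values) != 1:
        return "reject-bot"
    for name in REQUIRED_FIELDS:
        values = fields.get(name, [])
        if len(values) != 1 or not values[0].strip():
            return "reject-incomplete"
    return "accept"


# Constructed sample POST bodies (not real traffic).
HUMAN = "name=Ann&email=ann%40example.com&message=Hello&website="
BOT = "name=x&email=x%40example.com&message=buy+now&website=http%3A%2F%2Fexample.com"
SCRIPTED = "name=x&email=x%40example.com&message=buy+now"  # trap field never sent

if __name__ == "__main__":
    for label, body in (("human", HUMAN), ("bot", BOT), ("scripted", SCRIPTED)):
        print(label, classify_submission(body))
```

Browser autofill can populate hidden inputs, so log rejected submissions for review during rollout rather than discarding them silently.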
Re:Form (Score:2, Insightful)
This is totally it. In many ways, no matter what you do, you're only delaying the inevitable. If the spammers don't get it from your site, they'll get it from somewhere else sooner or later.
Re:I take a modified approach to the 'image' metho (Score:3, Insightful)
Re:Make people think to figure out your e-mail (Score:4, Insightful)
1. The forms usually ask for your name, address, and other stuff. I have never seen an admin restrict themselves to just asking for your email. It's very typically set up along the lines of: tell us about yourself and we will respond.
2. Your submission does not get copied to your "sent" folder so you forget you ever communicated with the company. I like to keep a record.
Re:Make people think to figure out your e-mail (Score:4, Insightful)
How my Host does it (Score:4, Insightful)
When the mail server gets an incoming email, it sends a request back to the "sending" email server listed in the headers. Since most spam is sent with falsified headers, the reply from the "sending" email server will respond that no mail was sent. Then my host mail server simply dev/nulls the spam. In the case of real mail, the sending server responds that it did indeed send the mail and my host then delivers it.
The only troubles I've run into are servers that don't support "sender verify". If the email doesn't get a verification message, it's returned to the sender. Oddly enough, of the servers I've found that don't support "sender verify" they have been IIS servers. While there are still other IIS servers that do support it, I find it interesting that most of the servers not running IIS seem to have this feature turned on.
The nice thing about it is 90% of the spam never reaches a mailbox, and the filters from Spam Assassin catch the rest. This also removes the image only spam.
-Goran
Re:Make people think to figure out your e-mail (Score:3, Insightful)
Re:Make people think to figure out your e-mail (Score:4, Insightful)
Re:Make people think to figure out your e-mail (Score:2, Insightful)
Re:Publish your email address. (Score:4, Insightful)
Indeed. I have noticed that almost everyone who is involved with stopping spam does not munge or hide their email addresses. Julian Haight is the only person that I can think of off-hand that does not publish his email address.
I've been publishing my email address since the late 80s, I'm not going to start hiding it now.
Re:Make people think to figure out your e-mail (Score:2, Insightful)
I was mostly ranting, and I hope the guy I attached it to understood who "you" was.
Javascript is evil and often broken (Score:3, Insightful)
Re:Make people think to figure out your e-mail (Score:3, Insightful)
Re:Another method.. (Score:1, Insightful)
Re:Make people think to figure out your e-mail (Score:3, Insightful)
You and Bob are being chased by a cheetah that can run 70mph.
How fast do you have to run not to be eaten?
Wrong answer: 71mph
Correct answer: Anything faster than Bob.
The same thing applies to harvesters, spam, and other pesky problems. You only have to make it so that your site is more of a PITA to abuse than someone else's site. CAPTCHAs and the like only succeed because it's easier to find another unprotected site than it is to read the CAPTCHA. It's not impossible - some OCR programs have 90%-ish recognition on common CAPTCHAs - it's just more difficult than typing "contact us" into Google to find someone else with a more spam-friendly page.
The same goes for JavaScript protection, image links, tarpits, grey listing and anything else that you put in as a roadblock - it only has to make your site inconvenient to abuse, not 100% perfectly resistant.