Best Method For Foiling Email Harvesters?

pjp6259 writes "One of the common ways that spammers generate email mailing lists is by harvesting email addressess from websites. But in many cases you also need to make it easy for your customers to reach you. I have found three common solutions to this problem: 1.) Use an image to replace your email address. 2.) Use ascii encodings for some/all of the characters. 3.) Use javascript to concatenate and/or obfuscate your email address. Which of these methods are most effective? Are email harvesters able to interpret javascript? What do you use?"

You can't have your cake an eat it too ...

[un1xl0ser]

If you make it hard for 'bad guys', you make it hard for your customers/friends too. Some people like having mail-to links, and you won't be able to do that easily with an image.

If you have a form to submit to on-line, tag it and let it go to the head of the class.

Re:Make people think to figure out your e-mail

[leonmergen]

Really, if all you want is your customers or prospects be able to reach you through a website, got yourself a contact form.. No way for a harvester to get your email address that way, and people usually don't mind filling in a contact form.. if you obligate your customers to "think" as you suggest, you're risking losing potential custemrs which is simply not worth it. Besides, it makes you look very unprofessional.

Simply put the address in clear text

[Colin Smith]

With a mailto URL and deal with the resulting spam at the mail level, the cost of doing so is less than the cost of alienating potential customers.

However, on a personal site, images.

 

Publish your email address.

[gvc]

gvcormac@uwaterloo.ca -- Bring it on!

Seriously, if we cower in fear, the spammers win. Obfuscating, Turing tests, whatever show fear.

Re:Make people think to figure out your e-mail

[nine-times]

The problem with doing either of those things is that they could be hard to read and/or confusing. If you're dealing with customers, you don't want them to get confused, fed up, and not buy your product/services.

Personally, I think the only way to handle it is to keep everyone's personal e-mail address off of the web page, and use generalized e-mail address like "sales@your-domain.com", "contact@your-domain.com", or "support@your-domain.com". Have it be someone's job to review incoming e-mail to these addresses, understanding that the vast majority of incoming mail might be spam. Of course, you could add some sort of obfuscation to these addresses, but what's the point-- like spammers couldn't just guess "contact@your-domain.com"?

Re:Make people think to figure out your e-mail

[Ucklak]

You should have a hidden field with no value and make sure it returns no value.
Bots tend to populate all form fields.

That would be the easiest step.
You could go a step further by having a text field that is hidden by a style="display: none;" and make sure that is empty as well.

Re:Form

[eighty4]

Now, get yourself a good spam filter because no matter what you do... you will be assimilated.

This is totally it. In many ways, no matter what you do, you're only delaying the inevitable. If the spammers don't get it from your site, they'll get it from somewhere else sooner or later.

Re:I take a modified approach to the 'image' metho

[Compholio]

As well, I threw a BR tag or two before that particular line, and put the email address towards the start of the sentence, to avoid the problem of half of it appearing on a second line.

You could put the images inside a table, for that matter you could just put a single character of your email address in each table cell and set the table to be border-less (and have no padding or spacing).

Re:Make people think to figure out your e-mail

[Compuser]

Two distinctions:

1. The forms usually ask for your name, address, and other stuff.
I have never seen an admin restrict themselves to just asking for your email.
It's very typically set up along the lines of: tell us about yourself and we will
respond.

2. Your submission does not get copied to your "sent" folder so you forget you ever
communicated with the company. I like to keep a record.

Re:Make people think to figure out your e-mail

[MightyYar]

As someone pointed out in that topic, make sure you don't make it impossible to use with a screen reader... blind people aren't necessarily spammers! :)

How my Host does it

[sirgoran]

They use "sender verify" on the mail server.

When the mail server gets an incoming email, it sends a request back to the "sending" email server listed in the headers. Since most spam is sent with falsified headers, the reply from the "sending" email server will respond that no mail was sent. Then my host mail server simply dev/nulls the spam. In the case of real mail, the sending server responds that it did indeed send the mail and my host then delivers it.

The only troubles I've run into are servers that don't support "sender verify". If the email doesn't get a verification message, its returned to the sender. Oddly enough, of the servers I've found that don't support "sender verify" they have been IIS servers. While there are still other IIS servers that do support it, I find it interesting that most of the servers not running IIS seem to have this feature turned on.

The nice thing about it is 90% of the spam never reaches a mailbox, and the filters from Spam Assassin catch the rest. This also removes the image only spam.

-Goran

Re:Make people think to figure out your e-mail

[Random Destruction]

sounds like a form ready to be abused by spambots. I'd assume this is the reason you rarely see 'send me a copy' checkboxes.

Re:Make people think to figure out your e-mail

[secolactico]

Problem with captchas is the accessibility issue. People using screen readers and the like (visually impaired) won't be able to contact you using the form.

Re:Make people think to figure out your e-mail

[m-wielgo]

They have. It is very simple for them to distinguish the two apart, even if you put spaces in between or obfuscate it in some way that still has [at], [ a t ], or whatever... Just look at how many ways they spell Viagra, you think they couldn't do the same with at or dot?? To think otherwise would be naive.

Re:Publish your email address.

[wayne]

Seriously, if we cower in fear, the spammers win.

Indeed. I have noticed that almost everyone who is involved with stopping spam does not munge or hide their email addresses. Julian Haight is the only person that I can think off of-hand that does not publish his email address.

I've been publishing my email address since the late 80s, I'm not going to start hiding it now.

Re:Make people think to figure out your e-mail

[DeadChobi]

Thanks. The Do Not Call registry is another way to get around this problem too. Asking to be removed from a telemarketer's list reduces the number of calls as well. It's just aggravating when it's a machine, because you can't even cut them off or tell them that you'd like to be removed. You have to listen to the whole message before you can get to information on unsubscribing. It's a good method of reducing the number of people interested in your product.

I was mostly ranting, and I hope the guy I attached it to understood who "you" was.

Javascript is evil and often broken

[billstewart]

Perhaps I don't want to send mail to companies who have broken only-tested-on-IE-on-WindowsXP preferences anyway...

Re:Make people think to figure out your e-mail

[m-wielgo]

confuse bots, and confuse the hell out of people at the same time. I seriously have no idea what address that is supposed to be.

Re:Another method..

[Anonymous Coward]

Yeah! If you can't trust the Russian Mafia, who can tou trust?

Re:Make people think to figure out your e-mail

[Meostro]

This is like the classic story/problem:

You and Bob are being chased by a cheetah that can run 70mph.
How fast do you have to run not to be eaten?

Wrong answer: 71mph
Correct answer: Anything faster than Bob.

The same thing applies to harvesters, spam, and other pesky problems. You only have to make it so that your site is more of a PITA to abuse than someone else's site. CAPTCHAs and the like only succeed because it's easier to find another unprotected site than it is to read the CAPTCHA. It's not impossible - some OCR programs have 90%-ish recognition on common CAPTCHAs - it's just more difficult than typing "contact us" into Google to find someone else with a more spam-friendly page.

The same goes for JavaScript protection, image links, tarpits, grey listing and anything else that you put in as a roadblock - it only has to make your site inconvenient to abuse, not 100% perfectly resistant.