Preventing Spam: Bulletproof Solutions
Spam is probably one of the most difficult problems we have to deal with. E-mail filters, such as those used in GMail, provide accurate results, but not every company is willing to use external services for its private mail. The problem arises when web developers have to display e-mail addresses on a web page.
How can you make sure that not a single spam mail finds its way to the inbox of your client? Or, in more concrete terms: how should you display e-mail addresses on a web page in order to minimize spam attacks? Let’s take a look at some modern and bulletproof solutions and techniques which will help you to prevent spam in your mailbox or the mailbox used by your clients.
Links checked: May/30 2008.
Avoid stereotypes
Sometimes web-developers rewrite the original e-mail address so that spam-bots can’t recognize it. This method might solve the problem, but spam-bots might catch on to this sooner or later. Besides, many users might have problems decoding it – unless you provide some instructions on how to decode the text. The most popular approaches are:
- Replace dots with “d-o-t” and “@” with [at], and insert as many spaces as possible.
  Example: e-mail@office.com -> e-mail [at] office [d-o-t] com
- Insert some characters before and after the “@”-symbol.
  Example: e-mail@office.com -> e-mail {!@!} office.com
- Avoid stereotypes – e-mails like info@domain.com, service@domain.com, admin@domain.com are likely to be spammed anyway.
Replace text with images
Apparently, most spam-bots don’t scan images on the web (yet?), so it seems reasonable to place the text inside of an image without referring to it as an e-mail-address. There are free web-tools which generate images “on the fly”, so the only thing you have to do is to place them on web-pages.
- E-Mail Icon Generator for GMail, Hotmail, MSN, Yahoo!, AOL and many more.
- Signature Generator does basically the same as E-Mail-Icon Generator.
- Mask Email Image Generator will create a JPG image of your email address. Use it in place of text to fool those evil spiders that seek out email addresses for purposes of sending junk email.
- Safe Mail creates your own email image in three steps.
Replace text with ASCII and Javascript-coded text
Another popular approach is to represent e-mail-addresses as ASCII code or Javascript-coded text. Users don’t see any difference in the way the e-mail address is presented, but spam-bots won’t find the address by analyzing the source code – well, not yet. Some web-tools to convert e-mail links to ASCII code:
- Online Email Protector: to use, simply type your email address below and then click in either of the textboxes. You can use the simple link code, or the more complicated Javascript link.
- Spam-me-not E-mail Link Obfuscator: you can choose between different encoding modes: decimal notation will encode every character in decimal ASCII code, hexadecimal notation will encode every character in hexadecimal notation, random-mixed notation mixes encoding characters randomly, this is the default and recommended choice.
- Email Riddler is an online tool that encrypts and transforms your email address into a series of numbers when displaying it, making it virtually impossible for spam harvesters to crawl and add your email to their list.
- Advanced Email Link Generator with Anti-Spam Encoder: this tool will generate mailto: links you can copy and paste into your web pages and emails. The Anti-Spam Encoder is an encoding scheme designed to cloak email addresses from spammer’s email harvesting robots, yet be visible and readable for your site visitors.
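The decimal, hexadecimal and random-mixed encodings described above can be reproduced in a few lines. This is an added example, not code from the article or from any of the listed tools; the function names are hypothetical. It also includes the decoding step that every browser applies, which shows how thin this layer of protection is.

```javascript
// Added example: HTML character-reference obfuscation of a mailto link.
// mode is "decimal", "hex" or "mixed" (random choice per character).
function encodeEntities(text, mode = "mixed", rand = Math.random) {
  let out = "";
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    const useHex = mode === "hex" || (mode === "mixed" && rand() < 0.5);
    out += useHex ? `&#x${cp.toString(16)};` : `&#${cp};`;
  }
  return out;
}

// Encode both the href and the visible label so that the plain address
// never appears in the page source.
function obfuscatedMailto(address, mode = "mixed", rand = Math.random) {
  const href = encodeEntities("mailto:" + address, mode, rand);
  const label = encodeEntities(address, mode, rand);
  return `<a href="${href}">${label}</a>`;
}

// The decoding step a browser (or any HTML-aware parser) performs.
// Used here to verify that visitors still see the original address.
function decodeEntities(html) {
  return html.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, ref) =>
    String.fromCodePoint(
      ref[0].toLowerCase() === "x"
        ? parseInt(ref.slice(1), 16)
        : parseInt(ref, 10)
    )
  );
}

// Sample address taken from the article's own examples.
const SAMPLE = "e-mail@office.com";
const link = obfuscatedMailto(SAMPLE);
console.log(link);                 // no "@" or "mailto:" in the markup
console.log(decodeEntities(link)); // what the visitor's browser renders
```

Because decoding is a single standard step, this encoding only stops harvesters that match raw page source with a pattern and never parse HTML.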
Bulletproof Solution
A simple solution I’ve been using for my recent project turned out to be the most effective I ever had. The most important rule for avoiding spam is never to mention your address anywhere on the Web. So what I suggested was to create two e-mail accounts: one for business contacts, used only for communication with partners and serious clients, and a second one, which is encoded and published on the Web for any other purposes.
Once a potential client has written to the e-mail address mentioned on the Web, the company continues the communication via the first, “business” e-mail. Brief questions or small remarks, on the other hand, are answered via the “open” e-mail published online. Once the “open” e-mail ends up in spam databases and the company starts to get junk mail, it is replaced by a new one.
This way your primary business contacts will always stay in touch with you via your business account and you reduce the amount of received spam to 0%.
Using GMail spam-filters externally
Another useful technique to minimize the amount of spam ending up in your inbox is to pass it through GMail’s filters. Unfortunately, GMail doesn’t have a function which would enable users to use Google’s filter directly. However, you can forward all mail arriving in your mailbox to your GMail account, and set your GMail account to forward the filtered messages to your private “clean” e-mail account. The results aren’t always accurate, but you’ll see the difference immediately.
Further articles
- 99 Email Security and Productivity Tips: the 99 tips in this article make up the best in email practices. From how to ethically use the ‘BCC:’ to what attachments will make your mobile emailing compatible with everyone else’s, this list covers everything you need to know about emailing.


SD
December 14th, 2006 6:03 pm
Great Resources.
In the CMS I’ve built all the e-mail addresses which will be shown on the web are converted automatically to small clickable objects.
And those who don’t have flash. Well they see an automatically generated gif image. But it’s not clickable, maybe with the resources you’ve given me, I’ll also make them clickable. If I find the time.
Carlos Eduardo
December 14th, 2006 7:22 pm
Nice tips!
Until now, I thought that “email[at]something[dot]com” was only a different way to display email address, but now I know that it helps to prevent spams…
Thank you for help :)
Harmen Janssen
December 14th, 2006 8:54 pm
Nice resources, thank you very much!
Personally I think converting the address to ASCII code is the best way to obfuscate an email address. That way the address stays accessible to a wider public (say, users with Javascript disabled, users using screen readers, etc.)
Erick Wilder
December 14th, 2006 10:55 pm
I think that showing the “@” character with its name in your own language is nice too. Or simply writing the email with spaces along:
someemail [at ]domain [dot] com
I use this in my projects, with my language (Brazilian Portuguese) it looks like:
someemail [arroba] domain [ponto] com
Nice article!!
bryan
December 15th, 2006 2:32 am
It’s funny but without knowing the language, “arroba” and “ponto” in that context still keeps the suggestion that that’s an email for me. I would doubt the majority of users would be able to put two and two together though.
zoel
December 15th, 2006 11:03 am
alternative : e-mail@office.com -> e-mail |at| office |d-o-t| com :-)
Patrick Robin
December 15th, 2006 7:22 pm
Obfuscating your email address is all well but it doesn’t really help with the accessibility of your site. In the footer of this site you have an email link with an obfuscated address, if I hadn’t just read your article on that very subject then I doubt I’d actually have looked at the email address I was sending my email to.
Personally I think that you should be making it as easy as possible for your users to contact you with valid email links, contact forms etc and then deal with the spam either on your server or your mail client. Half the time it’s hard enough finding someone’s email address on a website, then I have to figure out how to decode it just so that they don’t get any spam?
Jason Friesen
December 16th, 2006 12:27 am
I like hiveware enkoder combined with a element for screen readers and the like. The just has a link to our contact form. For an example, see http://selkirk.ca/discover/staff/detail/index.asp?StaffID=524
The ‘email’ link for a staff member takes people to the contact form; the hiveware enkoder is to the generic account — see the footer at the bottom of the page. Seems to work well for us…
Jason Friesen
December 16th, 2006 12:29 am
Sorry, that should have been “combined with a [ noscript ] element… the noscript element has a link…”
henry
December 18th, 2006 10:46 am
Well, for me I use the simple method of having two email addresses – one for official stuff and one open address for the world at large (spammers included :P)
Jon Sagara
December 20th, 2006 1:01 am
I use a custom, one-off JavaScript function that I change up a little each time I use it. It’s not foolproof, but it seems to be working so far.
Doug Karr
December 20th, 2006 1:08 am
I put up a contact form with a challenge question.
diego
December 20th, 2006 5:15 am
All of you have mentioned.
I use Gmail as home e-mail and another e-mail (my business e-mail) to communicate to my customer.
But I also use “10 minute mail” when I need an e-mail to register on web site.
(sorry for my English)
SpamSpan
December 20th, 2006 6:49 am
Here is another unobtrusive anti-spam solution for accessible email obfuscation: SpamSpan
Ranjit
December 27th, 2010 3:28 am
It’s interesting.. Thanks for sharing
Steve
December 20th, 2006 7:16 am
I have been using the gmail solution for a while now and the results are staggering.
I have all email forward to gmail then back to a clean mailbox. I leave them on gmail so I can get them remotely if I want and also to keep count.
In 6 weeks, with 2000 or so emails forwarded over 20,000 spam were filtered!!!!
Gmail isn’t too aggressive on spam so the best thing to do is use spambayes (http://spambayes.sourceforge.net) with your mail client.
I see maybe one or two spam a day and spambayes has even learned to filter out those penny stock image emails that appeared recently.
Aaron
December 20th, 2006 10:22 am
Rather than treating *some* of the inputs to spam in your inbox – which is ineffective, does not prevent brute force mass mailing, or forwards that get circulated – why not consider something more sensible like Tagged Messaging : http://www.tmda.net which assumes all email is spam and allows you to permit and monitor email inputs flexibly. I’ve been using this on our mail system at work for 3 years and enjoy 0 spam inputs.
Luke S
December 20th, 2006 11:05 pm
An interesting article, and I can agree that these techniques would be effective at preventing spiders from capturing email addresses, but from what I have been told, and what I have seen, a lot of spammers are now simply using sequential string generators to send out emails (ie systems which try “AAA@server.com”, “AAB@server.com”, “AAC@server.com”, etc.).
As such, whilst these techniques may have been essential to reduce spam exposure maybe 5 years ago, now, you will still get hit with spam regardless.
You are far better off focusing your energy on an effective spam filter in your email client/server (like that included in Thunderbird) than these techniques.
But, that’s just my opinion.
Tristan Laurillard
December 20th, 2006 11:49 pm
Combine some of these:
– method 1 –
Not one or two e-mail addresses.
No, thousands.
Such as on this very site (smashingmagazine.com)
I would have signed off with
smashingmagazine@myowndomain.com
I announce this method should be named:
” ad-hoc e-mail addressing ”.
All e-mails, except the ones sent
to myrealaddress@myowndomain.com, will then
end up in spam@myowndomain.com
And I go there once a week or so to
quickly browse through them to see
if anything important has arrived,
besides spunk- and jam-mail.
When the address is never published,
as is the case on this page,
but I do suddenly receive FREE PENIS ENLARGEMENT,
I know who has been selling my e-mail address.
– method 2 –
Auto-reply with:
” This address is actually fake. Please re-submit to myrealaddress@myowndomain.com ”
– method 3 –
Auto-reply with:
” Please visit myowndomain.com/whitelist/ to add your e-mail address to my whitelist. ”
– regarding method 4 –
The trick to use alternative punctuation, such as peter[at]home[dot]com, or any other clever form:
f o r g e t i t .
I am not even a super programmer,
and I could easily still data-mine
very very many of those.
Angus McIntyre
December 21st, 2006 2:17 am
Eventually, some spammer will add one of the available open-source Javascript engines to their crawler and then Javascript obfuscation will offer less protection.
The public/private address solution is one that I currently recommend, but your private address can still be exposed if one of your correspondents allows a virus to infect their machine; I’ve seen confidential ‘never-posted-anywhere’ addresses get spam, apparently because a virus or trojan found them in the browser cache or address book of an infected machine and reported back to its masters.
So I think the title of your otherwise useful article is misleading: all these suggestions are good, but none of them are probably bulletproof.
One other thing that you don’t mention is the possibility of using a mail form rather than displaying your address on a web page. Mailforms have their own disadvantages and they’re not bulletproof either (comment-spamming bots can just as easily spam mailforms), but they’re worth considering.
Mark Crocker
January 2nd, 2007 3:47 am
I’m a big fan of Spamgourmet (http://www.spamgourmet.com). Spamgourmet provides a means of creating throw-away email addresses so that I can limit how many email messages an address I give out can be used for. Even better, when I do get email, I know where it came from, so I know if an email address is being sold or passed around indiscriminately.
So far, I mostly use it for web sites that require a valid email address for registration, but I’ve done some proof-of-concept work towards creating mailto links that have the requester’s IP address and a timestamp encoded in them, so if I get spammed, I’ll be able to not only report the origin of the message, but of the spam harvester. Typically, spammers only send bulk email from temporary accounts that they expect will be shut down soon after they start spamming from them, so reporting a spam message to abuse@yourisp.net isn’t usually of much help. However, they don’t change their harvesters as often, so being able to report the IP of the harvester might actually be helpful.
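One way to build the kind of tagged mailto address described in the comment above, as an added example that is not the commenter's code. It assumes a mail server that delivers user+tag@domain to the same mailbox (plus-addressing); MAILBOX, DOMAIN, the function names and the sample IP are constructed values.

```javascript
// Added example: per-request contact address that records which requester
// was served the page, so later spam can be traced back to the harvester.
const MAILBOX = "contact";      // constructed sample mailbox
const DOMAIN = "example.org";   // constructed sample domain

// Pack an IPv4 address into 8 hex characters, rejecting malformed input.
function ipv4ToHex(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts
    .map((p) => {
      if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
        throw new Error("bad octet: " + p);
      }
      return Number(p).toString(16).padStart(2, "0");
    })
    .join("");
}

// Address shown to one requester: contact+<iphex>-<base36 time>@domain
function taggedAddress(requesterIp, unixSeconds) {
  const tag = ipv4ToHex(requesterIp) + "-" + unixSeconds.toString(36);
  return `${MAILBOX}+${tag}@${DOMAIN}`;
}

function taggedMailtoLink(requesterIp, unixSeconds) {
  const addr = taggedAddress(requesterIp, unixSeconds);
  return `<a href="mailto:${addr}">e-mail us</a>`;
}

// Applied to the recipient address of an incoming spam message:
// recovers who fetched the page and when. Returns null for untagged mail.
function decodeTaggedAddress(address) {
  const m = /^[^+@]+\+([0-9a-f]{8})-([0-9a-z]+)@/i.exec(address);
  if (!m) return null;
  const ip = m[1].match(/../g).map((h) => parseInt(h, 16)).join(".");
  const servedAt = new Date(parseInt(m[2], 36) * 1000).toISOString();
  return { harvesterIp: ip, servedAt };
}

// Constructed sample: page served to 203.0.113.7 on 1 January 2007 (UTC).
console.log(decodeTaggedAddress(taggedAddress("203.0.113.7", 1167609600)));
```

The tag is not authenticated, so a sender can forge one; appending a keyed MAC over the tag would let the receiving side reject forged values.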
Jack Yan
January 6th, 2007 7:15 am
One technique, which came about by accident, is having addresses that purposely get harvested. I found that a lot of spammers spoof headers to show the emails are from one of those fake addresses, or will cc one of the harvested addresses as well as your own (or it will be in the to field). While this doesn’t prevent spam, you can easily program filters to block out any that contain the harvested addresses.
I learned this the hard way by having addresses that did get harvested back in the early days of the web. I had to retain my personal one, but cancelled a lot of the others. Now, whenever a spam comes in with one of the old addresses in the cc or to fields, it’ll get filtered.
The other trick, if you have been harvested, is to include various words in the filters: ever noticed how spammers are usually the first to say ‘not spam’?
By having a combination of these, I manage to knock out around 60 to 70 per cent of my spams, with a tiny handful of false positives.
I must say that the latest McAfee SpamKiller is far better than the old clunker it used to retail though, and this has been rather effective.
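The decoy-address filter described in the comment above can be sketched as follows. This is an added example, not the commenter's filter; DECOYS, SAMPLE_SPAM and the function names are constructed for illustration. It checks the From, To and Cc header fields only and handles folded (multi-line) headers.

```javascript
// Added example: flag mail whose From/To/Cc headers mention a decoy address.
// DECOYS holds retired addresses that are known to have been harvested.
const DECOYS = new Set(["old-sales@example.org", "webmaster-1999@example.org"]);

// Undo RFC 5322 header folding and return one string per header field.
function unfoldHeaders(rawMessage) {
  const head = rawMessage.split(/\r?\n\r?\n/)[0]; // headers end at first blank line
  return head.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/);
}

// Pull every address-like token out of a header value, lower-cased.
function extractAddresses(headerValue) {
  const found =
    headerValue.match(/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi) || [];
  return found.map((a) => a.toLowerCase());
}

// Returns entries such as "cc:old-sales@example.org"; empty means no hit.
function decoyHits(rawMessage) {
  const hits = [];
  for (const line of unfoldHeaders(rawMessage)) {
    const m = /^(from|to|cc):(.*)$/i.exec(line);
    if (!m) continue;
    for (const addr of extractAddresses(m[2])) {
      if (DECOYS.has(addr)) hits.push(`${m[1].toLowerCase()}:${addr}`);
    }
  }
  return hits;
}

// Constructed sample message: spoofed From plus a decoy on a folded Cc line.
const SAMPLE_SPAM = [
  'From: "Deals" <Old-Sales@example.org>',
  "To: jack@example.org",
  "Cc: someone@example.net,",
  "\twebmaster-1999@example.org",
  "Subject: this is not spam",
  "",
  "body text",
].join("\r\n");

console.log(decoyHits(SAMPLE_SPAM));
```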
Spam Links webmaster
January 13th, 2007 7:23 pm
That’s a couple of new links to me – useful post. I have a big list of anti-harvesting methods at Spam Links, up at , and more general ways to deal with spambots at .
Spam Links webmaster
January 13th, 2007 7:26 pm
I messed the links up in my last post…
They were:
http://spamlinks.net/prevent-spambots-hiding.htm
http://spamlinks.net/prevent-spambots.htm
Hope they help.
perry
May 25th, 2008 11:40 am
Spam bots are using my ordering form to send me crap, but the thing is that it isn’t filling out all the boxes. All the boxes have to be filled before it can be sent, so how in the heck are they bypassing them???
Thanks.
Perry