Preventing Spam: Bulletproof Solutions


Spam is probably one of the most difficult problems we have to deal with. E-mail filters, such as those used in GMail1, provide accurate results, but not every company is willing to route its private mail through an external service. The problem arises when web developers have to display e-mail addresses on a web page.

How can you make sure that not a single spam mail finds its way into the inbox of your client? Or, in more concrete terms: how should you display e-mail addresses on a web page in order to minimize spam attacks? Let’s take a look at some modern and bulletproof solutions and techniques which will help you to prevent spam in your mailbox or in the mailboxes used by your clients.
Links checked: May/30 2008.

Avoid stereotypes

Sometimes web developers rewrite the original e-mail address so that spam bots can’t recognize it. This method might solve the problem, but spam bots might catch on to it sooner or later. Besides, many users might have problems decoding it, unless you provide some instructions on how to decode the text. The most popular approaches are:

  • Replace dots with “d-o-t” and “@” with [at], and add as many spaces as possible.
    Example:
    e-mail@office.com -> e-mail [at] office [d-o-t] com
  • Insert some characters before and after the “@”-symbol.
    Example:
    e-mail@office.com -> e-mail {!@!} office.com.
  • Avoid stereotypes – e-mails like info@domain.com, service@domain.com, admin@domain.com are likely to be spammed anyway.

Replace text with images

Apparently, most spam bots don’t scan images on the web (yet?), so it seems reasonable to place the text inside an image without referring to it as an e-mail address. There are free web tools which generate such images “on the fly”, so the only thing you have to do is to place them on your web pages.

  • E-Mail Icon Generator2 for GMail, Hotmail, MSN, Yahoo!, AOL and many more.
  • Signature Generator3 does basically the same as E-Mail-Icon Generator.
  • Mask Email Image Generator4 will create a JPG image of your email address. Use it in place of text to fool those evil spiders that seek out email addresses for purposes of sending junk email.
  • Safe Mail5 creates your own email image in three steps.

Replace text with ASCII and Javascript-coded text

Another popular approach is to represent e-mail addresses as ASCII character codes or as JavaScript-encoded text. Users don’t see any difference in how the e-mail address is presented, but spam bots won’t find the address by analyzing the source code – well, not yet. Some web tools to convert e-mail links to ASCII code:

  • Online Email Protector6: to use it, simply type your e-mail address into the form and then click in either of the text boxes. You can use the simple link code or the more complicated JavaScript link.
  • Spam-me-not E-mail Link Obfuscator7: you can choose between different encoding modes. Decimal notation encodes every character as a decimal ASCII code, hexadecimal notation encodes every character in hexadecimal notation, and random-mixed notation mixes the two encodings randomly; the last one is the default and the recommended choice.
  • Email Riddler8 is an online tool that encrypts and transforms your e-mail address into a series of numbers when displaying it, making it virtually impossible for spam harvesters to crawl and add your e-mail address to their lists.
  • Advanced Email Link Generator with Anti-Spam Encoder9: this tool will generate mailto: links you can copy and paste into your web pages and e-mails. The Anti-Spam Encoder is an encoding scheme designed to cloak e-mail addresses from spammers’ e-mail-harvesting robots, yet remain visible and readable for your site visitors.
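To show what the “decimal”, “hexadecimal” and “random-mixed” modes of the tools above actually produce, here is an added example (written for this page, not code from any of the listed tools): it encodes an address as HTML numeric character references, builds the mailto: link, and decodes it the way a browser’s HTML parser does. The seeded generator and the function names are assumptions of this example.

```javascript
// Added example: entity-encode an e-mail address for a mailto: link.
// Browsers decode numeric character references before rendering, so a
// visitor sees and clicks a normal address while the page source never
// contains it in plain text.

// Deterministic pseudo-random source so "mixed" mode is reproducible
// (assumption of this example; Math.random() works just as well in practice).
function makeLcg(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 0x100000000;
  };
}

// mode: "dec" -> &#101;   "hex" -> &#x65;   "mixed" -> per-character choice
function encodeEmail(email, mode = "mixed", rand = makeLcg(42)) {
  return Array.from(email).map((ch) => {
    const cp = ch.codePointAt(0);
    const useHex = mode === "hex" || (mode === "mixed" && rand() < 0.5);
    return useHex ? `&#x${cp.toString(16)};` : `&#${cp};`;
  }).join("");
}

// Both the href and the visible text are encoded, so the plain address
// appears nowhere in the markup.
function mailtoLink(email, mode = "mixed") {
  const encoded = encodeEmail(email, mode);
  return `<a href="mailto:${encoded}">${encoded}</a>`;
}

// Reverse the encoding exactly as an HTML parser would. It verifies the
// round trip and illustrates the limit of this technique: a harvester
// that parses entities recovers the address unchanged.
function decodeEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, body) =>
    String.fromCodePoint(body[0].toLowerCase() === "x"
      ? parseInt(body.slice(1), 16)
      : parseInt(body, 10)));
}

console.log(mailtoLink("e-mail@office.com", "dec"));
```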

Bulletproof Solution

A simple solution I’ve been using for my recent project turned out to be the most effective I have ever had. The most important rule for avoiding spam is never to publish the address anywhere on the Web. So what I’ve suggested is to create two e-mail accounts: one for business contacts, which is used only for communication with partners and serious clients, and a second one, which is encoded and published on the Web for all other purposes.

Once a potential client has written to the e-mail address published on the Web, the company continues the communication via the first, “business” e-mail address. Brief questions or small remarks, on the other hand, are answered via the “open” e-mail address published online. Once the “open” address gets included in spam databases and the company starts to receive junk mail, it is replaced by a new one.

This way your primary business contacts will always stay in touch with you via your business account, and you reduce the amount of received spam to 0%.

Using GMail spam-filters externally

Another useful technique to minimize the amount of spam ending up in your inbox is to pass your mail through GMail’s filters. Unfortunately, GMail doesn’t offer a function which would let users use Google’s filter directly. However, you can forward all the mail arriving in your mailbox to your GMail account, and set your GMail account to forward the filtered messages on to your private “clean” e-mail account. The results aren’t always accurate, but you’ll see the difference immediately.

Further articles

  • 99 Email Security and Productivity Tips10: the 99 tips in this article make up the best in e-mail practices. From how to use ‘BCC:’ ethically to which attachments will make your mobile e-mailing compatible with everyone else’s, this list covers everything you need to know about e-mailing.

Footnotes

  1. http://www.gmail.com
  2. http://services.nexodyne.com/email/index.php
  3. http://www.signaturegenerator.net/
  4. http://digitalcolony.com/02/maskemail/inc/genEmailMask.asp
  5. http://safemail.justlikeed.net/
  6. http://www.iconico.com/emailProtector/
  7. http://www.ianr.unl.edu/email/encode/
  8. http://www.dynamicdrive.com/emailriddler/
  9. http://www.willmaster.com/possibilities/demo/aelgwase.html
  10. http://www.itsecurity.com/features/99-email-security-tips-112006/


Vitaly Friedman loves beautiful content and doesn’t like to give in easily. Vitaly is a writer, speaker, author and editor-in-chief of Smashing Magazine. He runs responsive Web design workshops and online workshops, and loves solving complex performance problems in large companies.

Comments

  1. 1

    Great Resources.
    In the CMS I’ve built all the e-mail addresses which will be shown on the web are converted automatically to small clickable objects.

    And those who don’t have Flash? Well, they see an automatically generated GIF image. But it’s not clickable; maybe with the resources you’ve given me I’ll also make them clickable, if I find the time.

    1
  2. 2

    Nice tips!

    Until now, I thought that “email[at]something[dot]com” was only a different way to display email address, but now I know that it helps to prevent spams…

    Thank you for help :)

    1
  3. 3

    Nice resources, thank you very much!
    Personally I think converting the address to ASCII code is the best way to obfuscate an email address. That way the address stays accessible to a wider public (say, users with Javascript disabled, users using screen readers, etc.)

    0
  4. 4

    I think that showing the “@” character with its name in your own language is nice too. or simply writing the email with spaces along:

    someemail [at ]domain [dot] com

    I use this in my projects; with my language (Brazilian Portuguese) it looks like:

    someemail [arroba] domain [ponto] com

    Nice article!!

    -1
  5. 5

    it’s funny but without knowing the language, “arroba” and “ponto” in that context still keeps the suggestion that that’s an email for me. I would doubt the majority of users would be able to put two and two together though.

    1
  6. 6

    alternative : e-mail@office.com -> e-mail |at| office |d-o-t| com :-)

    0
  7. 7

    Obfuscating your email address is all well but it doesn’t really help with the accessibility of your site. In the footer of this site you have an email link with an obfuscated address; if I hadn’t just read your article on that very subject then I doubt I’d actually have looked at the email address I was sending my email to.

    Personally I think that you should be making it as easy as possible for your users to contact you with valid email links, contact forms etc. and then deal with the spam either on your server or in your mail client. Half the time it’s hard enough finding someone’s email address on a website, then I have to figure out how to decode it just so that they don’t get any spam?

    0
  8. 8

    I like hiveware enkoder combined with a element for screen readers and the like. The just has a link to our contact form. For an example, see http://selkirk.ca/discover/staff/detail/index.asp?StaffID=524

    The ‘email’ link for a staff member takes people to the contact form; the hiveware enkoder is to the generic account — see the footer at the bottom of the page. Seems to work well for us…

    0
  9. 9

    Sorry, that should have been “combined with a [ noscript ] element… the noscript element has a link…”

    0
  10. 10

    Well for me I use the simple method of having two email addresses – one for official stuff and one open address for the world at large (spammers included :P)

    0
  11. 11

    I use a custom, one-off JavaScript function that I change up a little each time I use it. It’s not foolproof, but it seems to be working so far.

    0
  12. 12

    I put up a contact form with a challenge question.

    0
  13. 13

    All of you have mentioned.
    I use Gmail as home e-mail and another e-mail (my business e-mail) to communicate to my customer.
    But I also use “10 minute mail” when I need an e-mail to register on web site.

    (sorry for my english)

    0
  14. 14

    Here is another unobtrusive anti-spam solution for accessible email obfuscation: SpamSpan

    0
  15. 15

    I have been using the gmail solution for a while now and the results are staggering.

    I have all email forward to gmail then back to a clean mailbox. I leave them on gmail so I can get them remotely if I want and also to keep count.

    In 6 weeks, with 2000 or so emails forwarded over 20,000 spam were filtered!!!!

    Gmail isn’t too aggressive on spam so the best thing to do is use spambayes (http://spambayes.sourceforge.net) with your mail client.

    I see maybe one or two spam a day and spambayes has even learned to filter out those penny stock image emails that appeared recently.

    -1
  16. 16

    Rather than treating *some* of the inputs to spam in your inbox – which is ineffective, does not prevent brute force mass mailing, or forwards that get circulated – why not consider something more sensible like Tagged Messaging: http://www.tmda.net which assumes all email is spam and allows you to permit and monitor email inputs flexibly. I’ve been using this on our mail system at work for 3 years and enjoy 0 spam inputs.

    0
  17. 17

    An interesting article, and I can agree that these techniques would be effective at preventing spiders from capturing email addresses, but from what I have been told, and what I have seen, a lot of spammers are now simply using sequential string generators to send out emails (i.e. systems which try “AAA@server.com”, “AAB@server.com”, “AAC@server.com”, etc.).

    As such, whilst these techniques may have been essential to reduce spam exposure maybe 5 years ago, now, you will still get hit with spam regardless.

    You are far better off focusing your energy on an effective spam filter in your email client/server (like that included in Thunderbird) than these techniques.

    But, that’s just my opinion.

    0
  18. 18

    Tristan Laurillard

    December 20, 2006 11:49 pm

    Combine some of these:

    – method 1 –
    Not one or two e-mail addresses.
    No, thousands.

    Such as on this very site (smashingmagazine.com)
    I would have signed off with
    smashingmagazine@myowndomain.com

    I announce this method should be named:
    ” ad-hoc e-mail addressing ”.

    All e-mails, except the ones sent
    to myrealaddress@myowndomain.com, will then
    end up in spam@myowndomain.com
    And I go there once a week or so to
    quickly browse through them to see
    if anything important has arrived,
    besides spunk- and jam-mail.

    When the address is never published,
    as is the case on this page,
    but I do suddenly receive FREE PENIS ENLARGEMENT,
    I know who has been selling my e-mail address.

    – method 2 –
    Auto-reply with:
    ” This address is actually fake. Please re-submit to myrealaddress@myowndomain.com

    – method 3 –
    Auto-reply with:
    ” Please visit myowndomain.com/whitelist/ to add your e-mail address to my whitelist. ”

    – regarding method 4 –
    The trick to use alternative punctuation, such as peter[at]home[dot]com, or any other clever form:
    f o r g e t i t .

    I am not even a super programmer,
    and I could easily still data-mine
    very very many of those.

    0
  19. 19

    Eventually, some spammer will add one of the available open-source Javascript engines to their crawler and then Javascript obfuscation will offer less protection.

    The public/private address solution is one that I currently recommend, but your private address can still be exposed if one of your correspondents allows a virus to infect their machine; I’ve seen confidential ‘never-posted-anywhere’ addresses get spam, apparently because a virus or trojan found them in the browser cache or address book of an infected machine and reported back to its masters.

    So I think the title of your otherwise useful article is misleading: all these suggestions are good, but none of them are probably bulletproof.

    One other thing that you don’t mention is the possibility of using a mail form rather than displaying your address on a web page. Mailforms have their own disadvantages and they’re not bulletproof either (comment-spamming bots can just as easily spam mailforms), but they’re worth considering.

    0
  20. 20

    I’m a big fan of Spamgourmet (http://www.spamgourmet.com). Spamgourmet provides a means of creating throw-away email addresses so that I can limit how many email messages an address I give out can be used for. Even better, when I do get email, I know where it came from, so I know if an email address is being sold or passed around indiscriminately.

    So far, I mostly use it for web sites that require a valid email address for registration, but I’ve done some proof-of-concept work towards creating mailto links that have the requester’s IP address and a timestamp encoded in them, so if I get spammed, I’ll be able to report not only the origin of the message, but also the spam harvester. Typically, spammers only send bulk email from temporary accounts that they expect will be shut down soon after they start spamming from them, so reporting a spam message to abuse@yourisp.net isn’t usually of much help. However, they don’t change their harvesters as often, so being able to report the IP of the harvester might actually be helpful.

    0
  21. 21

    One technique, which came about by accident, is having addresses that purposely get harvested. I found that a lot of spammers spoof headers to show the emails are from one of those fake addresses, or will cc one of the harvested addresses as well as your own (or it will be in the to field). While this doesn’t prevent spam, you can easily program filters to block out any that contain the harvested addresses.

    I learned this the hard way by having addresses that did get harvested back in the early days of the web. I had to retain my personal one, but cancelled a lot of the others. Now, whenever a spam comes in with one of the old addresses in the cc or to fields, it’ll get filtered.

    The other trick, if you have been harvested, is to include various words in the filters: ever noticed how spammers are usually the first to say ‘not spam’?

    By having a combination of these, I manage to knock out around 60 to 70 per cent of my spams, with a tiny handful of false positives.

    I must say that the latest McAfee SpamKiller is far better than the old clunker it used to retail though, and this has been rather effective.

    0
  22. 22

    Spam Links webmaster

    January 13, 2007 7:23 pm

    That’s a couple of new links to me – useful post. I have a big list of anti-harvesting methods at Spam Links, up at , and more general ways to deal with spambots at .

    0
  23. 23

    Spam Links webmaster

    January 13, 2007 7:26 pm

    I messed the links up in my last post…

    They were:

    http://spamlinks.net/prevent-spambots-hiding.htm
    http://spamlinks.net/prevent-spambots.htm

    Hope they help.

    0
  24. 24

    Spam bots are using my ordering form to send me crap, but the thing is that it isn’t filling out all the boxes. All the boxes have to be filled before it can be sent, so how in the heck are they bypassing them???

    Thanks.

    Perry

    0
  26. 26

    Hello, I have tried just about all of these ideas to stop the spam. One thing that I can’t seem to avoid is other people not doing the right thing with my email address. I have used the Yahoo throw-away domains and I have even donated MX records to the Honeypot project in an effort to be more proactive about it. About the only service that I have found that is easy, integrated, and doesn’t require me to create a new email address every time I need a new disposable email address is wumber. It has a free subscription (and a paid one) but it’s just easy to use and this is the kicker: an email address can only be used by the person that you give it to. So even if they pass it around, it is of no value. I love it. Well worth a look: wumber.com. Anything that reduces spam is great, but this just eradicates it before it can start.

    0
  27. 27

    It’s interesting... Thanks for sharing.

    0
