PC Security Forum

Spam-Proofing Your Site To Save Your Inbox From Unwanted Email


Spam mail, including unsolicited commercial email and unwanted bulk email, is an endemic problem that plagues our inboxes daily. This menace costs businesses billions of dollars worth of lost working time, resources, and expenditure on anti-spam measures. Each day most of us receive more spam than real email.  These unwanted emails offer dubious products, doubtful financial services, promotions for prescription drugs, and invitations to pornographic websites. Despite advances in tools to protect against spam, the truth is, you just cannot escape it — and it hurts. Spam wastes resources, takes up bandwidth, increases frivolous internet traffic, and burns legitimate marketers because people tend to dismiss genuine emails when overwhelmed with spam.

Why Are You Getting So Much Spam?

To stop spam dead in its tracks, it is vital to understand how spammers target an email address to send unsolicited mail. There are two ways spammers find valid email addresses that they then turn into a spam list.

  • Dictionary Harvest Attack: Spammers send mail to general mailbox names such as admin@mydomain.com. This technique can be nullified by using unique email account names instead of general accounts. For example, replace admin@mydomain.com with mycompany.admin@mydomain.com.
  • Email Harvesting: This technique is the preferred method for identifying valid and responsive email addresses. Spammers harvest addresses from websites with “spambots” that automatically crawl web pages looking for forms, comments, user logins, and valid email addresses, and add what they find to their mailing lists. These lists of active addresses are then traded in bulk, so each address reaches more spammers over time, resulting in thousands of spam messages.

Email harvesting is devastating, and you can end up receiving large amounts of spam if you are placed on these lists. Though the law specifically states that you have to opt in to mailing lists and also be able to unsubscribe from them, spammers ignore the law with impunity.

Most websites advertise their email address on the contact page so that clients, customers, or visitors can get in touch easily. If your address is written out plainly there, or you are using a ‘mailto’ link, you are probably getting a constant barrage of voluminous, offensive, and unsolicited emails. Spammers keep designing new ways around traditional anti-spam methods; therefore, webmasters must constantly improve the anti-spam tactics for their own websites.

Avoiding Spam When Posting an Email Address

How can you stop these annoying automated spambots from compromising your website and sending email spam to the website owner?  There are a number of tips and tricks you can effectively use to prevent spambots from putting your email address on spammers’ lists, while still giving your visitors ways to easily get in touch with you.

Address “Munging”

Address munging is the practice of disguising an email address to prevent it from being automatically collected by unsolicited bulk email providers.

Use Plain Text

To prevent spambots from harvesting addresses on your web pages, you can hide them. The common practice is to place your email address on a page by using a link for people to click on. While that is easy for your users, spambots can still see addresses hidden behind an HTML link. Spambots generally look for patterns of text that identify an email address. Email addresses always contain an @, so spambots scan the page for the @ symbol. An effective technique for disguising your email address from spambots is to eliminate the @ symbol and substitute words for it. For example:

youremail AT example DOT com

Admittedly, this is not how most web users are used to seeing email addresses, and it may prove inconvenient for some users who do not recognize it as a valid email address. However, employing this technique will keep the pesky spam crawlers away, and most human visitors will easily be able to replace the words with the correct symbols and contact you.

Use ASCII Character Codes

It is also possible to completely disguise an email address with its corresponding ASCII codes. Human users will be able to see the addresses without any apparent munging. So, for example, to represent the @ symbol, you can use the machine language for representing characters on a web page: &#64; (ampersand number-sign six four semi-colon).

To any human visitor the following formatted addresses will all appear the same, if they are included in the HTML of your site because their browsers automatically translate the character code; however, most spambots will not be able to recognize the codes.  That said, some address-harvesting spambots can already read ASCII character codes.

Disguise Your Email Address By Adding JavaScript Code

With more advanced spam harvesting techniques being used today, munging your email address alone will not be enough to stop spambots from misusing your email. Rather than simply writing your email address straight out, consider the user-friendly way of veiling your email address with JavaScript to guard it from spambots. To do this, you insert the code into an HTML snippet on the page so that the email address still appears as a clickable link to users. Visitors must have JavaScript enabled in their browser for the email address to appear as a normal, clickable email address. The code separates the different elements of your address, so bots can’t extract it. Harvesters trying to interpret the JavaScript run the risk of being stuck in infinite loops or crashing on malformed JavaScript.

Post Your Email Address As An Image

You can hide your email address in an image by using popular graphics imaging programs to encode your email address as a GIF, PNG, JPEG, or other standard web format. You can also post your email as an image using free online Email-Address-to-Image converters. Forego the “mailto” link on the image. Spambots are not likely to be capable of optical character recognition needed to process the contents of images. The downside is that users still need to retype the email address in order to send you a message and visually impaired visitors may not be able to access your address.

Identifying and Blocking Spambots

Spambots can modify their behavior to fight off munging techniques.  The next likely defense is to identify visitors that are likely to be spambots and deny them access to your page or simply not make your email address visible to them at all.

Add A Contact Form

Users on text-based browsers like Lynx will not be able to see your email addresses. It’s a good idea to have an alternate means for users to get in touch with you. A “contact us” form allows users to email you through the website. A well-constructed contact form does not publish your email address to the public, and all communication made through the form is sent to you indirectly through your content management system. Adding a contact form keeps address harvesters away, but unfortunately spambots may still be able to send you email this way. You can secure your web forms by using validation methods that prevent spambots from filling them out. The best method is to use CAPTCHA links on your web forms together with hidden honeypots, which check whether the visitor is a real human and filter out automated bots before they can extract your address and add it to their lists.

Check The Referer String

The referer string provides an indication as to how your visitors linked over to your website.  Generally, spambots do not set the referer string, or they have it set to some third-party’s URL, so you can spot robots by looking for referer strings that come from a remote website in order to limit their access to any email addresses on your page.

Set Up A Robots TXT File

Site owners can set out instructions using a robots.txt file to restrict robots from accessing your website. In order to determine the robots to block, you should do some research on the robots likely to invade your site.  If there is not enough reliable information about a robot or its function seems questionable, simply block it by using the robots.txt file.  You can control how your site is crawled with the robots.txt file using the ‘User-agent’ rule to set who the rule applies to.  You can also use ‘Disallow’ to specify the files or folders that are not allowed to be crawled.

Use Mod_Rewrite

In case a robot is found not obeying the robots.txt file you can use mod_rewrite to block bots from finding your email. You can check with the server administrator of your primary hosting company to find out if you have mod_rewrite installed and the permissions to edit the .htaccess file.  If you do not have this permission you will not be able to use mod_rewrite.

A Little Effort Goes A Long Way

Most spam prevention techniques are about staying ahead of the curve.  While they may not be able to completely protect your email address from spammers, they will certainly reduce the offenses. Keep your primary address off public websites and post alternative addresses that you do not mind being compromised. Cleaning up spam promptly will discourage spammers, who will move on to easier targets. Most importantly, always stay up to date with the latest methods of fighting spam.
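The following is an added example, not part of the original post, for the "Use ASCII Character Codes" and "Disguise Your Email Address By Adding Javascript Code" sections: it produces both forms of munging and audits each one the way the text describes, first by scanning the raw source and then after the character codes are decoded. The address, the element id and all function names are constructed for illustration.

```javascript
// Added example: function names and the values passed to them are illustrative.

// Encode each character as a decimal HTML character reference ("@" -> "&#64;").
function toEntities(text) {
  return Array.from(text, (ch) => `&#${ch.codePointAt(0)};`).join("");
}

// Decode decimal references, as any HTML-aware parser does before reading text.
function decodeEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Pattern check for a literal user@host.tld in page source.
const ADDRESS_PATTERN = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
function exposesAddress(pageSource) {
  return ADDRESS_PATTERN.test(pageSource);
}

// Emit a snippet that assembles the link in the browser from separate parts,
// so neither the "@" nor the full address appears in the page source.
function scriptMunge(user, domain, elementId) {
  const id = JSON.stringify(elementId);
  return [
    `<span id=${id}></span>`,
    "<script>",
    "(function () {",
    `  var addr = ${JSON.stringify(user)} + String.fromCharCode(64) + ${JSON.stringify(domain)};`,
    '  var link = document.createElement("a");',
    '  link.href = "mai" + "lto:" + addr;',
    "  link.textContent = addr;",
    `  document.getElementById(${id}).appendChild(link);`,
    "})();",
    "</script>",
  ].join("\n");
}

// Audit a page fragment: is an address readable in the raw source,
// and is it readable once character references have been decoded?
function auditFragment(html) {
  return { raw: exposesAddress(html), decoded: exposesAddress(decodeEntities(html)) };
}
```

Running `auditFragment` over your own contact page shows which form of munging it relies on: an entity-encoded address passes the raw scan but not the decoded one, which is the weakness the post notes for ASCII character codes.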
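The next block is also an added example, not part of the original post, for the "Add A Contact Form" and "Check The Referer String" sections: a server-side screen for contact-form submissions that combines a hidden honeypot field with a check of the Referer header. The host name, the honeypot field name and the accept/review/reject policy are assumptions made for illustration.

```javascript
// Added example. SITE_HOST and the honeypot field name are constructed placeholders.
const SITE_HOST = "www.example.com";
const HONEYPOT_FIELD = "website"; // present in the form but hidden from people with CSS

// Classify the Referer header sent with a form POST.
function refererVerdict(referer) {
  if (!referer) return "missing";
  try {
    return new URL(referer).hostname === SITE_HOST ? "same-site" : "third-party";
  } catch (err) {
    return "malformed"; // not a parseable absolute URL
  }
}

// Decide what to do with one submission.
// headers: lower-cased header map (as in Node's req.headers); fields: parsed form body.
function screenSubmission(headers, fields) {
  const reasons = [];

  // People never see the honeypot field, so any value in it came from a script.
  const trap = String(fields[HONEYPOT_FIELD] || "").trim();
  if (trap !== "") reasons.push("honeypot-filled");

  // A form posted from our own page normally carries a same-site Referer.
  const ref = refererVerdict(headers.referer);
  if (ref !== "same-site") reasons.push("referer-" + ref);

  let action = "accept";
  if (reasons.includes("honeypot-filled")) action = "reject";
  else if (reasons.length > 0) action = "review"; // Referer alone is a weak signal
  return { action, reasons };
}
```

The Referer header can be absent for legitimate visitors whose browser or privacy settings strip it, which is why this sketch only holds such submissions for review instead of rejecting them.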
