How Do Spammers Get Your Email Address?
Websites
One of the easiest ways spammers collect email addresses is by running automated harvesting scripts that parse web pages, looking for strings of characters that appear to be email addresses. These programs work automatically and can harvest thousands of addresses quickly.
As a test to see how secure your own address is, go to a search engine such as Google and enter your email address. If you see any page results, your email address is vulnerable to these automated harvesting programs.
Guessing
I'm guessing that you may have email accounts with usernames like "info", "sales", "marketing", "webmaster", "president", "ceo", etc. Automated spam programs will try to verify all commonly known user names in one of two ways: either through an SMTP VERIFY (VRFY) command that reports whether or not an account is active, or by connecting directly to your mail server and attempting to send a test message to see if your address 'bounces.'
Many mail servers now accept all mail (which defeats the verification step) and either delete the undeliverable messages or bounce them after the fact. This makes it difficult for a spammer to build a validated list.
Some email domains are set up with a "fallback" or "catch-all" email address that will accept any incoming message for an entire domain. This is obviously not recommended because anything addressed to the domain will end up in your mailbox including spam, viruses, phishing scams, etc.
Forums, Testimonials, Newsgroups
Whenever you participate in an online forum, you usually need to leave identifiable information so you can be contacted. Many forums in the past posted your information publicly, so it could be easily collected by spammers. They didn't do this on purpose; they just didn't know what they were doing, or the software offered no privacy options. If you see your name in other forums, you can request that your post be removed (sometimes difficult or impossible). Newer and better services will authenticate your email address by sending you a message that you have to respond to.
The best thing to do is use a throw-away email address for online posts on sites that do not honor your privacy. Some quality email service providers (like Yahoo) offer a service like "AddressGuard" that allows you to create multiple, identifiable email addresses that you configure on a per-forum basis. You can then simply discard an address when you start getting too much spam, without having to change your primary email account.
How to Protect Your Email Address
Here are a couple of ways currently used to attempt to protect your address while still having it available online. Please note that not all of these methods are 100% effective.
Reformatting the address
The simplest (and least professional) method for hiding an email address is to display it in a way that makes it difficult for automated scripts to identify the address. For example, insert some spaces into the address and/or spell out the characters:
username @ domain . com
username (at) domain (dot) com
You could also add a word to the email address and then provide additional instructions to remove the word in order to ascertain the valid email address:
username-goodbyenospam@domain.com
Remove "-goodbyenospam" from the above email address to send me email.
We don't recommend this "word removal method" because it still adds value to a spammer's database: such lists are sold by the number of collected addresses, not by their accuracy. It also costs extra network bandwidth and mail server processing during the send, bounce and bounce-report operations.
Use a Graphic
This is effective, yet not the best implementation. A user cannot click on the graphic, and you will need to rely on their skill at faithfully retyping the email address into their email client. If a visitor has images turned off or is using a screen reader (i.e., is visually impaired), then the email address is entirely invisible and your website will not be Section 508 compliant.
Use ASCII or UTF codes in Email Addresses
Using ASCII or UTF is one way to obscure your email address.
ASCII (decimal character references):
&#117;&#115;&#101;&#114;&#110;&#97;&#109;&#101;&#64;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;
will display as username@domain.com
UTF (only some characters encoded):
usern&#97;me@d&#111;main.com
will display as username@domain.com
NOTE: Many developers actually believe this method is safe and will prevent spammers from identifying your email address. This is a faulty assumption: well-written harvesting software decodes the character references and identifies the above email addresses just as easily as plain text.
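The following is an added example, not code from the original article, that puts the two points above to the test: the search-engine check in the "Websites" section and the note that character references hide nothing. It audits a page's HTML source the way you would audit your own site, decoding decimal and hexadecimal references first and then matching addresses. The sample HTML, the example.com addresses and the function names are constructed for this example.

```javascript
// Added example: audit your own page source for exposed addresses.
// Numeric character references (the article's "ASCII/UTF codes") are decoded
// before matching, which is exactly why they offer no protection.

// Conservative address pattern; good enough for a self-audit.
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Decode &#NNN; (decimal) and &#xHH; (hex) references, then the few named
// entities that commonly appear around an address in page source.
function decodeCharRefs(html) {
  return html
    .replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)))
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Distinct addresses that remain visible once references are decoded.
function findExposedAddresses(html) {
  const decoded = decodeCharRefs(html);
  return [...new Set(decoded.match(ADDRESS_RE) || [])];
}

// Constructed sample page: one plain address, one decimal-encoded, one
// hex-encoded, and one using the "(at)/(dot)" reformatting from above.
const SAMPLE_HTML = `
<p>Plain: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Decimal: &#119;&#101;&#98;&#109;&#97;&#115;&#116;&#101;&#114;&#64;example.com</p>
<p>Hex: &#x69;&#x6E;&#x66;&#x6F;&#x40;&#x65;&#x78;&#x61;&#x6D;&#x70;&#x6C;&#x65;&#x2E;&#x63;&#x6F;&#x6D;</p>
<p>Reformatted: support (at) example (dot) com</p>
`;

function auditSample() {
  return findExposedAddresses(SAMPLE_HTML);
}

console.log(auditSample());
```

Run with node; the three encoded-or-plain addresses are reported, while the "(at)/(dot)" form is the only one this simple pattern misses, which matches the article's ranking of the methods. A real audit would fetch each page of the site and run findExposedAddresses over the raw response body.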
Web-Based Forms
You can use a web-based mail form. This is extremely useful if the visitor is accessing your website from a computer where they do not have access to their email account. It only protects your address, however, if the address is not exposed in the source code, as it is in this example:
<form method="post" action="mailto:username@domain.com" enctype="text/plain">
<input type=text name=your_comments>
<input type=submit value="Submit Your Comments">
</form>
This method is unprofessional and requires that a configured email client be set up on the computer they are using. It also leaves your email address vulnerable to spammers, and it may pop up an error dialog.
Other failing attempts to protect your email address still expose it in the source code, like this:
<FORM ACTION="http://www.responders.com/respond/mailer/responder.asp" METHOD="POST">
<input type="Hidden" name="FormID" value="user@domain.com">
<input type="Hidden" name="Webmaster" value="user@domain.com">
<input type="Hidden" name="SendCC" value="">
<input type="Hidden" name="SendBCC" value="">
<input type="Hidden" name="TargetPage" value="http://www.domain.com/thanks.htm">
...
Simply using a web-based form is not enough; neither of the above methods protects your email address. It needs to be a web form that does not list your email address in the code, like this:
<form action="./index.cfm" method="post">
TO: <select name="To">
<option value="1">Sales</option>
<option value="2">Marketing</option>
<option value="3">Support</option>
<option value="4">Webmaster</option>
</select>
...
On the page this renders as a drop-down list of the four departments; the server maps the selected number to the real address, which never appears in the source.
Web-based forms are great to use, but make sure that you send the email from yourself (your own address) and set the Reply-To header to the visitor's address. The reason is that you would never receive the message if it were sent from an improperly formatted address such as "Don't know", "don't have an email address" or "AOLUser". Sender Policy Framework (SPF) is another critical reason to send it from yourself: AOL will not acknowledge your web server as authorized to send email on behalf of its users, and your mail server may delete or reject the message. To learn more about SPF, go to OpenSPF.org. To test your web form's sending ability for SPF compliance, use the DNSStuff SPF Tester.
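As an added example (not the article's own code, which used a ColdFusion index.cfm page), here is the server side of the department drop-down above written in JavaScript for Node: the form only ever carries a department number, the real mailbox map lives on the server, the message is sent from the site's own address, and the visitor's address goes into Reply-To only when it is plausibly well formed. The DEPARTMENTS map, the example.com addresses, the field names and the sample posts are constructed for this example; the returned message object would be handed to whatever mail library the site uses.

```javascript
// Added example: build the outgoing message for a contact form whose <select
// name="To"> sends only a department number.

// Internal map from form value to real mailbox; never shipped to the browser.
const DEPARTMENTS = {
  '1': 'sales@example.com',
  '2': 'marketing@example.com',
  '3': 'support@example.com',
  '4': 'webmaster@example.com',
};

// The site's own address is used as the sender so that SPF for the site's
// domain covers the message (the article's AOL/SPF point).
const SITE_SENDER = 'webform@example.com';

// Conservative syntax check: one local part, one '@', a dotted domain, and no
// whitespace (so no CR/LF can reach a header through this value).
const ADDRESS_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function isPlausibleAddress(s) {
  return typeof s === 'string' && s.length <= 254 && ADDRESS_RE.test(s);
}

// Returns the message to send, or null when the department value is not one
// we know (a tampered or stale form post that should be discarded).
function buildMessage(fields) {
  const to = DEPARTMENTS[String(fields.To)];
  if (!to) return null;
  const msg = {
    from: SITE_SENDER,
    to: to,
    subject: 'Website contact form',
    text: String(fields.your_comments || '').slice(0, 10000),
    headers: {},
  };
  if (isPlausibleAddress(fields.email)) {
    msg.headers['Reply-To'] = fields.email.trim();
  } else {
    // "Don't know", "AOLUser" etc.: keep what the visitor typed in the body so
    // the recipient can see it, but never place it in a header.
    const given = fields.email === undefined ? '' : fields.email;
    msg.text += '\n\n[visitor gave no usable address: ' + JSON.stringify(given) + ']';
  }
  return msg;
}

// Constructed sample posts: a normal one, one with an unusable address, and
// one whose department value was tampered with.
const SAMPLE_POSTS = [
  { To: '3', email: 'alice@customer.example', your_comments: 'My order is late.' },
  { To: '1', email: "Don't know", your_comments: 'Pricing question.' },
  { To: '9', email: 'x@y.example', your_comments: 'tampered department value' },
];

function handleSamplePosts() {
  return SAMPLE_POSTS.map(buildMessage);
}

console.log(handleSamplePosts());
```

The map is the whole point: a harvester reading the page sees only the numbers 1 to 4, and a tampered value that is not in the map produces no message at all rather than a message to an attacker-chosen address.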
In addition to using an online form, it is highly recommended to build some additional security into the form so that spammers cannot take your form parameters and use automated software to post spam through it. This is known as blog or comment spam. One way to combat it is a time-based encoded hash parameter that gives the user a 15-minute window to compose and send their message; if anyone saves the form and tries to send automated messages after 15 minutes, the messages are simply discarded and not sent. My favorite method for effectively stopping automated comment spam is a CAPTCHA that changes with every message attempt. For more information on CAPTCHAs, visit Wikipedia's entry on CAPTCHA.
Use Javascript to Obfuscate the Email Address
This is both a highly effective and personally recommended method. We do this on many websites where the client requires us to display multiple email addresses so they can be both printed and clicked on as regular "mailto" links. We do not want our clients to be responsible for having the addresses harvested by spammers. [We additionally block known spam harvesting programs at the application level before the webpage is ever delivered.]
<script language="JavaScript">
// Writes a mailto link for Login@Server. Display is optional: when it is
// omitted, empty, or itself contains '@', the address is used as the link
// text; otherwise Display (plain text or an <img> tag) becomes the link text.
function DisplayMail(Server, Login, Display){
  var address = Login + "@" + Server;
  // "mai" + "lto:" keeps the literal string "mailto:" out of the page source.
  var href = "'mai" + "lto:" + address + "'";
  if (typeof Display === "undefined" || Display.length == 0 || Display.indexOf('@') != -1) {
    document.write("<a href=" + href + ">" + address + "</a>");
  } else {
    document.write("<a href=" + href + ">" + Display + "</a>");
  }
}
</script>
Then, to display your email address, use the following syntax:
<script language="javascript">DisplayMail('domain.com', 'username');</script>
which renders as a link whose text is the address itself, username@domain.com;
<script>DisplayMail('domain.com', 'username', 'Send Email');</script>
which renders as a link with the text "Send Email"; and
<script language="javascript">DisplayMail('domain.com', 'username', '<img src="email.gif" border="0" width="19" height="13" alt="Send Email"/>');</script>
which renders the email.gif image as the clickable link.
Here are some links to related JavaScript methods:
- Email Riddler: Encrypts one address at a time; you need to go back to the website to encrypt each new address; requires a JavaScript variable assigned for every email address; the email address is not displayed on the page for printing purposes.
- Email Protector: Encrypts one address at a time using RSA encryption (10 bit); you need to go back to the website to encrypt each new address; randomizes the JavaScript each time, so each new address requires a whole new function; the email address is not displayed on the page for printing purposes. Recommended for a single email address.
- Anti-Spam Email Link Obfuscator: Encrypts one address at a time; you need to go back to the website to encrypt each new address; randomizes the JavaScript each time, so each new address requires a whole new function; the email address is not displayed on the page for printing purposes.
Conclusion
There are many other techniques to combat spammers. Many require a highly configurable mail server or involve third-party service providers; I'll reserve this information for another article. Please note that these hardware and provider services can be easily and unintentionally misconfigured so that they reject or delete too much of the email you want. For personally taking control of and monitoring your own mailbox, we use and highly recommend FireTrust MailWasher.