
Winning the SPAM wars

By on Jun 12, 2005 in Web Engineering

I don’t like spam. I don’t know anyone that does. Luckily, there are a variety of tools and techniques that help me win the spam wars. The most obvious – or at least the most well known – are the variety of programs that filter, sort and block spam headed for your inbox. Less obvious are the ways you can prevent spammers from getting your e-mail address in the first place. Since the first is really the domain of IT folks and System Administrators, this article focuses on how to prevent spammers from getting your e-mail, or at least lessening the possibility.

How the spammers got your e-mail address.

Before we can dive into how to prevent spammers from getting your email address, we need to think like a spammer for a minute. Spammers collect e-mail addresses through four basic methods:

  • They try typical words at known domains: for instance, if your company has the domain goodcompany.com, they will probably try to e-mail webmaster@goodcompany.com, sales@goodcompany.com, etc.
  • They buy lists of e-mail addresses from other companies and websites that collect them. Confirmed “live” e-mail addresses are much more valuable than unconfirmed addresses.
  • They analyze mailing lists for e-mail addresses.
  • They use “spambots” to scour the web for new e-mail addresses. Spambots are automated spiders that surf the Internet – including websites, usenet postings and forums.

A general theory about protecting e-mail addresses.

Protecting your e-mail address is a compromise. It is possible to fully protect your e-mail address: choose an obscure domain, create a difficult-to-guess e-mail address and don’t tell it to anyone. The usefulness of an e-mail address graphed against its protection follows a bell curve, and highly-protected e-mail addresses have a very low usefulness. Paradoxically, if you don’t protect your e-mail address at all, the flood of spam will render it useless again.

The right level of protection depends on the e-mail address.

The right level of protection is somewhere in between, and varies according to the purpose of the e-mail address. If you’re thinking about your company, it makes sense to accept more spam in order to make it easier for your customers (or potential customers) to reach you. On the other hand, if it’s your personal address, it probably makes sense to stringently protect it.

Commonsense protection.

There are a number of steps you should take either way.

  • Don’t download images when you receive spam. Most modern e-mail clients allow you to only download images if you explicitly choose to. When you download an image, it tells the sender of the e-mail that you’ve read it. If the sender is a spammer, the value of your e-mail address just tripled.
  • Don’t unsubscribe from spam. Remember what spam is: _unsolicited_ e-mail. If you subscribed to a list, and know and trust the sender, go unsubscribe. If you don’t know the sender, _don’t_! Again, you’ve just confirmed that your address is “live.”
  • And whatever you do, don’t click the link! Not only does clicking the link confirm that your e-mail address is active, but it encourages spammers. Obviously people respond to spam; otherwise no one would do it. Every time someone clicks a link in a spam e-mail, they are supporting spam in general.
  • Use a different e-mail address to sign up for mailing lists and when you buy things online. If you’re at a company, see if your IT Dept will allow aliases (e.g. josh-newsletters@abc.com forwards to josh@abc.com).
  • Don’t give your e-mail address to marketers, etc. Or at least know that they’re going to be selling it, and you’ve just agreed to let them. Yes, this may prevent you from a chance to win that car, so in the end, the decision is yours.

Other techniques include disposable addresses that change frequently and white-list programs that only let through senders that are on your list. I choose not to use these because my spam-blocking software is good enough that the spam I actually deal with is at a manageable level.

Protecting your company’s e-mail address from spambots.

Beyond the commonsense protections is the spambot. If your company displays e-mail addresses on its website, those addresses will be found by a spambot.

The basic code for displaying a clickable e-mail address is: <a href="mailto:email@abc.com">blah blah</a>

Spambots scour webpages for this pattern, and when they find it, they log it.

There are a variety of ways to protect your e-mail addresses – basically by removing that pattern from your site – and the guidelines explained above apply here as well: each level of protection makes it more difficult for your users to reach you.

Contact Us Form

The best protection is a contact us form. There are no e-mail addresses on the page, and thus nothing for a spambot to grab. The problem we have with the Contact Us form is that it’s not especially user friendly. Some users report that they like to have a copy of what they sent stored in their e-mail program; others simply say that the feeling they get is one of submitting a question to a large machine – which, in fact, is what they are doing.

The best way to make your current and future customers comfortable with you is to enable them to have a personal connection: this is why “dave@abc.com” is better than “sales@abc.com,” and why an e-mail address is better than a submit button.

Images and descriptions

Some people advocate displaying an email address as an image. Here’s my e-mail address: myemail.gif. Looks like you should be able to click on it, right? That is so frustrating. Even if it didn’t look like you could click on it, it tells your customers that your concerns about getting spam are more important than letting them contact you easily. Yes, it’s not hard to open up an Outlook window and type the address in, but staying on hold with the phone company also isn’t hard.

Along this same line, some people advocate displaying e-mail addresses like “josh AT abc DOT com.” This may be fine for an individual, but it’s not appropriate for a corporate site, and eventually spambots will be able to understand them.

A better way: obscuring e-mail addresses

The third way of protecting your e-mail addresses depends on making e-mail addresses difficult for spambots to read, but easy for humans. These techniques are not foolproof, but they can offer a fairly high level of protection.

Using HTML entities to encode the e-mail address.

HTML entities are numerical designations of characters. “a” is “&#97;” for instance. If a spambot is looking for a pattern text@text.com, replacing that “@” with a “&#64;” may confuse some spambots. You could take it a step further and encode the entire e-mail address. Obviously, sophisticated spambots will be able to figure this out, however.

Using mixed entities to encode the e-mail address.

The next level of obscurity is to mix it up, literally. We use an algorithm that randomly substitutes HTML entities, hexadecimal entities and normal characters in an email address. email@abc.com ends up looking like %65&#109;a%69l@abc.c%6f%6d. Hopefully, this will further confuse spambots.
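The mixed encoding above, together with the pattern matching described in the spambot section, as an added example that is not the article's own algorithm or code. The names rng, mixChar, obfuscatedLink, decodeAll and audit are hypothetical; the seeded generator, the rule that “@” is never left literal and ASCII-only addresses are assumptions.

```javascript
// Added example: mixed encoding of a mailto link, plus a self-audit of the result.
// Seeded LCG so output is reproducible (assumption; not cryptographic randomness).
function rng(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 4294967296;
}

// One character as a decimal entity, hex entity, literal, or (href only) %XX.
function mixChar(ch, rand, allowPercent) {
  const code = ch.charCodeAt(0);
  const forms = [`&#${code};`, `&#x${code.toString(16)};`];
  if (ch !== '@') forms.push(ch); // assumption: "@" is never left literal
  if (allowPercent && /[a-z0-9]/i.test(ch)) forms.push('%' + code.toString(16));
  return forms[Math.floor(rand() * forms.length)];
}

function obfuscatedLink(address, seed) {
  const rand = rng(seed);
  const enc = (pct) => [...address].map((c) => mixChar(c, rand, pct)).join('');
  // Percent escapes are decoded only inside the URL, so the visible text
  // is limited to entities and literals.
  return `<a href="mailto:${enc(true)}">${enc(false)}</a>`;
}

// What a browser, or a harvester that decodes, ends up reading.
function decodeAll(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(Number(d)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

const ADDRESS_PATTERN = /[\w.+-]+@[\w-]+\.[\w.-]+/g;

// Audit a page: addresses visible to a plain pattern match vs. after decoding.
function audit(html) {
  return {
    plain: html.match(ADDRESS_PATTERN) || [],
    decoded: decodeAll(html).match(ADDRESS_PATTERN) || [],
  };
}

const sample = obfuscatedLink('josh@abc.com', 7); // constructed sample input
console.log(sample);
console.log(audit(sample));
```

Running audit over your own pages shows which addresses a plain pattern match would pick up and which only appear after decoding, which is the limit of what this kind of encoding buys you.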

Using JavaScript to obscure the address.

The final step is to use JavaScript to confuse spambots. There are thousands of different ways of doing this, and a quick Google search will bring up dozens.

The final step: combining them all.

We combine all of these into a single solution that so far works well, while giving visitors a great (expected) experience.

We use PHP to dynamically create an external javascript function that looks like this (for josh@abc.com):

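function safe(text){
   // Lookup tables keyed by the short name used in the page
   var alink = {};
   var name = {};

   // The href keeps some characters percent-encoded; the link text is the readable address
   alink['josh'] = 'mailto:josh@%61bc.%63om';
   name['josh'] = 'josh@abc.com';
   document.write('<a href="' + alink[text] + '">' + name[text] + '</a>');
}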

We then refer to email addresses in our pages as

The whole example can be found here.

Further reading.

Project Honeypot

Spambot Beware

Win the SPAM Arms Race at A List Apart

Hey! This wasn't written by a pod of sea lions! It was written by , who does awesome work at Loud Dog, a digital branding firm in San Francisco that helps businesses express themselves authentically via identities, websites, and marketing collateral.
