SPAM-PROOF YOUR WEBSITE EMAIL ADDRESS IN TWO SIMPLE STEPS
Spam: A serious and growing problem.
In 2001, 8% of the email sent was spam. In 2008, according to industry experts, 64% to 85% of all email sent
is spam. Spam is a huge productivity drain on
business. The current popular tool for fighting spam is the spam filter. Spam
filters have proved to be a necessary but imperfect tool in the war on spam. The problem is
that spam filters often let some spam through, and worse, sometimes filter
legitimate email. What is the cost of one or two lost sales a month because of
an overzealous spam filter? A better solution to fighting spam is to keep
your email addresses off of the spam lists.
Where does spam come from?
According to a
2003 Center for Democracy & Technology (CDT)
study, the majority of spam comes from email addresses harvested off the
internet. “Spam-bots” (also known as email harvesters and email extractors) are
programs that scour the internet looking for email addresses on any website they
come across. Spambot programs look for “myname@mydomain.com” and then
record any addresses found into the spammer’s database.
Several companies sell
Spambot programs. They can be purchased for as little as $40, and most
companies offer free limited-feature demo programs. Anyone with an internet
connection can use one. Spambot programs can do a general search, or can be
told to look at specific websites, or, for example, can be targeted to do a
Google search for “senior living” and then examine the first 10,000 websites
they find. They can follow the links in websites to find other websites. If
your website hasn’t been found by the spambots yet, it will be.
Should I worry?
Yes. The Federal Trade
Commission (FTC) did a study in 2002 in which they posted different newly created “undercover”
email addresses on various websites. They found that within six weeks, 86
percent of the posted email addresses were receiving spam.
How to avoid being spammed.
STEP ONE: Encode your HTML (myname@mydomain.com).
The key to not having your email “harvested” is to encode or
disguise your email address so the spambots don’t recognize it. You can
accomplish this quite simply by converting part of your HTML to Unicode, a universal "symbol-based" language that uses numbers to represent
different characters (i.e. "a" is "&#97;" and "@" is "&#64;").
Modify your HTML as shown below, changing "@" to "&#64;" and "." to "&#46;". Substitute your name and domain name,
of course.
find all occurrences of
<a href="mailto:myname@mydomain.com">myname@mydomain.com</a>
and replace with
<a href="mailto:myname&#64;mydomain&#46;com">myname&#64;mydomain&#46;com</a>
We tested several demo-version email harvesting
programs and found that changing the "@" and "." to their Unicode equivalents
was sufficient to fool the spambots. However, if you want to convert your
entire email address to Unicode, you can use our
text-to-Unicode converter.
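The converter the article links to is not reproduced on this page, so here is an added example of the same encoding written from scratch (it is not the article's own converter). It turns an address into HTML decimal numeric character references, either for every character or only for "@" and "." as in the find/replace above, builds the complete mailto link, and decodes the result to confirm the round trip is lossless. The address used is a constructed sample; browsers decode "&#64;" back to "@" both in visible text and inside the href attribute, which is why the link keeps working.

```javascript
// Added example, not the article's own text-to-Unicode converter: encode an
// e-mail address as HTML decimal numeric character references (the "Unicode"
// encoding the article describes). Browsers decode "&#64;" back to "@" both in
// visible text and inside the href attribute, so the mailto: link still works.

// Plain ASCII address shape; anything else is rejected before encoding.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// mode "all": encode every character (the converter's full encoding).
// mode "symbols": encode only "@" and ".", the two substitutions the article
// found sufficient against the demo harvesters it tested.
function encodeEmail(address, mode = "all") {
  if (!EMAIL_RE.test(address)) {
    throw new Error("not a plain e-mail address: " + address);
  }
  return Array.from(address, (ch) =>
    mode === "all" || ch === "@" || ch === "."
      ? "&#" + ch.codePointAt(0) + ";"
      : ch
  ).join("");
}

// Complete <a href="mailto:..."> markup with both the link target and the
// visible text encoded, matching the find/replace in step one.
function mailtoMarkup(address, mode = "all") {
  const enc = encodeEmail(address, mode);
  return '<a href="mailto:' + enc + '">' + enc + "</a>";
}

// Decode decimal references the way a browser does (used to verify round trip).
function decodeNumericRefs(text) {
  return text.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Encoding must be lossless: what the human reader sees is the real address.
function roundTrips(address, mode = "all") {
  return decodeNumericRefs(encodeEmail(address, mode)) === address;
}

// Stand-alone usage with a constructed sample address.
if (typeof require !== "undefined" && require.main === module) {
  console.log(mailtoMarkup("myname@mydomain.com", "symbols"));
  console.log(mailtoMarkup("myname@mydomain.com", "all"));
  console.log("round trip ok:", roundTrips("myname@mydomain.com"));
}
```

The "symbols" mode reproduces exactly the two substitutions shown above; the "all" mode is what the article calls converting the entire address. Both keep the address clickable because the encoding lives only in the HTML source, not in what the browser renders.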
There are several other methods of hiding your email address, each with
advantages and disadvantages. One method, for example, is to use
javascript to disguise
your email address, but doing so limits the ability of visitors without
JavaScript-enabled browsers to email you. Whatever method is used, one should
consider that any email address that
can be seen by a visitor, can also potentially be seen by a spammer. No method should
ever be
considered completely guaranteed, and thus one should always also implement step two.
STEP TWO:
Use “disposable” contact email addresses on your website.
Do not use your primary
email addresses (i.e. “sales”, “info”, or “yourname”) on your website. Instead,
use a disposable contact email address, such as contact-us@mydomain.com,
contactus@mydomain.com, or contact04@mydomain.com. When new customers email you, reply to them with
your primary email address. If your disposable website email address is ever compromised
by a spammer,
you can then simply replace it with a new one, and set your email spam filter to delete any
future mail to the compromised address. If previous customers need to email
you, they most likely will check their email program’s inbox and reply to the primary
address that you used to respond to their initial inquiry, or they will go to
your website where they will see your current disposable contact email address.
Does Unicode email encoding stop spam?
In the CDT study cited above, email addresses that were encoded with Unicode
never received any spam. Our own experience is the same. We launched our business website,
Pinnacle Displays, in
1998. Within 2 years, business was booming, but so was the volume of spam we
were receiving. We came across the Unicode tip somewhere on the internet, and
implemented it. We also placed new, disposable contact email addresses on our
website. In the last four years, we have never received any spambot-generated
spam on our new email addresses.
Will the spambots learn to read Unicode in the future?
Probably not, since
there is little incentive. Analyzing HTML for Unicode and then decoding it
would require more computational power and would slow the spambots down. There
really wouldn’t be much benefit to the spambots, since the vast majority of
websites have not encoded their email addresses. Based on our own experience
and informal calculations, over 90% of websites have unprotected email
addresses.
Just for giggles, we
checked the “experts” by going through the DMOZ directory for “Email:
Spam Prevention”. Of the 29 websites listed, 2 were dead links, 3 used forms
for contacting them, 1 used javascript to mask their addresses, 1 used Unicode
to mask their addresses, and 22 had unprotected email addresses. But of
the 5 that attempted to protect their email addresses, 4 still had unprotected
addresses on their sites. Thus, of 27 working websites, 26 had unprotected
email addresses! If you encode your website’s email addresses, you’ll be
doing better than 96% of the experts.
In conclusion...
1) If you don't do anything to protect your email address, it most likely
will be spammed. In the 2002 FTC study, 86% of their new unprotected addresses were being
spammed within six weeks.
2) There are several ways to disguise your email address - Unicode is one simple
and effective method. However, no solution is guaranteed. Any email address that can be obtained
by a visitor could also potentially be obtained by a spammer.
3) Because no solution is guaranteed,
always use a
disposable contact email address on your website that you can then discard if it is
ever compromised by a spammer.
2015 UPDATE
I wrote the above article back in 2004, and then updated
it in 2008. Since then, I've created a few other websites and have always used unicode to protect any
email addresses on the websites. Spam from website email
harvesters has never been a significant problem. Then in 2013, I
created a small personal website for a project I was working on. I worked on the
site for a month and then got side tracked. About a year later (in 2014) I went to check on it and
logged into the email account I had set up for it, and was stunned to find the
account loaded with spam email! At last count, it was getting 20 to 30 spam
emails a day. All of the spam was being sent to the contact email
address posted on the website. When I looked at the website, I was embarrassed
to discover that I had neglected to protect the email address with unicode. The
website in question is pretty darn obscure. Although it can be found in Google, it gets
very few visits. And yet the spambot email harvesters found the site and
harvested the contact email, and started spamming it. The lesson is that spambot email
harvesters are still stalking the internet, and if your email address is out
there and isn't protected, it will be found, and it will be spammed.
Now some of you might be saying, well, so what? That's what
email spam filters are for! I agree that spam filters are a life-saver, but I
found both personal and business emails in my own email spam folders. Fortunately
I don't get that much spam so I'm able to check and retrieve the legitimate
emails, but it can mean a delay in finding and responding to legitimate emails,
or if you get too much spam, going through the spam folder can become
impractical, and legitimate emails can be discarded. I also see some spam email still slip through the filters, and
personally, getting spam email annoys the heck out of me. I also regularly get
spam emails that contain virus attachments and that try to trick me into opening
them. Spammers are getting better at impersonating legitimate businesses, and a
less than careful reader can inadvertently click the wrong link. Spam isn't just
annoying, it can be dangerous. It's so easy to
protect your email address and stop the spambots from ever harvesting your email
address in the first place, that it just
seems the right thing to do. Continue to use a spam filter of course, but cut down on
the sheer amount of spam in the first place.
Based on my own embarrassing episode above of getting spammed on
an accidentally unprotected email address, I decided to expand and update this
article both to explain what current options there are for protecting your
website email address, and to discuss the benefits and drawbacks to each option,
and how effective each method probably is. I
did a bit of internet research, and the most recent study I found was by a
German blogger (who I was able to read thanks to Google translate), who ran a
one year test in 2011 posting on his blog an unprotected email address, as well
as addresses protected with unicode, javascript, and css. At the end of a
year, the unprotected address had received 911 spam emails, while the unicode,
javascript, and css protected addresses all received NO spam emails at all! His
2011 test would indicate a little protection goes a long way! Other older
studies I found indicated that some of the protection methods were not
completely effective, but were still highly effective.
METHODS FOR PROTECTING (OBFUSCATING, MUNGING) YOUR WEBSITE EMAIL ADDRESS 2015
I've listed below various methods for preventing the spambot
email harvesters from reading and harvesting your email address. The basic idea
is to make your email address unreadable to the spambots (which is also called
email munging or
email obfuscating, as in to munge or mung your email address or to obfuscate your email
address). The key is to keep the email harvester program
from reading your email, but to allow a human to read your email address. Some
email-munging methods maintain a clickable "mailto:" link so your human visitor
can simply click on your email address, while other methods are much less user
friendly and require a visitor to read and then retype your email address into
their email program.
1. Complete unicode obfuscation. Convert your entire email
address to unicode in your html as discussed in article above.
Effectiveness: probably good.
Simple to implement using unicode converter/encoder above. Just be sure to also
use a "disposable" email address. If your address is ever compromised and you
determine it has been harvested, then you can switch to a new disposable email
address and use a higher level of protection as discussed below.
Disadvantage: None. Completely user friendly. Email address is clickable. Human
visitor should be unaware email is protected.
2. Replace @ with "at"
Example: joe at nospamforjoe.com
Effectiveness: probably ok to start as long as you use a disposable email
address in case it is compromised, and certainly better than nothing.
Disadvantage: Email address is not clickable.
Human visitor can cut, paste, and fix email to make it work. Pretty
straightforward, but not completely user friendly.
3. Replace @ with "(at)"
Example: joe (at) nospamforjoe.com
Effectiveness: may be slightly better than #2 above.
Disadvantage: Email address is not clickable.
Human visitor can cut, paste, and fix email to make it work. It may be more
effective than method #5, but also could be more confusing. Fairly
straightforward, but not completely user friendly.
4. Minimal unicode obfuscation. Replace @ only with "&#64;" in html.
HTML sample code:
<a href="mailto:joe&#64;nospamforjoe.com">joe&#64;nospamforjoe.com</a>
Example: joe@nospamforjoe.com
Effectiveness: probably ok to start as long as you use a disposable email
address in case it is compromised, and certainly better than nothing.
Disadvantage: None. Completely user friendly. Email address is clickable. Human
visitor should be unaware email is protected.
5. Partial unicode obfuscation. Replace e@n with "&#101;&#64;&#110;" in html.
Alternative is to convert entire address to unicode.
HTML sample code:
<a href="mailto:jo&#101;&#64;&#110;ospamforjoe.com">jo&#101;&#64;&#110;ospamforjoe.com</a>
Example: joe@nospamforjoe.com
Effectiveness: probably good.
Simple to implement using unicode converter/encoder above.
Disadvantage: None. Completely user friendly. Email address is clickable. Human
visitor should be unaware email is protected.
6. Use a logic test/instructions to change a non-working
email address to a working email address.
Example: x@nospamforjoe.com
(change "x" to "joe")
Effectiveness: probably extremely high and should defeat all spambot computer
programs.
Disadvantage: requires your human visitor to change the email address to make it
work. They could miss the instruction to change the address, or make a mistake
doing it. Not completely user friendly.
7. Use javascript to unscramble an otherwise munged email address.
HTML sample code:
<script type="text/javascript">
// The address is assembled by the browser when the page loads, so the
// complete string never appears in the HTML source that a harvester downloads.
var name = 'user';
var at = '@';
var domain = 'domain.com';
document.write(name + at + domain);
</script>
Example:
Effectiveness: probably very good unless the spambot computer program reads
javascript.
Disadvantage: requires your human visitor's browser to read javascript,
otherwise the email address won't display. Email address is not clickable. Not completely user friendly.
8. Use css to un-reverse a munged (reversed) email address.
HTML sample code:
<span style="direction: rtl; unicode-bidi: bidi-override;">eojrofmapson@eoj</span>
Example: eojrofmapson@eoj
Effectiveness: probably very good unless the spambot computer program reads
css.
Disadvantage: A cool idea. Your email address is backwards (i.e. moc.321zyx@eoj),
which is what the spambot should see, but then the css command displays it in
reverse (joe@xyz123.com), so it is now correct. Although it's a cool idea, I wouldn't use it.
It requires your human visitor's
browser to display css properly,
otherwise the email address will be backwards. The email address is not clickable.
If you try to cut and paste the address it is still backwards, thus you must re-type
the address to use it, with a possibility of making a mistake. Not user friendly.
9. Change your email address into an image.
Example:
Effectiveness: probably very high. There are image-reading programs available,
but I doubt the spambots are using them.
Disadvantage: kind of a pain to implement (that is, you need to create the
image), and your human visitor will have to read and
then retype (and hopefully not misspell) your email address. Whether or not it
works, I think this is a
BAD solution.
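The DMOZ spot check earlier in the article (four of the five "protected" sites still had a plain-text address somewhere) shows that the real risk is an address left unencoded by accident, which is also what happened with the 2013 site. Here is an added example, not from the article, of a small self-audit you can run over your own page's HTML: it lists every address a plain-text pattern can read directly, and separately the addresses that only become readable after decimal and hex character references are decoded. The sample HTML is constructed for the example and is not a real site; the regular expression is a deliberately simple address pattern, not a harvester.

```javascript
// Added example, not from the article: audit your own page's HTML for e-mail
// addresses that are still readable in plain text, the situation the article
// found on four of the five "protected" DMOZ sites. An address counts as
// protected only if it never appears in plain form anywhere in the markup.

// Plain-text address shape, as a simple pattern search over the source sees it.
const PLAIN_EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Decode decimal (&#64;) and hexadecimal (&#x40;) character references as a
// browser would, so encoded addresses can be compared with plain ones.
function decodeCharRefs(html) {
  return html
    .replace(/&#[xX]([0-9a-fA-F]+);/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Distinct addresses matching the plain pattern, sorted for stable output.
function uniqueAddresses(text) {
  return Array.from(new Set(text.match(PLAIN_EMAIL) || [])).sort();
}

// Returns { unprotected, protected }: addresses a plain-text pattern can read
// directly, versus addresses that only surface after references are decoded.
// Addresses written "name at domain" match neither pass and are not reported.
function auditEmailExposure(html) {
  const unprotected = uniqueAddresses(html);
  const decoded = uniqueAddresses(decodeCharRefs(html));
  const protectedOnly = decoded.filter((addr) => !unprotected.includes(addr));
  return { unprotected, protected: protectedOnly };
}

// Constructed sample page (not a real site): one fully encoded address, one
// with only "@" encoded in hex, one written "at" style, and one plain-text
// address overlooked in the footer.
const SAMPLE_HTML = [
  '<p>Contact: <a href="mailto:&#106;&#111;&#101;&#64;&#110;&#111;&#115;&#112;&#97;&#109;&#102;&#111;&#114;&#106;&#111;&#101;&#46;&#99;&#111;&#109;">',
  '&#106;&#111;&#101;&#64;&#110;&#111;&#115;&#112;&#97;&#109;&#102;&#111;&#114;&#106;&#111;&#101;&#46;&#99;&#111;&#109;</a></p>',
  '<p>Sales: <a href="mailto:sales&#x40;nospamforjoe.com">sales&#x40;nospamforjoe.com</a></p>',
  '<p>Support: support at nospamforjoe.com</p>',
  '<footer>Webmaster: webmaster@nospamforjoe.com</footer>',
].join("\n");

// Stand-alone run over the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const report = auditEmailExposure(SAMPLE_HTML);
  console.log("unprotected:", report.unprotected);
  console.log("protected:  ", report.protected);
}
```

Run it against the saved HTML of each page on your site before it goes live and after any edit; anything listed under "unprotected" is exactly what the 2013 site had, a contact address sitting in the source in plain text. The "at"-style address is invisible to both passes, which is the point of that method, so check those by eye.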
CONCLUSION AND RECOMMENDATION 2015
1. You should protect any email address you post on the internet. Why invite
unnecessary spam? Don't make yourself rely too heavily on email spam filters and
potentially miss important emails, or get spam emails carrying obnoxious or
damaging computer viruses. Protect your email address!
2. At least use unicode obfuscation in your html or simply write your address as
[name at domain.com]. Both methods are very simple to implement, and should drastically
cut down on spam. I prefer unicode obfuscation since you still have a clickable
email address for your human visitors.
3. Also use a "disposable" email address on your website, such as [contact.14@nospamforjoe.com].
In the event the address is compromised, you can simply change it to [contact.15@nospamforjoe.com]
and turn off the old email address.
Just don't use the disposable email address to email people as they may then store it in their
address books. Only use the disposable email address for initial contacts from your website.
4. If you use unicode obfuscation (and use a disposable email address of course)
and you determine that a spambot has still managed to harvest your website
contact email address, then pick a new disposable contact email address for your
website (turn off the old one) and encode it with one of the methods above that
should have a higher level of effectiveness, such as a combination of javascript
and unicode obfuscation.
LORD NEFARIOUS, THE EVIL EMAIL-HARVESTING SPAM-BOT!
Lord Nefarious (named after Lord
Business from the Lego Movie) is the diabolical
email harvester spambot created by my slightly Lego-obsessed 9-year-old son
Jack. Feel free to use his image in the fight again spam, just please include an
image credit link back to this page (http://www.pinnacledisplays.com/unicode-converter.htm),
giving credit to the artist and creator, Jack Peterson.