
Address munging to prevent email harvesting



I have been toying with several methods: the server-side scripting method, the address character replacement and a few others. I started doing this because on the very first day of my site I started getting spam sent to a stories email address where I requested customer stories.

I had no idea harvesting sniffers were so quick to find an address on my little out-of-the-mainstream site.

 

I have not really made up my mind or been able to really establish which is the better or best method.

 

What are you using and how is it working for you?

 

Thanks


This happens all the time. I am surprised at the amount of emails I seem to send to myself trying to sell myself all sorts of things.

Most spam software can identify these

If this was not in place I would be receiving somewhere in the region of several thousand each day

A trick I have is to update the active email on a regular basis

Any emails to the old email address then go straight to the blackhole / delete / discard or, where I know I do not want such emails, the non-responder (as if the domain name did not exist any more).


Most spam software can identify these

If this was not in place I would be receiving somewhere in the region of several thousand each day

A trick I have is to update the active email on a regular basis

Any emails to the old email address then go straight to the blackhole / delete / discard or, where I know I do not want such emails, the non-responder (as if the domain name did not exist any more).

Yes, they don't get through to my mail client, but they are usually sitting in webmail even with filters etc.


There are numerous tricks for obfuscating an email address; some of them use JavaScript, some use other methods such as the image method as described above. The best way to avoid spam from harvesters is simply don't display an email address at all. If you really must display an email, then do it in a way that won't allow a harvester to bother you.

A form is an option. In this way you can ensure they provide their email address, to which they need to click a link or enter a code, whichever you choose really; only once verified in this way does the form get sent to your email address.

It could be three emails to send: one to validate, then one to you and one to the submitter if you really do want to provide them with an email to contact you at. But to be fair, the best way would be to reply to the email your system sends to yourself if it isn't spam. That way they will never have your email if they are spammers.


Thanks everyone, great stuff. Yeah, I have been using the JavaScript method and I think if I had not posted the email in the first place then maybe I would not be on their list. It has seemed to work somewhat. I have been using Horde with filters but still get the emails; they are just marked as spam. I don't believe any of the cPanel mail util interfaces are really that good, just very basic.


I'd recommend using a server-side method to convert the email address over to ASCII character codes. They will be completely visible in a browser, but most email scrubbing scripts won't find them. Here's a quick little function to convert strings:

function toHTMLChars($str) {
   // Encode each character as a decimal HTML entity, e.g. "a" becomes "&#97;".
   $ret = '';
   $split = str_split($str);
   foreach ($split as $char) {
       $ret .= '&#'.ord($char).';';
   }
   return $ret;
}

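Added example, not part of the post above or of WHMCS: a PHP self-audit that applies the same entity encoding to a constructed page and compares a plain-text address scan with one that decodes entities first. `mungeEmail()`, `findExposedEmails()` and the example.com addresses are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). mungeEmail() mirrors the poster's
// entity-encoding idea; findExposedEmails() is a hypothetical audit helper.

/** Encode every byte of $str as a decimal HTML entity (&#NNN;). */
function mungeEmail(string $str): string
{
    $ret = '';
    foreach (str_split($str) as $char) {
        $ret .= '&#' . ord($char) . ';';
    }
    return $ret;
}

/**
 * Return the addresses found in $html. With $decode = true the markup is
 * passed through html_entity_decode() first, as an entity-aware scanner would.
 */
function findExposedEmails(string $html, bool $decode): array
{
    if ($decode) {
        $html = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    preg_match_all('/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/', $html, $m);
    return array_values(array_unique($m[0]));
}

// Constructed sample page: one plain address, one entity-encoded address.
$page = '<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>'
      . '<p>Stories: ' . mungeEmail('stories@example.com') . '</p>';

$plainScan  = findExposedEmails($page, false);
$decodeScan = findExposedEmails($page, true);

echo "Plain-text scan:   ", implode(', ', $plainScan), PHP_EOL;
echo "Entity-aware scan: ", implode(', ', $decodeScan), PHP_EOL;

// Addresses found only after decoding rely on the encoding alone for cover.
$onlyEncoded = array_diff($decodeScan, $plainScan);
echo "Protected only by encoding: ", implode(', ', $onlyEncoded), PHP_EOL;
```

Any address in the last line of output is hidden only from scanners that skip entity decoding, which is the limit of this technique.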

I'd recommend using a server-side method to convert the email address over to ASCII character codes. They will be completely visible in a browser, but most email scrubbing scripts won't find them. Here's a quick little function to convert strings:

function toHTMLChars($str) {
   // Encode each character as a decimal HTML entity, e.g. "a" becomes "&#97;".
   $ret = '';
   $split = str_split($str);
   foreach ($split as $char) {
       $ret .= '&#'.ord($char).';';
   }
   return $ret;
}

 

Nice share. For now at least this should work, but it seems the more we attack these harvesters, the better they get at harvesting, so these methods (well, to be honest, all methods) only have limited lifespans, and to be honest, unless you are simply testing all emails and dumping the ones that are spam, there isn't a suitable way to avoid spam.

The only way I can see around this is a zero-tolerance policy. Basically every mail coming to the server is junked, doesn't matter who or where they are from, then you whitelist known safe emails. You would have to allow one email address to be deliverable in WHMCS's case: sales emails can come from anywhere and, well, you can't just junk all those emails; you would without a doubt lose any kind of credibility you may have. But all the ticket support departments can be, especially if you only allow known clients.

This brings me to a possible feature request whereby WHMCS adds the client email address of paid clients to the whitelist. This would be, in my view, an unbeatable spam system, and at worst, you get spammed by one of your own clients, but they paid you so you can easily shut them down and report if need be; you know who they are.

I operate this exact sort of policy on my Hotmail account: junk everything and then whitelist what I want. Of course junk checking is required at the beginning, but in time you can just forget about the junk and have the system take care of it.

Edited by disgruntled
