I've come across so much free software and so many great online resources that I felt a need to organize them somewhere. Hopefully what I've found can be of use to you too.

Putting Your Email Online Without Getting Spammed to Death

If you've ever had a website on which you've linked an email address, if you've left an email address on an online guestbook, or if your email is available in your online profile on an insecure discussion board or other list, chances are that you've received droves of unsolicited email at that address. Spam.

This is because at any given time, there are thousands of computer programs collectively known as "bots" surfing the web. Some bots are good, such as the spiders used by search engines. They collect info from web pages that is presented to users in their searches. But there are also spambots, which crawl around the net looking for email addresses. These are collected into a database, and unsolicited emails are sent to those addresses.

So how can you prevent bots from getting your email address? A list of methods follows, from easiest to most complex.

Method 1: Change the text
Changing the text of the mail address and not using a mailto link can be very effective in stopping spambots. If your address is joe@fakedomain.com, changing it to joe AT fakedomain DOT com or joe @ fakedomain.com or joeREMOVE@fakedomain.com won't stop people from mailing you, but anything but a very sophisticated bot won't know that the word REMOVE isn't part of the mail address.

Pros:

  • Simple and easy
  • Adding REMOVE, NOSPAM, or other such text should be quite effective

Cons:

  • All but the most basic spambots can probably successfully bypass use of "AT", "DOT", and spaces
  • In time, I'd imagine that they will be able to parse out the most commonly added words, perhaps including REMOVE, REMOVEME, and/or NOSPAM

Test: catcher1REMOVE@greghowley.com
Hits: 0
Method 2: HTML Entities
HTML Entities are the codes that allow you to use characters such as © and ½ by typing codes like &copy; and &frac12;. Entities begin with an ampersand and end with a semicolon. One of the best listings I've found is here, but you can find dozens of listings online. Spambots generally read the raw HTML of a page, so by encoding an email address with HTML Entities, you can fool them. You can find online tools to do this here, here and here. Another similar method is the usage of hex encoding. A French website called neokraft.net has a tool which you can easily use to do the encoding. They've also released the (very simple) source under a Creative Commons license. Honestly, I don't know if something this simple should be copyrightable, but it's no worse than Microsoft's copyright on the double-click.
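A small encoder for this method, added here as an illustration (it is not the neokraft.net tool or any encoder linked from this page). The function names `encodeEntities` and `mailtoLink` are made up for the example, and the sample address is the one used in Method 1.

```javascript
// Added example: encode an address as HTML numeric character references.
// encodeEntities and mailtoLink are illustrative names, not from any cited tool.

// mode: "dec" -> &#106;   "hex" -> &#x6a;   "mixed" -> alternates by position
function encodeEntities(text, mode = "dec") {
  let out = "";
  let i = 0;
  for (const ch of text) {              // iterate by code point
    const cp = ch.codePointAt(0);
    const useHex = mode === "hex" || (mode === "mixed" && i % 2 === 1);
    out += useHex ? `&#x${cp.toString(16)};` : `&#${cp};`;
    i++;
  }
  return out;
}

// Build a mailto: anchor in which neither the href nor the link text
// contains the raw address, the "@" sign, or the literal string "mailto:".
function mailtoLink(address, mode = "mixed") {
  // Reject input that could break out of the attribute or is not user@host.
  if (!/^[^\s@<>"]+@[^\s@<>"]+$/.test(address)) {
    throw new Error("not a plain user@host address: " + address);
  }
  const href = encodeEntities("mailto:" + address, mode);
  const label = encodeEntities(address, mode);
  return `<a href="${href}">${label}</a>`;
}

// Sample address taken from Method 1 on this page.
const sample = mailtoLink("joe@fakedomain.com");
console.log(sample);
```

A browser decodes the references before rendering, so visitors see a normal clickable address; the encoding only changes what appears in the raw page source.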

Pros:

  • Includes an actual mailto: link
  • Seems to be very effective, given its simplicity
  • Easy to do if you use an encoder

Cons:

  • This technique is so common that in time, people will devise spambots that can bypass it, if they already have not. Hex encoding should be slightly better.
  • Manual coding of entities can be tedious

Test: catcher2@greghowley.com
Hits: 0
Method 3: Use an Image
Inserting an image that looks just like text will show site visitors your email while hiding it entirely from any bot viewing the source.

Pros:

  • Should be very effective, as the text is completely invisible from within the page source

Cons:

  • True or not, I have heard that newer email harvesting bots have image-recognition capabilities
  • Creating an image takes time, and the image is not able to be dynamically changed, colored or styled unless it is php-generated

Test:
Hits: 0
Method 4: Javascript
There are a number of ways in which you can use javascript or another client-side scripting language to hide your email address. Here is the most popular.
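<script type="text/javascript">
// The address is assembled at run time, so neither the literal "mailto:"
// string nor the complete address appears in the page source.
var contact = "catcher4";        // link text shown to the visitor
var addr = "catcher4";           // part of the address before the @
var domain = "greghowley.com";   // part of the address after the @
document.write('<a href="' + "mail" + "to:" + addr + "@" + domain + '">' + contact + "</a>");
</script>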

Pros:

  • Recognised as one of the most effective countermeasures, as spambots do not execute scripts
  • Allows usage of a mailto: link

Cons:

  • Many users choose to disable scripting in their browser
  • Some browsers, such as those in cell phones, PDAs, or other text browsers such as Lynx do not recognise javascript

Test:
Hits: 0
Method 5: CSS Reversal
Using CSS, you can reverse text so that it displays right-to-left. Why you'd want to do this is beyond me, but it is useful in hiding email addresses. First, type your email address backwards. gwbush@whitehouse.gov would turn into vog.esuohetihw@hsubwg. Next, apply two styles. First, "unicode-bidi:bidi-override;" and secondly "direction:rtl;" The end result should look like this, if applied in an inline style: <span style="unicode-bidi:bidi-override;direction:rtl;">vog.esuohetihw@hsubwg</span> Try selecting & copying the example below and pasting it in elsewhere!

Pros:

  • Seems very effective
  • May be combinable with other methods to create a usable mailto: link - I haven't tried

Cons:

  • Users cannot copy & paste the address into their email
  • Some browsers may not support this CSS
  • Spambots will likely find a way around this at some point

Test: moc.yelwohgerg@5rehctac
Hits: 0
Method 6: Hiveware Enkoder
Automaticlabs.com has come up with a javascript method even more devious than method 4, using CDATA. You can view their encoder at www.automaticlabs.com/enkoderform/. The output result is complete garbage. Just beautiful.

Pros:

  • Until spammers come up with a fully javascript-capable email harvester, this will continue to be 100% effective
  • Easy to do using the encoder

Cons:

  • Like example four, javascript-incapable browsers and users who disable scripting will not see the email address
  • Very difficult to change without Automaticlabs.com's tool

Test:
Hits: 0
Method 7: Form Mail
Another option is to write code or install prewritten code for form mail. This is one of the two methods I use on this site, as you can see if you visit my contact page. Personally, I use php, which is very easy, but there are other methods using CGI, ASP, and many other languages.

Pros:

  • If you know server-side scripting, this is very easy, especially using php's mail() function

Cons:

  • Only usable by those familiar with form design and server-side scripting
  • It is possible for bots to submit forms, and although this will not get them your address, it will send an email.

no test
Method 8: Detect the user agent, referrer string, or cookie use

This is best done as a server-side script. Detecting one or more of these things can weed out many email harvesters, as bots generally do not accept cookies and do not pass referrer strings or user agents. All can be obtained in php from the $_SERVER variable.

A referrer string will tell you from what page the browsing visitor linked to yours. Since spambots do not pass referrer strings, you can check to be sure that the referring domain is your own before you provide an email address. In php, the variable to check would be $_SERVER["HTTP_REFERER"]. On my page, if the referring domain is not my own, I will not provide a link to my contact page. Instead, I provide a link to a spam-trap script I've written.

A cookie is a small text file stored on your machine which allows you to save information, often between site visits. This is the way in which some sites log you in automatically when you visit them after signing up. Scripts can detect whether or not a browser will accept cookies - a php method is available at us2.php.net/set-cookie under the 05-Feb-2004 11:31 post. I chose not to use this method on my site when I realized that this cookie-detection method prevents search engine spiders from indexing my site.

A browser passing a user agent is allegedly telling what browser it is. Your full user agent string is CCBot/1.0 (+http://www.commoncrawl.org/bot.html). A very good listing of known user agents can be found here. In general, if a user agent contains "mail", then it's a spambot.
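The referrer and user-agent checks described above, sketched as an added example in JavaScript for a Node-style server rather than the author's PHP (which is not shown on this page). `classifyRequest` and `OWN_HOST` are hypothetical names, `example.org` stands in for your own domain, and the sample requests are constructed.

```javascript
// Added example: decide whether to reveal the contact link (Method 8).
// Both headers are client-supplied, so this filters careless bots only.

const OWN_HOST = "example.org"; // placeholder for your own domain

function classifyRequest(headers, ownHost = OWN_HOST) {
  // Node lower-cases header names; the HTTP header is spelled "Referer".
  const ua = (headers["user-agent"] || "").trim();
  const referer = (headers["referer"] || "").trim();
  const reasons = [];

  if (ua === "") reasons.push("no-user-agent");
  else if (/mail/i.test(ua)) reasons.push("ua-contains-mail");

  let refHost = null;
  try {
    if (referer) refHost = new URL(referer).hostname.toLowerCase();
  } catch {
    refHost = null; // an unparseable Referer is treated as foreign
  }
  // Compare the parsed hostname. A substring test on the raw header would
  // also accept hosts such as example.org.attacker.test.
  const sameSite = refHost !== null &&
    (refHost === ownHost || refHost.endsWith("." + ownHost));
  if (!sameSite) reasons.push(referer ? "foreign-referer" : "no-referer");

  return { showContact: reasons.length === 0, reasons };
}

// Constructed sample requests.
const samples = [
  { "user-agent": "Mozilla/5.0 (X11; Linux x86_64)", referer: "http://example.org/about.html" },
  { "user-agent": "ExampleMailBot/1.0", referer: "http://example.org/" },
  { "user-agent": "Mozilla/5.0 (X11; Linux x86_64)", referer: "http://example.org.attacker.test/" },
  {},
];
for (const h of samples) console.log(JSON.stringify(classifyRequest(h)));
```

Requests that fail a check can be given the form-mail page or a trap link instead of the address. Search engine spiders usually send no referrer, so apply this only to the contact link and not to whole pages.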

Pros:

  • Little-used enough to be effective
  • Even sophisticated spambots are unlikely to accept cookies

Cons:

  • Many people disable cookies in their browsers
  • Many newer email harvesters will fake a mozilla-compliant user agent
  • If not careful, you may hide your pages from search engine spiders or legitimate unknown browsers
  • Careless use of referrer strings can prevent people from externally linking to your pages

no test
A final word about email harvesters

Note that bots are not the only way in which spammers can get your email address. A while back, I was using greg@swingmonkey.com for my primary email address. I was careful not to post it online, not to use it for any online transactions, and I only emailed friends and family from that account. Still, I eventually got spammed so hard that I had to stop using the account. How? Dictionary Spamming. Sometimes, spammers will pick a domain and spam any address they can think of. Bill@thisdomain.com, Henry128@thisdomain.com, Joe_Smith@thisdomain.com, etc... That happened to me at swingmonkey. So when picking an address, you're probably better off picking FDMiller@mysite.org than Fred@mysite.org.

Some very good anti-spam sites are spam.abuse.net, Spambot Beware, and Neil Gunton's Spambot Trap. I especially like the SpamThis program.