WebProWorld Part of WebProNews.com
Page One Link To Us Edit Profile Private Messages Archives FAQ RSS Feeds  
 

Go Back   WebProWorld > Webmaster, IT and Security Discussion > Web Programming Discussion Forum
Subscribe to the Newsletter FREE!


Register FAQ Members List Calendar Arcade Chatbox Mark Forums Read

Web Programming Discussion Forum Working with an API? Developing a plugin? Writing a Mod or script for your favorite blog, Web 2.0 site or Forum? Welcome.

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 07-23-2007, 12:16 AM
WebProWorld New Member
 

Join Date: Oct 2005
Posts: 4
apalmer123@msn.com RepRank 0
Default Email spam bots - display name vs. actual email address

A webmaster that I thought was pretty knowledgeable insists that having the displayed text for an email hyperlink NOT be the actual email address reduces the amount of spam sent to that email.

I think that the bots are smart enough to get the email address from the anchor tag and that it doesn't matter what the displayed text says.

Anyone know the real truth?

Thanks!
Reply With Quote
  #2 (permalink)  
Old 07-23-2007, 12:38 AM
carpediem's Avatar
WebProWorld Pro
 

Join Date: Oct 2006
Location: StudioKraft Creative Services
Posts: 105
carpediem RepRank 2carpediem RepRank 2
Default Re: Email spam bots - display name vs. actual email address

Hi apalmer123,

My understanding is that the bots are looking for anchor tags with mailto: reference. As they are usually working for spammers, the context of the display links probably don't matter to the bot program.

We utilize javascript and a secured contact form in an attempt to prevent web bots from stealing e-mail addresses from our websites.

Hope that helps,

Danielle
__________________
MODPlug Central | Free Music Software
StudioKraft | Ecommerce Web Site Development
Reply With Quote
  #3 (permalink)  
Old 07-23-2007, 12:18 PM
wige's Avatar
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,722
wige RepRank 4wige RepRank 4wige RepRank 4wige RepRank 4
Default Re: Email spam bots - display name vs. actual email address

Out of curiosity, I downloaded a bot that was designed to harvest e-mail addresses and other text from web sites. The bots look at the source code of the page and pull out any string that looks like an e-mail address, regardless of whether it is a mailto: link, the link text or even plain text. The bot I played with was even smart enough to drop added nospam text and could convert "something at somewhere dot com" into "something@somewhere.com". The bot was also able to crawl SSL pages. The only method I have seen that worked against the bot was putting the e-mail address into an image that is not linked, or using a secure contact form.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
Reply With Quote
  #4 (permalink)  
Old 07-23-2007, 04:22 PM
RegDCP's Avatar
WebProWorld Pro
 

Join Date: Oct 2005
Location: Courtenay BC
Posts: 223
RegDCP RepRank 0
Default Re: Email spam bots - display name vs. actual email address

IMO the only safe way is having a captcha protected secure contact form.

Reg
__________________
http://DotCom-Productions.com Website Management
http://0Grief.com Budget PHP/MySQL hosting
Reply With Quote
  #5 (permalink)  
Old 07-23-2007, 04:36 PM
WebProWorld Member
 

Join Date: Feb 2005
Location: Albuquerque, NM
Posts: 32
wpriley RepRank 0
Default Re: Email spam bots - display name vs. actual email address

I've used a free application called E_Cloaker with good results for several years. You can download it at CodeFoot.com: Software: E Cloaker 2.0.

Wige, I would be curious if your bot picks up E-mail addresses encrypted with the above application.

Thanks.
__________________
Pat Riley
Reply With Quote
  #6 (permalink)  
Old 07-23-2007, 05:33 PM
wige's Avatar
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,722
wige RepRank 4wige RepRank 4wige RepRank 4wige RepRank 4
Default Re: Email spam bots - display name vs. actual email address

The bot I tested with had a decode option for unencoding, but it was off by default. This does look like at least a partially effective method. A bot would have no problem processing this code, but as it is not commonly used, the bot would more likely skip over it.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
Reply With Quote
  #7 (permalink)  
Old 07-23-2007, 05:50 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,607
deepsand RepRank 2
Default Re: Email spam bots - display name vs. actual email address

If you can read the source and at least deduce what is most likely an e-mail address, so can a bot.

Therefore, if you want to provide the user with on-site contact, use a secure form; if you want to provide for their e-mailing you, display the address as an image.

Be aware, though, that even images are not guaranteed to be unreadable by bots. By employing OCR, and building a database of observed CAPTCHA images and the corresponding proper characters, there have been bots available for some time now that serve as effective CAPTCHA decoders.
Reply With Quote
  #8 (permalink)  
Old 07-23-2007, 05:57 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,607
deepsand RepRank 2
Default Re: Email spam bots - display name vs. actual email address

Quote:
Originally Posted by RegDCP View Post
IMO the only safe way is having a captcha protected secure contact form.

Reg

Unfortunately, CAPTCHA is not 100% reliable.

By employing OCR, and building a database of observed CAPTCHA images and the corresponding proper characters, there have been bots available for some time now that serve as effective CAPTCHA decoders.

That is why some sites frequently change their library of CAPTCHA character strings; needless to say, these changes occur just about the time that human users have trained themselves to be able to reliably read them, leading to yet another round of pissed-off users!
Reply With Quote
  #9 (permalink)  
Old 07-23-2007, 06:07 PM
WebProWorld Member
 

Join Date: Jul 2003
Location: Philadelphia
Posts: 75
dean RepRank 0
Default Re: Email spam bots - display name vs. actual email address

If I did use mailto links, I would escape some of the characters in both the anchor tag itself and in the text. There may be some bots that can still grab the address, but I think it prevents at least some harvesting.
What I'm really surprised about is why more webmasters don't speak about the basic unuseability and annoyance factor of mailto links. Just guessing, I think that a rather large percentage of internet users only use web-based email. Most likely, the one they get from their ISP. Even geeks, I would think, use both a client and web-based mail with multiple addresses. I know that I don't like it when a link with unclear anchor text suddenly opens my email client. It's annoying.
Just curious, what would a captcha have to do with preventing email harvesting from a secure contact form? I assume a secure form means that there are no email addresses in the html code, among other things.
I'm also wondering why the OP has an email address as a forum name?
Reply With Quote
  #10 (permalink)  
Old 07-23-2007, 06:07 PM
WebProWorld Member
 

Join Date: Jun 2006
Location: Los Angeles
Posts: 60
itsdonny RepRank 0
Default Re: Email spam bots - display name vs. actual email address

This is a great email encoder here. The you can add your email to any page you want.

Mysterious Ways - Hide Email Addresses from Spam Harvesters
Reply With Quote
  #11 (permalink)  
Old 07-23-2007, 07:17 PM
holmpage's Avatar
WebProWorld Member
 

Join Date: Apr 2004
Location: Nova Scotia
Posts: 28
holmpage RepRank 0
Default Re: Email spam bots - display name vs. actual email address

This is the one I've been using for years: Hivelogic: Enkoder Web Form - it generates a long complex encoded mess in the source code, but looks normal in the browser. Seems to work quite well. Anyone else have experience with this one?
__________________
Heather Holm
Web Design: www.holmpage.com
Nova Scotia: www.NovaScotiaPhotoAlbum.com
Reply With Quote
  #12 (permalink)  
Old 07-23-2007, 09:44 PM
edhan's Avatar
WebProWorld Veteran
 

Join Date: Aug 2003
Location: Singapore
Posts: 524
edhan RepRank 1
Default Re: Email spam bots - display name vs. actual email address

Personally if you want to avoid email harvesting, I do believe that image will be the best. Of course there are other method like cloaking or encryption but using image is far more easy and straight forward to prevent such incident.
__________________
Receiving & Giving To Society
Thai Buddha Amulets & Tibetan dZi Beads | Ads Revenue Sharing | Shopping Online
Reply With Quote
  #13 (permalink)  
Old 07-24-2007, 03:02 AM
WebProWorld New Member
 

Join Date: Jul 2003
Location: Australia
Posts: 4
chaoley RepRank 0
Default Re: Email spam bots - display name vs. actual email address

The unicode solution has been working well for me for years, try this online email unicoding tool.

fantomas mailShield ver. 01.01.01-e
Reply With Quote
  #14 (permalink)  
Old 07-24-2007, 04:01 AM
WebProWorld New Member
 

Join Date: Jan 2006
Location: Salisbury, England
Posts: 13
simmo RepRank 0
Default Re: Email spam bots - display name vs. actual email address

alpamer123

Have you considered not using what looks like your full email address as your WPW username?

Seriously though, I use safemail. It is not particularly sophisticated but it seems to work. If you are at all familiar with java script, you could mess about with it more, maybe reverse the text of the names.

Here is the link:- FakeTP | Free Perl & PHP Scripts
__________________
Don't think outside of the box - get rid of the box.
Reply With Quote
  #15 (permalink)  
Old 07-24-2007, 09:50 AM
wige's Avatar
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,722
wige RepRank 4wige RepRank 4wige RepRank 4wige RepRank 4
Default Re: Email spam bots - display name vs. actual email address

One of the problems with images and captcha technology is usability. Visually impaired users can not view the text in an image and in many cases can not get past a CAPCHA form. I have not experienced spam coming through a secured form, and by secure I mean with no viewable e-mail address and extensive input validation.

I also think that obsfucating the e-mail address using some type of encoding is effective. It is not commonly done right now, so most bots don't waste the processing time to look for encoded e-mail addresses, but these addresses will still work in a text browser, with screen reading software, etc. Although I still think forms provide the best user experience because they keep the user on site and can be customized to ask the questions you need answers to that users might forget to answer in a freeform e-mail.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
Reply With Quote
  #16 (permalink)  
Old 07-24-2007, 10:12 AM
southplatte's Avatar
WebProWorld Veteran
 

Join Date: Jul 2003
Location: Colorado
Posts: 380
southplatte RepRank 1
Default Re: Email spam bots - display name vs. actual email address

Quote:
Originally Posted by deepsand View Post
Unfortunately, CAPTCHA is not 100% reliable.
Is any technology 100% reliable and hack proof?

As soon as a security or preventative technology comes out, the race is on to break it.
Reply With Quote
  #17 (permalink)  
Old 07-24-2007, 10:13 AM
southplatte's Avatar
WebProWorld Veteran
 

Join Date: Jul 2003
Location: Colorado
Posts: 380
southplatte RepRank 1
Default Re: Email spam bots - display name vs. actual email address

Quote:
Originally Posted by wige View Post
One of the problems with images and captcha technology is usability. Visually impaired users can not view the text in an image and in many cases can not get past a CAPCHA form.
Many sites now employ an auditory version of the captcha so that if a user cannot recognize or read the characters they can have them read to them.
Reply With Quote
  #18 (permalink)  
Old 07-24-2007, 10:22 AM
southplatte's Avatar
WebProWorld Veteran
 

Join Date: Jul 2003
Location: Colorado
Posts: 380
southplatte RepRank 1
Default Re: Email spam bots - display name vs. actual email address

Quote:
Originally Posted by apalmer123@msn.com View Post
A webmaster that I thought was pretty knowledgeable
Many web masters come across and pretty knowledgable - because they expect their clients to not be pretty knowledgable.

It is the same old addage of the auto mechanic selling you parts you don't absolutely need for the repair - they know how many average users do not know the internal parts of an engine or a suspension system and get away with it most of the time, until they try to pull it on someone who maybe knows a bit about cars, but does not work on them due to time or just a lack of desire to.

Years ago I had a guy want to partner with me for web design and programming - sure he talked the talk - acted like he knew what he was doing - but in all reality he didn't have the basic concepts of site design, development and publishing in his grasp - even though he had taken several courses on web design.

The other item to remember is many college text books exist on the subject of web design, and many of these courses are taught by teachers that normally teach business or graphic design courses - not what you would call the best line of instruction since many times the instructor only knows what the teacher prep courses and teacher guides tell them. Many times, with the fast pace of the web, the information contained in these books is 6-months to 2 years old and is often not the current mainstay in the industry based upon the amount of hacking, spam bots and such that exist and current threat trends. So he may have learned that linking email this was was more secure according to some text book written by a business degree holder teaching about e-commerce that had absolutely no clue about true web security other than the IT department and server admins make sure things are secure and you should make sure that you run SSL on your payment pages.
Reply With Quote
  #19 (permalink)  
Old 07-24-2007, 10:31 PM
WebProWorld Pro
 

Join Date: Nov 2006
Posts: 100
qh4dotcom RepRank 0
Default Re: Email spam bots - display name vs. actual email address

I use an image instead of text on my site to display a contact e-mail address...since spambots can't read images, it helps reduce spam.
__________________
You'll love this free traffic site...now it's getting me 4,000 targeted hits every day.
http://www.traffficswarm.com/wpw.html
Reply With Quote
  #20 (permalink)  
Old 07-25-2007, 04:04 PM
WebProWorld New Member
 

Join Date: Jan 2006
Location: US Virgin Islands
Posts: 8
prof611 RepRank 0
Default Re: Email spam bots - display name vs. actual email address

On all of my websites, I use an offpage javascript to insert the email address onto the page. This means that the address is not visible by bots, since they can only read the code, not the page as it appears to humans. The only thing visible in the code is:

<span id="mailTo"></span>

and the javascript inserts the mailTo link between the tags.

I know that people who have javascript disabled won't see anything, but that is a very small proportion of websurfers nowadays.

I don't know why noone else has thought of this solution, as it seems foolproof to me. The code is freely available at the website below.

Professor
Professor's Coding Corner
Reply With Quote
  #21 (permalink)  
Old 07-25-2007, 05:13 PM
syd syd is offline
WebProWorld New Member
 

Join Date: Oct 2005
Location: Stourbridge (UK)
Posts: 7
syd RepRank 0
Default Re: Email spam bots - display name vs. actual email address

A solution I have used is antispambotmailto(). This uses javascript to create an encoded mailto. It is very easy to use and is free.
It can be found at:
AntiSpambotMailto()
__________________
Syd
www.britishproductsdirectory.co.uk
Reply With Quote
  #22 (permalink)  
Old 07-26-2007, 02:19 AM
WebProWorld Member
 

Join Date: Jul 2006
Location: Oakland, CA
Posts: 45
holyhttp RepRank 0
Default Re: Email spam bots - display name vs. actual email address

To prevent bots from harvesting your email address there are 2 solutions I can think of.
- display your email as a graphic (no hyperlink mailto:....). Those who want to send you an email will mnake the effort of manually entering it in their email program.
- use an external javascript file that write your email link in a specific location on your web pages. It will be clickable by users but will not be seen by bots.