Email spam bots - display name vs. actual email address

[apalmer123@msn.com]

A webmaster that I thought was pretty knowledgeable insists that having the displayed text for an email hyperlink NOT be the actual email address reduces the amount of spam sent to that email.

I think that the bots are smart enough to get the email address from the anchor tag and that it doesn't matter what the displayed text says.

Anyone know the real truth?

Thanks!

[carpediem]

Hi apalmer123,

My understanding is that the bots are looking for anchor tags with mailto: reference. As they are usually working for spammers, the context of the display links probably don't matter to the bot program.

We utilize javascript and a secured contact form in an attempt to prevent web bots from stealing e-mail addresses from our websites.

Hope that helps,

Danielle

[wige]

Out of curiosity, I downloaded a bot that was designed to harvest e-mail addresses and other text from web sites. The bots look at the source code of the page and pull out any string that looks like an e-mail address, regardless of whether it is a mailto: link, the link text or even plain text. The bot I played with was even smart enough to drop added nospam text and could convert "something at somewhere dot com" into "something@somewhere.com". The bot was also able to crawl SSL pages. The only method I have seen that worked against the bot was putting the e-mail address into an image that is not linked, or using a secure contact form.

[RegDCP]

IMO the only safe way is having a captcha protected secure contact form.

Reg

[wpriley]

I've used a free application called E_Cloaker with good results for several years. You can download it at CodeFoot.com: Software: E Cloaker 2.0.

Wige, I would be curious if your bot picks up E-mail addresses encrypted with the above application.

Thanks.

[wige]

The bot I tested with had a decode option for unencoding, but it was off by default. This does look like at least a partially effective method. A bot would have no problem processing this code, but as it is not commonly used, the bot would more likely skip over it.

[deepsand]

If you can read the source and at least deduce what is most likely an e-mail address, so can a bot.

Therefore, if you want to provide the user with on-site contact, use a secure form; if you want to provide for their e-mailing you, display the address as an image.

Be aware, though, that even images are not guaranteed to be unreadable by bots. By employing OCR, and building a database of observed CAPTCHA images and the corresponding proper characters, there have been bots available for some time now that serve as effective CAPTCHA decoders.

[deepsand]

Quote:

Originally Posted by RegDCP

IMO the only safe way is having a captcha protected secure contact form.

Reg

Unfortunately, CAPTCHA is not 100% reliable.

By employing OCR, and building a database of observed CAPTCHA images and the corresponding proper characters, there have been bots available for some time now that serve as effective CAPTCHA decoders.

That is why some sites frequently change their library of CAPTCHA character strings; needless to say, these changes occur just about the time that human users have trained themselves to be able to reliably read them, leading to yet another round of pissed-off users!

[dean]

If I did use mailto links, I would escape some of the characters in both the anchor tag itself and in the text. There may be some bots that can still grab the address, but I think it prevents at least some harvesting.
What I'm really surprised about is why more webmasters don't speak about the basic unuseability and annoyance factor of mailto links. Just guessing, I think that a rather large percentage of internet users only use web-based email. Most likely, the one they get from their ISP. Even geeks, I would think, use both a client and web-based mail with multiple addresses. I know that I don't like it when a link with unclear anchor text suddenly opens my email client. It's annoying.
Just curious, what would a captcha have to do with preventing email harvesting from a secure contact form? I assume a secure form means that there are no email addresses in the html code, among other things.
I'm also wondering why the OP has an email address as a forum name?

[itsdonny]

This is a great email encoder here. The you can add your email to any page you want.

Mysterious Ways - Hide Email Addresses from Spam Harvesters

[holmpage]

This is the one I've been using for years: Hivelogic: Enkoder Web Form - it generates a long complex encoded mess in the source code, but looks normal in the browser. Seems to work quite well. Anyone else have experience with this one?

[edhan]

Personally if you want to avoid email harvesting, I do believe that image will be the best. Of course there are other method like cloaking or encryption but using image is far more easy and straight forward to prevent such incident.

[chaoley]

The unicode solution has been working well for me for years, try this online email unicoding tool.

fantomas mailShield ver. 01.01.01-e

[simmo]

alpamer123

Have you considered not using what looks like your full email address as your WPW username?

Seriously though, I use safemail. It is not particularly sophisticated but it seems to work. If you are at all familiar with java script, you could mess about with it more, maybe reverse the text of the names.

Here is the link:- FakeTP | Free Perl & PHP Scripts

[wige]

One of the problems with images and captcha technology is usability. Visually impaired users can not view the text in an image and in many cases can not get past a CAPCHA form. I have not experienced spam coming through a secured form, and by secure I mean with no viewable e-mail address and extensive input validation.

I also think that obsfucating the e-mail address using some type of encoding is effective. It is not commonly done right now, so most bots don't waste the processing time to look for encoded e-mail addresses, but these addresses will still work in a text browser, with screen reading software, etc. Although I still think forms provide the best user experience because they keep the user on site and can be customized to ask the questions you need answers to that users might forget to answer in a freeform e-mail.

[southplatte]

Quote:

Originally Posted by deepsand

Unfortunately, CAPTCHA is not 100% reliable.

Is any technology 100% reliable and hack proof?

As soon as a security or preventative technology comes out, the race is on to break it.

[southplatte]

Quote:

Originally Posted by wige

One of the problems with images and captcha technology is usability. Visually impaired users can not view the text in an image and in many cases can not get past a CAPCHA form.

Many sites now employ an auditory version of the captcha so that if a user cannot recognize or read the characters they can have them read to them.

[southplatte]

Quote:

Originally Posted by apalmer123@msn.com

A webmaster that I thought was pretty knowledgeable

Many web masters come across and pretty knowledgable - because they expect their clients to not be pretty knowledgable.

It is the same old addage of the auto mechanic selling you parts you don't absolutely need for the repair - they know how many average users do not know the internal parts of an engine or a suspension system and get away with it most of the time, until they try to pull it on someone who maybe knows a bit about cars, but does not work on them due to time or just a lack of desire to.

Years ago I had a guy want to partner with me for web design and programming - sure he talked the talk - acted like he knew what he was doing - but in all reality he didn't have the basic concepts of site design, development and publishing in his grasp - even though he had taken several courses on web design.

The other item to remember is many college text books exist on the subject of web design, and many of these courses are taught by teachers that normally teach business or graphic design courses - not what you would call the best line of instruction since many times the instructor only knows what the teacher prep courses and teacher guides tell them. Many times, with the fast pace of the web, the information contained in these books is 6-months to 2 years old and is often not the current mainstay in the industry based upon the amount of hacking, spam bots and such that exist and current threat trends. So he may have learned that linking email this was was more secure according to some text book written by a business degree holder teaching about e-commerce that had absolutely no clue about true web security other than the IT department and server admins make sure things are secure and you should make sure that you run SSL on your payment pages.

[qh4dotcom]

I use an image instead of text on my site to display a contact e-mail address...since spambots can't read images, it helps reduce spam.

[prof611]

On all of my websites, I use an offpage javascript to insert the email address onto the page. This means that the address is not visible by bots, since they can only read the code, not the page as it appears to humans. The only thing visible in the code is:

<span id="mailTo"></span>

and the javascript inserts the mailTo link between the tags.

I know that people who have javascript disabled won't see anything, but that is a very small proportion of websurfers nowadays.

I don't know why noone else has thought of this solution, as it seems foolproof to me. The code is freely available at the website below.

Professor
Professor's Coding Corner

[syd]

A solution I have used is antispambotmailto(). This uses javascript to create an encoded mailto. It is very easy to use and is free.
It can be found at:
AntiSpambotMailto()

[holyhttp]

To prevent bots from harvesting your email address there are 2 solutions I can think of.
- display your email as a graphic (no hyperlink mailto:....). Those who want to send you an email will mnake the effort of manually entering it in their email program.
- use an external javascript file that write your email link in a specific location on your web pages. It will be clickable by users but will not be seen by bots.

[shannonlp]

Since I create bots for a living. I would say nothing will stop it from happening. Encoding works for simple bots. Captcha is probably the best. The Captcha can't be something that stores the answer to the image within a javascript file. Everything about the Captcha needs to be encoded.

The best method I have seen is storing the contents of the Captcha on the server and not using client-side script.

Make sure the Captcha is hard to read just and image will not work.

[DrTandem1]

A good answer to this is to use a PHP script. It can be done with a form using CAPTCHA in conjunction with email validation to check the host, not just the configuration. Also, strip tags, linefeeds and have the script die, if a URL is entered or the site's own domain. Many spammers launch their spam using an unprotected form and the site's own domain name as the sender's address.

Lastly, don't put the email address in any of the source code being displayed. The PHP coding will not be displayed, so the actual email address is fairly well hidden.

[gr8dane]

Quote:

Originally Posted by DrTandem1

...in conjunction with email validation to check the host, not just the configuration.

How would you do this? What would you be checking for?

[shannonlp]

Quote:

Originally Posted by itsdonny

This is a great email encoder here. The you can add your email to any page you want.

Mysterious Ways - Hide Email Addresses from Spam Harvesters

I have written many spiders including email harvesters. All this software is doing is converting the characters to a hex equivalent of the given character.

Example:
%74 = t

A spambot can simple look for this pattern and run it through a built in decoder and have the email in the same amount of time as if it was not encoded.

Using the Javascript version makes it a little more difficult to figure out the email address. The concept is to take a key and assign to values then change the values according to the key. In a very generic sense.

It is much safer than just using your email address. If it is a professional spammer then your probably out of luck. Most people downloading a email harvester are not developers they are just looking for email addresses.

If the person has a good knowledge of Regex and a fairly robust bot then you are probably going to get an email from them.

The good news is that most people with software and this knowledge level have far better things to do then harvest emails.

Hope some of this helps.