WebProWorld, Web Programming Discussion Forum

Email spam bots - display name vs. actual email address

#1 (permalink) 07-23-2007, 01:16 AM
apalmer123@msn.com (WebProWorld New Member)

A webmaster that I thought was pretty knowledgeable insists that having the displayed text for an email hyperlink NOT be the actual email address reduces the amount of spam sent to that email.

I think that the bots are smart enough to get the email address from the anchor tag and that it doesn't matter what the displayed text says.

Anyone know the real truth?

Thanks!

#2 (permalink) 07-23-2007, 01:38 AM
carpediem (WebProWorld Pro)

Hi apalmer123,

My understanding is that the bots are looking for anchor tags with a mailto: reference. As they are usually working for spammers, the context of the display links probably doesn't matter to the bot program.

We utilize javascript and a secured contact form in an attempt to prevent web bots from stealing e-mail addresses from our websites.

Hope that helps,

Danielle
__________________
MODPlug Central | Free Music Software
StudioKraft | Ecommerce Web Site Development

#3 (permalink) 07-23-2007, 01:18 PM
wige (WebProWorld Moderator)

Out of curiosity, I downloaded a bot that was designed to harvest e-mail addresses and other text from web sites. The bots look at the source code of the page and pull out any string that looks like an e-mail address, regardless of whether it is a mailto: link, the link text or even plain text. The bot I played with was even smart enough to drop added nospam text and could convert "something at somewhere dot com" into "something@somewhere.com". The bot was also able to crawl SSL pages. The only method I have seen that worked against the bot was putting the e-mail address into an image that is not linked, or using a secure contact form.
__________________
The best way to learn anything, is to question everything.

#4 (permalink) 07-23-2007, 05:22 PM
RegDCP (WebProWorld Pro)

IMO the only safe way is having a captcha protected secure contact form.

Reg
__________________
http://DotCom-Productions.com Website Management
http://0Grief.com Budget PHP/MySQL hosting

#5 (permalink) 07-23-2007, 05:36 PM
wpriley (WebProWorld Member)

I've used a free application called E_Cloaker with good results for several years. You can download it at CodeFoot.com: Software: E Cloaker 2.0.

Wige, I would be curious if your bot picks up E-mail addresses encrypted with the above application.

Thanks.
__________________
Pat Riley

#6 (permalink) 07-23-2007, 06:33 PM
wige (WebProWorld Moderator)

The bot I tested with had a decode option for unencoding, but it was off by default. This does look like at least a partially effective method. A bot would have no problem processing this code, but as it is not commonly used, the bot would more likely skip over it.
__________________
The best way to learn anything, is to question everything.

#7 (permalink) 07-23-2007, 06:50 PM
deepsand (WebProWorld 1,000+ Club, WebProWorld MVP)

If you can read the source and at least deduce what is most likely an e-mail address, so can a bot.

Therefore, if you want to provide the user with on-site contact, use a secure form; if you want to provide for their e-mailing you, display the address as an image.

Be aware, though, that even images are not guaranteed to be unreadable by bots. By employing OCR, and building a database of observed CAPTCHA images and the corresponding proper characters, there have been bots available for some time now that serve as effective CAPTCHA decoders.

#8 (permalink) 07-23-2007, 06:57 PM
deepsand (WebProWorld 1,000+ Club, WebProWorld MVP)

Quote:
Originally Posted by RegDCP
IMO the only safe way is having a captcha protected secure contact form.

Reg

Unfortunately, CAPTCHA is not 100% reliable.

By employing OCR, and building a database of observed CAPTCHA images and the corresponding proper characters, there have been bots available for some time now that serve as effective CAPTCHA decoders.

That is why some sites frequently change their library of CAPTCHA character strings; needless to say, these changes occur just about the time that human users have trained themselves to be able to reliably read them, leading to yet another round of pissed-off users!

#9 (permalink) 07-23-2007, 07:07 PM
dean (WebProWorld Member)

If I did use mailto links, I would escape some of the characters in both the anchor tag itself and in the text. There may be some bots that can still grab the address, but I think it prevents at least some harvesting.
What I'm really surprised about is why more webmasters don't speak about the basic unusability and annoyance factor of mailto links. Just guessing, I think that a rather large percentage of internet users only use web-based email. Most likely, the one they get from their ISP. Even geeks, I would think, use both a client and web-based mail with multiple addresses. I know that I don't like it when a link with unclear anchor text suddenly opens my email client. It's annoying.
Just curious, what would a captcha have to do with preventing email harvesting from a secure contact form? I assume a secure form means that there are no email addresses in the html code, among other things.
I'm also wondering why the OP has an email address as a forum name?

#10 (permalink) 07-23-2007, 07:07 PM
itsdonny (WebProWorld Member)

This is a great email encoder here. Then you can add your email to any page you want.

Mysterious Ways - Hide Email Addresses from Spam Harvesters

#11 (permalink) 07-23-2007, 08:17 PM
holmpage (WebProWorld Member)

This is the one I've been using for years: Hivelogic: Enkoder Web Form - it generates a long complex encoded mess in the source code, but looks normal in the browser. Seems to work quite well. Anyone else have experience with this one?
__________________
Heather Holm
Web Design: www.holmpage.com
Nova Scotia: www.NovaScotiaPhotoAlbum.com

#12 (permalink) 07-23-2007, 10:44 PM
edhan (WebProWorld Veteran)

Personally, if you want to avoid email harvesting, I do believe that an image will be the best. Of course there are other methods like cloaking or encryption, but using an image is far easier and more straightforward for preventing such incidents.

#13 (permalink) 07-24-2007, 04:02 AM
chaoley (WebProWorld New Member)

The unicode solution has been working well for me for years, try this online email unicoding tool.

fantomas mailShield ver. 01.01.01-e

#14 (permalink) 07-24-2007, 05:01 AM
simmo (WebProWorld New Member)

apalmer123

Have you considered not using what looks like your full email address as your WPW username?

Seriously though, I use safemail. It is not particularly sophisticated but it seems to work. If you are at all familiar with JavaScript, you could mess about with it more, maybe reverse the text of the names.

Here is the link:- FakeTP | Free Perl & PHP Scripts
__________________
Don't think outside of the box - get rid of the box.

#15 (permalink) 07-24-2007, 10:50 AM
wige (WebProWorld Moderator)

One of the problems with images and captcha technology is usability. Visually impaired users cannot view the text in an image and in many cases cannot get past a CAPTCHA form. I have not experienced spam coming through a secured form, and by secure I mean with no viewable e-mail address and extensive input validation.

I also think that obfuscating the e-mail address using some type of encoding is effective. It is not commonly done right now, so most bots don't waste the processing time to look for encoded e-mail addresses, but these addresses will still work in a text browser, with screen reading software, etc. Although I still think forms provide the best user experience because they keep the user on site and can be customized to ask the questions you need answers to that users might forget to answer in a freeform e-mail.
__________________
The best way to learn anything, is to question everything.

#16 (permalink) 07-24-2007, 11:12 AM
southplatte (WebProWorld Veteran)

Quote:
Originally Posted by deepsand
Unfortunately, CAPTCHA is not 100% reliable.

Is any technology 100% reliable and hack proof?

As soon as a security or preventative technology comes out, the race is on to break it.

#17 (permalink) 07-24-2007, 11:13 AM
southplatte (WebProWorld Veteran)

Quote:
Originally Posted by wige
One of the problems with images and captcha technology is usability. Visually impaired users cannot view the text in an image and in many cases cannot get past a CAPTCHA form.

Many sites now employ an auditory version of the captcha so that if a user cannot recognize or read the characters they can have them read to them.

#18 (permalink) 07-24-2007, 11:22 AM
southplatte (WebProWorld Veteran)

Quote:
Originally Posted by apalmer123@msn.com
A webmaster that I thought was pretty knowledgeable

Many web masters come across as pretty knowledgeable - because they expect their clients to not be pretty knowledgeable.

It is the same old adage of the auto mechanic selling you parts you don't absolutely need for the repair - they know how many average users do not know the internal parts of an engine or a suspension system and get away with it most of the time, until they try to pull it on someone who maybe knows a bit about cars, but does not work on them due to time or just a lack of desire to.

Years ago I had a guy want to partner with me for web design and programming - sure he talked the talk - acted like he knew what he was doing - but in all reality he didn't have the basic concepts of site design, development and publishing in his grasp - even though he had taken several courses on web design.

The other item to remember is many college textbooks exist on the subject of web design, and many of these courses are taught by teachers that normally teach business or graphic design courses - not what you would call the best line of instruction since many times the instructor only knows what the teacher prep courses and teacher guides tell them. Many times, with the fast pace of the web, the information contained in these books is 6 months to 2 years old and is often not the current mainstay in the industry based upon the amount of hacking, spam bots and such that exist and current threat trends. So he may have learned that linking email this way was more secure according to some textbook written by a business degree holder teaching about e-commerce that had absolutely no clue about true web security other than the IT department and server admins make sure things are secure and you should make sure that you run SSL on your payment pages.

#19 (permalink) 07-24-2007, 11:31 PM
qh4dotcom (WebProWorld Pro)

I use an image instead of text on my site to display a contact e-mail address...since spambots can't read images, it helps reduce spam.
__________________
You'll love this free traffic site...now it's getting me 2,000 targeted hits every day.
http://www.traffficswarm.com/wpw.html

#20 (permalink) 07-25-2007, 05:04 PM
prof611 (WebProWorld New Member)

On all of my websites, I use an offpage javascript to insert the email address onto the page. This means that the address is not visible by bots, since they can only read the code, not the page as it appears to humans. The only thing visible in the code is:

<span id="mailTo"></span>

and the javascript inserts the mailTo link between the tags.

I know that people who have javascript disabled won't see anything, but that is a very small proportion of websurfers nowadays.

I don't know why no one else has thought of this solution, as it seems foolproof to me. The code is freely available at the website below.

Professor
Professor's Coding Corner

#21 (permalink) 07-25-2007, 06:13 PM
syd (WebProWorld New Member)

A solution I have used is antispambotmailto(). This uses javascript to create an encoded mailto. It is very easy to use and is free.
It can be found at:
AntiSpambotMailto()

#22 (permalink) 07-26-2007, 03:19 AM
holyhttp (WebProWorld Member)

To prevent bots from harvesting your email address there are 2 solutions I can think of.
- display your email as a graphic (no hyperlink mailto:....). Those who want to send you an email will make the effort of manually entering it in their email program.
- use an external javascript file that writes your email link in a specific location on your web pages. It will be clickable by users but will not be seen by bots.
__________________
Please read the Forum Rules about signature links.
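
The approach described in posts #20 and #22, as an added example that is not part of the thread and not the code from either poster's site: an external script assembles the address at run time and fills the empty `<span id="mailTo"></span>`. The address, the `PARTS` layout and the function names are constructed for illustration.

```javascript
// Added example. The address is a constructed sample (example.com).
// It is stored split and reversed, so neither "user@host" nor a complete
// "mailto:user@host" string appears anywhere in the served source.
const PARTS = { user: 'tcatnoc', host: ['moc', 'elpmaxe'] };

const reverse = (s) => s.split('').reverse().join('');

// Rebuild "contact@example.com" from the stored parts.
function buildAddress(parts) {
  const user = reverse(parts.user);
  const host = parts.host.map(reverse).reverse().join('.');
  return user + String.fromCharCode(64) + host; // 64 is '@'
}

// Fill the placeholder element with a clickable link.
// `doc` is passed in so the function can be exercised outside a browser.
function renderMailLink(doc, targetId, parts) {
  const slot = doc.getElementById(targetId);
  if (!slot) return null;
  const address = buildAddress(parts);
  const link = doc.createElement('a');
  link.href = 'mail' + 'to:' + address;
  link.textContent = address; // textContent, not innerHTML: no markup is parsed
  slot.appendChild(link);
  return link;
}

// In a browser, run once the placeholder exists.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    renderMailLink(document, 'mailTo', PARTS);
  });
}
```

This keeps the address out of the static source only; a crawler that executes scripts sees the rendered link like any browser does.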

#23 (permalink) 07-26-2007, 10:02 PM
shannonlp (WebProWorld Member)

Since I create bots for a living, I would say nothing will stop it from happening. Encoding works for simple bots. Captcha is probably the best. The Captcha can't be something that stores the answer to the image within a javascript file. Everything about the Captcha needs to be encoded.

The best method I have seen is storing the contents of the Captcha on the server and not using client-side script.

Make sure the Captcha is hard to read; just an image will not work.
__________________
Web Designer and Custom Spider Creator
eCommerce and shopping cart information

#24 (permalink) 07-28-2007, 02:39 AM
DrTandem1 (WebProWorld 1,000+ Club)

A good answer to this is to use a PHP script. It can be done with a form using CAPTCHA in conjunction with email validation to check the host, not just the configuration. Also, strip tags, linefeeds and have the script die, if a URL is entered or the site's own domain. Many spammers launch their spam using an unprotected form and the site's own domain name as the sender's address.

Lastly, don't put the email address in any of the source code being displayed. The PHP coding will not be displayed, so the actual email address is fairly well hidden.
__________________
DrTandem's San Diego Web Page Design, drtandem.com
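
One way to implement the checks listed in post #24, written here in JavaScript rather than PHP (an added example, not DrTandem1's script). `SITE_DOMAIN`, the field names and the injected `resolveMx` function are assumptions; the example rejects line breaks in header fields instead of stripping them.

```javascript
// Added example. SITE_DOMAIN and the form field names are assumed values.
const SITE_DOMAIN = 'example.com';
const ADDRESS = /^[^\s@<>"]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i;

// Syntax-level checks on one contact-form submission.
function validateSubmission({ name = '', email = '', message = '' }) {
  const errors = [];
  // A CR or LF in a value that ends up in a mail header lets the sender
  // append headers of their own (extra recipients, Bcc:), so refuse it.
  for (const [field, value] of Object.entries({ name, email })) {
    if (/[\r\n]|%0[ad]/i.test(value)) errors.push(`${field}: line break`);
  }
  const m = ADDRESS.exec(email.trim());
  if (!m) {
    errors.push('email: malformed');
  } else {
    const host = m[1].toLowerCase();
    // Spam relayed through a form often claims the site's own domain as sender.
    if (host === SITE_DOMAIN || host.endsWith('.' + SITE_DOMAIN)) {
      errors.push('email: claims site domain');
    }
  }
  if (/https?:\/\/|www\./i.test(message)) errors.push('message: contains URL');
  const clean = message.replace(/<[^>]*>/g, '').trim(); // strip tags
  return { ok: errors.length === 0, errors, clean };
}

// Host check: does the sender's domain publish any MX record?
// `resolveMx` is injected; in Node.js, require('node:dns').promises.resolveMx
// has this shape (resolves to an array, rejects when the lookup fails).
async function senderHostAcceptsMail(email, resolveMx) {
  const host = email.slice(email.lastIndexOf('@') + 1);
  try {
    const records = await resolveMx(host);
    return Array.isArray(records) && records.length > 0;
  } catch {
    return false;
  }
}
```

The MX lookup only shows that the domain can receive mail; it says nothing about whether the mailbox exists.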

#25 (permalink) 09-02-2007, 11:02 PM
gr8dane (WebProWorld New Member)

Quote:
Originally Posted by DrTandem1
...in conjunction with email validation to check the host, not just the configuration.
How would you do this? What would you be checking for?

#26 (permalink) 09-04-2007, 02:13 PM
shannonlp (WebProWorld Member)

Quote:
Originally Posted by itsdonny
This is a great email encoder here. Then you can add your email to any page you want.

Mysterious Ways - Hide Email Addresses from Spam Harvesters

I have written many spiders including email harvesters. All this software is doing is converting the characters to a hex equivalent of the given character.

Example:
%74 = t

A spambot can simply look for this pattern and run it through a built-in decoder and have the email in the same amount of time as if it was not encoded.

Using the Javascript version makes it a little more difficult to figure out the email address. The concept is to take a key and assign to values then change the values according to the key. In a very generic sense.

It is much safer than just using your email address. If it is a professional spammer then you're probably out of luck. Most people downloading an email harvester are not developers; they are just looking for email addresses.

If the person has a good knowledge of Regex and a fairly robust bot then you are probably going to get an email from them.

The good news is that most people with software and this knowledge level have far better things to do than harvest emails.

Hope some of this helps.
__________________
Web Designer and Custom Spider Creator
eCommerce and shopping cart information
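
An added example, not part of the thread: a check to run over your own page source before publishing, applying the decoding passes described in posts #3 and #26 to show which addresses can be recovered without executing any script. The sample page, all addresses and the function names are constructed.

```javascript
// Added example: audit your own markup for addresses readable from static source.
const EMAIL = /[a-z0-9._+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+/gi;
const SPELLED = /([a-z0-9._+-]+)\s+at\s+([a-z0-9-]+(?:\s+dot\s+[a-z0-9-]+)+)/gi;
const fromCode = (cp, raw) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : raw);

// One entry per obfuscation mentioned in the thread: [label, function undoing it].
const PASSES = [
  ['plain text or mailto:', (s) => s],
  ['nospam filler', (s) => s.replace(/[._-]?no[._-]?spam[._-]?/gi, '')],
  ['"at"/"dot" spelled out', (s) => s.replace(SPELLED,
    (_, user, host) => user + '@' + host.replace(/\s+dot\s+/gi, '.'))],
  ['HTML numeric entities', (s) => s.replace(/&#(x[0-9a-f]+|\d+);/gi,
    (raw, n) => fromCode(/^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10), raw))],
  ['percent (hex) encoding', (s) => s.replace(/%([0-9a-f]{2})/gi,
    (_, h) => String.fromCharCode(parseInt(h, 16)))],
];

// Returns every address found, with the first pass that exposed it.
function auditSource(source) {
  const seen = new Map();
  for (const [label, undo] of PASSES) {
    for (const hit of undo(source).match(EMAIL) || []) {
      const address = hit.toLowerCase();
      if (!seen.has(address)) seen.set(address, label);
    }
  }
  return [...seen].map(([address, recoveredBy]) => ({ address, recoveredBy }));
}

// Constructed sample page: one line per technique discussed in the thread.
const SAMPLE_PAGE = `
<a href="mailto:sales@example.com">Contact sales</a>
<p>Write to support at example dot org</p>
<p>billing@nospam.example.net</p>
<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#105;&#110;&#102;&#111;&#64;example.com">Info</a>
<a href="mailto:%74%65%73%74%40example.com">Test</a>
<span id="mailTo"></span>
<img src="address.png" alt="">
`;

for (const { address, recoveredBy } of auditSource(SAMPLE_PAGE)) {
  console.log(address.padEnd(30), recoveredBy);
}
```

Only the script-filled `<span>` and the image leave nothing for the audit to report; every other line on the sample page yields its address.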