Page style:

A Blue Perspective: ... just like spiced ham!

... just like spiced ham!
7 January 2004

Arriving back from holidays to a quiet office I was greeted by 276 e-mails. 4 of those I kept.

The place where I work has a real problem with spam. Our web site gets moderate traffic and on it somewhere are the mailto: links which chew up so much of our time. Obviously, the addresses have been culled by some devious uber-spammer and now do the rounds on a CD with some other "175,000 real names and addresses!" And there's now nothing we can do about it – the addresses are on all our stationery, advertising and yo-yos, so we can hardly abandon them in favour of a more discreet handle.

On my own web site I have a bit more control and like to take preventative measures against the enemy. Some sites leave their only point of access as a CGI form, but I feel that this is a bit too hermitic; people often have legitimate reasons for looking up your e-mail address and you shouldn't surrender good service in the name of spam prevention. As most e-mail addresses would be automatically culled by a web spider, the key in placing an e-mail address on a web page is to make it human readable, but not machine readable. This can be achieved by writing "here AT there dot com", but this automatically breaks the ability to have a mailto: link attached to your e-mail address. I strayed away from using character codes because I figured they were too easily translatable and could be circumvented by a trivial improvement to your average spider.

On my contact page the actual text of my mailto: link is interspersed with some CSS hidden HTML tags, meaning that a spider would not decipher the text as an e-mail address unless it contained a CSS parsing engine that calculated the actual text that is rendered. In addition to that, the href of the mailto: link is actually blank and I rely upon JavaScript calls to perform the mailto: action when someone clicks on the link. Again, a spider would only be able to decipher the e-mail address if it contained a JavaScript parsing engine. From a usability and semantic viewpoint these methods are a bit naughty, but I figure they provide decent service to most users while giving me protection, so its a worthwhile trade-off.

As a last resort, the actual e-mail address listed on the site is just a series of numbers. Anyone wishing to contact me for the first time may do so using that address, but further correspondence is done using my "real" address. Therefore, I can easily abandon the e-mail listed on the web site without affecting my lines of communication, and replace it with another series of numbers.

These measures have worked so far – no spam yet (jinx) – but each of them is bound to give way over time as spammers become more wily. And, eventually, some careless correspondent will leave my treasured e-mail address lying in some online forum or in a virus addled mail client and I'll have to start all over again *sigh*. So hopefully, action like the US anti-spam legislation and Microsoft's anti-spam algorithms will cut spam at its source – the only way to stop it.

How do you keep your life spam free? Reveal your secrets!


1/8. 7 January 2004 @ 05:47, kartooner wrote:

I use Mailwasher, a nifty program by Firetrust (and Nick Bolton).

It essentially allows you to filter out SPAM messages from legitimate emails. It's simple, inexpensive and effective.

My two cents worth, anyways. Worth a look if you're running into SPAM issues.

2/8. 7 January 2004 @ 07:17, Unearthed Ruminator wrote:

I use Dan Benjamin's Hiveware Enkoder to put my email address on my site -

3/8. 7 January 2004 @ 08:13, RMCox wrote:

Another perspective on the anti-spam legislation (by Robert X. Cringely) is available here:

In my professional experience, where addresses may not be changed or be numbers and have never been spoofed, exposed naked to the interweb, those users who get the most spam (in multiples of ten over the average user) also use their email for internet purchases, mailing lists, memberships, credit card applications, etc. I have 4 very exposed emails on well-trafficked sites (my day job) and even before spam filtering software was installed on the incoming mail server (the answer to your workís problems), I would only see a handful of spam emails a week. Other users, with less exposed emails, were getting 150 spams a day from excessive use of their email by plugging it into any old web form. Which is not to say that your problems aren't because your email wasnít harvested and sold, just that that has been my experience.

In my personal experience, where I have more control over mailtoís I did add [] to my listed email addresses (with deletion instructions) to an unknown degree of effectiveness. The only email of three listed to get any spam was the email listed in whois. Go figure. That (the []) may be as futile as character encoding and as annoying as 'rmcox (at)' but I donít get enough traffic for any real testing to be accomplished. Your mailto doctoring method is clever but I would be interested if you have any actual stats on its effectiveness. Maybe have a doctored mailto and a non-doctored mailto available on the same page and see which, if either, gets spammed and by what percentages?

(Also, the solution is also clever, but very heavy in terms of file size: imagine a page with 20 emails!)

4/8. 7 January 2004 @ 10:02, Keith Bell wrote:

Interesting method you have, Cameron. On my personal site I take an even simpler JavaScript approach which degrades gracefully in non-JS browsers (one of the downfalls of more complex methods like Dan Benjamin's Enkoder). So far it's been completely effective, and I've had no reports of problems in any browser or e-mail client. I've described the method at:

5/8. 7 January 2004 @ 14:03, The Man in Blue wrote:

We did trial a server-based filter application at work, but it classified a small percentage of proper e-mails as spam; people got worried, so it was removed.

Even on my Yahoo account (my selected "spam account") which would presumably use some pretty heavy spam filtering algorithms, I keep clicking the "this is spam" button but it doesn't seem to decrease the influx.

As a test of my own personal spam evasion tecniques, there are two links here, one using the evader, one not. The one that receives the most spam wins!

6/8. 8 January 2004 @ 01:18, RMCox wrote:

The false positive is a valid concern and certainly the most fundamental problem with many spam filtering agents. Our filtering system attaches 'spam?' to the subject line of all potential spam, then ranks it with a series of #'s -- you can turn on and off the filter, set the sensitivity of the filter and messages are never deleted but rather moved to a spam folder which the user can periodically check. This allows for very customizable filtering dictated by specific individual user needs. The mail server also has anti-virus software too, so any email I actually view has been through a battery of tests, the attachments are scanned, the domains must be valid and so on.

Keith's (#comment4) link is an excellent (& elegant) solution -- thanks for providing that, as well as providing a detailed critical analysis of the other options as well.

7/8. 8 January 2004 @ 10:20, The Man in Blue wrote:

Only just followed Keith's link :D

Fairly similar to mine, just a bit more elegant. However, instead of using onmouseover, I'd use something a bit more accessible (non-mouse users wouldn't be able to access the link) e.g. onfocus, onkeypress.

8/8. 9 January 2004 @ 11:21, Matt Burris wrote:

I use a combination of Mozilla Thunderbird's spam filtering and SpamPal. That pretty much covers most of it, with a very small amount of false positives.

On webpages, I've found a Javascript solution, but I'm open to better ideas for those who have jscript disabled.

If you go to sign up for something, and email is asked to send you a password, and you don't trust the website/company, use Mailinator:

Post your own comments

Fields marked with an asterisk* are mandatory. All HTML tags will be escaped. http:// strings in comments will be auto-linked.