A List Apart

Menu
Issue № 145

Win the SPAM Arms Race

by Published in HTML, JavaScript, The Server Side · 78 Comments

Most seasoned web designer/developers have learned that posting an email address on a website is a sure-fire way to guarantee a steaming pile of spam delivered to that address for years to come.

Article Continues Below

Indeed, posting a naked email link anywhere on the web (or in a newsgroup, in a chatroom, on a weblog comments page ...) is generally the kiss of death for your once-healthy address.

INVASION OF THE SPAMBOTS

It begins innocently enough: the neophyte web developer codes his address into a fresh, new web page to solicit the feedback of his adoring fans.  “Email me!”  it beckons.  A short time passes. Then the barrage of email begins.

From:   john@48_93839aac6673030.com
Subject: Make 80k working from home ...

The first few spam emails seem entertaining.  Then frustrating.  Following the so-called “unsubscribe” links in each mail only results in more mail. Eventually, the task of separating valid email from junk becomes so time consuming and problematic that the developer is forced to abandon the email address entirely.

I know this because the developer was me –  and to this day, years later, that email address still receives dozens of unwanted email messages every day.

Have you ever wondered how, almost instantly, your email address is discovered, recorded, handed down, and passed around?  This happens due to hordes of Email Harvesting Robots (aka spambots).  These autonomous bots spider the web day and night in waves, crawling pages and following links until they discover an unsuspecting MAILTO tag.  Then they pounce, devouring the address and sending it deep into the bowels of the web where the ugly, festering spam companies dwell.

TENTATIVE MEASURES DON’T HELP

Having learned your lesson, unwilling to post your naked address on a page again, you attempt to buck the system, removing any possibility that the spambots will detect your address.  Instead of providing an actual link, you type:

you at example dot com

While this will fool ’most all spambots, it fails entirely at providing your audience with an actual, clickable, email link. Your viewers will have to read and remember the text and then type it manually into their email program.  Not a big deal, but this might be the extra step that prevents them from making contact with you.

Your goal is to make their life easier, not harder; to encourage, not discourage, contact. So you abandon this technique and move on to something better. But what?

TO EMBED OR NOT TO EMBED

Your next move might be to embed the MAILTO link within a block of JavaScript, like this:

[removed]
[removed]("email me");
[removed]

At first, this would appear to be a suitable solution.  Unlike web browsers which will execute the JavaScript and display your link correctly, spambots should, in theory, ignore the JavaScript and therefore the link to your email address.

Unfortunately, spambots can read your address without executing any code at all.  This is because the link exists as plain-text within the parseable text of the page, ripe for the picking.

Drew McLellan was happy enough to prove this to us all with his Encoded email address harvester, a nice device that harmlessly scans your web page in search of vulnerable addresses. Run it against your existing web pages and see what it finds. The results should prove interesting.

DOUBLE PROTECTION: AS GOOD AS IT GETS

The best solution builds on the JavaScript-wrapping idea, but rather than leave the naked email address exposed within the easily-parsed JavaScript, the address is encoded –  translated –  into each character’s Numerical Equivalent, and then wrapped.

You see, every character can be mapped to its own special code which, when viewed by a web browser, is translated back into that character.  The following table gives you an idea of how this works:

char  code
a  a
b  b
c  c
1  1
2  2
3  3

Using this technique, you can generate a complete link that will be rendered correctly by the web browser.  Wrapping these codes yet again within a JavaScript will further limit the chances your email address will be assimilated.

NO ONE IS SAFE

Unfortunately, no email address published online is entirely safe from robots that harvest addresses, but converting your email address to numerical equivalents and then wrapping the result in JavaScript should foil all but the smartest and most dedicated spambots.

AUTOMATING ANTI-SPAM PROTECTION

Converting your email address into an encoded and JavaScript-wrapped link is a tedious process.  Fortunately, almost every programming language features an easy way to invoke this transformation.

This author’s Automatic Labs Email Address Encoder, for example, is an online resource that will handle this process for you.  Just enter your email address and the link information, and it will do the rest.  You may also download a stand-alone program to run on your own computer.  Both versions create the same results, and even allow you to specify cross-browser XHTML or HTML 4.01 code that validates.

On this code page, you’ll find a simple PHP function that will handle this transformation.Enjoy! {The product has been updated since this article was published in ALA issue 145. To download the latest version, see the Automatic Labs products page. – Ed.}

78 Reader Comments

Load Comments