How to avoid getting spam through a website?
We seem to be getting A LOT of email spam, we have a combination of the email addresses as mailto links and contact forms that send to the same address.
What measures can we put in place that will eliminate the majority of spam?
We need to keep a visible email address and contact form so there's no way to just remove those.
I have a lot of experience stopping spam. In fact, I used to speak with GFI and shared some of my filter techniques with them.
You can stop spam with near 100% effectiveness with a few simple steps. This does not negate the need for an anti-spam filter or mean that you will never get spam; however, just a couple of things will almost stop spam cold. It is actually extremely easy.
A little background:
I probably hate spam more than most. I ran a list server with several e-mail lists years ago for well over a decade. When I started the list servers, I knew that spam would be a problem so I created my own e-mail filter and not one spam e-mail ever made it through with zero false positives. I ran my personal e-mails through the list server. Simple.
But that is not what I am suggesting.
When I shut down my list servers, I had to find other highly effective ways to stop spam and I figured out that if you can stop the e-mail address scrapers from lifting your e-mail address from any website, then that is 99% of the task. But you do not always have control over all of this of course. So I used another old technique as a one-two punch (steps 1 and 2).
Step 1: Create an e-mail alias for each and every time you provide an e-mail address. This is often an extremely easy thing to do, especially if you run your own e-mail server. Even if you don't run your own e-mail servers, most e-mail service providers and web hosts allow for aliases to be created. So when I register for an online account, I create an alias for that account. Every time I provide an e-mail to anyone, I create an alias. No exceptions. I do warn you not to make the alias the other site's domain name, but something similar so you know where your e-mail address was compromised and where to change any e-mail address if you need to. Do not get lazy on this one. Creating a unique alias for each person, site, entity, really saves you a lot of work and pain later. This is especially important for family members and some less technical friends who, for some reason, never seem to keep their anti-spam up to date.
Step 2: Munge your e-mail address. I created my own e-mail munge tool over a decade ago. But here is some of the background you need to know before getting into munging.
E-mail addresses can be scraped from websites using a variety of tools that range in sophistication. Most are still limited in a particular way, but you will find that many of the munge techniques such as using [at], putting in spaces, putting in text to be modified such as [remove this], and so on can still be scraped. In fact, many JavaScript techniques can be scraped simply because they are easily recognized and written into the code as a pattern match. As well, many image munges can also be scraped simply because code can be written to recognize text within an image regardless of what you do, including applying an image filter against the text object before rendering. Scrapers have become rather sophisticated for sure.
But what they cannot handle is randomness.
I wrote a munge tool that is completely anonymous and has been 100% effective for over a decade. Here it is: www.closetnoc.org/mungemaster/ Please use it. It is free to use and I created it because I hate spam that much. Every time you use this munge tool, it creates a completely new munge. It solves the pattern match problem I described earlier. One option is to munge the e-mail address several times, for as many times as you post it on your site. Because randomness is important, this technique increases the likelihood of success. But you really do not need to do this if you do not want to. It is still remarkably effective and allows an e-mail link to reside on your site just the way people expect.
Step 3: Use an anti-spam filter. There are several that either work at the server level, as a gateway before your e-mail server, between the server and client, or within the client. Whichever one you choose depends upon your scenario. I used GFI as a gateway when I was a web host. I also used my own filtering mechanism mentioned before. I now use SpamAssassin. Both are highly effective, but not completely foolproof.
Step 4: This only applies for those who run their own e-mail server, but it is a highly effective, little known, and simple technique. Create a list server and use Majordomo. Majordomo uses its own highly effective anti-spam/security filters. While I do not remember how I used to do this, it is something that does not take much time to figure out. It is highly recommended if you do not mind adding another layer.
Step 5: Quarantine spam e-mails. Most server based and client based spam filters can read header tags and segregate your spam into a folder. Most of us are used to seeing this, but it may surprise you how many people do not use this feature.
The idea is to stop the harvesters from getting your e-mail address in the first place. But if somehow this is compromised, then you have not provided a real e-mail address but an alias that you can delete and recreate as a completely new e-mail alias if required. And last, let the anti-spam filter do its work and place the spam into a safe location that can be recovered if required.
As a side note:
The only time I have received spam is when a computer was compromised, when someone clicked on a link and manually captured the address, or when a website code/object was compromised. I can count these on my fingers in the past 12 years.
Regarding forms, I do not have much experience with spam in this regard mostly because I do not use forms on my system, so I am not sure I can help you as much as the answers above.
As spambots generally fill in all fields of a form, I use a hidden input which, if filled in, prevents the form from being submitted.
Obviously you'll need to have a label associated with it (also hidden) which states that it should be left blank so that screen reader users know what it's for and don't fill it in.
I've been using this approach for years and it seems to work pretty well.
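An added example of the honeypot technique described in the answer above (not the answer author's own code): a contact form with an off-screen text field that humans never see, and the server-side check that rejects any submission in which it is filled. The field name `company_website`, the form field names and the `data-*`-free markup are assumptions chosen for this example. Two practical details the answer does not spell out: the honeypot is a normal text input moved off-screen with CSS (not `type="hidden"`, which many bots skip), and it carries `autocomplete="off"` because browser autofill filling a field named like "website" is the usual cause of false positives.

```javascript
// Added example: honeypot field for a contact form (not code from the answer above).
// Field name and form layout are assumptions for this example.

const HONEYPOT_FIELD = 'company_website'; // assumed name; never use it in the visible form

// Minimal HTML escaping for attribute values we interpolate.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Renders the form. The honeypot is a plain text input pushed off-screen with CSS.
// Its label stays in the accessibility tree and tells screen-reader users to leave
// it empty; tabindex="-1" keeps it out of the keyboard tab order and
// autocomplete="off" stops browser autofill from populating it.
function renderContactForm(action) {
  const hp = HONEYPOT_FIELD;
  return [
    `<form method="post" action="${escapeHtml(action)}">`,
    '  <label for="name">Name</label>',
    '  <input id="name" name="name" required>',
    '  <label for="email">Email</label>',
    '  <input id="email" name="email" type="email" required>',
    '  <label for="message">Message</label>',
    '  <textarea id="message" name="message" required></textarea>',
    '  <div style="position:absolute; left:-10000px; top:auto; width:1px; height:1px; overflow:hidden;">',
    `    <label for="${hp}">Leave this field empty</label>`,
    `    <input id="${hp}" name="${hp}" tabindex="-1" autocomplete="off">`,
    '  </div>',
    '  <button type="submit">Send</button>',
    '</form>',
  ].join('\n');
}

// Classifies a parsed POST body (field name -> string, or array of strings when
// a field repeats). Outcomes:
//   'bot'              the honeypot was filled in
//   'missing-honeypot' the field is absent; a browser always submits it (as an
//                      empty string), so this POST did not come from our form
//   'ok'               hand off to normal validation and delivery
function classifySubmission(fields) {
  const value = fields[HONEYPOT_FIELD];
  if (value === undefined) return 'missing-honeypot';
  const text = Array.isArray(value) ? value.join('') : String(value);
  if (text.trim() !== '') return 'bot';
  return 'ok';
}
```

Treat `'missing-honeypot'` the same as `'bot'` once you are sure every copy of the form in production includes the field; until then, log it separately so a stale cached form does not silently drop real messages.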
Since you already had your email address publicly available on the website, it's already too late.
You can still remove the plain-text email address from the website. There are several techniques for this, e.g.:
'Obfuscate' the address: e.g. info at example dot com or inforemovethis@example.com
Use an image which contains the email address
Remove the mailto: link and let the user just copy/paste the address
As others have already mentioned, you should add some sort of CAPTCHA to prevent bots from spamming your contact form.
IMHO it's impossible to prevent getting spam. Even if you didn't have your email address publicly available, spammers will still try lots of email addresses on a certain domain. If the server sends back an NDR, they would know the email address isn't valid. I think the best thing you can do is install a spam filter. You could either install one on the mail server or, if you don't have access to the server, you can always install a spam filter on the client side. I use SpamBayes myself on the client side and we also use a server-side filter. So most spam messages just don't reach the client or will be caught on the client side.
A solution to that is to render the email information encoded, and have a JavaScript function decode it and show it after the page has loaded.
Nothing hard to encode and decode; a simple one can do the work.
Another way is to render your email to an image and show the image.
With any trick like that, spammers cannot easily read your email address to put it in a database and start sending you spam.
I found a page with many examples: csarven.ca/hiding-email-addresses
Now, for the contact form you must use a CAPTCHA (en.wikipedia.org/wiki/CAPTCHA) or some other similar idea: stackoverflow.com/questions/8472/practical-non-image-based-captcha-approaches/2544519
Have a look at Recaptcha: www.google.com/recaptcha
That will solve your contact form issue; for the visible email addresses, do not display them in a clickable form (e.g. contactus (AT) mydomain (DOT) com).
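An added example tying together the "encode server-side, decode with JavaScript on load" approach of the answer above and the point made in the first answer that a munge only survives scrapers if its output is random rather than a fixed pattern. It is not the first answer's munge tool and not code from either answer. Each time the address is rendered, its UTF-8 bytes are XORed with a fresh random key, so the same address produces different markup on every page load; the browser reverses the XOR and restores the `mailto:` link. The `data-d`/`data-k` attribute names, the `munged` class and the `revealMailLinks` helper are assumptions for this example. The caveat a practitioner should keep in mind: a scraper that executes JavaScript in a headless browser sees the decoded address just as a visitor does, so this belongs in front of a mail filter, not instead of one.

```javascript
// Added example: randomised XOR munge of an e-mail address, encoded server-side and
// decoded in the browser. Attribute names and helper names are assumptions.

function randomBytes(length) {
  const out = new Uint8Array(length);
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === 'function') {
    globalThis.crypto.getRandomValues(out);
  } else {
    // Fallback for runtimes without WebCrypto: the key only defeats pattern matching,
    // it is not protecting a secret from cryptanalysis.
    for (let i = 0; i < length; i++) out[i] = Math.floor(Math.random() * 256);
  }
  return out;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

function fromHex(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) throw new Error('bad hex');
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// Server side: a new key per call, so every occurrence on the page is encoded differently.
// A fixed key may be passed in for testing.
function encodeAddress(address, key) {
  const plain = new TextEncoder().encode(address); // UTF-8 bytes, so non-ASCII works too
  const k = key || randomBytes(plain.length);
  if (k.length < plain.length) throw new Error('key shorter than address');
  const cipher = plain.map((b, i) => b ^ k[i]);
  return { data: toHex(cipher), key: toHex(k) };
}

// Markup emitted instead of a plain mailto: link. Without JavaScript a visitor
// (or a scraper) sees only the label text, never the address.
function renderMailLink(address, label) {
  const { data, key } = encodeAddress(address);
  return `<a href="#" class="munged" data-d="${data}" data-k="${key}">${label}</a>`;
}

// Client side: reverse the XOR.
function decodeAddress(dataHex, keyHex) {
  const cipher = fromHex(dataHex);
  const key = fromHex(keyHex);
  if (key.length < cipher.length) throw new Error('key shorter than data');
  return new TextDecoder().decode(cipher.map((b, i) => b ^ key[i]));
}

// Run on DOMContentLoaded with `root` = document. Restores every munged link and
// returns how many it touched so the caller can check the result.
function revealMailLinks(root) {
  let restored = 0;
  for (const a of root.querySelectorAll('a.munged[data-d][data-k]')) {
    const address = decodeAddress(a.dataset.d, a.dataset.k);
    a.href = 'mailto:' + address;
    a.textContent = address;
    restored += 1;
  }
  return restored;
}
```

Serve `renderMailLink(...)` output from a template and ship `decodeAddress`/`revealMailLinks` in the page script; because the key travels alongside the data, a scraper that refuses to run JavaScript gets only two hex strings that change on every fetch.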