... just like spiced ham!

7 January 2004


A Blue Perspective: ... just like spiced ham!

Arriving back from holidays to a quiet office I was greeted by 276 e-mails. 4 of those I kept.

The place where I work has a real problem with spam. Our web site gets moderate traffic and on it somewhere are the mailto: links which chew up so much of our time. Obviously, the addresses have been culled by some devious uber-spammer and now do the rounds on a CD with some other "175,000 real names and addresses!" And there's now nothing we can do about it – the addresses are on all our stationery, advertising and yo-yos, so we can hardly abandon them in favour of a more discreet handle.

On my own web site I have a bit more control and like to take preventative measures against the enemy. Some sites leave their only point of access as a CGI form, but I feel that this is a bit too hermitic; people often have legitimate reasons for looking up your e-mail address and you shouldn't surrender good service in the name of spam prevention. As most e-mail addresses would be automatically culled by a web spider, the key in placing an e-mail address on a web page is to make it human readable, but not machine readable. This can be achieved by writing "here AT there dot com", but this automatically breaks the ability to have a mailto: link attached to your e-mail address. I strayed away from using character codes because I figured they were too easily translatable and could be circumvented by a trivial improvement to your average spider.

On my contact page the actual text of my mailto: link is interspersed with some CSS-hidden HTML tags, meaning that a spider would not decipher the text as an e-mail address unless it contained a CSS parsing engine that calculated the actual text that is rendered. In addition to that, the href of the mailto: link is actually blank and I rely upon JavaScript calls to perform the mailto: action when someone clicks on the link. Again, a spider would only be able to decipher the e-mail address if it contained a JavaScript parsing engine. From a usability and semantic viewpoint these methods are a bit naughty, but I figure they provide decent service to most users while giving me protection, so it's a worthwhile trade-off.

As a last resort, the actual e-mail address listed on the site is just a series of numbers. Anyone wishing to contact me for the first time may do so using that address, but further correspondence is done using my "real" address. Therefore, I can easily abandon the e-mail listed on the web site without affecting my lines of communication, and replace it with another series of numbers.
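The contact-page technique described above, sketched as an added example (this is not the code from the author's site). It builds the doctored link and checks what a pattern match over the markup, a tag-stripping reader and a human each end up with; the address, the `x` class, the `-nospam-` decoy text and all function names are assumptions.

```javascript
// Added example. The address is constructed; helper names are hypothetical.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// An ordinary link: the address appears verbatim in href and in the text.
function plainLink(address) {
  return `<a href="mailto:${address}">${address}</a>`;
}

// The doctored link: CSS-hidden decoy spans split the visible text, href is
// blank, and the mailto: URL is only assembled by script on click.
function doctoredLink(address) {
  const [user, domain] = address.split("@");
  const decoy = '<span class="x">-nospam-</span>';
  const go = `location.href='mai'+'lto:'+['${user}','${domain}']` +
             `.join(String.fromCharCode(64));return false`;
  return `<style>.x{display:none}</style>` +
         `<a href="" onclick="${go}">${user}${decoy}@${decoy}${domain}</a>`;
}

// Unique address-shaped strings found in a piece of text.
function addressesIn(text) {
  return [...new Set(text.match(EMAIL_RE) || [])];
}

// Strip the style block and every tag, keeping all element text.
function stripTags(html) {
  return html.replace(/<style[\s\S]*?<\/style>/g, "").replace(/<[^>]*>/g, "");
}

// Approximate what a CSS-aware renderer displays: drop .x spans first.
function renderedText(html) {
  return stripTags(html.replace(/<span class="x">[\s\S]*?<\/span>/g, ""));
}

// Self-check for one address: what each kind of reader ends up seeing.
function audit(address) {
  const html = doctoredLink(address);
  return {
    plainMarkup: addressesIn(plainLink(address)),
    doctoredMarkup: addressesIn(html),
    doctoredTagsStripped: addressesIn(stripTags(html)),
    humanSees: renderedText(html),
  };
}

console.log(audit("1234567@example.com"));
```

A reader that only strips tags recovers the decoy-laden string rather than the real address; one that applies the stylesheet or runs the click handler recovers the real one, which is the limit the post acknowledges.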

These measures have worked so far – no spam yet (jinx) – but each of them is bound to give way over time as spammers become more wily. And, eventually, some careless correspondent will leave my treasured e-mail address lying in some online forum or in a virus-addled mail client and I'll have to start all over again *sigh*. So hopefully, action like the US anti-spam legislation and Microsoft's anti-spam algorithms will cut spam at its source – the only way to stop it.

How do you keep your life spam free? Reveal your secrets!




  1. 1/8

    kartooner commented on 7 January 2004 @ 05:47

    I use Mailwasher, a nifty program by Firetrust (and Nick Bolton).

    It essentially allows you to filter out SPAM messages from legitimate emails. It's simple, inexpensive and effective.

    My two cents worth, anyways. Worth a look if you're running into SPAM issues.

  2. 2/8

    Unearthed Ruminator commented on 7 January 2004 @ 07:17

    I use Dan Benjamin's Hiveware Enkoder to put my email address on my site - http://hiveware.com/enkoder_form.php

  3. 3/8

    RMCox commented on 7 January 2004 @ 08:13

    Another perspective on the anti-spam legislation (by Robert X. Cringely) is available here: http://www.pbs.org/cringely/pulpit/pulpit20031218.html

    In my professional experience, where addresses may not be changed or be numbers and have never been spoofed, exposed naked to the interweb, those users who get the most spam (in multiples of ten over the average user) also use their email for internet purchases, mailing lists, memberships, credit card applications, etc. I have 4 very exposed emails on well-trafficked sites (my day job) and even before spam filtering software was installed on the incoming mail server (the answer to your work’s problems), I would only see a handful of spam emails a week. Other users, with less exposed emails, were getting 150 spams a day from excessive use of their email by plugging it into any old web form. Which is not to say that your problems aren't because your email wasn’t harvested and sold, just that that has been my experience.

    In my personal experience, where I have more control over mailto’s I did add [] to my listed email addresses (with deletion instructions) to an unknown degree of effectiveness. The only email of three listed to get any spam was the email listed in whois. Go figure. That (the []) may be as futile as character encoding and as annoying as 'rmcox (at)' but I don’t get enough traffic for any real testing to be accomplished. Your mailto doctoring method is clever but I would be interested if you have any actual stats on its effectiveness. Maybe have a doctored mailto and a non-doctored mailto available on the same page and see which, if either, gets spammed and by what percentages?

    (Also, the http://hiveware.com/enkoder_form.php solution is also clever, but very heavy in terms of file size: imagine a page with 20 emails!)

  4. 4/8

    Keith Bell commented on 7 January 2004 @ 10:02

    Interesting method you have, Cameron. On my personal site I take an even simpler JavaScript approach which degrades gracefully in non-JS browsers (one of the downfalls of more complex methods like Dan Benjamin's Enkoder). So far it's been completely effective, and I've had no reports of problems in any browser or e-mail client. I've described the method at:


  5. 5/8

    The Man in Blue commented on 7 January 2004 @ 14:03

    We did trial a server-based filter application at work, but it classified a small percentage of proper e-mails as spam; people got worried, so it was removed.

    Even on my Yahoo account (my selected "spam account") which would presumably use some pretty heavy spam filtering algorithms, I keep clicking the "this is spam" button but it doesn't seem to decrease the influx.

    As a test of my own personal spam evasion techniques, there are two links here, one using the evader, one not. The one that receives the most spam wins!


  6. 6/8

    RMCox commented on 8 January 2004 @ 01:18

    The false positive is a valid concern and certainly the most fundamental problem with many spam filtering agents. Our filtering system attaches 'spam?' to the subject line of all potential spam, then ranks it with a series of #'s -- you can turn on and off the filter, set the sensitivity of the filter and messages are never deleted but rather moved to a spam folder which the user can periodically check. This allows for very customizable filtering dictated by specific individual user needs. The mail server also has anti-virus software too, so any email I actually view has been through a battery of tests, the attachments are scanned, the domains must be valid and so on.

    Keith's (#comment4) link is an excellent (& elegant) solution -- thanks for providing that, as well as providing a detailed critical analysis of the other options as well.

  7. 7/8

    The Man in Blue commented on 8 January 2004 @ 10:20

    Only just followed Keith's link :D

    Fairly similar to mine, just a bit more elegant. However, instead of using onmouseover, I'd use something a bit more accessible (non-mouse users wouldn't be able to access the link) e.g. onfocus, onkeypress.

  8. 8/8

    Matt Burris commented on 9 January 2004 @ 11:21

    I use a combination of Mozilla Thunderbird's spam filtering and SpamPal. That pretty much covers most of it, with a very small amount of false positives.

    On webpages, I've found a Javascript solution, but I'm open to better ideas for those who have jscript disabled.

    If you go to sign up for something, and email is asked to send you a password, and you don't trust the website/company, use Mailinator: http://www.mailinator.com

  9. Leave your own comment

    Comments have been turned off on this entry to foil the demons from the lower pits of Spamzalot.

    If you've got some vitriol that just has to be spat, then contact me.
