Fighting Spam at the Source

There are a lot of ways for a spammer to get your e-mail address. They can buy it in a package of a thousand e-mails from a third party; they can get it by asking you to “register” with them; they can use a random name generator and then “ask” your mail server if that name exists (most servers support that and do not have time protection)… These are very “successful” tactics, but the cheapest and safest (hence, most popular) is to “snag” e-mails from websites. Lists compiled this way have many advantages for the spammer (find out how some people try to fight back: http://www.awael.net/tools/antispam.shtml).

You can protect yourself from these e-mail-mongers, but not every protection is bulletproof.

1. How do you make an e-mail link? Just like a URL link, only the “href” attribute says “mailto:” followed by your e-mail. This is the default way, and it makes it easy for automated programs to gather your e-mail addresses.

2. Those who know about spammers go a bit further. They make a form that uses some script/program (e.g. Matt’s Script Archive’s “FormMail”) to send the e-mails. This way the page doesn’t contain the word “mailto”, and some of the programs are unable to get the e-mail. Still, most spammer bots are advanced enough to get that e-mail from the source code (you will have a “hidden” field with your e-mail, which follows a strict pattern: an “@” sign and at least one dot after it).

3. Some know about the “intelligent” spammer bots or simply don’t want to use scripts or programs to send e-mail. They use either JavaScript to hide their e-mail or HEX (or both). What these people fail to realize is that the internet follows the same principles as real life. If you have a key, somebody else will be able to copy it. As Steve Williams puts it: “it’s trivial to write a spambot that recognizes character entities and/or follows the redirect.” In other words, if your browser can see the address, spammers will be able to see it and so will their programs.

4. I know of only one bulletproof solution (even though all of the solutions above are pretty robust). “My” solution is a step above the second method, as it involves making a form. In fact, that’s the only problem with it: if users decide not to give you their real e-mail, they could make something up. On the other hand, most people would be able to live with it as long as their inbox stays clean.

Simply change whatever FormMail script you want to use (Perl, PHP, whatever) so that it takes any string as the recipient (no need to check whether the e-mail address exists, etc.). Then write something like this:

    if ($post['recipient'] == "john") { $post['recipient'] = "john@domain.com"; }
    elseif ($post['recipient'] == "mary") { $post['recipient'] = "mary@somedomain.com"; }
    // you might want to play with this line to make sure that your script is more secure
    else { $post['recipient'] = "nonexistent@domain.com"; }


This tactic doesn’t EVER show the e-mail address and unless the spammer gets access to the source of your script he cannot see the e-mails being used.
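One way to tighten the fallback line, as an added example that is not the article's or FormMail's own code: the aliases live in a lookup table, anything not on the list is refused rather than mailed to a dummy address, and header fields containing line breaks are refused too (a check the article does not mention). The field names `subject` and `email` and the function names are assumptions.

```php
<?php
// Added example. Aliases/addresses are the article's placeholders; field names are assumed.
const RECIPIENTS = [
    'john' => 'john@domain.com',
    'mary' => 'mary@somedomain.com',
];

// Return the mailbox for a submitted alias, or null if it is not listed.
function resolve_recipient($alias): ?string
{
    // Form input can arrive as an array (recipient[]=x); accept strings only.
    if (!is_string($alias)) {
        return null;
    }
    return RECIPIENTS[strtolower(trim($alias))] ?? null;
}

// Fetch a form field as a string with no CR/LF, or null if it has either.
function header_field(array $post, string $name): ?string
{
    $value = $post[$name] ?? '';
    if (!is_string($value) || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return $value;
}

// Build the outgoing message, or return null when the submission is refused.
function build_message(array $post): ?array
{
    $to      = resolve_recipient($post['recipient'] ?? null);
    $subject = header_field($post, 'subject');
    $replyTo = header_field($post, 'email');
    if ($to === null || $subject === null || $replyTo === null) {
        return null;
    }
    // A real handler would hand these values to its mail routine here.
    return ['to' => $to, 'subject' => $subject, 'reply_to' => $replyTo];
}

// Constructed submissions: a listed alias, a raw address, a subject with a line break.
$samples = [
    ['recipient' => 'John', 'subject' => 'Hi', 'email' => 'a@example.org'],
    ['recipient' => 'someone@example.net', 'subject' => 'Hi', 'email' => 'a@example.org'],
    ['recipient' => 'mary', 'subject' => "Hi\r\nX-Extra: 1", 'email' => 'a@example.org'],
];
foreach ($samples as $post) {
    $msg = build_message($post);
    echo $msg === null ? "refused\n" : "deliver to {$msg['to']}\n";
}
```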

This approach prevents bots from gathering your e-mail from YOUR website, but what about other people’s websites? The guys at SpamGourmet.com provide a first-rate solution. I really like it and recommend it to anyone who doesn’t fall for schemes like “Work full time while earning your degree” or “Loose 100 pounds in only 5 days for FREE”.

Edited by Alex Pupko (Pupko.com)
