Spam Protection

Most likely I don't have to explain what spam is. Surely you have seen more of it than you really care for. What can be done to reduce it? Quite a lot really.

  • Do not put your e-mail address on your web site unprotected. See the "For Web Masters" paragraph below for more details.
  • Never leave your main e-mail account on web sites which you don't trust. Use a "disposable" e-mail account instead. If that account starts to draw too much spam, simply get yourself a new one and never look at the old one again.
  • Be careful with your main e-mail address in newsgroups. Use a disposable address when you intend to post messages on Usenet. Mail harvesters are known to scan the Usenet groups for new victims.
  • Spend a few pennies more for an internet provider or domain service which provides a good spam and virus filter. Believe me, it's worth it in the end.
  • A very good alternative is Gmail. They've got one of the best spam filters out there. And the best thing is: it's free!
  • Keep your system healthy. Use Linux. Or, if you insist on running some flavour of Windows, use a decent virus scanner. If your computer gets infected, YOU may be sending the spam without knowing it.
  • Be careful with weblogs and forums. If such a weblog or forum shows e-mail addresses of posters unprotected, you're asking for spam. Again use a disposable e-mail account if you don't trust them with your real address.
  • Never, ever reply to a spam message. They love that, because they'll know for sure that your address is real which makes it even more vulnerable.
  • Never, ever, ever, ever buy anything from a spammer. That's why they do it in the first place. And it is worth their while if at least some people buy from them from time to time.
  • Never, ever forward "funny" mails or chain letters to your entire contacts list. If one of your contacts happens to be infected with a virus you'll all end up on a spammer's victim list.
  • Don't ever forward a mail containing hundreds of e-mail addresses from previous victims of such really "hilarious" mail.
  • If you do have to send mail to a lot of people who do not necessarily know each other, send it to yourself with all other addresses in the BCC field. That way you'll keep the other mail addresses safe and private.
  • If the web page you're visiting wants your e-mail address, and you never intend to return to that page again, use www.10minutemail.com. You'll get a mail address which is valid for only 10 minutes. Use this address to receive the login verification code and be done with it.

Some Small Experiments

Experiment number 1

In November 2007 I decided to start a little experiment. On the 14th I put two e-mail addresses on my main page with the intention to attract spam. Not to worry, they were disposable addresses. Now that the experiment is done they are simply discarded and I will never see spam on them again.
Because my ISP has a pretty good spam filter, I had to direct the addresses directly to my spam box; otherwise it might influence the test result.

One of the addresses was an easy target. It was surrounded by a so-called "mailto:" tag, which is a common way to create a clickable e-mail link on a web page. The other address was protected by a small piece of Javascript, the one I've used for several years now and which has proved to be very reliable.

Much to my surprise the easy target started drawing spam within 3 days! I knew it was a sitting duck and it was intended to be one, but that it would take only 3 days for it to be discovered by the bad guys was quite an unpleasant surprise to me.

After seeing proof that it takes only 3 days to get the spammers' attention, I decided that a test period of one week would be sufficient. I don't really need more proof that the Javascript-protected mail is safe. I know it is because I have used it for several years now on this web site and it is still holding strong.

Experiment number 2

On 24 November 2007 I started a new experiment. I posted a message in a commonly visited Usenet group using a new, unique, disposable e-mail address. Let's see what happens with that address.
Well, nothing much happened. It's 5 February now and still no spam on this address. Obviously the particular newsgroup I used isn't visited by harvesters very often.

Experiment number 3

And on 24 November 2007 I started yet another experiment. My main page was indexed by search engines only 2 days after I put the new unique spam trap address on it. Possibly the spam spider uses these results to harvest new victims. Now I've created a separate page, which will not be indexed by search engines (if they obey the rules, that is).
Finally, on 31 January 2008 the first spam arrived. It took them long enough, but they found it after some 2 months. Maybe some harvesters obey the robots.txt file after all.

For Web Masters

The experiments above clearly show that it is crucial to be very careful with your e-mail address on the internet, or you risk being flooded with spam. I'm using a small piece of Javascript to hide my real e-mail address from harvesting robots on my website, while maintaining a normal clickable e-mail link. This method is quite safe; after several years of use I still don't receive any spam on it.
And even if I do get spam on it in the future, it still is a disposable address. I can change it whenever I want.

Here's the piece of Javascript I'm talking about:

<script language="JavaScript">
<!-- Begin
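// The address is kept in two pieces so it never appears whole in the page source.
var user = "myaddress";
var domain = "mydomain";
// "mailto:" is split as well, so the source contains no literal mailto link.
document.write('<a href="mai' + 'lto:' + user + '@' + domain + '">');
document.write(user + '@' + domain + '</a>');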
// End -->
</script>
<noscript>
Here goes some text that can be seen if Javascript is disabled.
</noscript>

It is a simple program, and even if you're a novice to Javascript you can probably see what it does. First, two variables are assigned the two portions of your e-mail address. Then these two variables are used to write a piece of text to your document, containing the href="mailto: part and the human-readable part of your e-mail address.
This results in an apparently normal-looking clickable e-mail address on your page, but this time your HTML code doesn't contain the dangerous mailto tag, nor does it contain a readable copy of your e-mail address.
The last 3 lines of code will make your e-mail address visible on browsers which have Javascript disabled. This time you should take care not to make it too obvious for a machine that it is an e-mail address, e.g. by replacing the @ symbol in your address with a # symbol. Humans are hopefully clever enough to understand that it should be changed in order to make it a valid e-mail address.
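
A way to check your own page before publishing it, as an added example that is not part of the original article: the script below (Node.js) scans HTML source for mailto links and readable addresses, first as static text and then after running the inline scripts. The function names, the `.example` domain and both sample pages are constructed for illustration.

```javascript
// Added example: what a source-scanning harvester can read from a page.
// All markup and the .example domain below are constructed samples.
const MAILTO_RE = /mailto:/gi;
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Report mailto links and readable addresses in a string of HTML.
function auditStaticSource(html) {
  return {
    mailtoLinks: (html.match(MAILTO_RE) || []).length,
    addresses: [...new Set(html.match(ADDRESS_RE) || [])],
  };
}

// Run inline scripts against a stub document.write and return the markup a
// browser would add. This executes the scripts: use on your own pages only.
function renderInlineScripts(html) {
  let out = '';
  const stubDocument = { write: (s) => { out += s; } };
  for (const m of html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) {
    new Function('document', m[1])(stubDocument);
  }
  return out;
}

// Constructed sample 1: the unprotected link.
const plainPage =
  '<a href="mailto:myaddress@mydomain.example">myaddress@mydomain.example</a>';

// Constructed sample 2: the script-assembled link with a '#' fallback.
const protectedPage = [
  '<script>',
  'var user = "myaddress";',
  'var domain = "mydomain.example";',
  "document.write('<a href=\"mai' + 'lto:' + user + '@' + domain + '\">');",
  "document.write(user + '@' + domain + '</a>');",
  '</script>',
  '<noscript>myaddress#mydomain.example</noscript>',
].join('\n');

console.log('plain source:    ', auditStaticSource(plainPage));
console.log('protected source:', auditStaticSource(protectedPage));
console.log('after scripts run:',
  auditStaticSource(renderInlineScripts(protectedPage)));
```

The third result shows the limit of the technique: the address stays out of the static source, but anything that executes the page's scripts sees the finished link.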