Protecting Your Email Address Against Spam


This guide presents methods and best practices for fighting spam and keeping your email addresses off harvested spam lists. Its aims are to:

  • limit access by spam robots (spambots) to your email addresses and prevent their indexing in spam directories and lists;
  • avoid cluttered mailboxes, as well as attempts at fraud and data theft.

It answers the following questions:

  • How do spammers gain access to and capture your email address?
  • How can you prevent your email address from ending up on a mailing list or spam database?
  • How can you protect your email address on the internet to prevent illicit harvesting and avoid spam?


1) Email harvesting: How do spambots track email addresses? Methods used by spammers.

Email harvesting, or email address harvesting, is the illicit, large-scale collection of email addresses for various purposes, notably advertising (spam) and phishing.

Specialised computer programmes, called email harvesting robots or spambots, continuously scour the internet as well as website content, forms and contact lists, forums, and social networks searching for email addresses to capture.


Here is an overview of the different methods used by spammers to harvest email addresses on the Internet:

Harvesting from discussion groups - forums
Discussion groups abound with email addresses, and it is very easy for spammers to collect them.

Web harvesting
This is probably the most used technique: the spammer uses computer programmes “robots” that analyse all web pages in search of email addresses. As soon as an email address is visible on a website, it is identified and collected to be stored on spam mailing lists.

Automatic generation of email addresses (random)
The spammer selects a target domain and attempts to randomly determine existing email addresses (usually trying commonly used addresses such as admin@, administrator@, hostmaster@, webmaster@, postmaster@, contact@, etc.).

Virus attacks
Spammers increasingly use viruses whose sole purpose is to collect a list of email addresses contained in files or in the address book of the infected computer. Once the list is stolen, the virus can either send spam itself or send the contact list so it can be used or resold.

Hacking
When hackers break into computer systems, they sometimes come across email address lists which they do not hesitate to harvest and resell.

Parallel legitimate activity
Sometimes a website with a perfectly legitimate activity is published and controlled by a spammer. Be wary of suspicious sites and prefer an alternative email address, so that your personal or professional address is not polluted and harvested.

Buying and selling mailing lists
Many companies sell email address lists that were compiled legally and/or illegally. Unfortunately, selling such lists is not in itself illegal.


Note:
- Robots or spambots generally search for the @ character to identify an email address, but the more sophisticated ones often include other spellings such as [at], (at), [AT] or (AT), [point], (point), [POINT] or (POINT) in their search:

email@example.com
email[at]example.com
email[AT]example.com
email(AT)example[POINT]com
etc.

- The HTML email format mailto “mailto:email@example.com” also allows spambots to unambiguously identify an email address which they can easily harvest.


2) Format of an unprotected email address

To better protect against spammers and robot attacks, it is essential not to display your email address in clear text on the internet and on your website.

Generally, websites display an email address using a simple method that robots detect easily: the mailto link.

<p> Contact us by email at the following address
<a href="mailto:email@example.com">email@example.com</a>
</p>

From the user’s perspective, this is the best option to make an email address visible and accessible on the internet. From the spammer’s perspective, it is also the best option for identification and harvesting when the address is visible in clear text.


In general, email address protection methods mainly aim to keep it visible for the user while making it invisible in the source code. The most effective methods therefore consist of replacing, hiding or encoding the email address in the source code so that it is not visible and detectable by robots.


3) Replace an email address to make it invisible and protect it

An email address can be easily protected by replacing it with an image or a redirection link to the mailto.

  • Embed an email address as an image

When an email address is inserted as an image, it remains visible to users but is difficult for robots to identify. There are indeed some spambots capable of analysing images using optical character recognition (OCR), but these are a tiny minority.

Protection in the form of an image therefore provides very good protection against spam: it is effective and easy to implement.

The following HTML code allows you to embed an email address as an image on a website:

<a href="mailto:email@example.com">
<img src="https://antispam.png" width="120" height="120" alt="Contact us by email at: email@example.com">
</a>
For website visitors, the image displays in the browser like a regular image, as follows:

Contact us by email at: email@example.com

Be mindful of accessibility: textual information presented as an image is generally not accessible to visually impaired people. It is therefore recommended to include an image description as alternative text (Alt), which must however be protected, as it is otherwise easy for spambots to decipher.


  • HTML redirection link

This method consists of separating the email address from the website so that it is not linked to pages scanned and indexed by robots. Usually, a script is used which redirects users to the mailto link. This has the advantage of opening the user’s email client/application directly with the corresponding email address pre-filled in the “To” field. For spambots, this link looks like any other file. This protection technique can notably be implemented using a link to a PHP file containing the redirection:

<p>
Contact us by email at
<a href="redirect-mailto.php">Email address</a>.
</p>

The content of the redirect-mailto.php file is a script that redirects to the real mailto link.

<?php
// Redirect the visitor to the real mailto: link; the address never appears in the HTML page itself.
header("Location: mailto:email@example.com");
exit;
?>

If you want the email address to appear visually on the page, it is necessary to combine this method with that of the image.


4) Hide an email address using encoding

It is possible to hide your email address by encoding it, by inserting extra elements into it, or by assembling it in the web browser with JavaScript. Simple encoding can be created using HTML entities, as well as URL (percent) and HEX encodings.

Methods to hide an email address use comment features, as well as HTML and CSS elements. There is also a more complex solution which consists of hiding your email through dynamic composition of the address in JavaScript.


  • Hide an email address by encoding characters

Character encoding used to hide email addresses in source code is based on HTML entities, HEX code, or percent encoding of URLs.

1. &commat; = @
2. &period; = . (dot)

More info:
Special Characters for use in HTML documents
w3schools HTML Unicode (UTF-8) Reference


This will appear in the source code as follows:

<p>
Contact us by email at:
<a href="mailto:email&commat;example&period;com">
email&commat;example&period;com</a>
</p>
Since HTML entities are defined only for special characters, neither the entire email address nor the HTML mailto reference can be encoded. However, a description with HEX encoding is possible using the corresponding Unicode character or numeric character reference (NCR), which will appear as follows:

&#number;
The email address <email@example.com> including the mailto link ("mailto:email@example.com") is, in hexadecimal (HEX), 6d61696c746f3a656d61696c406578616d706c652e636f6d; each byte is then written as a hexadecimal NCR, which gives the following:

<p>
Contact us by email at:
<a href="&#x6d;&#x61;&#x69;&#x6c;&#x74;&#x6f;&#x3a;&#x65;&#x6d;&#x61;&#x69;&#x6c;&#x40;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;">
Email address</a>.
</p>

Another example of Unicode code point NCR encoding (hexadecimal), in which only the address part is encoded and the mailto: scheme is left in clear (the references must be written without spaces, otherwise the spaces become part of the link):

<p>
Contact us by email at:
<a href="mailto:&#x65;&#x6d;&#x61;&#x69;&#x6c;&#x40;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;">
Email address</a>.
</p>

Online encoders/decoders (examples):
https://cryptii.com/
https://www.hexator.com/

HTML Symbols, Entities, and ASCII Character Codes


Another method to protect your email address against spam is to use URL encoding (percent encoding), which allows inserting special characters interpretable by the browser in a URL. These are combinations of three characters containing the percent symbol (%), followed by the two-character hexadecimal ASCII code of the desired sign. The following example shows how the @ character is masked by this URL encoding:

<p>
Contact us by email at:
<a href="mailto:email%40example.com">Email address</a>.
</p>
Note: while this character encoding method is quite simple and quick to implement, it offers relatively weak protection compared to other methods, as almost all spambots today can decode it.
URL encoder and decoder
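As an added example (not code from the original guide), the following JavaScript produces the hexadecimal NCR, decimal NCR and percent-encoded variants of a mailto link described in this section, then decodes them again the way a browser does, as a self-check that the encoded href still points at the intended address. The function names and the sample address are this example's own assumptions; the two-line decoder is also why the note above rates this method as weak.

```javascript
// Added example: encoding variants for a mailto link and a browser-style decode.
// Names and the sample address are this example's own (constructed values).
const HEX_NCR = "hex";
const DEC_NCR = "dec";
const PERCENT = "percent";

// Encode every character of `text` as a hexadecimal or decimal numeric
// character reference (&#x6d; or &#109;). Browsers resolve NCRs inside
// attribute values, so the href still works as a mailto link.
function toNcr(text, style) {
  return Array.from(text, (ch) => {
    const cp = ch.codePointAt(0);
    return style === HEX_NCR ? `&#x${cp.toString(16)};` : `&#${cp};`;
  }).join("");
}

// Percent-encode only characters outside the URL "unreserved" set
// (letters, digits, - . _ ~); "@" becomes %40, as in the guide's example.
function toPercent(text) {
  return Array.from(text, (ch) =>
    /[A-Za-z0-9\-._~]/.test(ch)
      ? ch
      : "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")
  ).join("");
}

// The href value for a mailto link in the requested style.
function encodeMailto(address, style) {
  if (style === PERCENT) return "mailto:" + toPercent(address);
  return toNcr("mailto:" + address, style);
}

// What the browser ends up with: NCRs are resolved first (HTML parsing),
// then percent-escapes (URL handling). Two replacements undo all three styles.
function decodeHref(href) {
  const unescaped = href
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
  return decodeURIComponent(unescaped);
}

// Self-check: every style must decode back to the same mailto link.
function roundTrips(address) {
  return [HEX_NCR, DEC_NCR, PERCENT].every(
    (style) => decodeHref(encodeMailto(address, style)) === "mailto:" + address
  );
}
```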


  • Hide an email address by adding characters in HTML or CSS

It is also possible to hide your email address by adding unnecessary characters in the source code, which “pollute” it. With this method, robots cannot read or identify the email address. HTML comments are notably an easy solution to implement this protection.

<!-- 123@abc -->
<!-- @def.fr -->
By inserting comments in this way, robots are unable to read and identify the email address:

<p>
Contact us by email at:
em<!-- 123@abc -->ail@exam<!-- @def.fr -->ple.com.
</p>
In the web browser, HTML comments are not displayed on the page: the user therefore sees the email address correctly displayed and readable in clear text, without the comments, in its "normal" format: “Contact us by email at: email@example.com.”


The CSS method: this solution consists of inserting arbitrary characters, not as a comment but as text that CSS makes invisible in the browser.

In this example, a span is inserted in the email address. The content of the tag is not displayed by the browser because its display property is set to none (value = none).

<style type="text/css">
span.spamkiller {display:none;}
</style>

<p>
Contact us by email at:
email<span class="spamkiller">yoursuiteofcharacters</span>@example.com.
</p>

This method displays the correct email address in the browser so that it is readable only by the user, while the spambot will read the text contained in the span element. This allows the use of an email address dedicated to fighting spam, here for example <emailyoursuiteofcharacters@example.com>, as a honeypot to attract spammers to this address, identify and neutralise them.

NB: this method does not allow inserting a mailto.


  • Reverse the display of characters in the email address

It is also possible to use CSS to reverse a sequence of characters, more precisely in our case, to reverse the display of characters of an email address. This allows entering email addresses with source code in reverse order (right-to-left reading direction) to fool robots.

<style type="text/css">
span.ltrText {unicode-bidi: bidi-override; direction: rtl}
</style>
<p> Contact us by email at:
<span class="ltrText">moc.elpmaxe@liame</span>
</p>

Robots will therefore read the email address backwards <moc.elpmaxe@liame> in the source code. However, for website visitors the email address will display correctly, because the CSS property unicode-bidi with the value bidi-override and the direction rtl (right to left) causes all characters of the span element to be reoriented and readable in the correct format by the user in the browser.

NB: the most advanced spambots are also able to decode this.


  • JavaScript

Simple JavaScript

Principle: use a JavaScript function to display the email address only at the time of rendering by the browser: JavaScript is processed by the web browser and not by the server.

<script type="text/javascript">
// Assemble the mailto link and the visible address only when the browser runs the script
function generateAddress(firstName, lastName, domain) {
  var address = firstName + lastName + "@" + domain;
  document.write("<a href=\"" + "mail" + "to:" + address + "\">" + address + "</a>");
}
</script>

<!-- display the email address on the web page -->
<script type="text/javascript">generateAddress("john", "doe", "yourdomain.com");</script>


Dynamic JavaScript composition

JavaScript offers another option. The address is split into several parts, which the browser composes dynamically when the page is displayed: the parts are assembled and the email address is only then reconstructed.

<script type="text/javascript">
var part1 = "email";                                    // local part
var part2 = Math.pow(2,6);                              // 64, the character code of "@"
var part3 = String.fromCharCode(part2);                 // "@"
var part4 = "example.com";                              // domain
var part5 = part1 + String.fromCharCode(part2) + part4; // full address for the href
document.write("Contact us by email at: <a href=" + "mai" + "lto" + ":" +
part5 + ">" + part1 + part3 + part4 + "</a>");
</script>

Result:
“Contact us by email at: email@example.com”

Each of the different parts of the email address is defined individually on lines 2 to 6.

The special character @ is produced in two steps: the expression Math.pow(2,6) in part2 gives the number of the character in the ASCII-compatible character set (2^6 = 64); part3 then converts this number into the character with the function String.fromCharCode(part2).

The values assembled in part1 to part5 are written to the page on line 7 by the function document.write().

The email address is only available once the script is executed client-side by the web browser. It is also possible to trigger the script execution after a click.


5) Encrypt an email address

JavaScript also allows encrypting your email address to protect it from robots and spam, using a common rotation encryption algorithm, ROT13, which can be easily implemented with a few lines of JavaScript code as detailed below.

<script type="text/javascript">
function decode(a) {
return a.replace(/[a-zA-Z]/g, function(c){
return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13)
? c : c - 26);
})
};
function openMailer(element) {
var y = decode("znvygb:wbuaqbr@lbheqbznva.pbz"); // ROT13 of "mailto:johndoe@yourdomain.com"
element.setAttribute("href", y);
element.setAttribute("onclick", "");
element.firstChild.nodeValue = "Open the mail application";
};
</script>
<a id="email" href=" " onclick='openMailer(this);'>Click here to see the contact email</a>



Code explanation:

Lines 2 to 7 - the ROT13 routine that decodes the email address (ROT13 is its own inverse, so the same routine also encodes it).

Line 9 - the encrypted version of the example email address <johndoe@yourdomain.com> using ROT13, including the mailto: "znvygb:wbuaqbr@lbheqbznva.pbz".

Lines 8 to 13 - functions to open the mail application configured by default by the user and pre-fill the “To” field with the contact email address.

The script launches when clicking the displayed link: “Click here to see the contact email” (line 15). After clicking, the link “Open the mail application” is displayed (line 12).

NB: You can also use the encrypted email address as a honeypot. In this case, the domain name and extension should not be encrypted.
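The honeypot variant described in the note above, as an added example that is not part of the original guide: only the local part is ROT13-encoded, so the decoy address that a harvester collects from the source stays on a domain you control and can be monitored, while a click restores the real address. The function names, the element-like parameter and the sample address johndoe@yourdomain.com are this example's assumptions.

```javascript
// Added example: ROT13 honeypot link. Names and the sample address are
// this example's own (constructed values), not code from the guide.
function rot13(text) {
  return text.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= "Z" ? 65 : 97;                 // 'A' or 'a'
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// String to embed in the page: local part rotated, domain left in clear,
// so the decoy (e.g. wbuaqbr@yourdomain.com) lands on your own domain and
// any mail sent to it reveals a harvester. The real address never appears.
function encodeHoneypot(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) throw new Error("expected local@domain");
  return rot13(address.slice(0, at)) + address.slice(at);
}

// Inverse of encodeHoneypot (ROT13 applied twice is the identity).
function decodeHoneypot(encoded) {
  return encodeHoneypot(encoded);
}

// Click handler: `element` is the clicked anchor. Any object exposing
// setAttribute and textContent works, which keeps this testable outside a
// browser. The mailto: link is only written to the DOM after the click.
function openMailer(element, encoded) {
  const address = decodeHoneypot(encoded);
  element.setAttribute("href", "mailto:" + address);
  element.setAttribute("onclick", "");               // decode only once
  element.textContent = "Open the mail application";
  return address;
}

// Markup for the page, with only the decoy in the source:
//   <a href="#" onclick="openMailer(this, 'wbuaqbr@yourdomain.com')">
//   Click here to see the contact email</a>
```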


6) CAPTCHA

CAPTCHA solutions provide additional protection against spam. The most widespread is Google’s free solution: reCAPTCHA.

Our advice: implement a CAPTCHA that is as readable as possible, preferably using word series in the user’s language with slight distortions. You can also allow slight tolerance for typos.

NB: there are now solutions capable of solving and bypassing image captchas.


7) Contact form

The last solution to protect your email address on the internet is to use a contact form, which allows not publishing and displaying your email addresses on the website. To prevent robots from automatically filling out your forms, remember to protect them with captchas.


8) Alternative email addresses

When registering on certain sites, social networks or newsletters, simply avoid giving your primary email address and prefer the use of email addresses dedicated to this use or disposable addresses.