A Quickie



Spider
08-16-2010, 08:53 PM
Is it still true to say that spam crawlers search for the "mailto" attribute to harvest e-mail addresses? Thus, is it still inadvisable to "hot-link" an e-mail address on public web pages?

cbscreative
08-16-2010, 09:32 PM
As far as I know, yes, but there is a solution that, while it may not stop all, will stop a lot of them. I'd rather not post that, so check your PM.

Spider
08-17-2010, 08:54 AM
Thank you, Steve. I use exactly the same method, only I code it by hand - I didn't know there was a utility that did it. Thanks for that.

I am still interested to know whether spambots still harvest in this fashion. The last time I heard anyone warn against hotlinking an e-mail address with 'mailto' must have been several years ago - an eternity in net terms. I wondered if the e-mail harvesters were using a different method, these days. Does anyone know?

Harold Mansfield
08-17-2010, 10:04 AM
Harvesters are still hard at work, as are spam commenters. They will probably never go away. I don't think they even need the link to be live anymore, it just needs to be published openly so it is best to use a masking script, contact forms, or images.

Personally, I use contact forms. You still get an occasional solicitation, but it's much cleaner and less opportunity to get harvested.

Spider
08-17-2010, 10:16 AM
Can anyone corroborate that as a fact - that e-mail harvesters do pick up unlinked e-mail addresses from the published page rather than from the code?

cbscreative
08-17-2010, 10:33 AM
Frederick, the masking method I shared does not stop all harvesting, or at least I doubt it does, but it appears to help. I've used it on many sites and the spam levels are no worse than an email that's not published on a web site.

Spider
08-17-2010, 10:56 AM
I agree, Steve. I believe some spambots may have read and translated my coded address but it's not a lot - they may equally have read the published page, as Harold suggested. I'd like confirmation of unlinked e-mail addresses being harvested. Anyone?

vangogh
08-17-2010, 11:09 AM
Unfortunately I don't think there's any method that works 100%. If you put your email online for someone to see it and contact you then you have to accept that some of those people could also place the email on a list for the purposes of spamming. You're never going to be able to spot that actual person who visits and sees the email.

However most (if not all) harvesters are automated so the trick is to make your email not look like an email in the code itself. Think like an email harvester for a moment. Every email contains an @ symbol somewhere so they're typically going to crawl a page looking for that symbol or something like a character entity that will display as that symbol. Once found they can analyze the code around it. The symbol is there whether or not the address is linked.

I do see some people using [at] to represent @, which may help, though it would also be trivial to search for. The best method is probably to use an image, though even those can be harvested and you also have to keep in mind that it would mean people who want to contact you would have to type out your email, potentially getting it wrong.

In the past I tried using masking, but I don't bother any more. I want to make it easy for visitors to my site to contact me and unfortunately making it easy for them also makes it easy for harvesters. I use an email that I don't use for other purposes to help protect my main email addresses.

Also know that harvesting from your website isn't the only way email gets collected. I find it more and more common that email is harvested from domain registrar information and other sites where you use an email address. For example if you have a Facebook account and leave the email public then your email can be harvested there regardless of protections you take on your site.
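The scan described in the post above (look for the @ symbol, a character entity that displays as it, or an [at] stand-in) can be turned into a check you run over your own page source to see which published addresses are recoverable and in what form. This is an added example, not code from anyone in the thread; the sample HTML, the example.com addresses and the function name audit_page are constructed for illustration.

```python
import html
import re

# Deliberately simple address pattern; good enough for auditing your own pages.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.I)
AT_WORD = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I)
DOT_WORD = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I)
TAGS = re.compile(r"<[^>]+>")

# Constructed sample page: one address per exposure style, plus a contact form link.
SAMPLE = """
<p>Sales: <a href="mailto:sales@example.com">email us</a></p>
<p>Support: support@example.com</p>
<p>Owner: owner&#64;example&#46;com</p>
<p>Press: press [at] example [dot] com</p>
<p>Contact form: <a href="/contact">write to us</a></p>
"""

def audit_page(source):
    """Map each recoverable address to the most exposed form it appears in."""
    findings = {}

    def record(addr, how):
        # Keep the first (most exposed) form recorded for an address.
        findings.setdefault(addr.lower(), how)

    # 1. Linked addresses: the mailto: target itself.
    for m in MAILTO.finditer(source):
        record(html.unescape(m.group(1)), "mailto link")
    # 2. A literal @ in the raw source, linked or not.
    for m in EMAIL.finditer(source):
        record(m.group(0), "plain text")
    # 3. Character entities decode to the same @ the browser shows.
    decoded = html.unescape(source)
    for m in EMAIL.finditer(decoded):
        record(m.group(0), "character entities")
    # 4. [at]/[dot] stand-ins in the visible text are a trivial rewrite away.
    text = TAGS.sub(" ", decoded)
    rewritten = DOT_WORD.sub(".", AT_WORD.sub("@", text))
    for m in EMAIL.finditer(rewritten):
        record(m.group(0), "[at]/[dot] substitution")
    return findings

if __name__ == "__main__":
    for addr, how in audit_page(SAMPLE).items():
        print(f"{addr:24} exposed via {how}")
```

The contact-form link produces no finding because no address is present in the page source at all.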

Spider
08-17-2010, 11:16 AM
Fine, but do you know of unlinked e-mail addresses being harvested from the published page? I realize that they can, just as they can decode the dodge Steve and I use, but do they?

Harold Mansfield
08-17-2010, 11:23 AM
> Fine, but do you know of unlinked e-mail addresses being harvested from the published page? I realize that they can, just as they can decode the dodge Steve and I use, but do they?

Of course they do. Any and every opportunity to exploit is being scanned for constantly. Many people out there just refuse to do legitimate work. But if you need a concrete example... my email on my music blog was recently exploited after 3 years of no spam. It took me a while but I found an instance on an old post where I published the email without a live link... but with the "@".

Now that account is constantly bombarded with Pharmaceutical and ****** spam.

Bottom line online, if you leave it open, someone will exploit it. That's just how the web is. No exceptions.

Steve brings up a lot of good points...there are plenty more places to get your email address.

With a $40 program, all you need is a URL and it will come back with every email address ever used on that URL. What saves most of us is that this is all illegal in the U.S. now, but outside the U.S. they could care less about our laws... most of my spam comes from India and China. They don't follow any rules and they are relentless.

Spider
08-17-2010, 11:31 AM
So, for 3-years your e-mail address was published unlinked and was not harvested, and the one occasion that it was linked it was harvested. Thanks. That tells me 'though they can harvest a published unlinked address they generally do not. Just the same with the coded e-mail - they could harvest them but generally do not. Too much trouble, I suppose. Great! Thanks, all.

Harold Mansfield
08-17-2010, 11:37 AM
> So, for 3-years your e-mail address was published unlinked and was not harvested, and the one occasion that it was linked it was harvested. Thanks. That tells me 'though they can harvest a published unlinked address they generally do not. Just the same with the coded e-mail - they could harvest them but generally do not. Too much trouble, I suppose. Great! Thanks, all.

I really would not count on that nor make such a decision based on one story of one email address. I have at least 20 active email addresses right now and have had many compromised over the last few years, in many different ways, that I don't use any more.

If you leave it out there, someone is going to exploit it. You would be taking an unnecessary risk that generally only noobs would take. You aren't a noob, and you have access to the opinions of experienced people in this area.
There is no reason to take this risk. They will eventually get you. That's what they do. That's all they do.

Spider
08-17-2010, 12:44 PM
I have to work with the information I have. I cannot not publish the email address, otherwise no-one will be able to contact me. I will avoid the most common harvesting and risk the least common harvesting. Noob or non-noob, I see no way of 100 percent protection.

Harold Mansfield
08-17-2010, 12:54 PM
Doesn't Wordpress.com have a contact form option?

Actually it does:
http://en.support.wordpress.com/contact-form/#configuration


* Your email addresses are never shown, and the sender never learns it (unless you reply to the email!).
* All contact form messages are filtered through Akismet, so the amount of spam you receive will be minimal, if not zero.
* Visitors can type anything into the name and email boxes, so it is easy to fake an identity. If a logged-in WordPress.com user sends you a message, the email will tell you that it was sent by a verified user and you can trust the name and email. As with anything online, know that anonymity is both a curse and a blessing :)
* You can include any text or other allowed elements above or below the contact form.
* If you have Custom CSS, you can customize the look of the form. You cannot add/remove form fields (other than subject) from the contact form, however.
* Each post, page, and text widget will only display one contact form. You can have multiple contact forms in the sidebar by using multiple text widgets.

vangogh
08-17-2010, 03:39 PM
Frederick, what's going on is that each level of masking you take, from not making the email an active link to using complex javascript code to hide the email address, makes it less likely your email will be harvested. I hope we're not giving you the idea that you shouldn't do anything.

Think of it this way.

If you park your car in the middle of Detroit with the doors unlocked, the keys inside, and the engine running, I'm thinking it won't be there when you get back. Take the keys out and lock the doors and you have a better chance it will still be there. Add the club to lock the steering wheel and you again increase the odds of your car still being there. Add an alarm and again further increase the odds.

However realize that you can do all of the above and your car can still be stolen, probably in less than a minute. Each level of security you added will keep some people away or more likely make another car parked near you the easier to steal. Now just because your car still can be stolen with all the security measures it doesn't mean you should use those security measures. You should as long as you understand there's no such thing as 100% security.

With email addresses the most common are linked to make it easiest for visitors to contact you. So when a harvester is writing a tool or using one to collect email addresses that tool is very likely going to look for linked emails. Those tools can still easily be programmed to look for unlinked emails, but odds are fewer are. If an email is an active link it's most likely an active email. Unlinked emails, emails using [at], etc. that are found may include more false positives for the harvester.

Definitely mask the email in some way. Just know the more you do that to prevent harvesters from collecting it, the more difficult you might also be making it for people to contact you. There's a tradeoff and only you can determine where the balance is for your site.

Business Attorney
08-17-2010, 03:52 PM
> I find it more and more common that email is harvested from domain registrar information ...

I've noticed that I get a fair amount of spam at an address I only used for a couple of domain registrations.

billbenson
08-17-2010, 03:53 PM
I use JavaScript to hide my email. I haven't had any spam emails on those email addresses and they have been active for years. I don't like the idea of using an image as that allows people to mistype the email, particularly if they are long.

One of the best things you can do is never send an email from the address on your website. If you send it to someone that has an email harvesting virus on their pc, you will end up on a spam list. I only receive emails from the address on my site and no spam on that email ever!

Harold Mansfield
08-17-2010, 04:09 PM
Basically you can deter the amateurs but you can't stop the pros if you are intent on publishing it in some way. That's why forms are so popular. No way to ever see the email address without hacking the site's files... and most pros won't go that far just for an email address.

vangogh
08-17-2010, 10:58 PM
> I've noticed that I get a fair amount of spam at an address I only used for a couple of domain registrations.

That's exactly how I noticed it too. I have so many different emails and I used them for different things. Helps determine who is and isn't giving away your email address. That's not why I have so many email addresses, but it is one side effect.

jimr451
08-19-2010, 12:05 PM
I've recently added my email address back to my website contact page - not as an "href:mailto", but still "cut-pastable" for users.

I find that it's often one of the first questions a client asks me when they call - what's my email address? I have a form on that page, but I think some people are more comfortable sending an email directly.

So, it may increase my spam, but I'm guessing it's worth it if it pulls in more leads from people unwilling to fill out the form.

Maybe I'll regret it, who knows. But I already get so much spam, I can't imagine it getting much worse.

-Jim

cbscreative
08-19-2010, 01:48 PM
Jim, I agree. It is a trade-off, but you have to be willing to put up with inconvenience to make things easier for clients/customers. Publishing your email will invite some amount of spam, but it also makes you "approachable" in business. I find it very annoying if the email is not published. From my understanding of the research, you will lose business that way too.

vangogh
08-19-2010, 09:55 PM
I agree too. I used to spend more time masking the emails on my site, but they'd still get scraped and spammed. I decided to make it as easy for my visitors as possible and deal with the spam. In the end we're trading the annoyance factor between us and our clients. I'd rather put it on me. I set up an email solely for contacts through my site and accept that it will get some spam. It's not too hard to find the legit emails and delete the spam ones.

Business Attorney
08-19-2010, 11:33 PM
I agree, too. I have not only listed an email address, I give my regular firm email address on my site. Yes, I get some spam but the value of the business I have received by being accessible far outweighs the hassle of dealing with the spam.