 Published on MacDevCenter (http://www.macdevcenter.com/)


Building Your Personal Anti-Spam Strategy

by Michael Herrick
11/01/2002

You're just getting back from a well-deserved and much-enjoyed vacation. For two weeks, you haven't touched a keyboard, looked at a screen, or put a phone to your ear. Now it's payback time. It's your first morning back in the office and you can't put it off any longer. You've got to check your email.

Your first glance at the email status bar confirms your fears. There are 1,840 messages waiting to be picked up. You groan. You know that translates to about 1,800 spams. Well, it's nice to know someone cares. Hold my calls for the next hour. I'm deleting spam.

What used to be a minor annoyance has become the scourge of the Internet, ruining your email experience. Everyone gets spam, of course, but you've been depending on business email for years, so you get a lot of spam. When your Aunt Gussy starts complaining about the junk she gets on her AOL account--"positively dozens!"--you just roll your eyes. Try hundreds. Try thousands. Day in and day out. What can you do about it?

Maybe you accept spam as an inevitable annoyance. Maybe you've grown used to hovering over the delete key while reading email. Maybe you've given up.

Don't.

Spam may seem like a big problem, and it is, but you can do something about it. In fact, you've got to. You don't have a choice. If you're one of those people who receive 50 or 100 or more spams every day, you've simply got to find a way to manage it. Fortunately, there are steps you can take to reduce the time you spend dealing with spam. In this article, we'll look at some of the ways you can reduce or limit the amount of spam you receive by becoming invisible to spammers. In the next article, we'll discuss some ways you can automatically identify and remove spam you are already receiving. Put them together and you can build a personal anti-spam strategy that works for the kind of mail and the kind of spam you receive.

Spam's Not Funny, But Don't Stop Smiling

The first essential in any anti-spam strategy is a sense of humor. A sense of humor can protect us from the natural, but pointless fits of powerless indignation. I'm not at all suggesting a grin-and-bear-it, "I-just-hit-the-delete-key" approach to dealing with spam. I don't recommend resignation. But if we can't laugh at spam, what can we laugh at? Yes, spam is an unconscionable intrusion on your time, an immoral theft of electronic resources, and a repugnant reminder of the most shameful degradations endemic to human nature. But where else can you receive serious, money-laundering offers from third-world con-artists, candy bars with 1,200 negative calories, or incompetently faked nude photos of celebrities you don't even recognize? Yes, they really expect you to believe it. And some people do. Isn't it fun to imagine a disappointed customer sending before-and-after photos to the attorney general proving the ineffectiveness of the latest enlargement formula?

The need for humor is one reason why I always insist on referring to the problem by its most evocative name, spam. I get impatient with anyone who insists on referring to it with some polysyllabic incantation of Latin origin or, worse, an acronym. Maybe a bombastic name is helpful when trying to bamboozle a senator into sponsoring an anti-spam bill he doesn't really understand, but those of us outside the world of legislation (which was once likened to another processed meat product) can afford to be less stuffy. What better way to refer to in-box crud than with the name of a funny meat that makes a yucky slurking sound when it plops out of the can? Spam is a fun word, even a legally permissible word, that can take some of the sting out of processing the daily flood of digital sewage.

Protect Yourself


Having armed yourself with the mental attitude needed to protect yourself from useless bursts of wrath, what technical steps can you take to stem the flood of spam? First, you should begin at the beginning. Before you start trying to delete the spam you're already receiving, is there anything you can do to prevent new spam?

In order to send spam, spammers need email addresses. To date, the most common way for spammers to obtain valid email addresses has been Web page harvesting--the use of specialized automation software called "spambots" to scan thousands of Web pages and save all the email addresses that can be found. Spammers continue to develop nasty new ways to get your address, but publishing your email address on a Web page is still the easiest way to get attention from spammers.

Anytime you publish an email address on a Web page, you should take steps to protect it from being harvested by spammers. There are several ways you can protect your email address, ranging from the totally useless to the reasonably effective.

  1. Try to obfuscate the characters of your email address. Some people paraphrase their email address--spelling out "at" and "dot com"--or insert extraneous characters intended to trip up spambots. Not only do such techniques look unprofessional, they provide very little protection. Any decent spambot can decode them and get your actual email address.

  2. Create a robots.txt file to keep spambots away. The robots.txt file is a file you can place on your server to specify how automated software should be allowed to access your pages. But adherence to robots.txt guidelines is wholly voluntary. Legitimate Web crawlers will honor a robots.txt file, but spambots don't care. Simply posting a "No mosquitoes allowed" sign on your patio will not guarantee a pleasant barbecue.

  3. Encode your email address with HTML entity codes. Every keyboard character has an ASCII number equivalent that can be specified on a Web page in lieu of the actual character. Browsers automatically convert the code to the required character, but spambots, it was assumed, do not. In fact, spambots figured out this trick a long time ago, so changing the @ character into &#64; doesn't offer any protection.

  4. Render your email address with a server-side script. All server-side scripting environments allow you to ask for the name of the browser program. You can choose to block access from known spambots or unrecognized browsers. Unfortunately, most spambots spoof their credentials and claim to be the latest version of Netscape Navigator, so you're not fooling anyone with this trick.

  5. Render the text of your email address in an image file. Don't type your email address into your Web page; instead, link to a graphic file that is an image of your email address. Spambots are unlikely ever to implement graphics-to-text converters, so this method is a pretty sure-fire way to prevent harvesting while still making your address readable by most users. But the graphical approach has disadvantages. Your email address won't be readable by visually-impaired users or users with certain browsers, including some wireless devices. It is not possible to create a clickable email address link with this tactic since the HTML code for the email link would be vulnerable to harvesting. And a graphically rendered email address may be more difficult to maintain, especially when many email addresses are involved. You might be able to alleviate some of the maintenance problems by creating a single graphic of an @ symbol and using that, in combination with text, to produce a readable email address.

  6. Render your email address with a JavaScript. You can create a very simple JavaScript that any modern browser program can effortlessly convert into an email address but which looks like gibberish to most spambots. In its simplest form, your JavaScript might look something like the following:

    <script language="JavaScript">
    document.write( "jim_smith" );
    document.write( "@" );
    document.write( "matterform.com" );
    </script>

    When interpreted by a JavaScript-enabled Web browser, that script displays the address jim_smith@matterform.com, while the page source contains only the three separate string fragments.

    JavaScripts like this are easy to write; you might even be able to automate their creation. The more complicated you can make the JavaScript, the less likely a spambot will ever be able to decode it. Numerous free Web sites let you instantly convert any email address to a reasonably obscure JavaScript, and a few companies (including mine) publish commercial software that can automate the process on multiple Web pages at once. If your JavaScript creates the right HTML code, you can offer your visitors a clickable email link, something not possible with other techniques described here.

    The main disadvantage to JavaScript rendering is that the resulting email address and/or link is readable only by JavaScript-enabled browsers. Many wireless devices do not support JavaScript, and many desktop users disable JavaScript. Compatibility can be improved through the use of <noscript> tags, which allow you to display special content to non-JavaScript browsers. Just be aware that the contents of the <noscript> tag will be visible to spambots, so any information you put there must be protected. A graphically-rendered email address is a good choice for the <noscript> tag. It allows you to provide a text-based, clickable link to JavaScript users, along with a decent substitute for non-JavaScript users. (The email addresses on this page have been protected by my company's product, Spam Vaccine, which uses just this sort of JavaScript and graphic combination. View the HTML source to see how it's done.)

  7. Create contact forms instead of email links. By making a contact form that sends you an email, or stores messages in a Web-enabled database, you can keep your email address off the Web altogether. Just make sure you store the email address in the server-side script or CGI application that processes the form, not in the form itself, where it would still be vulnerable to spambots. If you do it right, you get complete protection. Your email address will be completely protected and completely hidden from any spambot. It requires additional setup time and expertise, which may be impossible if your Web hosting provider doesn't let you create custom scripts or CGI applications, or unfeasible if you have numerous addresses to protect. And you may decide that contact forms just aren't appropriate for your site. I have always felt that a real email address published on a Web page, along with a phone number and snail-mail address, goes a long way towards establishing credibility in the e-commerce world.
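The JavaScript-plus-noscript combination described in item 6, as an added example that is not part of the original article or of Spam Vaccine: a small generator that stores the address as shifted character codes, emits a script that rebuilds a clickable link in the browser, and includes a noscript image fallback. The image path and the shift constant are assumed placeholder values.

```javascript
// Added example (not from the original article). Generates a JavaScript-rendered,
// clickable email link with a <noscript> image fallback, so the plain address and
// the literal "mailto:" never appear in the page source.
const SHIFT = 7; // constructed value; any small constant works, it only hides the plain text

// Encode "user@domain" as an array of shifted character codes.
function encodeAddress(address) {
  return Array.from(address, (ch) => ch.charCodeAt(0) + SHIFT);
}

// Decode the array back to the address; this is the same logic the browser runs
// inside the generated <script> block.
function decodeAddress(codes) {
  return codes.map((c) => String.fromCharCode(c - SHIFT)).join("");
}

// Build the HTML fragment. imagePath is an assumed placeholder for a GIF/PNG that
// shows the address to visitors without JavaScript (its alt text must not leak it).
function buildProtectedLink(address, imagePath) {
  const codes = encodeAddress(address);
  const lines = [
    '<script type="text/javascript">',
    `  var c = [${codes.join(",")}];`,
    `  var a = c.map(function (n) { return String.fromCharCode(n - ${SHIFT}); }).join("");`,
    "  document.write('<a href=\"mai' + 'lto:' + a + '\">' + a + '</a>');",
    "</script>",
    `<noscript><img src="${imagePath}" alt="email address (image)"></noscript>`,
  ];
  return lines.join("\n");
}

// Audit check: true if the generated markup still exposes the plain address,
// an @ sign, or a literal mailto: scheme that a harvester could match.
function exposesAddress(html, address) {
  return html.includes(address) || html.includes("@") || html.includes("mailto:");
}
```

The decode logic in the generated script is deliberately trivial; the page's point is that a spambot has to execute JavaScript to recover the address, not that the encoding is strong.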

Anti-Harvest Measures

Setting aside the first four methods, which don't work, what anti-harvest measures would work best on your Web site? If you have a casual, personal Web site, a simple GIF image file displaying the text of your email address is a simple and certain way to escape the attention of a spambot. Your site may require a more professional solution. If compatible with the overall design of your Web site, custom contact forms provide unbeatable protection, but they can be time-consuming to set up and don't usually work well with long lists of email addresses such as might be found in a staff directory. For situations like this, a JavaScript solution may be your best bet. While not totally spam-proof, JavaScript protection is reasonably effective, scalable, and maintainable. Just make sure you provide some way for non-JavaScript browsers to get your email address or alternate contact information.

Will anti-harvest measures reduce the amount of spam you receive? Not anytime soon. If you already get lots of spam, don't expect it to disappear overnight just because you've scrambled your email addresses with JavaScript. However, anti-harvest measures are a must for any new email address. Whether you're putting a new employee's address on the company directory, creating a Web site for a new business, or adding a contact point for a new product or service, you should never publish a new address without implementing some anti-harvest measures. Harvest deterrence should be standard practice for all Web sites and all Webmasters.

New email addresses can stay spam-free for a long time if you simply take some precautions against harvesting. Of course, you also need to be aware of how you use the new address. Don't type it into other Web sites or into Usenet discussion groups. Keep throwaway addresses on hand for those occasions or type out the URL of a spam-protected Web page. Don't allow employees to use their business email address for personal purposes; offer them a free personal account on your mail server that can be kept separate from the business account, or insist that they get a personal account elsewhere. And don't publish personal addresses at all if you can avoid it. Instead, publish department addresses, which can be redirected when new staff come on board and abandoned entirely and replaced if they start to get bogged down in spam.

Protecting email addresses on your Web site will prevent most new spam, but there are other ways spammers can get your address. Other ways to protect the privacy of your email address include the following:

  1. Don't give out your address unless you have to. Whether it's an online business or a brick-and-mortar business that's asking you, phony addresses, throwaway addresses and outright stubborn refusal are your best protection.

  2. I don't really have to remind you, do I, that you should never reply to a spam or use an unsubscribe link. If it's something legitimate you really remember signing up for, you can probably sign off, but don't believe the dirt balls who tell you that you asked for their spam.

  3. Don't even open or preview spam unless you know that your email program is configured not to auto-load images and other rich media content. Not only does this expose you to graphics you'd rather not see, the images themselves can be configured to trigger a script on a spam server that marks you as someone who reads spam. This nasty trick is called a WebBug and is becoming more and more common.

  4. Don't use your primary address when registering a domain name. Spammers can look up domain name records and steal the email addresses of the administrative, technical, and billing contacts. When registering a domain, use an email address that you've set aside for nothing but domain name registrations. It will still get spam, but it will be separate from the rest of your mail and easier to deal with.

  5. An unusual, unguessable email username can't hurt. Because spammers send out junk to randomly chosen addresses, a common username gets way more spam than an unusual one. You may want to consider disabling any wildcard email addresses that forward anything, including lots of spam, right to your personal account. Also, you should be aware that some domains have worse spam problems than others. Hotmail is notorious for the amount of spam their addresses receive, but Apple's .Mac service goes largely unnoticed by spammers.

  6. As far as I know this hasn't happened yet, but it's only a matter of time before spammers figure out how to use viruses to harvest email addresses. You could be put on a spam list not because you got a virus but because the cousin who forwards all those chain letters to you got a virus and you were in her address book. It will be a technical challenge to deliver the email addresses to the spammer without leaving a trail for law enforcement to trace, but you can bet that spammers are working on it right now.

  7. The big and dirty spammers are beginning to use a technique called "Directory Harvest Attacks" to obtain valid email addresses. This allows them to steal addresses right from your service provider's mail server. I don't have room here to discuss counter-measures, but you should make sure your system administrator or Internet service provider is taking steps to protect your email addresses from these attacks.

Final Thought

Unfortunately, the only way to become perfectly and permanently invisible to spammers is to become invisible to everyone else. Close your email accounts, and stay off the Net and the spam will disappear like magic. If that's not an option for you, though, spammers will find you from time to time, no matter what you do. Nevertheless, prevention remains an important part of any anti-spam strategy. Once you've patched the serious privacy leaks that are opening you up to lots of spam, you'll be ready to get serious about identifying and deleting existing spam, and that will be the topic of our next article.

Michael Herrick is the president of Matterform Media, a small software development company, and the lead developer of Spamfire.



Copyright © 2009 O'Reilly Media, Inc.