Interactive Llama :: Interactive media tutorials and tips » email

Hiding an email address from spambots and spiders

Stephen James — Mon, 08 Jun 2009 14:24:22 +0000

There is an army of spiders out there. Some, like GoogleBot, you want scanning your site to be listed in their search engine. Many however have a devious purpose–to collect email addresses to add to spam email lists. If your email address is already out there, then there is no pulling it back in. The only way to eliminate spam is to create a different address and inform all your contacts that you have changed email addresses.

Ways to combat email spam:

A non-linked image
HTML entity encoding
Client-side obfuscation/abstraction (via JavaScript)
Server-side redirect
Contact form (no email address listed)

If your email address, is spelled out with any client viewable code, it is possible to obtain. Now that search engines can read PDF documents, including your email within a PDF as text may be suspect. I have not gone into great depth on any of them below but have provided a short description of each method with advantages and disadvantages listed.

A non-linked image

Anyone viewing images can see your address, but has to visually remember and re-type this address
Low chance of your email address being grabbed by a spam robot

This is how Facebook displays email addresses in one’s profile. It is inconvenient to the user, since he or she cannot click the email address in order to send an email. The spider may grab one’s email address if a spam robot uses image reading (Optical Character Recognition) though this is unlikely at this time.

HTML entity encoding

Anyone with a typical browser will be able to contact you
Medium to high chance of your email address being grabbed by a spam robot

This method encodes certain characters of the email address into Unicode. For instance, “Bob” in Unicode is “Bob” Since computers create Unicode, it does not seem like a hard task to decode from Unicode. I do not recommend this solution.

Client-side obfuscation/abstraction (via JavaScript)

Anyone with a typical browser will be able to contact you
Low chance of your email address being grabbed by a spam robot

This anti-spam solution is not a cure all–but it is my favorite right now. Some spider bots do run JavaScript. The majority of the spider robots do not however. The method described here not only prevents your email address from being obvious simple text, but it also performs levels of obfuscation and abstraction that makes it useable for actual browsers to read and gracefully degrade for those without JavaScript running.

In a related form, if you create your JavaScript function or call of the function on the server-side (ASP, PHP, etc) then you can slightly change the function over a period of time. The user will never notice, since the output being given is exactly the same. It is only the input (the simple text) into the JavaScript function that is being changed.

Server-side redirect

Anyone with a typical browser will be able to contact you
Medium to high chance of your email address being grabbed by a spam robot

There are several ways to do this. Most redirect to a script that provides the email address. The problem with this solution is that spam robots will follow the link and eventually grab the URL although the email address is not in plain text. It is being given out. This is an example of the server-side redirect method. A similar solution is MailHide from Captcha. I don’t recommend any use of Captcha except as a last resort, since I don’t enjoy using captchas myself.

Contact form (no email address listed)

Anyone with a typical browser will be able to contact you, but will not know your email address
Next to no chance of your email address being grabbed by a spam robot

This is guaranteed to save your email address from spam lists, since your email address is never used within your page. This solution could be annoying, since a potential vendor will have to use the contact form to hear more about your product. I’ve always thought this was impersonal. Although less of an issue for personal sites, a user often does not feel he or she is contacting the site owner.

In conclusion

The contact form is the only full-proof way, but right now, I prefer JavaScript obscuration. If my email address is captured, Gmail does a very good job (if sometimes, too aggressive) of ferreting out the email spam. If you’d like to have a small sense of justice, you can link your website to a multitude of email addresses that are all fake.

Photo: Lake Tawakoni State Park, Texas, August 15, 2007 (Donna Garde)

Why email isn’t sending on the iPhone

Stephen James — Wed, 19 Sep 2007 20:19:46 +0000

I don’t own an Apple iPhone. I don’t have a need for a smart phone (maps, sending email on my phone, or watching YouTube videos–can you do and still call it a “smart” phone?). I also don’t want to pay for AT&T’s media plan either. And I only use my 20GB iPod in the car. Three of my co-workers own iPhones though, and one asked me to configure it to send email.

You would think, since the only wireless carrier that the Apple iPhone works with is AT&T (albeit the new hacks that have appeared), that they would make the default SMTP server AT&T’s SMTP’s server. However, they didn’t.

In AT&T’s Support KnowledgeBase KB7276 it says:

AT&T will provide support for sending E-mail using AT&T owned and operated outgoing server addresses:

Former AT&T Wireless customers use “smtp.mymmode.com” (Standard POP/IMAP compatible via port 25 with no SSL.)
AT&T customers use “cwmx.com” (Standard POP/IMAP compatible via port 25 with no SSL.)

The configuration and use of any other outgoing server address will not be supported due to several factors including, but not limited to, the inability for the outgoing server to authenticate users (whether by IP or username/password) that are not directly connected to that Internet Service Providers network. This is mainly done to prevent unsolicited users from sending SPAM via the ISPs servers.

Problem fixed!

Domain and hosting problems and how to prevent them

Stephen James — Thu, 06 Sep 2007 17:38:57 +0000

I have had a client choose to register their domain and host their website with AnywhereHost. About two weeks ago, AnywhereHost upgraded their servers and in the last week, they and GoDaddy, their registrar, have been having problems. This makes the client’s website intermittently down. It also has made the client’s email stop working entirely. As you know, email is essential to day-to-day operation at any modern company. Can you trust your email to a $7/month company with personnel that you’ve never met in person. This hosting company, AnyWhereHost has been called multiple times, but they refuse to answer their phone. We have been unable to obtain the domain from them.

The best advice to prevent this from happening to you is DO NOT allow a shared hosting service to register YOUR domain for you.

I know from experience. Many years ago, I tried to retrieve my domain from a hosting company and spent hours on the phone. It turned out that the hosting company had been bought out and split. I was talking to the part of the company that kept the old name, but had sold out. They still had my records, too, and told me I was their customer until I talked to a manager that knew the situation.

Yes, you do need to know something of what you are doing to enter information into a few fields at a third-party registrar, such as Register.com or ItsYourDomain.com. You need to know your host’s name servers and that’s all. You can request those in a simple email to your host. It will cost you $15-$20 a year more to have a third-party registrar, but what is that small amount of money for a domain that you have control of at any moment. If you’re server and/or hosting company goes down, just move it.

Also, remember to regularly back up your online site to you local computer in case you cannot contact your hosting service.