How Do You Fool Spam Bots?

Cliff posted about 11 years ago | from the email-armor dept.

Privacy 87

ThisIsAnExampleAccou asks: "I am currently researching Spam Bots, and the various methods by which they collect addresses. While doing my research, I have started to notice the various ways that people post their email addresses to fool spam filters (i.e. - go fishing to mail me) What clever ways have you seen/done to fool spambots while still letting people know how to get in contact with you?"

I don't. (1)

zcat_NZ (267672) | about 11 years ago | (#7305372)

I post my address unobfuscated, you insensitive clod!

Re:I don't. (4, Insightful)

Alan Shutko (5101) | about 11 years ago | (#7305417)

I post my address unobfuscated, you insensitive clod!

Ditto. Google my address and you'll find it in mailing lists, Usenet, web pages. It's everywhere. It's also about 4 years old, I think.

I don't believe in making people jump through hoops to get in touch with me. And as you've noted, you have to make your email address increasingly more obfuscated to keep it off of lists. And if one of your friends or family gets a virus or sends you an e-card, your address is "contaminated" and you'll get junk.

Instead, I run bogofilter and deal with it. I don't have to constantly send out new addresses to people. If a friend from elementary school wants to look me up, he can find me. (And yes, that's happened.) And people can actually hit "reply" on messages I post. Wow.

Re:I don't. (1)

NanoGator (522640) | about 11 years ago | (#7305766)

"I don't believe in making people jump through hoops to get in touch with me."

For an experiment, I created a new email address and used it as my Slashdot address without 'spam armor' for a couple of weeks. It didn't take me very long to generate quite a few unsolicited messages.

Though I agree with you in spirit, at some point you have to stop and consider that if you don't slightly inconvenience people trying to reach you, then you'll inconvenience them by missing their email due to being lost in a cluttered inbox.

I really hope you don't run into that.

Re:I don't. (1)

Alan Shutko (5101) | about 11 years ago | (#7306554)

Though I agree with you in spirit, at some point you have to stop and consider that if you don't slightly inconvenience people trying to reach you, then you'll inconvenience them by missing their email due to being lost in a cluttered inbox.

I really hope you don't run into that.

I haven't. I receive 700-900 messages a weekday. (Less on weekends.) Bogofilter is very, very good at avoiding false positives. I've had one false positive personal mail, in the time I've used it. (More commercial mail I don't consider spam has fallen in my junk folder. But training remedies the specific cases.) The one false positive was from someone whose sig was really close to spam, and the mail was one sentence.

I haven't gotten any reports of mails I haven't responded to. That's better than I did with spamassassin (pre-bayes).

I also don't worry about a cluttered inbox because my mail is very effectively filtered into folders (gnus is great). My inbox isn't cluttered... only sees 5-10 messages a day.

So, really, it is possible.

Re:I don't. (1)

Elwood P Dowd (16933) | about 11 years ago | (#7306160)

And if one of your friends or family gets a virus or sends you an e-card, your address is "contaminated" and you'll get junk.

Or if one of your friends or family puts you on a giant CC list, and one of those addys CCed is hosted by some fly-by-night free email service on the web, harvesting, harvesting, harvesting.

Help! (1)

YanceyAI (192279) | about 11 years ago | (#7318545)

My work email address is posted all over the Net because I work for a university doing PR and maintaining a Web site. I now get 25-50 emails a day for pills, penis enlargement (I don't even have one), and now I get these new "Hi" subject emails.

I'm on a Mac and my unit requires using Lotus Notes and I am NOT an administrator. I use Lotus Notes' built-in filter but it is not nearly enough. What can I do?

Re:I don't. (1)

KDan (90353) | about 11 years ago | (#7305506)

And I don't, and I don't get any spam. Weird that.

I'm aware that lots of people get lots of spam... but I don't! Weird huh?


Re:I don't. (1)

Molina the Bofh (99621) | about 11 years ago | (#7305631)

According to my Bayesian filter stats, since July 19th, I received 13,403 spams. That means 144 spams per day.

Another technological method (1)

Jucius Maximus (229128) | about 11 years ago | (#7305986)

Check out this thing called Sugarplum which creates pages with lots of real-looking but truly fake e-mail addresses. The point of using something like this is to poison the spammer databases and reduce the good:bad ratio of addresses. This way hopefully they will have to throw out the database or at least the content they gathered from your web site.

Other ANTI-SPAM techniques: Basically the best method is to never let your e-mail address appear in a machine-parseable format except in places where other data is supposed to go. For example, the 'from' address in all my e-mails is just a forwarder address and not my real address. The point of this is that when some luser that I sent mail to gets infected with the latest mass mailing worm, my real e-mail address will NOT appear in their address book and be spread across half the net. I can just change the forwarder whenever I want. Of course in the 'name' field of the e-mail it shows [My Name (myname-at-mydomain-org)] so the real address can be found that way by anyone with a clue.

Javascript, passwords and mail form (0)

Anonymous Coward | about 11 years ago | (#7305435)

On some web pages, I use a Javascript to piece together my mail address, and then people can click on the "mailto" link.

On another web page, the email addresses are protected by passwords, so the general public can't see it.

On another web page, I use a web-based form people can fill in, so there is no email address exposed.

Hi! (2, Funny)

Teancom (13486) | about 11 years ago | (#7305457)

I'm frustrated because my spambot hasn't been picking up nearly as many email addresses recently, as compared to what it used to. Some people out there are really clever! :-( Could you please detail to me exactly how you try and keep me from harvesting your address? Oh, and putting into a testcase form would just be the icing on the cake!


Your Friendly Neighborhood Spammer

Re:Hi! (1)

Teancom (13486) | about 11 years ago | (#7305472)

And no, I'm not accusing the OP of being a spammer. I just thought it was funny...

Re:Hi! (1)

BrokenHalo (565198) | about 11 years ago | (#7306151)

I have two ways of dealing with my "Friendly Neighborhood Spammer" which, although they don't exactly fix the problem, go some way to make me feel better about it.

Since the spam I get now tends to originate from a few sources (all US-based, incidentally), I collect every email address I can find for those companies and post them on a webpage in full view, with handy mailto: links.

Another approach (but of questionable legality) is to set up a DoS attack on the culprit, but that takes a bit more effort.

The point of both of these strategies is to render the spammers' computers useless (at least for a while) or to give them enough grief that they might just decide to find another occupation. We can hope, anyway...

I have a million addresses.... (4, Interesting)

crstophr (529410) | about 11 years ago | (#7305465)

You just need your own domain... where you can receive email for any address at that domain.

Every time I give out an email address to someone new I give them a unique email address. Every time I put my email into a web form for some company they get it in the following format:

friends can get silly things like: or whatever.....

other examples:

Then, if I begin receiving spam on one of the addresses I know exactly who it is coming from or who at least is responsible for giving out my email address. I can also go in and specifically turn off the offending email address, or better yet have each mail received fire off a "custom" error message or some script I have set up.

I've been using this method for a year and believe it or not I don't receive more than 1 spam mail a week and never receive it more than once on any given address. What is wonderful is that I have no fear or worry about giving out email addresses any more.


Re:I have a million addresses.... (1)

Mod Me God (686647) | about 11 years ago | (#7305522)

I do absolutely the same.

You only get 1 spam a week? Great! I get a lot more on some of these addresses and as soon as I detect one address getting proportionally many the filter has already kicked in.

Still... I spend a few minutes a week looking at what the spam filter got, some are amusing.

Re:I have a million addresses.... (1)

cmowire (254489) | about 11 years ago | (#7305540)

I do that, but this results me in not blocking the email that gets sent to that address so I can watch as the remove option doesn't work and the address spreads further. ;)

Re:I have a million addresses.... (3, Interesting)

skinfitz (564041) | about 11 years ago | (#7305657)

This is a technique I described at DNSCON last year.

I go one further though - once you start to get spam to an address that you registered with a specific company (say for example) then reroute all mail to that address to the relevant abuse reporting addresses.

The result? By spamming you they automatically report themselves while you never see the spam.

Re:I have a million addresses.... (1)

jpsowin (325530) | about 11 years ago | (#7306033)

Or you can simply forward it automagically to the offending company's customer service email. They'd like it a lot more than me I think, since they obviously think people like to receive spam. Works well for me :D

Re:I have a million addresses.... (0)

Anonymous Coward | about 11 years ago | (#7317656)

Every time I put my email into a web form for some company they get it in the following format:

So you've got an address such as "" (or similar, I'm assuming you've used Amazon)? Excellent, I shall use that to fill in some webforms, and Amazon will get the blame!

Bruce Schneier described this technique in his newsletter

link because of slashdot weirdness:
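The per-correspondent address scheme from this sub-thread, with a keyed tag so that a third party cannot mint a plausible alias and pin the blame on someone else, as the last reply proposes. This is an added example, not code from any poster; the domain `example.org`, the key, the `label-tag` layout and all function names are assumptions made for the sketch.

```python
import hashlib
import hmac

# Assumptions for this sketch (none of these names come from the thread):
SECRET = b"constructed-demo-key-rotate-me"  # private key known only to the mail server
DOMAIN = "example.org"                      # placeholder catch-all domain
TAG_HEX = 8                                 # hex digits of the MAC kept in the address


def _tag(label: str) -> str:
    """Keyed tag for a label; it cannot be computed without SECRET."""
    mac = hmac.new(SECRET, label.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX]


def _valid_label(label: str) -> bool:
    # Letters and digits only, so the last "-" always separates label from tag.
    return label.isascii() and label.isalnum()


def make_alias(label: str) -> str:
    """Address to hand to exactly one correspondent, e.g. make_alias("bookshop")."""
    label = label.lower()
    if not _valid_label(label):
        raise ValueError("label must be ASCII letters and digits")
    return f"{label}-{_tag(label)}@{DOMAIN}"


def check_alias(rcpt: str, revoked=frozenset()):
    """Classify an envelope recipient.

    Returns (verdict, label) where verdict is:
      "accept"  - tag verifies and the alias is still live
      "revoked" - tag verifies but the owner turned this alias off
      "reject"  - wrong domain, malformed, or the tag does not verify
                  (a guessed or forged alias never reaches the inbox and
                  never counts against the named correspondent)
    """
    local, _, domain = rcpt.strip().lower().rpartition("@")
    if domain != DOMAIN:
        return ("reject", None)
    label, sep, tag = local.rpartition("-")
    if not sep or not _valid_label(label):
        return ("reject", None)
    # Constant-time comparison of the presented tag with the expected one.
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(label).encode("ascii")):
        return ("reject", None)
    if label in revoked:
        return ("revoked", label)
    return ("accept", label)


def triage(recipients, revoked=frozenset()):
    """Group a batch of envelope recipients by verdict."""
    out = {"accept": [], "revoked": [], "reject": []}
    for rcpt in recipients:
        verdict, _ = check_alias(rcpt, revoked)
        out[verdict].append(rcpt)
    return out


if __name__ == "__main__":
    # Constructed sample: one real alias, one revoked alias, one guessed alias.
    good = make_alias("bookshop")
    leaked = make_alias("forum")
    guessed = f"bookshop-deadbeef@{DOMAIN}"
    print(triage([good, leaked, guessed], revoked={"forum"}))
```

Revoking a label bounces everything sent to the alias that leaked, while an alias with a guessed tag is rejected before it can be attributed to anyone.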

Add both From: and Sender: headers (2, Informative)

Tor (2685) | about 11 years ago | (#7305490)

You could add both a "From: " and a "Sender: " header to your usenet/mailing list postings:
From: you@yourdomain
Sender: blockme@yourdomain

You'll get tons of spam to both addresses (not necessarily the same spam, unfortunately - that would make filtering real easy). You run SpamAssassin (or similar) to filter mail to your real address, and you run "spamassassin -r" or "razor-report" to handle mails sent to your spamtrap address (making the Razor service, and in turn, SpamAssassin, more efficient at identifying these spams).

Better yet, if your MTA is Exim, use SA-Exim to add teergrubing functionality to SpamAssassin. Oh, the satisfaction! :-)

Depends on the situation (1)

Zocalo (252965) | about 11 years ago | (#7305507)

In order of preference:
  1. Don't post/give out the address in the first place. ;)
  2. Use a fairly trivial bit of JavaScript to mangle the address, but render it properly in the browser.
  3. Referral to my CGI based contact form that doesn't include the addresses on the client.
  4. Lame mangling such as used by Slashdot.
Note that posting in plain text is not up there. I've recently dumped an email address I've been using for over a decade due to an inordinate amount of spams and Joe Jobs. Times have changed, and so have my attitudes to giving out my email address. Total spams in my inbox since doing this in August is just three (yes that's right - I've seen one spam a month), previously I was getting (with filtering) about 40 a day!

Re:Depends on the situation (0)

Anonymous Coward | about 11 years ago | (#7305954)

What really burns me up is having to do that to an e-mail on *my own domain* because the bastards are pounding it with shit from

As an aside, if anyone feels a compulsion to drop by Mr Craig Diedrich's home or office,, of 8392 West 63rd Street, Miami, FL 33166 and politely ask him to take me off all his mailing lists, it would be greatly appreciated. Prefer large swarthy football-player or ex-military types with bad attitudes, hair-trigger tempers and fantasies of raping short and ulgy little men like they've raped my mailbox.

Re:Depends on the situation (1)

DeadSea (69598) | about 11 years ago | (#7306025)

It is actually hard to find a CGI contact form that hides email addresses. I ended up writing my own: Stephen Ostermiller's Contact Form. You can download and use it yourself if you wish, it requires a web server, perl, and sendmail. I researched other forms that hide email addresses and was only able to find a few others.

The trick that I use when I need to obfuscate an email address is to leave instructions to amputate the address. Then I will write the address like A computer won't know that amputate means to remove the arm and the leg, but a human will.

My solution... (3, Informative)

cmowire (254489) | about 11 years ago | (#7305523)

I encode the IP address of whoever's requesting the email address and the current date and time. So each request gets a unique email address.

The file is forbidden by the robots.txt file. I don't think that it surprises anybody that it still has gotten spambotted. ;)

Re:My solution... (1)

isorox (205688) | about 11 years ago | (#7309242)

The file is forbidden by the robots.txt file.

A sensible precaution, I'm sure that spam harvesters pay attention to robots.txt.

They get the forbidden pages and look at them first, as that's where all the juicy stuff will be.

Re:My solution... (1)

cmowire (254489) | about 11 years ago | (#7313654)

See, mostly I wanted to collect evidence that spammers are truly scum-of-the-earth.

I also discovered, once they picked up a few addresses, that the "remove me from this list" still doesn't do anything.

I need to summarize up the trends and write it up, but I haven't gotten to it yet.

Re:My solution... (1, Informative)

Anonymous Coward | about 11 years ago | (#7315141)

Usually the "Remove Me" option is just a method the spammer uses to verify which email addresses are real. If you reply to it, they know you are a real email address and will do quite the opposite than remove you :-)

Re:My solution... (1)

cmowire (254489) | about 11 years ago | (#7320224)

I'm thinking that, lately, they either just ignore the removal requests or maybe remove you from one specific mailing.

It's also the case that half of the removal URLs will return an error message. ;)

The influx of spam to the address I've been testing the "remove me" option hasn't gone down appreciably, but it hasn't gone up that much either.

bullshit. (1, Insightful)

Elwood P Dowd (16933) | about 11 years ago | (#7305547)

I am currently researching Spam Bots, and improving the methods by which they collect addresses. While doing my research, I have started to notice that people post their email addresses to fool spam filters (i.e. - go fishing to mail me) What clever ways have you seen/done to fool spambots while still letting people know how to get in contact with you?

+5, Informative (0)

Anonymous Coward | about 11 years ago | (#7305639)

How'd ya piece that one together, Steinbeck?

Re:bullshit. (1)

Uma Thurman (623807) | about 11 years ago | (#7306355)

I just post plaintext, unobfuscated. No spammer expects that.

Re:bullshit. (1)

Elwood P Dowd (16933) | about 11 years ago | (#7311870)

Someone doesn't know what flamebait is.

Re:bullshit. (0)

Anonymous Coward | about 11 years ago | (#7316306)

I think Insightful is about right for the comment. My immediate thought was very similar;

"Hi I'm working on how to make spam collection bots more effective now that all you guys have started obfuscating your addresses. Could you all possibly provide me with the ways in which you obfuscate them so that I can include all these methods in my new software. I really don't want to find all these methods myself and would really appreciate it if you could save me the hassle.


Mr Employed by Spammers"

Re:bullshit. (1)

Elwood P Dowd (16933) | about 11 years ago | (#7319951)

Well. I didn't think it was insightful exactly. Just kind of funny.

Offtopic or overrated would have been fine. It waren't no genius comment. But it waren't flamebait neither.

GIF (3, Insightful)

Detritus (11846) | about 11 years ago | (#7305571)

I recently tried to email the maintainer of a web page and quickly discovered that the listed email address wasn't text, it was rasterized text in a GIF file. Unless the bot can do OCR, it can't read it. The only problem is that this trick is hostile to the blind.

Re:GIF (0)

Anonymous Coward | about 11 years ago | (#7305835)

COMMON SENSE! why/how the fuck would the blind e-mail you?

Re:GIF (0)

Anonymous Coward | about 11 years ago | (#7306775)

How: with a screen reader and a speech-to-text program

Why: because humans like to communicate

Why is it bad: Because if spammers force everyone to use something that's hostile to the disabled, the disabled won't be able to email anymore, and an increasingly common means of communication will be cut off from them.

Why are there TDD/TDY services for the deaf? Because that's how most businesses talk with customers for now. Why shouldn't the blind have email?

Re:GIF (1)

Anti_Climax (447121) | about 11 years ago | (#7306465)

I've read that you can fool many spam bots by using Char codes.

This is most likely of little use when submitting your address in a form, but for web content it would seem ideal.

Of course knowing my luck, you're just planning to write a bigger/better spam bot, and decided to use /. for your R&D

Re:GIF (1)

bobbozzo (622815) | about 11 years ago | (#7360944)

Bots are already starting to decode these. I've seen it myself on some spamtrap addresses I have hidden on our site.

Spelling it out. (1)

jasamaman (221350) | about 11 years ago | (#7305603)

Sometimes I spell mine out. As in, myadress AT hotmail DOT com.

Re:Spelling it out. (1)

Fubar420 (701126) | about 11 years ago | (#7305917)

> Please put this in your sig if you think /. should stop posting NYTimes articles.

I know I shouldn't reply to a sigline, but in all honesty, discriminating against a news source (That publishes) for simply requiring you to log in?

Or maybe for their political views?

If it's the logging in thing, just use one of a thousand that slashdotters have already set up. Try just about any common keyboard key-run (qwe123, asdf, etc).. odds are, you'll hit one.
And then, if nothing else, you're screwing up their statistics, and you got your chance to "stick it to the man"!

If it's the political views of the NYT, then realize that EVERY news source has its own spin. BBC, Wired, NYT, Wash/Post (which also requires an anonymous login of sorts... yet nobody complains), or pretty much any news source used here, at lovely old /.


Re:Spelling it out. (0)

Anonymous Coward | about 11 years ago | (#7310015)

I agree with him actually. It takes just a few seconds at to find a link to a comparable or even the same article on a site that doesn't force a survey before you can read it. If the person submitting the story can't be bothered to do that, the editors shouldn't accept it. I'm sure a dozen or more people submit the exact same story using links to other sites.

I'm not willing to fill out a survey to read an article. For the very few times I can't find an alternate link or a partner link, I use the unofficial slashdot log-in, cypherpunk69/cypherpunk

Re:Spelling it out. (0)

Anonymous Coward | about 11 years ago | (#7325412)

Someone at a small web forum I frequent ended up making a NYTimes account with the name of the forum as the username and password. It's really nice since I didn't have to bother making one myself and remember a weird user/pass combo, and it screws up their statistics a bit. I'd make one for Slashdot, but I'm sure the same losers who post GNAA/TrollKore/BSDisdying/firstpost crap will just change the password and render it useless in about five minutes.

How (1)

Carnildo (712617) | about 11 years ago | (#7305614)

1) For USENET messages, I use a Hotmail address that I check once in a blue moon, and a note in my sig that I don't check that address very often
2) For mailing lists, I use a free address that I can change at any time.
3) For online forums, "PM me for my e-mail address"

Does quite well at keeping my main address free of spam

Good ol' jpeg (2, Interesting)

Unsolicited Commando (711252) | about 11 years ago | (#7305616)

I use a good ol' jpeg file. Has never ever let me down. Not even once. Also, I've got a spider trap on my website.

You suck (1, Funny)

WTFmonkey (652603) | about 11 years ago | (#7305661)

I must ask that you remove the "spider trap." My email accounts are filling up with SPAM and I now have reason to believe it is your fault.


Re:Good ol' jpeg (0)

Anonymous Coward | about 11 years ago | (#7305820)

cack [mailto] etc

Re:Good ol' jpeg (0)

Anonymous Coward | about 11 years ago | (#7306309)

damn that is low... funny as hell... but so, so, so low.

Re:Good ol' jpeg (1)

herrvinny (698679) | about 11 years ago | (#7309030)

Saw Unsolicited Commando. Looks like fun. I'm just reviewing the source code to see how you do the Tactical Orders thing. One question: how do you know which form box is used for what? For example, a text box could be labeled (on the monitor, the text the user sees) as "Put Your First Name in the below box", but the textbox's NAME attribute could be "phonenumber". Do you parse the page to see what box is related to what, or is it included in your Tactical Orders/Strategic Target orders?

rot13 (1)

Captain Rotundo (165816) | about 11 years ago | (#7305620)

very simple, and the address I post to newsgroups rot13'd doesn't receive very much spam at all.

list of many spam fighting techniques (1)

jcbphi (235355) | about 11 years ago | (#7305623)

I am fooling spam engines using many of the techniques discussed in the /. article posted on this subject earlier this month.


Re:list of many spam fighting techniques (1)

Steven287 (720682) | about 11 years ago | (#7361737)

For those of you who have used managed services to fight spam - has anyone had any issues with the reliability of an anti-spam managed service? I heard that Postini was recently down for 12 hours! Not only did it take down all of their spam filtering services, but it also prevented all email from coming through! They claim 99.999 percent reliability. Last I checked five nines of uptime meant no more than 5 minutes of downtime a year. Has anyone had the same experience with Postini or other anti-spam services?

Damn it - Thanks A LOT ThisIsAnExampleAccou (1)

Judg3 (88435) | about 11 years ago | (#7305710)

Damn it - all this work to obfuscate my email address ( bob AT hottroutmail DOT com), the hours and hours of research, the black/grey/whitelists, the spamassassin configs - all to no avail as some smart guy posts my email on the "Email Account O Rama" that is /.! ALL WASTED!

Seriously though, on a side note - I used to do the easy obfuscating, the user(AT)domain(DOT)com, the, etc etc but then I started thinking...

I know if *I* were to plan an email harvesting bot, I'd definitely add things like "(AT)", "(DOT)", "NO-Spam", "RemoveTHis", "Remove-This", etc etc as keywords to email addresses. Odds are I'd get even more valid addresses that way, since it's so commonplace. You could even do it via a Google search of "NOSPAM" +COM -"" and variations of it. Sure, there's a lot of things that pop up that DON'T have to do with an email address, but click next a few times and look, it'll pull things up. I'm almost tempted to write a little script with the google api to see how many valid addresses I could pull up like this.

It's because of this reason that (except for Slashdot's obfuscating) I don't do anything except try to run the best anti-spam setup I can.

Re:Damn it - Thanks A LOT ThisIsAnExampleAccou (0)

Anonymous Coward | about 11 years ago | (#7306977)

Someone posted a comment a while back that said the exact opposite of this - if you are trying to hide your address, then you are the sort of person who doesn't like spam (duh), and are also the type of person who will cause spammers grief when they do decipher your address.

They don't want your address.

It would be nice to think spammers maintained blacklists (add me! add me!) so they can spam the clueless while avoiding the troublemakers.

Of course, the domain name might be useful for a dictionary spamming spree, and what happens if everyone hides their address?

Re:Damn it - Thanks A LOT ThisIsAnExampleAccou (1)

dubious9 (580994) | more than 10 years ago | (#7418076)

Placing conditionals and alternatives greatly increases search time of the harvester, especially when almost all e-mail addresses are not obfuscated.

Regular expression wise: Searching for .*@.* is much easier than searching for .*@.* | .* at .* dot .* | .* (at) .* (dot) .* | .*removethis.*@.* etc... and these conditionals are very expensive and not high yielding.

Why would you want to wait several times longer for your spambot to return the same number of addresses?

Shoulders of Giants... (2, Informative)

GeorgeH (5469) | about 11 years ago | (#7305748)

There's been some research on what methods work best. The CDT put out a paper in March detailing their experiment and its results. It was also covered on Slashdot.

Ask Slashdot (1)

tiny69 (34486) | about 11 years ago | (#7305809)


I'm writing an evil spambot email collection tool. Much to my surprise, people are making it hard for me to collect email addresses to sell to the scum-of-the-earth spammers. How do you change your email address to fool spambots like mine? This way I can create a new spambot that can determine what your real email address is so that we can stuff it with spam. Please ignore my shiny new account and the trolling I'm doing cleverly disguised as an EXPERIMENT.

Block spammers via DNS (4, Interesting)

Anonymous Coward | about 11 years ago | (#7305910)

If you have your own domain you can do this:

I set up 1000 mx records like, mail0002... etc. Then I set up my mail program with Every time I sent mail to someone I would increment the number by one. Whenever one of those addresses got spammed I would delete the MX record. And I would know which asshole spammed me.

The nice thing about blocking spam via DNS is that the spammers never connect to your SMTP server, which saves a lot of bandwidth.

Re:Block spammers via DNS (1)

buttahead (266220) | about 11 years ago | (#7306321)

not such a bad idea... as long as you leave out or fake the admin address in the SOA line :)

Re:Block spammers via DNS (2, Informative)

bluelip (123578) | about 11 years ago | (#7318250)

for sites that require registration I identify them in the address itself. If you control the domain, it's cake to setup/use.

It INSTANTLY identifies where the email was scarfed from.

This also works for snail mail also. I usually use the store/company's name as my firstname. For example, I wanted a Black Diamond catalog. The company's initials are bdel. For my name I gave:

Bdel Coles

It was humorous watching the junk mail arrive sent to bdel. Easily tell whether or not your address was sold/rented.

I don't. (1)

Trillan (597339) | about 11 years ago | (#7305958)

My email is filtered, so I don't worry about hiding my email address. It's pretty much always at the cost of the convenience of people trying to mail me, and the spammers will find the one place where it is posted (possibly by someone else) in the clear.

By the time spam gets through SpamCop with the zones I've said, two spam a day is unusually high.

I don't bother (0)

anaphora (680342) | about 11 years ago | (#7306018)

Life is too short to worry about obfuscation. I post my full email everywhere, and if I get spammed, well, I use AOL's handy dandy "Report Spam" button. It blocks the domain and keeps me from getting spam in the future. Pushing the limit: Can I mention that I use AOL for email and not get -1 Flamebait?

Re:I don't bother (1)

RickL (64901) | about 11 years ago | (#7308044)

There is a huge problem with this. I just purchased a domain name, and the instant the DNS propagated, I started getting hundreds of bounced messages into my catchall. A spammer decided to use my domain to fake the From: lines.

Does AOL really think that spammers use the real domain name?

Spelling out the email address (1)

baywulf (214371) | about 11 years ago | (#7306045)

There are some people who spell out the email address as "john at domain dot com" as if the spam harvester hasn't heard of regular expression and wild card searches. All they need to do is search for a pattern "* at * dot com" or something similar. Then they can do a lookup on the domain name to be even more confident.

Using html tags inside the e-mail address (2)

njchick (611256) | about 11 years ago | (#7306389)

I use <strong> attribute around "@" on my homepage. me<strong>@</strong> renders to, which is easy to cut and paste, but not trivial for bots to extract.

Re:Using html tags inside the e-mail address (1)

nuintari (47926) | about 11 years ago | (#7308626)

Sure, it's fine for bots that pull the raw file down and parse for addresses from it. But honestly, I am sure this can be beaten by something along the lines of:

lynx -dump <URL> | parseForEmails | spam!

I would imagine most of them attempt to extract from the html first, then parse it into human readable text, and check for more. I would, as it would kill your defence.

Re:Using html tags inside the e-mail address (1)

Yottabyte84 (217942) | about 11 years ago | (#7311206)

echo '' | sed 's/]*>//g'

Re:Using html tags inside the e-mail address (1)

Yottabyte84 (217942) | about 11 years ago | (#7311219)

Note to self: use preview...

echo 'me<strong>@</strong>' | sed 's/<[^>]*>//g'

Re:Using html tags inside the e-mail address (1)

Eil (82413) | about 11 years ago | (#7322831)

One thing that has worked surprisingly well for me over the years is the old URL-encoding trick. What was once:

<a href="">username@domain.com</a>


<a href="mailto:username%40domain%2ecom">username at domain dot com</a>

It would be ridiculously trivial to write a spambot that catches this, but so far none seem to. My main aggravation used to be the Microsoft Outlook Virus of the Week, because IE must convert %40 and such to normal characters before caching a web page. These stopped since I recently enabled spam filtering at my email provider.

Kind of an obvious question (1)

1iar_parad0x (676662) | about 11 years ago | (#7306619)

Anybody who reads slashdot, or obfuscates their email address, is not going to buy any spam advertised product. So perhaps, it's better you don't harvest those emails.

With that said, I prefer my analog generated, random noise filtered, grayscale solution. Yes, nothing beats a black and white scan of a handwritten copy of my email address. How many shades of gray can you parse?

Re:Kind of an obvious question (0)

Anonymous Coward | about 11 years ago | (#7315145)

So perhaps, it's better you don't harvest those emails.

Except the harvesting is done to SELL the addresses to rubes, not for DIRECT use by the harvester.

you don't use any answers read here (2, Insightful)

Splork (13498) | about 11 years ago | (#7306695)

the spam bot authors have already patched their bots for anything mildly useful mentioned in this thread.

You are a spammer aren't you? (1)

aliquis (678370) | about 11 years ago | (#7306940)

Hey, what says you aren't a spammer who urges to find out our secret tricks?! =D

Don't Hide--Go Disposable (1)

hojo (94118) | about 11 years ago | (#7307359)

Sneakemail is my method of choice. Generate a custom address (e.g. for every transaction you do, along with one for your web pages. Mail sent to these addresses gets forwarded to your real address, which no one gets (except Sneakemail).

Dispose of them if you ever get junk mail, and you will know exactly which companies not to trust or which web page got spidered.

I get no spam and haven't for several years now. I have had to generate a total of 5 or 6 new addresses for my own vanity page since that one does get spidered from time to time. People can still simply click and mail me.

The downside is that the address that someone uses today to mail me may not exist 6 months from now, and unless he checks my page for an updated address, he may think I don't exist any longer either. But that's okay, I think.


100% safe (0)

Anonymous Coward | about 11 years ago | (#7307528)

the email links on my site bring up a little php form which asks for name of the president of the usa, like the turing test in blade runner. javascript checks onkeyup for input. when it matches bush, the form submits and displays an email link. since php is server side there is no way round answering the question to get at the address. i also have catch all email at the domain, so i use php to make the email address start with the current ip address of the sender. that way, if a generated address gets spammed it is easy to filter. of course, no manual spammer would be stupid enough to give away his ip address like this...

the other day somebody called me and said they couldn't send an email to me as the form didn't react. i asked what she was typing in and she said "clinto... whoops!" We both laughed out loud and she was embarrassed. now it accepts 'bush' or 'clinton'.

I use SI20 challenge/response. (1)

conner_bw (120497) | about 11 years ago | (#7308248)

Ever since I subscribed to Spam Interceptor (free as in beer), I am able to post a url to my email that shows a web form asking for a challenge/response.

The web page is here.

Pretty clever if you ask me.

HTML entities (1)

Micah (278) | about 11 years ago | (#7308556)

Displays perfectly, user can copy and paste, but slightly harder for spambots.


There was a Slashdot story about someone's research on this topic a while ago, and they found that entities do decrease the amount of spam significantly.

Of course, the $#@%$# spammers probably figured that out by now. :(
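The tag, URL-encoding and HTML-entity tricks described in the comments above each fall to one decoding step, so a page owner can check which step exposes their own address. This Python is an added example, not code from any poster; the address me@example.org, the sample markup and the helper names are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

ADDRESS = "me@example.org"  # constructed placeholder address

# Constructed snippets, one per obfuscation mentioned in the thread.
SAMPLES = {
    "plain mailto": '<a href="mailto:me@example.org">mail me</a>',
    "strong tags": "me<strong>@</strong>example.org",
    "url-encoded": '<a href="mailto:me%40example%2eorg">me at example dot org</a>',
    "html entities": "me&#64;example&#46;org",
    "server-side form": '<form action="/contact.php" method="post"></form>',
}

TAG = re.compile(r"<[^>]*>")  # same pattern as the sed one-liner above


def _stages(page):
    """Yield (stage, text); each stage adds one more decoding step."""
    yield "raw", page
    page = html.unescape(page)
    yield "entities decoded", page
    page = unquote(page)
    yield "percent-decoded", page
    yield "tags stripped", TAG.sub("", page)


def first_exposure(page, address=ADDRESS):
    """Return the first stage at which the address appears verbatim, else None."""
    needle = address.lower()
    for stage, text in _stages(page):
        if needle in text.lower():
            return stage
    return None


def audit(samples=SAMPLES):
    """Map each sample name to the stage that exposes the address."""
    return {name: first_exposure(page) for name, page in samples.items()}


if __name__ == "__main__":
    for name, stage in audit().items():
        print(f"{name:18} -> {stage or 'not exposed in markup'}")
```

Only the sample that keeps the address on the server comes back unexposed; the others differ only in which standard-library call undoes them.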

The slow random garbage page (1)

nuintari (47926) | about 11 years ago | (#7308670)

I wrote a simple CGI page that spews forth about 100 very annoyingly random email addresses, such as: ...

The trick is that it waits for 5 seconds in between each email address, giving the viewer the impression that the page is loading slow as balls for some reason. In theory, a spambot will sit there and wait for the page to load, then parse it, and follow any links to more pages. You have a link waiting that sends you to another site with the same CGI on it, they in turn pass the bot on, and etc....

It's all theory based on my limited knowledge of how spam bots work. But if it succeeds at loading up spam lists with tons of crap, we should all be doing it.

I may rewrite it to just insert tons of crap commented emails in all my main pages, make it even harder for the spammers to avoid.

Re:The slow random garbage page (1)

iantri (687643) | about 11 years ago | (#7310719)

Be careful -- this may bugger up Google and other legitimate search engines that follow it.. and you may find that you'll get banned from them because of it. (This is basically search engine spamming, even if you aren't using it to sell something)

I think putting the address in a robots.txt file would prevent the legitimate search engines from indexing it, and would let the spambots through, though.

Re:The slow random garbage page (1)

nuintari (47926) | about 11 years ago | (#7311215)

already do that, sometimes, I think using a robots.txt actually attracts spammers, they seem to have no regard for them whatsoever.

Re:The slow random garbage page (1)

FCKGW (664530) | about 11 years ago | (#7325601)

Could you please post the CGI script? The more people who use this, the better.

I agree with another person who replied in that a robots.txt file should protect this script. That way, legitimate and well-behaved spiders (Google, etc.) won't be adversely affected, but badly-behaved spiders (spambots, etc.) that ignore robots.txt will be severely punished. :-)

(1)

raj2569 (211951) | about 11 years ago | (#7308904)

very effective!!


Server side scripting (1)

mikeswi (658619) | about 11 years ago | (#7309946)

Any method of munging the address must still be clickable within the visitor's browser. If it is clickable, it can be harvested. Javascript and html encoding may stop most of the bots, but bots exist that can slurp the address no matter how much javascript you wrap it in.

I use a PHP email form that never sends the address to the client accessing it. Short of hacking the server and looking at the php script in plain text, there is no way to harvest the address. I have no need to let the public know my address. If they want to email me, use the form or use my site's message board.

I don't want the guy getting slashdotted, so I won't link his site. If you really want the script I use (available in PHP or ASP), go to and search for dbmaster's mail form.

AddressScrambler (1)

jqh1 (212455) | about 11 years ago | (#7312143)

for yet another javascript address mangler/demangler, check out
AddressScrambler

Don't listen to people who say these don't work -- if a spammer can spend $x and get a buzillion unmasked addresses, but has to spend a great deal more to get a few hundred masked ones, what do you think he or she will do? And to the people who say -- yeah, but what about when everyone starts doing this? Everyone is not about to start doing this. Relax.

wouldn't worry about giving away info (0)

Anonymous Coward | about 11 years ago | (#7314579)

Look, the guy who wrote this isn't a spammer. I think spammers know that anyone on /. isn't going to open spam anyway.

(1)

spitzig (73300) | about 11 years ago | (#7315901)

It creates email addresses on the fly, and forwards email to my real email address. If I buy something from, I'll create an address like If I start getting spam at that address, I block email to that address, and I also know who the bastard is--and don't go to that website anymore.
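The per-site disposable addresses described in the Sneakemail comment and the comment above can be sketched on a catch-all domain as follows. This is an added example, not the code of either service; the HMAC tag (which stops aliases being guessed), the secret, the domain example.org and all names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; use a random secret in practice
DOMAIN = "example.org"            # constructed catch-all domain


def _tag(label):
    """Short keyed tag so only the owner can mint a valid alias."""
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:8]


def make_alias(label):
    """Address to hand to exactly one site, e.g. 'shop-<tag>@example.org'."""
    label = label.lower()
    return f"{label}-{_tag(label)}@{DOMAIN}"


class AliasRouter:
    """Decides what to do with mail arriving at the catch-all domain."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, label):
        """Dispose of an alias once it starts receiving junk."""
        self.revoked.add(label.lower())

    def route(self, rcpt):
        """Return (action, label); label names the site the alias was given to."""
        local, _, domain = rcpt.lower().partition("@")
        label, _, tag = local.rpartition("-")
        valid = (
            domain == DOMAIN
            and bool(label)
            and hmac.compare_digest(tag.encode(), _tag(label).encode())
        )
        if not valid:
            return ("reject", None)    # guessed, mistyped or foreign address
        if label in self.revoked:
            return ("reject", label)   # disposed alias; label shows who leaked it
        return ("deliver", label)


if __name__ == "__main__":
    router = AliasRouter()
    alias = make_alias("shop")
    print(alias, router.route(alias))
    router.revoke("shop")
    print(alias, router.route(alias))
```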