Spam and E-mail encoding

The “at” sign is the trigger for the e-mail harvesting robots who bring you spam.

Any time you publish your e-mail address online, you risk getting spam as a result.

You can’t prevent people from manually copying down your e-mail address.  But that’s not how you usually end up on spammers’ lists.

Spammers acquire huge lists of e-mail addresses that have been automatically “harvested” by bots, automatic programs that surf the web looking for the “@” sign.

But don’t despair!  You can still be contacted by e-mail from your website and not be deluged by spam.   Several levels of protection from e-mail spam are available to you.

When putting an e-mail address on a website, I encode it using the best system I know, Dan Benjamin’s Hivelogic Enkoder, which is based on JavaScript. There is still nothing that can be done to stop someone from manually copying your e-mail address as presented on the screen, but the encoding prevents it from being seen by the evil bots.

There is even a WordPress plugin for the Hivelogic Enkoder (if your website or blog is built on WordPress) that automatically converts any e-mail address to encoded JavaScript. (It doesn’t seem to work for e-mail addresses contained in widgets, however.  Recently I had to insert the encoded script manually into an HTML box widget.)

The only real disadvantage of this system is that JavaScript must be enabled in the browser for the address to be seen.  It is rare that people browse with JavaScript turned off, but some high-security workplace firewalls may block JavaScript.

There is a simpler, less obscured way to encode e-mail addresses, which replaces each letter with its numbered character entity, e.g. the letter “a” becomes “&#97;”.  The browser will render these normally, and JavaScript is not an obstacle.  This is a method to consider if a lot of your site visitors are sitting behind firewalls in government or military establishments where security is high.  But I’m sure it is somewhat less secure for you and your inbox.

If the e-mail address you display is being forwarded to the e-mail address you get from your ISP (e.g. Sympatico, Eastlink, Aliant, Rogers) or to a Hotmail, Yahoo or Gmail account, it will pass through filters set up by your provider. If you’re lucky, most of the spam heading your way will get caught. I’ve heard tales of sudden volumes of spam from people who had just switched providers, which tells me that some providers have more effective filters than others (particularly when switching from Sympatico to Eastlink in Nova Scotia). Please leave a comment if you have experience with this.  Hopefully spam filtering will improve for everyone as a result.

If the e-mail address you display is on your domain name and is not being forwarded but rather you access it directly with an e-mail client on your computer or online, you may have spam filters available through your hosting provider.  It depends on what they offer.  So log in and check your hosting account to see if you can improve your spam filters.

Guess which filter keywords this spammer was trying to avoid?

Spammers often design email to slip through filters, for example by inserting blanks or periods in the middle of words that typically trigger filters.  There is a constant cat and mouse game between the spammers and the filter designers.

I have been using the Hivelogic Enkoder to encode my e-mail address which is forwarded to a Sympatico account for about 10 years, using the same e-mail address. You would think that my address would be on all kinds of spam lists by now. But I only get a couple of spam e-mails a day at most. I consider this acceptable, compared to what some people get.  My conclusion is that Sympatico’s filters are pretty good, and that this encoding method works quite well.  I am also careful about how I give out that e-mail address – which I want to be able to use as my main contact e-mail indefinitely.  I’ll often use a different address when filling online forms, and I avoid having my e-mail listed on other people’s websites, referring them to my website instead, because most websites do not encode their e-mail addresses.  I don’t even display my e-mail address to friends on Facebook.

You can also hide your e-mail address by using a form for people to contact you.  However, form spam is very common, and imposes the cat and mouse game on the web designer.  “Captcha” gadgets on forms, which make you enter some fuzzy or scrambled letters before you can send your message, may frustrate the user but they work well to reduce form spam. I like the “Recaptcha” system, which Google has seen fit to buy, because it harnesses millions of form-fillers to help digitize books and audio in the public domain.  There is also a WordPress Recaptcha plugin to add to your blog comment forms.

Since the trigger for the e-mail harvesting bots is the @ sign, you can write your e-mail address like this: “contactme – AT – mydomain.com”.  Do most people understand by now what to do with this?  You can’t, however, click on the address and go to your e-mail program; you have to copy it out correctly.  If you make a “mailto:” e-mail link behind it, the bots will be able to read it – unless you encode it using one of the methods mentioned above.

Likewise, some web designers put the e-mail address in an image that bots cannot read.  It works pretty well unless you add a link to the image.  If you do this, be sure to encode the address in the HTML.  Beware also of adding your address to alt or title text behind the image.  Bots can read that, too, so use “at” instead of the @ sign.  With an image, you also risk making your e-mail address invisible to visually-impaired people using screen readers, or people browsing with images off.
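The numbered-character-entity encoding and the mailto, alt and title leaks described above, as an added example that is not part of the original post: a JavaScript sketch (run with Node.js) that builds an entity-encoded link and then audits a page's source for addresses that are still readable. All function names and the sample page are constructed for illustration.

```javascript
// Added example; names and the sample page (example.com, reserved for docs) are constructed.
const ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Numbered character entities: "a" -> "&#97;", one reference per code point.
function encodeEntities(text) {
  return Array.from(text, (ch) => "&#" + ch.codePointAt(0) + ";").join("");
}

// A clickable link whose source contains neither "mailto:" nor "@".
function mailtoLink(address, label) {
  return '<a href="' + encodeEntities("mailto:" + address) + '">' + label + "</a>";
}

// What every HTML parser does before using the text: no script has to run.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// List every address readable from the page source, and where it sits.
function auditHtml(html) {
  const findings = [];
  // entityEncoded is true when the address only appears after decoding.
  const add = (where, raw) => {
    const literal = raw.match(ADDRESS) || [];
    for (const address of decodeEntities(raw).match(ADDRESS) || []) {
      findings.push({ where, address, entityEncoded: !literal.includes(address) });
    }
  };
  // Attribute values are not shown on screen but are present in the source.
  const attr = /\b(href|alt|title)\s*=\s*"([^"]*)"/gi;
  for (let m; (m = attr.exec(html)) !== null; ) {
    const name = m[1].toLowerCase();
    add(name === "href" ? "link target" : name + " text", m[2]);
  }
  // Visible text: drop the tags (with their attributes), keep the rest.
  add("page text", html.replace(/<[^>]*>/g, " "));
  return findings;
}

const samplePage = [
  "<p>Write to contactme - AT - example.com</p>",
  '<a href="mailto:owner@example.com">E-mail me</a>',
  '<img src="contact.png" alt="sales@example.com" title="sales at example.com">',
  mailtoLink("info@example.com", "Contact"),
].join("\n");
const findings = auditHtml(samplePage);
console.log(findings);
```

The “- AT -” spelling and the “at” title text produce no finding, while the entity-encoded link is reported once its character references are decoded.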

What is your experience?  How do you protect your e-mail address, and what have been your results?  Leave a comment below.