Email Address Harvesting - Anti-harvesting Methods

Anti-harvesting Methods

Address munging
Address munging (e.g., changing "bob@example.com" to "bob at example dot com") is a common technique to make harvesting email addresses more difficult. Though relatively easy to overcome, it is still effective. It is somewhat inconvenient to users, who must examine the address and manually correct it.
Images
Using images to display part or all of an email address is a very effective harvesting countermeasure. The processing required to automatically extract text from images is not economically viable for spammers. This method is very inconvenient for users, who must manually launch their email client and transcribe the address.
Contact forms
Email contact forms which send an email but do not reveal the recipient's address avoid publishing an email address in the first place. Insecure forms, however, may actually aid spammers by effectively serving as an open mail relay. This method prevents users from composing in their preferred client and limits message content to plain text.
JavaScript obfuscation
JavaScript email obfuscation produces a normal, clickable email link for users while obscuring the address from spiders. In the source code seen by harvesters, the email address is scrambled, encoded, or otherwise obfuscated. In practice, a simple ROT13 encoding has been found to be very effective, although obfuscation based on a standard key such as the one used in ROT13 is easy to decipher; it is better to use different keys for the standard and nonstandard elements of the email address. For users with a JavaScript-enabled browser, this solution is entirely transparent, so it is very convenient for most users; however, it does reduce accessibility, e.g. for text-based browsers and screen readers.
HTML obfuscation
In HTML, email addresses may be obfuscated in many ways, such as inserting hidden elements within the address or listing parts out of order and using CSS to restore the correct order. Each has the benefit of being transparent to most users, but none support clickable email links and none are accessible to text-based browsers and screen readers.
CAPTCHA
Requiring users to complete a CAPTCHA before giving out an email address is an effective harvesting countermeasure. A popular solution is the reCAPTCHA Mailhide service.
CAN-SPAM Notice
To enable prosecution of spammers under the CAN-SPAM Act of 2003, a website operator must post a notice that "the site or service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages."
Mail Server Monitoring
A method that can be implemented at the recipient email server for combatting directory harvesting attacks is to reject all email addresses as invalid from any sender that has specified more than one invalid recipient address; however, this carries a risk of legitimate email being blocked too.
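The rule described above, as an added example that is not part of the original page: a per-sender RCPT TO policy that answers 550 to every recipient once a sender has named more than one invalid address. Keying senders by connecting IP, the one-hour expiry window (a way to limit the blocking of legitimate mail), and all class, function and sample names are assumptions of this example.

```python
import time
from collections import defaultdict

VALID_MAILBOXES = {"alice@example.com", "bob@example.com"}  # constructed sample directory

# Constructed sample: 203.0.113.9 guesses names, 198.51.100.4 makes a single typo.
SAMPLE = [
    (0, "203.0.113.9", "admin@example.com"),
    (1, "203.0.113.9", "info@example.com"),
    (2, "203.0.113.9", "alice@example.com"),
    (3, "198.51.100.4", "bbo@example.com"),
    (4, "198.51.100.4", "bob@example.com"),
    (4000, "203.0.113.9", "alice@example.com"),
]


class HarvestGuard:
    """Per-sender RCPT TO policy for a receiving mail server (illustrative)."""

    def __init__(self, valid, max_invalid=1, window=3600):
        self.valid = {a.lower() for a in valid}
        self.max_invalid = max_invalid   # page's rule: "more than one" invalid => block
        self.window = window             # assumption: forget misses after this many seconds
        self.misses = defaultdict(dict)  # sender -> {invalid address: time last seen}

    def _live_misses(self, sender, now):
        # Drop expired misses so an old mistake does not block a sender forever.
        live = {a: t for a, t in self.misses[sender].items() if now - t < self.window}
        self.misses[sender] = live
        return live

    def blocked(self, sender, now=None):
        now = time.time() if now is None else now
        return len(self._live_misses(sender, now)) > self.max_invalid

    def rcpt(self, sender, address, now=None):
        """Return the SMTP reply code for one RCPT TO command."""
        now = time.time() if now is None else now
        address = address.strip().lower()
        if address not in self.valid:
            # Count distinct invalid addresses, so one repeated typo is not a scan.
            self._live_misses(sender, now)[address] = now
            return 550
        # Once blocked, real mailboxes also get 550, so replies stop revealing which exist.
        return 550 if self.blocked(sender, now) else 250


def replay(guard, events):
    """Feed (time, sender, recipient) tuples through the guard; return the reply codes."""
    return [guard.rcpt(sender, rcpt, now) for now, sender, rcpt in events]
```

Replaying SAMPLE shows the trade-off the paragraph mentions: the guessing sender is refused even for a real mailbox until its misses expire, while the sender with one typo still gets through.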
Spider Traps
A spider trap is a part of a website which is a honeypot designed to combat email harvesting spiders. Well-behaved spiders are unaffected, as the website's robots.txt file will warn spiders to stay away from that area—a warning that malicious spiders do not heed. Some traps block access from the client's IP as soon as the trap is accessed. Others, like a network tarpit, are designed to waste the time and resources of malicious spiders by slowly and endlessly feeding the spider useless information. The "bait" content may contain large numbers of fake addresses, a technique known as list poisoning, though some consider this practice harmful.
