Anti-spam strategies

From UUWiki
Jump to: navigation, search

Main Page > Websters

Putting email addresses on web pages is sure to result in spam being sent to the address, since many robots harvest them for spammers. Currently, most of the robots can be thwarted by these simple methods. But they will probably get smarter over time.

Use a image of an email address

Email Image Generator

JavaScript replacing Mailto

Davies Memorial UU Church uses a no-spam javascript. You need to put it both in the header and replace each mailto link. The drawback is that browsers with javascript disabled will not be able to use the links. Also, see below for "Include a Subject Line".

Text email addresses

You can create text for the email address with "at" replacing "@" and have spaces on either side of the word as is done in the Mailman list archives and subscribers' lists for UUA email lists (accessible only by list subscribers). For instance, dmuuc at dmuuc.org. One would have to view it and reform it into an email address. Most spammers wouldn't be bothered.

To make sure your text email addresses stay together on one line, use some variation of this markup:

     Source                             Result

name at email.org       name at email.org
name @ email.org        name @ email.org

Mundge your addresses

This is a better way to disguise address since 1) the links still work for humans, and 2) spammers are soon gonna figure out about Mailman-style obfuscation. See Stopping Spam and Malware with Open Source by Brett Glass for complete details.


Invisible HTML

If you insert meaningless html into an e-mail address then the Spambots will not recognize the e-mail address pattern, but when it is rendered for the end user it will be in the correct format. For example "<NoSpam>Username@</NoSpam>domain.tld" will render to the end user as "Username@domain.tld" with the meaningless tags dropping out. The advantage over images being the ability for the user to cut and paste the address.

Server Side Form instead of an Email Address

Spambots can not collect information that is never displayed. If you have the ability to use server side scripting then you can create an "Contact Us" form for users to fill out.

This could further be beneficial by setting up standard subject lines or body content (subject "E-mail from online form"). That way if you are running spam filters on your e-mail account you can make sure that e-mail submitted from online forms are not filtered.

Forms can take user input and email it to a list, sort it, stuff it into a log or database, or perform any desired operation including any combination of the above. One disadvatage: if the vistor does not enter their email address correctly, you won't be able to respond to them with email.

Include a subject line

With all the spam we're getting, it's best to write your own subject line so that you can catch the message when it comes into your In Box or accidentally sorts into your Spam Box. This can be done on standard mailto links, javascript links, as above, and server side email forms.

Run a Baysian Filter

Rather than write endless rules, you *teach* Baysian Filters with actualy samples of spam and "ham." The filter calculates a "spamminess" score for each subsequent email based on content. Since each person has different criteria, bulk emailers cannot easily defeat with forged headers, intentional misspelling, hash busing dictionary attacks, etc. And since they are adaptive, Bayesian filters get better and better with time.

There's free software from http://spambayes.sourceforge.net/ If you are running Outlook (not Outlook Express), there's a free binary plugin - I've used it and it works great!

Installation & Configuration
1. Quit Outlook.  
2. Run installer
3. Launch Outlook
4. Config wizard starts: accept all defaults.

SpamBayes works with 3 sets of folders: Inbox(es), Junk, and Unsure (I renamed the from the default "Junk-Suspects" and it was created for me). Messages with > 90% spamminess are moved to the Junk folder. Message < 20% spammy aren't touched. Message between the thresholds are moved to the Unsure folder. These thresholds are adjustable, but the defaults work well. When I first installed SpamBayes, I thought Outlook had hung. However, because the filter had not yet been trained, it was simply busy moving everything to the Unsure folder. I forced-quit (End Task) a couple of times with no ill effect.

Training The plugin adds a pair of "smiley/frowny" buttons to Outlook. These are labeled "Recover from Spam" and "Delete as Spam" respectively. Simply marking messages appropriately trains the filter. I found it's helpful to initially sort by subject as this puts related messages together so you can easily select and mark many at once. Ironically, while I was training on old mail, I found a couple of unread message from by boss, a potentially career-limiting mistake!