How to Protect Your Site and Domain from Spam

Spam isn't going away. Moreover, spam has become more difficult to block from our in-boxes. The latest trend in spam is image-based spam, which has spam content inside graphics. Since the emails contain no text, they can't be blocked based on their content. A large percentage of image-based spam makes it through spam filters. Even if we had foolproof spam filters, the best way to avoid spam is to prevent spammers from harvesting our email addresses. By protecting our email addresses online, we help reduce the potential volume of spam that spammers can send.

Email contact methods at websites

You can provide site visitors with a contact form, email addresses, or both on your Contact page.

An email contact form allows you to protect your email address via the form script. It also provides a way for people to contact you without having an email address or an email client, such as when they're using a computer at work. If you use a contact form, check the script to make sure that your email address doesn't appear in the page source code.

While contact forms have their advantages, some people prefer to make contact via email addresses. But if you have any working email addresses in the source code at your site, spambots will harvest them and use them.

Methods of protecting email addresses online

If you choose to display email addresses at your site, there are several ways to protect them from spambots. With all of these except for the JavaScript method, the email addresses are not email links. They all aid in preventing spam, but they also present usability issues.

Obfuscate your email addresses. When people have to put their email addresses online in forums or newsgroups, they often write them as "name AT example DOT com" or "name@REMOVEexample.com." When you aren't at your own site, these may be the only options available. But they have disadvantages:

• They look unprofessional.
• Some people who aren't computer-literate have difficulty making email addresses in these formats into working addresses.
• It's speculated that some spambots can convert these formats into working addresses. If they can't now, they may be able to in the future.
• The second method provides spambots with usable email addresses. Email to them isn't delivered anywhere, but these addresses still end up on spammers' lists, and the email uses up bandwidth and other resources. And when humans (if spammers are human) see these addresses on their spam lists, they can easily remove the extra text.

Use CSS to obfuscate email addresses. With this method, you mix other words and characters into your email address text and use CSS to allow only the email address text to display. These pages have instructions on doing this:

• Obfuscate Email Addresses with CSS: simple directions
• Using CSS to Obfuscate Email Addresses to Spambots: a more complex (but perhaps safer) method

A disadvantage of the CSS method is that people who use text readers will find it difficult or impossible to decipher the email addresses.

Make email addresses into images. Use the same font and background color as the rest of the page, and the email address will (usually) look like part of the page. Disadvantages:

• The email addresses will stand out if users increase the font size for viewing or don't use your default background color.
• People using text readers won't be able to read the email addresses unless the addresses are also in the alt text. But spambots can also read alt text, so the alt text also has be obfuscated.

Encrypt email addresses in JavaScript. JavaScript allows you to separate email addresses into parts in the source code. The JavaScript can reassemble the pieces to display formatted email addresses, but it's generally believed that spambots can't reconstruct the addresses in the source code. Disadvantages:

• The email addresses won't display for people who are at computers with JavaScript disabled.
• It's possible that spambots can decipher email addresses obfuscated with JavaScript.

Joe Maller's instructions for protecting your email address with JavaScript provide steps for inserting the text with JavaScript and displaying an image when JavaScript is disabled.

Protecting your domain registration email address

Unless you use a privacy protection service, your email address appears with your domain registration information at whois lookup sites. Domain Tools uses images for email addresses. Many other whois lookup sites don't, though, so our domain registration email addresses are spambot fodder. And we have to use valid email addresses for our domain records to be able to access our domain name accounts.

While they aren't complete solutions, these methods cut down on the amount of spam to our whois addresses in our in-boxes:

Use a unique email address for your whois address and change it regularly. Start with an address such as whois111@example.com, and when it starts getting too much spam, update your whois email address to a slightly different one, such as whois 112@example.com. Change it as necessary.

Use a challenge-response email filter for your whois address. When you set up an email address to use a challenge-response filter, all email sent to that address that isn't already whitelisted is sent a "challenge" email to verify that the sender is a real person. Senders are required to respond by clicking on a link doing some other task to verify that they are real people.

A drawback of challenge-response filters is that spammers often use other people's email addresses in the "from" field. The challenge-response emails to such spam ends up in those other people's in-boxes.

Have your whois email address redirect to an online mailbox. If email to your whois address doesn't land in your usual in-box, you aren't interrupted by spam to that address, and the spam is easier to delete when it's all together. A problem with this method is that if you don't check that mailbox every few days, you could miss important email concerning your domain.

More tips on avoiding spam

Whether or not spambots can harvest your email addresses, avoid using addresses with first names only or common words such as "sales," "info," or "contact." When spammers find domains, they often combine them with common names and other words. Such spam is called domain spam or dictionary spam.

To avoid receiving any of that spam, don't use a catch-all email address. If legitimate email goes to the wrong address by mistake, it will bounce, and the sender will know to resend it. And spam to addresses that don't exist won't reach you.

Is it Spam?

Let’s say that we want to create a mass email mailing list to promote our products. Being the responsible type, we don’t want to email everyone whose addresses we can acquire. We just want to email a targeted audience — people who are likely to be interested in what we offer.

There are good ways and not-so-good ways to compile that mailing list and send our email. No matter how we collect those email addresses, we’re at risk of being labeled spammers. But if we stay well within both the law and our service providers’ Acceptable Use Policies (AUPs), we’re less likely to be perceived as spammers. We’ll also be better able to fight any allegations of spamming.

So, what is spam? And how do we use email mailing lists without being seen as spammers?

Types of spam

Spam can be classified as email spam, Usenet spam, blog spam, and forum spam, among other types, depending on where the spam is sent. Whatever type it is, spam costs end users in time and bandwidth.

Up to 80 percent of email sent is spam. Email spam is the focus of this article.

Definitions of email spam

In Google’s list of over 30 definitions of spam, spam email is described as the following:

• Unsolicited email sent to a large number of people
• Unsolicited email promotions or advertisements
• The online version of junk mail

A common theme: spam is unwanted, unasked-for email.

US spam laws

The CAN-SPAM Act of 2003 provides these limitations for unsolicited commercial emails:

• They must include opt-out instructions.
• They must not have deceptive subject lines or false headers.
• They must be labeled if they contain adult content.
• They must include a legitimate address of the mailer.

The above does not make sending spam illegal. In fact, it makes some spam legal. Many US states have state spam laws, such as requiring advertisements to have "ADV" in the subject line and the sender's name, address, and email address in the body. In some states, it’s illegal to claim that an email is unsolicited when it isn’t or to use a third party’s name for the return address without that party’s permission.

Beyond the spam laws, most Internet Service Providers (ISPs) and web hosts have more stringent rules against spam in their AUPs.

When is it spam?

Since US law is more tolerant of spam than most email users are, what rules should we follow concerning mailing lists?

We won’t have the means to send email unless we stay within the AUP of our web host or ISP. Even if we own our own server, datacenters have AUPs to follow as well. If email recipients report us as spammers, we’ll have to prove that our email is not spam.

By following these principles for our mailing lists, we can stay within the bounds of what most people consider acceptable email:

• Use only opt-in email addresses, preferably double opt-in addresses (where recipients have to click on a link to confirm being added to the mailing list).
• Keep a record of when each subscriber confirmed their subscription to your list.
• Include a link to unsubscribe in every email.
• Honor unsubscription requests and send unsubscription confirmations.
• Write accurate subject lines.
• Provide the type of content that subscribers expected when they signed up.
• Use a valid email address for the "reply to" address.
• Include your name or company name and (depending on your state) snail mail address in each email.

Many mailing list programs, both free and commercial, offer a double opt-in option. Having this option provides the greatest proof (if needed) that subscribers chose to receive your email, which means that you aren’t spamming them.

For tips on building mailing lists ethically and legally, see the May 2006 blog entry Improving mailing list opt-in rates.

Canning Spam

Spam. We all hate it. It eats up our time and our bandwidth, sometimes forces us to block legitimate email, and can lead to important emails being accidentally deleted in the flood of scams and other ads.

Along with services to help unscrupulous people spam, systems and services have sprung up to help protect us against spam. We have spam filters, spam blockers, challenge-response email verification systems, temporary email address systems, and places to report spam to. While these methods of combating spam help in the battle, we're still expending our time and energy fighting spam.

Spam not just in a can

Each spam email that makes it to an in-box takes an average of several seconds of the recipient's time to get rid of it. Depending on the statistics we read, from 40 percent (in 2003) to well over half of all email sent is spam. Either way, spam totals billions of emails every day.

As if that weren't enough, spammers spam in other ways too. They spam blogs (in posts and referrer statistics), newsgroups, forums, even helpdesks. With referrer stats spam, servers are set to automatically access various websites and to display the spammer's website in the referrer details. When bloggers display a list of the most recent or most frequent referrers, spammers have even more reason to spam blogs just by visiting them. They get links back to their site, they get visitors who click on the links, and we have to pay for the bandwidth again.

Slamming the door on spam

Most of us have learned some common ways of reducing spam. We may choose not to apply some of these precautions if we have a good spam filter or blocker in place:

• Don't put a valid email address online.
• Avoid email addresses with just first names, sales@, or other common addresses.
• Don't sign up for anything at a website unless it has a privacy policy that doesn't permit spam.

We also hear the advice never to respond to spam email. If even one in a thousand people responds, sending spam is worth the effort from the point of view of spammers. But either not everyone hears that advice or a few are just too tempted by what lands in their in-box.

Fortunately, a lot of referrer spam can be easily stopped via an .htaccess file, but most spam is not that easy to combat.

Battering spam

With phishing scams and V1agra-type emails, we can at least delete them — if we even see them — and they're history. An annoying feature of some spam is that spammers sometimes use a valid email address belonging to an innocent person in the "from" or "reply to" field. When that address is ours, we receive notifications of all the undeliverable emails that the spammers sent out. We also receive error messages notifying us when the emails have been rejected as spam. And we might be tempted to respond saying that no, we weren't the one who sent the spam. To add to the mix are the autoresponders sent out in response to spam that gets past all the filters and blocks.

All of this adds to the cycle of unwanted email that eats up our time and bandwidth. Is the answer to stop fighting it? Of course not. But sometimes less is better.

The bad guys should have to pay. Some of them will as the law catches up with them. As webmasters, should we avoid sending automated messages in response to spam or suspected spam? On the one hand, sending these automated emails lets senders of legitimate email know that their email didn't reach its destination. On the other hand, the automated emails for the most part waste other people's time and bandwidth, just as spam does.

There is no perfect answer. But if we have to become like the enemy to fight in the battle, perhaps we should reconsider how the method fits with the goal.

Spam on the lam?

A glimmer of good news in the spam war is that the spam flood may be receding. According to this December 2005 article, spam now accounts for fewer emails than in previous years. The 2003 CAN-SPAM law is credited in part for this by requiring an opt-out feature for mailing lists. Improved email filters and steps by ISPs to limit the amount of spam sent also contribute to this decrease.

At the same time, though, spammers have developed more sophisticated ways of sending spam and avoiding detection. Unfortunately, spam isn't going to slink away.