About a month ago, somebody asked me if there was a way they could write their email address on a web page and yet avoid having it picked up by spammers. I was about to tell them it was impossible, but then I had an idea–and it seems to have been a good one. I tested it, and indeed, it did work. The best part is, it incorporates a technique used by spammers themselves, and beats them at their own game!
A little background first. Putting an email address on a web page, or for that matter, anywhere on the Internet where the public can see, is an open invitation for spam. Spammers use automated programs, called “bots,” to “harvest” email addresses. The bots scour every last web page, discussion group, and other public piece of information on the Internet for anything that looks like an email address. When they find one, they add it to a list, and start sending spam to it.
I know this is true because I have tested it. FIrst, I create a brand-new email address (e.g., “brandnewemailaddress@blogd.com”), one which has never been used before, and one which no one but me knows about. I then put the email address up on this blog’s main page. To ensure that only spammers can see it, I make the address the same color as the background, rendering it invisible to the human eye. Five months ago, I put up one such address, and after a week, spam started coming through; after one month, it had drawn 41 spams; this week, it has been getting about 7-8 spams per day, and has collected about 500 spams altogether.
So, I know these bots are constantly surveilling my web site. I know that any email address posted in such a fashion will be picked up. So how could I post an email address and not have it be picked up?
The idea came from a technique I saw spammers use themselves. When spammers send email, they know that certain words will trip spam filters, and that will send their spam to the waste pile, where it will never be read. One key word, for example, is “Viagra.” So spammers who want to use this word will try to disguise is. One way is to misspell the word, for example, “V1@gra” or any other of a hundred variants. But the technique I saw spammers use years ago works to foil the spammers themselves.
It involves the use of HTML code. HTML is the language used to write web pages. If you go to the “View” menu of your browser and choose the “View Source” command (or anything that promises to show the “source”), you’ll see the same page, but as it appears originally, the source code. You will see that it is filled with stuff inside <angled brackets>. On a web page, anything in angled brackets is considered a command for the browser. As a simple example, “<b>” is a command to make text bold. One “harmless” command is <!– text –>. That is a comment command, an exclamation point followed by double-hyphens within a set of angled brackets. It doesn’t do anything, it’s intended solely as a comment in the code. Because it’s an HTML command, it does not “render,” that is, it does not get shown to the viewer on the web page; it is “edited out” by the browser.
Now, spammers used to use this as a way to break up a word so it would get past the spam filters for email. For example, instead of writing “Viagra,” if they instead wrote “Vi<!– text –>ag<!– text –>ra,” the spam filters of the time would not see the word “Viagra,” but since an email reader will render HTML code, the stuff in the brackets would disappear for the person who was looking at the email, and they would see “Viagra” in the clear. Clever! Until, of course, the email spam filters were updated, and it no longer worked for spammers, so they stopped doing it.
But apparently, the spammers never updated their own bots to filter out their own trick! I tried writing an email address in the clear, broken up by this old spammer’s trick, and it has been a month, and not a single spam has been generated! In all other tests where I put up email addresses, spam started coming within a week, and dozens had come by the end of the first month.
So if you want to post an email address so that people can see it but spammers (who are not people, after all) cannot, then add those comment commands within the HTML code on your web page. Look at this new email address I just made:
spammerssuck@blogd.com
Now, I didn’t really type that in the HTML code. You see it as being in the clear, but if you were to look at the HTML code for this page, you would see that it really looks like:
spa<!– toy –>mm<!– blue –>erss<!– bottle –>uck@blo<!– phone –>gd.<!– box –>com
Note that in the HTML comments breaking up the email, I inserted random common words–another spammer’s trick, to throw off filters. But really, you could probably put anything in the comments, it likely doesn’t matter.
Now, will you be safe by doing this forever? Hard to say. Spammers might never pick up on this, or they might write a fix for this tomorrow. Heck, they might read this blog regularly, and I might be tipping them off. My guess is that they won’t bother changing their code to account for this trick until a significant number of people start using it. So if you’re forced to put your email address up on a web page anyway, and you don’t have access to complex coding that might protect it, then you might as well give this method a try.