Your generous donations help keep this site online! Click here to support

Webmasters' Guide to Outsmarting Idiot Spammers

Spammers suck the addresses off your page with an email address harvester program, compiling huge lists of addresses to send spam to. The way to beat these harvesters is to keep that address out of the text stream. Anytime your address appears as plaintext, you're just askin' for it.

Defensive Measures...


If I put right here on this page that my email address is , you'd probably say to me YOU IDIOT! Here you talk about spammer harvesters and then pull some stupid s**t like this... but mouse over it a few times and....hello what's this? it's a graphic? Looks pretty authentic, no? Any spammer can be foiled just by sticking your address in an image file (the file is small, only a few hundred bytes). Someone who actually wants to mail you can type it into their mailer and send you a message. But no existing spammer software has the ability to read characters from text, a feature known as optical character recognition (OCR). OCR is RFS (Real Slow) no matter how much processing horsepower you have. To incorporate it into a harvester would slow it immensely, and considering many spammers probably run their harvesters on an aging '486 anyway (harvesters can only move as fast as the 'net connection anyhoo, and simple harvesting does not take a lot of computer brainpower), it is simply unprofitable for the spammer considering how few images on the web contain an email address.


Another unprofitable action for address harvesters, then, is running all the JavaScript that litters many pages on the 'net. No sense taking the time to execute every single scrollie, alert and cookie script in the off chance that one of them may produce a valid email address. Nowadays they're mostly ad-scripts, popups and watermarks anyway, what spammer wants to get spammed himself? So, we...
Put this blue part right after your site's BODY tag...
<SCRIPT language="javascript">
   function mailme(text) {
   var myname="johndoe";    // CHANGE this to your actual username
   var myhost=""; // CHANGE this to the name of your mail server
   var myaddy=myname+"@"+myhost;
   document.write("<a href=\"mailto:"+myaddy+"\">"+text+"</a>");

Then, put this other blue part wherever you want a mail link to appear...
<SCRIPT language="javascript"> <!--
  mailme("Send me email");
  // --> </script>
  <a href="email.htm">Send me email</a>

Copy the scripting above into your homepage. In the FIRST part (the one you stick after <BODY>), put in your real username and server. E.g. if your address is, change johndoe to jimmy and to Pretty easy so far?

In the SECOND part (which you copy-paste in wherever you want a mail link), just change where it says "Send me email" to whatever you want your mail link's text to be. Viola! Your email address will be dynamically inserted by the script wherever you want it, completely invisible to address harvesters. For browsers which do not support JavaScript, the link will point to a page named email.htm. Just make yourself a nice little email.htm page (of course, you can change this name if you want) which has your address on it as a graphic, or as a "johndoe (at) example dot com", to foil any harvester that drills down to that page.

Here's an even easier script which is especially useful in situations where you can't (or don't feel like) inserting a bunch of JavaScript in place of an email link. In this, you just link to a page email.htm where the script is located, and put the following script on your email.htm page.
<script language="JavaScript">
<!-- // SP@MGARD by Bill - found somewhere on (feel free to copy to your own page!)

var one="mailto:johndoe"; // CHANGE johndoe to your actual mail username
var two=""; // CHANGE to the name of your email provider

// -->

On the email.htm page, give your address in the form of a graphic, or some other spammerproof form. The scripting makes sending mail even easier for those using a Netscape browser: it will pop up the email window (like a mailto: link) with your correct email address filled in, then quickly redirect back to the page where the link was clicked, simulating an actual mailto: link (but with the advantage of being completely spammer-proof). On other browsers, the viewer will see the spammerproof address you provided.
(Believe it or not, back when I wrote this there were a lot of people using Netscape browsers. More recently, that figure hovers at around 3%...)


If your server supports CGI or Perl scripts, write/find/steal an email-form script that will take the contents of a <FORM> on your page and send it to you as an email. In your page's HTML the form will look something like <FORM method="post" action=""> ...spammer software can't use them. I've found that people will send you a form message who wouldn't send you an email (maybe are more comfortable with the form right there on the page, inviting them to correspond...or maybe they are just lazy :) ...consider this an added bonus for people who like to get email.
More Perl
Joel De Gan shares a method of coding your email address using Perl. (You may see variations on this occasionally used in geek hangouts like Slashdot.) To encode your address, use

perl -e 'print unpack "H*",""'
 then add "0a" at the end of the string for a carriage return. This gives your address as a long hex string. Now you can give out your email address as
perl -e 'print pack "H*","{coded string}"'
This will not only stop spammers, but also keep non-techs from getting your address.

Offensive Measures (the fun part!)

Fun with Harvester Poisoning

"Poisoning" refers to clogging up spammers' lists with bogus addresses--kind of like spamming the spammers. The easiest way to poison is to put WPOISON on your page. Anyone with CGI access can put on their pages this script, which invisibly generates a ton of valid-sounding, bogus addresses to clog up spammers' systems. Many newer harvesters, aware of WPOISON and what it does, will ignore addresses on any page (& sub-pages) which mention it (the harvester assumes the page is probably using it). Double bonus! So even if you don't have CGI access, just mention WPOISON somewhere on your page (in the comments?) and many harvesters will treat you like a king. If you don't have access to CGI, I've written a free program called Toxic Waste Dump that generates a bunch of static, interlinked pages filled with bogus addresses.
Here is a PHP script to do what WPOISON does as well.

Fun with Feds

Put up a page containing the email addresses of your bigwig representatives (you know, the ones in Congress and such that have the power to get anti-spam legislation passed) and link this from your main page. Make it a point to make these pages easy for the harvester to find. Alternatively, throw on a few addresses from government anti-fraud divisions, the CIA, etc (the humourless tie-wearing guys who like to PROSECUTE), to make sure those MLM offers and Ponzi schemes are barking up ALL the right trees.

Fun with spammers' mailers

Serve up a little bad code for the harvester to choke on. Somewhat similar to WPOISONing your site to scuttle the l'il spamdicks, but the idea here is to cause the sending of invalid data to bugger their mail system. Many harvester programs are trained to deal with a NOSPAM or REMOVETHIS inserted somewhere in the address, demunging it and adding it to their lists, as well as convert a "johnny at example dot com" back to its useful format. More advanced ones will kill completely bogus addresses outright, e.g. ones whose domains don't end in a valid country code (address@up.yours will be rejected). Using all of this to our advantage, we can play some fun games with the harvester. If it takes NOSPAM out of an email address, what happens if you have an address whose domain consists of nothing but that text? You give it bill@nospam, the demunging routine returns bill@, and the spammers, thinking their methods flawless and utterly foolproof, might not bother to implement some kind of software trap to catch this happening. Many spam harvesters of the olden days were not very reliable. The mailer reports back a fatal error (not just an "undeliverable" bounce; this is something more serious the program may not be anticipating), and the program pops up an error box for the spammer: "Hey dummy! An error occurred. Anyway, since I'm just a dumb piece of spammer software, I'll just sit here forever doing nothing while waiting for you to click "OK" to acknowledge this error, when you get back from vacation next week." Creative uses of multiple consecutive dots, dots right adjacent to the @, multiple @'s or several domain suffixes in the address can be interesting things for a spam-hating webmaster to toy with on a rainy day.
Another fun thing to do is load bogus addresses with eight-bit, extended-ASCII characters (them hearts, flowers, smiley faces, piping and other stuff you see if you open a .exe file in ms-dos EDIT) or other invalid stuff mailers tend to choke on (hi i'm $?®¶??å?¾ø!), causing havoc with the spamster's mailserver and even making the harvester program crash. Particularly where the spammer lets the bot run overnight (or otherwise unsupervised for long periods) this can be a fun thing to pull off. (Modern spam programs are probably better-written, but you never know...)
For lazy people - Copy this into your HTML for some easy spammer fun:
<!-- mailto:@@@@@@@ MailTo:@.@.@.@ @.@ .@. error@invalid@page@exception@hahahaa!!!mailto::  @nospam ;)  spammer at dot dot com  fakeaddress at dot com dot com dot com dot com dot com
$?®¶??å?¾ø &&$@blah.n?t
We like it when email harvesters crash :)

Fun with Mail Forwarding

I came upon this shortly after signing up for my domain, which has a great mail-handling scheme for handling spammers. Under this scheme, I can have mail addressed to any address, and it comes directly to my inbox (unless I've chosen to route that specific address elsewhere). I can also redirect mail from any address straight to NULL -- the bit bucket. Now, whenever a company wants an email address, I give it to them as (which includes the company the address was provided to along with the date they received it), along with a copy of the Zero Tolerance SPAM Policy. If they spam to this address, I demand payment as described in the Policy. If I start receiving mail to this address from OTHER companies, I know the address was SOLD, who sold it and who bought it, and all hell breaks loose. (Of course, I can also forcibly 'expire' these addresses whenever I want, by changing them to point to Who knows, maybe I'll eventually quit my day job and just sue spammers for a living ;)

If you're interested in this, various companies provide a similar service. A few are listed on the spam page, under Signups for services.

Chris C. shares some similar advice:

For people that have their own domain, where they can setup address alias's
Eg/ if you have the address setup an alias so anything delivered to ? gets delivered to you.

Now, whenever you are at a website that asks for your email address, say Microsoft, you can enter an address that relates to that site. Eg/
This way you will still recieve email from this site, but if you start getting SPAM all of a sudden, you can check the TO address to see which site has sold your email!!!

I find this very usefull, and have uncovered a couple of places that have "passed on" my email address.

Up One Level (Avoiding Spam)
HomeE-mailCopyrights and Disclaimers