PC Security — Fighting Spam, Part II: Webmaster Strategies

Fighting spam — like countering any illegitimate activity — is a battle fought best on multiple fronts. There are simple steps end-users can take to minimize the impact of junk mail (outlined in Part I), but the webmaster or e-mail provider has even more tools available.

If spammers had to gather e-mail addresses individually, the effort would outweigh the reward. Their enterprise relies on automation in the form of spambots: programs that browse websites looking for e-mail addresses, which they then 'harvest' and collect into large lists.

Foiling them by raising the spammer's cost, without turning your efforts into a full-time job, is the most effective way to shift the equation in your favor. Some of the end-user techniques discussed in Part I are even more useful to the webmaster.

Editor's Note: I came across this article quite by accident, through a friend. He was reading a website, and the articles on it captivated him. He mentioned it, and fortunately we managed to convince the author to agree to share this valuable content with others, and now you're reading it!

What you've learned has the potential to change the way you view this topic in the future.  And there's more to come...

CAMOUFLAGE

Spambots can only do what they're programmed to do. Often, disguising a publicly visible e-mail address is enough to cause the spambot to bypass you. They're frequently programmed to look for character strings like John_Example@somecleverdomainname.com. A change to John_Example_at_NOSPAMsomecleverdomainname.com is enough to fool them.

Even if your disguised e-mail address is still harvested, at minimum the address has to be 'scrubbed' in order to be used. Scrubbing routines are even harder to write than spambots, because there are so many possible variations (NO_SPAM, NOSPAM, no*spam, and many that are much more clever). Be creative!

The method has a drawback: users have to strip out the extra letters and insert the @-sign (in the above example) — something they sometimes fail to do.

E-mail addresses can be made un-harvestable by embedding them in a graphic, rather than using mailto: or other plain-text options. Very few bots are sophisticated enough to read a graphic and translate the pixel pattern into usable text — particularly since the graphic can have an infinite variety of shapes. Here again, users can't simply copy-and-paste or reply to, so there's some inconvenience for them.

An alternative option is to eliminate visible and accessible e-mail addresses entirely. Instead, provide a feedback form that stores user information in areas unsearchable by spambots. Or store the information in a format that is easy to encode but difficult to crack, for example by using JavaScript.

BARRIERS

Banning visible e-mail addresses, or hiding them in graphical form, makes communication between trusted parties more difficult. Put the burden back on the spammer by blocking known spambots.

Spambots often have an easily spotted signature: a known IP address or process name (or both), or a non-browser User-Agent.
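As an added example (not part of the original article), the following script checks web-server access-log lines for the two network-visible signatures just described: a known IP address and a non-browser User-Agent. The log lines, the blocked network and the "ExampleHarvester" agent string are constructed for illustration, and the browser test is a deliberately crude assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in "combined" access-log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /contact.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.23 - - [10/Mar/2024:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 734 "-" "ExampleHarvester/1.0"
198.51.100.23 - - [10/Mar/2024:10:00:02 +0000] "GET /staff.html HTTP/1.1" 200 901 "-" "ExampleHarvester/1.0"
192.0.2.44 - - [10/Mar/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "-"
192.0.2.200 - - [10/Mar/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
this line is malformed and must be skipped
"""

# Assumptions for the example: a locally maintained blocklist and a crude browser test.
KNOWN_BAD_NETS = [ip_network("192.0.2.192/26")]
BROWSER_UA = re.compile(r"^Mozilla/\d")
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def classify(line):
    """Return (ip, reason) for a suspicious request, or None."""
    m = COMBINED.match(line.strip())
    if not m:
        return None  # not a combined-format line
    try:
        ip = ip_address(m.group(1))
    except ValueError:
        return None  # first field is a hostname or garbage, not an IP
    if any(ip in net for net in KNOWN_BAD_NETS):
        return str(ip), "known-ip"
    if not BROWSER_UA.match(m.group(2)):
        return str(ip), "non-browser-ua"
    return None

def suspects(log_text):
    """Count flagged requests per (ip, reason)."""
    hits = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits[hit] += 1
    return hits

if __name__ == "__main__":
    for (ip, reason), n in sorted(suspects(SAMPLE_LOG).items()):
        print(f"{ip}\t{reason}\t{n} request(s)")
```

The User-Agent header is supplied by the client, so the non-browser matches are better treated as a list to review than as an automatic block; feed readers and monitoring tools will also show up in it.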

IP address blocking is a simple matter for any webmaster, but blocking unwanted processes isn't difficult either. Just start a cron job that periodically scans for a process name and uses kill to terminate the associated process ID.

The more sophisticated webmaster can have a daemon that sleeps until a process name is instantiated, wakes up instantly and kills the process before it can do any harvesting. This is only slightly more difficult to implement, and sample programs are available by searching your favorite engine.

I hope you've found this information helpful and gained something of value from the article.

In case there is any specific portion that is not clear enough, or that you'd like to know more about, please write to let me know and I'll try and update the article or write another one getting into greater detail.