
Insert the patterns from Listing 1 into a file—in my example, I've called it nospam.conf—and then load it using Apache's Include directive, as I discussed earlier. This lets multiple servers and virtualhosts on the same machine use the same mod_rewrite rules. It also lets you update the patterns in the event that you need to block new spamware with new User-Agent signatures. Note that you may need to include the <IfModule mod_rewrite.c> block in the config for each virtual host, depending on your setup and configuration. Finally, restart the server.

Voila! You've successfully protected your Web server from the most egregious spambots, making it possible to post your users' email addresses on your Web site while preventing undesirable elements from stealing them for nefarious purposes.

A final caution—some spambots masquerade as well-known browser software, rather than announcing their own IDs. That means that the technique above won't block every attempt to scrape addresses. However, the methods described will protect you from, if you'll pardon the pun, the bulk of the spammers out there.

Other Solutions

What else can you do to keep employees' addresses out of spammers' hands? One school of thought suggests that you severely curtail network activities. For example, employees shouldn't post to Usenet, or if they post, they should use bogus email addresses; they shouldn't participate in publicly archived mailing lists; they shouldn't post their email address on any Web site; and so on. (For related information, see "Online Resources".)

I have a problem with this approach: it means that spammers have won. Making it difficult for people to contact your business out of fear that your users might get spammed is a losing proposition.

One solution is to use JavaScript to print any mailto: links and other occurrences of your address, as seen in Listing 2. To print a mailto: link or your email address, simply insert the HTML shown in Listing 3 into the document where you want the link or address to show up. Beware that this won't work in browsers that don't understand JavaScript, or in browsers with disabled JavaScript.

Another option is to use HTML entities to encode mailto: links and other mentions of your address so that extremely brain-dead spamware can't scrape it, like so:

<a href="mailto&#58;schampeo&#64;hesketh&#46;com">Send me email!</a>

To do the same thing with your address, simply replace the @ with the HTML entity for that character, &#64;. Then scatter other entities throughout the address, for example, using &#46; for the "." in your domain name. Web browsers will translate the entities into the characters they represent, but spamware is unlikely to understand the encoding. In the future, however, as spammers and their software get smarter, tactics like these may prove to be relatively poor solutions.
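As an added example (not code from the article or its listings), the script below shows the two client-side techniques described above in working JavaScript: it entity-encodes an address, builds the mailto: link from it the way a script in the page would, decodes the result the way a browser does, and checks both forms against a plain-address pattern of the kind a simple harvester applies to raw HTML. The address user@example.com and all function names are constructed for this demonstration.

```javascript
// Added example, not from the article. Sample address and names are constructed.

// Encode every character of a string as a decimal HTML character reference:
// "@" becomes "&#64;", "." becomes "&#46;", and so on.
function entityEncode(text) {
  return Array.from(text)
    .map(ch => `&#${ch.codePointAt(0)};`)
    .join("");
}

// Build the anchor markup. The "mailto:" scheme is encoded as well, so neither
// the scheme nor the address appears literally in the page source.
function mailtoLink(user, domain, label) {
  const address = `${user}@${domain}`;
  const href = entityEncode(`mailto:${address}`);
  return `<a href="${href}">${label || entityEncode(address)}</a>`;
}

// Decode decimal (&#64;) and hexadecimal (&#x40;) character references. This is
// what a browser does before rendering the link text or following the href.
function decodeEntities(html) {
  return html.replace(/&#(x[0-9a-fA-F]+|\d+);/g, (_, code) =>
    String.fromCodePoint(code[0] === "x" ? parseInt(code.slice(1), 16) : Number(code)));
}

// A plain-text address pattern as a naive harvester would apply it to raw HTML.
// It matches the decoded form but not the entity-encoded source, which is the
// whole point of the technique; a harvester that decodes entities first would
// still find the address, which is the caveat the article raises.
const PLAIN_ADDRESS = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;

function scrapeable(html) {
  return PLAIN_ADDRESS.test(html);
}
```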

Some mail servers also allow "plussed" addresses, which can be used to track who is sending spam. For example, if I fill out an untrusted Web form at example.com, I might add that domain to my address, like so: schampeo+example.com@hesketh.com. Then, if I do get spammed, I'll know who did it. Check with your mail server vendor to see if your software can accommodate this practice.

Make sure that your users don't reply to spam. Asking to be removed from junk mail lists only confirms that a given address is valid.

There are several other approaches to preventing addresses from being harvested, including giving out fake addresses and using obfuscated or invalid HTML on Web pages (see Example 2). I don't recommend these, however, because in using them, you're just giving in to spammers, while making it more difficult for people to send you legitimate email. These approaches can also cause problems for innocent people and systems administrators who have to clean up the mess.

One tactic I do recommend is the use of spamtraps—addresses that you control, but that have no other use besides catching spammers. I have several unpublished freemail accounts that receive nothing but spam, which I then report to the appropriate authorities.

Indeed, in my view this is the best way to combat unwanted bulk email. Mail administrators should make it a policy to immediately report spam to the ISP from which it originates. Many ISPs enforce an Acceptable Use Policy (AUP) that explicitly forbids bulk mailing. Report abuse as soon as it happens and as many times as necessary until either more ISPs wise up and start policing their customers, or until the cost of spamming becomes so high that it loses its appeal.

--------------------------------------------------------------------------------

Steven is CTO of hesketh.com/inc. in Raleigh, NC, but this doesn't free him from the awesome responsibility of managing the popular Webdesign-L mailing list. Reach him at schampeo@hesketh.com.

