Don't let your Web app help spammers

We've all been plagued by unsolicited commercial email -- also known as spam. In fact, the Washington Post reported that spam may soon account for half of all U.S. email traffic.

Every company is looking for a way to fight spam, as it costs them a lot in many ways. Apart from the bandwidth issue, spam costs companies in terms of employee productivity, storage and support cost. As a result, almost all companies have some kind of solution to protect their employees. Even Web email providers such as Yahoo and Hotmail have spam features.

Although those solutions help reduce the amount of spam received, they are still reactive approaches. To reduce spam, we need to understand how spammers collect email addresses and stop them from stealing them.

One way spammers gather email addresses is by scouring through Web sites. They use automated programs called spiders or spambots, which crawl through Web sites and collect everything that looks like an email address.

Although there is no guaranteed way to tell which technique a spammer uses, there are statistics that show

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Strategies Fixing four Web 2.0 input validation security mistakes Social engineering training could disrupt botnet growth Web security problems: Five ways to stop login weaknesses Common mistakes in real-time Java programming Preparing for testing applications in the cloud The role of quality assurance (QA) pros in software security Common software security risks and oversights Using the Firefox Web Developer extension to find security flaws Web application security testing checklist How to develop secure applications Building security into the SDLC (Software development life cycle) The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science' How to prevent HTTP response splitting Browser security a concern for website development Web application security and the PCI DSS PCI DSS compliance: Web application firewalls (WAFs) PCI DSS compliance: The basics

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

that email addresses stolen from Web sites get more spam. During one research study, they found out that after the email address was removed from the site, the amount of spam reduced considerably. That suggests that email addresses on Web sites get more spam because they are for the most part active accounts.

The ideal situation is to remove your email address from the Web site. However, we want to give visitors a way to communicate with us and email is the easiest way. That means we need to figure out how we can display our email address to users but hide it from the spambots.

Let's take a look at a few ways to obfuscate an email address.

Here's a demonstration of how it works.

If you're interested in the source code, you can download it here.

-------------------------------
About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.