Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Don't let your Web app help spammers

Spam has unfortunately become a way of life. There are things you can do on Web sites, however, to secure email addresses and prevent distribution of this unwanted email.

We've all been plagued by unsolicited commercial email -- also known as spam. In fact, the Washington Post reported that spam may soon account for half of all U.S. email traffic.

Every company is looking for a way to fight spam, as it costs them a lot in many ways. Apart from the bandwidth issue, spam costs companies in terms of employee productivity, storage and support cost. As a result, almost all companies have some kind of solution to protect their employees. Even Web email providers such as Yahoo and Hotmail have spam features.

Although those solutions help reduce the amount of spam received, they are still reactive approaches. To reduce spam, we need to understand how spammers collect email addresses and stop them from stealing them.

One way spammers gather email addresses is by scouring through Web sites. They use automated programs called spiders or spambots, which crawl through Web sites and collect everything that looks like an email address.

App security talk
Check out Anurag's blog to read what else he has to say about application security.

Although there is no guaranteed way to tell which technique a spammer uses, there are statistics that show that email addresses stolen from Web sites get more spam. During one research study, they found out that after the email address was removed from the site, the amount of spam reduced considerably. That suggests that email addresses on Web sites get more spam because they are for the most part active accounts.

The ideal situation is to remove your email address from the Web site. However, we want to give visitors a way to communicate with us and email is the easiest way. That means we need to figure out how we can display our email address to users but hide it from the spambots.

Let's take a look at a few ways to obfuscate an email address.

  1. Use a Web form that internally sends an email. Essentially you ask the user to enter his name, email address and other details, which upon submitting, gets mailed from the server. If you have more then one email address, make it a drop-down list that people can choose from. That may open you to other problems, but at least it won't give your email address to spammers.
  2. If you want to be able to display the email address, you can create an image instead of text and display it on the Web site.
  3. You can break the email address into multiple parts and use JavaScript to join them dynamically when the user clicks on the email link. For example, you can create a JavaScript function such as this:

    var email_name = "anurag.agarwal";
    var hostname = "yahoo.com";
    var email_address = "mailto:" + email_name + "@" + hostname;
    document.getElementById("email_link").href = email_address;

  4. You can take the above approach a step further by encoding the email address so that it appears jumbled. This is very stealth, but it's also very confusing and complicated. Example:

  5. You can use Ajax to protect your email address from spambots. You can store the email address in a text file on the server and dynamically call it using Ajax when the user clicks on a link. If there are multiple email addresses on your Web site, such as feedback, career, support and sales, then you can use Ajax to call a function on the server that can return the appropriate email address requested for.

Here's a demonstration of how it works.

If you're interested in the source code, you can download it here.

About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.

Reader Feedback: Share your comments on this article

Dig Deeper on Building security into the SDLC (Software development life cycle)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.