Privacy Spam

How Do You Fool Spam Bots? 87

ThisIsAnExampleAccou asks: "I am currently researching Spam Bots, and the various methods by which they collect addresses. While doing my research, I have started to notice the various ways that people post their email addresses to fool spam filters (i.e. - go fishing to mail me) What clever ways have you seen/done to fool spambots while still letting people know how to get in contact with you?"
  • I post my address unobfuscated, you insensitive clod!
    • Re:I don't. (Score:5, Insightful)

      by Alan Shutko ( 5101 ) on Friday October 24, 2003 @07:29PM (#7305417) Homepage
      I post my address unobfuscated, you insensitive clod!

      Ditto. Google my address and you'll find it in mailing lists, Usenet, web pages. It's everywhere. It's also about 4 years old, I think.

      I don't believe in making people jump through hoops to get in touch with me. And as you've noted, you have to make your email address increasingly more obfuscated to keep it off of lists. And if one of your friends or family gets a virus or sends you an e-card, your address is "contaminated" and you'll get junk.

      Instead, I run bogofilter and deal with it. I don't have to constantly send out new addresses to people. If a friend from elementary school wants to look me up, he can find me. (And yes, that's happened.) And people can actually hit "reply" on messages I post. Wow.
      • "I don't believe in making people jump through hoops to get in touch with me."

        For an experiment, I created a new email address and used it as my Slashdot address without 'spam armor' for a couple of weeks. It didn't take me very long to generate quite a few unsolicited messages.

        Though I agree with you in spirit, at some point you have to stop and consider that if you don't slightly inconvenience people trying to reach you, then you'll inconvenience them by missing their email due to being lost in a clu
        • Though I agree with you in spirit, at some point you have to stop and consider that if you don't slightly inconvenience people trying to reach you, then you'll inconvenience them by missing their email due to being lost in a cluttered inbox.

          I really hope you don't run into that.

          I haven't. I receive 700-900 messages a weekday. (Less on weekends.) Bogofilter is very, very good at avoiding false positives. I've had one false positive personal mail, in the time I've used it. (More commercial mail I don'
      • And if one of your friends or family gets a virus or sends you an e-card, your address is "contaminated" and you'll get junk.

        Or if one of your friends or family puts you on a giant CC list, and one of those addys CCed is hosted by some fly-by-night free email service on the web, harvesting, harvesting, harvesting.
      • My work email address is posted all over the Net because I work for a university doing PR and maintaining a Web site. I now get 25-50 emails a day for pills, penis enlargement (I don't even have one), and now I get these new "Hi" subject emails.

        I'm on a Mac and my unit requires using Lotus Notes and I am NOT an administrator. I use Lotus Notes built in filter but it is not nearly enough. What can I do?

    • And I don't, and I don't get any spam. Weird that.

      I'm aware that lots of people get lots of spam... but I don't! Weird huh?

      • According to my Bayesian filter stats, since July 19th, I received 13,403 spams. That means 144 spams per day.
        • Check out this thing called Sugarplum which creates pages with lots of real-looking but truly fake e-mail addresses. The point of using something like this is to poison the spammer databases and reduce the good:bad ratio of addresses. This way hopefully they will have to throw out the database or at least the content they gathered from your web site.

          Other ANTI-SPAM techniques: Basically the best method is to never let your e-mail address appear in a machine-parseable format except in places where other

  • Hi! (Score:3, Funny)

    by Teancom ( 13486 ) <david.gnuconsulting@com> on Friday October 24, 2003 @07:35PM (#7305457) Homepage
    I'm frustrated because my spambot hasn't been picking up nearly as many email addresses recently, as compared to what it used to. Some people out there are really clever! :-( Could you please detail to me exactly how you try and keep me from harvesting your address? Oh, and putting into a testcase form would just be the icing on the cake!


    Your Friendly Neighborhood Spammer
    • And no, I'm not accusing the OP of being a spammer. I just thought it was funny...
    • I have two ways of dealing with my "Friendly Neighborhood Spammer" which, although they don't exactly fix the problem, go some way to make me feel better about it.

      Since the spam I get now tends to originate from a few sources (all US-based, incidentally), I collect every email address I can find for those companies and post them on a webpage in full view, with handy mailto: links.

      Another approach (but of questionable legality) is to set up a DoS attack on the culprit, but that takes a bit more effort.

      The po

  • by crstophr ( 529410 ) on Friday October 24, 2003 @07:37PM (#7305465) Homepage
    You just need your own domain... where you can receive email for any address at that domain.

    Every time I give out an email address to someone new I give them a unique email address. Every time I put my email into a web form for some company they get it in the following format:

    friends can get silly things like: or whatever.....

    other examples:

    Then, if I begin receiving spam on one of the addresses I know exactly who it is coming from or who at least is responsible for giving out my email address. I can also go in and specifically turn off the offending email address, or better yet have each mail received fire off a "custom" error message or some script I have set up.

    I've been using this method for a year and believe it or not I don't receive more than 1 spam mail a week and never receive it more than once on any given address. What is wonderful is that I have no fear or worry about giving out email addresses any more.

    • I do absolutely the same.

      You only get 1 spam a week? Great! I get a lot more on some of these addresses and as soon as I detect one address getting proportionally many the filter has already kicked in.

      Still... I spend a few minutes a week looking at what the spam filter got, some are amusing.

    • I do that, but this results me in not blocking the email that gets sent to that address so I can watch as the remove option doesn't work and the address spreads further. ;)
    • by skinfitz ( 564041 ) on Friday October 24, 2003 @08:16PM (#7305657) Journal
      This is a technique I described at DNSCON last year.

      I go one further though - once you start to get spam to an address that you registered with a specific company (say for example) then reroute all mail to that address to the relevant abuse reporting addresses.

      The result? By spamming you they automatically report themselves while you never see the spam.
    • Or you can simply forward it automagically to the offending company's customer service email. They'd like it a lot more than me I think, since they obviously think people like to receive spam. Works well for me :D
  • by Tor ( 2685 ) on Friday October 24, 2003 @07:41PM (#7305490) Homepage
    You could add both a "From: " and a "Sender: " header to your usenet/mailing list postings:
    From: you@yourdomain
    Sender: blockme@yourdomain

    You'll get tons of spam to both addresses (not necessarily the same spam, unfortunately - that would make filtering real easy). You run SpamAssassin (or similar) to filter mail to your real address, and you run "spamassassin -r" or "razor-report" to handle mails sent to your spamtrap address (making the Razor service, and in turn, SpamAssassin, more efficient at identifying these spams).

    Better yet, if your MTA is Exim, use SA-Exim to add teergrubing functionality to SpamAssassin. Oh, the satisfaction! :-)

  • In order of preference:
    1. Don't post/give out the address in the first place. ;)
    2. Use a fairly trivial bit of JavaScript to mangle the address, but render it properly in the browser.
    3. Referral to my CGI based contact form that doesn't include the addresses on the client.
    4. Lame mangling such as used by Slashdot.

    Note that posting in plain text is not up there. I've recently dumped an email address I've been using for over a decade due to an inordinate amount of spams and Joe Jobs. Times have changed, and so

    • It is actually hard to find a CGI contact form that hides email addresses. I ended up writing my own: Stephen Ostermiller's Contact Form. You can download and use it yourself if you wish, it requires a web server, perl, and sendmail. I researched other forms that hide email addresses and was only able to find a few others.

      The trick that I use when I need to obfuscate an email address is to leave instructions to amputate the address. Then I will write the address like A compute

  • My solution... (Score:4, Informative)

    by cmowire ( 254489 ) on Friday October 24, 2003 @07:48PM (#7305523) Homepage
    I encode the IP address of whoever's requesting the email address and the current date and time. So each request gets a unique email address.

    The file is forbidden by the robots.txt file. I don't think that it surprises anybody that it still has gotten spambotted. ;)
    • The file is forbidden by the robots.txt file.

      A sensible precaution, I'm sure that spam harvesters pay attention to robots.txt.

      They get the forbidden pages and look at them first, as that's where all the juicy stuff will be.
      • See, mostly I wanted to collect evidence that spammers are truly scum-of-the-earth.

        I also discovered, once they picked up a few addresses, that the "remove me from this list" still doesn't do anything.

        I need to summarize up the trends and write it up, but I haven't gotten to it yet.
        • Re:My solution... (Score:1, Informative)

          by Anonymous Coward
          Usually the "Remove Me" option is just a method the spammer uses to verify which email addresses are real. If you reply to it, they know you are a real email address and will do quite the opposite than remove you :-)
          • I'm thinking that, lately, they either just ignore the removal requests or maybe remove you from one specific mailing.

            It's also the case that half of the removal URLs will return an error message. ;)

            The influx of spam to the address I've been testing the "remove me" option hasn't gone down appreciably, but it hasn't gone up that much either.
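The per-correspondent addresses and the per-request addresses (requester IP plus date and time) described in the two threads above, as an added example that is not any poster's code. The HMAC tag goes beyond both posts: it lets a catch-all domain reject guessed local parts. `SECRET`, `DOMAIN`, the `r-` prefix and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never published
DOMAIN = "example.org"            # assumption: catch-all domain you control


def _mac(data: bytes, n: int) -> bytes:
    """Truncated HMAC-SHA256 binding an address to this server's secret."""
    return hmac.new(SECRET, data, hashlib.sha256).digest()[:n]


def address_for_label(label: str) -> str:
    """One address per correspondent, e.g. the name of the company given it.
    Labels must not start with the reserved 'r-' prefix."""
    label = label.lower()
    return f"{label}.{_mac(label.encode(), 4).hex()}@{DOMAIN}"


def address_for_request(ip: str, when: int) -> str:
    """One address per page view: packs requester IPv4 + Unix time + MAC."""
    payload = ipaddress.IPv4Address(ip).packed + struct.pack(">I", when)
    # 8 payload bytes + 7 MAC bytes = 15 bytes = exactly 24 base32 characters
    token = base64.b32encode(payload + _mac(payload, 7)).decode().lower()
    return f"r-{token}@{DOMAIN}"


def trace(addr: str):
    """Return ('label', name) or ('request', ip, when); None if forged or guessed."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain != DOMAIN:
        return None
    if local.startswith("r-"):
        try:
            raw = base64.b32decode(local[2:].upper())
        except ValueError:           # bad alphabet, bad length, non-ASCII
            return None
        if len(raw) != 15:
            return None
        payload, tag = raw[:8], raw[8:]
        if not hmac.compare_digest(tag, _mac(payload, 7)):
            return None
        when = struct.unpack(">I", payload[4:])[0]
        return ("request", str(ipaddress.IPv4Address(payload[:4])), when)
    label, _, tag = local.rpartition(".")
    expected = _mac(label.encode(), 4).hex()
    if label and hmac.compare_digest(tag.encode(), expected.encode()):
        return ("label", label)
    return None


def disposition(rcpt: str, revoked: set) -> str:
    """RCPT-time decision: refuse guessed addresses and ones already burned."""
    origin = trace(rcpt)
    if origin is None:
        return "reject: unknown recipient"
    if rcpt.strip().lower() in revoked:
        return f"reject: revoked, leaked via {origin[1]}"
    return "accept"
```
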
  • bullshit. (Score:2, Insightful)

    I am currently researching Spam Bots, and improving the methods by which they collect addresses. While doing my research, I have started to notice that people post their email addresses to fool spam filters (i.e. - go fishing to mail me) What clever ways have you seen/done to fool spambots while still letting people know how to get in contact with you?
  • GIF (Score:4, Insightful)

    by Detritus ( 11846 ) on Friday October 24, 2003 @07:56PM (#7305571) Homepage
    I recently tried to email the maintainer of a web page and quickly discovered that the listed email address wasn't text, it was rasterized text in a GIF file. Unless the bot can do OCR, it can't read it. The only problem is that this trick is hostile to the blind.
    • I've read that you can fool many spam bots by using Char codes.

      This is most likely of little use when submitting your address in a form, but for a web content it would seem ideal.

      Of course knowing my luck, you're just planning to write a bigger/better spam bot, and decided to use /. for your R&D
      • Bots are already starting to decode these. I've seen it myself on some spamtrap addresses I have hidden on our site.
  • Sometimes I spell mine out. As in, myadress AT hotmail DOT com.
    • > Please put this in your sig if you think /. should stop posting NYTimes articles.

      I know I shouldn't reply to a sigline, but in all honesty, discriminating against a news source (That publishes) for simply requiring you to log in?

      Or maybe for their political views?

      If it's the logging in thing, just use one of a thousand that slashdotters have already set up. Try just about any common keyboard key-run (qwe123, asdf, etc).. odds are, you'll hit one.
      And then, if nothing else, you're screwing up their statis
  • 1) For USENET messages, I use a Hotmail address that I check once in a blue moon, and a note in my sig that I don't check that address very often
    2) For mailing lists, I use a free address that I can change at any time.
    3) For online forums, "PM me for my e-mail address"

    Does quite well at keeping my main address free of spam
  • I use a good ol' jpeg file. Has never ever let me down. Not even once. Also, I've got a spider trap on my website.
    • You suck (Score:2, Funny)

      by WTFmonkey ( 652603 )
      I must ask that you remove the "spider trap." My email accounts are filling up with SPAM and I now have reason to believe it is your fault.


    • Saw Unsolicited Commando. Looks like fun. I'm just reviewing the source code to see how you do the Tactical Orders thing. One question: how do you know which form box is used for what? For example, a text box could be labeled (on the monitor, the text the user sees) as "Put Your First Name in the below box", but the textbox's NAME attribute could be "phonenumber". Do you parse the page to see what box is related to what, or is it included in your Tactical Orders/Strategic Target orders?
  • very simple, and the address I post to newsgroups rot13'd doesn't receive very much spam at all.
  • I am fooling spam engines using many of the techniques discussed in the /. article posted on this subject earlier this month. 22 6221

    • For those of you who have used managed services to fight spam - has anyone had any issues with the reliability of an anti-spam managed service? I heard that Postini was recently down for 12 hours! Not only did it take down all of their spam filtering services, but it also prevented all email from coming through! They claim 99.999 percent reliability. Last I checked five nines of uptime meant no more than 5 minutes of downtime a year. Has anyone had the same experience with Postini or other anti-spam services?
  • Damn it - all this work to obfuscate my email address ( bob AT hottroutmail DOT com), the hours and hours of research, the black/grey/whitelists, the spamassassin configs - all to no avail as some smart guy posts my email on the "Email Account O Rama" that is /.! ALL WASTED!

    Seriously though, on a side note - I used to do the easy obfuscating, the user(AT)domain(DOT)com, the, etc etc but then I started thinking...

    I know if *I* were to plan an email harvesting bot, I'd definitely add
    • Placing conditionals and alternatives greatly increases search time of the harvester, especially when almost all e-mail addresses are not obfuscated.

      Regular expression wise: Searching for .*@.* is much easier than searching for .*@.* | .* at .* dot .* | .* (at) .* (dot) .* | .*removethis.*@.* etc... and these conditionals are very expensive and not high yielding.

      Why would you want to wait several times longer for your spambot to return the same number of addresses?
  • by GeorgeH ( 5469 ) * on Friday October 24, 2003 @08:36PM (#7305748) Homepage Journal
    There's been some research on what methods work best. The CDT put out a paper in March detailing their experiment and its results. It was also covered on Slashdot.
  • Hi,

    I'm writing an evil spambot email collection tool. Much to my surprise, people are making it hard for me to collect email addresses to sell to the scum-of-the-earth spammers. How do you change your email address to fool spambots like mine? This way I can create a new spambot that can determine what your real email address is so that we can stuff it with spam. Please ignore my shiny new account and the trolling I'm doing cleverly disguised as an EXPERIMENT.

  • by Anonymous Coward on Friday October 24, 2003 @09:12PM (#7305910)
    If you have your own domain you can do this:

    I set up 1000 mx records like, mail0002... etc. Then I set up my mail program with Every time I sent mail to someone I would increment the number by one. Whenever one of those addresses got spammed I would delete the MX record. And I would know which asshole spammed me.

    The nice thing about blocking spam via DNS is that the spammers never connect to your SMTP server, which saves a lot of bandwidth.
    • not such a bad idea... as long as you leave out or fake the admin address in the SOA line :)
    • for sites that require registration I identify them in the address itself. If you control the domain, it's cake to set up/use.
      www.gatorbuddy .

      It INSTANTLY identifies where the email was scarfed from.

      This also works for snail mail also. I usually use the store/company's name as my firstname. For example, I wanted a Black Diamond catalog. The company's initials are bdel. For my name I gave:

      Bdel Coles
  • My email is filtered, so I don't worry about hiding my email address. It's pretty much always at the cost of the convenience of people trying to mail me, and the spammers will find the one place where it is posted (possibly by someone else) in the clear.

    By the time spam gets through SpamCop with the zones I've said, two spam a day is unusually high.

  • There are some people who spell out the email address as "john at domain dot com" as if the spam harvester hasn't heard of regular expression and wild card searches. All they need to do is search for a pattern "* at * dot com" or something similar. Then they can do a lookup on the domain name to be even more confident.
  • by njchick ( 611256 ) on Friday October 24, 2003 @11:02PM (#7306389) Journal
    I use <strong> attribute around "@" on my homepage. me<strong>@</strong> renders to, which is easy to cut and paste, but not trivial for bots to extract.
  • Anybody who reads slashdot, or obfuscates their email address, is not going to buy any spam advertised product. So perhaps, it's better you don't harvest those emails.

    With that said, I prefer my analog generated, random noise filtered, grayscale solution. Yes, nothing beats a black and white scan of a handwritten copy of my email address. How many shades of gray can you parse.
  • the spam bot authors have already patched their bots for anything mildly useful mentioned in this thread.
  • Hey, what says you aren't a spammer who urges to find out our secret tricks?! =D
  • Sneakemail is my method of choice. Generate a custom address (e.g. for every transaction you do, along with one for your web pages. Mail sent to these addresses gets forwarded to your real address, which no one gets (except Sneakemail).

    Dispose of them if you ever get junk mail, and you will know exactly which companies not to trust or which web page got spidered.

    I get no spam and haven't for several years now. I have had to generate a total of 5 or 6 new addresses for my own va

  • Ever since i subscribed to Spam Interceptor (free as in beer), i am able to post a url to my email that shows a web form asking for a challenge/response.

    The web page is here.

    Pretty clever if you ask me.
  • Displays perfectly, user can copy and paste, but slightly harder for spambots.


    There was a Slashdot story about someone's research on this topic a while ago, and they found that entities do decrease the amount of spam significantly.

    Of course, the $#@%$# spammers probably figured that out by now. :(
  • I wrote a simple CGI page that spews forth about 100 very annoyingly random email address, such as: t ...

    The trick is that it waits for 5 seconds in between each email address, giving the viewer the impression that the page is loading slow as balls for some reason. In theory, a spambot will sit there and wait for the page to load, then parse it, and follow any links to more pages. You have a link waiting that sends you to another site with the same CGI on it, t
    • Be careful -- this may bugger up Google and other legitimate search engines that follow it.. and you may find that you'll get banned from them because of it. (This is basically search engine spamming, even if you aren't using it to sell something)

      I think putting the address in a robots.txt file would prevent the legitimate search engines from indexing it, and would let the spambots through, though.

    • Could you please post the CGI script? The more people who use this, the better.

      I agree with another person who replied in that a robots.txt file should protect this script. That way, legitimate and well-behaved spiders (Google, etc.) won't be adversely affected, but badly-behaved spiders (spambots, etc.) that ignore robots.txt will be severely punished. :-)
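The slow-loading page of fake addresses from the post above, combined with the robots.txt exclusion both replies suggest, as an added example that is not the poster's CGI script. It is written as a WSGI app; `TRAP_PATH`, the function names and the use of the reserved `.invalid` domain are assumptions, and the "more" link points back into the same site rather than to a second site.

```python
import random
import string
import time

TRAP_PATH = "/trap/"  # assumption: URL prefix reserved for the tarpit
# Well-behaved crawlers read this and never enter the trap.
ROBOTS_TXT = f"User-agent: *\nDisallow: {TRAP_PATH}\n"


def fake_address(rng: random.Random) -> str:
    """Random mailbox under .invalid (RFC 2606), so no real host receives mail."""
    user = "".join(rng.choices(string.ascii_lowercase, k=rng.randint(5, 10)))
    host = "".join(rng.choices(string.ascii_lowercase, k=rng.randint(4, 8)))
    return f"{user}@{host}.invalid"


def tarpit_page(page_id: int, count=100, delay=5.0, sleep=time.sleep):
    """Yield the page chunk by chunk, pausing `delay` seconds before each address."""
    rng = random.Random(page_id)  # same page id always renders the same page
    yield b"<html><body>\n"
    for _ in range(count):
        sleep(delay)
        addr = fake_address(rng)
        yield f'<a href="mailto:{addr}">{addr}</a><br>\n'.encode()
    nxt = rng.randrange(10**9)    # link deeper into the trap
    yield f'<a href="{TRAP_PATH}{nxt}">more</a>\n</body></html>\n'.encode()


def app(environ, start_response):
    """WSGI entry point: robots.txt, the tarpit, and 404 for everything else."""
    path = environ.get("PATH_INFO", "")
    if path == "/robots.txt":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [ROBOTS_TXT.encode()]
    if path.startswith(TRAP_PATH):
        tail = path[len(TRAP_PATH):][:9]
        page_id = int(tail) if tail.isascii() and tail.isdigit() else 0
        start_response("200 OK", [("Content-Type", "text/html")])
        return tarpit_page(page_id)
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]
```

Each trapped connection also holds one of your own server workers for `count * delay` seconds, so cap concurrent tarpit requests.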
  • very effective!!

  • Any method of munging the address must still be clickable within the visitor's browser. If it is clickable, it can be harvested. Javascript and html encoding may stop most of the bots, but bots exist that can slurp the address no matter how much javascript you wrap it in.

    I use a PHP email form that never sends the address to the client accessing it. Short of hacking the server and looking at the php script in plain text, there is no way to harvest the address. I have no need to let the public know my ad
  • for yet another javascript address mangler/demangler, check out
    AddressScrambler

    Don't listen to people who say these don't work -- if a spammer can spend $x and get a buzillion unmasked addresses, but has to spend a great deal more to get a few hundred masked ones, what do you think he or she will do? And to the people who say -- yeah, but what about when everyone starts doing this? Everyone is not about to start doing this. Relax.
  • It creates email addresses on the fly, and forwards email to my real email address. If I buy something from, I'll create an address like If I start getting spam at that address, I block email to that address, and I also know who the bastard is--and don't go to that website anymore.
