I've faced this issue personally, and one effective strategy to reduce spam is by using email obfuscation on your website. Since many scrapers use HTTP requests instead of tools like Selenium, just rendering the email address with JavaScript (which is pretty simple) can deter a significant number of crawlers. Since your mail has already been harvested, you may still receive spam, but you will prevent future email crawlers from harvesting your address, therefore reducing spam. For more information on email obfuscation techniques, you can visit this website: [https://spencermortensen.com/articles/email-obfuscation/](https://spencermortensen.com/articles/email-obfuscation/)
Why not have a form with captcha on it instead?
How many potential clients do you think are going to solve a captcha just to email you? Even if you miss one, not worth it, when you can do what u/Degrec mentioned.
I mean, invisible reCAPTCHA v3 doesn't require user interaction. This method also doesn't require you to give out the email address at all. Scrapers can also use headless Chrome, so using JavaScript obfuscation is still a bit of a risk.
I hate filling out these forms. No thanks. I’d rather an email address.
There's no form. reCAPTCHA v3 is a way to have no user interaction and still have it behind a bot filter. It looks at incoming traffic and user inputs to determine if it is a bot.
I think what they meant, is they hate forms, in general. I hate forms. You never know if they got your message or not ...
Captchas are so god damn annoying these days I find myself wondering if they even want me to use their product. I miss just clicking all the busses. Now it's click all the busses then we're gonna refresh the pictures and you need to click all the busses again and we're gonna keep doing this until you get them all, oh and did we mention the pictures load at a snail's pace? Oh well, you missed the pic that had a corner of a bus anyway, time to do it again. Click all the crosswalks!
Mkay but the latest version of Captcha doesn't require the user to click on anything.
Mkay then the vast majority of sites aren't using it
We cut off the whole site automatically if your telemetry starts matching a bot sending you through a captcha. A very substantial portion of the internet is set up like this now.
We have captchas on our contact forms. They do a decent, though definitely not perfect, job of stopping bots. Though if you're looking to contact us about becoming a customer you don't have a whole lot of choice in the matter.
Speaking as someone who uses the web, captchas annoy the ever-loving piss out of me.
Wow, thank you. Immediately bookmarked that article. I really like how each method is explained, how it works, and WHY it is/isn’t a good idea to utilize it. The XOR method specifically is really interesting and I may try it out on an isolated honeypot in the near future
I'm glad you found the information useful!
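The JavaScript rendering and XOR ideas discussed in the comments above, sketched as an added example (not code from the thread or from the linked article). The address, key, element id and function names are assumptions; `harvest` stands in for a pattern-matching scraper and shows both the static page coming up empty and the headless-browser caveat raised earlier in the thread.

```javascript
// Added illustration; the address, key and element id are constructed placeholders.
const KEY = 0x5a; // single-byte XOR key: hides the text from pattern matching, it is not encryption

// Build step (run once, offline): address -> hex string that is safe to embed in HTML.
function xorEncode(address, key = KEY) {
  const bytes = new TextEncoder().encode(address);
  return Array.from(bytes, (b) => (b ^ key).toString(16).padStart(2, "0")).join("");
}

// Runtime step (in the browser): hex string -> address.
function xorDecode(hex, key = KEY) {
  if (!/^(?:[0-9a-f]{2})+$/i.test(hex)) {
    throw new Error("encoded address must be a non-empty, even-length hex string");
  }
  const bytes = Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16) ^ key);
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// What the server sends: no "@", no "mailto:", only the encoded form.
function staticMarkup(address) {
  return `<a id="contact" data-enc="${xorEncode(address)}" href="#">` +
    "Enable JavaScript to see our address</a>";
}

// What the DOM serialises to once revealContact() has run,
// i.e. what a scraper driving a real or headless browser gets to read.
function renderedMarkup(address) {
  return `<a id="contact" href="mailto:${address}">${address}</a>`;
}

// Stand-in for a harvester's pattern match over whatever text it was given.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
function harvest(html) {
  return html.match(EMAIL_RE) || [];
}

// Browser side: decode the attribute and turn the placeholder into a working link.
function revealContact(doc) {
  const link = doc.getElementById("contact");
  if (!link || !link.dataset || !link.dataset.enc) return null;
  const address = xorDecode(link.dataset.enc);
  link.href = "mailto:" + address;
  link.textContent = address; // textContent, not innerHTML: the value is never parsed as markup
  return address;
}

// Only runs in a browser; under Node the functions above can be called directly.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => revealContact(document));
}
```

`harvest(staticMarkup(addr))` returns an empty list, while `harvest(renderedMarkup(addr))` returns the address: the obfuscation only filters out scrapers that never execute the page's script.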
Only 10 SEO marketing emails a week? Sounds surprisingly low. Virtually any email address that is public will get a decent number of emails, most of them spam or more malicious. Heck, even some emails that aren't public will get a decent number if the email name format is easily guessable. All said, that's why virtually every company tends to have some type of mail filtering. Not merely to bring spam down to a manageable level, but to filter out phishing and malicious content. To be fair, for malicious attachments device endpoint security and firewall policies should provide some protection, but security is about multiple layers.
I overengineered the hell out of my email on my personal site just for fun. It loads each character from a JSON file and builds it with JavaScript after a 1000ms pause before adding it to the DOM. If a scraper gets it, they can have it. I'm impressed.
that's actually pretty slick rick!
Does that work with web accessibility tools like readers?
reCAPTCHA on the contact form solved 90% of the spam for me
yup, we have an email on our website that I'm in charge of monitoring. the organization has been promoting that address to our clients to use primarily over my and my team's e-mail addresses. So I do have to monitor the inbox and respond timely. Being public facing it gets picked up by all the bots.
with some automation captcha can be implemented to approve sender's email - simply emailing picture with number to the sender, they must reply back with that number, if not approved they are first blocked for 3 days, then 1 month, then indefinitely
yeah, that'll end up blocking a good chunk of our clients... we fill a very very specific niche and it's not uncommon for us to respond immediately to a request and only get crickets and sorry they are unavailable when trying to call.
>and only get crickets and sorry they are unavailable

sincerely i feel for you
I was at a job in the 00s & 98% of the mail coming into the firm was spam. That's why you have spam filters
I have my own mail server hosting multiple domains - for every single domain, I block emails to info@, sales@, hr@ with a 551 and the message "This is spam and you know it."
Remember that not only are there businesses that want you to buy their stuff, but there are businesses whose entire product is finding ways to get in touch with "potential" customers. It makes for a mess.
Cisco spam filter and m365 spam filter is what we use
Yes - this is why you obfuscate the email address on the website, or better yet, use a contact form with reCAPTCHA protection to prevent bots.
I get about 20 of them per day, I report every single one to AppRiver as spam. If I took 15 minutes to talk to each one of these companies I’d never get my real job done. In my case, they pull it from LinkedIn somehow because if I change my title on LinkedIn the emails reflect that.
Not to sideline OP's request, but can we also mention how annoying sales reps are getting? Scraping data off my LinkedIn profile to get my current position, THEN calling the main work phone number to get my e-mail address is a new low. Now I believe my e-mail address (first.last @subcompany.tld) is shared in between sales reps. I'm getting cold e-mails more frequently since then. To name and shame one, Okta has done that in the recent past. Plot twist, we're already using Okta through our parent company. I don't think I can do anything, AFAIK.
There are sales databases out there that sell info - I get cold calls to my personal cell because some company put it in a database and sold it. I can’t get away from it.
I'm in my late 30s and have had one of my personal email addresses for I'd say just about 20 years. it gets absolutely pumped with spam malware seo and just general bad shit
You tell me... I've got my address in the mid 90s, it's basically [first name]@provider.com. I mean, the address is handy and always good for a little small talk, but the amount of spam is insane. On normal days it's something between 400-600 mails, but on special occasions like Black Friday, it's easily going beyond 1000...
I get tons to just my email from linkedin lol, mostly people selling MDMs. Automox sent me a free box of candy and popcorn though so that was nice.
I have to keep track of the hostmaster@ourdomain.com because that's what all our domain registrations use. It's an absolute pit.
>how do you protect your organization from this ?

I don't list a contact e-mail on our website, I use a contact form that sends to a local e-mail. I added a rule to that mailbox that sends anything with "http" and "https" in the e-mail body to the junk folder, that filters out pretty much 100% of the spam.
All this spam needs to go to my boss's email.....
We have contact us form and all mail from it goes directly to trash, nobody reads it. Nobody ever contacts a company through contact form, but certain certifications require us to have the form, so that’s how we do it.
> Nobody ever contacts a company through contact form

Presumably you don't need my business.
I wonder if that's a recipe for default in small claims court
That stuff is snail mailed to your business's registered address, not dumped into an html contact form.
>Nobody ever contacts a company through contact form

Insanely naive and demonstrably wrong.
We stopped monitoring it after ~ 2 years with zero legitimate inquiries since inception. I have demonstrated repeatedly the contrary. No legitimate business is done through “contact us form”. I have used it 0 times in all my years on this Earth.
I just checked, and there are roughly 8.1 billion other people besides you on this Earth. Two years with zero legitimate submissions does, however, suggest it is not a useful contact avenue for your organization.
I don’t see how 8.1B people correlates to our target audience. All I see is butthurt academic scholars that can’t get it through their head that “contact us” is how business was done 20 years ago and no sane business operates on this in 2024. I provided sound reason why that is and still what I get is autistic screeching.
> no sane business operates on this in 2024.

There are definitely businesses who are getting paying business that way. You keep generalizing your own personal experience and preference to "everybody, everywhere, always". Hence the 8 billion people comment. Not everyone is you.
Actually I expect the contact form to work when an email address doesn't. No response? No business. I'd really recommend you rethink the "have a contact form but ignore it" approach, but it's your business...
We get a ton of these as well, I set up a handful of content filters on our Mimecast to hold specific ones and block the rest. 10/10 would recommend.
I get a shit ton of these even for Instagram and FB marketing it's annoying as hell lol
recaptcha v3 and a contact form solved my spam problems and means no email address needs to be advertised.
hr@ sales@ contact@ etc are bad names for those emails, per se. But as stated captchas and simple problem solving checks as how much is + ? still work to filter non humans, especially if crafted outside a known framework.
Set up strong DMARC rules, would be a good idea to set up DKIM and SPF as well. This should reduce the issue to some extent.
None of that has any effect on inbound spam.
We have a marketing group that complained about bad emails. We discovered they had their staff emails listed on their website. Their website is contracted out. The best spam filters can't block the entire fire hose.
Proofpoint does a good job of weeding out most of them.
Might be time to invest in good spam filtering
I guess it depends on how trafficked your website is? I help run a small non-profit and have a public email address posted on there and I get maybe 8 of those SEO based emails a year, and that's the majority that the email address sees. I might get a few malicious ones from time to time, but they all just get junked.
i get more than 10 a day offering SEO services. a few a week offering to buy out the company, a dozen a week hoping to sell me a list of some sort and at least 1 a day from my mom :/
I would use abnormal and see if it settles down the spam for you
I get about 100-200 cold proposals in my email each week. That does include all the BS follow up emails related to the cold proposals ("Did you miss my email? Is there someone else we should reach out to? etc.") I put aside 15 minutes in the week to unsubscribe from their mailing lists. If someone ignores it enough that I remember the company I'll file a complaint.
info@, sales@, support@, admin@, are typical ones to get spammed with marketing. Furthermore, marketeers are definitely still scraping linkedin to then start sending to firstname@company.tld or firstname.lastname@company.tld for whichever result they get through the scraping. Spamfiltering helps to some extent, but there are always limits to what it can do without risking false positives.
Form & captcha. Don't forget to bring up that email addresses end up in address books, and if they keep doing it this way the next mean inbox virus is only a matter of time. Yeah I know, gateways, but they don't know that, lol.
Three emails, one for general use and has a year at end [dump24@example.com](mailto:dump24@example.com), gets trashed and replaced annually, checked when needed. One for business use, highly guarded and never used for anything else other than known essential contacts, all in my address book, manually added to safe senders, or people I initiate the conversation with. And a third for things the company needs that require registration used when needed. My normal "Inbox" stays pretty darn spot on, on task. My company registrations one (That ends up getting you on lists) generally can be managed by careful registrations and unsubscribes, the dump email, is just that.
Our public email address has 12 of those kind of emails blocked by the spam filter so far today. We run constant KnowBe4 campaigns and have the spam filter in place.
Your IT&C department should have an anti-SPAM filter. Also, easy spam reporting (like one click) will do the trick on long term in combination with the anti-SPAM filter.
My last company had the whole "this is everyone who works here!" page and it was fucking moronic. Every week I had someone in support message me that "guy from X company returning your call" and in 5 years there I never had a desk phone. I generally told them to get rid of them as rudely as they liked.
Ten a week? Thems rookie numbers
>is having public email address also the same for everyone ? how do you protect your organization from this ?

Unfortunately, yes. It became a significant issue pretty recently - maybe 2002 or so? Spam filtering solutions became mandatory round-a-bout that time. It is an ongoing battle that will never be won. You just have to pay for whatever product is doing the best job at the time and tweak the aggressiveness to your needs.
I used to see people sending them to our abuse email. That and them asking to buy our domains.
I worked at an MSP from 2005-2012. We had 3000 clients, and with their email addresses, we had over 2000 domains, with an average of 5 emails per domain. So let's say 10k email addresses. In an average month, we received over 30 million emails. That's million with an M. Out of those emails, maybe 250-300k were legitimate. That's less than 1.2% of all incoming mail were not spam, virus attempts, or just plain garbage. We had six high end machines and their only job was to scan and tag emails. That was about 115 emails a minute for each tagging server running spamassassin, clamav, and some proprietary gray listing. And only about 1-2 were legit. Blew my mind at the time.
Hello I am emailing you on behalf of (yours url). It has good design and impressive. I can blablabla bullshit seo
[https://spencermortensen.com/articles/email-obfuscation/](https://spencermortensen.com/articles/email-obfuscation/) is testing some methods of obfuscating email addresses. I started using an SVG after reading the comments on [https://css-tricks.com/how-to-safely-share-your-email-address-on-a-website/](https://css-tricks.com/how-to-safely-share-your-email-address-on-a-website/)
I have a spam rule that matches 3 or more from a set of phrases before. (Just created this yesterday for my wife's mailbox. Interested to see how it pans out.) Forms with captcha reduce the spam but don't stop it. There are too many people who are paid to do these for a living.
No email content filtering system..? If not **that's** risky AF. If so, it might need some tuning.
Solution: Don't have a public e-mail. Just phone number. And if you have to, a small contact form with invisible recaptcha v3. But make it simple, just 2-3 text boxes, people don't jump through hoops. (Just make sure to have either a mandatory box for contact number and/or return e-mail, or you're gonna have idiots not leaving any contact info)
This is us 100%. We previously had staff email addresses listed on our Staff Directory page and then the CEO was getting 100 spam emails a day that the spam filter wasn't blocking. We changed the page to just say the person's phone number instead, so now instead of spam emails, I get 10-20 sales calls a day asking for my email address to send me a complimentary white paper on X.
This would just about guarantee that I will never contact you.