Does your email address get spam? Have you noticed an increase of spam since building your website? Is that email spam driving you crazy?
If you answered yes to the above then it’s time to find a way to protect your email address from the hackers who scrape websites for email addresses and then sell them to spammers who fill your inbox with crap.
Email spamming is a huge business because believe it or not, it works. There’s a sucker born a day who will click a strange link and download malicious code to their computer to place yet more spam on the internet. Yet more will actually engage with spammer and even buy something!
They have to be stopped!
Read More: How SSL Certificates Give Your URL the Cone of Silence
Email spam stats
According to statistica.com, email has actually dropped in the past two years from 71% in April of 2014 to 54% in December of 2015.
Securelist.com shows that spam comes from everywhere in the world, but the biggest exporters are the USA (we’re #1!), Vietnam and China, in that order.
Canadians should take small comfort that only 1.2% of spam is aimed at them. Germany at 18.4%, Brazil at 11% and Russia at 7.5% are the top three targets.
Trojan-Spy.HTML.Fraud.gen is the most popular malicious program sent through email spam.
So not only is spam a constant annoyance, it’s quite dangerous. Here’s more about email spam.
How email scraping works
The way your email gets on a spam list is through web site scraping. If your email address is visible, then it is scrappable. Scrapers use sophisticated tools to scrape sites by the thousands per minute. Why these tools are not illegal is beyond me.
Why should I bother to victimsplain’ their evil techniques? Here’s some sales text I pulled from the site of one scrapping tool developer, in their own words:
ScrapeJerks has a powerful multi-threaded email scraper which can harvest email addresses from webpages, it also has proxy support so each request is randomly assigned a proxy from from your list to keep your identity hidden or prevent sites blocking your by IP address due to too many queries.
The ScrapeJerks email harvester also works with https URL’s so it can work with sites like FaceBook and Twitter that require a secure connection. It also has an adjustable user-agent option, so you can set your user-agent to Googlebot to work with sites like SoundCloud.com or you can set it as a regular browser or even mobile device for compatibility with most sites. When exporting you also have the option to save the URL along with the scraped email address so you know where each email came from as well as filter options to extract only specific emails.
Because the Email Grabber function is multi-threaded, you can also select the number of simultaneous connections as well as the timeout so you can configure it for any connection type regardless if you have a powerful server or a home connection.
If you need to harvest URL’s to scrape email addresses from, then ScrapeJerks has a powerful Search Engine Harvester with 30 different search engines such as Google, Bing, Yahoo, AOL, Blekko, Lycos, AltaVista as well as numerous other features to extract URL lists such as the Internal External Link Extractor and the Sitemap Scraper.
Also recently added is an option to scrape emails by crawling a site. What this does is allows you to enter a domain name and select how many levels deep you wish to crawl the site, for example 4 levels. It will then fetch the emails and all internal links on the site homepage, then visit each of those pages finding all the emails and fetching the internal links from those pages and so on.
Personally, I think the developers of this tool should be in jail, but that’s another matter.
Read More: After the Hack: How to Restore Your WordPress Website
Your exposed emails
You can find instances of exposed email addresses by first doing a site search. Search for a specific email addresses, or for the link prefix, “mailto:”
The easiest way to create an email link in WordPress is also the easiest way for hackers to scrape your email address: by placing “mailto:” in the link box.
By clicking this link, a users’ email client pops up and creates a pre-addressed email message, ready to complete:
Here is how a scraping tool sees that email address like that in the web site code:
And then the scraper grabs it, using a tool such as the ScrapeJerks described above. Don’t let that happen!
So, the problem is email scrapers. The question is how to protect your email address from them. The solutions are many and varied. Here are three.
Spell out email addresses
This is the oldest solution in the book, spelling out mari [at] marikane [dot] com.
It’s also one of the lamest. Users then have to type the address into their email message which increases the chance of mistakes, and it reduces usability.
Basic, but unsophisticated.
Read More: 5 Easy Ways to Protect Your WordPress Username
Contact Forms
Contact forms do a great job of hiding email addresses.
There are problems with contact forms, though. One is user’s resistance to filling out the annoying Captcha code that filters spambots. Also, users may not like to use a form unless there is an option of sending a copy of the message to themselves. Or, users want to put your email in their database, though hopefully not to spam you.
If you have a contact page and have a lot of “mailto:” links pointed to the URL’s address, I suggest finding and changing all those links to your Contact page link
This can be done easily using a plugin like Search and Replace.
Search for “mailto:xxx@nullxxxxxx.xxx” and replace with ““
That way, when the old “mailto:” link is clicked, users will be directed to the Contact page, and the email scrapers will be none the wiser.
Obfuscate email plugin
What if you have a site that links to many different email addresses, not just the one connected to the Contact page? Say, your professional association’s web site.
All those members who innocently place their email addresses in a “mailto:” link are at risk of have them scrapped and added to some American’s spam list.
What to do? Obfuscate.
There are plugins that will find those “mailto:” links and obfuscate the addresses with code.
The easiest one I’ve found is appropriately named Obfuscate Email and is ready to work right out of the box. Seriously, all you have to do is activate it, save the default settings, refresh the pages and boom! All email addresses are replaced with jibberish on the back end while retaining the appearance and functionality of an email link on the front end.
To see it in action you must refresh the page, then view the Source in your web browser and find the email in question. You’ll see that it looks like this.
Best of all, this is how the email scrapers see your email address.
Voila! Email scrapping foiled!
Read More: The 27 Best WordPress Security Plugins to Prevent Hacking
Protect Your Email Address now
Don’t drown in email spam and if you are already swamped, plug that dike now!
One way or another, you’ve got to protect your email address from hackers and spammers or they will make your life miserable eventually.
Please let me know if you have any other ideas of stopping the theft of email addresses from websites.
And if you haven’t already, please subscribe to Blogsite Studio and get my free ebook, Subscribe and Get Secure Your WordPress Website. Cheers!
Hi Mari,
Obfuscating looks good.
Fortunately I have had my email service from BT since 1997. They have fantastic spam filters. I hardly get any spam and don’t seem to miss important emails. Occasionally I have had to check the filtered spam but mostly any emails that haven’t got through to me are mailshots I’ve previously agreed to.
Any spam I do get usually looks hand written.
Akismet deals with spam comments on my blog.
Thanks for that, Colin. Yes, Akismet is awesome and everyone should be using it. Cheers!
the best way to protect our real email is to use Temporary Disposable Email from http://www.mailfall.com