Fighting spammers at code level

Business to Business

By Alan K’necht

There is not a company or an individual in this business who doesn’t have to deal with unsolicited e-mail, or spam, at least once a day.

We’ve all read countless articles in a variety of publications that tell us just how much spam is costing us on a daily basis. Companies and individuals now purchase software to help filter out spam from their regular e-mails. Governments around the world have passed laws to reduce spam, yet it continues to grow.

With all this attention and effort, why hasn’t anyone pointed out how to avoid getting on these lists in the first place? An ounce of prevention is worth a pound of cure. So here are three simple rules that we, as Web developers and system managers, can follow to avoid getting our corporate e-mail addresses in a spammer’s database.

Don’t publish e-mail addresses on Web sites. Electronically published pages that contain your corporate e-mail addresses are vulnerable to being picked up by special utilities (worms), which spammers use to search Web sites for e-mail addresses. To hide your addresses, use a Web-based form instead of the HTML mailto function to gather e-mailed user inquiries from a Web site. Many companies want to promote their e-mail addresses on their sites. In this case, you can use various tools to mask the e-mail address.

These worms can only read the HTML code, so masking the e-mail address in the code won’t affect what the user sees, but it will thwart the spammers’ worms. Each masking tool offers a certain level of protection. The minimum level is changing the HTML code so that it does not show the “@” symbol of the e-mail address: simply replace it with the hexadecimal value of “@”. Many of the e-mail worms simply look for this character and then capture the e-mail address.

Want to be a little more secure? Try converting the entire e-mail address to hexadecimal. This procedure blocks the more up-to-date worms, which now look for an “@” symbol, or its hexadecimal equivalent, in close proximity to a “.com”.

At the higher end of protection is encrypting the entire e-mail address. This is accomplished by using JavaScript to first encrypt the e-mail address and then decrypt it when prompted by the user’s click. The nice thing about the JavaScript solution is that spammer worms only crawl code – they lack the ability to click on anything, so your e-mail address is completely 100 per cent protected.
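The three masking levels described above, as an added example that is not from the original article: it builds each form of markup and audits what is still readable in the page source, both raw and after hexadecimal character references are decoded the way a browser decodes them. The sample address, the XOR key, the `data-m` attribute and all function names are assumptions made for illustration, and the XOR scrambling is a simple stand-in for the article's "encryption" step.

```javascript
const ADDRESS = "info@example.com"; // constructed sample address
const KEY = 0x2a;                   // hypothetical XOR key for the scripted level

// Levels 1 and 2: write characters as hexadecimal character references.
// `only` limits encoding to the listed characters (e.g. just "@").
function toHexEntities(text, only = null) {
  return Array.from(text, (ch) =>
    only === null || only.includes(ch) ? `&#x${ch.charCodeAt(0).toString(16)};` : ch
  ).join("");
}

// Level 3 stand-in: XOR-and-hex scrambling, reversed only when script runs.
// This is simple obfuscation chosen for the example, not real encryption.
function scramble(text, key = KEY) {
  return Array.from(text, (ch) =>
    (ch.charCodeAt(0) ^ key).toString(16).padStart(2, "0")
  ).join("");
}
function unscramble(hex, key = KEY) {
  return hex.match(/../g).map((h) => String.fromCharCode(parseInt(h, 16) ^ key)).join("");
}

// What a browser does with numeric character references before display.
function decodeEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Audit one snippet: is an address readable in the raw source, and is it
// readable once character references are decoded?
function audit(markup) {
  return { raw: EMAIL_RE.test(markup), decoded: EMAIL_RE.test(decodeEntities(markup)) };
}

const samples = {
  plain: `<a href="mailto:${ADDRESS}">${ADDRESS}</a>`,
  atOnly: `<a href="mailto:${toHexEntities(ADDRESS, "@")}">mail us</a>`,
  fullHex: `<a href="mailto:${toHexEntities(ADDRESS)}">mail us</a>`,
  scripted: `<a href="#" data-m="${scramble(ADDRESS)}">mail us</a>`,
};
for (const [name, markup] of Object.entries(samples)) {
  console.log(name, audit(markup));
}
```

Both hexadecimal forms hide the address from a raw source scan but not from a reader that decodes character references; only the scripted form keeps the address out of the markup in both cases.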

Guard your e-mail servers. Set up the appropriate security to prevent your e-mail servers from being hacked. Make sure all server patches are current and check reference sites regularly for known cracks in your servers. All it takes is one clever hacker to break into your e-mail server and steal the entire company’s list of e-mail addresses. In addition to protecting your addresses, this has the added benefit of preventing your server from being hijacked by a spammer for the purpose of sending out mail.

Educate your users about giving away their e-mail address on dubious Web sites. While this may be the hardest rule to implement, reminding your users on a regular basis to check privacy policies of Web sites before registering for all those freebies by giving away their e-mail address is always a good idea.

While following all these rules won’t guarantee that your company will never again receive spam, it will help reduce the chance of corporate e-mail addresses ending up in a spammer’s database, and then being openly traded and sold on the Internet. Take it from someone who used to receive up to 300 unsolicited e-mails a day: it is much easier and faster to implement these rules than it is to stop spam.

K’necht is a speaker and president of K’nechtology Inc., a technology and business strategy and Web development company. He can be reached at