- Why am I receiving spam/unsolicited email?
- How did they obtain my email address?
- What is a spam bot, or email harvester?
- What should I be doing (or not doing) when I receive
unsolicited mail?
- How can I prevent email addresses from being "harvested"
from my web pages?
- How can I prevent email addresses from being "harvested"
from my contact forms?
- I am using a robots.txt file to deny access to known
malicious bots/spiders. How are they still able to crawl my site?
- I heard that I can edit my .htaccess file to stop
malicious bots/spiders from accessing my site. Does this work?
- Does FastVirtual provide anything to assist in dealing
with spam?
- Can I require that senders confirm themselves as
legitimate senders, before their messages are delivered to my mailbox?
- Does FastVirtual support email filtering via
blacklists, such as SpamCop?
- I am using Microsoft FrontPage forms on my site. How
can I hide my email address from email harvesters?
Why am I receiving spam/unsolicited email?
If this appears to always come from the same source, your email address
has probably been added to a mailing list. Reputable mailing lists are known
as "opt-in" lists, whereby you must request to be added to the list.
Opt-in mailing lists are also required to provide a way for recipients to
unsubscribe.
However, many spam messages are designed to appear as having
been sent from opt-in lists, so they also include removal
links. Unfortunately, such links either lead nowhere or, more commonly, increase the value
of your email address (and therefore your spam problem) by confirming
the email address actually reaches somebody. You should therefore always ensure the
message came from a reputable source that you remember subscribing to
before following any links embedded in the message.
If you are receiving random, unrelated messages from varying sources, you
do indeed have a spam problem. Frequent examples of such messages are stock
offers, body part enhancement products, adult web sites and pharmaceutical
products. You should accept that your email address has been compromised and
is probably included with thousands, or even millions of others on
disreputable mailing lists and marketing CDs. The amount of spam you receive
is likely to increase over time, so you should consider changing your email
address. To ensure your new email address is not vulnerable, you should also
follow the prevention methods outlined elsewhere in the FAQ.
How did they obtain my email address?
If your email address is included as a clickable link (or even plain
text) on your web site, then this was likely collected by a spam bot, or
email harvester (see the next FAQ for details).
If you use Microsoft FrontPage forms on your web site and have configured
these to send results by email, the email address is included in the HTML of
the page, so it was probably also collected by a spam bot, or email harvester.
This also applies to other form types that store the recipient email address
in hidden fields within the form.
There are steps you can take to hide your email address from
malicious spiders, while still making your email and online forms
available to your visitors. Please see other FAQs on this page for details.
This same issue applies to other web sites, so if you have ever posted a
message in a guestbook or discussion forum that is not secure, and your post
included your email address, this is also vulnerable to email harvesters.
If you purchased your own domain name, your email address may be listed
in public WHOIS databases. These databases are frequently targeted as a
source for email addresses. As part of our value-added services, FastVirtual
provides the option to exclude your email address from public WHOIS data.
Other registrars charge a fee for this service.
If you are not running antivirus software, or do not regularly update
your virus definitions, then your email client (software program) is
vulnerable to malicious worms. Such worms can install themselves without
your knowledge, via a web site or email message. Once installed, they will
extract all email addresses from your address book and forward them to an
online collection point. If you have not installed an antivirus program, or
do not update your virus definitions, this not only puts your email address
at risk, but also the email address of every person listed in your address
book.
What is a spam bot, or email harvester?
Spam bots, or email harvesters are software programs and scripts that
quickly and efficiently search through entire web sites, extracting all email
addresses that they find. Many such programs have been specifically written
for this malicious purpose, so they do not obey rules or comply with
standards. This makes it very difficult to identify them and to stop them
from accessing your web site.
What should I be doing (or not doing) when I receive unsolicited mail?
You should never click any "remove me" or "unsubscribe" links in
the message, unless this came from a legitimate opt-in mailing list that you
remember subscribing to. Many spam messages include bogus removal links,
which will only increase your problem by confirming the address reaches a
real person.
You should never reply to the message, expressing your annoyance
at receiving junk mail. Spammers scour the Internet looking for unsecured
email relays and mail servers they can exploit to send their messages. They
are not interested in receiving replies, which is why spam messages always
contain links to web sites. The address the message appears to be from is
always either bogus, or belongs to a third-party, so your reply
will never reach the actual sender.
If you receive the occasional spam message, you should accept that your
email address may have been compromised, and take measures to locate and
resolve the vulnerability as soon as possible (see this FAQ).
If you receive many spam messages, your email address is probably widely
distributed among spammers. Your problem will only increase over time, so you should
consider changing your email address. You should also ensure you locate and
resolve the vulnerability before you publish your new email address to your
web site.
How can I prevent email addresses from being "harvested" from my web pages?
Change the appearance of your email addresses so that they remain
accessible to your site visitors, but cannot be seen by spam bots or email
harvesters.
One method is to display email addresses as graphic images. Although
effective in combating malicious spiders, this also removes
functionality from your site, as visitors would no longer be able to click
on your email address to send you a message -- adding a "mailto:" link to
the image would write your email address into the code, which would be just
as vulnerable as a normal text link.
Another method is to break up the email address into parts using
JavaScript. The parts are defined as variables, then reassembled on the page
to provide the visitor with a proper, clickable text link. Spam bots and
email harvesters will see the code in the function that handles this, but
they will not find a complete email address. However, if your visitor has
disabled JavaScript, he won't see your email address either. Also, it
wouldn't be that difficult for future spam bots and email harvesters to
identify this method and rebuild the address themselves.
Our preferred method is to write the email address and mailto link in
Unicode. This is understood by all browsers and appears to visitors as a
normal, clickable email link, but currently appears as gibberish to spam
bots and email spiders.
For example, if your email address was "a@b.com", the HTML for a
conventional email link would be as follows:
<a href="mailto:a@b.com">a@b.com</a>
The HTML tags need
to remain in place, but everything else can be converted to Unicode. We
suggest also converting the mailto: text, as this identifies the email link
and could potentially be targeted by malicious spiders in the future. Using
the above example, mailto:a@b.com would be entered as follows (split over
two lines to fit this page):
mailto:
a@b.com
and a@b.com would be entered as:
a@b.com
The completed link looks like this:
a@b.com
and functions as a regular text link (please view the HTML for this page to see the entire string, as
this is too wide to fit on this page)
Tools and scripts that convert ASCII text to Unicode are freely available
on the Internet -- simply search for "ascii to unicode converter" using your
preferred search engine.
How can I prevent email addresses from being "harvested" from my contact forms?
If you use Microsoft FrontPage forms on your web site and have configured
these to send results by email, the email address is included with other
form data in a comment tag in the form HTML of
the page. Other form types store the recipient email address in a hidden
field within the form, which is also included in the HTML of the page. In
both instances, the recipient email address can be easily found by malicious
email harvesters.
As with the previous FAQ, you can convert the email address to Unicode,
which is understood by form handlers, but currently appears as gibberish to
spam bots and email spiders.
To do this, simply build your form as normal, then replace your email
address with the Unicode equivalent. For
example, if your email address was "a@b.com", a form that uses a hidden
field to specify the recipient email address might include this as follows:
<input type="hidden" name="email" value="a@b.com">
Microsoft FrontPage forms include the recipient email address together
with other form values in an HTML comment after the <FORM> tag as follows:
s-email-address="a@b.com"
In both instances, simply replace the email address with the Unicode
equivalent. Using the above example, a@b.com would then be entered as:
a@b.com
All other text should remain the same.
Note: FrontPage users should not open the form page
in the FrontPage editor to make this change, as this will automatically be
converted back to ASCII text when you save the form, thereby negating the
change. Instead, open the form page in a text editor and make the change. If
you ever edit your form page in FrontPage editor, remember to follow this
process again.
Tools and scripts that convert ASCII text to Unicode are freely available
on the Internet -- simply search for "ascii to unicode converter" using your
preferred search engine.
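The encoding described in this FAQ and in the earlier one about web pages, as an added example that is not part of the original page: a Python sketch that writes each character as a decimal numeric character reference (the decimal form is an assumption; the page only says "Unicode"), builds the link and hidden field for the page's a@b.com, and checks the resulting markup. The function names and the plain-address pattern are hypothetical.

```python
import html
import re

# Pattern for a plain address in raw markup (constructed for this check;
# not taken from any real tool).
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def to_char_refs(text: str) -> str:
    """Encode every character as a decimal numeric character reference."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def encoded_mailto_link(address: str) -> str:
    """The <a> tags stay literal; the mailto: target and link text are encoded."""
    href = to_char_refs("mailto:" + address)
    return f'<a href="{href}">{to_char_refs(address)}</a>'


def encoded_hidden_field(name: str, address: str) -> str:
    """Hidden form field whose value carries the encoded recipient address."""
    safe_name = html.escape(name, quote=True)
    return f'<input type="hidden" name="{safe_name}" value="{to_char_refs(address)}">'


def check_markup(markup: str, address: str) -> dict:
    """Report whether the raw source shows the address and whether it decodes."""
    return {
        # True means the address is readable in the page source as-is.
        "plaintext_in_source": address in markup
        or bool(PLAIN_ADDRESS.search(markup)),
        # True means an HTML parser (e.g. the visitor's browser) recovers it.
        "decodes_to_address": address in html.unescape(markup),
    }


if __name__ == "__main__":
    link = encoded_mailto_link("a@b.com")
    print(link)
    print(encoded_hidden_field("email", "a@b.com"))
    print(check_markup(link, "a@b.com"))
```

`decodes_to_address` being true is what keeps the link clickable for visitors; it also means the encoding only hides the address from tools that read the raw source without decoding character references.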
I am using a robots.txt file to deny access to known malicious bots/spiders. How are they still able to crawl my site?
The robots.txt file informs 'polite' spiders (search engines and
directories) about what they should and should not index on your web site.
Malicious spiders are not interested in being polite, so do not obey
instructions specified in this file.
I heard that I can edit my .htaccess file to stop malicious bots/spiders from accessing my site. Does this work?
Many advanced webmasters write complex rules into their .htaccess file in
an attempt to stop malicious spiders from accessing their web site. For
example, one such rule might be to deny access to a client if its name was "EmailHarvester".
Once this rule is in place, then any client that identifies itself as
EmailHarvester would then be denied access to the domain.
However, authors of malicious software are fully aware of the methods
being used to exclude them. They are not concerned about writing
standards-compliant software, so specifically design their software to avoid such
rules. In the above example, it would be easy for the author of
'EmailHarvester' to bypass this access rule, simply by providing a bogus name
(or no name at all) for his spider. He could also provide the ability for
users to specify a name themselves, which would make this impossible to
detect based on the above rule.
An example of such behavior can probably be found on your own domain. If
you examine your access logs, you may see entries for accessing client and
accessing browser marked as "Unknown" (or specifying gibberish). These are
examples of possible malicious intent, where the software used to access
your site is not conforming to standards, or is deliberately hiding
information.
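A way to run that access-log check, as an added example that is not part of the original page: a Python sketch that parses Apache "combined" format lines and separates clients caught by a name-based rule from those that sent no usable client name. The log lines are constructed samples using documentation IP ranges, and the function names are hypothetical.

```python
import re
from collections import Counter

# Apache "combined" format: the last two quoted fields are Referer and User-Agent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Names a deny rule would list, using the page's "EmailHarvester" example.
DENIED_AGENTS = ("emailharvester",)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2005:13:55:36 +0000] "GET /contact.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20050915 Firefox/1.0.7"
198.51.100.7 - - [10/Oct/2005:13:55:40 +0000] "GET /contact.html HTTP/1.0" 403 210 "-" "EmailHarvester"
203.0.113.5 - - [10/Oct/2005:13:55:41 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "-"
203.0.113.5 - - [10/Oct/2005:13:55:42 +0000] "GET /contact.html HTTP/1.0" 200 2326 "-" ""
203.0.113.9 - - [10/Oct/2005:13:56:02 +0000] "GET /guestbook.html HTTP/1.0" 200 811 "-" "Unknown"
"""


def classify(agent: str) -> str:
    """Bucket a User-Agent value: missing, on the deny list, or named."""
    value = agent.strip().lower()
    if value in ("", "-", "unknown"):
        return "no-agent"
    if any(name in value for name in DENIED_AGENTS):
        return "denied-name"
    return "named"


def triage(log_text: str) -> dict:
    """Count requests per (client IP, agent class); unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m:
            counts[(m["ip"], classify(m["agent"]))] += 1
    return dict(counts)


def served_without_agent(log_text: str) -> dict:
    """Per-IP count of 2xx responses to clients a name-based rule cannot match."""
    counts = Counter()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m and m["status"].startswith("2") and classify(m["agent"]) == "no-agent":
            counts[m["ip"]] += 1
    return dict(counts)
```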
Does FastVirtual provide anything to assist in dealing with spam?
Yes. FastVirtual provides comprehensive email filtering options,
available from the email management section of your account control panel.
Options include blacklist filtering, smart spam detection, user defined
filters, pattern matching and confirmation requirements. Filtered messages
can either be delivered labeled as spam, returned to the sender or deleted.
Can I require that senders confirm themselves as legitimate senders, before their messages are delivered to my mailbox?
Yes. By configuring your email filtering settings to reject all mail,
then enabling FastVirtual's 'Confirminator', all senders will be required to
confirm themselves before their message is delivered to your mailbox. This
simply involves clicking a link in their notification message. They are only
required to do this once and all their subsequent messages are delivered
normally.
FastVirtual's Confirminator will stop 100% of automated spam messages
from reaching your mailbox, and is easily enabled from the email management
section of your account control panel.
Does FastVirtual support email filtering via blacklists, such as SpamCop?
Yes. FastVirtual supports email filtering using the following blacklists:
- SBL
- ORDB
- DSBL
- NJABL
- SpamCop
Blacklist filtering options are easily configured from the email
management section in your account control panel.
I am using Microsoft FrontPage forms on my site. How can I hide my email address from email harvesters?
Please see this FAQ.