web bot email collection, domain default email


abyrne

This is actually 2 issues (I didn't want to toss out 2 new posts- but if I've erred, just mention it and it won't happen again)

1. Currently my nonprofit's website has email addresses listed on it so users can email us by clicking on the link. I'm concerned this could be generating spam by webbots coming through the site and collecting those email addresses; however, I like that users are able to email directly from our site. If I use graphics so the bots won't pick up the email in the text, then I won't be able to have a mailto link for the same reason (the email address would be in the HTML). If I do something to prevent bots coming through the site, then search engines won't be able to find us.

So, can anyone suggest a way to offer users a method of emailing from our site and still protect our email from bot collection? Or should I not be concerned about spam coming from bot-collection anyway?

2. We use Yahoo Small Business email for our email. Yahoo allows a default address to be set up to send wayward emails coming to our domain. This has been useful since sometimes people misspell addresses and I can still delegate to the appropriate person, but it also means any email to our domain is accepted and spam has become a problem.

I have read the article on not issuing delayed bouncebacks, but if I change the settings on our server so that wayward emails are not accepted, will that "shoot me in the foot" by revealing which emails are valid? (some of the same spam is sent to both valid addresses and invalid addresses)

Thanks, Amanda


1. Currently my nonprofit's website has email addresses listed on it so users can email us by clicking on the link. I'm concerned this could be generating spam by webbots coming through the site and collecting those email addresses; however, I like that users are able to email directly from our site. If I use graphics so the bots won't pick up the email in the text, then I won't be able to have a mailto link for the same reason (the email address would be in the HTML). If I do something to prevent bots coming through the site, then search engines won't be able to find us.

So, can anyone suggest a way to offer users a method of emailing from our site and still protect our email from bot collection? Or should I not be concerned about spam coming from bot-collection anyway?

I've done a little testing using throw-away addresses on our own site, and have found that it takes about 3 days from the time the address is placed on the site before they start to receive spam, so yes, if you put email addresses on the site, they WILL get spam.

Also, it seems after a bit of experimentation, that most of the bots are more interested in the actual mailto: link, than in text that simply looks like an email.

The best solution to this issue is to create a form that someone can fill out that when submitted sends the information they entered as an email to a preselected person. Be careful with this script to make sure that the destinations are hard coded, or the spammers may inject their own destination addresses and actually use your form to send spam!

I have also noticed that the SCBL catches nearly 100% of the spam destined for the addresses that I used to test web harvesting. So if you run your own mail server, simply implementing the SCBL in your filters may negate this problem.

2. We use Yahoo Small Business email for our email. Yahoo allows a default address to be set up to send wayward emails coming to our domain. This has been useful since sometimes people misspell addresses and I can still delegate to the appropriate person, but it also means any email to our domain is accepted and spam has become a problem.

I have read the article on not issuing delayed bouncebacks, but if I change the settings on our server so that wayward emails are not accepted, will that "shoot me in the foot" by revealing which emails are valid? (some of the same spam is sent to both valid addresses and invalid addresses)

Ok, so much for the "running your own mailserver" suggestion made above.

First of all, I would say be VERY careful using Yahoo's mail servers to send mail, they are listed by Spamhaus as the 4th worst spammer IN THE WORLD, so you may find that a lot of your outgoing mail gets blocked by receiving servers that don't want stuff from Yahoo.

Now, on to addressing your actual questions posed here. I would not recommend having a catch-all address, as it will quickly become useless due to the amount of spam it receives. Our 30-user organization receives about 2500 messages to non-existent email addresses every day. These are rejected during the SMTP session to prevent misdirected bounces.

In some cases, yes, this can be shooting yourself in the foot as it does allow for directory harvesting. You should check with Yahoo to see what kind of means they have of preventing this. One good method is the use of tarpitting, which is what I use here.

Basically, when a message comes in to an address that doesn't exist, my server stalls and holds the connection open for 2 minutes before issuing the SMTP 500 error message. In order to do a directory harvest attack, a spammer needs to make millions of attempts to get even a handful of good addresses. By using tarpitting like this, their software will either time-out and give up on harvesting because it thinks your server is too slow, or if it is stubborn, it may keep trying, taking literally months to complete a single harvest attack. We refer to this as "taking one for the team".

However, in my case, I have a decent mail server, and have it configured to accept enough incoming SMTP connections that I have never had this actually cause a problem. Though I have seen instances where I have as many as 300 SMTP connections "held open".

Since you are using Yahoo to provide your mail service, your best bet is first to check with them and see what is in place to prevent spam and directory harvesting. If they can't tell you, find a mail provider with a clue. If they can tell you, post their response here, and we'll go from there.

[edit]Sorry, didn't mean to write a book[/edit]
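The contact-form advice in the post above (hard-coded destinations, no injected addresses), as an added example that is not part of the original thread. The addresses, field names and the `build_contact_mail` helper are assumptions made for illustration.

```python
from email.message import EmailMessage

# Hard-coded destinations: the form submits only a key, never an address.
# All addresses here are constructed placeholders.
RECIPIENTS = {
    "general": "info@example.org",
    "volunteer": "volunteers@example.org",
}
FORM_SENDER = "webform@example.org"  # fixed From address (assumed)


class RejectedSubmission(ValueError):
    """Raised when a submission must not be turned into mail."""


def _one_line(value, field, limit=200):
    # A CR or LF in a header value is how extra To:/Bcc: headers get injected.
    if "\r" in value or "\n" in value:
        raise RejectedSubmission(f"line break in {field}")
    if len(value) > limit:
        raise RejectedSubmission(f"{field} too long")
    return value.strip()


def build_contact_mail(form):
    """Turn a submitted form (dict of strings) into an EmailMessage."""
    dept = form.get("department", "")
    if dept not in RECIPIENTS:
        raise RejectedSubmission("unknown department")
    name = _one_line(form.get("name", ""), "name")
    reply_to = _one_line(form.get("email", ""), "email")
    subject = _one_line(form.get("subject", ""), "subject")
    # Exactly one address: no lists, no display-name tricks.
    if reply_to.count("@") != 1 or any(c in reply_to for c in " ,;<>"):
        raise RejectedSubmission("invalid reply address")

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = RECIPIENTS[dept]  # never taken from the request
    msg["Reply-To"] = reply_to
    msg["Subject"] = f"[Website] {subject}"
    # The visitor's text goes in the body only, where line breaks are harmless.
    msg.set_content(f"From: {name} <{reply_to}>\n\n{form.get('message', '')}")
    return msg
```

The returned message can be handed to whatever mail submission the site already uses; the page shows no address, only a department choice.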

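The tarpitting behaviour described in the post above, as an added sketch that is not part of the original thread and not the poster's server configuration. The mailbox names, port 2525 and the use of a 550 reply as the permanent rejection are assumptions.

```python
import asyncio

VALID = {"info@example.org", "amanda@example.org"}  # constructed mailboxes
TARPIT_SECONDS = 120                                # the 2 minutes from the post


async def rcpt_reply(address, delay=TARPIT_SECONDS, sleep=asyncio.sleep):
    """Answer one RCPT TO; unknown recipients wait `delay` seconds first."""
    if address.strip().strip("<>").lower() in VALID:
        return b"250 2.1.5 OK\r\n"
    await sleep(delay)  # stalls only this connection; other sessions proceed
    return b"550 5.1.1 No such user here\r\n"


async def session(reader, writer, delay=TARPIT_SECONDS):
    """Minimal SMTP dialogue: rejection happens inside the session, no bounce."""
    writer.write(b"220 mail.example.org ESMTP\r\n")
    while line := await reader.readline():
        text = line.decode("ascii", "replace").strip()
        verb = text.upper()
        if verb.startswith("RCPT TO:"):
            reply = await rcpt_reply(text[8:], delay)
        elif verb.startswith("DATA"):
            reply = b"554 5.5.1 No valid recipients\r\n"  # demo accepts no mail
        elif verb.startswith("QUIT"):
            reply = b"221 2.0.0 Bye\r\n"
        else:
            reply = b"250 OK\r\n"
        writer.write(reply)
        await writer.drain()
        if verb.startswith("QUIT"):
            break
    writer.close()


def harvest_days(attempts, connections, delay=TARPIT_SECONDS):
    """Days a harvester spends if every guess misses and waits out the delay."""
    return attempts * delay / connections / 86400


async def main():
    server = await asyncio.start_server(session, "127.0.0.1", 2525)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Each stalled guess costs the server one idle connection, which is why the post mentions sizing the server for hundreds of held-open sessions.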

I would not recommend having a catch-all address, as it will quickly become useless due to the amount of spam it receives. Our 30-user organization receives about 2500 messages to non-existent email addresses every day. These are rejected during the SMTP session to prevent misdirected bounces.

I would concur with Will's comment here.

My brother's accountancy business had a catch all address and when I finally got him to abandon it he was receiving between 10,000 and 18,000 spam Emails per day. He has a staff of five or six. Once we set up individual accounts the spam load is down into the 10s per user per day.

A big saving in bandwidth consumption if nothing else :-)

Andrew


Thanks Andrew and Will for the suggestions- I've already removed the default address and plan to make the suggested changes to the website.

Hurrah, there is actually something you can do to cut down on the crap!

- Amanda


Archived

This topic is now archived and is closed to further replies.
