Address munging


Address munging is the practice of disguising an e-mail address to prevent it from being automatically collected by unsolicited bulk e-mail providers. [1] Address munging is intended to disguise an e-mail address in a way that prevents computer software from seeing the real address, or even any address at all, but still allows a human reader to reconstruct the original and contact the author: for instance, the address "no-one@example.com" becomes "no-one at example dot com".


Any e-mail address posted in public is likely to be automatically collected by computer software used by bulk emailers (a process known as e-mail address scavenging). Addresses posted on webpages, Usenet or chat rooms are particularly vulnerable to this. [2] Private e-mail sent between individuals is highly unlikely to be collected, but e-mail sent to a mailing list that is archived and made available via the web, or passed onto a Usenet news server and made public, may eventually be scanned and collected.

Disadvantages

Disguising addresses makes it more difficult for people to send e-mail to each other. Many see it as an attempt to fix a symptom rather than solving the real problem of e-mail spam, at the expense of causing problems for innocent users. [3] In addition, there are e-mail address harvesters who have found ways to read the munged email addresses.

The use of address munging on Usenet is contrary to the recommendations of RFC 1036 governing the format of Usenet posts, which requires a valid e-mail address be supplied in the From: field of the post. In practice, few people follow this recommendation strictly. [4]

Disguising e-mail addresses in a systematic manner (for example, user[at]domain[dot]com) offers little protection.[ citation needed ]

Any impediment reduces a potential correspondent's willingness to take the extra trouble to email the user. In contrast, well-maintained e-mail filtering on the user's end does not drive away potential correspondents. No spam filter is 100% immune to false positives, however, and the same potential correspondent who would have been deterred by address munging may instead end up wasting time on long letters that will merely disappear into junk mail folders.

For commercial entities, maintaining contact forms on web pages rather than publicizing e-mail addresses may be one way to ensure that incoming messages are relatively spam-free yet do not get lost. In conjunction with CAPTCHA fields, spam on such comment fields can be reduced to effectively zero, except that the inaccessibility of CAPTCHAs brings the same deterrent problems as address munging itself.

Alternatives

As an alternative to address munging, there are several "transparent" techniques that allow people to post a valid e-mail address, but still make it difficult for automated recognition and collection of the address:

An example of munging "user@example.com" via client-side scripting would be:

<script type="text/javascript">var name = 'user'; var at = '@'; var domain = 'example.com'; document.write(name + at + domain);</script>

The use of images and scripts for address obfuscation can cause problems for people using screen readers and for users with disabilities, and ignores users of text browsers such as lynx and w3m. Being transparent, however, means these techniques do not disadvantage non-English speakers, who may be unable to understand the single-language plain text that forms part of non-transparent munged addresses or the instructions that accompany them.

According to a 2003 study by the Center for Democracy and Technology, even the simplest "transparent name mangling" of e-mail addresses can be effective. [13] [14]

Examples

Common methods of disguising addresses include:

| Disguised address | Recovering the original address |
| --- | --- |
| no-one at example (dot) com | Replace " at " with "@", and " (dot) " with "." |
| no-one@elpmaxe.com.invalid | Reverse domain name: elpmaxe to example; remove .invalid |
| moc.elpmaxe@eno-on | Reverse the entire address |
| no-one@exampleREMOVEME.com | Instructions in the address itself; remove REMOVEME |
| no-one@exampleNOSPAM.com.invalid | Remove NOSPAM and .invalid from the address. |
| n o - o n e @ e x a m p l e . c o m | This is still readable, but the spaces between letters stop most automatic spambots. |
| no-one<i>@</i>example<i>.</i>com (as HTML) | This is still readable and can be copied directly from webpages, but stops many email harvesters. |
| по-опе@ехатрlе.сот | Cannot be copied directly from Webpages, must be manually copied. All letters except l are Cyrillic homoglyphs that are identical to Latin equivalents to the human eye but are perceived differently by most computers. (See also IDN homograph attack for more malicious use of this strategy.) |
| no-one[image: At sign.svg]example.com | Replace the image with "@". |

The reserved top-level domain .invalid is appended to ensure that a real e-mail address is not inadvertently generated.
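
The following added example (not from the original page) generates the text-based disguises from the table for a given address and flags any disguised form that is still a well-formed address under a non-reserved top-level domain, which is the situation the .invalid suffix is meant to prevent. The function and scheme names are hypothetical; the reserved-TLD list is taken from RFC 2606.

```javascript
// Added example, not from the original page; all function names are hypothetical.
// TLDs reserved by RFC 2606: no real mail domain can exist under them.
const RESERVED_TLDS = ['invalid', 'test', 'example', 'localhost'];

const reverse = s => [...s].reverse().join('');

// Disguise schemes from the table above, keyed by a made-up label.
const schemes = {
  words: a => a.replace('@', ' at ').replace(/\./g, ' (dot) '),
  reversedDomain: a => {
    const [local, domain] = a.split('@');
    const labels = domain.split('.');
    labels[0] = reverse(labels[0]);
    return `${local}@${labels.join('.')}.invalid`;
  },
  reversedAll: a => reverse(a),
  marker: a => a.replace(/\.([^.]+)$/, 'REMOVEME.$1'),
  markerInvalid: a => a.replace(/\.([^.]+)$/, 'NOSPAM.$1') + '.invalid',
  spaced: a => [...a].join(' '),
};

// True when the disguised form is itself a well-formed address under a
// non-reserved TLD, so mail sent to it unmodified targets someone else's domain.
function stillRoutable(munged) {
  const m = /^[^\s@]+@(?:[^\s@.]+\.)+([A-Za-z0-9-]+)$/.exec(munged);
  return m !== null && !RESERVED_TLDS.includes(m[1].toLowerCase());
}

// Apply every scheme to one address and report which outputs remain routable.
function audit(address) {
  return Object.entries(schemes).map(([name, munge]) => {
    const munged = munge(address);
    return { name, munged, routable: stillRoutable(munged) };
  });
}

// Constructed sample input: the example address used throughout the page.
for (const row of audit('no-one@example.com')) {
  console.log(row.name.padEnd(15), row.munged, row.routable ? '<- still routable' : '');
}
```

For the sample address, only the REMOVEME form without the .invalid suffix is flagged.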


References

  1. "Goodreads". Goodreads. Retrieved 2023-06-17.
  2. Email Address Harvesting: How Spammers Reap What You Sow. Archived April 24, 2006, at the Wayback Machine. Federal Trade Commission. URL accessed on 24 April 2006.
  3. Address Munging Considered Harmful, Matt Curtin
  4. See Usenet.
  5. "What is Email Address Obfuscation?".
  6. Raffo, Daniele (20 January 2015). "Email Munging". Daniele Raffo. Retrieved 12 February 2015.
  7. "E-mail as an image". Archived from the original on 2009-05-04. Retrieved 2009-05-17.
  8. Client-side contact form generator (the generator requires JavaScript enabled, output for displaying emails requires CSS)
  9. PHP jumbler tool Archived September 27, 2007, at the Wayback Machine
  10. JavaScript address script generator (the generator requires cookies enabled, output for displaying emails requires javascript enabled)
  11. Hattum, Ton van (13 March 2012). "Email Address on Your Site, SPAM Protection, Encrypting". Ton van Hattum. Retrieved 22 February 2017.
  12. PHP contact form generator
  13. "Why Am I Getting All This Spam? Unsolicited Commercial E-mail Research Six Month Report" March 2003. accessed 2016-09-12
  14. "Why Am I Getting All This Spam? Unsolicited Commercial E-mail Research Six Month Report" March 2003. Archived December 18, 2006, at the Wayback Machine
