Until a few years ago anyone with an email address had a very personal relationship with penis enlargement, cheap meds, and nude celebrities.
These days email providers are making a real effort to protect the helpless civilians from an ever-increasing barrage of spam, and most are learning not to give their email address to questionable websites.
While said civilians go about their lives receiving “poked” notifications, and sending jokes they insist are “OMG the funniest thing you’ll ever see” we ask that you take a minute of silence to remember us webmaster@s, support@s, and contactus@s. In the name of business we climb from the trenches and publish our contact addresses to the enemy.
Before you decide this is Gallipoli all over again, we have been given a few defenses to use at our discretion.
- Secret Question – We can start our defense by removing the blindfold. We realize spam bots exist, and that sooner or later they will try to take advantage of us. This is a poor man’s attempt at a Turing test where we can ask the user to answer a simple question the answer to which both parties are likely to know. “What animal is man’s best friend?”; “What is one plus two?”.
- Hidden Fields – Most spam bots know that if they don’t fill out all of the fields (name, email address, message) their submission will likely be rejected. Thus they simply fill in all of the fields. This is where we can out-smart them by deploying our decoy. A hidden field. It’s not visible to the user and should never be filled in.
A spam bot, on the other hand, reads the code and not the screen. All it sees is a field, thus it fills it with text.
If your form is submitted and the hidden field isn’t blank, you’ve got a spam message and can safely discard it.
- Sessions – Any good soldier is suspicious of a new face. The comrade to your left has fought by your side before. You trust him. When he submits the form he does so with a hidden one-time code. It can be hidden so he doesn’t even know he had it. You gave him the code in a hidden field when he loaded the form, and kept a copy in his session. Upon submission you compare the code he’s offered with the one in his session. If he’s given you the wrong code, burn the message.

- CAPTCHA – This is our super power. Like all programs, spam bots are bound by logic. A CAPTCHA leverages a human’s interpretive powers to deduce an answer a spam bot’s logic can’t. Again this is a secret code that our server knows, but instead of giving it to the user in plaintext (even hidden, a spam bot can still read it!) we encode it as an image. Sometimes we even warp it or bury it amongst tangles of superfluous lines. This makes the code unreadable to a program. Even one with character-recognition.
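The Hidden Fields and Sessions defenses above, combined into one server-side check. This is an added example, not code from the original post: the field names `website` and `form_token` and the dict-like `session` object are assumptions standing in for whatever your framework provides.

```python
import hmac
import secrets

HONEYPOT_FIELD = "website"  # assumed name of the decoy input, hidden from humans with CSS
TOKEN_FIELD = "form_token"  # assumed name of the hidden input carrying the one-time code


def issue_form_token(session):
    """Call when rendering the form: keep a copy in the session, embed the return value."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def check_submission(form, session):
    """Return (accepted, reason) for a submitted contact form."""
    # Pop rather than read: the code is one-time, so a replayed POST finds nothing.
    expected = session.pop(TOKEN_FIELD, None)
    # Decoy field: a human never sees it, so any content means a bot filled it in.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    if expected is None:
        return False, "no token in session"
    offered = form.get(TOKEN_FIELD, "")
    # Constant-time comparison of the offered code with the session copy.
    if not hmac.compare_digest(offered.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    session = {}
    token = issue_form_token(session)
    human = {"name": "Ann", "email": "ann@example.com", "message": "Hi",
             HONEYPOT_FIELD: "", TOKEN_FIELD: token}
    print(check_submission(human, session))  # first submission
    print(check_submission(human, session))  # same POST replayed
    bot_session = {}
    bot_token = issue_form_token(bot_session)
    bot = {"name": "x", "email": "x@example.com", "message": "buy now",
           HONEYPOT_FIELD: "http://spam.example", TOKEN_FIELD: bot_token}
    print(check_submission(bot, bot_session))  # decoy field was filled in
```
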
A good soldier doesn’t step onto the battle field unprotected. Neither should a web developer.




