So imagine this: It’s Sunday afternoon, and you have had a long week. Sunday afternoons are the only time you can rest properly. You start drifting into a very comfortable sleep. Then, just as you drift off, there is a knock at your front door. One of your neighbour’s kids is participating in a fund-raiser for a school.
To me, this explains the nature of spam. It is any time someone wastes your time with messages you do not want.
To get to the core of the problem: When you have a website, the ideal is for that website to attract attention. Attention is a good thing. Your website can monetize attention. Unfortunately, you will also draw attention that you do not want.
Below I will break down different ways spammers can get hold of your email address, and how you can deal with each.
1. Website Scraping
One way that spammers get your email address is by scraping the internet for data.
If your email account is listed on your website, perhaps on your contact page, that email account can be read by a program that builds a list of email addresses that can be spammed.
This is not limited to your own website. Your email address could be obtained from social media, forums, or online directories. Any website that stores your email in plain text can be scraped.
In the vast majority of cases, website scraping is done by automated programs or bots. You can prevent your email address from getting into the hands of spammers by preventing bots from reading your email.
The most common techniques for discouraging spam and their reasoning are below.
Please also keep in mind that the whole purpose of building a website presence is to draw attention. Therefore, avoid any solution that you feel will push away legitimate users.
1) Avoid storing your email addresses on your website
One of the methods I see regularly is to have no email address listed on a website. Instead, some businesses only provide a contact form on their website. This gives you full control of who gets your email account.
2) Avoid using your email address on external websites.
You have no control over how other websites protect your data. In many cases there’s no protection on data because website owners want as much attention as they can get. That is the monetisation model of the internet. Attention sells.
A better practice would be to use your own website address online, and have people follow that to get hold of you, instead of placing your direct email address on external websites.
3) Use an image instead of text
Most bots read plain text, so if you add your email as an image, bots often cannot read it. Some bots can read images, but these are negligible.
4) Use JavaScript to add the data to your page.
Many bots do not wait for JavaScript to load. They fetch the page as is, because that uses far fewer resources. If you inject your email into the page with JavaScript after page load, you can avoid some bad attention. With this method it is still important to hide your email address in some way, so that it is not readable in the JavaScript itself.
5) Use a Third Party service that prevents Bots.
Some services, like Google reCAPTCHA, help prevent bad traffic to your website. The major drawback of these services is that they often slow your website down.
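One way to do what item 4 describes, as an added example that is not the author's own code: the address sits in the script only as XOR-ed hex and becomes a clickable mailto link after the page loads. The address hello@example.com, the key 0x5a and the element id contact-email are constructed for illustration; this is obfuscation against simple scrapers, not encryption.

```javascript
// Added example. Address, key and element id are constructed for illustration.
const KEY = 0x5a; // any byte works; this only hides the text from plain-text scrapers

// Run once offline (e.g. in Node) to produce the string pasted into the page.
function encodeEmail(address) {
  return Array.from(new TextEncoder().encode(address))
    .map((b) => (b ^ KEY).toString(16).padStart(2, "0"))
    .reverse()
    .join("");
}

// Reverses encodeEmail; rejects anything that is not an even run of hex digits.
function decodeEmail(hex) {
  if (!/^(?:[0-9a-f]{2})+$/.test(hex)) throw new Error("malformed encoded address");
  const bytes = hex.match(/../g).reverse().map((h) => parseInt(h, 16) ^ KEY);
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// encodeEmail("hello@example.com"): no "@" and no readable domain in the source.
const ENCODED = "373539743f362a373b223f1a3536363f32";

// Builds the clickable link inside <span id="contact-email"></span>.
function injectEmail(doc, elementId, encoded) {
  const slot = doc.getElementById(elementId);
  if (!slot) return false;
  const address = decodeEmail(encoded);
  const link = doc.createElement("a");
  link.href = "mailto:" + address;
  link.textContent = address; // textContent, so the value is never parsed as HTML
  slot.replaceChildren(link);
  return true;
}

// In a browser, inject only after the page has loaded; under Node this is skipped.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () =>
    injectEmail(document, "contact-email", ENCODED));
}
```

A bot that executes JavaScript will still see the address, which matches the caveat that this does not catch everything.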
What is my own preference?
The safeguards you choose to implement depend on your own needs. I prioritise user experience over spam.
The reason I do not store my email in an image is because some users might not want to retype my address. Instead I would add it as a clickable email link. In this instance I choose the inconvenience of some more spam getting through over adding extra steps for my users and leads.
It’s also the reason I do not add Google reCAPTCHA checkboxes to my contact forms. It does well to prevent website spam, but it also adds an extra task for your users to complete before submitting a lead.
I prefer to keep my primary email off of external websites and to hide it from bots using JavaScript. It does not catch everything but is enough for my own needs.
2. Domain Scraping
Similar to website scraping, scammers will build a list of domain names and spam common address prefixes like info@, accounts@ and admin@. One way to avoid some spam is to never use these common prefixes.
3. Email Sign Ups and Subscriptions
Sometimes when you sign up with your email account to a website, that website leaks your email account to other databases.
I once created a new account, something abnormal like webdirectories@cyberdevs.co.za and signed up for a number of web directories. A few days later I started receiving Web Development Spam to that address.
I cannot tell exactly which of the sites I signed up to it was. I do however know that it was a new address and I only used it for those sign-ups. So one of the directories either intentionally leaked the address or had a security breach allowing my address to leak.
The lesson is simple. Be careful where you sign up.
I have a secondary email account that I often use to sign up for services. I have built the habit of not using my primary business address for website signups.
My personal address is all over my website with very little protection and it is reasonably spam free. The alternate emails that I use to sign up for services, which aren’t listed on the open web, often receive more spam.
So from my own experience, it appears that my email leaks through third-party services more than through website scraping.
4. Password Leaks: Phishing
Phishing is the act of trying to bait a user into revealing their personal information online.
Below is a breakdown of some of the common ways people get targeted by phishing:
A) Email phishing:
Attackers send emails that appear to be from a legitimate source, such as a bank or social media site, requesting personal information or prompting the user to click on a link that will lead them to a fake login page.
B) Spear phishing:
A targeted phishing attack where the attacker researches the victim and sends an email that appears to be from someone the victim knows or trusts, such as a colleague, in order to gain access to sensitive information.
C) Smishing:
An attack where attackers send text messages that appear to be from a legitimate source, such as a bank or delivery service, and prompt the user to click on a link or provide personal information.
D) Vishing:
A form of phishing where attackers call the victim and pretend to be from a trusted organization, such as a bank, and request personal or financial information.
E) Fake websites:
Attackers create fake websites that look like legitimate sites, such as banking or social media sites, in order to trick users into entering their personal information.
F) Malware:
Attackers use malicious software to infect a user’s computer or device in order to steal sensitive information or gain access to the user’s network or email account passwords.
G) Baiting:
Attackers use the promise of something desirable, such as a free download or prize, to trick users into downloading malware or providing personal information.
Phishing attacks can be devastating, and prevention is key to avoiding them.
Here are some tips to help prevent phishing attacks:
- Exercise caution: The first rule of preventing phishing attacks is to be cautious. Be wary of any unsolicited emails, texts, or websites that ask for personal information or prompt you to click on links.
- Avoid filling in personal details on untrusted websites: Do not provide your personal information on websites that you do not trust. Only provide your information on reputable and secure websites.
- Use different passwords: Use different passwords for different websites. Do not use the same password for all your online accounts, as a breach on one website can spill over onto another.
- Be careful with downloads and attachments: Avoid downloading and opening files from websites or emails that you do not trust.
- Verify requests: Always ask yourself if there is a legitimate reason for the request. If it is a major request, consider calling or messaging a trusted contact at the company to verify the request.
- Be aware of real-life examples: Real-life examples, such as the law firm EMS Africa case where a client of theirs was tricked into paying R5.5 Million into a fraudulent account, should be taken as cautionary tales that highlight the importance of being vigilant.
- Take responsibility: Internet Service Providers can only do so much to prevent phishing attacks. Every user needs to take responsibility for their own habits.
Remember, preventing phishing attacks requires a combination of vigilance, caution, and good online habits. By following these tips, you can protect yourself and your personal information from phishing attacks.
These are all spam prevention methods. They prevent spam by preventing access.
One of the reasons spam is such a large problem is that it generally does not come from system vulnerabilities. One day someone’s email account is legitimate and clean. The next day it is compromised and used to spam others. If you scale that large enough it becomes a pretty large problem.
What if an email has already entered spam lists and is being attacked?
The first step is always to change your passwords, just in case there was some kind of compromise.
Email service providers make use of email blacklists.
Whenever email accounts are compromised and found to send spam, they normally end up on a blacklist. These blacklists are used to block spam. The drawback is that these blacklists do not pick up all offenders, so they do not block everything, and sometimes they block good traffic, especially on shared hosting environments.
Any time a pattern can be identified, something can be done to block the behaviours.
Some of the patterns can include:
- All emails contain the same wording or phrasing
- All emails come from the same IP address or domain
- All emails come from the same domain extension
If, for example, you do business with .co.za and you receive a lot of spam from .co.nz, you could block the foreign domain extensions.
You have to factor in whether or not legitimate traffic will also be affected by your blocks.
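The pattern check described above, as an added example (not code from the original post): it tallies which sender IP, domain, domain extension or three-word subject phrase recurs across flagged messages, and counts how many known-good messages each candidate block would also hit. All messages are constructed samples, and the extension logic is a simplification that a production filter would replace with the Public Suffix List.

```javascript
// Added example. All messages below are constructed samples.
const SPAM_SAMPLE = [
  { from: "offers@cheap-seo.co.nz", ip: "203.0.113.7", subject: "Boost your website ranking today" },
  { from: "team@rank-fast.co.nz", ip: "203.0.113.7", subject: "We can boost your website ranking" },
  { from: "info@seo-kings.co.nz", ip: "198.51.100.23", subject: "Boost your website ranking now" },
  { from: "promo@bulkmail.com", ip: "203.0.113.7", subject: "Boost your website ranking cheaply" },
];
const LEGIT_SAMPLE = [
  { from: "client@acme.co.za", ip: "192.0.2.10", subject: "Quote for new website" },
  { from: "partner@kiwi-design.co.nz", ip: "192.0.2.44", subject: "Invoice for March" },
  { from: "jane@example.com", ip: "192.0.2.80", subject: "Meeting on Tuesday" },
];

// Second-level labels treated as part of the extension (assumption, not exhaustive).
const COMMON_SLD = new Set(["co", "com", "org", "net", "ac", "gov"]);

// The blockable traits of one message: IP, domain, extension, 3-word phrases.
function features(msg) {
  const domain = msg.from.slice(msg.from.lastIndexOf("@") + 1).toLowerCase();
  const labels = domain.split(".");
  const ext = labels.slice(COMMON_SLD.has(labels[labels.length - 2]) ? -2 : -1).join(".");
  const words = msg.subject.toLowerCase().match(/[a-z0-9]+/g) || [];
  const out = new Set([`ip:${msg.ip}`, `domain:${domain}`, `ext:.${ext}`]);
  for (let i = 0; i + 3 <= words.length; i++) {
    out.add(`phrase:${words.slice(i, i + 3).join(" ")}`);
  }
  return out;
}

// Traits seen in at least minShare of the spam, safest candidate block first.
function findPatterns(spam, legit, minShare = 0.6) {
  const count = (msgs) => {
    const tally = new Map();
    for (const m of msgs) for (const f of features(m)) tally.set(f, (tally.get(f) || 0) + 1);
    return tally;
  };
  const spamTally = count(spam);
  const legitTally = count(legit);
  return [...spamTally]
    .filter(([, n]) => n / spam.length >= minShare)
    .map(([rule, n]) => ({ rule, spamHits: n, legitHits: legitTally.get(rule) || 0 }))
    .sort((a, b) => a.legitHits - b.legitHits || b.spamHits - a.spamHits);
}

console.log(findPatterns(SPAM_SAMPLE, LEGIT_SAMPLE));
```

On this sample the shared phrase and the shared IP block spam without touching good mail, while blocking .co.nz would also catch one legitimate sender.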
In the worst cases, you might not be able to identify a meaningful pattern. If this is a problem, it could be a good idea to create a new email account.
A person can really do a lot between preventing email accounts from landing in the hands of spammers and then having measures in place that help combat spam further.
A lot of what I mentioned should be the responsibility of hosting and email providers. But, a large amount of it is the responsibility of the email user.
If you do feel you have an issue with spam and you are either a client of ours or willing to outsource, feel free to reach out to see how we can help you with your problem.