Apr 10, 2009

Finally! Inline (Embedded) Images for Gmail!

It’s here folks… turn it on in Labs and go nuts!

Feb 24, 2009

If You Post it, they will SPAM it

Spam for Weblogs

Most people don't care for spam in any form.

I hope that my Internet savvy readers will know that you should never, ever, post a personal email address online in public view. In personal emails, in password-protected forums, sure, post away, but otherwise, posting an email address in plain-text is a one-way ticket to SPAM-ville.

So, if you already know this stuff, why am I writing about it? Because, obviously, not everyone does. Over the past year, I’ve been responsible for the design and upkeep of a local church web site. Of course, one of the best (nerdy) perks is being able to analyze all the unique stats that roll in. One very helpful metric, the “search engine terms” metric, as it’s commonly referred to, shows you what terms or phrases a visitor bounced off a search engine in order to find your site. An interesting trend began to appear after a while; one that I hadn’t seen before. It seems that someone, or something, had come to the site after searching for something such as “church in california @hotmail.com.” At first, I only saw a couple of these, but after a while, these hits began occurring weekly with different phrases, “pastors in california @hotmail.com,” “email contacts of pearsons @hotmail.com,” “prayer 2009 @gmail.co.th,” and so on. After digging into the stats more, I was able to pull the IP address of the machines that had landed on the site after those searches. The IP address? 74.125.77.132. I’ll wait a second for the nerds to run a trace.

Weird, huh? That address points squarely at Google. Not all the searches had that address attached to them. For example, one search traced back to Togo Telecom, an ISP in France.

No doubt some of you already know what this is all about, but just in case, I’ll dispense with the details of my theory. The hits are coming from bots which are programmed to harvest email addresses for specific campaigns. Yes, even church pastors and staff get spammed from “religious” organizations with special “services” to sell. The method of querying a couple of keywords, then a popular email provider, is actually pretty smart in a let-someone-else-do-the-heavy-lifting kind of way. The hits from Google are most likely a result of the bot choosing to visit the cached link — a snapshot of the web page as it was indexed — provided by Google for each search result, so the coveted email address it seeks will still be available on the page, just waiting to be added to a list of email addresses for sale. A search engine basically hands a bot a list of pages with email addresses on them, making it even faster to crawl pages than to randomly bounce from site to site hoping to find them.

For example, if I wanted to spam people who are involved with Relay for Life I would search for “relay for life @yahoo.com,” or if I had a fraudulent operation running on fake Scantron forms, I could search “school teacher @hotmail.com.”
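One way to spot this pattern in your own server logs, as an added example that is not from the original post: the script reads Combined Log Format lines, pulls the search phrase out of the referrer, and flags phrases containing a bare `@provider.tld` token. The log lines are constructed, and the query-string keys, function names and the documentation-range IP addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "request" status bytes "referrer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')
# A search token that is only "@provider.tld", with no mailbox name before it.
BARE_DOMAIN_RE = re.compile(r'(?<!\S)@[a-z0-9-]+(?:\.[a-z0-9-]+)+(?!\S)', re.I)
# Query-string keys that carry the search phrase (assumption; extend as needed).
QUERY_KEYS = ("q", "p", "query")

def search_terms(referrer):
    """Return the decoded search phrase from a referrer URL, or None."""
    params = parse_qs(urlsplit(referrer).query)
    for key in QUERY_KEYS:
        if params.get(key):
            return params[key][0].strip()
    return None

def find_harvester_hits(lines):
    """Map client IP -> search phrases that contain a bare @domain token."""
    hits = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # not a Combined Log Format line
        ip, referrer = match.groups()
        terms = search_terms(referrer)
        if terms and BARE_DOMAIN_RE.search(terms):
            hits[ip].append(terms)
    return dict(hits)

# Constructed sample lines; the flagged phrases are the ones quoted in the post.
SAMPLE_LOG = [
    '74.125.77.132 - - [24/Feb/2009:10:01:02 -0800] "GET /staff.html HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=church+in+california+%40hotmail.com" "Mozilla/5.0"',
    '74.125.77.132 - - [24/Feb/2009:10:05:40 -0800] "GET /staff.html HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=pastors+in+california+%40hotmail.com" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Feb/2009:11:12:00 -0800] "GET /prayer.html HTTP/1.1" 200 2048 '
    '"http://search.yahoo.com/search?p=prayer+2009+%40gmail.co.th" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Feb/2009:11:30:10 -0800] "GET /contact.html HTTP/1.1" 200 1024 '
    '"http://www.google.com/search?q=contact+bob%40example.com" "Mozilla/5.0"',
    '198.51.100.8 - - [24/Feb/2009:11:31:00 -0800] "GET / HTTP/1.1" 200 4096 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, phrases in find_harvester_hits(SAMPLE_LOG).items():
        print(ip, len(phrases), phrases)
```

A search for a complete address (`bob@example.com`) is deliberately not flagged; only the keyword-plus-provider form is treated as a harvesting signal.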

So, in review: Don’t post any email address online in plain-text, unless, of course, you enjoy the extra reading material. Currently, the safest way to allow web site visitors to contact you is to use a temporary “throw-away” address, or a form with CAPTCHA verification. Another method I consider safe enough is generating an image that shows the email address without actual text on the page (don’t use the mailto link either!). Any of these email image generators will do. Though your email address appears on the page, it isn’t easily read by a bot harvesting email addresses from text. Though the technology is there, as far as I know, very few spammers bother with OCR (optical character recognition) technology since there are still so many good addresses readily available in plain text.

I wonder what would happen if I Googled “looking for unheard of foreign entity to transfer large sums of cash with no assurance of legitimacy @citibank.com.”