case study

Why You Should Never Reveal Email Addresses on Your Website

by

Erika Sanborne

You have probably been told this before, right? Don’t put your email address on your website. Spammers crawl the web searching for the at symbol (@) and yes, they have caught on to your crafty substitution of the word at in place of it. Also, it’s not 1996, and so a good, old-fashioned mailto: link is going to get scooped up in a crawl pretty fast as well. We have known about this source of spam for decades.

Fortunately, with today’s modern websites, we can avoid getting this email spam by employing a properly implemented contact form. Can you still get spam through a contact form? Yes, absolutely. Assuming you are running a Wordpress core, you can defend against most spam bots using honeypot technology.

There is just one type of website-originated spam that technology cannot prevent: the kind that starts with human beings manually visiting your site, and spamming your contact form. That’s the case study I’d like to describe in this article, because it underscores the importance of having a good contact form, and the labor involved in how you respond when they do this.

The Human Spammer

I manage the website, including contact form submissions, for a local nonprofit, specifically a church. This past week, they were hit with spam from humans. Fortunately, they do not have their email addresses available publicly, which means that, in the end, the spammer was only able to waste my time and left without gaining access to the organization’s contact information. This is a win for good web design, despite employing an increasingly common strategy for spammers. Here’s how it went down.

Spam Email #1

Remember, this came in through the contact form, so the spammer does not actually have the target organization’s contact information.

Sent: Tuesday, May 23, 2023 at 01:40:01 PM CDT
On behalf of ARC Retreat Community in [city and state redacted], I invite you as a church, staff, or individuals to ARC for a retreat. It is a quiet place offering a contemplative atmosphere for individuals and small groups for sponsored, private and group retreats year-round on 90 acres of pristine wetlands and woodlands. There are trails for walking and snowshoeing There is also a labyrinth for walking meditation. People from all beliefs and faiths are welcome at ARC.

I personally have been a part of ARC for a number of years, and find it a deeply spiritual, inviting, rejuvinating place for a retreat. The staff is great, and so is the food!! I also invite you to learn more about it on their website. Would you be willing to share a contact person and email so we can add you to our email list?

Thank you! I look foward to hearing from you.
Carol [last name redacted] (I am also a UCC pastor in [state redacted])

Responding to Spam Email #1

The email got through spam filters as it should have, because it was initiated by a human. I manually coded it as spam and saved the sender’s IP address as a spammer, so that subsequent spam messages would be sorted as spam. It is important to not reply directly to unsolicited spam sent through contact forms, because doing so (of course) would provide the spammer with your email address.

Spam Email #2

Sent: Wednesday, May 24, 2023 at 12:02:02 PM CDT
Greetings,
I am contacting you on behalf of ARC Retreat Community in [city and state redacted] to ask if we can add you to our email list. ARC is a quiet place offering a contemplative atmosphere for individuals and small groups retreats year-round. People from all beliefs and faiths are welcome. Learn more at [link redacted] Would you pls send me a contact name and email address? Thank you! I look forward to hearing from you. Carol [last name redacted]

Responding to Spam Email #2

This second spam email was properly sorted as spam. I communicated with staff who were asking about this incoming messaging, and I let them know that after three spam messages (i.e. if this was going to continue), I would actually contact the sending organization directly about it.

Spam Email #3

Sent: Friday, May 26, 2023 at 04:18:36 AM CDT
I am contacting you on behalf of ARC Retreat Community in [city and state redacted] to ask if we can add you to our email list. ARC is a quiet place offering a contemplative atmosphere for individuals and small groups retreats year-round. People from all beliefs and faiths are welcome. Learn more at [link redacted]. Would you pls send me a contact name and email address? Thank you! I look forward to hearing from you. Carol [last name redacted]

Responding to Spam Email #3

I went to the spamming organization’s website, and messaged through their contact form, so as to not expose my own agency email address to this organization, nor the email address of the nonprofit I was handling this issue for. I explained that I was the website administrator providing services for (named local church) and that (name and contact info as provided) had been spamming the contact form with several unsolicited pleas for organizational contact information that (named local church) was not interested in providing. And I asked the spamming organization to stop.

How They Responded

This is the message that promptly came back through the contact form that same day, unedited other than to redact names and contact info.

Sent: Friday, May 26, 2023 at 09:53:32 AM CDT
Eric,
My apologies for the inconvenienced caused by our zealous volunteer Carol [last name redacted]. She was looking for contact information so we could share communication about a discounted day retreat opportunity. I will inform her to stop.
If you are interested in receiving information, you may email me directly.
Again, my apology.
[name and contact information redacted]
Executive Director

The Takeaways

You can stop the spam, even the human-initiated kind. When they put in more time and effort, it will also take more time and effort to stop it, sometimes even requiring that you go to their site and complete their contact form in return!

Remember to never, ever directly respond to human-initiated spam emails that come through your website’s contact form, because if you do that then you’ll be giving a spamming organization your contact info, which is whta they are seeking!

What’s unfortunate is that dealing with human-initiated spam like this can cause you to miss actual messages. For example, in the midst of dealing with this particular nonsense, a real message came in, and I almost missed it, and was delayed in rsponding to it. It had some elements in common and I first thought it was another phishing attempt from this retreat center rather than the genuine communication that the contact form is there for.

But remain diligent and you will have a cleaner inbox, less spam, and better overall communications management.

About Erika Sanborne

Erika Sanborne is the WordPress developer and agency owner at Our Future Site, a division of Erika Sanborne Media LLC. In addition to web development, Erika produces digital graphics, videos, animated explainers, and portraiture work. Her other hats include: long-time math and psychological science educator, ordained UCC clergy, disabled veteran for peace, disability justice advocate, population health and disability policy researcher, and sociology PhD candidate. All at the same time. Yeah. She keeps busy. | More About Erika

Leave a Comment

Our Future Site

a division of Erika Sanborne Media LLC

Reach out for a consultation.

We're always glad to jump on a Zoom call to hear your dreams and discuss ideas for growing your business, and we'll give initial direction and advice, no strings.

Contact Us

Popular Resources

How to Make your Own Free (or almost free) Website

How to Reclaim your Online Identity from Imposters

Learn How to Audit Your Website for Accessibility

© 2020-2024
Erika Sanborne Media LLC

Privacy Policy Cookie Policy Terms of Service Disclaimer