Do you avoid using mailto: on your website?
  v1.0 Posted at 17/11/2016 4:27 AM by Tiago Araujo

Don't ever display valid individual email addresses or mailto:'s on a website. Nasty people on the web have created "Email Harvesting" tools. These programs search public areas on the Internet to compile, capture, or otherwise "harvest" lists of email addresses from web pages, newsgroups, and chat rooms. Any email address that is spelled out can be captured and therefore gets attacked with spam.

The best way to avoid it is not to display valid individual email addresses in text format (especially in the form of "mailto:") on your website. 


e.g. FirstnameSurname@ssw.com.au 

Figure: Bad way - normal email address in text format

Better way: encoding technique

  1. Store email addresses in the web.config file

     <configuration>
       <appSettings>
         <add key="SampleEncodedEmailAddress" value="David@sample.com.au" />
         ...
       </appSettings>
     </configuration>

  2. Encode them on the server using the BitConverter class

     Dim email As String = ConfigurationSettings.AppSettings("SampleEncodedEmailAddress")
     Application("SampleEncodedEmailAddress") = BitConverter.ToString( _
         ASCIIEncoding.ASCII.GetBytes(email)).Replace("-", "")

  3. Decode on the client with a JavaScript function

     <a id="linkContact" href="javascript:sendEmail('44617669644073616D706C652E636F6D2E6175')">CONTACT David</a>

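The page does not show the sendEmail() function the link above calls, so here is an added example (not SSW's own code) of the client-side decoder, together with a JavaScript re-implementation of the server-side BitConverter step so the round trip can be checked; the function names hexEncodeEmail and decodeHexEmail are assumptions.

```javascript
// Added example: hex encoding/decoding for the mailto: technique described above.
// hexEncodeEmail mirrors BitConverter.ToString(ASCII bytes).Replace("-", ""),
// i.e. upper-case hex with no separators, so the output matches the href value.

// Server-side equivalent (assumed name): ASCII email -> upper-case hex string.
function hexEncodeEmail(email) {
  let hex = "";
  for (const ch of email) {
    const code = ch.charCodeAt(0);
    if (code > 0x7f) throw new Error("email must be ASCII");
    hex += code.toString(16).toUpperCase().padStart(2, "0");
  }
  return hex;
}

// Client-side decoder (assumed name): reject malformed input, then pair up hex digits.
function decodeHexEmail(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9A-Fa-f]*$/.test(hex)) {
    throw new Error("invalid hex-encoded email");
  }
  let email = "";
  for (let i = 0; i < hex.length; i += 2) {
    email += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return email;
}

// The sendEmail() called from the anchor's href: decode, then open the mail client.
function sendEmail(hex) {
  const mailto = "mailto:" + decodeHexEmail(hex);
  if (typeof window !== "undefined") {
    window.location.href = mailto; // only in a browser
  }
  return mailto; // returned so the behaviour can be checked outside a browser
}
```

This is plain hex encoding, not encryption: it keeps the address out of the page text that a simple scraper reads, and nothing more.
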
We have a program called SSW Code Auditor to check for this rule.
