Do you avoid using mailto: on your website?
17/11/2016 4:27 AM by
Don't ever display valid individual email addresses or mailto: links on a website. Nasty people on the web have created "email harvesting" tools: programs that search public areas of the Internet to compile, capture, or otherwise "harvest" lists of email addresses from web pages, newsgroups, and chat rooms. Any email address that is spelled out in the page can be captured and will then be targeted with spam.
The best way to avoid it is not to display valid individual email addresses in text format (especially in the form of "mailto:") on your website.
Figure: Bad way - normal email address in text format (e.g. FirstnameSurname@ssw.com.au)
Better way: encoding technique
- Store email addresses in the web.config file:

```xml
<configuration>
  <appSettings>
    <add key="SampleEncodedEmailAddress" value="David@sample.com.au" />
    ...
  </appSettings>
</configuration>
```
- Encode them on the server using the BitConverter class, so that only the hex-encoded form is ever handed to pages:

```vb
Imports System.Configuration
Imports System.Text

' Read the plain address from web.config and keep only the hex-encoded
' form (uppercase hex, dashes removed) in Application state.
Dim email As String = ConfigurationSettings.AppSettings("SampleEncodedEmailAddress")
Application("SampleEncodedEmailAddress") = _
    BitConverter.ToString(ASCIIEncoding.ASCII.GetBytes(email)).Replace("-", "")
```
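The rule stops at the server side; the browser still has to turn that hex string back into an address and build the mailto: link at runtime so the literal address never appears in the HTML source. The following is an added example, not SSW's code, of that client-side step in JavaScript, together with a matching encoder that produces the same uppercase hex that BitConverter.ToString yields once the dashes are removed. The function names, the sample hex value and the "contact-link" element id are assumptions.

```javascript
// Added example: client-side counterpart of the BitConverter encoding above.
// Function names and the "contact-link" element id are assumptions, not SSW's code.

// Mirror of BitConverter.ToString(ASCII.GetBytes(email)).Replace("-", ""):
// two uppercase hex digits per character, no separators.
function encodeEmailHex(email) {
  let hex = "";
  for (const ch of email) {
    const code = ch.charCodeAt(0);
    // ASCIIEncoding would silently turn non-ASCII into "?", so reject it here instead.
    if (code > 0x7f) throw new Error("address must be ASCII: " + email);
    hex += code.toString(16).toUpperCase().padStart(2, "0");
  }
  return hex;
}

// Reverse the encoding; refuse anything that is not a well-formed hex string
// so a tampered or truncated value cannot produce garbage in the page.
function decodeEmailHex(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || !/^[0-9A-Fa-f]*$/.test(hex)) {
    throw new Error("not a valid hex-encoded address");
  }
  let email = "";
  for (let i = 0; i < hex.length; i += 2) {
    email += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return email;
}

// Build the href at runtime so "mailto:user@host" never appears in the static HTML.
function mailtoHref(hex) {
  return "mailto:" + decodeEmailHex(hex);
}

// Constructed sample: the hex form of David@sample.com.au, as the server-side code would store it.
const SAMPLE_ENCODED = "44617669644073616D706C652E636F6D2E6175";

// In a browser, wire the decoded address into an anchor the page already contains
// (assumed markup: <a id="contact-link">Email us</a>). Guarded so the file also loads outside a browser.
if (typeof document !== "undefined") {
  const link = document.getElementById("contact-link");
  if (link) {
    link.href = mailtoHref(SAMPLE_ENCODED);
    link.textContent = decodeEmailHex(SAMPLE_ENCODED);
  }
}
```

The encoding only defeats harvesters that pattern-match the static HTML; one that executes the page's JavaScript sees the decoded address, so treat this as raising the cost of harvesting rather than preventing it, and prefer a contact form where the address must not be exposed at all.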
We have a program called SSW Code Auditor to check for this rule.