Safe way to list e-mail address on webpage

  • Thread starter: cepheid

Discussion Overview

The discussion revolves around methods for safely listing an email address on a webpage to avoid spam and phishing attacks. Participants explore various techniques, including HTML attributes, image representations, and CAPTCHA systems, while considering the effectiveness and practicality of each approach.

Discussion Character

  • Exploratory
  • Technical explanation
  • Debate/contested

Main Points Raised

  • Some participants propose using HTML with a title attribute to obscure the email address, but question its effectiveness against phishing.
  • Others argue that displaying the email address in the HTML source makes it vulnerable to scraping by malicious software.
  • A suggestion is made to use a server-side script to retrieve the email address, potentially combined with a CAPTCHA to enhance security.
  • Some participants discuss the idea of using images to display the email address, noting that visual parsing by bots may be less efficient.
  • Concerns are raised about the practicality of using images for important information, as they can be cumbersome to update.
  • One participant mentions that their university already lists email usernames in a way that could expose them to phishing, questioning the security of that method.
  • There is a discussion about using reCAPTCHA's email hiding service and the importance of obfuscating alt text to prevent bots from easily accessing the email address.

Areas of Agreement / Disagreement

Participants express a variety of views on the effectiveness of different methods for protecting email addresses. There is no clear consensus on the best approach, as opinions vary on the practicality and security of each method discussed.

Contextual Notes

Limitations include the potential for email addresses to be exposed in HTML source code, the challenges of updating image-based email representations, and the effectiveness of CAPTCHA systems in preventing automated scraping.

Who May Find This Useful

This discussion may be of interest to web developers, individuals concerned about online privacy, and those looking for methods to protect their email addresses from spam and phishing attacks.

cepheid
If I do something like this in HTML:

Code:
E-mail: <span title="append @domain"> username</span>

the effect is to present the text

E-mail: username

on the web page and the message "append @domain" will appear when the user moves the mouse pointer over the username. Is this a safe (spam impervious) way to present my e-mail address online?

Also: can you think of a better way?
 
cepheid said:
If I do something like this in HTML:

Code:
E-mail: <span title="append @domain"> username</span>

the effect is to present the text

E-mail: username

on the web page and the message "append @domain" will appear when the user moves the mouse pointer over the username. Is this a safe (spam impervious) way to present my e-mail address online?

Also: can you think of a better way?

Assuming the address (your @domain part) is held in the HTML code of the page it isn't difficult to obtain by reading the page source code. So no, I don't think this is a particularly strong method of defence against phishing.

Your best bet would be having a link which retrieves it from somewhere (even if it's only simple PHP) and shows it in a message so it's never presented on the page itself and in its code. But they could even get around that. So to improve that you need a 'captcha' system that requires the user to enter a randomly generated pair of words before it retrieves it. That way it's very difficult for a computer to get it.
 
Or, you could make a captcha-like picture that has your email in it. Or, write it in purty cursive on a piece of paper then take a picture of it and use that. Just about anything unfeasible for visual parsing would work. Then again, would a phishing bot even attempt to parse a picture? I doubt it. The resources consumed for visual parsing, as compared to just text parsing, are exponentially larger.
 
TylerH said:
Or, you could make a captcha-like picture that has your email in it. Or, write it in purty cursive on a piece of paper then take a picture of it and use that. Just about anything unfeasible for visual parsing would work. Then again, would a phishing bot even attempt to parse a picture? I doubt it. The resources consumed for visual parsing, as compared to just text parsing, are exponentially larger.

Problem with that system is that it's not easy to update. Having it retrieved from a database or hidden source means you can quickly update through a "members access" or the like.

In general, I try to avoid using pictures to show users important info as it's not so easy to manage and quite bulky if not done correctly.

I believe you can get captcha services to run off-site so you don't have to store all the images - but this brings it back to my original idea.
 
jarednjames said:
Problem with that system is that it's not easy to update. Having it retrieved from a database or hidden source means you can quickly update through a "members access" or the like.

In general, I try to avoid using pictures to show users important info as it's not so easy to manage and quite bulky if not done correctly.

I believe you can get captcha services to run off-site so you don't have to store all the images - but this brings it back to my original idea.

True. I was thinking small, even personal, scale.
 
Thanks for the tips guys. This would just be for my personal academic web page on the web space that has been allocated to me on my university department's web server.

As it turns out, everyone in my department has his/her e-mail username listed in a table on the personnel page, with a note above the table saying "Email addresses are made by concatenating the 'email id' with [@domain]."

So, if what you are saying is true, and malicious software programs are able to perform this concatenation automatically, then I guess that thanks to the department webmaster, my e-mail address is already a target for "phishing" anyway.

EDIT: so you mean if I just upload a JPEG or PNG image of my e-mail address in typed text, it would be safe? Or it has to be all fancy and cursive to make it impervious to "visual parsing?"
 
cepheid said:
So, if what you are saying is true, and malicious software programs are able to perform this concatenation automatically, then I guess that thanks to the department webmaster, my e-mail address is already a target for "phishing" anyway.

To target it, you'd have to write an algorithm to do just that. You'd need to know the page and write the code to work with the page. Relatively pointless on such a small scale, easier to do it by hand.

It's only if this technique is found in large scale would there be something looking for it, and even then it would be very difficult to determine the username part (every word on the page is a potential username).

So no, phishing isn't really a worry given the method used by your department/university. It generally looks for what it recognises as complete addresses.

I thought you meant that it would display your whole email address when the user clicks - which would mean storing it in the HTML, which is a problem.
 
cepheid said:
EDIT: so you mean if I just upload a JPEG or PNG image of my e-mail address in typed text, it would be safe? Or it has to be all fancy and cursive to make it impervious to "visual parsing?"

They generally don't run text recognition, it just doesn't pay to. An image would mean nothing could grab it without taking the picture or running text based analysis.
 
jarednjames said:
So no, phishing isn't really a worry given the method used by your department/university. It generally looks for what it recognises as complete addresses.

I thought you meant that it would display your whole email address when the user clicks - which would mean storing it in the HTML, which is a problem.

Ahh I see. No, my complete e-mail address does not appear anywhere in the source code for the webpage.

jarednjames said:
They generally don't run text recognition, it just doesn't pay to. An image would mean nothing could grab it without taking the picture or running text based analysis.

I tried this by making a text box in a drawing program with the same font, text colour and background colour as my page, and then exporting it as a PNG. Then I experimented with the width and height attributes in the <IMG> tag until it matched the surrounding text. It looks quite nice.

Thanks to both of you for the replies.
 
  • #10
reCAPTCHA has an email hiding service.
http://www.google.com/recaptcha/mailhide/

On my personal site I used a png file. The text isn't distorted at all, but I have it in the format of:
"my email is at hotmail, and the name is PNG"

A note about the image route is that you should add alt text so that the blind can still get your email address. Since the alt text is readable by bots it must be somewhat obfuscated again.
 
  • #11
DaleSwanson said:
reCAPTCHA has an email hiding service.
http://www.google.com/recaptcha/mailhide/

On my personal site I used a png file. The text isn't distorted at all, but I have it in the format of:
"my email is at hotmail, and the name is PNG"

A note about the image route is that you should add alt text so that the blind can still get your email address. Since the alt text is readable by bots it must be somewhat obfuscated again.

Sorry for being slow, but I'm not sure I know what you mean by "alt text." Can you explain?
 
  • #12
Alt text for the blind? Sounds like a comb for a bald man.

Normally for text based captcha images they have a sound file to read the word out.
 
  • #13
cepheid said:
I'm not sure I know what you mean by "alt text."

When you display an inline image in a Web page you can do it with an HTML tag that looks like this:

Code:
<img src="myimage.jpg" alt="My Image">

If the person viewing the page is using a browser that can't display images (e.g. the Lynx browser for text-only terminals), or has set his browser to disable automatic display of images, he sees the text "My Image" instead of the image itself.

If you're using Firefox, go to Preferences, choose the Content tab, uncheck the "Load images automatically" box, and refresh your current page to see what the result looks like.
 
  • #14
As jtbell said alt text is as simple as adding alt="Alt Text" to your image tags. Blind users will hear that text read to them.

If you want one, a much more thorough explanation of alt text is here:
http://jimthatcher.com/webcourse2.htm
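
An added example, not part of the thread or any poster's code: a self-check for your own page that reports every complete address present in the HTML source, including inside attributes such as alt, title and href and behind character entities like &#64;. The address user@example.edu and the sample markup are constructed; the split-username span and the obfuscated alt wording are the ones quoted in the thread.

```python
import re
from html.parser import HTMLParser

# A complete address (local part, "@", dotted domain) anywhere in a string.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class ExposureAudit(HTMLParser):
    """Collects (location, address) pairs for each complete address in a page."""

    def __init__(self):
        # convert_charrefs=True decodes entities such as &#64; in text, and
        # HTMLParser also unescapes attribute values, so entity-encoding the
        # "@" does not hide an address from this audit.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _scan(self, location, value):
        for match in ADDRESS.finditer(value or ""):
            self.findings.append((location, match.group(0)))

    def handle_starttag(self, tag, attrs):
        # alt, title and href values sit in the source even when the browser
        # never renders them as page text.
        for name, value in attrs:
            self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        self._scan("text", data)


def audit_page(html):
    """Return every complete address found in the markup, with its location."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()  # flush any trailing text
    return parser.findings


# Constructed sample markup.
SPLIT_SPAN = 'E-mail: <span title="append @domain"> username</span>'
IMG_ALT = '<img src="email.png" alt="user@example.edu">'
ENTITY_MAILTO = '<a href="mailto:user&#64;example.edu">contact</a>'
OBFUSCATED_ALT = '<img src="email.png" alt="my email is at hotmail, and the name is PNG">'

if __name__ == "__main__":
    for sample in (SPLIT_SPAN, IMG_ALT, ENTITY_MAILTO, OBFUSCATED_ALT):
        print(audit_page(sample) or "no complete address in source", "<-", sample)
```

An empty result only means no complete address appears in the markup; it says nothing about text rendered inside the image itself.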
 