Safe way to list e-mail address on webpage

  • Thread starter cepheid
  • Start date
  • #1
cepheid
Staff Emeritus
Science Advisor
Gold Member
5,192
36

Main Question or Discussion Point

If I do something like this in HTML:

Code:
E-mail: <span title="append @domain"> username</span>
the effect is to present the text

E-mail: username

on the web page and the message "append @domain" will appear when the user moves the mouse pointer over the username. Is this a safe (spam impervious) way to present my e-mail address online?

Also: can you think of a better way?
 

Answers and Replies

  • #2
2,685
20
If I do something like this in HTML:

Code:
E-mail: <span title="append @domain"> username</span>
the effect is to present the text

E-mail: username

on the web page and the message "append @domain" will appear when the user moves the mouse pointer over the username. Is this a safe (spam impervious) way to present my e-mail address online?

Also: can you think of a better way?
Assuming the address (your @domain part) is held in the HTML code of the page it isn't difficult to obtain by reading the page source code. So no, I don't think this is a particularly strong method of defence against phishing.

Your best bet would be having a link which retrieves it from somewhere (even if it's only simple PHP) and shows it in a message so it's never presented on the page itself and in its code. But they could even get around that that. So to improve that you need a 'captcha' system that requires the user enter a randomly generated pair of words before it retrieves it. That way it's very difficult for a computer to get it.
 
  • #3
724
0
Or, you could make a captcha-like picture that has your email in it. Or, write it in purty cursive on a peice of paper then take a picture of it and use that. Just about anything unfeasible for visual parsing would work. Then again, would a phishing bot even attempt to parse a picture? I doubt it. The resources consumed for visual parsing, as compared to just text parsing, is exponentially larger.
 
  • #4
2,685
20
Or, you could make a captcha-like picture that has your email in it. Or, write it in purty cursive on a peice of paper then take a picture of it and use that. Just about anything unfeasible for visual parsing would work. Then again, would a phishing bot even attempt to parse a picture? I doubt it. The resources consumed for visual parsing, as compared to just text parsing, is exponentially larger.
Problem with that system is that it's not easy to update. Having it retrieved from a database or hidden source means you can quickly update through a "members access" or the like.

In general, I try to avoid using pictures to show users important info as it's not so easy to manage and quite bulky if not done correctly.

I believe you can get capture services to run off-site so you don't have to store all the images - but this brings it back to my original idea.
 
  • #5
724
0
Problem with that system is that it's not easy to update. Having it retrieved from a database or hidden source means you can quickly update through a "members access" or the like.

In general, I try to avoid using pictures to show users important info as it's not so easy to manage and quite bulky if not done correctly.

I believe you can get capture services to run off-site so you don't have to store all the images - but this brings it back to my original idea.
True. I was thinking small, even personal, scale.
 
  • #6
cepheid
Staff Emeritus
Science Advisor
Gold Member
5,192
36
Thanks for the tips guys. This would just be for my personal academic web page on the web space that has been allocated to me on my university department's web server.

As it turns out, everyone in my department has his/her e-mail username listed in a table on the personnel page, with a note above the table saying "Email addresses are made by concatenating the 'email id' with [@domain]."

So, if what you are saying is true, and malicious software programs are able to perform this concatentation automatically, then I guess that thanks to the department webmaster, my e-mail address is already a target for "phishing" anyway.

EDIT: so you mean if I just upload a JPEG or PNG image of my e-mail address in typed text, it would be safe? Or it has to be all fancy and cursive to make it impervious to "visual parsing?"
 
  • #7
2,685
20
So, if what you are saying is true, and malicious software programs are able to perform this concatentation automatically, then I guess that thanks to the department webmaster, my e-mail address is already a target for "phishing" anyway.
To target it, you'd have to write an algorithm to do just that. You'd need to know the page and write the code to work with the page. Relatively pointless on such a small scale, easier to do it by hand.

It's only if this technique is found in large scale would there be something looking for it, and even then it would be very difficult to determine the username part (every word on the page is a potential username).

So no, phishing isn't really a worry given the method used by your department/university. It generally looks for what it recognises as complete addresses.

I thought you meant that it would display your whole email address when the user clicks - which would mean storing it in the HTML, which is a problem.
 
  • #8
2,685
20
EDIT: so you mean if I just upload a JPEG or PNG image of my e-mail address in typed text, it would be safe? Or it has to be all fancy and cursive to make it impervious to "visual parsing?"
They generally don't run text recognition, it just doesn't pay to. An image would mean nothing could grab it without taking the picture or running text based analysis.
 
  • #9
cepheid
Staff Emeritus
Science Advisor
Gold Member
5,192
36
So no, phishing isn't really a worry given the method used by your department/university. It generally looks for what it recognises as complete addresses.

I thought you meant that it would display your whole email address when the user clicks - which would mean storing it in the HTML, which is a problem.
Ahh I see. No, my complete e-mail address does not appear anywhere in the source code for the webpage.

They generally don't run text recognition, it just doesn't pay to. An image would mean nothing could grab it without taking the picture or running text based analysis.
I tried this by making a text box in a drawing program with the same font, text colour and background colour as my page, and then exporting it as a PNG. Then I experimented with the width and height attributes in the <IMG> tag until it matched the surrounding text. It looks quite nice.

Thanks to both of you for the replies.
 
  • #10
352
2
reCAPTCHA has an email hiding service.
http://www.google.com/recaptcha/mailhide/ [Broken]

On my personal site I used a png file. The text isn't distorted at all, but I have it the format of:
"my email is at hotmail, and the name is PNG"

A note about the image route is that you should add alt text so that the blind can still get your email address. Since the alt text is readable by bots it must be somewhat obfuscated again.
 
Last edited by a moderator:
  • #11
cepheid
Staff Emeritus
Science Advisor
Gold Member
5,192
36
reCAPTCHA has an email hiding service.
http://www.google.com/recaptcha/mailhide/ [Broken]

On my personal site I used a png file. The text isn't distorted at all, but I have it the format of:
"my email is at hotmail, and the name is PNG"

A note about the image route is that you should add alt text so that the blind can still get your email address. Since the alt text is readable by bots it must be somewhat obfuscated again.
Sorry for being slow, but I'm not sure I know what you mean by "alt text." Can you explain?
 
Last edited by a moderator:
  • #12
2,685
20
Alt text for the blind? Sounds like a comb for a bald man.

Normally for text based captcha images they have a sound file to read the word out.
 
  • #13
jtbell
Mentor
15,544
3,453
I'm not sure I know what you mean by "alt text."
When you display an inline image in a Web page you can do it with an HTML tag that looks like this:

Code:
<img src="myimage.jpg" alt="My Image">
If the person viewing the page is using a browser that can't display images (e.g. the Lynx browser for text-only terminals), or has set his browser to disable automatic display of images, he sees the text "My Image" instead of the image itself.

If you're using Firefox, go to Preferences, choose the Content tab, uncheck the "Load images automatically" box, and refresh your current page to see what the result looks like.
 
  • #14
352
2
As jtbell said alt text is as simple as adding alt="Alt Text" to your image tags. Blind users will hear that text read to them.

If you want one, a much more thorough explanation of alt text is here:
http://jimthatcher.com/webcourse2.htm" [Broken]
 
Last edited by a moderator:

Related Threads on Safe way to list e-mail address on webpage

  • Last Post
Replies
5
Views
626
  • Last Post
Replies
8
Views
2K
  • Last Post
Replies
1
Views
4K
  • Last Post
Replies
2
Views
2K
  • Last Post
Replies
8
Views
3K
  • Last Post
Replies
3
Views
2K
  • Last Post
Replies
4
Views
2K
  • Last Post
Replies
8
Views
6K
  • Last Post
Replies
2
Views
781
  • Last Post
Replies
6
Views
3K
Top