Do you avoid using mailto: on your website?

Last updated by Brook Jeynes [SSW] 10 months ago.See history

Don't ever display valid individual email addresses or mailto: on a website. Nasty people on the web have created "Email Harvesting" tools. These programs search public areas on the Internet to compile, capture, or otherwise "harvest" lists of email addresses from web pages, newsgroups, and chat rooms. Any email address that is spelled out can be captured and therefore gets attacked with spam.

The best way to avoid it is not to display valid individual email addresses in text format (especially in the form of "mailto:") on your website.

Figure: Bad way - normal email address in text format

 Better way: encryption technique 

  1. Store email addresses in the web.config file
        <add key="SampleEncodedEmailAddress" value="" /> 
  1. Encode them on the server using the BitConverter class
Dim email As String = ConfigurationSettings

Application("SampleEncodedEmailAddress") = BitConverter
        .ToString( _ ASCIIEncoding.ASCII.GetBytes(email))
        .Replace("-", "")
  1. Decode on the client with a JavaScript function in the JavaScript
<a id="linkContact" href="javascript:sendEmail('44617669644073616D706C652E636F6D2E6175')">
    CONTACT David

We have a program called SSW CodeAuditor to check for this rule.

We open source. Powered by GitHub